Spyware, Viruses, & Security forum

NEWS - February 01, 2011

by Carol~ Forum moderator / February 1, 2011 1:23 AM PST
Spammers Hijack Internet Space Assigned to Egyptian President's Wife

Egyptian citizens calling for besieged President Hosni Mubarak to step down may have been cut off from using the Web, but spammers have been busy cutting the government off from its own Internet address space: Earlier this month, junk e-mail artists hijacked a large swath of Internet addresses assigned to Mubarak's wife.

According to Spamhaus.org, well known spammers commandeered a chunk of more than 5,000 IP addresses that were assigned years ago to Suzanne Mubarak and the Suzanne Mubarak Science Exploration Center. Spamhaus reports that those addresses have been used recently to promote a variety of dodgy Web businesses, and that the hijacked block is under the control of an organization that has ties to alleged spammer Michael Lindsay and iMedia Networks. iMedia did not respond to requests for comment.

The high profile land grab is the latest example of how spammers are becoming more brazen in their quest for non-blacklisted Internet address space from which to send spam, said Rod Rasmussen, president and chief technology officer of Internet Identity.

Continued : http://krebsonsecurity.com/2011/02/spammers-hijack-internet-space-assigned-to-egyptian-presidents-wife/
Attacks on London Stock Exchange under investigation
by Carol~ Forum moderator / February 1, 2011 1:28 AM PST

According to media reports, last August the London Stock Exchange was the victim of a cyber-attack which resulted in a collapse in the share prices of at least five companies. On the 24th of August, the value of BT's shares fell by nearly £1 billion. The London Stock Exchange (LSE) responded by suspending trading.

The problem was officially blamed on an incorrect price on a large number of stock orders. A similar event is reported to have occurred in November. An investigation is to be launched to look into the circumstances and to determine whether the two incidents were the result of (terrorist) attacks. According to the reports, the first attack occurred shortly after the LSE switched to an open source system.

In contrast to other stock exchanges, the LSE is not connected to the internet on any major scale. This is in contrast to the situation in the US, where authorities are also investigating attempted attacks in which criminals, allegedly from Russia, attempted to "destabilise" Western financial markets. It is, however, questionable whether a disruption can remain isolated, given the degree of interconnection of global markets and the interdependence between international companies.

Continued : http://www.h-online.com/security/news/item/Attacks-on-London-Stock-Exchange-under-investigation-1181494.html

Also : Cyber raids 'threaten British, US stock markets'

Darkshell Botnets Targeting Chinese Manufacturers With DDoS
by Carol~ Forum moderator / February 1, 2011 3:51 AM PST

Researchers are tracking a new bot that originated in China and is being used by various associated botnets that are hammering away with DDoS attacks aimed at several dozen targets around the world, including a number of telecom companies and specialized manufacturers.

The piece of malware behind these botnets, known as Darkshell, is using a slew of command-and-control servers, nearly all of which are located in China, and is fairly run-of-the-mill in terms of its installation and operation. However, the one rather odd part of the Darkshell botnets' behavior is that their owners are using the networks to launch attacks against a large number of manufacturers of relatively obscure machinery used for food processing.

It's not unusual for a particular group of attackers to focus its efforts on bringing down the sites of one specific company or even a group of companies. This often is the result of some slight, real or imagined, committed by the victim, or of an unpopular political opinion held by one of its executives. However, it's quite odd for several individual botnets -- even though they're using the same bot -- to attack such a large number of players in a fairly low-visibility industry.

Continued : https://threatpost.com/en_us/blogs/darkshell-botnets-targeting-chinese-manufacturers-ddos-attacks-013111
Mozilla slips 'Do Not Track' header into Firefox nightlies
by Carol~ Forum moderator / February 1, 2011 3:51 AM PST

Mozilla has uploaded a working prototype of its "Do Not Track" http header into the Firefox nightly builds.

Anyone interested in testing the header can do so by downloading a pre-beta version of Firefox, but it won't have any real effect until websites and advertisers choose to recognize the thing.

Mozilla proposed such a header with a blog post last week, hoping to give netizens the option of shielding themselves from ad networks that attempt to track their web behavior. Since then, working in tandem with Stanford University's donottrack.us project, the open sourcers have (slightly) modified the design. The header now reads "DNT: 1" when a user turns on the do-not-track option, rather than the original proposal: "X-Do-Not-Track". The new header is designed to be shorter and more precise.

Continued : http://www.theregister.co.uk/2011/02/01/mozilla_don_not_track_header_in_firefox_nightlies/
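Added example (not code from Mozilla or The Register): a server-side check that honours the header as the post describes it, treating `DNT: 1` as the opt-out and also recognising the original `X-Do-Not-Track` name, and omitting the tracking cookie when the user has opted out. The request strings and the `track_id` cookie are constructed for the example.

```python
from typing import Dict

# The header name Mozilla settled on, plus the name from the original proposal
# mentioned in the post, so clients sending either form are honoured.
DNT_HEADER_NAMES = ("dnt", "x-do-not-track")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.x request into a lower-cased name -> value dict."""
    _request_line, _, rest = raw_request.partition("\r\n")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if line == "":          # the blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue            # malformed header line; ignore it
        headers[name.strip().lower()] = value.strip()
    return headers


def user_opted_out(headers: Dict[str, str]) -> bool:
    """True only when the client explicitly sent a value of 1; any other value is not an opt-out."""
    return any(headers.get(name) == "1" for name in DNT_HEADER_NAMES)


def build_response(raw_request: str, visitor_id: str) -> str:
    """Return a minimal HTTP response; the tracking cookie is set only if the user has not opted out."""
    headers = parse_headers(raw_request)
    opted_out = user_opted_out(headers)
    lines = ["HTTP/1.1 200 OK", "Content-Type: text/plain; charset=utf-8"]
    body = "tracking disabled by DNT" if opted_out else "tracking enabled"
    if not opted_out:
        # track_id is a hypothetical identifier a site would normally persist in a cookie.
        lines.append(f"Set-Cookie: track_id={visitor_id}; Path=/; HttpOnly")
    lines.append(f"Content-Length: {len(body.encode('utf-8'))}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed requests, not captured traffic.
REQUEST_OPT_OUT = "GET / HTTP/1.1\r\nHost: example.test\r\nDNT: 1\r\n\r\n"
REQUEST_LEGACY_OPT_OUT = "GET / HTTP/1.1\r\nHost: example.test\r\nX-Do-Not-Track: 1\r\n\r\n"
REQUEST_NO_PREFERENCE = "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: test-client/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQUEST_OPT_OUT, REQUEST_LEGACY_OPT_OUT, REQUEST_NO_PREFERENCE):
        print(build_response(req, "abc123").split("\r\n\r\n")[0], end="\n\n")
```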

Arbor: Mobile Networks Trail Fixed Line in Security
by Carol~ Forum moderator / February 1, 2011 3:51 AM PST

Mobile network operators are trailing their fixed-line counterparts by several years in regards to security, with many experiencing outages and other problems due to the use of outdated security technology, according to a new report released Tuesday by Arbor Networks.

As demand for mobile Internet access has grown, mobile operators have focused on growing revenue rather than securing their infrastructure, said Paul Scanlon, a solutions architect for Arbor. Mobile operators are eight to 10 years behind their fixed-line counterparts when it comes to security, he said.

"They're just not keeping pace with state-of-the-art security solutions," Scanlon said.

Arbor surveyed 111 network operators for its Worldwide Infrastructure Security Report, which covers a period from October 2009 to September 2010.

Continued : http://www.pcworld.com/businesscenter/article/218356/arbor_mobile_networks_trail_fixed_line_in_security.html

Facebook will close all accounts today? Rogue app spreads
by Carol~ Forum moderator / February 1, 2011 3:51 AM PST

Has Facebook CEO Mark Zuckerberg really announced that all accounts will be closed today unless users take action?

Of course not. But it's exactly the type of message that would get many users to click on a link without thinking of the possible consequences - especially if the message appears to have been shared with them by one of their Facebook friends. [Screenshot]

Facebook will close down all accounts today. The official announcement
was made by Mark Zuckerberg - Facebook Owner.
This is a simple step to keep your account working.
If you want to have you account from now, please verify your account.

Clicking on the link isn't advisable. It takes you to a normal Facebook application permissions dialog, the kind you're probably all too familiar with if you spend much time on Facebook. However, this dialog box is requesting permissions for a rogue application - clicking "allow" will permit the app to post the message to your wall as well, spreading the link virally to your Facebook contacts.

Continued : http://nakedsecurity.sophos.com/2011/02/01/facebook-will-close-all-accounts-today-rogue-app-spreads-virally/
Dating site and hacker in online spat over security breach
by Carol~ Forum moderator / February 1, 2011 3:51 AM PST

The founder of Canadian dating website PlentyOfFish.com has become embroiled in an online spat with a white-hat hacker who found security bugs on the site and a reporter who began asking questions about the flaw.

Markus Frind, the founder and chief executive of Plenty of Fish, claims he was approached by someone who exported 345 user accounts from pof.com's database before trying to convince the site to hire his crew as a security team. If PlentyofFish.com didn't play ball, then the hacker threatened to go to the press, according to Frind, who said he interpreted the action as attempted extortion.

However, the Argentinian hacker who approached the site, Chris Russo, said he was only trying to warn PlentyofFish.com of a security vulnerability he had found. Russo created a proof of concept demo of the vulnerability, which he shared with former Washington Post staffer Brian Krebs, who runs the Krebs on Security blog, around a fortnight ago.

Continued : http://www.theregister.co.uk/2011/02/01/dating_site_security_breach_row/

Brian Krebs : PlentyofFish.com Hacked, Blames Messenger

Markus Frind: Plentyoffish Hacked

With great name comes great liability?
by Carol~ Forum moderator / February 1, 2011 3:52 AM PST

As users become smarter in distinguishing the name of fake and real antivirus programs, rogueware authors have now resorted to a bolder move - stealing the identity of a legit program and using it on their fake products. A rogue was recently discovered to be using AVG's logo and reputable name, hoping to mislead and trick people into purchasing the fake AV.

It implemented the typical method used by other rogues, i.e., pretending to scan the system and then claiming to have detected multiple malicious files. Since the free version is limited in capability, users have to upgrade to the full (fake) version to remove these files.

Aside from AVG's logo, the rogue's interface bears no resemblance to that of the legit AVG Anti-Virus Free Edition 2011.

Fake [Screenshot] vs Real [Screenshot]

However, users who aren't familiar with the product might not notice this difference and think that they are getting the real thing.

One bit of advice - watch out for the source. Most antivirus companies provide free/trial versions of their products directly on their websites. So, skip the untrustworthy channel and get it directly from the AV vendors.

Outbreak: Post Express Service malware attack spammed out
by Carol~ Forum moderator / February 1, 2011 3:52 AM PST

Be on your guard against the latest "undelivered package" malware attack that cybercriminals are spamming out right now.

Regular readers of Naked Security will be all too familiar with emails claiming to come from the likes of FedEx, UPS and DHL which pretend to be about a parcel that wasn't delivered properly (and all you have to do is click on the attachment to become infected.)

Now we're seeing malicious emails which pretend to come from "Post Express Service". Here's a typical example: [Screenshot]

Subject: Post Express Service. Get the parcel NR<random number>
Message body:
Dear client.

Your package has been returned to the Post Express office.
The reason of the return is "Error in the delivery address"

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you.
Post Express Support

Attached file: Post_Express_Label_<random number>.zip

Other subject lines used in the attack include:

Continued : http://nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out/
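As an added example (not code from Sophos), detection logic built from the sample above: a mail-filter function that flags the fixed subject and attachment templates and also catches variants by pairing a ZIP attachment with the lure wording from the body. The sample mails, the `lure_phrase_count` threshold of two phrases and the `Email` record type are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Patterns derived from the sample in the post: a fixed subject with a random
# number after "NR", and a ZIP attachment named Post_Express_Label_<number>.zip.
SUBJECT_RE = re.compile(r"^Post Express Service\. Get the parcel NR\d+$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Post_Express_Label_\d+\.zip$", re.IGNORECASE)

# Lure wording from the message body; used to catch variants whose subject or
# attachment name differs (the post notes that other subject lines were used).
LURE_PHRASES = (
    "returned to the post express office",
    "error in the delivery address",
    "print mailing label",
)


@dataclass
class Email:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)


def lure_phrase_count(body: str) -> int:
    """Count lure phrases present in the body, ignoring case and line breaks."""
    text = " ".join(body.lower().split())
    return sum(phrase in text for phrase in LURE_PHRASES)


def classify(mail: Email) -> List[str]:
    """Return the reasons the mail matches the campaign; an empty list means clean."""
    reasons: List[str] = []
    if SUBJECT_RE.match(mail.subject.strip()):
        reasons.append("subject matches campaign template")
    zip_attachments = [a for a in mail.attachments if a.lower().endswith(".zip")]
    for name in zip_attachments:
        if ATTACHMENT_RE.match(name):
            reasons.append(f"attachment {name} matches campaign template")
    # Variant detection: any ZIP attachment combined with at least two lure phrases
    # (threshold is an assumption chosen to avoid flagging a lone common phrase).
    if zip_attachments and lure_phrase_count(mail.body) >= 2 and not any("attachment" in r for r in reasons):
        reasons.append("zip attachment with parcel-lure wording")
    return reasons


def is_malicious(mail: Email) -> bool:
    return bool(classify(mail))


# Constructed samples, not real captured mail. The body reproduces the wording quoted in the post.
SAMPLE_BODY = """Dear client.

Your package has been returned to the Post Express office.
The reason of the return is "Error in the delivery address"

Attached to the letter mailing label contains the details of the package delivery.
You have to print mailing label, and come in the Post Express office in order to receive the packages.

Thank you.
Post Express Support
"""

CAMPAIGN_MAIL = Email("Post Express Service. Get the parcel NR8813710", SAMPLE_BODY, ["Post_Express_Label_8813710.zip"])
VARIANT_MAIL = Email("Your parcel could not be delivered", SAMPLE_BODY, ["label_24871.zip"])
CLEAN_MAIL = Email("Quarterly report attached", "Hi, the Q4 figures are attached as discussed.", ["q4_report.zip"])

if __name__ == "__main__":
    for mail in (CAMPAIGN_MAIL, VARIANT_MAIL, CLEAN_MAIL):
        print(f"{mail.subject!r} -> {classify(mail) or ['clean']}")
```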

Elementary Gmail phishing
by Carol~ Forum moderator / February 1, 2011 3:52 AM PST

Cybercriminals are regularly presented as twisted geniuses by the popular media, beavering away in dank basements constructing the latest malware to mess up critical national infrastructure or honing code to break into bank accounts and steal millions.

The truth is, of course, often somewhat less dramatic. The simple truth is that you don't need to build a sophisticated attack to trick the typical computer user into clicking on a dangerous link or attachment. You just need to dress it up as something alluring (a naked video of Natalie Portman or a bill for an air ticket you never purchased would probably do the job, for instance).

And sometimes, you just need to ask users a question with a straight enough face. If you're bold and brazen enough, you might just get away with it.

Take this elementary phishing attack that was seen by a Naked Security reader late last week, for instance. [Screenshot]

Continued : http://nakedsecurity.sophos.com/2011/02/01/elementary-gmail-phishing/

The End Of IP As We Know It
by Carol~ Forum moderator / February 1, 2011 4:47 AM PST

Today, IANA announced that it had handed out two more /8 IPv4 assignments to APNIC. As a result, IANA is down to 5 /8s, triggering its special policy to hand out one address to each regional registrar (RIR). The 5 RIRs are AFRINIC (Africa), APNIC (Asia Pacific), ARIN (North America), LACNIC (Latin America) and RIPE (Europe). [1]

IANA hands IP address space to the RIRs in chunks of /8s, who then pass it on to ISPs, who then pass it on to end users. Some large end users may approach their RIR directly, and some "legacy assignments" are managed by IANA directly.

But in the end, what does this all mean?

(this FAQ is a work in progress)

A Quick FAQ To IPv4 Exhaustion

1 - Will the Internet stop working?

Continued : http://isc.sans.edu/diary.html?storyid=10342

Also : IPv4 Internet addresses: 251 blocks down, 5 to go

IPv4's funeral expected to come Thursday
by Carol~ Forum moderator / February 1, 2011 7:50 AM PST

A press conference taking place on Thursday in Miami is expected to mark the last allocation of Internet Protocol, Version 4 addresses by the central authority that assigns them.

The event, which will be held at 9:30 a.m. Eastern time and will be shared via webcast, will bring together four nonprofit organizations that coordinate the Internet's addressing system, according to an advisory sent to the news media on Tuesday. The Internet Corporation for Assigned Names and Numbers (ICANN), the Number Resources Organization, the Internet Architecture Board and the Internet Society all are scheduled to participate.

The advisory specifies that the event will concern the dwindling number of IPv4 addresses. The total supply of 4.3 billion IPv4 addresses has been nearing depletion for several years, leading to warnings that enterprises and Internet service providers (ISPs) should adopt IPv6, a next-generation protocol with virtually unlimited addresses.

IPv4 addresses are allocated by the Internet Assigned Numbers Authority (IANA), a part of ICANN, in large "/8" blocks of about 16 million addresses each. IANA has allocated all but five of these blocks, and its rules now call for one of the remaining blocks to be handed out to each of the five regional Internet registries (RIRs).

Continued : http://www.computerworld.com/s/article/9207638/IPv4_s_funeral_expected_to_come_Thursday

Egyptians can now tweet without an Internet connection
by Carol~ Forum moderator / February 1, 2011 4:47 AM PST

After Facebook experienced the state-wide password hijacking attempt organized by the Tunisian government and solved it by using social authentication and routing login attempts coming from inside the country to the https version of the site, Twitter has also had the opportunity to do some out-of-the-box problem solving as Egypt plunges into "Internet darkness" courtesy of president Mubarak.

The question was how to allow the Egyptian people to keep tweeting about the situation in the country and seeing the tweets posted by others? Joining forces with a team of engineers from Google and SayNow, the Twitter team has been able to offer a solution that doesn't involve using the Internet.

Named Speak2Tweet, the solution allows anyone who doesn't have access to the Internet to tweet by leaving a voicemail on a dedicated international phone number (+16504194196 or +390662207294 or +97316199855).

Continued : http://www.net-security.org/secworld.php?id=10518

Kaspersky Confirms Source Code Leak, Threatens Legal Action
by Carol~ Forum moderator / February 1, 2011 4:47 AM PST

Russian antivirus vendor Kaspersky Lab has confirmed the unauthorized online availability of its intellectual property in the form of source code and warned that it will launch legal action against people who downloaded and shared it.

In a statement sent to Softpedia, the company says that partial source code for its 2008 range of consumer products was stolen almost three years ago by a former employee.

The person responsible was quickly arrested and received a three-year suspended prison sentence for violations under Article 183 of the Russian Federation Criminal Code.

Kaspersky further confirms that it had knowledge of the source code being distributed on underground forums since as early as November 2010 and that the same files made their way onto more public websites recently.

The company continues to maintain that the leak does not affect the security of its users or products, because all critical protection technologies have been radically changed since then.

Continued : http://news.softpedia.com/news/Kaspersky-Confirms-Source-Code-Leak-Threatens-Legal-Action-Against-Downloaders-181456.shtml

Related : Kaspersky source code on the internet after data theft

Also : Kaspersky plays down source-code leak

AppRiver Filters Malicious Websites via SecureSurf
by Carol~ Forum moderator / February 1, 2011 6:06 AM PST

AppRiver's new SecureSurf Web-filtering application combines Domain Name System lookups with proxy routing to filter potentially malicious content from Internet traffic.

Businesses can use SecureSurf to block Websites containing malicious content as well as to enforce corporate browsing policies, Joel Smith, CTO of AppRiver, told eWEEK. When a user attempts to visit a Website, SecureSurf first checks the site against a continuously updated list to learn if it is a known malicious address. The list includes sites that distribute malware and contain adult content or other objectionable content. Administrators can also create "whitelists" of known good sites that users are allowed to access.

SecureSurf directs all sites not on either list through a hosted proxy server, which conducts a rapid and detailed content analysis, Smith said. While the DNS (Domain Name System) lookup instantly rejects known bad sites, the proxy server can be used to evaluate sites that may not be known yet or are legitimate sites that somehow violate company policy, he said. If the company policy restricts users accessing video-sharing sites, administrators can configure SecureSurf using the customer portal to block those sites.

Continued : http://www.eweek.com/c/a/Security/AppRiver-Filters-Malicious-Web-Sites-via-SecureSurf-116907/

DIY Cybercrime: Exploits, Loaders, and Affiliates Part 2
by Carol~ Forum moderator / February 1, 2011 6:06 AM PST

This is the second half of our 2-part report about how cybercrime kits aid cybercriminals in conducting malicious attacks. The first post primarily discussed how the Phoenix Exploit Kit is used to exploit many possible bugs on a user's system, thus leading to system compromise. This second part discusses the employment of the DLoader toolkit, and how the earlier mentioned compromise escalates further to the installation of multiple malware into the user's system.

DLoader and the Botnet Business Model

The distribution of malware is typically conducted within partnerships and affiliate programs. One model used to monetize botnet operations is known as the pay-per-install (PPI) model, wherein affiliate programs pay malware distributors whenever the distributor installs a specific piece of malware onto a victim's computer.
DLoader is a Web-based administration tool that allows botnet operators to manage the malware that they force the bots under their control to install. For each installation, the botnet operator receives payment from partners or affiliates.

Continued : http://blog.trendmicro.com/diy-cybercrime-exploits-loaders-and-affiliates-part-2/

Related : DIY Cybercrime: Exploits, Loaders, and Affiliates Part 1

U.S. Resume Controversial File-Sharing Domain Seizures
by Carol~ Forum moderator / February 1, 2011 7:50 AM PST

US authorities have seized the domain of the hugely popular sports streaming and P2P download site Rojadirecta. The site, which is one of the most visited sites on the Internet, lost its .org domain which now redirects to a notice from DOJ/ICE. Rojadirecta is an unusual target because two courts in Spain have ruled that the site operates legally, and other than the .org domain the site has no links to the US.

Rojadirecta is known as one of the world's major Internet sports broadcast indexes. The site links to broadcasts of many popular soccer matches plus other sporting events including NBA, MLB, NFL, NPB, IPL.

The site has well over a million visitors a day, and is listed among the 100 most popular sites in Spain in terms of traffic. This morning, however, visitors were surprised by a warning from US authorities. Continuing the previous "Operation in Our Sites" actions, the Department of Justice (DOJ) and Homeland Security's Immigration and Customs Enforcement (ICE) had seized Rojadirecta's .org domain.

Continued : http://torrentfreak.com/us-resume-file-sharing-domain-seizures-110201/

Also from Torrent Freak:

670 Alleged File-Sharers Off The Hook As BitTorrent Case Dismissed

Last year, an adult movie producer filed suit against 670 individuals who it claimed had infringed copyright on an obscure title. Now the entire case, which was presented by lawyer Evan Stone, has been dismissed. The plaintiffs were scathing about the court-appointed EFF attorneys, describing them as defenders of piracy. The case was dismissed with prejudice, which means that each of the John Doe defendants are completely off the hook.

On 21st September 2010, a mass lawsuit was filed at the U.S. District Court for the Northern District of Texas. The suit, which was filed by lawyer Evan Stone on behalf of Mick Haig Productions, targeted 670 BitTorrent users who allegedly shared an obscure adult movie titled Der Gute Onkel.

As revealed in our earlier article, the complaint stated that Mick Haig owns the copyright to the movie, but it was never officially registered with the Copyright Office. But as we will read, there were bigger, more terminal problems in store.

Report: Ryanair's booking system is insecure
by Carol~ Forum moderator / February 1, 2011 7:50 AM PST

Economy airline Ryanair's online booking system allows for flight amendments and the addition of extra services for their associated fees. According to a report by Berlin newspaper Der Tagesspiegel (German language link), it's easy for an outsider to gain access to the system using just a reservation number or email address along with the flight date as well as the departure and destination airports. This data can be found out quite easily, for example by asking people about their holiday plans via Facebook. It's therefore relatively easy for anyone to maliciously manipulate Ryanair bookings.

While other airlines require either a password or a unique booking number to access their booking systems, Der Tagesspiegel quotes Ryanair spokesman Daniel de Carvalho as saying such security measures are superfluous. He stresses that it is each passenger's responsibility to keep their personal information secure.

