NEWS - February 01, 2013

For the second time in a month, Apple has effectively blacklisted the current version of the Java Web plugin on OS X. The block comes just days after it was discovered that the latest version of the plugin, which had been rushed out to patch a critical vulnerability, can still be exploited despite its heightened security mechanisms.

Apple has worked to distance itself from Java in recent years. The company deprecated its own version of the Java virtual machine for OS X, instead deferring development to Oracle itself. The browser plugin in particular has become a common vector for malware attacks, and Apple removed the Java Web plugin from recent versions of OS X last year. Those needing the plugin must install it separately.

Apple has also added additional security controls to OS X, including a mechanism that forces its Safari browser to use a minimum specified version of various plugins, such as Flash or Java. When security vulnerabilities are discovered in various plugins, Apple can update its Xprotect list to specify which version is acceptable. Earlier versions of plugins are then blocked from running within Safari.

Continued : http://arstechnica.com/apple/2013/01/for-second-time-in-a-month-apple-blacklists-java-web-plug-in/

Also: Apple blocks Java on the Mac over security concerns

From Bitdefender's "HOTforSecurity" blog:

Popular webmail provider Yahoo has been slammed with a new e-mail-based attack that seizes control of victims' accounts. Bitdefender Labs discovered the ongoing campaign today and are once again warning users about the dangers of clicking spammy links.

The account hijacking begins with a spam message with a short link to an apparently harmless session of the reliable news channel MSNBC (hxxp://www.msnbc.msn.com-im9.net[removed]).

A closer look at the real link reveals that the true domain is not part of MSNBC, but a crafty domain composed of subdomains at hxxp://com-im9.net.

The domain was registered in Ukraine on Jan 27 and is hosted in a data center in Nicosia, Cyprus. This page contains a piece of malicious JavaScript, disguised as the popular Lightbox library that will perform the attack in stage 2. [Screenshot]

Continued : http://www.hotforsecurity.com/blog/yahoo-accounts-hijacked-via-xss-type-attack-5172.html

Related: How Yahoo allowed hackers to hijack my neighbor's e-mail account (Updated)

From the Symantec Security Response Blog:

A few weeks ago, we observed a spear phishing campaign targeting groups in the aerospace and defense industry. We identified at least 12 different organizations targeted in this attack. These organizations include aviation, air traffic control, and government and defense contractors. [Screenshot]

In choosing their targets, the attackers identified individuals in important roles, including directors and vice presidents. The content of all the emails were identical. The attackers used a report published in 2012 regarding the outlook of the aerospace and defense industries as the lure. The intention of the attackers was to make it seem as though this email originally came from the company that authored the report. The emails were also crafted to look as though they were being forwarded by internal employees or by individuals from within the industries identified.

When the malicious PDF attached to the email is opened, it attempts to exploit the Adobe Flash Player CVE-2011-0611 'SWF' File Remote Memory Corruption Vulnerability (CVE-2011-0611). If successful, it drops malicious files as well as a clean PDF file to keep the ruse going.

Continued : http://www.symantec.com/connect/fr/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry

From the F-Secure Antivirus Research Weblog:

Yesterday as I was testing Facebook's Graph Search, which is in Beta, I searched for the following: women who live in Helsinki, Finland and who like sushi. (I wanted something that would get lots of results. It did.)

At the end of the day, I cleared my search history.

Then today, a sponsored story for a Helsinki-based sushi restaurant appeared in my News Feed. [Screenshot]

Perhaps it's just a coincidence...

In any case, today, continuing my testing, I searched for people with my name who live in Finland. (The result: me and another guy.) Graph Search will definitely make it easier for your Facebook profile to be found by others.

Here's a couple of things to check on just to make sure you don't have anything exposed.

First of all, consider limiting all of your old posts. Most of the profiles that I've observed make good use of current privacy controls, but some have pre-2010 legacy posts which are public. [Screenshot]

Continued : http://www.f-secure.com/weblog/archives/00002495.html

Google Chrome users are being targeted these days by a wave of attacks that uses malicious extensions hosted in the official Chrome Web Store. The attack appears to be of Turkish origin and is using Facebook to spread. We saw users of different nationalities infected with the malicious extensions, which the cybercriminals are sending to the official store regularly, in a cat-and-mouse game.

As we already reported in March 2012, Brazilian cybercriminals were able at that time to host a malicious extension in the Chrome Web Store. Since then in June 2012 Google has changed the way users can add third party browser extensions i.e. not allowing the installation that are not hosted on the official Web Store. More recently Google removed the possibility of silent installations, which has been widely abused by third parties.

Maybe for these reasons bad guys started to concentrate their efforts to upload bad extensions to the official store. Now it's the turn of Turkish cybercriminals; they were able to host several extensions there in the last few days.

Continued : http://www.securelist.com/en/blog/208194095/Malicious_Chrome_extensions_a_cat_and_mouse_game

"Black Hat Europe researcher builds prototype device that could be used to steal corporate data, listen in on voice calls, videoconferences"

You know that docking station you snap your laptop into at the office? It can be hacked, too.

A British researcher next month at Black Hat Europe will show just how valuable those seemingly benign devices can be to a determined attacker targeting an organization or group of users. Andy Davis, research director for UK-based NCC Group, built a prototype hardware device that can easily be placed inside a laptop docking station to sniff traffic and ultimately, steal sensitive corporate communications information from the laptop.

"You see docking stations all over the place in organizations because people are using hot-desking type environments, so different laptops can be attached to them [the docks] each day," Davis says. "And they are considered a trusted part of the infrastructure: nobody thinks someone might tamper with one or swap one for another. Admins are more concerned with protecting your laptop: that's where the money is and the information."

Continued : http://www.darkreading.com/mobile-security/167901113/security/client-security/240147566/hacking-the-laptop-docking-station.html.html

Related: Laptop Docks Can Be Used for Hardware-Based Cyberattacks, Expert Says

While Android malware continues to grow faster than other malware types, it still accounts for only a minute fraction of all malware on the Web, according to Cisco's annual security report released this week.

Compromised websites hosting malicious Java and iFrame attacks and other malware far and away outpaces all other delivery vectors for malware, Cisco's report said.

"These types of attacks often represent malicious code on 'trusted' webpages that users may visit every day— meaning an attacker is able to compromise users without even raising their suspicion," the report added.

Infecting benign sites with malware remains at the heart of malware propagation as attackers continue to find great success delivering malware over infected banner ads on Websites, malicious media files or redirects via iFrame

"Web malware encounters occur everywhere people visit on the Internet—including the most legitimate of websites that they visit frequently, even for business purposes," said Mary Landesman, senior security researcher with Cisco. "Indeed, business and industry sites are one of the top three categories visited when a malware encounter occurred. Of course, this isn't the result of business sites that are designed to be malicious."

Continued: https://threatpost.com/en_us/blogs/report-mainstream-websites-host-majority-malware-013113

The world's largest online ticket retailer is to stop requiring users to enter hard-to-read words in order to prove they are human.

Captcha - which asks users to type in words to prove they are not robots trying to cheat the system - is used on many sites.

But Ticketmaster has moved to ditch it in favour of a simpler system.

It means users will write phrases, such as "freezing temperatures", rather than, for example, "tormentis harlory".

Captcha stands for Completely Automated Public Turing test to tell Computers and Humans Apart, and was first developed at Carnegie Mellon university in 2000.

For sites such as Ticketmaster, Captcha is used to make sure robots are not used to buy up tickets automatically.

Continued : http://www.bbc.co.uk/news/technology-21260007

Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example — images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly.

In October 2012, forensics experts with Trustwave Spiderlabs were called in to examine the handiwork of several Bluetooth based point-of-sale skimmers found at a major U.S. retailer. The skimmers described and pictured in this blog post were retrieved from a retail breach that has not yet been disclosed, said Jonathan Spruill, a security consultant at Trustwave.

Spruill said the card-skimming devices that had been added to the small point-of-sale machines was beyond anything he'd encountered in skimmer technology to date.

"The stuff we've been seeing lately is a leap forward in these types of crimes," said Spruill, a former special agent with the U.S. Secret Service. "You hate to say you admire the work, but at some point you say, 'Wow, that's pretty clever.' From a technical and hardware standpoint, this was really well thought-out."

Continued: http://krebsonsecurity.com/2013/02/pro-grade-point-of-sale-skimmer/

From the GFI Labs Blog:

There's currently a number of "Twitter Verified" style accounts posting to Twitter, asking users to "Retweet to become verified", or posting up peculiar minigames along the lines of "The last person to RT this Tweet becomes verified". It's all rather odd, and shows no sign of slowing down. [Screenshot]

At this point, we've seen the following accounts posting similar content:

⇒ VerifiedTwiiter (notice the "ii")
⇒ PersonalVerify
⇒ nextverified
⇒ requestverified
⇒ openverified
⇒ verifiedartist
⇒ privateverified
⇒ diewhilelaughin

freeverify seems to be unrelated, with the last Tweet appearing back in August (humorously, it also mentions "we have not been verified as it takes 1 to 3 months to be totally verified". It takes up to 3 months for Twitter to verify itself?)

Along with asking for Retweets, some of the accounts seem to be looking for recently verified individuals, then sending them a Tweet to say "you're verified" shortly afterwards. By doing so, it would appear to anybody looking on that they had indeed just verified somebody.

Continued : http://www.gfi.com/blog/retweet-to-become-verified-on-twitter-not-likely/

Banking malware has primarily been just that, an attack tool used against financial institutions to steal money from online bank accounts. But what if cybercrime gangs decided to flip that on its head, and use malware such as the Citadel banking Trojan to steal credentials from not only banks, but government agencies and commercial businesses?

That situation apparently has been in play since late December. McAfee reported this week that it has observed an uptick in attacks, primarily in Europe, where Citadel has been used to attack government offices in Poland, businesses in Denmark and Sweden, as well as government agencies in Japan.

The use of Citadel, a less-circulated variant of the Zeus malware, is noteworthy because Citadel was removed from commercial underground marketplaces last June after its author Aquabox was banned from trading and said he would sell only to referrals. McAfee has observed 300 Citadel samples still active in the wild compromising more than 500 victims in Europe. By comparison, fewer than a dozen have been compromised in the United States. By comparison, Zeus infections number in the tens of thousands, McAfee's Ryan Sherstobitoff said in the company's report, "Inside the World of the Citadel Trojan."

Continued : https://threatpost.com/en_us/blogs/citadel-trojan-it-s-not-just-banking-fraud-anymore-020113