Spyware, Viruses, & Security forum


NEWS - February 15, 2013

by Carol~ Moderator / February 14, 2013 9:37 PM PST
Thanks, Adobe. Protection for critical zero-day exploit not on by default

The recently discovered zero-day attacks targeting critical vulnerabilities in Adobe's ubiquitous Reader application are able to bypass recently added security defenses unless end users manually make changes to default settings, company officials said.

According to an advisory Adobe published Wednesday night, the "protected view" feature prevents the current attacks from working—but only if it's manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the "Files from potentially unsafe locations," or even the "All files" option. Then click OK. There's also a way for administrators to enable protected view on Windows machines across their organization.

The revelation is significant because it means users aren't protected when using the default version of the widely used document reader. The limitation came to light following the discovery of in-the-wild attacks against current versions of Reader, which are being exploited to surreptitiously install malware on end-user computers. The exploit is also noteworthy because its intricate code base bypasses several additional protections added just four months ago with the goal of thwarting malware attacks.

Continued : http://arstechnica.com/security/2013/02/thanks-adobe-protection-for-critical-zero-day-exploit-not-on-by-default/

No patch yet for Adobe PDF exploits - Adobe suggests a workaround, but Mac users need not apply
Adobe recommends workaround for critical holes in Reader
Adobe Recommends Protected View as Temporary Zero Day Mitigation
How To Use PDF Files More Safely

iOS 6.1 flaw allows bypass of password-protected lock screen
by Carol~ Moderator / February 14, 2013 9:45 PM PST

A security flaw recently discovered in iOS 6.1 lets anyone bypass your iPhone password lock and access some of your data after following a series of steps. The method is detailed in the YouTube video below and involves making and immediately canceling an emergency call, holding down the power button a couple of times during the process, and pushing the home button after getting into the phone's contact list.

Once the lock is bypassed you won't actually have full access to every app on the phone but it's still possible to snoop around local device data. Particularly, users will be limited to the Phone app, and from there it's possible to browse contact information, make calls, check voicemails, and look through photos (by attempting to add a photo to a contact). You can even send emails and texts through the sharing-a-contact feature. [VIDEO]

Exactly how someone came up with such a combination of button holding and tapping is beyond me, but I was able to verify the method on an iPhone 4 running iOS 6.1 and it works. No word on whether iPads and iPods are vulnerable too but it seems unlikely since the process involves making an emergency call.

This isn't the first time a lock screen vulnerability in iOS has become public. A very similar bug affected iOS 4.1 back in 2010 and was fixed in iOS 4.2. The company hasn't commented on the latest loophole yet.

Here are the detailed steps:

Continued : http://www.techspot.com/news/51641-flaw-in-ios-61-lets-you-bypass-password-protected-lock-screen.html

iOS 6.1 brings back bug that gives anyone access to your contacts, photos (Update)
New iOS 6.1 Flaw Allows Access to iPhone's Contacts, Photos
New iOS 6.1 Security Flaw Grants Limited Access To Phone App, Photos, Email, Messages, FaceTime
Why The iOS 6.1 Exploit Is No Reason To Worry

Unlock iPhone w/o the passcode - harmless trick or crime?
by Carol~ Moderator / February 14, 2013 11:25 PM PST
Unlock an iPhone without the passcode - harmless trick or computer crime?

A YouTube video showing you how to unlock an iPhone 5 without the passcode has racked up nearly 300,000 hits over the past two weeks.

There are some caveats, though:

• You need physical access to the device.
• You need manual dexterity or a fair bit of practice.
• You only get access to some of the data.
• You have to make a phoney emergency call as part of the process.

I'm not going to repeat the instructions here.

I'll just say that they're reasonably arcane: you almost turn the phone off twice during the process, as well as actually placing an emergency call but cutting it off before it goes through.

For the last reason alone, I invite you never to pull this trick, even on your own phone "to see if it works".

I'm not sure what the regulations are in your country, but there's every possibility you could get in trouble with the authorities for that part of the trick alone.

In fact, it's not really a trick. It's a crime, even without the bogus emergency call.

Continued : http://nakedsecurity.sophos.com/2013/02/15/unlock-iphone-without-password/
Google Play Store's "privacy problem" is taxing
by Carol~ Moderator / February 14, 2013 9:46 PM PST

Google's Play Store is giving out email addresses, post codes and full names to the seller of an Android application whenever an app is purchased, according to an Australian developer's report. Calling it a "massive, massive privacy issue", Dan Nolan says "Google. Fix it. Immediately". The problem is that Google may not be able to fix it, as it appears to be related to how users and developers do business on Google's Play Store.

Another developer, Eric Butler, pointed out in a blog post that he had noted the issue of details being shared in July 2012 and other developers had observed the same problem. It was in one of the later discussions that a Google employee explained that the details were handed over because the developer was the merchant of record and had a number of responsibilities legally regarding taxes. Further details are available in a Google Help document which explained that pricing in many national stores was regarded as tax-inclusive and that it was the merchant of record's job to work out in which countries they owed tax. The information about purchases sent by Google was supplied for that purpose.

Continued : http://www.h-online.com/security/news/item/Google-Play-Store-s-privacy-problem-is-taxing-1803644.html

Also: Google Play Gives User Data to App Devs

Major Certificate Authorities Unite In The Name Of SSL
by Carol~ Moderator / February 14, 2013 9:46 PM PST

Amid growing concerns of threats to and the integrity of the certificate authority (CA) infrastructure, the world's biggest CAs have banded together to promote and evolve stronger website security.

"We felt SSL needed a leader," says Jeremy Rowley, associate general counsel for DigiCert, which, along with Comodo, Entrust, GlobalSign, Go Daddy, Symantec, and Trend Micro, today officially launched the new organization. "We felt a group of CAs, rather than one CA," was a better approach, he says.

The first line of business for the new Certificate Authority Security Council (CASC) is to push the adoption of online certificate status protocol (OCSP) stapling for Web server administrators, software vendors, browser makers, and end users. OCSP stapling is a method of revoking invalid or expired digital certificates. It's an enhancement to the OCSP protocol that basically eliminates the need for Web users to check OCSP responses with the CA, and is more efficient because the Web server caches the response from the CA.

"In OCSP stapling, the Web server goes to the CA, gets a response signed by the CA, and keeps it at the Web server. So when the browser goes there in the SSL handshake ... it gets a response right away," says Bruce Morton, director of certificate services for Entrust. "There's less latency to users of that site. It's a performance enhancement a lot of users are looking for."

Continued : http://www.darkreading.com/authentication/167901072/security/vulnerabilities/240148546/major-certificate-authorities-unite-in-the-name-of-ssl-security.html

New CA Group Has Big Names, Small Impact
CAs Form New Alliance to Focus on Security Issues, Education
Certificate Authorities Band Together to Improve SSL Security

Cyber Attacks Against Uyghur Mac OS X Users Intensify
by Carol~ Moderator / February 14, 2013 9:46 PM PST

From the Kaspersky Labs Weblog:

In partnership with researchers at AlienVault Labs, we've analysed a series of targeted attacks against Uyghur Mac OS X users which took place during the past months. You can read their analysis here. For our research, please read below.

We previously wrote about targeted attacks against Tibetan activists which used Mac OS X malware. In addition to these, last June we reported about attacks using Mac OS X malware against Uyghur supporters. These later attacks took advantage of social engineering to infect unsuspecting users with "Backdoor.OSX.MaControl.b".

During the past months, we've monitored a series of targeted attacks against Uyghur supporters, most notably against the World Uyghur Congress (WUC).

Several filenames were used in these attacks, including:

Continued : http://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify

A world of hurt after McAfee mistakenly revokes key for signing Mac apps
by Carol~ Moderator / February 14, 2013 9:46 PM PST

A McAfee administrator accidentally revoked the digital key used to certify desktop applications that run on Apple's OS X platform, creating headaches for customers who want to install or upgrade Mac antivirus products.

A certificate revocation list [CRL] hosted by Apple Worldwide developer servers lists the reason for the cancellation as a "key compromise," but McAfee officials said they never lost control of the sensitive certificate which is used to prove applications are legitimate releases. The revocation date shows as February 6, meaning that for seven days now, customers have had no means to validate McAfee applications they want to install on Macs.

"We were told that as a workaround, we should just allow untrusted certificates until they figure it out," an IT administrator at a large organization, who asked that he not be identified, told Ars. "They're telling us to trust untrusted certs, and that definitely puts us at risk."

Continued : http://arstechnica.com/security/2013/02/a-world-of-hurt-after-mcafee-mistakenly-revokes-key-for-signing-mac-apps/
Targeted 'phone ring flooding' attacks as a service going mainstream
by Carol~ Moderator / February 14, 2013 9:47 PM PST

Dancho Danchev @ the Webroot Threat Blog:

Throughout the past year, we observed an increase in the availability of malicious (DIY) tools and services that were once exclusively targeting sophisticated cybercriminals, often operating within invite-only cybercrime-friendly Web communities. This development is a clear indication that the business models behind these tools and services cannot scale, and in order to ensure a sustainable revenue stream, the cybercriminals behind them need to change their tactics - which is exactly what we're seeing them do.

By starting to advertise these very same malicious (DIY) tools and services on publicly accessible forums, they're proving that they're willing to sacrifice a certain degree of OPSEC (Operational Security) for the sake of growing their business model and attracting new customers. Just like the managed SMS flooding as a service concept, which we previously profiled and discussed, there's yet another tactic in use by cybercriminals who want to assist fellow cybercriminals in their fraudulent "cash-out schemes" - and it's called 'phone ring flooding as a service'.

In this post, I'll profile a popular, publicly advertised service, which according to its Web site, has been in operation for 3 years and has had over a thousand customers.

More details:

Continued : http://blog.webroot.com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/
Tax-themed malicious spam bombard inboxes
by Carol~ Moderator / February 14, 2013 11:25 PM PST

As the end of the U.S. tax season slowly approaches, cyber crooks are stepping up their game and are sending out bogus tax-themed emails.

Webroot warns about an alert supposedly sent by the U.S. Internal Revenue Service, claiming that the recipient's income tax refund appeal has been turned down: [Screenshot]

Those users who follow the offered link will be redirected to a compromised website hosting the Blackhole exploit kit and will be saddled with various malware.

Intuit, the company that develops popular tax preparation software and offers related services to businesses, is warning its customers about bogus "TurboTax State Return Rejected" emails: [Screenshot]

Continued : http://www.net-security.org/secworld.php?id=14426

A Chinese Hacker's Identity Unmasked
by Carol~ Moderator / February 15, 2013 4:08 AM PST

Joe Stewart's day starts at 6:30 a.m. in Myrtle Beach, S.C., with a peanut butter sandwich, a sugar-free Red Bull, and 50,000 or so pieces of malware waiting in his e-mail in-box. Stewart, 42, is the director of malware research at Dell SecureWorks, a unit of Dell, and he spends his days hunting for Internet spies. Malware is the blanket term for malicious software that lets hackers take over your computer; clients and fellow researchers constantly send Stewart suspicious specimens harvested from networks under attack. His job is to sort through the toxic haul and isolate anything he hasn't seen before: He looks for things like software that can let hackers break into databases, control security cameras, and monitor e-mail.

Within the industry, Stewart is well-known. In 2003 he unraveled one of the first spam botnets, which let hackers commandeer tens of thousands of computers at once and order them to stuff in-boxes with millions of unwanted e-mails. He spent a decade helping to keep online criminals from breaking into bank accounts and such. In 2011, Stewart turned his sights on China. "I thought I'd have this figured out in two months," he says. Two years later, trying to identify Chinese malware and develop countermeasures is pretty much all he does.

Computer attacks from China occasionally cause a flurry of headlines, as did last month's hack on the New York Times. An earlier wave of media attention crested in 2010, when Google and Intel announced they'd been hacked. But these reports don't convey the unrelenting nature of the attacks. It's not a matter of isolated incidents; it's a continuous invasion.

Continued : http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked
