
Spyware, Viruses, & Security forum


NEWS - February 18, 2013

by Carol~ Forum moderator / February 17, 2013 11:33 PM PST
Facebook computers compromised by zero-day Java exploit

Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware. In an exclusive interview with Ars Technica, company officials said that the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers. But other companies who were affected by the same hacking campaign may not have been so lucky.

Facebook's internal security team worked with a third party to "sinkhole" the attackers' command server, taking over the network traffic coming into it from systems infected by its malware. They discovered traffic coming from several other companies, according to Facebook Chief Security Officer Joe Sullivan. Facebook notified those companies of the attack, and it has turned the case over to federal law enforcement. An investigation is still ongoing. While some of the affected companies were aware of an ongoing attack, others were unaware of the problem before being notified by Facebook.

Continued :

Facebook Attackers Exploited Java Zero-Day Bug
Facebook Says Employee Laptops Compromised in 'Sophisticated' Attack
Facebook engineers compromised by Java Zero-day

Can freezing an Android device crack its encryption keys?
by Carol~ Forum moderator / February 18, 2013 12:55 AM PST

Every few years, someone reads, or remembers, or rediscovers something we often forget: computer memory isn't volatile, after all.

RAM chips don't lose their contents immediately when you turn your computer off, and that can have interesting security ramifications.

Don't get too excited: RAM contents don't persist without power in a reliable and consistent way.

If you accidentally pull the plug out of the wall before you've saved that fantastic new presentation, don't expect to get it back.

But if you can cycle the power quickly enough, and reboot under your own control from some secondary device, such as a USB key, you might be able to see the ghostly remnants of what the previously-running operating system was up to.

You can guess where this is going.


Boffins FREEZE PHONES to crack Android on-device crypto
A spell in the freezer unlocks Android RAM data

BlackBerry Enterprise Server vulnerable to dangerous TIFFs
by Carol~ Forum moderator / February 18, 2013 12:56 AM PST

BlackBerry has published details of critical vulnerabilities in components of its BlackBerry Enterprise Server (BES). The holes allow attackers to execute arbitrary code on systems running BlackBerry Enterprise Server.

The flaws affect the BlackBerry MDS Connection Service and BlackBerry Messaging Agent when they are processing TIFF images for rendering on BlackBerry smartphones. The MDS Connection Service flaw requires an attacker to create a web page and persuade a BlackBerry smartphone user to view that page and click on a link. With the Messaging Agent flaw it is possible for an attacker to embed a specially crafted image into an email to a user of the enterprise server; it is not necessary for a user to click on anything or even attempt to view the message for the exploit to take place. The underlying bugs, CVE-2012-2088 and CVE-2012-4447, exist in the libtiff library and are fixed in BES 5.0.4 MR2.

Continued :

Also: BlackBerry warns of TIFF vulnerability that could allow malware to run on enterprise servers

Fake invoices in personalized emails deliver ransomware
by Carol~ Forum moderator / February 18, 2013 12:56 AM PST

When a business, social network or any other online service that you use or have signed up for sends you an email, they address you by the name you provided. This is one of the things that usually differentiates real email from spoofed malicious ones, but there are exceptions.

Spear-phishing emails are one, and the other is emails in which attackers extract likely names from the email address they send the message to, in the hopes of guessing the right one.

Avira's Sorin Mustaca recently received an email that falls in this latter category: [Screenshot]

The email has purportedly been sent by German online shopping portal and tried to convince him to open the attached file (allegedly the invoice for things he bought).

The email "contains in the body the first and last name taken probably from the email address, thus being very convincing for the unaware user," he pointed out. "The same formula is used to name the attachment - a zip archive with the name 'Rechnung .zip' / 'Invoice .zip'."

Continued :

Related: Reveton Ransomware Still Distributed via Cleverly Designed Emails, Despite Arrests

Brace for MORE ZOMBIE ATTACK ALERT pranks, warn security bod
by Carol~ Forum moderator / February 18, 2013 12:56 AM PST

Vulnerabilities in America's TV emergency alert system - exploited last week by pranksters to put out fake warnings of a zombie apocalypse - remain widespread, it is claimed. And that's after station bosses remember to change the default passwords on their broadcast equipment.

Mischievous miscreants managed to hack into a television station's emergency alert system in Montana to broadcast an on-air audio warning about the end of the world.

The attack on KRTC's equipment was repeated in three other states: two stations were electronically broken into in Michigan as well as several others in California, Montana and New Mexico, according to Karole White, president of the Michigan Association of Broadcasters. "It isn't what [the pranksters] said," White said. "It is the fact that they got into the system."

Continued :

Mozilla Updates CA Certificate Policy
by Carol~ Forum moderator / February 18, 2013 1:39 AM PST

Mozilla announced an update to their CA Certificate policy on Friday, including changes on compliance and auditing. The update, the organization explained in a blog post, continues their efforts towards stronger controls and visibility.

"Mozilla is working towards stronger controls and visibility of publicly-trusted issuing certificates in order to make better trust decisions, detect security incidents faster, and limit the impact of each security incident," a blog post from the Mozilla Security Team explained.

Version 2.1 of the CA Certificate policy encourages CAs to constrain subordinate CA certificates using X.509 extensions (RFC 5280) to restrict usage. However, the post adds that Mozilla knows such constraints may not be practical in some cases. Therefore, subordinate CA certificates may instead be publicly disclosed, and audited in accordance with Mozilla's CA Certificate Policy.

All subordinate CA certificates that are issued after May 15, 2013 must comply with the new CA Certificate policy within one year, accounting for the impact these changes may have to large organizations that will need to plan for new infrastructure and auditing.

Continued :

Contest aims to boost state of password encryption
by Carol~ Forum moderator / February 18, 2013 2:43 AM PST

A group of cryptographers from academia and the tech industry are hoping to improve online password protection by holding an international competition to develop a new password hash algorithm that is more difficult for hackers to break.

Organizers of the Password Hashing Competition have set up a website for submissions, which are due by Jan. 31, 2014. The group has also posted technical guidelines and an explanation of how entries will be evaluated. No prizes are planned. The National Institute of Standards and Technology is a key body in the setting of standards for encryption and hash algorithms.

Hashing algorithms are used to turn plaintext passwords into a series of letters and numbers to foil hackers that break into databases supporting websites. Popular algorithmic standards used today include the NIST-controlled SHA, designed by the U.S. National Security Agency. SHA stands for Secure Hash Algorithm.

Continued :

Also: Cryptographers Aim to Find New Password Hashing Algorithm
