Spyware, Viruses, & Security forum

NEWS - February 25, 2014

by Carol~ Forum moderator / February 24, 2014 10:16 PM PST
New iOS flaw makes devices susceptible to covert keylogging, researchers say

"Proof-of-concept app in Apple's App Store sent keystrokes to remote server."

Researchers said they have identified a flaw in Apple's iOS that makes it possible for attackers to surreptitiously log every touch a user makes, including characters typed into the keyboard, TouchID presses, and adjustments to the volume control.

The vulnerability affects even non-jailbroken iPhones and iPads running iOS versions 7.0.4, 7.0.5, and 7.0.6, as well as those running on 6.1.x, researchers from security firm FireEye wrote in a blog post published Monday night. They said attackers could carry out the covert monitoring using an app that bypasses Apple's stringent app review process. The app uses multitasking capabilities built into iOS to capture user inputs. The blog post explained:

'We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This "monitoring" app can record all the user touch/press events in the background, including touches on the screen, home button press, volume button press and TouchID press, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.....

Continued : http://arstechnica.com/security/2014/02/new-ios-flaw-makes-devices-susceptible-to-covert-keylogging-researchers-say/
Proof of concept captures all SSL traffic via Apple's goto..
by Carol~ Forum moderator / February 25, 2014 12:06 AM PST
Proof of concept captures all SSL traffic via Apple's goto fail exploit

"A New Zealand security consultant has used a man-in-the-middle proxy to mop up all SSL traffic related to the App store, updates, iCloud data, and traffic from apps that use certificate pinning, such as Twitter."

Less than a day's work was all it took for one New Zealand security consultant to develop a proof of concept for the actively open OS X exploit revealed at the weekend, and known as "goto fail".

Aldo Cortesi, CEO and founder of security consultancy firm Nullcube, said in a blogpost today that he had modified his existing mitmproxy code to take advantage of the open hole in OS X Mavericks.

"I've confirmed full transparent interception of HTTPS traffic on both iOS (prior to 7.0.6) and OSX Mavericks," Cortesi wrote.

"Nearly all encrypted traffic, including usernames, passwords, and even Apple app updates can be captured."

Cortesi said that iCloud data, including KeyChain enrollment and updates, data from Calendar application, and traffic from apps that use certificate pinning, such as Twitter.

Continued : http://www.zdnet.com/proof-of-concept-captures-all-ssl-traffic-via-apples-goto-fail-exploit-7000026735/
Microsoft EMET's protections can be bypassed ..
by Carol~ Forum moderator / February 25, 2014 12:06 AM PST
.. researchers show

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a good piece of software and helpful for protecting non-kernel Microsoft applications and third-party software, but the protection it offers can also be bypassed completely if the attackers know what they are doing, claim researchers from security firm Bromium.

"EMET adds special protections (for 32bit processes only) against a relatively new hacker technique known as ROP (return oriented programming)," Bromium's Jared DeMott explained in a blog post.

Continued : http://www.net-security.org/secworld.php?id=16420

Related:
Attack code bypasses Microsoft zero-day protection software
Researchers Develop Complete Microsoft EMET Bypass
New attack completely bypasses Microsoft zero-day protection app
YouTube ads spread banking malware
by Carol~ Forum moderator / February 25, 2014 1:19 AM PST

Security researchers at Bromium have discovered that hackers were spreading malware onto computers while unsuspecting users were watching YouTube videos.

The drive-by-download attack was distributed via adverts shown on the YouTube website, and used an exploit kit to infect Windows PCs with a version of the Caphaw banking Trojan.

According to a blog post by Bromium, the attack relied upon the exploitation of a Java vulnerability (CVE-2013-2460, patched by Oracle in mid-2013).

According to the security firm, whose vSentry technology intercepted the attack, the exploit kit used by the hackers was the same one which was recently used to infect visitors to the Hasbro toys website.

Continued: http://grahamcluley.com/2014/02/youtube-malware/

Card Backlog Extends Pain from Target Breach
by Carol~ Forum moderator / February 25, 2014 1:20 AM PST

Last week's story about steeply falling prices on credit and debit card data stolen from Target mentioned several reasons why many banks may not have already reissued all of their cards impacted by the breach. But it left out one other key reason: A huge backlog of orders at companies that manufacture credit and debit cards on behalf of financial institutions.

Turns out, while the crooks responsible for monetizing the Target breach seem to have had little trouble counterfeiting stolen cards, the process by which banks obtain legitimate replacement cards for their customers is not always quite so speedy.

I recently spoke with a gentleman who heads up security at a small federal credit union, and this individual said his institution ended up printing their own cards in-house after being told by their financial services provider that their order for some 2,000 new customer cards compromised in the Target breach would have to get behind a backlog of more than 2 million existing orders from other banks.

Continued : http://krebsonsecurity.com/2014/02/card-backlog-extends-pain-from-target-breach/

Apple releases OS X 10.9.2, patches SSL flaw and adds ..
by Carol~ Forum moderator / February 25, 2014 5:04 AM PST
.. FaceTime Audio support

"The "goto fail" bug has been patched after four days in the wild."

[Screenshot]
Visiting one of the many test sites for the "goto fail" bug in Safari in OS X 10.9.2 confirms that the problem has been fixed.

After several months of testing, Apple has released OS X version 10.9.2 to the general public. In addition to the typical laundry list of updates and security fixes, the second major update to Mavericks fixes the "goto fail" SSL/TLS bug that Apple patched in iOS 7 on Friday. The SSL bug isn't mentioned in the release notes that appear in Software Update, but the bug is mentioned on Apple's security page for 10.9.2. We were also able to confirm the fix by visiting several goto fail test sites in Safari after applying the update. Security updates for Mountain Lion and Lion have been provided as well, but previous versions of OS X were never affected by the goto fail bug in the first place—those patches will fix other problems, but users won't need to worry about the goto fail bug either way.

Continued : http://arstechnica.com/apple/2014/02/apple-releases-os-x-10-9-2-patches-ssl-flaw-and-adds-facetime-audio-support/

Related: Mac OS X 10.9.2 released. Apple fixes critical SSL security hole
Android Trojan delivered via Facebook "Suggested Posts"
by Carol~ Forum moderator / February 25, 2014 5:06 AM PST

Researchers have uncovered a potentially massive attack on Android users. This highly elaborate ploy originates on Facebook, where cyber-criminals advertise a series of apps.

When users access Facebook from their Android mobile device, they will see different messages under the title "Suggested Post" advertising WhatsApp tips like: "Want to know how to see your contacts' chats on WhatsApp?" or "Want to hide your WhatsApp connection status?".

If the intended victim clicks on any of these ads, they are redirected to a fake version of Google Play, the Android app store. The user, thinking that this is the genuine site, downloads the free app, which is really a Trojan that subscribes users to a premium-rate SMS service without their knowledge.

Continued : http://www.net-security.org/malware_news.php?id=2717

WhatsApp Desktop Client Doesn't Exist, Used in Spam Attack
by Carol~ Forum moderator / February 25, 2014 5:06 AM PST
.. Anyway

TrendLabs Security Intelligence Blog:

The popular messaging application WhatsApp recently made headlines when it was acquired by Facebook for a staggering $19 billion. Cybercriminals didn't waste much time to capitalize on this bit of news: barely a week after the official announcement, we saw a spam attack that claims that a desktop version of the popular mobile app is now being tested. [Screenshot: Spammed message]

Our engineers found a spam sample that mentions Facebook's purchase of WhatsApp, and also says that a version of WhatsApp is now available for users on Windows and Mac PCs. The message also provides a download link to this version, which is detected as TROJ_BANLOAD.YZV, which is commonly used to download banking malware. (This behavior is the same, whether on PCs or mobile devices.)

Continued: http://blog.trendmicro.com/trendlabs-security-intelligence/whatsapp-desktop-client-doesnt-exist-used-in-spam-attack-anyway/
"Pony" botnet pilfers digital coins worth $220,000 in ..
by Carol~ Forum moderator / February 25, 2014 6:40 AM PST
.. sustained attack

"Malware steals digital wallets from infected computers." - [Screenshot: Geographical breakdown of computers infected by Pony]

Criminals have pilfered about $220,000 worth of bitcoins and other digital currencies in a sustained, global attack that uses malware to steal the digital wallets stored on infected computers, researchers said Monday.

The malicious application known as Pony stole the digital loot from 85 wallets from September through January, researchers from security firm Trustwave's Spider Labs division wrote in a blog post. In all, the malware stole coins from at least four different digital currencies, including 355 bitcoins, 280 Litecoins, 33 Primecoins, and 45 Feathercoins. The coins were only a small part of the assets seized by Pony. During the same four-month span, Pony lifted credentials for more than 725,000 accounts. Those user names and passwords controlled access to accounts for websites, e-mail, FTP, secure shell, and remote desktops.

Continued: http://arstechnica.com/security/2014/02/pony-botnet-pilfers-digital-coins-worth-220000-in-sustained-attack/

Related:
Cybercriminals Use Pony Botnet to Steal 700,000 Account Credentials, Virtual Currencies
Latest Instance of Pony Botnet Pilfers $200K, 700K Credentials
New Charity Scam Claims Parents Can't Afford Surgery
by Carol~ Forum moderator / February 25, 2014 6:40 AM PST

Bitdefender's "HOTforSecurity" Blog:

A new charity scam spreading on Facebook claims parents can't afford surgery for their sick baby, according to Hoax Slayer. Once again, scammers "trade" likes, comments and shares for $1 to $100. After gaining user engagement and compassion, they can redirect likes towards fraudulent or malicious profiles and pages.

The hoax features an image of a baby with a large surgery scar lying in a hospital bed. The scam claims that Facebook and CNN will donate money to cover the parents' medical expenses. Users are tricked into believing their like, share or comment will be converted into donation money.

"Please Dont Ignore,!" scam messages read. "His parents can't afford surgery so facebook and cnn are paying half of the expenses

1 like - $1

1 comment - 10$

1 share - 100$."

According to Hoax Slayer, the heart-wrenching picture is actually stolen from a 2012 blog post that discussed the baby's surgery. [Screenshot]

Continued : http://www.hotforsecurity.com/blog/new-charity-scam-claims-parents-cant-afford-surgery-8015.html