NEWS - January 02, 2013

Jan 2, 2013 12:09AM PST
Microsoft Releases Fix It Tool to Address IE Security Zero-Day

Microsoft has pushed out a tool to help users address a zero-day vulnerability affecting Internet Explorer.

The Fix it tool is aimed at addressing a vulnerability discovered in the wild roughly a week ago. According to Microsoft, the issue affects IE versions 6, 7 and 8. Internet Explorer 9 and 10 are not impacted.

The bug exists in the way that IE accesses an object in memory that has been deleted or not properly allocated. As a result, memory can be corrupted in a way that would allow an attacker to remotely execute code with the rights of the logged on user. The release of the tool follows Microsoft's decision to issue an advisory on the bug during the weekend.

"This easy, one-click Fix it is available to everyone and prevents the vulnerability from being used for code execution without affecting your ability to browse the Web," blogged Dustin Childs, group manager of Microsoft Trustworthy Computing. "Additionally, applying the Fix it does not require a reboot. While we have still observed only a few attempts to exploit this issue, we encourage all customers to apply this Fix it to help protect their systems."

Continued : http://www.securityweek.com/microsoft-releases-fix-it-tool-address-ie-security-zero-day

See: Fix it Available for Security Advisory 2794220

Related:
Microsoft confirms new IE vulnerability used in targeted attacks, IE9 and IE10 users are safe
Microsoft says IE 6, 7, and 8 vulnerable to remote code execution
Microsoft Responds to IE Zero Day Used in CFR Watering Hole Attack
Critical zero-day hole in Internet Explorer - Update

Facebook Patches Webcam Snooping Vulnerability
Jan 2, 2013 12:10AM PST

Late last week the social networking giant Facebook patched a particularly voyeuristic security vulnerability in the platform that could have given malefactors the ability to remotely turn on the webcams of other users and post videos to their profiles, according to a Bloomberg News report.

The vulnerability was discovered in July by the Indian security firm XY Sec. The firm's founders, Aditya Gupta and Subho Halder told Bloomberg that Facebook must have considered the bugs serious because they paid XY Sec five times the typical $500 bug bounty price.

On his personal website, Gupta said the issue arose from a problem in Facebook's video upload feature. Evidently Facebook did not have, in Gupta's words, "proper security checks enforced." If exploited, it would have given an attacker the ability to secretly record video using another user's webcam and post that content to the victim's wall without their knowledge.

A Facebook spokesperson, Fred Wolens, told Bloomberg it appeared as if the vulnerability had not been exploited and that no users were impacted by it.

Continued : https://threatpost.com/en_us/blogs/facebook-patches-webcam-snooping-vulnerability-123112

Also: Facebook Fixes "Midnight Delivery" Privacy Flaw

Mobile Ad Networks: How Do They Operate?
Jan 2, 2013 1:01AM PST

From the Trendlabs Security Intelligence Blog:

Ever wonder how those pesky pop-up ads end up on your smartphone? More importantly, do you ever consider what this seemingly harmless display of ads can do to you and your data? There is more to these ads than just taking up space and eating up your phone's bandwidth and battery life.

This month's Mobile Review (pdf) sheds light on the overlooked organizations behind these ads, mobile ad networks. Get to know how they operate, their hidden activities, their motivations, and how they directly affect you. Though not intentionally malicious, their processes can still put mobile users at risk.

Late in November, Senior Threat Researcher Noriyaki Hayashi already gave us a concise breakdown of the free app ecosystem and the part mobile ad networks play in it. This report gives an update on how these networks have adapted to further aid app developers and, in some way, protect users as well.

Also in this report is a look at a mobile malware type called premium service abusers. We analyzed how they get on smartphones, how they behave, and why they are a preferred money-making scheme of cybercriminals. Compared to our midyear stats, premium service abusers remained the top mobile malware threat in November 2012, with FAKE and BOXER variants alone raking up to over 57% of our total accumulated mobile malware detections.

http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ad-networks-how-do-they-operate/

Security Suite Endurance Test Winners
Jan 2, 2013 1:01AM PST

Once you settle on your preferred security suite, most likely you'll stick with it for the long haul. It's important to choose a tough, effective suite. Researchers at AV-Test evaluated 17 major security suites over a period of 22 months and just published their results as "The Ultimate Endurance Test for Internet Security Suites." Each suite underwent ten rounds of testing under various Windows versions between January 2011 and October 2012, so in most cases the tests spanned multiple product versions. Bitdefender Internet Security earned the highest score, but others weren't far behind.

In each round of testing, a product could earn up to six points in each of three categories. For the purpose of this report, researchers averaged the ten scores for each product in each category. The sum of these averages is the final "endurance" score, with a maximum of 18 points possible.

Testing Protection
The protection test checks how well each product defends a test computer against malware attack. All of the programs were tested simultaneously to ensure that "the status of all update files and similar factors was on the same timescale." ...

Continued : http://securitywatch.pcmag.com/none/306431-security-suite-endurance-test-winners

Apple store in Paris raided by armed robbers on New Year's Eve, cops apparently distracted by celebrations elsewhere
Jan 2, 2013 3:21AM PST

The manager of an Apple store in Paris's Opera district had a major headache to deal with on New Year's Day, but it had nothing to do with any partying the night before.

Armed robbers raided an Apple store in Paris's Opera district on New Year's Eve, making off with goods worth around a million euros ($1.32 million) in the process.

It seems the criminals chose their moment carefully, mindful of the fact that the police had their attention focused on the nearby Champs-Elysées where thousands were enjoying New Year celebrations.

Carrying handguns, around four or five masked raiders entered the store at about 9pm, three hours after it had closed for business. While some reports suggest they overpowered a security guard, others say it was a janitor who was targeted as he was leaving the store for the night.

Continued : http://www.digitaltrends.com/international/apple-store-in-paris-raided-by-armed-robbers-on-new-years-eve/

Also:
Apple's Paris store loses £1 million of stock after armed raid
Merde! Paris Apple Store in €1m armed raid on New Year's Eve
Apple Store loses €1m of kit in Paris raid
Armed Gang Robs Paris Apple Store

Does Your Alarm Have a Default Duress Code?
Jan 2, 2013 3:21AM PST

Sometimes it takes a security scare to help improve your overall security posture. Case in point: Over the holidays, I learned that our alarm system — one of the most widely used home security systems in America — contains a default code that disables the alarm. Although entering this code simultaneously alerts the police that an intruder is in the house, it also could give thieves just enough time to get away with your valuables without alerting the neighbors.

Over the holidays, I lost my keychain. On said chain was a very expensive key fob for unlocking and starting our car, the keys to our front door, and a remote control that arms and disarms the alarm system. For several days, the wife and I searched frantically and repeatedly for the keys. Needless to say, I didn't leave the house the whole time. In the hopes of perhaps disabling the alarm keyfob myself, I downloaded the user manual for my alarm system (a Safewatch Pro 3000), but I could not figure out a way to complete the process.

After the fourth day of failing to locate the missing keys, we decided it was time to call a locksmith and ADT, our alarm company. The ADT technician arrived promptly and was extremely fast, courteous and helpful. But he said he couldn't remove the fob without plugging in an external keyboard that he had on hand.

Continued : http://krebsonsecurity.com/2013/01/does-your-alarm-have-a-default-duress-code/

BitLocker, PGP & TrueCrypt encryption weakened by new attack tool
Jan 2, 2013 3:22AM PST

Russian password-cracking wizards ElcomSoft have announced a new product that can retrieve decryption keys for BitLocker, PGP and open source favourite TrueCrypt as long as the encrypted volumes were not securely demounted.

As chinks in the armour of such encryption systems go, the one exploited by Forensic Disk Decryptor (pdf) is small but potentially useful to forensic engineers in some circumstances.

Normally, a volume (or smaller container) encrypted by one of these software programs is secured using a password, which can't be broken using any known brute-forcing attack as long as it is long and complex enough.

However, according to Elcomsoft, when this password has been entered and the volume 'opened', the keys to access the volume and its files are kept in memory as 'dumps' or (where the PC has entered hibernation) as 'hibernation' files.

Continued : http://news.techworld.com/security/3418189/bitlocker-pgp-truecrypt-encryption-weakened-by-new-attack-tool/

Mickey Virus: Bollywood movie jumps on hacking bandwagon
Jan 2, 2013 3:22AM PST

Bollywood is making what is reportedly its first venture into the world of cybercrime - with a new movie due to be released later in 2013 about hacking and computer malware.

The comedy-thriller, titled "Mickey Virus", is set in Delhi and will star TV anchorman Manish Paul in what is said to be his big screen debut. (No, we haven't heard of him either - but he seems to be well known in India for hosting TV talent shows).

It will remain to be seen how well "Mickey Virus" represents the world of computer security. Will it do a better job than the Western TV and film shows we have seen tackling cybercrime in the past, with their bizarre ideas of what malware attacks look like, and what hacking involves?

We've seen real cybercrime events inspire movie plotlines before. For instance, "Subject: I love you" which appears to have been very loosely sparked by the Love Bug worm.

Continued : http://nakedsecurity.sophos.com/2013/01/02/mickey-virus-bollywood/

Be careful opening bikini screensavers - malware hides inside
Jan 2, 2013 3:22AM PST

Cybercriminals have spammed out a malicious Trojan horse, via an email claiming to offer season's greetings and photographs of a woman wearing a bikini.

As many people return to their desks following the holiday break, there is a danger that they will find a dangerous email lurking inside their inbox alongside the regular mountain of spam.

In the following example, intercepted by SophosLabs, the malicious email claims to come from Selma. (Or is it Gretchen?)

Subject: HAPPY NEW YEAR

Ciao mia cara!
Come stai? Come promesso, ecco le mie foto bikini. Spero che sara love it!
Questo e il mio umile dono per il nuovo anno! Ci vediamo piu tardi : )
Il tuo amore Selma
01.01.2013 16:04:43


Here's another example, claiming to be a belated Christmas greeting:

Continued : http://nakedsecurity.sophos.com/2013/01/02/bikini-screensaver/