Spyware, Viruses, & Security forum

NEWS - January 03, 2013

by Carol~ Moderator / January 3, 2013 1:32 AM PST
Chrome Clickjacking Vulnerability Could Expose User Information on Google, Amazon

An apparent clickjacking, or UI redress vulnerability, in Google's Chrome web browser could make it possible for attackers to glean users' e-mail addresses, their first and last names and other information according to recent work done by an Italian researcher.

Luca De Fulgentis, who writes about security for Nibble Security's blog, detailed the issue earlier this week, along with another separate data extraction method.

De Fulgentis shows how a user's information can be extracted with the help of a malicious page using information on a page from Google's support forums. If logged in, users' e-mail addresses, names and profile picture URL can be extracted from the browser via support.google.com, while similar user information can be extracted from web resources belonging to Microsoft's Live.com and Yahoo!'s Profiles pages.

De Fulgentis explains another data extraction technique: a two-step drag and drop method that relies on users being tricked into letting Chrome publish their data publicly.

Continued : https://threatpost.com/en_us/blogs/chrome-clickjacking-vulnerability-could-expose-user-information-google-amazon-010213
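Added example (not from the Threatpost article or the Nibble Security write-up): both extraction techniques above depend on the victim page being loadable inside an attacker's frame, so the defence a practitioner checks first is the page's framing policy. The snippet below models how a browser decides whether a page with the given response headers may be framed by a given ancestor origin, covering X-Frame-Options and CSP frame-ancestors (which takes precedence when both are present). The header values, origins and hostnames are constructed for the illustration.

```ruby
require "uri"

# Toy evaluator for anti-clickjacking (anti-UI-redress) headers.
module FramingPolicy
  # Returns [allowed, reason] for a page at +page_origin+ served with
  # +headers+ when an ancestor document of origin +ancestor+ tries to frame it.
  # Modern browsers prefer CSP frame-ancestors over X-Frame-Options; with
  # neither header present, framing is allowed.
  def self.framing_allowed?(headers, page_origin, ancestor)
    h = headers.transform_keys { |k| k.to_s.downcase }
    if (csp = h["content-security-policy"])
      directive = csp.split(";").map(&:strip)
                     .find { |d| d.downcase.start_with?("frame-ancestors") }
      if directive
        sources = directive.split(/\s+/)[1..] || []
        return [matches_frame_ancestors?(sources, page_origin, ancestor),
                "frame-ancestors #{sources.join(' ')}"]
      end
    end
    case h["x-frame-options"]&.strip&.downcase
    when "deny"       then [false, "X-Frame-Options: DENY"]
    when "sameorigin" then [same_origin?(page_origin, ancestor), "X-Frame-Options: SAMEORIGIN"]
    when nil          then [true, "no framing restriction"]
    else                   [true, "unrecognised X-Frame-Options value is ignored by browsers"]
    end
  end

  def self.same_origin?(a, b)
    a.downcase == b.downcase
  end

  # frame-ancestors source list: 'none', 'self', '*', or host sources such as
  # https://example.com and https://*.example.com (path and port are ignored here).
  def self.matches_frame_ancestors?(sources, page_origin, ancestor)
    return false if sources.empty? || sources.include?("'none'")
    anc = URI.parse(ancestor)
    sources.any? do |src|
      case src
      when "*"      then true
      when "'self'" then same_origin?(page_origin, ancestor)
      else host_source_matches?(src, anc)
      end
    end
  end

  def self.host_source_matches?(src, anc)
    scheme, host = src.include?("://") ? src.split("://", 2) : [nil, src]
    host = host.split("/").first.split(":").first.downcase
    return false if scheme && scheme.downcase != anc.scheme
    anc_host = anc.host.to_s.downcase
    if host.start_with?("*.")
      anc_host.end_with?(host[1..])   # "*.google.com" -> ends with ".google.com"
    else
      anc_host == host
    end
  end
end
```

A page that returns neither header, or an X-Frame-Options value browsers do not recognise, is the case that makes the clickjacking and drag-and-drop tricks above possible; the evaluator reports "no framing restriction" for it.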
SQL injection vulnerability hits all Ruby on Rails versions
by Carol~ Moderator / January 3, 2013 1:39 AM PST

The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework. New releases of Ruby on Rails - 3.2.10, 3.1.9 and 3.0.18 - are now available. It is recommended that all users update immediately. For users unable to update, there are patches available for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3.

The problem, according to the advisory, is that, because of the way dynamic finders in ActiveRecord extract options from method parameters, a method parameter can be used as a scope and by carefully manipulating that scope, users can inject arbitrary SQL. Dynamic finders use the method name to determine what field to search, so calls such as:

Post.find_by_id(params[:id])

would be vulnerable to an attack. The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework.

http://www.h-online.com/security/news/item/SQL-injection-vulnerability-hits-all-Ruby-on-Rails-versions-1776203.html

Also:
SQL Injection Flaw Haunts All Ruby on Rails Versions
Ruby on Rails security updates address SQL injection flaw
All Ruby on Rails versions affected by SQL injection flaw

See Vulnerabilities & Fixes: Ruby on Rails Method Parameters SQL Injection Vulnerability
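Added example, a toy model rather than ActiveRecord itself: the mechanism the advisory describes is that a Rails 3.x dynamic finder treats a trailing Hash argument as finder options, so when params[:id] arrives as a Hash (for instance from a JSON request body) its keys end up controlling the generated SQL. The table and column names, the crafted request body and the coercion-based hardened variant are all this example's own; the advisory's fix is to upgrade or apply the published patches.

```ruby
require "json"

module ToyFinder
  module_function

  def quote(value)
    "'" + value.to_s.gsub("'", "''") + "'"
  end

  # Vulnerable shape: if the last argument is a Hash it is popped off and
  # treated as options such as :select, exactly as a developer writing
  # find_by_id(1, :select => "id") would expect. With only a Hash supplied,
  # the lookup value becomes nil and the attacker owns the SELECT list.
  def find_by_id_vulnerable(*args)
    options = args.last.is_a?(Hash) ? args.pop : {}
    options = options.transform_keys(&:to_s)
    id = args.first
    select = options.fetch("select", "*")
    where  = id.nil? ? "id IS NULL" : "id = #{quote(id)}"
    "SELECT #{select} FROM posts WHERE #{where} LIMIT 1"
  end

  # Hardened shape (this example's mitigation, not Rails' patch): the lookup
  # value is forced to a scalar integer before it reaches the finder, so a
  # Hash smuggled in through params can never be interpreted as options.
  def find_by_id_hardened(id)
    raise ArgumentError, "id must be a scalar" if id.is_a?(Hash) || id.is_a?(Array)
    "SELECT * FROM posts WHERE id = #{quote(Integer(id.to_s, 10))} LIMIT 1"
  end

  # Constructed request bodies: a normal lookup and a crafted JSON body whose
  # "id" is an object rather than a string.
  def sample_params
    {
      normal:  JSON.parse('{"id": "7"}'),
      crafted: JSON.parse('{"id": {"select": "* FROM users WHERE 1=1 --"}}')
    }
  end
end

if $PROGRAM_NAME == __FILE__
  p = ToyFinder.sample_params
  puts ToyFinder.find_by_id_vulnerable(p[:normal]["id"])
  puts ToyFinder.find_by_id_vulnerable(p[:crafted]["id"])
  puts ToyFinder.find_by_id_hardened(p[:normal]["id"])
end
```

Running it prints the normal query, then a query that selects from users with the original WHERE clause commented out, which is the shape of the credential-extraction technique the Phenoelit post described against authlogic.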

To thwart hackers, firms salting their servers w/ fake data
by Carol~ Moderator / January 3, 2013 1:49 AM PST

Brown Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets — online editions and subscriber databases — were increasingly at risk with the proliferation of cyber-espionage.

And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.

The Waseca, Minn., company began planting fake data in Web servers to lure hackers into "rabbit holes" in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.

"We're taking the hackers' strengths and we're making it their weaknesses," said Nathan Hosper, a senior information technology officer at Brown. "They get caught up in this cycle of fake information."

Continued : http://www.washingtonpost.com/world/national-security/to-thwart-hackers-firms-salting-their-servers-with-fake-data/2013/01/02/3ce00712-4afa-11e2-9a42-d1ce6d0ed278_story.html
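Added example of the "anyone who took the bait was being watched" side of the technique; it is not Brown Printing's system. The decoy account names, the log format and the log lines are constructed for this illustration.

```ruby
module CanaryLogins
  # Decoy credentials that were deliberately planted and have no legitimate use.
  DECOYS = {
    "backup_svc" => "planted in /var/www/config.php.bak",
    "ops_admin"  => "planted in a fake wp-config.php",
  }.freeze

  # Constructed auth-log format: <ISO time> auth <ok|fail> user=<name> src=<ip>
  LINE = /\A(?<ts>\S+) auth (?<result>ok|fail) user=(?<user>\S+) src=(?<ip>\S+)\z/

  # Constructed sample log mixing real users with decoy-account attempts.
  SAMPLE_LOG = <<~LOG.lines(chomp: true)
    2013-01-02T03:14:07Z auth ok user=jsmith src=10.0.8.15
    2013-01-02T03:15:21Z auth fail user=backup_svc src=198.51.100.23
    2013-01-02T03:15:24Z auth ok user=backup_svc src=198.51.100.23
    2013-01-02T03:16:02Z auth fail user=ops_admin src=198.51.100.23
    2013-01-02T03:20:45Z auth ok user=mjones src=10.0.8.31
    2013-01-02T04:01:10Z auth fail user=ops_admin src=203.0.113.9
  LOG

  # Every use of a decoy account, successful or not, is an alert: nobody
  # should know the name, so a single hit is a high-fidelity signal.
  def self.alerts(lines)
    lines.each_with_object([]) do |line, out|
      m = LINE.match(line) or next
      next unless DECOYS.key?(m[:user])
      out << { ts: m[:ts], user: m[:user], ip: m[:ip], result: m[:result], bait: DECOYS[m[:user]] }
    end
  end

  # Tag each source address with the decoys it touched, how often and when first seen.
  def self.tagged_sources(lines)
    alerts(lines).group_by { |a| a[:ip] }.transform_values do |hits|
      {
        attempts:   hits.size,
        decoys:     hits.map { |h| h[:user] }.uniq.sort,
        first_seen: hits.map { |h| h[:ts] }.min,
      }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  CanaryLogins.tagged_sources(CanaryLogins::SAMPLE_LOG).each do |ip, info|
    puts "#{ip}: #{info[:attempts]} attempt(s) on #{info[:decoys].join(', ')} from #{info[:first_seen]}"
  end
end
```

The point of the tagging step is the one the article makes: the decoy is cheap, and the value is in attributing every touch of it to a source and recording what that source did next.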

Pirated iOS apps without jailbreaking
by Carol~ Moderator / January 3, 2013 1:49 AM PST

The operators of Chinese warez portals have found a sly way of offering pirated iOS apps for Apple devices that haven't been jailbroken. iOS normally only launches apps that have been approved and signed by Apple. Most signed apps originate from the App Store and have been permanently associated with a purchaser's Apple account using Apple's FairPlay DRM system. If the DRM protection is removed, the app's signature becomes invalid; for such a program to start, the signature check must be disabled by jailbreaking the device.

The operators of the illegal download portals appear to have chosen a bolder approach. They don't remove the DRM in the first place. Heise Security, The H's German associates, downloaded a number of test apps and found the original app buyers' plain-text names. The programs still seemed to be linked to their accounts. iOS does allow users to install apps that weren't bought via the Apple account that is associated with the device, but to do so, it is usually necessary to log in with the appropriate account.

Continued : http://www.h-online.com/security/news/item/Pirated-iOS-apps-without-jailbreaking-1776354.htm

Fraudulent Cert for Google Domains Found After Mistake by Turkish CA
by Carol~ Moderator / January 3, 2013 5:15 AM PST

Google has pushed out an update that blocks an intermediate digital certificate for *.google.com after discovering that a Turkish certificate authority had mistakenly issued intermediate certificates to two organizations that should only have gotten normal SSL certificates. That error gave those two organizations the power to issue certificates that carried the same authority as the CA itself and allowed one of the organizations to issue the fraudulent wildcard certificate for Google. One of the groups that obtained the intermediate certificate is a Turkish government agency.

The problem was discovered by Google security personnel just before Christmas and the Google team quickly found that it was a Turkish CA named TURKTRUST that had issued the intermediate certificate. That mistake essentially granted the company with the intermediate certificate the ability to issue certificates for any domain it chose.

"In response, we updated Chrome's certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors," Google's Adam Langley wrote in an analysis of the episode.

Continued : https://threatpost.com/en_us/blogs/fraudulent-certificate-google-domains-found-after-mistake-turkish-ca-010313

Related: Security Advisory 2798897 (Certificate Trust List Updated)

Also: Google, Microsoft, and Mozilla revoke two fraudulent Turkish certificates used in targeted attacks
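Added example, a toy PKI built with Ruby's OpenSSL bindings and not TURKTRUST's or Google's actual certificates: a root signs what was meant to be an ordinary server certificate but carries CA:TRUE, the holder of that certificate signs a wildcard for *.google.com, and plain path validation accepts the chain. A second verifier applies a blocklist of intermediate fingerprints to the built chain, which is the role Chrome's certificate revocation metadata update played. All names, key sizes and serials are constructed.

```ruby
require "openssl"

module MisissuedChain
  def self.fingerprint(cert)
    OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
  end

  # Issue +subject+ signed by +issuer_cert+/+issuer_key+ (self-signed when nil).
  def self.make_cert(subject, key, issuer_cert, issuer_key, serial, ca:, san: nil)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = serial
    cert.subject = OpenSSL::X509::Name.parse(subject)
    cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = Time.now + 86_400
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = issuer_cert || cert
    cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
    cert.add_extension(ef.create_extension("subjectAltName", san)) if san
    cert.sign(issuer_key || key, OpenSSL::Digest::SHA256.new)
    cert
  end

  # Root CA, the mis-issued "intermediate" (should have been CA:FALSE), and a
  # wildcard leaf the holder of that intermediate can now sign for any name.
  def self.build
    root_key = OpenSSL::PKey::RSA.new(2048)
    mid_key  = OpenSSL::PKey::RSA.new(2048)
    leaf_key = OpenSSL::PKey::RSA.new(2048)
    root = make_cert("/CN=Toy Root CA", root_key, nil, nil, 1, ca: true)
    mid  = make_cert("/CN=customer.example", mid_key, root, root_key, 2, ca: true) # the mistake
    leaf = make_cert("/CN=*.google.com", leaf_key, mid, mid_key, 3, ca: false, san: "DNS:*.google.com")
    { root: root, intermediate: mid, leaf: leaf }
  end

  # Plain path validation: anything chaining to the trusted root is accepted.
  def self.chain_valid?(root, leaf, extra)
    store = OpenSSL::X509::Store.new
    store.add_cert(root)
    store.verify(leaf, extra)
  end

  # Path validation plus a blocklist of CA fingerprints checked against the
  # chain the verifier actually built. Returns [ok, reason].
  def self.verify_with_blocklist(root, leaf, extra, blocked)
    store = OpenSSL::X509::Store.new
    store.add_cert(root)
    ctx = OpenSSL::X509::StoreContext.new(store, leaf, extra)
    return [false, "path validation failed: #{ctx.error_string}"] unless ctx.verify
    hit = ctx.chain.find { |c| blocked.include?(fingerprint(c)) }
    return [false, "chain contains blocked CA: #{hit.subject}"] if hit
    [true, "ok"]
  end
end

if $PROGRAM_NAME == __FILE__
  pki = MisissuedChain.build
  chain = [pki[:intermediate]]
  puts "plain validation: #{MisissuedChain.chain_valid?(pki[:root], pki[:leaf], chain)}"
  puts "name matches www.google.com: #{OpenSSL::SSL.verify_certificate_identity(pki[:leaf], 'www.google.com')}"
  blocked = [MisissuedChain.fingerprint(pki[:intermediate])]
  puts "with blocklist: #{MisissuedChain.verify_with_blocklist(pki[:root], pki[:leaf], chain, blocked).inspect}"
end
```

Plain validation has no way to know the intermediate was issued by mistake; the chain is cryptographically sound and the wildcard name matches. Only out-of-band metadata (a blocklist pushed to the client, or the CA revoking the intermediate) turns it into a failure, which is why the browser vendors each had to ship an update.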
DDoS Hacktivists: No U.S. Bank is Safe
by Carol~ Moderator / January 3, 2013 5:17 AM PST

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters claims that its second phase of distributed-denial-of-service attacks has affected nine banks since Dec. 11, and it warns that more attacks are on the way.

"Rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks," the hacktivists write in a Jan. 1 post on Pastebin.

The group says its DDoS strikes waged since the kickoff of its second campaign in early December have targeted JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, BB&T Corp., Suntrust Banks and Regions Financial Corp. (see 5 Banks Targeted for New DDoS Attacks.)

The group claims its attacks against U.S. banks will continue until a YouTube video deemed offensive to Muslims is removed.

December Attacks

On a Dec. 10 post, Izz ad-Din al-Qassam Cyber Fighters announced plans for its second campaign, targeting PNC, U.S. Bank, BofA, Chase and SunTrust. Since then, the group has posted two subsequent threats and, as indicated in its Jan. 1 post, has apparently hit a total of nine banks.

Continued : http://www.bankinfosecurity.com/ddos-hacktivists-no-us-bank-safe-a-5401