NEWS - January 28, 2013

The title of this blog is far from unique. Tracking security flaws in Java is like counting grains of sand on a beach.

As I write this on January 27, 2013, the flaw in question is new. It is known by its creator, Adam Gowdiak of Security Explorations, simply as Issue 53.

Before going into detail, let's first put things in perspective.

The last Java flaw garnered a ton of attention, with a typical headline reporting that the Department of Homeland Security told everyone to disable Java. It's not clear why that flaw garnered so much attention. The New York Times reported it as a "rare" warning, but that news was not fit to print. The warning was routine.

In the middle of the last scare, Art Manion and Will Dormann of CERT wrote

"We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers."

Oracle released a new edition of Java (Version 7 Update 11) to fix that problem, very quickly (perhaps an example of what bad publicity can do). But since that fix was issued on January 13th, the bad news for Java has continued to trickle out.

MORE BAD NEWS

Continued: http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53

* * * * * * * * * * * * * * * * * *

Java's new "very high" security mode can't protect you from malware

"Fix that was supposed to make malware attacks harder can be easily circumvented"

Security researchers have uncovered a newly discovered bug in Oracle's Java framework that allows attackers to bypass important security protections designed to prevent malware attacks.

The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those allowed crooks to surreptitiously install malware on the computers of unsuspecting people using Java browser plugins. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.

"Unfortunately, the above is only a theory," security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. "In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel."

Continued : http://arstechnica.com/security/2013/01/javas-new-very-high-security-mode-cant-protect-you-from-malware/

A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions.

I have written about more than 80 organizations that were victims of cyberheists, and a few recurring themes have emerged from nearly all of these breaches. First, a majority of the victim organizations banked at smaller institutions. Second, virtually all of the money mules — willing or unwitting individuals recruited to help launder the stolen funds — used accounts at the top five largest U.S. banks.

The attack on Niles Nursing Inc. provides a textbook example. On Monday, Dec. 17, 2012, computer crooks logged into the company's online banking accounts using the controller's credentials and tunneling their connection through his hacked PC. At the beginning of the heist, the miscreants added 11 money mules to Niles' payroll, sending them automated clearing house (ACH) payments totaling more than $58,000, asking each mule to withdraw their transfers in cash and wire the money to individuals in Ukraine and Russia.

Continued : https://krebsonsecurity.com/2013/01/big-bank-mules-target-small-bank-businesses/

Most malware is severely crippled if it can't contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.

The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.

Ironically, the SPF is an email validation system designed to spot email spoofing and, therefore, spam.

"SPF consists of a domain name server (DNS) request and response. If a sender's DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.

Continued : http://www.net-security.org/malware_news.php?id=2387

Related:
Browser-hijacking malware talks to attackers using SPF email validation protocol
Cybercriminals Use Anti-Spam System for Communication Between Malware and Server

A group of Internet users in the U.K. are seeking damages, disclosure and an apology from Google for its alleged undermining of the security settings on Apple's Safari browser to track online usage covertly.

Members of the group, described as informal, have instructed a technology and media law firm, Olswang, to begin action against Google, the group said.

The claims center around tracking cookies, which were allegedly installed in secret by Google on computers and mobile devices of users of the Safari browser, Olswang said in a statement on Sunday. The legal firm has been retained by the group to coordinate claims.

The U.S. Federal Trade Commission said in August last year that Google agreed to pay US$22.5 million civil penalty to settle charges that it misrepresented to users of Safari that it would not place tracking cookies or serve targeted ads to those users, violating an earlier privacy settlement between the company and the FTC.

Continued : http://www.networkworld.com/news/2013/012813-google-faces-legal-action-in-266174.html

Also:
Google faces UK legal action over Apple Safari tracking claims
Google faces UK legal action over Apple privacy concerns

From the Symantec Security Response Blog:

As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is Trojan.Ransomlock.Y. This variant is being distributed through pornographic websites leading to the Impact Exploit kit. Symantec has the following Intrusion Prevention Signatures (IPS) in place for the Impact Exploit kit and is observing a similar telemetry spike around detections of this exploit kit:

• Web Attack: Impact Exploit Kit Website
• Web Attack: Impact Exploit Kit Website 2
• Web Attack: Impact Exploit Kit Website 3

[Screenshot: Trojan.Ransomlock.Y]

Continued: http://www.symantec.com/connect/blogs/upswing-ransomware-activity

Twitter said Monday that worldwide requests from governments about its users rose nearly 20 percent in second half of 2012 as it sought to raise awareness about "invasive" actions.

The popular messaging platform said information requests in the July-December period numbered 1,009, up from 849 in the prior six months.

In launching a revamped "transparency report" modeled after one by Google, Twitter said it hopes the data can be useful to those seeking to keep an open Internet.

"We believe the open exchange of information can have a positive global impact," Twitter legal policy manager Jeremy Kessel said in a blog post marking what activists have dubbed Data Privacy Day.

"To that end, it is vital for us (and other Internet services) to be transparent about government requests for user information and government requests to withhold content from the Internet; these growing inquiries can have a serious chilling effect on free expression -- and real privacy implications."

Continued : http://www.securityweek.com/twitter-says-government-data-requests-rise

Also:
Government Appetite Growing for Twitter User Data
Twitter Complied with 69% of US Government Requests for Account Data
Twitter complies with over half of all requests for user data

When late last year Facebook changed its Statement of Rights and Responsibilities and Data Use Policy, the social network's users lost their right to vote on future proposed changes, but retained that of commenting on them when they are made public and influencing their final form.

At the time, Elliot Schrage, Facebook's vice president of communications, public policy, and marketing, announced new ways to establish a "meaningful dialogue" between the company and the Facebook community, among which was also a new feature that would let users submit questions to Erin Egan, Facebook's Chief Privacy Officer of Policy.

The feature has finally been launched today (coincidence or not, today is also Data Privacy Day), and can be accessed here.

Users are urged to submit privacy-related questions to Egan by filling out an online form, and she will answer a few of them each month. She has started this month by answering some privacy questions she gets asked on a regular basis.

Continued : http://www.net-security.org/secworld.php?id=14314

The US Department of Defense is to increase the size of its cybersecurity forces fivefold over the next few years, boosting the department's Cyber Command personnel from 900 to 4,900. Anonymous US officials said the expansion had been approved by the Pentagon at the end of last year, according to a report in the Washington Post.

Those officials noted that attacks, such as the one which wiped data from 30,000 computers at a Saudi Arabian state oil company last summer, had highlighted the gravity of the threat for the Pentagon.

The plan will involve the creation of three forces under Cyber Command. A "national mission force" will focus on US infrastructure, power grids and plants, a "combat mission force" will help commanders plan and execute offensive operations outside the US and "cyber protection forces" will shore up the Defense Department's own network defenses. The plan appears to go further than the cyber strategy plan presented in July 2011.

http://www.h-online.com/security/news/item/US-military-to-massively-increases-cyber-security-personnel-1792415.html

Related:
Pentagon to boost cybersecurity force numbers: report
Pentagon Plans Massive Increase in Cybersecurity Teams
U.S. DoD's cybersecurity force to increase fivefold