NEWS - January 29, 2013

The Rails developers have released Ruby on Rails 3.0.20 and 2.3.16 which contain one, and only one, "extremely critical security fix". The problem only affects Rails 3.0.x and 2.3.x with Rails 3.1.x and 3.2.x not affected. Users of the 2.3 and 3.0 branches are advised to update as soon as possible, or to apply patches if they cannot upgrade. If they cannot do that either, a workaround of setting

ActiveSupport::JSON.backend = "JSONGem"

in the application's initialisation code will, at least, prevent the vulnerable code from being called.

The problem is related to the flaw discovered earlier this month where the XML formatted parameters could include YAML serialised data which, when deserialised, would create live objects within the server which could be used to exploit it. The exploit went wild quickly and a number of servers were compromised.

Continued : http://www.h-online.com/security/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html

Also: Some Versions of Ruby on Rails Vulnerable to New Parsing Attack

See Vulnerabilities & Fixes: Ruby on Rails JSON Parser YAML Handling Vulnerability

From the TrendLabs Security Intelligence Blog:

Malicious schemes promising free or discounted items are effective because everyone likes a great offer. More so, if the offered item is a much-talked about product like Windows 8.

Last year, we unraveled some fake">http://blog.trendmicro.com/trendlabs-security-intelligence/fake-windows-8-key-generators-surface/]fake Windows 8 generators, fake Windows 8 antivirus programs, and phishing email that surfaced right after the platform's release. Though it's been months since it was launched, we found out that certain bad guys are continuously using the brand to lure users into their ruse. This time, however, they are offering Windows 8 "activators" amidst news of Microsoft's limited offer of discounted Windows 8 upgrade.

During our research, we found several websites using Windows 8 as keywords. The first site purportedly offers free Windows 8 "activator", which is actually fake (detected by Trend Micro as HKTL_KEYGEN). [Screenshot: Site offering fake Windows 8 activator]

The other site we looked into also offers free Windows 8 activator, dubbing it the "Windows 8 Activator Loader Extreme Edition 2013". [Screenshot: Site offering rogue Windows 8 activator]

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/free-windows-8-activator-think-again/

From Bitdefender's "HOTforSecurity" Blog:

Security researchers revealed vulnerabilities in the digital video recorders of CCTV video cameras that would allow an attacker to seize control of the buggy devices to watch the recorded video streams, copy, delete or turn them on and off.

Apart from enabling illegal access to the security camera systems, the buggy devices also transform the machine into a jumping-off point of access to computers in a network, behind a company's firewall, according to researchers with security firm Rapid7.

H.D. Moore, chief security officer with Rapid7, found some 58,000 unique IPs running a vulnerable DVR platform in 150 countries, of which the United States, India, and Italy took the lion's share.

"In addition to Ray Sharp, the exposures seem to affect rebranded DVR products by Swann, Lorex, URMET, KGuard, Defender, DEAPA/DSP Cop, SVAT, Zmodo, BCS, Bolide, EyeForce, Atlantis, Protectron, Greatek, Soyo, Hi-View, Cosmos, and J2000," Moore writes in his blog post.

Continued : http://www.hotforsecurity.com/blog/dvr-flaw-allows-attacker-to-control-security-cameras-5164.html

Related:
Hackers squeeze through DVR hole, break into CCTV cameras
What if your security camera were an insecurity camera?

Regulators in the Netherlands and Canada say the popular messaging application WhatsApp is violating internationally accepted privacy norms by stockpiling phone numbers belonging to people who don't even use the service.

Officials in both countries say WhatsApp Inc. is going through its users' address books and copying every single phone number before transmitting them to the Mountain View, California-based company's servers.

Many communications services ask for access to their customer's address books to help connect them with friends. But under Canadian and Dutch law, personal information belonging to nonusers must be destroyed once it's no longer being used.

Canada's Office of the Privacy Commissioner and the Dutch Data Protection Authority also criticized WhatsApp for weak security and sloppy encryption.

Continued: http://www.usnews.com/news/technology/articles/2013/01/29/canada-holland-whatsapp-violates-privacy-norms

Also:
WhatsApp privacy weaknesses could trigger prosecutions
Netherlands, Canada Say WhatsApp Still Violates Privacy Laws
WhatsApp's privacy investigated by joint Canadian-Dutch probe

ESET discovered a social engineering Trojan horse that managed to steal the login credentials of more than 16,000 Facebook users.

The 'PokerAgent' Trojan targeted Zynga Poker, the most popular online poker site in the world. Zynga Poker hosts the Texas Hold'Em Poker App for Facebook. According to APPData, the game has more than 35 million active monthly users.

Specifically, the malware was designed to steal users' Facebook login details and link them with user information for the online poker game. ESET first began studying the Trojan in early 2012. However, thanks to proactive generic detection of this threat, ESET users were protected against the Trojan as early as December 2011. [Screenshot]

Because 'PokerAgent' was most active in Israel, ESET contacted the Israeli CERT as well as the Israeli police in early 2012. Because of the ongoing investigation, ESET was not able to publicly disclose any details about the threat. However, in addition to working with the Israeli CERT team, Facebook was also notified and took immediate preventive measures to protect their members and thwart future attacks on the hijacked accounts.

Continued: http://www.net-security.org/malware_news.php?id=2388