Mozilla outs un-Google site sign-in prototype
Mozilla has proposed a new method for signing into websites that avoids both site-specific passwords and existing cross-site sign-in services from corporate behemoths such as Google and Facebook.
Known as BrowserID, Mozilla's prototype is built atop a new "Verified Email Protocol", which uses public-key cryptography to prove that a particular user owns a particular email address. In essence, BrowserID lets you log into a website simply by clicking on a button and choosing an email address you wish to sign in with. Behind the scenes, the website, your browser, and a separate verification service use crypto keys to verify your identity.
"For a Web developer, creating a new application always involves an annoying hurdle: how do users sign in? An email address with a confirmation step is the classic method, but it demands a user's time and requires the user to take an extra step and remember another password. Outsourcing login and identity management to large providers like Facebook, Twitter, or Google is an option, but these products also come with lock-in, reliability issues, and data privacy concerns," Mozilla says in a blog post, referring to services based on OpenID and similar protocols.
Continued: http://www.theregister.co.uk/2011/07/15/mozilla_browser_id/
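The verified-email flow the post sketches (the email provider vouches for an address, the browser then proves that address to a site with its own key) is shown below as an added illustration in Go. It is not Mozilla's code and not the BrowserID wire format; the Ed25519 keys, the JSON layout, the domains, the addresses and the lifetimes are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Certificate is issued by the email provider: it binds an address to the user's public key.
type Certificate struct {
	Email   string `json:"email"`
	Issuer  string `json:"issuer"`   // provider domain that vouches for the address
	UserKey []byte `json:"user_key"` // Ed25519 public key held by the user's browser
	Expires int64  `json:"expires"`  // Unix seconds
}

// Assertion is signed by the browser for one site only and expires within minutes.
type Assertion struct {
	Audience string `json:"audience"`
	Expires  int64  `json:"expires"`
}

type Bundle struct { // what the browser hands to the site: both documents plus signatures
	Cert         Certificate
	CertSig      []byte
	Assertion    Assertion
	AssertionSig []byte
}

// canonical gives a deterministic byte form to sign; struct field order is fixed.
func canonical(v interface{}) []byte {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return b
}

// IssueCertificate is the provider's step, done after it has authenticated the user itself.
func IssueCertificate(issuer string, issuerKey ed25519.PrivateKey, email string, userPub ed25519.PublicKey, now time.Time) (Certificate, []byte) {
	c := Certificate{Email: email, Issuer: issuer, UserKey: userPub, Expires: now.Add(24 * time.Hour).Unix()}
	return c, ed25519.Sign(issuerKey, canonical(c))
}

// SignAssertion is the browser's step: tie the login to one audience and a short lifetime.
func SignAssertion(userKey ed25519.PrivateKey, audience string, now time.Time) (Assertion, []byte) {
	a := Assertion{Audience: audience, Expires: now.Add(2 * time.Minute).Unix()}
	return a, ed25519.Sign(userKey, canonical(a))
}

// VerifyLogin is the relying site's step; it yields the address only if every link holds.
func VerifyLogin(b Bundle, trusted map[string]ed25519.PublicKey, audience string, now time.Time) (string, error) {
	issuerPub, ok := trusted[b.Cert.Issuer]
	if !ok {
		return "", fmt.Errorf("unknown issuer %q", b.Cert.Issuer)
	}
	// A provider may vouch only for addresses in its own domain.
	at := strings.LastIndex(b.Cert.Email, "@")
	if at < 0 || !strings.EqualFold(b.Cert.Email[at+1:], b.Cert.Issuer) {
		return "", errors.New("issuer is not authoritative for this address")
	}
	if now.Unix() > b.Cert.Expires {
		return "", errors.New("certificate expired")
	}
	if !ed25519.Verify(issuerPub, canonical(b.Cert), b.CertSig) {
		return "", errors.New("bad certificate signature")
	}
	// The assertion must name us (blocks replay at another site) and still be fresh.
	if b.Assertion.Audience != audience {
		return "", fmt.Errorf("assertion is for %q, not %q", b.Assertion.Audience, audience)
	}
	if now.Unix() > b.Assertion.Expires {
		return "", errors.New("assertion expired")
	}
	if len(b.Cert.UserKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(b.Cert.UserKey), canonical(b.Assertion), b.AssertionSig) {
		return "", errors.New("bad assertion signature")
	}
	return b.Cert.Email, nil
}

// DemoLogin runs the flow end to end with constructed keys and names (not real accounts):
// signedFor is the site the browser targets, presentedTo is the site doing the check.
func DemoLogin(signedFor, presentedTo string) (string, error) {
	now := time.Now()
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert, certSig := IssueCertificate("example.com", issuerPriv, "alice@example.com", userPub, now)
	assertion, aSig := SignAssertion(userPriv, signedFor, now)
	trusted := map[string]ed25519.PublicKey{"example.com": issuerPub}
	return VerifyLogin(Bundle{cert, certSig, assertion, aSig}, trusted, presentedTo, now)
}

func main() {
	fmt.Println(DemoLogin("https://site.example", "https://site.example"))
	fmt.Println(DemoLogin("https://site.example", "https://other.example"))
}
```

Two checks in VerifyLogin carry most of the weight: the issuer may only vouch for addresses in its own domain (otherwise any trusted provider could certify any address), and the assertion must name the site that is checking it (otherwise an assertion captured at one site could be replayed at another). The second DemoLogin call shows that replay being refused.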
New Hotmail security features against account hijacking
Microsoft has decided to introduce two new security features for its web-based Hotmail service, in the hope that this will make the accounts more difficult to hijack and eventual hijackings spotted faster.
The first one makes the use of extremely common passwords impossible. "Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants,'" explains Dick Craddock, Program Manager at Microsoft.
The feature will be rolled out soon, and it will hopefully prevent successful brute force "dictionary" attacks.
The second one has already been released, and allows users to report compromised accounts to Microsoft immediately after receiving a spam or scam email from a contact's email account.
Continued: http://www.net-security.org/secworld.php?id=11292
Hotmail fights back against hacked email accounts
Hotmail to ban common passwords
Vulnerability in Skype allows accounts to be hijacked
Popular VoIP software Skype contains a security issue which could enable an attacker to gain access to a contact's account. In a security advisory, Levent Kayan, who discovered the vulnerability, reports that in some cases it could even allow access to the user's system.
According to Kayan, Skype 126.96.36.199 (the current version) and earlier for Windows and Mac are affected. The Linux version is not affected. The H's associates at heise Security in Germany were able to reproduce the problem in version 188.8.131.52 under Windows 7 and Windows XP, although in some cases more than ten logons were required before the problem manifested itself - why this should be the case is unclear. Kayan reports that he has informed the vendor. No patch is available at present.
Update: Vulnerability in Skype allows accounts to be hijacked
Update - Skype has now confirmed it is aware of the hole and has already developed a patch to be published within the next week. Skype provides a plausible explanation as to why the problem isn't immediately reproducible: to take advantage of it, the attacker must appear in the victim's list of frequent contacts. Skype classifies the issue as a lesser problem because an attacker is allegedly only able to display messages through Skype or redirect pages.
Many sites cookie-track users regardless of opt-outs
More than 10 per cent of companies that promise not to track internet users' online activity for behavioural advertising purposes still do so, according to new research.
Researchers at Stanford Law School investigated whether companies belonging to a voluntary scheme run by the Network Advertising Initiative (NAI) actually complied with the rules they had signed up to.
The NAI encourages online businesses to voluntarily adopt a set of rules governing online behavioural advertising. Those rules force member companies to tell users that cookies they store about them could be used to serve behavioural ads. The rules also state that member companies must stop using the cookies to serve ads if asked to by users.
The researchers claimed that at least eight NAI members out of the 64 they investigated continued placing behavioural ad cookies on researchers' machines after being asked not to.
Continued: http://www.theregister.co.uk/2011/07/15/websites_still_dish_out_tracking_track_despite_opt_out/
More Than 100 Arrested in Fake Internet Sales
Law enforcement officials in Romania and the United States have arrested and charged more than 100 individuals in connection with an organized fraud ring that used phony online auctions for cars, boats and other high-priced items to bilk consumers out of at least $10 million.
According to a statement from the Justice Department, the scams run by this ring followed a familiar script. Conspirators located in Romania would post items for sale such as cars, motorcycles and boats on Internet auction and online websites. They would instruct interested buyers to wire transfer the purchase money to a fictitious name they claimed to be an employee of an escrow company. Once the victim wired the funds, the co-conspirators in Romania would text information about the wire transfer to co-conspirators in the United States known as "arrows" to enable them to retrieve the wired funds. They would also provide the arrows with instructions as to where to send the funds after retrieval.
The arrows in the United States would then visit wire transfer services such as Western Union or MoneyGram, provide false documents including passports and drivers' licenses in the name of the recipient of the wire transfer, and grab the cash. They would subsequently wire the funds overseas, typically to individuals in Romania, minus a percentage kept for commissions. The victims would not receive the items they believed they were purchasing. In some cases, co-conspirators in Romania also directed arrows to provide bank accounts in the United States where larger amounts of funds could be wired by victims of the fraud.
Oracle to issue 78 bug fixes
Oracle is planning to issue 78 patches covering a number of its software products on Tuesday, including 13 fixes for its flagship database, according to a statement posted to its website on Thursday.
The database patches cover a number of database editions, including 11g R1 and R2, as well as 10G R1 and R2. Two of the vulnerabilities can be exploited over a network without login credentials.
Another three patches cover Oracle's Secure Backup product, all of which can be exploited remotely without authentication.
Oracle plans to issue seven patches for various modules in its Fusion Middleware line, while Enterprise Manager Grid Control will get 18 fixes.
E-Business Suite and Oracle's supply chain products will get one patch each, while a dozen are scheduled to be released for PeopleSoft.
Oracle is also rolling out 23 patches for products gained through the acquisition of Sun Microsystems, including GlassFish Server, VirtualBox, Solaris, SPARC Enterprise M Series and SPARC T3 series. Nine of the weaknesses can be exploited over a network without requiring a username or password, Oracle said.
The patch batch scheduled for Tuesday is roughly the same size as the previous update in April, which included 73 fixes. Oracle has been issuing patches for Java SE on separate dates, with the most recent set arriving last month.
Also: Oracle to patch 78 vulnerabilities
All your data belong to 'Remo'
From Kaspersky Labs Weblog:
One of the main goals of a cybercriminal is to gain total control over a victim's machine. This is currently done through the use of RATs (remote admin tools) and other methods. The infected computers are used by cybercriminals for all sorts of malicious activity.
It's no different with Brazilian cybercriminals - they have the same intent, but due to their culture of immediacy their efforts are often focused on creating Trojan bankers, rather than botnets, RATs or other methods of remote control. But this behavior is slowly changing - a recent attack shows they are ready to create a network of local infected machines and take total control of it, stealing personal data and using the infected machines to send spam. They are doing all this in a very creative way: registering a remote user account called 'Remo' which is password-protected. Through this account the cybercriminals have total access and control over the infected machine.
The attack starts with an e-mail posing as an alleged update for Flash Player. The downloader will actually install the legitimate Flash Player, but will also download another file that appears in the image below as "ajuda.txt": [Screenshot]
Once downloaded, the .txt file will be renamed to .msi and the files it contains will be installed on the system. Inside the .msi file we found several files:
Continued: http://www.securelist.com/en/blog/208193037/All_your_data_belong_to_Remo
A Look Inside Targeted Email Attacks
The number of targeted attacks has increased dramatically in recent years. Major companies, government agencies, and political organizations alike have reported being the target of attacks. The rule of thumb is, the more sensitive the information that an organization handles, the higher the possibility of becoming a victim of such an attack.
Here, we'll attempt to provide insight on a number of key questions related to targeted attacks, such as where did the malicious email come from, which particular organizations are being targeted, which domains (spoofed or not) sent the email, what kinds of malicious attachments did the emails contain, etc. Our analysis of the data showed that, on average, targeted email attacks are on the rise: [Screenshot: Targeted attacks trend]
For this analysis, we first looked at the origin of the email messages. The emails were launched from 6,391 unique IPs across 91 different countries, spread throughout the world. Based on the representative set of data we have, below is a regional breakdown of email-based attacks: [Screenshot: Malicious email origin, by region]
Now, we ask ourselves, which sector is the most likely target of these attacks? Below are the top 10 most targeted types of organizations, derived from the domains that the emails were sent to: [Screenshot: Malicious email attack targets, by industry]
Continued: http://www.symantec.com/connect/blogs/look-inside-targeted-email-attacks
How to Buy Friends and Deceive People
Want more friends and followers? Emerging enterprises will create them for you - for a price. An abundance of low-cost, freelance labor online is posing huge challenges for Internet companies trying to combat the growing abuse of their services, and has created a virtual testbed for emerging industries built to assist a range of cybercrime activities, new research shows.
Free services like Craigslist, Facebook, Gmail and Twitter have long sought to deter scammers and spammers by deploying technical countermeasures designed to prevent automated activity, such as the use of botnets to create new accounts en masse. These defenses typically require users to perform tasks that are difficult to automate, at least in theory, such as requiring that new accounts be verified by phone before activation.
But researchers from the University of California, San Diego found that these fraud controls increasingly are being defeated by freelance work arrangements: buyers "crowdsource" work by posting jobs they need done, and globally distributed workers bid on projects that they are willing to take on.
"The availability of this on-demand, for-hire contract market to do just about anything you can think of means it's very easy for people to innovate around new scams," said Stefan Savage, a UCSD computer science professor and co-author of the study.
The UCSD team examined almost seven years' worth of data from freelancer.com, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such as online content creation and Web programming. The remainder centered around four classes of what they termed "dirty" jobs, such as account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.
Continued: http://krebsonsecurity.com/2011/07/how-to-buy-friends-and-deceive-people/
Was the Vodafone Femtocell hack new?
Yesterday, 14 July, news that The Hacker's Choice had published details on how to use a Vodafone "Sure Signal" femtocell as a 3G phone interception point was circulated around the internet. The group had published detailed instructions covering how to wire a serial console up to gain access, break into the device and then modify the device's Linux-based software to intercept and decode traffic. It also covered how to remove the location device to stop the network provider confirming the unit's location. The proof of concept hack was both impressive and comprehensive.
The only problem, for those that wish to replicate the work, is that the project, according to its own timeline in the document, stopped in July 2010. According to Vodafone, the holes that the group exploited to gain access to the device were closed in a software update - since July 2010, a new version of femtocells has been deployed by Vodafone and other phone networks, which may or may not be more secure. Vodafone have identified a number of devices running software which predates the patch and have now disabled their access to their phone network.
The Hacker's Choice admitted that they did not "know about any femto after Jul 2010" but said that they were more interested in the architectural flaws of the femtocell network which sees cell phone network secret information requested and sent to the relatively insecure femtocell stations.
Continued: http://www.h-online.com/security/news/item/Was-the-Vodafone-Femtocell-hack-new-1279947.html
Related: MAJOR HACK: Voda femtocells open phones up to intercept
Apple releases iOS 4.3.4/4.2.9 to fix JailBreakMe.com flaw
After a little more than a week after disclosure, Apple has patched three flaws in iOS for iPod Touch, iPad, iPad2, iPhone 3GS, iPhone 4 and the Verizon iPhone.
You may recall the return of the website JailBreakMe.com 10 days ago which exploited these vulnerabilities to provide an easy method of jailbreaking your iDevice.
The updated version for all but the Verizon iPhone is version 4.3.4, while Verizon customers can update to 4.2.9. To update just open iTunes, check for updates and plug in your phone/MP3 player/tablet.
This raises one of my big pet peeves with Apple products... Why do I have to tether to update? Oh! I see you will have that feature in iOS 5? I guess I will stay vulnerable until I happen to be in the same city as my copy of iTunes.
Two of the fixes are for font handling issues in PDFs that allow for remote code execution (RCE). The third fix is in the graphics handling code and can be exploited to allow for elevation of privilege (EoP).
Continued: http://nakedsecurity.sophos.com/2011/07/15/apple-releases-ios-4-3-44-2-9-to-fix-jailbreakme-com-flaw/
Apple Fixes Jailbreak PDF Bug With iOS 4.3.4
Apple Software Updates
Google Chrome OS Hacked Using ScratchPad App
how permissions can be abused to steal data
In a preview of a demonstration at the upcoming Black Hat security conference, a security researcher demonstrated how browser extensions can be used to compromise Chrome OS.
The Chrome extension ScratchPad had a wide range of permissions that made it vulnerable to a cross-site scripting attack, Matt Johansen, an application security specialist at WhiteHat Security, said July 14 in a preview of a presentation he will be making at Black Hat.
Johansen did his work on the Google CR-48 Beta laptop released last fall, but said malicious extensions would affect any device running Chrome OS, whether it is the CR-48 or the Chromebook.
He noted WhiteHat Security was able to "abuse" the Chrome OS "pretty quickly".
Exploit Based On ScratchPad Weakness
Johansen used ScratchPad, a preinstalled extension that allows users to take notes and auto-sync the note files with Google Docs in the "ScratchPad" folder, in his preview. The extension had a "quote-unquote feature" that allowed users to share ScratchPad folders without requesting any user permissions, Johansen said.
Continued: http://www.eweekeurope.co.uk/news/google-chrome-os-hacked-using-scratchpad-extension-34234