Researcher raids browser history for webmail login tokens
In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.
Websites typically append a random sequence of characters to URLs after a user has entered a correct password. The token is designed to prevent CSRF (cross-site request forgery) attacks, which trick websites into executing unauthorized commands by exploiting the trust they have for a given user's browser. The token is generally unique for each user, preventing an attacker from using CSRF attacks to rifle through a victim's account simply by sending a generic URL to a website.
Now, a researcher who goes by the name Inferno has come up with a way to guess CSRF tokens using brute-force techniques, combined with a much older attack.
More in http://www.theregister.co.uk/2009/07/20/csrf_token_hijacking/
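The token design described above, as an added example that is not code from the article or from Inferno's research: a server issues a per-session anti-CSRF token, binds it to the session with an HMAC so one user's token is useless against another account, compares it in constant time, and accepts it only from a form field or header, never from the query string where it would be written into browser history and Referer headers. The `request` dictionary stands in for a web framework's request object and `SERVER_KEY` is a constructed placeholder for a per-deployment secret.

```python
"""Anti-CSRF token issue/verify sketch (added example, not from the article).

Defensive properties shown:
  * token material comes from a CSPRNG (secrets), so it cannot be guessed;
  * the token is bound to the session via HMAC, so it is per-user;
  * verification uses a constant-time comparison;
  * the token is read from a hidden form field or a custom header only,
    never from the URL, so it does not land in history, logs or Referer.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-deployment secret; a real server would load this from
# protected configuration, not generate it at import time.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Return a fresh token bound to session_id: <nonce>.<hmac>."""
    nonce = secrets.token_hex(16)  # 128 bits of randomness
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    if len(nonce) != 32:  # token_hex(16) always yields 32 hex chars
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def token_from_request(request: dict) -> Optional[str]:
    """Read the token from the form body or a header; the query string is ignored.

    A token carried in the URL ends up in browser history and Referer headers,
    which is exactly the place the article's attack recovers tokens from.
    """
    form = request.get("form", {})
    headers = request.get("headers", {})
    return form.get("csrf_token") or headers.get("X-CSRF-Token")


def is_request_authorized(request: dict) -> bool:
    """Gate a state-changing request on method, session cookie and token."""
    if request.get("method") not in ("POST", "PUT", "DELETE"):
        return False  # state changes must never ride on GET
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return False
    token = token_from_request(request)
    return token is not None and verify_csrf_token(session_id, token)


if __name__ == "__main__":
    sid = "sess-alice"  # constructed session identifier
    tok = issue_csrf_token(sid)
    ok = {"method": "POST", "cookies": {"session": sid}, "form": {"csrf_token": tok}}
    in_url = {"method": "POST", "cookies": {"session": sid}, "query": {"csrf_token": tok}}
    print("form token accepted:", is_request_authorized(ok))
    print("query-string token accepted:", is_request_authorized(in_url))
```

Because the nonce is random per issue and the MAC is keyed with a server secret and the session id, a token recovered from one user's history cannot be replayed against another session, and a forged page cannot compute a valid token for the victim without the server key.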
Digital Spy fights second malware attack
Celebrity and TV gossip website Digital Spy is investigating reports that its subscribers outside the UK have been exposed to malware. The latest reported outbreak follows an earlier malware infestation, later traced to tainted banner ads, that hit the site only six weeks ago.
Digital Spy is a high-traffic website frequented by surfers gorging on information about celebrity shenanigans and reality TV programmes. As with the previous attack, news that the site might be serving up malware surfaced via posts on Digital Spy's forum.
Subscribers reported warnings from their anti-virus scanner and hijacked connections, re-routing them via dating sites, among other examples of weird behaviour.
Complete article in http://www.theregister.co.uk/2009/07/20/digital_spy_malware/
McAfee updates managed cloud security service
McAfee's latest version of its managed security service includes new features that let companies scan their Web sites for vulnerabilities as well as check for compliance with payment-card industry standards for handling financial data.
McAfee's Total Protection Service 5.0 has also been expanded to 18 languages, said Sal Viveros, a McAfee security analyst.
The vulnerability assessment service scans Web sites to see if they've been hacked and then can send reports to administrators as to what's wrong. The service can also check to see if a particular Web site complies with the Payment Card Industry Data Security Standard, which is a set of rules supported by card companies such as MasterCard and Visa.
McAfee has also integrated into the latest release technology that came from Secure Computing, which McAfee announced it would acquire in September 2008 for US$465 million.
Article is in http://www.networkworld.com/news/2009/072009-mcafee-updates-managed-cloud-security.html
Hidden-cam video of US sports reporter lures web users to...
Links to Erin Andrews peephole video infect PC and Mac user
IT security and control firm Sophos is warning all internet users to be wary of websites claiming to host a controversial nude video of high-profile ESPN reporter Erin Andrews - hackers are using the hype surrounding the hidden camera tape to distribute malware that will infect both PC and Mac computer systems.
The internet has been abuzz with news that a voyeur had secretly filmed the glamorous US sports reporter through the peephole of her hotel room door. Lawyers working for Andrews said that they will take legal action against anyone distributing the footage, which was taken without her knowledge or consent. However, opportunists and hackers have been quick to set up websites claiming to contain the illicit content, in the hope of driving internet traffic to their websites or infecting innocent victims.
Computer users who visit many of these sites are running the risk of being infected by the OSX/Jahlav-C Trojan horse on Macs, or the Mal/FakeAV-AY Trojan if visiting from a Windows computer. Once a hacker has control of your computer they can steal sensitive information and con unsuspecting computer users into paying for bogus online protection.
Video clip and more info in http://www.sophos.com/pressoffice/news/articles/2009/07/erin-andrews-peephole-video.html
See also blog reports by Sunbelt and McAfee on this
Erin Andrews “peep hole” video malware booming
Researchers at Sunbelt Software have detected that the Trojan installers used in the scam are generating a large number of polymorphic variants. The installers change from site to site each day and number around 10,000 unique hashes.
Malware From Celebrity Video - But I Thought I Just Installed A Video Player !
The malware downloaded from this site is currently detected as FakeAlert-DA and FakeAlert-EL. For MacOS users, the MediaPlayer.dmg malware will be detected as OSX/Puper.a trojan. In other related cases, we are currently detecting them as Generic FakeAlert.a and Generic FakeAlert.c.
Internet users are advised to refrain from installing programs that are linked from hot news and media sites.
Swine flu malware poses as pig plague update
By John Leyden
Posted in Spam, 21st July 2009 10:03 GMT
Wrongdoers have created a new strain of swine flu-themed malware.
A Trojan, containing backdoor and keylogger functionality, poses as a Word document from the US Centre of Disease Control giving information about the disease.
The infectious file - Novel H1N1 Flu Situation Update.exe - appears with an icon that makes it look like a Word document file. Users tempted to open the booby-trapped file are presented with a document.
Meanwhile the malicious code does its mischief in the background, as explained in a write-up (containing screenshots) by net security firm F-Secure here. F-Secure classifies the Trojan as Agent-AVZQ.
Spammers Running Wild In Latest MySpace Phishing Attack
In the last 24 hours there has been a sudden surge in the amount of spam being sent and received by MySpace users, suggesting that the site has fallen prey to a security exploit that grants spammers access to accounts. Many users are logging in to find that they’ve commented on their friend’s status updates with spammy messages inviting them to “make $$ this summer”. We’ve reached out to MySpace to ensure that they are aware of the issue.
Some MySpacers are speculating on the site’s forums that the hack is tied to phishing links in status updates, which seems to be in line with the reports we’ve seen of literally hundreds of identical spam status updates to certain band profiles (see the screenshot below).
Update: We’ve learned that this is in fact the case — MySpace users are falling prey to a phishing attack through links in status updates that invite them to re-enter their login information, which is then used to spam their accounts. MySpace expects to have a fix for this out later today that will remove all of these links.
More in http://www.techcrunch.com/2009/07/20/spammers-running-wild-in-latest-myspace-hack/
RIM fights BlackBerry snoop gaffe
RIM, maker of the BlackBerry mobile phone, has told the Reg that Etisalat is talking tosh and the BlackBerry remains a secure platform, after the United Arab Emirates operator "patched" the device with surveillance software.
The "patch" which Etisalat sent out last week was actually a surveillance application, designed to make copies of received e-mails, despite the operator's claims that the software was designed to ease 2G to 3G handoffs. RIM has sent The Register a statement making it clear that such an operator-issued application simply could not interact with low-level radio functionality, and that there aren't any problems on Etisalat's network that needed fixing anyway.
RIM's statement is restrained: so restrained that one can hear the sound of gritted teeth between the words: "Etisalat also issued a press release that referred to the software as a BlackBerry Software Upgrade... RIM confirms that this software is not a patch and it is not a RIM authorized upgrade. RIM did not develop this software application and RIM was not involved in any way in the testing, promotion or distribution of this software application."
Complete article in http://www.theregister.co.uk/2009/07/21/etisalat_blackberry_snooping_again/
Researcher: BlackBerry Spyware Wasn’t Ready for Prime Time
A BlackBerry software upgrade in the Middle East that turned out to be an e-mail interception program was likely a buggy beta version of a U.S.-made surveillance product, according to an analyst who dissected the malicious code.
Sheran Gunasekera, who works as a security consultant in Asia, released a white paper examining the spyware. (.pdf) Gunasekera said the software had no protective measures to obfuscate it, making it easy to decompile and examine — an unusual flaw for a program designed for surreptitious interception.
Another researcher named Nigel Gourlay was the first to examine the code and report that it was spyware, designed to intercept a user’s e-mail messages. The program appeared to be written by a U.S.-based company named SS8, which markets surveillance tools to law-enforcement and intelligence agencies. The company hasn’t responded to repeated inquiries from Threat Level.
Full story in http://www.wired.com/threatlevel/2009/07/blackberry-spyware/
Why Twitter Hack is Not a Cloud Security Wake-up Call
The recent Twitter hack illustrates a problem with weak passwords, not cloud security, writes Pete Soderling, founder of Web development shop Mechanikal and API management company Stratus Security Technologies.
My Google Alerts for cloud security have been going off with an increased vengeance.
In the current Web buzz about the recently stolen Twitter documents sent out by a hacker to TechCrunch, people have been pointing to the attack and citing it as a cloud computing security wake-up call.
In fact, the Twitter hack is an older and more common type of attack that any computing system is vulnerable to: weak password security.
Continue reading in http://www.csoonline.com/article/497513/Why_Twitter_Hack_is_NOT_a_Cloud_Security_Wake_up_Call?source=CSONLE_nlt_update_2009-07-21
LA officials question Google Apps plan
A Los Angeles councilman and the head of a police group are questioning the city's plan to move government e-mail and other records onto Google's hosted Web service Google Apps.
"Anytime you go to a Web-based system, that puts you just a little further out than you were before," LA City Councilman Tony Cardenas told The Associated Press. "Drug cartels would pay any sum of money to be aware of our progress on investigations."
Paul Weber, president of the LA Police Protective League, also said he is worried about the safety of sensitive police investigation records if they are moved to Google Apps.
The concerns come after sensitive Twitter documents were stolen by a hacker who gained access to a Twitter employee's Yahoo e-mail account and from there got information that allowed access to the company's data on Google Apps. Although the breach occurred in May, the severity of the situation wasn't clear until last week when the hacker fed the data to TechCrunch for public posting.
While Twitter executives noted that there was no security vulnerability in Google Apps, the linking of personal and work e-mail by the employee, re-use of passwords on multiple accounts, and easy to guess security questions allowed an outsider to steal confidential information and expose it to the world.
Read more in http://news.cnet.com/8301-1009_3-10291911-83.html
The great WiFi robbery: police to patrol down your street
The Queensland Police fraud squad says it will be the first police force in the world to go on "wardriving" missions to warn homes and businesses if their wireless networks are not secure.
Detective Superintendent Brian Hay said criminals were piggy-backing on the WiFi connections of ordinary computer users and using them to anonymously commit crimes such as fraud and identity theft.
The process of searching for open wireless networks using a laptop or handheld in a moving vehicle is known in the geek community as "wardriving".
Detective Superintendent Hay said it was important for police to get "ahead of the game" as crooks were now sharing information on satellite maps showing vulnerable areas with large numbers of unsecured networks.
He blamed computer equipment sellers for not doing enough to educate customers on the importance of security.
Continue reading in http://www.smh.com.au/technology/security/the-great--wifi-robbery-police-to-patrol-down-your-street-20090721-drqb.html via Sunbelt Blog
Hey Mr. DJ, Don't Put That Record On
Symantec Security Response Blogs today:
Hopefully the readers of the Security Response Blogs are well aware of advance-fee fraud, which is also known as a 419 scam. A 419 scam typically pops up disguised as an email from some member of a royal family from a country far away, trying to transfer large amounts of money to you. The story used in the fraud schemes doesn’t vary much these days. However, these advance-fee scams have evolved and adapted to all of the new information sources that are available, including social networks. Such as with the following example, which was seen a couple of times at the beginning of June this year.
The scammer searched in Facebook for people who have highlighted the fact that they are disc jockeys. Since it is likely that such people usually want to be found and are proud to be DJs, it is quite easy for an attacker to create a very targeted user list for his scam. Simply browsing and comparing dedicated user interest groups can reveal all of the necessary information.
Armed with this information, the attacker rolled out some adequate bait for the DJ user group. The attacker pretended to be an event organizer from Miami, searching for new talent to be a stand-in for another artist who cancelled a booking on short notice. Following the contact message on Facebook was a list of documents boosting the seriousness of this offer: flight confirmation, five-star hotel reservations, and a signed contract offering 3,000 Euros for playing six nights in Miami’s finest clubs—a dream for any newcomer DJ. According to people who were contacted by the scammer, his appearance was very convincing and he acted in a professional manner, even calling the victims on the phone to discuss details. Social engineering at its best.
Continue reading this at http://www.symantec.com/connect/blogs/hey-mr-dj-don-t-put-record
National Pharmaceutical Control Bureau of Malaysia Web site
Websense Security Labs ThreatSeeker Network has detected that the Web site of the National Pharmaceutical Control Bureau of Malaysia has been compromised and injected with malicious code. The Web host has been injected with an iframe that leads to a site laden with exploits.
More details in http://securitylabs.websense.com/content/Alerts/3446.aspx
Microsoft Malware Protection Center v2 website launched
From MS MPC Blog:
We've been working hard, have heard your feedback, and are excited to announce V2 of the MMPC Portal! This new portal contains several new features including stream-lined sample submission and tracking, which is made possible by creating an MMPC profile. When you log in, the information saved in your MMPC profile auto-populates the sample submission form, thereby expediting the submission process. You can then monitor the status of your submission online – if you are logged in (using your MMPC profile) while submitting a sample, we will allow you to view details for all samples you have submitted in the past. In effect we now have ‘one stop shopping’ for sample submission and tracking.
MMPC Portal V2 includes a change log which allows you to see new and updated detections in the most recent definition versions. We have also implemented RSS feeds for encyclopedia entries, active malware lists, and the change log to allow you to stay up to date. We have stream-lined our UI to improve accessibility to content, extended existing content, and created new content. The new content includes a ‘guidance and advice’ section, improved encyclopedia content/organization, expanded glossary, a list of recent research papers, updates on news and events, highlights around awards and certifications, as well as an introduction to our team.
More in http://blogs.technet.com/mmpc/archive/2009/07/21/we-are-excited-to-announce-the-release-of-the-mmpc-portal-v2.aspx