Browser Feature Can Be Abused to Misrepresent Download Origin, Researcher Says
Legitimate browser functionality can be abused to trick users into believing that a trusted website has asked them to download a file, which is actually being served from a rogue server, Google security engineer Michal Zalewski demonstrated on Tuesday.
Zalewski's proof-of-concept attack begins with a button on a page that, when clicked, opens the official Flash Player download website in a second tab and switches the browser's focus to it. After a few seconds, the original page, now sitting in the background, triggers a download of a file called flash11_updater.exe from Zalewski's server, which causes the browser to display a download dialog.
However, because this happens while the active tab is the one with the official Flash Player website loaded into it and an adobe.com URL in the address bar, it appears as if the download was initiated by Adobe's website.
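The mechanics described above, as an added example that is not Zalewski's PoC code: a small model of a browser whose download prompt is labelled with whatever tab is active, plus the lure page's two-step sequence (open a real vendor page in front, then serve the payload from the lure's own host). The `labelByInitiator` option models the corrected behaviour, where the prompt names the tab that actually started the download. The hostnames are illustrative assumptions.

```javascript
// Added example, not Zalewski's PoC: a small model of the tab-focus confusion
// described above. The "browser" labels its download prompt with whatever
// tab is active, so a lure tab can open a real vendor page in front and then
// start a download from its own server. Hostnames are illustrative only.

class FakeBrowser {
  // labelByInitiator = true models the corrected behaviour: the prompt names
  // the tab that actually started the download, not the one in front.
  constructor({ labelByInitiator = false } = {}) {
    this.labelByInitiator = labelByInitiator;
    this.tabs = [];
    this.activeTab = null;
  }

  // window.open() followed by focus(): the new tab becomes the active one.
  open(url) {
    const tab = { url, origin: new URL(url).origin };
    this.tabs.push(tab);
    this.activeTab = tab;
    return tab;
  }

  // A tab serving an attachment response triggers the download prompt.
  // What the user sees depends on the labelling policy.
  download(initiatorTab, fileUrl) {
    const file = new URL(fileUrl);
    return {
      fileName: file.pathname.split('/').pop(),
      servedFrom: file.origin,            // where the bytes really come from
      initiatedBy: initiatorTab.origin,   // which tab asked for them
      shownAs: this.labelByInitiator ? initiatorTab.origin : this.activeTab.origin,
    };
  }
}

// The attack sequence: the lure page (already open) pops the decoy in front,
// then (after a delay in the real PoC) serves the payload from its own host.
function runDecoyDownload(browser, lureTab, decoyUrl, payloadUrl) {
  browser.open(decoyUrl);
  return browser.download(lureTab, payloadUrl);
}

// True when the prompt's displayed origin disagrees with the file's real origin.
function isMisattributed(prompt) {
  return prompt.shownAs !== prompt.servedFrom;
}

// Stand-alone run: flawed labelling vs. labelling by initiator.
if (typeof require !== 'undefined' && require.main === module) {
  for (const labelByInitiator of [false, true]) {
    const b = new FakeBrowser({ labelByInitiator });
    const lure = b.open('http://lure.example/update.html');
    const p = runDecoyDownload(b, lure, 'http://get.adobe.com/flashplayer/',
                               'http://lure.example/flash11_updater.exe');
    console.log(`labelByInitiator=${labelByInitiator}:`, p,
                'misattributed:', isMisattributed(p));
  }
}
```

With the default policy the prompt reads as an adobe.com download while `servedFrom` is the lure host; with `labelByInitiator` the two agree. The model leaves out the timing delay that makes the real PoC convincing (the user has to be looking at the decoy when the prompt appears), but the attribution logic is the whole point.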
"In a way this is a social engineer's holy grail," said Emmanuel Carabott, security research manager at security vendor GFI Software, via email. "What a social engineer is trying to do is getting you to trust what they are saying. The more authentic they can make it seem the more successful the attack will be."
There have been many social engineering attacks in the past that tricked users into downloading malicious files by passing them as Flash Player updates. A lot of these attacks used spoofed pages that mimicked Adobe's official Flash Player site.
Continued : http://www.pcworld.com/businesscenter/article/256610/browser_feature_can_be_abused_to_misrepresent_download_origin_researcher_says.html
GameReplays invites white-hat hackers to probe site after data breach
The owner of GameReplays.org has invited ethical hackers to probe the website for vulnerabilities after a recent compromise that resulted in 10,000 member accounts being exposed.
GameReplays.org is home to an online community of multiplayer game enthusiasts. The site organises professional gaming tournaments and publishes match replays, as well as strategy guides and other tips and tricks.
On Monday, a hacker who claims to be affiliated with Anonymous and uses the Twitter handle EcecusHxc published a list of 5,000 GameReplays accounts that were copied from the site's database after exploiting a vulnerability.
The leaked information included email addresses and password hashes, as well as the corresponding salts. A salt is a random per-user value mixed into the password before hashing: it stops identical passwords from producing identical hashes and makes precomputed (rainbow) tables useless. It is stored alongside the hash and is not a secret key, so with both in hand an attacker can still run an offline dictionary attack against each hash; how long that takes depends on the hash function the site used, not on the salt.
On Tuesday, the hacker published a list of an additional 5,000 GameReplays member emails and passwords, raising the total number of exposed accounts to 10,000.
Continued : http://news.techworld.com/security/3361272/gamereplays-invites-white-hat-hackers-probe-site-after-data-breach/
GameReplays Hacked, 10,000 Members Exposed
McAfee: One in Six PCs Have No Security
"Fully 17 percent of Windows PCs in a McAfee study had no active anti-virus software."
A recent McAfee study found that one in every six personal computers has no protection at all -- 17 percent of PCs analyzed either had disabled anti-virus software, or never had any to begin with. The study analyzed data from an average of 27 to 28 million PCs each month whose users ran the free McAfee Security Scan Plus software for Windows computers.
"Web surfers who install Scan Plus are likely to have a problem with their computers that prompted them to use the technology in the first place -- so they might be less well protected than the general population," notes The Register's John Leyden. "McAfee's figures are thus probably best regarded as indicative rather than definitive."
"PCs in Finland, Italy, New Zealand, Germany and Denmark were most likely to be protected, the study found," writes PCWorld's Cameron Scott. "Those in Singapore, Spain, Mexico, Japan, and the United States were least likely to have active antivirus protection."
The country with the worst rating, McAfee said, was Singapore, with 21.75 percent of PCs unprotected. The U.S. also had a surprisingly low rating, with 19.32 percent of consumers using no security software. At the other end of the spectrum was Finland, where only 9.7 percent of PCs are unprotected.
Also: 17% of the world's PCs are unprotected
McAfee Study: Consumer Alert: McAfee Releases Results of Global Unprotected Rates Study
Targeted Attack: London 2012 Olympics
From the F-Secure Antivirus Research Weblog:
We've come across a malicious Olympic themed PDF earlier this morning while data mining our back end for documents which drop executables (those are never a good thing, unsurprisingly).
The PDF exploits CVE-2010-2883, which affects older versions of Adobe Reader and Acrobat. A typical PDF exploit will launch a clean decoy as part of its attack, and in this case, the decoy is a copy of the London 2012 Olympic schedule circa October 2010. The original source PDF can still be found online at: london2012.com. [Screenshot]
The exploit attempts to make a network connection with a site registered to "student travel" in Baotoushi, China. [Screenshot]
Continued : http://www.f-secure.com/weblog/archives/00002370.html
Related : Olympics-Themed PDF is Actually Malware [WARNING]
Olympics fans targeted with lottery scam
An email purportedly coming from the promotion manager of the London 2012 Olympics has been hitting inboxes, trying to scam recipients into sending personal information and money in order to get the bogus 800,000 GBP (around $1.25 million) prize they have supposedly won: [Screenshot]
Of course, the lottery and the prize are both non-existent, and the email is just a first step of a so-called "advance fee scam."
"The criminals operating the scam campaign will claim that these fees are unavoidable legal requirements and will insist that they must be paid in full before the prize can be awarded. They will also insist that the fees cannot in any circumstances be deducted from the prize itself. The criminals will invent all kinds of 'expenses' that must be met in advance by the 'winner', including insurance costs, tax obligations and banking fees," Hoax-Slayer explains.
Also, during the email exchange, the scammers often manage to convince their victims to share their personal and financial information, which can then be used to mount other scams and perpetrate identity theft and financial fraud.
Continued : http://www.net-security.org/secworld.php?id=13011
How Mobile Apps are Invading Your Privacy Infographic
From the Veracode Security Blog:
Every week it seems like there is a new story about a popular mobile application having privacy issues that put its users at risk. With millions of mobile apps receiving billions of downloads, it is important that users are aware of the risks they face when downloading and using apps. This infographic uses real world cases to outline the threat to user privacy posed by mobile apps.
Delivering the Windows 8 Release Preview
Steven Sinofsky @ MSDN's "Building Windows 8" Blog:
31 May 2012 12:01 PM
Today, Windows 8 Release Preview is available for download in 14 languages. This is our final pre-release, and includes Windows 8, Internet Explorer 10, new Windows 8 apps for connecting to Hotmail, SkyDrive, and Messenger (and many more), and hundreds of new and updated apps in the Windows Store. Since our first preview release last September, millions of people now use the pre-release product on a daily basis and millions more have been taking it through its paces, totaling hundreds of millions of hours of testing. We genuinely appreciate the effort that so many have put into pre-release testing, and of course, we appreciate the feedback too. Direct feedback and feedback through usage contributed to hundreds of visible changes in the product and tens of thousands of under-the-hood changes.
Just nine months ago, we kicked off this blog as a dialog about the design and development of Windows 8. We've talked in depth about building Windows 8, including the features, the designs, and the background behind these. We've done so in over 70 posts totaling over 500 pages if printed out and 34 videos totaling over 90 minutes, all coming directly from engineers of the product. We've had about 18,000 comments from approximately 7,000 people. Over 170 Windows engineers contributed to the dialog, including over 200 comments I posted (though I was out-commented by one other pretty active reader!). Of course, we've been carefully watching the telemetry of the millions of tech enthusiasts using the product at each milestone.
Continued : http://blogs.msdn.com/b/b8/archive/2012/05/31/delivering-the-windows-8-release-preview.aspx
Windows 8 Release Preview Unleashes the Power of Metro [HANDS ON]
Windows 8 Release Preview
Microsoft's Windows 8 Release Preview: What's in and what's out
Refining the recommended system requirements for Windows 8
Final Windows 8 preview released
Facebook users suffer service disruptions
Facebook has suffered a series of service disruptions which left many people unable to use the social network.
The problems meant that the site was unreachable for some people for almost two hours.
Sporadic disruptions were reported by many people and even those who could get through said pages were taking a long time to load.
Facebook apologised but said it had fixed the problem.
News of problems getting at and using Facebook spread quickly as people took to Twitter, news sites and blogs to express their frustration.
"Facebook is acting like its stock. It keeps going down," quipped one Twitter user.
Website-monitoring sites such as Downrightnow and Downforeveryoneorjustme reported that the site was intermittently available for a period of several hours.
In a statement, Facebook said some users "briefly experienced issues loading the site" but these had been resolved and it should be working fine for everyone. It gave no details about what had caused the problems.
Continued : http://www.bbc.co.uk/news/technology-18294049
Is Facebook Down? Yes For Some. Site Outages Lasted Over Two Hours
Facebook's Website Suffers Temporary Outage
Flamer: A Recipe for Bluetoothache
From Symantec's Security Response Blog:
W32.Flamer is possibly the only Windows-based threat we have encountered which uses Bluetooth. It is yet another indicator that W32.Flamer is not only exceptional, but that it is a comprehensive information gathering and espionage tool. The CrySyS laboratory has previously documented the technical details of Bluetooth in W32.Flamer. But, what does this actually mean for potential victims targeted by Flamer? What can an attacker accomplish using Bluetooth?
The Bluetooth functionality in Flamer is encoded in a module called "BeetleJuice". This module is triggered according to configuration values set by the attacker. When triggered it performs two primary actions:
The first is to scan for all Bluetooth devices in range. When a device is found, its status is queried and the details of the device recorded—including its ID—presumably to be uploaded to the attacker at some point.
The second action is to configure itself as a Bluetooth beacon. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. And there is more. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed: [Screenshot]
These are the facts of how Flamer uses Bluetooth. And what can the attacker do with this functionality? There are several potential avenues available:
Scenario #1 - Identification of victim social networks
Continued : http://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache
Microsoft Making 'Do Not Track' Default for IE 10
In Ad Network Nightmare, Microsoft Making 'Do Not Track' Default for IE 10
Microsoft announced Thursday that the next version of its browser, IE 10, will ship with the controversial "Do Not Track" feature turned on by default, a first among major browsers, creating a potential threat to online advertising giants.
That includes one of Microsoft's chief rivals — Google.
The change could also threaten the still-nascent privacy standard, and prompt an ad industry revolt against it.
Do Not Track doesn't attempt to block cookies. Instead the browser adds a DNT: 1 header to every HTTP request it sends, telling the site you prefer not to be tracked. Honouring that flag is currently optional for sites and web advertising firms, but it's gaining momentum, with Twitter embracing it last week.
The proposal also has the backing of the FTC, which has grown deeply skeptical of the online ad industry's willingness to play fairly with users and has threatened to call for online privacy legislation. After initially opposing the idea, the online ad industry is now seeking to soothe the feds by hammering out rules that aren't too tough on data collection. The hope then is that not many users avail themselves of the tool, and then not much has to change in how ad companies build profiles of users in order to sell premium-priced targeted ads.
Continued : http://www.wired.com/threatlevel/2012/05/ie10-do-not-track/
Also: IE10 will have "Do Not Track" on by default
Confirmed: US and Israel created Stuxnet, lost control of it
"Stuxnet was never meant to propagate in the wild."
In 2011, the US government rolled out its "International Strategy for Cyberspace," which reminded us that "interconnected networks link nations more closely, so an attack on one nation's networks may have impact far beyond its borders." An in-depth report today from the New York Times confirms the truth of that statement as it finally lays bare the history and development of the Stuxnet worm—and how it accidentally escaped from the Iranian nuclear facility that was its target.
The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet. The goal of the worm was to break Iranian nuclear centrifuge equipment by issuing specific commands to the industrial control hardware responsible for their spin rate. By doing so, both governments hoped to set back the Iranian research program—and the US hoped to keep Israel from launching a pre-emptive military attack.
Continued : http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/
NYT: Stuxnet cyberweapon created by US,Israel to attack Iran
"The United States and Israel created the notorious Stuxnet worm to attack Iran's nuclear facilities, reports The New York Times"
The mysterious origin of Stuxnet, long considered one of the world's most dangerous computer worms, is a mystery no more. In a bombshell piece published today, The New York Times reports that Stuxnet was developed by the United States and Israel, and used by both the Bush and Obama administrations to wreak havoc on Iran's nuclear facilities. Then it accidentally "escaped" into the wild.
Many have long suspected that the U.S. and Israel developed Stuxnet, which successfully (though only temporarily) shut down 1,000 of the 5,000 centrifuges Iran was using to enrich uranium at the Natanz nuclear facility, according to the report. But until now, such assertions remained unconfirmed, as the many cybersecurity experts who analyzed Stuxnet said its code contained little evidence of who developed the worm. In September of 2010, antivirus firm Kaspersky Lab concluded that the Stuxnet attack on Natanz "could only be conducted with nation-state support and backing." But that was as far as anyone got in discovering Stuxnet's origins.
Continued : http://www.digitaltrends.com/computing/stuxnet-cyberweapon-created-by-us-israel-to-attack-iran-reports-nyt/
Also: Stuxnet: How USA and Israel created anti-Iran virus, and then lost control of it
Why Antivirus Companies Like Mine Failed to Catch Flame and
Mikko Hypponen - Chief Research Officer @ F-Secure:
A couple of days ago, I received an e-mail from Iran. It was sent by an analyst from the Iranian Computer Emergency Response Team, and it was informing me about a piece of malware their team had found infecting a variety of Iranian computers. This turned out to be Flame: the malware that has now been front-page news worldwide.
When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but had never been flagged by the system as something we should examine closely. Researchers at other antivirus firms have found evidence that they received samples of the malware even earlier than this, indicating that the malware was older than 2010.
What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.
Continued : http://www.wired.com/threatlevel/2012/06/internet-security-fail/
Ex-MI5 boss loses laptop at Heathrow airport
Stella Rimington, the former Director-General of MI5 (Britain's Security Service), has had her laptop stolen according to media reports.
Dame Stella Rimington made the headlines in 1992 when she was publicly named as the first female chief of MI5, and is believed to have inspired Judi Dench's casting as spy chief "M" in the James Bond films. Dame Stella has since carved herself a career as a spy novelist.
The former boss of MI5 was said by The Sun newspaper to be "very upset" by the theft which occurred as she left Heathrow airport last Tuesday.
The Metropolitan Police's SO15 Counter-Terrorism division is reported to have been informed because of possible security concerns.
Although Dame Stella retired from MI5 in 1996, the concern will be that she may still have the contact details of former colleagues, and no doubt the authorities will want to quickly determine if strong passwords and encryption were in place on the laptop.
Continued : http://nakedsecurity.sophos.com/2012/06/01/mi5-boss-loses-laptop/
Terror cops hunt laptop snatched from retired MI5 spookmistress
Ex-MI5 boss Dame Stella Rimington 'loses laptop at airport'
On Facebook, 'Likes' Become Ads
On Valentine's Day, Nick Bergus came across a link to an odd product on Amazon.com: a 55-gallon barrel of ... personal lubricant.
He found it irresistibly funny and, as one does in this age of instant sharing, he posted the link on Facebook, adding a comment: "For Valentine's Day. And every day. For the rest of your life."
Within days, friends of Mr. Bergus started seeing his post among the ads on Facebook pages, with his name and smiling mug shot. Facebook — or rather, one of its algorithms — had seen his post as an endorsement and transformed it into an advertisement, paid for by Amazon.
In Facebook parlance, it was a sponsored story, a potentially lucrative tool that turns a Facebook user's affinity for something into an ad delivered to his friends.
Amazon is one of many companies that pay Facebook to generate these automated ads when a user clicks to "like" their brands or references them in some other way. Facebook users agree to participate in the ads halfway through the site's 4,000-word terms of service, which they consent to when they sign up.
With heightened pressure to step up profits and live up to the promise of its gigantic public offering, Facebook is increasingly banking on this approach to generate more ad revenue. The company said it does not break down how much revenue comes from such ads. Its early stock market performance — down 22 percent from its offering price — is likely to increase the urgency.
Continued : http://www.nytimes.com/2012/06/01/technology/so-much-for-sharing-his-like.html
The Vulnerabilities Market and the Future of Security
Bruce Schneier @ his "Schneier on Security" Blog:
Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who sell to governments, who buy vulnerabilities with the intent of keeping them secret so they can exploit them.
This market is larger than most people realize, and it's becoming even larger. Forbes recently published a price list for zero-day exploits, along with the story of a hacker who received $250K from "a U.S. government contractor." (At first I didn't believe the story or the price list, but I have been convinced that they both are true.) Forbes published a profile of a company called Vupen, whose business is selling zero-day exploits. Other companies doing this range from startups like Netragard and Endgame to large defense contractors like Northrop Grumman, General Dynamics, and Raytheon.
This is very different than in 2007, when researcher Charlie Miller wrote about his attempts to sell zero-day exploits; and a 2010 survey implied that there wasn't much money in selling zero days. The market has matured substantially in the past few years.
This new market perturbs the economics of finding security vulnerabilities. And it does so to the detriment of us all.
Continued : http://www.schneier.com/blog/archives/2012/06/the_vulnerabili.html