NEWS - June 08, 2011

Oracle patches critical Java security vulnerabilities

Oracle has released security updates to fix a number of critical vulnerabilities in the Java programming language on the company's scheduled June Critical Patch Update. The Java SE Critical Patch Update June 2011 advisory details a total of 17 vulnerabilities which affect the Java Development Kit (JDK) and the Java Runtime Environment (JRE) versions 6.0 (up to and including update 25), 5.0 (up to and including update 29) and 1.4.2 (up to and including version 1.4.2_31) on all supported platforms.

Oracle gives 9 of the 17 vulnerabilities a Common Vulnerability Scoring System (CVSS) score of 10.0, the highest possible level of severity. According to Oracle, all of these vulnerabilities can be remotely exploited without authentication. In some cases, there are multiple instances of each vulnerability which can be exploited by untrusted Java Web Start applications or applets. The critical vulnerabilities were found in the 2D graphics, AWT, Deployment, Hotspot, Sound and Swing subsystems.

Oracle says the CVSS rating of 10.0 applies only on systems where the user has administrator privileges, as is typical on Windows; where the user does not have administrator privileges, as is typical on Linux or Solaris, the score falls to 7.5 for the vulnerabilities.

Also: Oracle Java 6 update 26 available now
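As an added example (not from the article or from Oracle), a Python check that maps the affected ranges quoted above onto `java -version` strings collected from a fleet; the inventory, hostnames and the "patched" 1.4.2 level in it are constructed.

```python
import re

# Last vulnerable update per family, as stated in the advisory summary above.
# Anything at or below the listed update is affected; the fix is the next update.
LAST_AFFECTED_UPDATE = {
    (1, 6, 0): 25,   # Java SE 6 up to and including update 25
    (1, 5, 0): 29,   # Java SE 5.0 up to and including update 29
    (1, 4, 2): 31,   # Java 1.4.2 up to and including 1.4.2_31
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) from a version string.

    Accepts '1.6.0_25', '1.6.0_25-b06' or a full 'java version "1.6.0_25"'
    line; a missing update (e.g. '1.6.0') is treated as update 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version found in %r" % text)
    major, minor, micro, update = m.groups()
    return int(major), int(minor), int(micro), int(update or 0)


def is_affected(version_text):
    """True if the version lies inside one of the advisory's affected ranges.

    Families the summary does not mention return False: the page makes no
    statement about them, so the check does not guess.
    """
    major, minor, micro, update = parse_java_version(version_text)
    last = LAST_AFFECTED_UPDATE.get((major, minor, micro))
    return last is not None and update <= last


def hosts_to_patch(inventory):
    """inventory maps hostname -> 'java -version' output; returns affected hosts."""
    return sorted(host for host, line in inventory.items() if is_affected(line))


# Constructed inventory for demonstration; not data from the article.
SAMPLE_INVENTORY = {
    "ws01": 'java version "1.6.0_25"',        # last affected Java 6 update
    "ws02": 'java version "1.6.0_26"',        # the update 26 release mentioned above
    "build1": 'java version "1.5.0_29-b11"',  # Java 5 with a build suffix
    "legacy": 'java version "1.4.2_31"',
    "legacy2": 'java version "1.4.2_32"',     # hypothetical patched 1.4.2 level
}

if __name__ == "__main__":
    print("still affected:", hosts_to_patch(SAMPLE_INVENTORY))
```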
Sony hack reveals password security is worse than feared

An analysis of password re-use from data spilled via the Sony and Gawker hack reveals that consumer password security is even more lax than we might have feared.

A million Sony users' password/username IDs and 250,000 Gawker login credentials, each stored in plain text, were exposed via separate hacks. In each case hackers posted a subset of these passwords as a torrent.

An analysis by security researcher Troy Hunt revealed that two-thirds of users with accounts at both Sony and Gawker used the same password on both sites. This conclusion is based on a relatively small sample of 88 email addresses found in common between the Sony and Gawker hacks. However, just the data gleaned by Hunt from the Sony hack alone shows this is unlikely to be some sort of statistical quirk. On the contrary, by any metric, consumer password security revealed via the Sony hack is dire.

Half the password sample from the Sony hack used only one character type and only one in a hundred passwords used a non-alphanumeric character, much the same as revealed by the earlier Gawker hack. Only 4 per cent of these passwords had three or more character types.

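An added example, not from the article or from Troy Hunt's analysis: Python that performs the two kinds of measurement described above (password reuse among e-mail addresses shared between two dumps, and character-type composition) over two small constructed dumps.

```python
# Constructed sample dumps (e-mail -> plaintext password); not data from either breach.
SONY = {
    "alice@example.com": "seinfeld",      # one character type
    "bob@example.com": "password1",       # two types: lower + digit
    "carol@example.com": "Tr0ub4dor&3",   # four types
    "dave@example.com": "123456",         # one type
    "erin@example.com": "Qwerty99",       # three types
    "frank@example.com": "sunshine",      # one type
}
GAWKER = {
    "alice@example.com": "seinfeld",      # same password on both sites
    "carol@example.com": "Tr0ub4dor&3",   # same password on both sites
    "dave@example.com": "letmein",        # different password
    "zoe@example.com": "abc123",          # no Sony account
}


def char_types(password):
    """Set of character types used: lower, upper, digit, symbol."""
    types = set()
    for ch in password:
        if ch.islower():
            types.add("lower")
        elif ch.isupper():
            types.add("upper")
        elif ch.isdigit():
            types.add("digit")
        else:
            types.add("symbol")   # anything non-alphanumeric
    return types


def composition_stats(passwords):
    """Fractions matching the three metrics quoted from the analysis above."""
    n = len(passwords)
    types = [char_types(p) for p in passwords]
    return {
        "one_type": sum(len(t) == 1 for t in types) / n,
        "non_alphanumeric": sum("symbol" in t for t in types) / n,
        "three_or_more_types": sum(len(t) >= 3 for t in types) / n,
    }


def reuse_rate(dump_a, dump_b):
    """(fraction of shared e-mails using the same password on both, number shared)."""
    a = {e.lower(): p for e, p in dump_a.items()}
    b = {e.lower(): p for e, p in dump_b.items()}
    shared = set(a) & set(b)
    reused = sum(a[e] == b[e] for e in shared)
    return (reused / len(shared) if shared else 0.0), len(shared)
```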

RSA to replace millions of SecurID tokens - IT should take..

On Friday, Lockheed Martin said they had proof that data stolen from RSA was used in an attempted attack on their systems. On Monday, RSA issued a public notice that Lockheed was correct, and announced that they would start replacing the compromised tokens used by their customers. For those working in the IT world, these two elements are worth paying attention to.

When announced in March, the attack that compromised RSA's SecurID technology sent shockwaves through the security and IT community. The issue at hand was that millions of people, at hundreds of organizations, were exposed due to a targeted attack on a virtual giant in the security space.

Things only got worse as military contractors started reporting breach attempts, and speculation tied them to RSA. Not because of rumor, but as Lockheed's announcement proved, they are all RSA customers.

On Monday, in a letter to the public, RSA's Chairman, Art Coviello, said that they would be replacing SecurID tokens, in an effort to expand their breach remediation efforts and "reinforce" customer trust. It's no secret that this move was expected for some time now. While the mentioned points are legitimate, the third reason for the replacement efforts is an obvious attempt for RSA to repair their public image.

Some customers will have the option to use the RSA Transaction Monitoring service, in the event a token replacement isn't a viable option. This service is the one used by financial institutions to catch account fraud online, so it is likely to be leveraged by its base demographic, as it won't help the larger Enterprise operations.

Related :
RSA's SecurID Quandry: Replace or Recall?
Lieberman CEO goes on the warpath - accuses RSA of greed and neglect
Greek police nab Pentagon hacking carding suspect

Greek police have arrested an 18-year-old suspected of hacking into systems run by Interpol, the FBI, and the Pentagon.

The unnamed Athens-resident teenager - known only by his online handle nsplitter - allegedly began his hacking spree with an attack against the FBI when he was only 15. However, investigators reckon his main stock in trade was using malicious toolbars to plant spyware on victims' machines.

Credit card and banking details entered into these compromised machines were extracted and used to siphon off cash. These illicit funds were allegedly used, not to buy consumer electronics or flashy cars, but to invest in firms listed on the Greek stock exchange.

Authorities in the US, France and Greece began piecing together the hacks in February 2008. This led to a recent raid on the suspect's home - which he shares with his mother - during which funds and computer equipment were seized.

Police also claim to have recovered a makeshift explosive device, flares and shotgun cartridges.

The teenager faces computer hacking, fraud and illegal weapons possession charges, CNN reports.

Also: FBI / Interpol hacker suspect arrested by Greek authorities

Cyber-Attackers Taking Aim at Cloud and Virtualized Environments

Cyber-criminals are simultaneously taking advantage of the cloud's benefits to launch attacks as well as targeting organizations' cloud services, security experts said.

As organizations increasingly virtualize their data centers and move their applications to the cloud, attackers are beginning to think, "Let's attack here," Allen Vance, director of product management of the data and applications security group at Dell SecureWorks, told attendees at Cloud Expo during a session on cloud security on June 6. Organizations have to put in measures to handle threats to their virtualized environments when considering a cloud deployment because the environment amplifies the risks, Vance said. Cloud Expo is running from June 6 to June 9 here.

"We are in the middle of a war," Terry Woloszyn, CTO of PerspecSys, told attendees in a different session on cloud security. He compared the current security climate to an "arms race" as cyber-attackers are continuously developing new attack vectors and modifying existing threats, leaving vendors and businesses to play catch-up.

Nowhere is this more evident than the recent game of whack-a-mole Apple has been playing with malware developers behind the fake MacDefender antivirus scam and its many variants over the past few weeks.

A new MacDefender variant appeared within 24 hours after Apple released a security update on June 1 that included the malware definition in the Mac OS X File Quarantine list. After Apple updated definition files to cover the new variant on June 2, yet another one popped up that bypassed the quarantine hours later.

Related: Survey: Nearly Half Of Cloud Services Users Have Had A Breach In The Past Year
Spam from compromised Hotmail accounts


We keep getting ongoing reports from readers about spam being sent from legitimate Hotmail accounts. Like web mail systems in general, Hotmail accounts are targeted to be able to send spam from "trusted" sources. If an e-mail is received from a friend or relative, you are much more likely to open and read it.

These accounts are compromised via many ways, most commonly these days via phishing. The question always is if it is actually a compromised account, or just someone spoofing the "From" address.

Hotmail adds some characteristic headers that can be used to identify the source as Hotmail. While they may be faked, of course, they allow you to narrow down the chances of the account being compromised.

You should see a "Received" header from a host, using Microsoft SMTPSVC. If the e-mail was posted via the web interface, you should also see an "X-Originating-IP" header, with the IP address of the sender. Here are some sample headers from an e-mail I sent to myself via Hotmail, using the web interface:

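An added example, not from the diary quoted above: a Python function that applies the two checks it describes (a "Received" header mentioning Microsoft SMTPSVC, and an "X-Originating-IP" header for web-interface sends) to raw message text. The two sample messages, their hostnames and their IP addresses are constructed.

```python
import email
import re

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def hotmail_origin(raw_message):
    """Classify a message by the Hotmail fingerprints described in the diary.

    Returns the verdict, the X-Originating-IP address (if present) and the
    Received lines that mention Microsoft SMTPSVC.  As the diary notes, these
    headers can be forged, so the result narrows the odds rather than proving
    that a real account was used.
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    smtpsvc_hops = [h for h in received if "Microsoft SMTPSVC" in h]
    originating_ip = None
    x_orig = msg.get("X-Originating-IP")
    if x_orig:
        m = _IPV4.search(x_orig)
        originating_ip = m.group(0) if m else None
    if smtpsvc_hops and originating_ip:
        verdict = "hotmail-web-interface"   # consistent with a logged-in web session
    elif smtpsvc_hops:
        verdict = "hotmail-smtp-no-web"     # handled by Hotmail, but not via the web UI
    else:
        verdict = "no-hotmail-fingerprint"  # From: claims hotmail, the headers do not
    return {"verdict": verdict, "originating_ip": originating_ip, "smtpsvc_hops": smtpsvc_hops}


# Constructed samples (not the diary's headers); addresses are documentation ranges.
WEBMAIL_SAMPLE = """\
Received: from col0-omc2-s9.col0.hotmail.com ([203.0.113.9]) by mx.example.net with ESMTP; Wed, 8 Jun 2011 10:02:11 +0000
Received: from COL0-MAIN12 ([203.0.113.12]) by col0-omc2-s9.col0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 8 Jun 2011 03:02:10 -0700
X-Originating-IP: [198.51.100.44]
From: friend@hotmail.com
To: me@example.net
Subject: check this out

hi
"""

SPOOFED_SAMPLE = """\
Received: from unknown (HELO mail.example.org) ([192.0.2.77]) by mx.example.net with SMTP; Wed, 8 Jun 2011 10:05:00 +0000
From: friend@hotmail.com
To: me@example.net
Subject: check this out

hi
"""
```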

Many Stuxnet Vulnerabilities Still Unpatched

The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.

Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm.

Siemens did not immediately respond to a request for comment on Langner's statement.

Langner, a principal and founder of Langner Communications GmbH, is an independent expert on industrial control system security. He was among the first to connect the Stuxnet worm to an attack on uranium enrichment facilities within Iran. He was also among those who pinned responsibility for the attack on the United States and Israel.

Langner's company sells security software and services to firms in the industrial control field. In the past, he has been critical of both the media coverage of the Stuxnet worm and of Siemens' response to revelations that software vulnerabilities and other structural weaknesses in its products contributed to the creation of Stuxnet and the success of the attack.

Court: Passwords + Secret Questions = 'Reasonable' eBanking Security

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week - if adopted by a U.S. district court in Maine - will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks.

In May 2009, Sanford, Maine based Patco Construction Co. filed suit against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. Patco used online banking primarily to make weekly payroll payments. Patco said cyber thieves used the ZeuS trojan to steal its online banking credentials, and then heisted $588,000 in batches of fraudulent automated clearing house (ACH) transfers over a period of seven days.

In the weeks following the incident, Ocean Bank managed to block or claw back $243,406 of the fraudulent transfers, leaving Patco with a net loss of $345,445. Because the available funds in Patco's account were less than the total fraudulent withdrawals, the bank drew $223,237 on Patco's line of credit to cover the transfers. Patco ended up paying interest on that amount to avoid defaulting on its loans.

Patco sued to recover its losses, arguing in part that Ocean Bank failed to live up to the terms of its contract when it allowed customers to log in to accounts using little more than a user name and password. On May 27, a magistrate recommended that the court make Patco the loser by denying Patco's motion for summary judgment and granting the bank's motion.

A Walkthrough of a FAKEAV Infection in Mac OS X

For some years now, FAKEAV has been a plague in Windows systems. It's only recently that this variant has entered the Mac OS X scene. As was the case with Windows-based FAKEAV, the most common infection vector for Mac FAKEAV is through poisoned search terms.

Take for example the following poisoned search result: [Screenshot]

Accessing the website while using a Mac will lead the user directly to the following page: [Screenshot]

Clicking "OK" in the above page leads to a page which supposedly scans for any virus in the system. [Screenshot]

LulzSec hits US security firm Black & Berg

Cheeky hacking outfit LulzSec has struck again, hitting the website of US security consultants Black & Berg Security - the company run by US National Security Advisor, Joe Black.

The merry pranksters hit the site's home page after the ill-favoured company issued a Security Challenge, offering a $10,000 bounty to anyone who could change the home page picture.

Some challenges, it seems, are too good to turn down. But the hacker group declined their rightful reward - the hit was, it appears, just "for the lulz".

Just hours earlier Joe Black, CEO of Black & Berg CyberSecurity Consulting, quipped somewhat cockily to the group on Twitter:

"Black & Berg Cybersecurity Consulting appreciate all the hard work that you're putting in. Your Hacking = Clients for us. Thx ~Joe"

Either it's an attempt at entrapment, or we wonder if he's regretting that one now. Or, more to the point, if President Obama is, having named Black in January as the mastermind behind his administration's cybersecurity strategy.

LulzSec's move follows a busy week for the group, which saw it breach security at Infragard, Nintendo, and Sony.
