NEWS - June 11, 2012

European League of Legends Game Players Have Their Account Data Compromised

Hackers have stolen account data from the European servers of popular real-time strategy game League of Legends (LoL), the game's developer, Riot Games, announced on Saturday.

According to figures published by Riot in November 2011, there are over 32 million registered accounts on the three LoL servers: North America, EU West (EUW) and EU Nordic & East (EUNE).

"Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases," Riot Games founders Marc Merrill and Brandon Beck wrote in a blog post on Saturday.

The compromised account data included email addresses, encrypted passwords, player names and dates of birth. No payment or billing information was exposed as a result of this security breach, Merrill and Beck said.

For a small number of players, their first and last names, as well as their encrypted security questions and answers, were also compromised. However, security questions and answers are no longer used in LoL's account recovery process, the Riot co-founders said.

Continued :

League of Legends Hacked: You Know The Drill By Now
Passwords pillaged from League of Legends wand-strokers
- Collapse -
Simple authentication bypass for MySQL root revealed

Exploits for a recently revealed MySQL authentication bypass flaw are now in the wild, partly because the flaw is remarkably simple to exploit in order to gain root access to the database. The only mitigating factor appears to be that it depends on the C library that the MySQL database was built with. The bypass, assigned the vulnerability ID CVE-2012-2122, allows an attacker to gain root access by repeatedly trying to log in with an incorrect password. Each attempt has a 1 in 256 chance of being given access. The exploits are mostly variations on a loop that connects to MySQL with a bad password around 300 to 512 times.

The vulnerability, which was detailed in a posting by MariaDB security coordinator Sergei Golubchik, is due to a casting error when checking the results of comparing (with the memcmp function) the password given and the expected password. "Basically account password protection is as good as nonexistent", says Golubchik, adding "Any client will do, there's no need for a special libmysqlclient library". Vulnerable versions of MySQL and MariaDB are those compiled with libraries that return integers outside the -128 to 127 range for memcmp. According to Golubchik the gcc built-in memcmp and BSD libc memcmp are safe, but the Linux glibc SSE-optimised memcmp is not safe.
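To show the casting error concretely, the following C program (an added example written for this digest, not MySQL's or MariaDB's own code) emulates the narrowing of memcmp's int result into an 8-bit boolean, contrasts it with a normalised check, and probes whether the local libc's memcmp ever returns a value outside -128..127. The function names, the `my_bool` typedef and the 20-byte buffer size are assumptions of this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an 8-bit boolean return type (assumed here to mirror the
 * pattern the advisory describes: a char carrying memcmp's int result). */
typedef char my_bool;

/* Vulnerable pattern: memcmp's int result is handed back through a char.
 * Any result that is a multiple of 256 (e.g. 256, -256) narrows to 0, which
 * a caller reads as "the two values are equal". The cast is written out
 * here for clarity. */
my_bool check_truncated(int memcmp_result)
{
    return (my_bool)memcmp_result;
}

/* Hardened pattern: collapse to 0/1 before narrowing, so only an exact
 * zero from memcmp (identical buffers) is ever reported as a match. */
my_bool check_normalised(int memcmp_result)
{
    return memcmp_result != 0;
}

/* Probe whether this platform's memcmp returns values outside
 * SCHAR_MIN..SCHAR_MAX, the property the advisory says makes a build
 * vulnerable. Compares constructed 20-byte buffers that differ in one
 * byte; returns 1 if any out-of-range result was seen, otherwise 0. */
int memcmp_returns_wide(void)
{
    unsigned char a[20], b[20];
    int wide = 0;
    memset(a, 0, sizeof a);
    memset(b, 0, sizeof b);
    for (int diff = 1; diff < 256; diff++) {
        b[0] = (unsigned char)diff;
        int r1 = memcmp(a, b, sizeof a);
        int r2 = memcmp(b, a, sizeof a);
        if (r1 < SCHAR_MIN || r1 > SCHAR_MAX || r2 < SCHAR_MIN || r2 > SCHAR_MAX)
            wide = 1;
    }
    return wide;
}

int main(void)
{
    printf("memcmp result 256, truncated check: %s\n",
           check_truncated(256) == 0 ? "treated as MATCH" : "mismatch");
    printf("memcmp result 256, normalised check: %s\n",
           check_normalised(256) == 0 ? "treated as MATCH" : "mismatch");
    printf("this libc's memcmp returns wide values: %s\n",
           memcmp_returns_wide() ? "yes" : "no");
    return 0;
}
```

A build whose probe prints "yes" is one where the truncated pattern would accept a wrong password whenever the comparison happens to yield a multiple of 256.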

Continued :

Trivial Password Flaw Leaves MySQL Databases Exposed
MySQL flaw allows attackers to easily connect to server
Exploit Available for Trivial MySQL Password Bypass
Flaw in MySQL Allows Attackers to Connect to Server with Incorrect Passwords

See Vulnerabilities / Fixes:
MySQL User Login Security Bypass and Unspecified Vulnerability
MariaDB User Login Security Bypass Security Issue

- Collapse -
Researchers Connect Flame to US-Israel Stuxnet Attack

The sophisticated espionage toolkit known as Flame is directly tied to the Stuxnet superworm that attacked Iran's centrifuges in 2009 and 2010, according to researchers who recently found that the main module in Flame contains code that is nearly identical to a module that was used in an early version of Stuxnet.

Researchers at Russia-based Kaspersky Lab discovered that a part of the module that allows Flame to spread via USB sticks using the autorun function on a Windows machine contains the same code that was used in a version of Stuxnet in 2009, reportedly in a joint operation between the United States and Israel. The module, which was known as Resource 207 in Stuxnet, was removed from subsequent versions of Stuxnet, but it served as a platform for what would later develop into the full-fledged Flame malware that is known today.

The researchers believe the attackers may have used the Flame module to kickstart their Stuxnet project before taking both pieces of malware into different and separate directions. They've detailed the similarities between the modules in Flame and Stuxnet in a blog post.


Diving Into Flame, Researchers Find A Link To Stuxnet
Kaspersky Experts Find Connection Between Flame and Stuxnet

- Collapse -
Microsoft Update Security


Published: 2012-06-11,
Last Updated: 2012-06-11 13:11:21 UTC
by Johannes Ullrich (Version: 1)

One of the important features of last week's Microsoft certificate patch was that the bad certificate was apparently used to subvert the Windows update process. The complex Windows update architecture represents a huge target to any attacker, and it has held up quite well so far. I do not expect any issues related to the lost certificate this week. However, this would be the last chance for the attacker to use these certificates, and it is a good opportunity to talk about patch security on the day before "black tuesday".

I do recommend that you apply the certificate patch released a week ago today if you haven't done so already. This way, no patch signed by the bad certificate should be accepted tomorrow. Patch Tuesday is one of the best dates to launch such an attack as you do expect patches anyway. Don't forget the WSUS patch:

A couple of rules to harden your patch process:

• Avoid patches while "on the road". Apply them in your home / work network whenever possible. This doesn't eliminate the chance of a "Man in the Middle" (MitM) attack, but it reduces the likelihood. If you are on the road for extended periods of time, use a VPN connection. In particular, hotel networks and public hotspots frequently use badly configured HTTP proxies that can be compromised, and many users expect bad SSL certificates (because of ongoing MitM attacks... ironic, but well, sadly true) in these environments.

• Always validate patches. For Microsoft, this means using Microsoft Update, which will validate the digital signature applied to patches. The bad certificate broke this process. But it is still a very difficult hurdle to overcome for an attacker.

Continued :

- Collapse -
How Companies Can Beef Up Password Security

Separate password breaches last week at LinkedIn, eHarmony and exposed millions of credentials, and once again raised the question of whether any company can get password security right. To understand more about why companies keep making the same mistakes and what they might do differently to prevent future password debacles, I interviewed Thomas H. Ptacek, a security researcher with Matasano Security.

Ptacek is just one of several extremely smart researchers I've been speaking with about this topic. Below are some snippets from a conversation we had last week.

BK: I was just reading an article by Eric Chabrow, which pointed out that LinkedIn — a multi-billion dollar company that holds personal information on some of the world's most important executives — has neither a chief information officer nor a chief information security officer. Is it too much to ask for a company like this to take security seriously enough to do a better job protecting and securing their users' passwords?

Ptacek: There is no correlation between how much money a company or service has or takes in — or whether it's free or not free — and how good their password storage practices are. Nobody gets this right. I think it's a problem of generalist developers writing password storage systems. They may be good developers, but they're almost never security domain specialists. There are very few good developers who are also security domain specialists. So if you're a smart and talented developer but not a security domain specialist, and...

Continued :

- Collapse -
New BIOS rootkit spotted

Towards the end of 2011, a Chinese company detected the first rootkit ever that targeted computers' BIOS in order to be able to reinfect computers over and over again, even after the hard drive is physically removed and replaced.

This BIOS rootkit was dubbed Mebromi (or MyBios), and targeted only the users who had Award BIOS (used by motherboards developed by Phoenix Technologies) on their computers.

Still, as it came bundled with an MBR toolkit, a kernel mode rootkit, a PE file infector and a Trojan downloader, users who didn't have those motherboards and that BIOS were still not spared an infection.

Fast forward to the present, and a second BIOS rootkit - dubbed Niwa!mem - has been detected by McAfee. Initially a rootkit that infected the Master Boot Record (MBR), its latest variant became a "BIOSkit".

"The malware overwrites the original MBR in sector 0 and writes the file to be dropped (the downloader) in hidden sectors. The DLL copies itself to the Recycle folder and deletes itself. The downloader is dropped and executed every time the system is started," the researchers explain.

Continued :

- Collapse -
AMD Responds to CERT Notification on Video Driver Security

Researchers from the Carnegie Mellon Computer Emergency Readiness Team (CERT/CC) have discovered that AMD (or ATI) video drivers are not perfectly compatible with the Microsoft EMET, thus potentially exposing some users. AMD has responded, promising to take care of the problem.

Microsoft EMET is a utility that's designed to prevent cybercriminals from exploiting vulnerabilities in products by leveraging DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) techniques.

The problem occurs because not all software, including AMD's video driver, is compatible with ASLR. While ASLR can be manually enabled for only specific programs, EMET's highest security settings forcibly enable it for every piece of software installed on a system.

This means that AMD customers who utilize EMET with a specific configuration will experience system crashes because of the incompatibility.

"The most critical example of this is the driver software for AMD and ATI video chips. If ASLR is enabled system-wide on a system that has AMD or ATI video drivers installed, then the machine may fail to boot properly, resulting in a 'BSOD' crash," Will Dormann of CERT/CC explained.

US-CERT, which also released a vulnerability note based on CERT/CC's research, advises users who depend on the security features offered by ASLR to install standard VGA drivers or utilize a different video adapter type.

Continued :

Related: Update: CERT/CC Takes AMD To Task On Driver Security, AMD Responds

- Collapse -
DHL International Delivery email? Beware widespread malware attack

Why should malware authors show any creative flair and imagination? There's no need, after all, if tried and trusted methods of infecting computers still work.

Take, for instance, the widespread malware campaign that has been spammed out across the internet today, posing as an email from DHL. [Screenshot - Malware-infected email claiming to come from DHL]

A typical email has a subject line of "DHL Express Parcel Tracking notification [random code]" or "DHL Express Tracking Notification ID [random code]" or "DHL International Notification for shipment [random code]"

The emails read similar to the following:

Hello Dear,

DHL Express Tracking Notification: Mon, 11 Jun 2012 12:14:55 +0200

Custom Reference: 9057425-HRIEI2E4Q8C
Tracking Number: UT09-2041042911
Pickup Date: Mon, 11 Jun 2012 12:14:55 +0200
Pieces: 2

Mon, 11 Jun 2012 12:14:55 +0200 - Processing complete successfully

Shipment status may also be obtained from our Internet site in USA under http: // or Globally under http: //

Please do not reply to this email. This is an automated application used only for sending proactive notifications

Thanks in advance,
DHL Express International Inc.

Attached to each email is a ZIP file, containing the malware. The attached filename can vary, but takes the form DHL_International_Delivery_Details-[random code].zip

Sophos products detect the Windows malware as Troj/Agent-WMO.
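A mail-gateway style check for this campaign, written as an added example for this digest (not Sophos' or DHL's code), using the subject-line forms and the attachment naming scheme described above. The sample subject and tracking code in `main` are constructed; the case-insensitive matching and the "non-empty code" rule are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Subject-line prefixes reported for the campaign; the trailing
 * "[random code]" varies per message, so only the prefix is matched. */
static const char *const lure_subjects[] = {
    "DHL Express Parcel Tracking notification",
    "DHL Express Tracking Notification ID",
    "DHL International Notification for shipment",
};
/* Reported attachment naming: DHL_International_Delivery_Details-<code>.zip */
static const char attach_prefix[] = "DHL_International_Delivery_Details-";
static const char attach_suffix[] = ".zip";

/* Case-insensitive prefix test (assumed: lure capitalisation may vary). */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (!*s || tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* 1 if the subject starts with one of the reported lure subjects. */
int subject_matches_lure(const char *subject)
{
    for (size_t i = 0; i < sizeof lure_subjects / sizeof *lure_subjects; i++)
        if (starts_with_ci(subject, lure_subjects[i]))
            return 1;
    return 0;
}

/* 1 if the attachment name is prefix + non-empty code + ".zip". */
int attachment_matches_lure(const char *name)
{
    size_t n = strlen(name), p = strlen(attach_prefix), s = strlen(attach_suffix);
    if (n <= p + s || !starts_with_ci(name, attach_prefix))
        return 0;
    return starts_with_ci(name + n - s, attach_suffix);
}

/* Flag a message only when both indicators line up. */
int is_dhl_lure(const char *subject, const char *attachment)
{
    return subject_matches_lure(subject) && attachment_matches_lure(attachment);
}

int main(void)
{   /* constructed sample message */
    const char *subj = "DHL Express Tracking Notification ID 7F3A2";
    const char *att = "DHL_International_Delivery_Details-7F3A2.zip";
    printf("%s -> %s\n", subj, is_dhl_lure(subj, att) ? "QUARANTINE" : "pass");
    return 0;
}
```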

Continued :
- Collapse -
Apple: Androids are much less likely to be running an up-to-date OS than iPhones and iPads

Apple CEO Tim Cook, and his senior executives, took to the stage at WWDC (Worldwide Developers Conference) in San Francisco earlier today.

As well as announcing upgrades to some of the firm's laptop hardware, and discussing new features coming in Mountain Lion and iOS 6, they also found it impossible to resist taking the opportunity to crow about Apple's success at getting users to run the latest version of its mobile operating system. [Screenshot]

Scott Forstall, Apple's senior vice president of iOS software, told the developers assembled at the conference that over 80% of iPhone and iPad users are running iOS 5. That compares to a paltry 7% of Android customers who are up-to-date and running Android 4.0 (Ice Cream Sandwich) on their smartphones and tablets.

According to the stats that Forstall presented, most Android devices are still running version 2.3 (Gingerbread) of the operating system.

I bought an Android smartphone a few years ago, but ultimately the thing which turned me off the experience was the sheer difficulty in keeping its operating system up-to-date. With Android, you need Google, your cellphone provider and your manufacturer to all agree to push out a new OS update.

The reason for the complexity is that the version of Android for your particular smartphone may have to be tweaked to work properly on your specific device. That requires work by the hardware manufacturer, and then the cellphone provider has to also agree to roll out the update.

Continued :
