NEWS - June 17, 2011

Critical Infrastructure Vulnerable to Holes in Chinese SCADA Software

The U.S. CERT has issued a security advisory to firms in the U.S. using industrial control systems software from the Chinese firm Sunway after a researcher discovered remotely exploitable holes that could be used to knock out or take control of systems running the company's software. The ICS-CERT, the Computer Emergency Readiness Team for the industrial control sector, issued an advisory on June 14 after heap overflow vulnerabilities were discovered in Sunway's Force Control and pNetPower products by NSS Labs researcher Dillon Beresford.

Sunway patched both holes and released software updates for affected systems.

Beresford has been on a crusade in recent months to call attention to the lax state of application security in the industrial control and critical infrastructure sectors. Recently, ICS-CERT issued an advisory covering holes he had discovered in Siemens Step 7 (S7) controllers. Despite the aspiring superpower's formidable cyber offensive capabilities, China's infrastructure is extremely vulnerable to cyber attack, Beresford has argued, citing his own research into critical infrastructure deployments within China.

Also: US Warns of Problems in Chinese SCADA Software
Virgin Media warns 1,500 customers of SpyEye infections

Virgin Media has written to 1500 of its broadband customers warning them that their PCs are infected with the SpyEye trojan; the letters include advice on how to cleanse the machine of the infection. In detecting the problem, Virgin cooperated with the UK's Serious Organised Crime Agency (SOCA). While analysing botnet behaviour, the agency identified the IP addresses of computers that had sent personal and banking details back to the controllers of the trojan. These addresses allowed Virgin to identify customers whose machines had been compromised, and then alert them.

This is not the first time that Virgin has warned customers of possible infections on their PCs. A company spokesman told the BBC that in the last year it had warned "several thousands" of customers of possibly serious infections on their systems. According to the BBC, Virgin "is understood to be the first UK ISP to give specific warnings about viruses based on SOCA's advice."

Toolkits for malware such as SpyEye are readily available on the internet, and for prices ranging from $100 to $1,000. SpyEye itself received a boost late last year when the developer of Zeus, another trojan that steals personal and bank login details, apparently handed over his source code to the developer of SpyEye, who then incorporated some of it into his own code.

Hole found in Firefox 4 WebGL implementation

A security hole has been discovered in the WebGL implementation of Firefox 4 by the British security researchers at Context Information Security. The researchers have been continuing their previous work looking for flaws in WebGL and have found they can perform a "memory stealing" attack using WebGL.

This approach allows an attacker to create and save screenshots of what the browser has displayed. This includes all data, not just WebGL content. In their proof of concept, the researchers manage to extract "snapshots" of the graphics card's memory that was previously used to display web pages. The vulnerability is specific to the WebGL implementation in Firefox 4 and does not occur in Google Chrome.

The next version of Firefox, version 5, is due to appear next week, 21 June, and it appears that the bug has been addressed in that version. Users can upgrade to the beta version of the next Firefox now or disable WebGL by going to the about:config screen and changing the webgl.disabled property to true.

See Vulnerabilities & Fixes: Mozilla Firefox WebGL Graphics Memory Information Disclosure

Symantec Uncovers Bitcoin-Stealing Trojan

"Online digital currency is increasingly the target of pirates and digital thieves."

Security firm Symantec is warning that more people may end up like Bitcoin user "Allinvain" and find their Bitcoin digital wallets pilfered by malicious hackers.

Symantec recently discovered a Trojan called Infostealer.Coinbit lurking on the Internet that locates your Bitcoin digital wallet and e-mails its contents to the bad guys. With the information contained in your Bitcoin wallet.dat file, online thieves can easily steal your Bitcoins. And considering that, at the time of this writing, you could sell one Bitcoin for $16.39, Bitcoin thieves stand to make a tidy profit from their illegal activities.

Bitcoin (BTC) is an online digital currency traded over a peer-to-peer network. The currency uses a system of private and public keys to verify the authenticity of each transaction and transfer Bitcoin balances between users. Similar to the way e-mail encryption works, as long as someone doesn't have your private key (usually a long string of letters and numbers) no one can steal your Bitcoins.

The weak point in the system is that your Bitcoin wallet contains your private key. So once someone has your digital wallet, they also have control of your Bitcoins and can easily transfer the digital money from your account to theirs.

Fraudsters steal Bitcoins as currency's value rises
Bitcoin Owners Targeted via Trojans
What's The Deal With Bitcoin?

Related: Close to US$500k stolen in first major Bitcoin theft
Spies could send hidden messages using Google Suggest

A team of researchers tasked with thinking of new ways to hide messages online has suggested that spies could be sending hidden messages simply by influencing the phrases generated by Google's Suggest search feature.

NewScientist reports that steganography specialist Wojciech Mazurczyk, from the Warsaw University of Technology in Poland, believes spies would utilise such a visible medium because it would avoid arousing suspicion, as millions of people would take to their computers to complete a Google search.

Mazurczyk's team turned to Google Suggest to see how effective it would be at hiding messages. The feature works by "suggesting" ten phrases or keywords each time a letter is entered into the search box, based on the popularity of those searches among other Google users.

Realising that they would need to influence the search suggestions directly to encode messages, the team created a piece of malware called StegSuggest that could infect a target computer and intercept the Google Suggest lists exchanged between the search giant and the infected computer. It would then add a random word from a list of 4000 English terms to the end of each of the ten suggestions.

Court Favors Small Business in eBanking Fraud Case

Comerica Bank is liable for more than a half a million dollars stolen in a 2009 cyber heist against a small business, a Michigan court ruled. Experts say the decision is likely to spur additional lawsuits from other victims that have been closely watching the case.

Judge Patrick J. Duggan found that Dallas-based Comerica failed to act "in good faith" in January 2009, when it processed almost 100 wire transfers within a few hours from the account of Experi-Metal Inc. (EMI), a custom metals shop based in Sterling Heights, Mich. The transfers that were not recovered amounted to $560,000.

"A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier," Duggan wrote. Judge Duggan has yet to decide how much Comerica will have to pay.

The problems for Experi-Metal started when company controller Keith Maslowski responded to an e-mail that appeared to be from its bank, Comerica. The message said the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that appeared to be Comerica's online banking site. Maslowski said the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI's digital certificates.

Japan makes virus creation illegal

People who write or deliberately spread malware can expect to be fined or receive up to three years in prison, under laws enacted by the Japanese parliament today.

Up until now, you could only expect to have your collar felt by the computer crime authorities in Japan if the malware you had created had caused some damage; now just the act of writing it would seem to be enough.

Under the new law, police will also be able to seize the email communications of suspects from ISPs, raising concerns amongst the country's privacy campaigners who have warned of the police getting excessive powers.

According to news reports, individuals who create and supply computer viruses "without any reasonable excuse" can face up to three years in jail, or a fine of up to ¥500,000 (approximately US $6,000).

Acquisition and storage of viruses is punishable by a prison sentence of up to two years, or

Google: Our rapid load won't give you anything nasty

Google has downplayed concerns that refinements to its search technology could leave surfers more exposed to search engine manipulation attacks.

Google Inside Search aims to speed up web searches by pre-loading content from remote sites. The so-called Instant Pages technology only works with Google Chrome.

Miscreants often manipulate search engine results so that links to scareware portals and the like appear prominently in search results for newsworthy terms. These search engine poisoning tactics rely on establishing link farms after hacking into portions of popular websites, using search engines' "sponsored" links to reference malicious sites and injecting HTML code, among other tricks.

Scareware affiliates normally rely on potential victims to click on links to malicious sites among search results before they are whisked away towards dangerous domains. However, the Instant Pages technology might remove this requirement, pre-fetching content from malicious websites and "creating a possibility that a user can be exploited by simply searching, without even clicking on a link," warns Dan Hubbard of Websense Security Labs.

Google maintains that it is being careful to minimise the possibility of harmful content getting pre-fetched.

"We've thought hard about this issue, and we don't believe there is any additional risk to users," a Google spokesman explained.

Also: Security Experts Express Concern Regarding Google Instant Pages
S.A.P.Z. Botnet, new perspective of attack

Kaspersky Labs Weblog:

A few days ago, we notified you about malicious activities from the S.A.P.Z. botnet, and we provided evidence that this methodology of attack can be used to affect users of any Latin American bank, or any bank in any part of the world.

Now the S.A.P.Z. gang, which may be Peruvian, has resorted to another strategy. It is focusing on the theft of sensitive information by spreading a variant of the Palevo worm, detected by Kaspersky Lab as P2P-Worm.Win32.Palevo.cudq.

The key element of this is that with S.A.P.Z., the cyber-criminals have used the functionalities of an old web application created for the administration of stolen data, called Blackshades. As indicated in this image, they are now focusing not only on Peruvian users but also on other countries such as Chile, Colombia, Spain and the USA. [Screenshot]

This web application is very old crimeware in the cyber-crime environment, but clearly the target is Latin America.

In this way, the cyber-criminals have expanded the attack, stealing sensitive banking information through local pharming using S.A.P.Z., as well as serial numbers of several applications and authentication data from different web services. Here is a short list of the application "victims":

Trojan targets devices with custom Android versions

A Trojan targeting rooted smartphones and those with custom built versions of Android has been spotted on third-party Android markets in China.

Lookout researchers have dubbed it jSMSHider, and in order to install its payloads, the Trojan exploits the fact that system images in most custom ROMs are signed with publicly available private keys in the Android Open Source Project.

"In the Android security model, any application signed with the same platform signer as the system image can request permissions not available to normal applications, including the ability to install or uninstall applications without user intervention," explain the researchers.

That allows the Trojan to install another payload onto the device without asking the user for permission, and the device is not ready to install additional apps, communicate with C&C servers (whose addresses are dynamically changed), open URLs silently in the background and read and send SMS messages.

Google hardens Chrome 13 and 14

Google is experimenting with blocking sites that mix HTTP and HTTPS scripts and with supporting DNSSEC validation of HTTPS sites in the "canary" and development builds of Chrome and Chromium 14. Google has also detailed the enhancements to security in Chrome 13 which recently entered the beta channel.

Chrome 13 is already introducing a number of new experimental security features. It blocks HTTP authentication for resources within a page where the resources are from a different domain. It also adds a first implementation of Mozilla's Content Security Policy to help mitigate cross-site scripting, clickjacking and packet sniffing attacks.

In the recently released Chrome 12, HSTS (HTTP Strict Transport Security) was introduced as a user configurable feature. HSTS allows sites to request that users only communicate with them over HTTP. In Chrome 13, Google is going one step further by experimenting with building in sites for which this will always be enabled, initially with It has also reduced the number of Certificate Authorities that can vouch for's certificates, partly in response to the Comodo breach earlier this year.

Also: Chrome 14 to Block HTTPS Mixed Scripting by Default

From the Google Online Security Blog: Trying to end mixed scripting vulnerabilities
The President is finally taking charge? No, a Facebook phish

A warning to all the Facebook users out there - the scammers are after your login details again, this time by spreading a link which purports to be a video of Barack Obama. [Screenshot]

The president is finally taking charge!!

Is this really for real?

The image used in the message looks like a YouTube video thumbnail, but if you click on the link you are redirected multiple times before finally landing on a phoney Facebook login page.

It may look like Facebook, but it's not the real Facebook. It's designed to phish your username and password from you. [Screenshot]

Facebook usernames and passwords are an increasingly valuable commodity for cybercriminals. Once they have those, they'll be able to log into your account, post messages in your name, spread spam and malware and perhaps raid your profile for personal information that they might be able to use for identity theft.

Worst of all, perhaps, they can pose as you and cause tremendous problems for your friends and family.

Lulz hackers say attacks are entertainment

Computer hackers who have hit the websites of the CIA, US Senate, Sony and others during a month-long rampage said Friday that they were staging the attacks for their own entertainment.

"You find it funny to watch havoc unfold, and we find it funny to cause it," the hacker group known as Lulz Security said in a 750-word online "manifesto."

"For the past month and a bit, we've been causing mayhem and chaos throughout the Internet, attacking several targets including PBS, Sony, Fox, porn websites, FBI, CIA, the US government, Sony some more, online gaming servers," Lulz said.

"While we've gained many, many supporters, we do have a mass of enemies, albeit mainly gamers," Lulz said, adding that they were not concerned.

"This is the lulz lizard era, where we do things just because we find it entertaining," said Lulz, whose name is a derivative of the text shorthand for LOL, or "laugh out loud."

"This is the Internet, where we screw each other over for a jolt of satisfaction," the group said.
