Spyware, Viruses, & Security forum


NEWS - June 20, 2012

by Carol~ Moderator / June 20, 2012 1:38 AM PDT
Face.com App Allowed Facebook, Twitter Account Hijacking

Israel-based facial recognition maker Face.com was the internet's flavor for a day Monday when it announced it was acquired by Facebook. Rumors put the price in the $50 to $100 million range.

But what was not widely known was that Face.com's mobile app, KLIK, which allows real-time face-tagging of Facebook pictures, recently suffered a giant vulnerability. A prominent researcher found that the app allowed anyone to hijack any KLIK user's Facebook and Twitter accounts.

Independent researcher Ashkan Soltani said the app granted access to KLIK users' private authentication tokens for users' Facebook and Twitter accounts.

Soltani disclosed the revelation on his blog Monday and said he had shared the vulnerability with the companies before announcing it. It was patched before he publicized it on his site, he said.

Here's what he found:

Continued : http://www.wired.com/threatlevel/2012/06/klik-app-vulnerability/

Also: Face.com Fixes Flaw to Prevent Facebook and Twitter Hijacks

Related: Want to disable Facebook facial recognition? Read this
Beware Scare Tactics for Mobile Security Apps
by Carol~ Moderator / June 20, 2012 1:59 AM PDT
In reply to: NEWS - June 20, 2012

It may not be long before your mobile phone is beset by the same sorts of obnoxious, screen-covering, scaremongering ads pimping security software that once inundated desktop users before pop-up blockers became widely-used.

Richard M. Smith, a Boston-based security consultant, was dining out last Friday and browsing a local news site with his Android-based smart phone when his screen was taken over by an alarming message warning of page errors and viruses. Clicking anywhere on the ad took him to a Web site peddling SnapSecure, a mobile antivirus and security subscription service that bills users $5.99 a month. [Screenshot: Mobile Ad for SnapSecure]

"This particular ad takes over the entire screen on my Android phone, so it gives the impression of being rather ominous," Smith said, noting that it was the second time in as many days that he'd encountered the rogue ad. He further explained that the ad just appeared when he browsed to view a new story, and that he hadn't clicked on an ad or anything unusual.

Michael Subhan, vice president of marketing for SnapSecure, said the company traced the ads back to some rogue marketing affiliates that have since been banned from its advertising program.

Continued : http://krebsonsecurity.com/2012/06/beware-scare-tactics-for-mobile-security-apps/

EMET exploit mitigation tool reports the cause of a crash
by Carol~ Moderator / June 20, 2012 4:05 AM PDT
In reply to: NEWS - June 20, 2012

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) now notifies users when a process has been stopped (crashed) because a protective mechanism was activated by the hardening tool. The new feature was introduced with the recent 3.0 release of EMET, which is also designed to be easier to use in enterprise environments.

When the alert window is displayed above the system tray area, this alerts users that an attacker may have tried to exploit a vulnerability in the named process - but it isn't hard evidence of an actual attack. EMET will also write these and other alerts, information and errors into the Windows Application log.

Administrators can now deploy the tool across a network using Group Policies or the System Center Configuration Manager (SCCM). EMET 3.0 can import and export "Protection Profiles" with customised settings for common Microsoft and third-party applications, and three default configuration profiles are included. The company says that EMET has also been tested under the Windows 8 Consumer Preview.

Continued : http://www.h-online.com/security/news/item/EMET-exploit-mitigation-tool-reports-the-cause-of-a-crash-1621983.html
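Since the article notes that EMET also writes its alerts into the Windows Application log, a defender will usually want to pull those events out centrally rather than wait for a tray pop-up. The script below is an added example, not code from the H-Online article or from EMET itself; it assumes EMET registers the event source name "EMET" in the Application log (change $Source if your build uses a different name).

```powershell
# Added example; not code from the H-Online article or from EMET itself.
# Assumption: EMET 3.0 registers the event source name "EMET" in the
# Application log, so we filter on ProviderName. Adjust $Source if needed.
param(
    [int]$Days = 7,
    [string]$Source = 'EMET'
)

$since = (Get-Date).AddDays(-$Days)

# Pull every event from that source since $since. SilentlyContinue keeps the
# script quiet on a host where no such event has been written yet.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $Source
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No '$Source' events in the Application log for the last $Days day(s)."
    return
}

# Newest first, with the level so warnings stand out from plain information.
# As the article says, a mitigation firing is not proof of an attack by itself:
# a buggy plugin can trip the same protection as an exploit attempt.
$events |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize -Wrap

# Repeat offenders: group on the first line of each message, which is where
# the triggered mitigation and the named process appear.
$events |
    Group-Object { ($_.Message -split "`n")[0] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

Run it on the workstation or against exported logs; the same filter hashtable works with the -ComputerName parameter of Get-WinEvent for remote hosts.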

Failure of Anti-Virus Companies to Catch Military Malware
by Carol~ Moderator / June 20, 2012 4:05 AM PDT
In reply to: NEWS - June 20, 2012

I've been reading many blog posts and articles recently, where their authors have expressed varying opinions surrounding Flame. While their opinions may not technically be considered news, it has become part of the news. In the coming weeks, as in the recent past, I will (on occasion) be posting such "articles".

That said.........

Some may remember a prior post referencing Mikko Hypponen's (Chief Research Officer @ F-Secure) publication at Wired.com:
"Why Antivirus Companies Like Mine Failed to Catch Flame and Stuxnet".

Bruce Schneier @ his "Schneier on Security" blog disagrees:

The Failure of Anti-Virus Companies to Catch Military Malware

"I don't buy this. It isn't just the military that tests their malware against commercial defense products; criminals do it, too. Virus and worm writers do it. Spam writers do it. This is the never-ending arms race between attacker and defender, and it's been going on for decades. Probably the people who wrote Flame had a larger budget than a large-scale criminal organization, but their evasive techniques weren't magically better. Note that F-Secure and others had samples of Flame; they just didn't do anything about them."

Continued : http://www.schneier.com/blog/archives/2012/06/the_failure_of_3.html

* * * * * * * * * * *

In response to Mikko Hypponen's post (Flame is Lame) at the F-Secure Weblog: Counterpoint to F-Secure: Flame is Still Lame

Pointed out by Bob Proffitt: How Flame virus has changed everything for online security firms

Syrian rebels targeted using commercial Skype trojan
by Carol~ Moderator / June 20, 2012 4:05 AM PDT
In reply to: NEWS - June 20, 2012

Syrian activists are coming under attack from a new Trojan, based on a commercial spyware application.

Targeted attacks surreptitiously install the BlackShades Trojan onto compromised machines, an advisory by the EFF and Citizen Lab warns. The Trojan is being distributed via compromised Skype accounts of Syrian activists in the form of a ".pif" file purporting to be an important new video that is actually a malicious executable file. Opening the file on a Windows machine drops a key-logger onto infected machines.

The use of remote surveillance software against activists has been going on amidst the conflict in Syria since February, if not earlier.

Previous attacks have involved a phishing campaign targeting the YouTube or Twitter credentials of high-profile Syrian opposition figures and malware-tainted files posing as documents regarding the foundation of a Syrian revolution leadership council. Another attack punted infected documents supposedly detailing a plan to assist the city of Aleppo.

Continued : http://www.theregister.co.uk/2012/06/20/syrian_skype_trojan/

Also: Syrian Dissidents Hit By Another Wave of Targeted Attacks

European aeronautical supplier's site infected with 0-day
by Carol~ Moderator / June 20, 2012 4:28 AM PDT
In reply to: NEWS - June 20, 2012
European aeronautical supplier's website infected with "state-sponsored" zero-day exploit

Earlier today, SophosLabs determined that the website of a European aeronautical parts supplier had been hacked, and a malicious attack planted on it which exploited a zero-day Microsoft security vulnerability that has not yet been patched.

We were alerted to the security problem when a Sophos customer attempted to visit the affected website, and received a warning message that a file on the site was infected by code which attempts to exploit the vulnerability in Microsoft XML Core Services which could allow Remote Code Execution (CVE-2012-1889).

SophosLabs experts determined that the hacked website had been breached, and cybercriminals had planted the following four files into a subdirectory:


Just one glance at the filenames, and the use of the same critical zero-day vulnerability, should make clear the similarities to the incident we reported yesterday of an attack against a European medical company's website.

In both cases, the exploit is allowing what is known as a drive-by install: you can become infected simply by visiting a website with Internet Explorer.

So, what's going on?

Continued : http://nakedsecurity.sophos.com/2012/06/20/aeronautical-state-sponsored-exploit/
Hacker uses malware built-in chat to toy with researchers
by Carol~ Moderator / June 20, 2012 6:07 AM PDT
In reply to: NEWS - June 20, 2012

Malware researchers investigating a Trojan linked in a gaming forum as a how-to video for Diablo III got a surprise when the hacker started chatting with them—through a feature in the malware. Franklin Zhao & Jason Zhou of antivirus company AVG were looking for keylogging code in the malware with a debugger after downloading it to a virtual machine when a chat box popped up. The hacker asked, in Chinese, "What are you doing? Why are you researching my Trojan?"

The malware gave the hacker the ability to monitor the victim's screen, mouse, and keyboard input. It also provided access to other devices. The hacker apparently was online when the two researchers started poking around his code, and he decided to intervene. "I would like to see your face, but what a pity you don't have a camera," he typed to the researchers, as they tried to engage him in conversation. Eventually, he tired of the cat-and-mouse game and remotely shut down their virtual machine.

6 Biggest Breaches Of 2012 So Far
by Carol~ Moderator / June 20, 2012 6:07 AM PDT
In reply to: NEWS - June 20, 2012

Now that we're just about at the halfway point of the year, it is just as good of a time as any to take stock of the data breach environment and start gathering up lessons from others' missteps.

There's plenty to choose from. According to the Privacy Rights Clearinghouse, during the first half of 2012, we have seen 266 breaches that affect more than 18.5 million records. Dark Reading poured through the records and picked a breach for each month of 2012 so far to highlight as the most important exposures to learn from in the first half of the year.

1. Zappos
Time Of Disclosure: January 2012

Records Breached: 24 million records including names, email addresses, phone numbers, last four digits of credit card numbers and encrypted passwords

Incident: A hacker gained access through a Zappos server into the company's internal network to snag personal information that could be used to phish Zappos customers.

Lessons Learned: While there may be no such thing as a good breach, many experts believe Zappos stands as a role model in reducing risk factors following a breach. For one, the encryption the company used for its passwords passed muster. Secondly, the company clearly had an incident response and notification plan in place and used it. In an era where it is not a question of if but when a breach will hit, these are two huge factors to consider.

2. University of North Carolina
Time Of Disclosure: February 2012

Continued : http://www.darkreading.com/insider-threat/167801100/security/news/240002408/6-biggest-breaches-of-2012-so-far.html

DNSChanger: The Blackout is Coming!
by Carol~ Moderator / June 20, 2012 6:07 AM PDT
In reply to: NEWS - June 20, 2012

From the Symantec Security Response Blog:

Malware called DNSChanger has been, and continues to be, in the news and for very good reason. A whole lot of people stand to lose their Internet connectivity if they don't take action before July 9. One of our concerned customers posed Symantec Security Response a number of questions recently in regards to what this threat is, how it works, and what it ultimately means to them (and other users like them). The following are the questions put to us with our responses.

Norton User: What is this DNSChanger making news at the moment?

Symantec Security Response: It is malware that changes the Domain Name System (DNS) settings on the compromised computer, hence the name.

NU: What are these DNS settings and how do they affect me?

SSR: DNS is an Internet service that converts user-friendly domain names into the numerical Internet protocol (IP) addresses that computers use to talk to each other. When you enter a domain name into your Web browser address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration. [Screenshot]

Continued : http://www.symantec.com/connect/blogs/dnschanger-blackout-coming

CVE-2012-0217 (MS12-042) applies to other environments too
by Carol~ Moderator / June 20, 2012 6:07 AM PDT
In reply to: NEWS - June 20, 2012

A week ago we covered MS12-042 ("Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2711167)") on the monthly Microsoft patch update cycle. This Microsoft advisory includes two vulnerabilities: CVE-2012-0217 and CVE-2012-1515 (VMware related).

Unfortunately, the official CVE-2012-0217 only makes references to Microsoft Windows OS, but other environments are also affected by this local privilege escalation vulnerability associated with 64-bit Intel processors. From the US-CERT note: "Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape." In particular, it affects FreeBSD or Xen (RedHat, SUSE, etc).

More details at "Vulnerability Note VU#649219: SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware".

Evolved Banking Fraud Malware: Automatic Transfer Systems
by Carol~ Moderator / June 20, 2012 8:11 AM PDT
In reply to: NEWS - June 20, 2012

From TrendLabs Malware Blog:

Banks and other financial institutions have put in stricter controls in an attempt to minimize losses that phishing attacks cause. Cybercriminals have not taken this sitting down by producing a new tool to automate online banking fraud — automatic transfer systems (ATSs).

In the past, malware families like ZeuS and SpyEye used Webinject files to modify the websites of targeted organizations such as banks. A Webinject file is basically a text file with JavaScript and HTML code that contains the code the attacker wants to insert into the targeted websites.

With ATS, however, attackers have taken things to the next level. Instead of merely passively stealing information, ATSs allow cybercriminals to instantly carry out financial transactions that could deplete users' bank accounts without their knowledge. No longer needing user intervention to key in user names and passwords, ATSs allow cybercriminals to automatically transfer funds from victims' accounts to their own ones without leaving traces of their presence.

This research paper contains our preliminary research on ATSs. In the process of conducting research, we were able to find key aspects of ATS attacks, determine some known targets, and dig into the murky underground engaged in producing and selling ATSs.

Our full findings can be seen in the research paper, "Automating Online Banking Fraud," which you may download by clicking the image below:

Continued : http://blog.trendmicro.com/evolved-banking-fraud-malware-automatic-transfer-systems/

New generation of bank Trojans can make invisible transfers
"Man in the Browser" Attack Automates Bank Fraud
Automatic Transfer System Evades Security Measures, Automates Bank Fraud

Twitter account hack epidemic - Don't fall for "CNBC" spam!
by Carol~ Moderator / June 20, 2012 8:11 AM PDT
In reply to: NEWS - June 20, 2012

On June 6, the same day that the infamous LinkedIn password breach was widely reported, there seems to have quietly begun an epidemic of Twitter account hacking.

That afternoon, I got a direct message (DM) from someone I follow saying "You don't need any prior experience!" followed by a link. I have followed this Twitter user for three years and had never received spam from him before.

I replied and soon found out that the person still had control of his account. He changed his password on Twitter (and LinkedIn, on my recommendation) and I suggested he revoke authorization for any apps that he may have recently connected with his Twitter account.

That seemed to have resolved the problem. For him, anyway.

Over the next couple weeks, I received three more direct messages from followers whose accounts had been hacked, each containing a link to a similar site:

Continued : http://nakedsecurity.sophos.com/2012/06/20/twitter-account-hack-cnbc-spam/

MLB.Com Found Serving Fake Antivirus Via Network Ad
by Carol~ Moderator / June 20, 2012 9:07 AM PDT
In reply to: NEWS - June 20, 2012
MLB.Com Found Serving Fake Antivirus Via Malicious Network Ad

Just days after several large Web-based organizations united to fight malicious online ads, MLB.com was spotted serving malicious ads and directing visitors to Rogue Anti-Virus.

Rogue Anti-Virus applications actually generate decent income for some of the criminals who spread them, as they are paid for getting someone to install it, and will sometimes take a cut of the fee if someone registers it.

Once installed on a system, Rogue AV hinders performance, blocks access to various websites and security applications, and opens the system to further malicious downloads. If the fake software is registered, not only is there a loss of money, but any personal information submitted during the registration process should be considered compromised too.

In the past, several high-profile sites have fallen victim to malicious advertising techniques, where criminals register accounts on legit ad networks, going so far as to run legit ads for a while, and then, once in rotation, the legit ads are traded for malicious ones. Once this happens, anyone visiting the domain who happens to come across the ad will be redirected to Rogue AV or any other malicious content the criminal chooses.

Continued : http://www.securityweek.com/mlbcom-found-serving-fake-antivirus-malicious-network-ad