NEWS - June 21, 2011

Dropbox lets anyone log in as anyone - so check your files now!

Customers of cloud-based file storing-and-sharing company Dropbox should check on the data they've entrusted to the service, following the company's admission that it messed up its access controls for several hours.

(Updated: please see footnote below.)

Unlike the majority of data breaches we've reported on lately - where usernames and passwords were stolen, allowing attackers and miscreants to access other people's accounts illegally - Dropbox's "hack" was of a more embarrassing sort.

Apparently, Dropbox published a code update which inadvertently removed the need to authenticate. So you could log in to other people's accounts without knowing their passwords at all. (Dropbox isn't alone in having made this sort of mistake. Facebook did something similar last year, leading to Mark Zuckerberg's own fan page being hacked.)

Continued : http://nakedsecurity.sophos.com/2011/06/21/dropbox-lets-anyone-log-in-as-anyone/

Also:
Dropbox left login door open for 4 hours
Dropbox Left Document Storage Accounts Open for Four Hours

Comments

Met Police arrest alleged hacker in Essex

The Metropolitan Police Central e-Crime Unit (PCeU) has confirmed that it has arrested a 19-year-old man. The arrest follows an investigation into network intrusions and distributed denial of service attacks on international businesses and intelligence agencies which the police believe were carried out by the same hacking group.

The man has been arrested on suspicion of offences under the Computer Misuse Act and Fraud Act and is currently in custody at a central London police station where he is being questioned. The arrest was part of a "pre-planned intelligence led" operation which saw an address in Wickford, Essex, searched following the arrest. There is, say the police, a significant amount of material which is currently being forensically examined. The PCeU says it has been working on the case in co-operation with the FBI.

Continued : http://www.h-online.com/security/news/item/Met-Police-arrest-alleged-hacker-in-Essex-1264503.html

Also: Met arrest alleged Lulz hacker

Android NFC Bug Could Be First Of Many

Google is working on a fix for a newly discovered vulnerability affecting Nexus S Android phones that could cause applications on the phone to crash using incorrectly formatted Near Field Communications (NFC) transactions.

The issue, which will be discussed at an upcoming technical conference on wireless security, could result in denial of service attacks on Nexus S applications. It isn't considered serious, but it is one of the first publicly disclosed vulnerabilities concerning the NFC features of the Nexus S, and could be the first of many related to NFC - a powerful communications protocol that phone makers, carriers and merchants hope to use for everything from mobile phone payments to information kiosks, experts warn.

The vulnerability was among a handful discovered by Collin Mulliner, a doctoral student at the Technische Universitaet Berlin and a well-known researcher on mobile device security. Mulliner said that vulnerability was one that could allow a malicious NFC tag to send incorrect information to a Nexus S phone. For example: a rogue or misconfigured smart tag could request a memory allocation from an NFC-enabled phone that is in excess of the amount of memory on the phone itself. That could cause the NFC service on Nexus S phones to crash unexpectedly, he said.

Continued : http://threatpost.com/en_us/blogs/android-nfc-bug-could-be-first-many-062111

Firefox and Thunderbird updates patch security holes

The Mozilla Project has published updates for Firefox, its open source web browser, and the Thunderbird email client to fix several bugs and other critical issues found in previous versions. The latest Firefox 5 rapid release update addresses a total of 8 security vulnerabilities, 5 of which are rated as "Critical" by Mozilla.

Previous versions of the browser (up to and including 4.0.1) contained a bug in a JavaScript Array object that could potentially result in an integer overflow and the execution of malicious code, as well as a crash on multipart/x-mixed-replace images due to memory corruption. A number of critical memory safety hazards in the browser engine have been fixed. Mozilla says that "with enough effort at least some of these could be exploited to run arbitrary code". Other issues include use-after-free errors when viewing an XUL document with script and multiple WebGL crashes. Two moderate holes that could lead to cross-site scripting (XSS) attacks or a violation of the same-origin policy have also been corrected.

The update to the 3.6.x branch of Firefox, version 3.6.18, fixes nearly twenty bugs. These include four of the critical security holes noted above, as well as another critical issue related to multiple dangling pointer problems and a cookie isolation error. On its download page, the project notes that "Firefox 3.6.x will be maintained with security and stability updates for a short amount of time". As such, all users are strongly encouraged to upgrade to Firefox 4.x or later.

Continued : http://www.h-online.com/security/news/item/Firefox-and-Thunderbird-updates-patch-security-holes-1264744.html

Mozilla releases Firefox 5

As expected, the Mozilla Project has released version 5.0 of Firefox. The update to the open source web browser comes just three months after the project's last major version, Firefox 4.0, which suffered a number of delays - Mozilla has adopted a version model similar to that used by Google for its Chrome browser.

One of the most important additions in Firefox 5 is support for CSS animation, a feature that browsers such as Safari have offered for some time. When creating a CSS animation, a developer specifies the animation's duration and name in the CSS rules for the HTML element in question. The @keyframes selector associated with this name is followed by the rules that describe the element's beginning and end points as well as optional intermediate stages.

The Do-Not-Track header preference has been moved "to increase discoverability". On Windows, it can be found under "Tools->Options->Privacy", while on Mac OS X, it is under "Firefox->Preferences->Privacy". This preference allows users to tell web sites that they don't wish to have their browsing behaviour tracked. Whether a site respects this or not is up to its developers.

Other changes include improved canvas, JavaScript, memory, and networking performance, as well as updated standards support for HTML5, XHR, MathML, SMIL and canvas. The "desktop environment integration for Linux users" has also been improved. Introduced in previous Firefox Beta updates, the Firefox development channel switcher has been removed.

Continued : http://www.h-online.com/open/news/item/Mozilla-releases-Firefox-5-1264703.html

A Tumbldown in Spam Links

From the GFI Labs Blog:

"Questions cannot contain links?! - I tried to send a link to someone and Tumblr told me this. SINCE WHEN?!"

Since now, apparently. Tumblr has a feature where you can ask the blog owner a question on, well, anything you like. Depending on settings, the people asking the questions can be registered users or anonymous (something that Tumblr discourages you from doing in the options menu, as the potential for trolling, spam and abuse is high).

Check out Google for the phrase "questions cannot contain links Tumblr": [Screenshot]

People aren't happy - you can no longer post links in questions to blog owners, and this also means you can't post images in replies. Responding with animated gifs and static images is an established method of communication on regular Tumblr blog posts, and this hasn't gone down too well with the userbase.

Why would Tumblr do this?

Well, it seems to be a response to one (or several) recent heavy duty spam attacks. For example, I turned on Anonymous questions on my own blog not so long ago, just to see what came through.

This is what came through.

Continued : http://sunbeltblog.blogspot.com/2011/06/tumbldown-in-spam-links.html

Twitter account suspension spam could lead to data loss

Have you received an email from Twitter saying that your account has been suspended? Did they ask you to re-verify your account by giving your details to a business partner?

Well, stop right there - and don't do what the email says, because it's a scam designed to steal your personal information and make money for fraudsters.

Naked Security reader Bayani was the first of our readers to send us a tip and tell us that they had been on the receiving-end of this particular spam campaign - but it looks as though it has been distributed quite widely via email. [Screenshot]

Subject: Account Suspension

Twitter is currently upgrading at this time.We dont want to delete your account. Please Re-verify your account by entering your name, email, or zip by one of our business partners below

Click here to complete some free offers

Note All suspended accounts cannot be restored so please complete this offer within 2 days to avoid suspension

The Twitter Team


The emails don't really come from Twitter, and clicking anywhere on the email (it's actually an embedded image rather than text) will take you to survey pages which ask you to give away your personal information.

Continued : http://nakedsecurity.sophos.com/2011/06/21/twitter-account-suspension-spam/

Botclouds: a cyberattacker's dream

Offloading your software and data to a cloud computing service has never been easier.

Apple last week became the latest tech company - after Google and Amazon - to offer cheap online storage, with its new iCloud service allowing users to access music, documents and other files from any Apple device. But cloud services could also be used to launch attacks, send spam and commit fraud.

"Right now it's just a few attacks, most aren't well publicised and a lot can go undetected," says Kassidy Clark of the Delft University of Technology in the Netherlands. "As long as cloud service providers are not taking proactive steps to prevent these things, I think this trend will increase."

As well as basic online storage, firms such as Amazon, which provides the largest cloud service, also offer virtual computing. This allows people to rent as many "virtual computers" as they need.

Now Clark and colleagues have investigated how the cloud could be used to build a botnet, a network of infected computers under an attacker's control. Traditional botnets are built over time by taking control of ordinary people's computers without their knowledge, but a cloud botnet - or botcloud - can be put together in a couple of minutes just by purchasing space in the cloud with stolen credit card details. "It makes deployment much faster," says Clark, who presented his findings at the CLOSER cloud computing conference in Noordwijkerhout, the Netherlands, last month. "You don't have to wait months for millions of machines around the world to get infected."

Continued : http://www.newscientist.com/article/mg21028175.500-botclouds-a-cyberattackers-dream.html

Windows Troubles Killer / Salvage System: Rogue of the Week

From the Webroot Threat Blog:

This week's rogue, once again, mimics a system utility and not merely an antivirus product. Either way, the scam is the same: Convince the victim that their computer is broken, then coerce them to pay for useless snake oil.

These rogue system utilities go by the names Windows Troubles Killer or Windows Salvage System; they are, for all intents and purposes, identical programs which have been "skinned" with different names. They actually appear to be a hybrid rogue, carefully blending a customized mix of malarkey and baloney into some sort of shenanigans smoothie. The program claims not only to be able to scan your computer for problems with software settings and other system optimization-sounding stuff, but also to perform some sort of check of your "Computer Safety" and "Network Security." Oh yes, and there's an antivirus component too, just to round out the complete package.

All in all, it's a fairly rudimentary rogue to remove (whether you choose to do it manually or use our software), but it performs some unique system modifications that disable some legitimate security software, turns off some important Windows features, mimics some of Microsoft's own software, and generally acts as a nuisance while reducing the actual security level of an infected computer. I'll detail those after the jump. [Screenshot]

The software installs itself to the %appdata%\Microsoft path, using a random, six-alphabetic-character filename. The icon looks like a wooden shipping crate - because there is no material known to humankind with a better reputation for strength, protection, and durability than wood, amirite? [Screenshot]

Once installed, the rogue looks like yet another variation on the typical ransomware-type rogue app theme: It starts up with Windows, prevents the Desktop from loading, and only grants access to its "fix error" features if you pay for a license key.

Continued : http://blog.webroot.com/2011/06/20/windows-troubles-killer-salvage-system-rogue-of-the-week/

Microsoft says cyber-crime surveys are inaccurate

Microsoft has compared research on cyber-crime losses to surveys on sexual behaviour in an attempt to paint them as inaccurate.

Microsoft researchers Dinei Florencio and Cormac Herley outlined their findings in a paper entitled Sex, Lies and Cyber-crime Surveys, where they drew parallels between these two areas that seem totally unconnected.

The duo particularly highlighted the element of over-reporting. The best example given was how a number of sexual behaviour surveys resulted in findings that men had more female sexual partners than women had male partners, a finding which the researchers claim is erroneous and statistically inaccurate when cross-checked.

Florencio and Herley claim that women tend to under-report, while men tend to over-report, with some Don Juans exaggerating significantly about their sexual experiences, leading to inflation of results. They claimed that this kind of over-reporting can also be found in cyber-crime surveys.

They claimed that losses due to cyber-crime are not independently verified, and that self-reporting means that results can easily be distorted. They also found that the majority of estimates come from a minority of responses, which they argued leads to figures appearing higher than they really are.

Continued : http://www.theinquirer.net/inquirer/news/2078195/microsoft-cyber-crime-surveys-inaccurate

Also: Microsoft Research: Cybercrime Surveys are Useless

Publication: Sex, Lies and Cyber-crime Surveys

No such thing as a free meal - McDonald's scam circulates online

An email scam hitting inboxes across the globe is promoting a free dinner at one of the world's largest fast-food chains. The catch is that you need to print the attached coupon, which is actually an executable for a well-established family of Malware.

Millions of people across the globe will head to McDonald's today. Given the eatery's popularity, some might be tempted to take advantage of an offer circulating via email. The message appears with the subject, "You don't need to pay for your helpings this day", and promises a free dinner on June 27.

"McDonalds invites you to The Free Dinner Day which will take place on 27 June, 2011, in every cafe of ours," the randomly delivered message explains.

According to the scam, the day's free treats include Big N' Tasty with Cheese, Chicken Selects Premium Breast Strips, Premium Caesar Salad, Apple Dippers, and McCafe Mocha Frappe.

"Print the invitation card attached to the letter and show it at the cash desk of any of our restaurants. Every manager will gladly take your card and issue you a tasty dish of Free Day. And remember! Free Day is a whole five free dishes! Thank you for your credence. We really appreciate it," the message concludes.

Continued : http://www.thetechherald.com/article.php/201125/7296/No-such-thing-as-a-free-meal-McDonald-s-scam-circulates-online

Also: How a free breakfast day at McDonalds can lead to malware danger

'No evidence' that LulzSec has hacked UK census

Reports that the hacking group LulzSec have stolen millions of records from this year's UK census are being investigated, the UK's Office for National Statistics (ONS) said this afternoon.

"We are aware of the suggestion that census data has been accessed. We are working with our security advisers and contractors to establish whether there is any substance to this. The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred."

The rumour emerged this morning after website The Next Web reported the contents of a supposed statement from LulzSec on Pastebin, a site where anyone can post anonymous documents. LulzSec has used the site previously to announce its various data breaches, but the group usually accompanies the announcements with a message on its Twitter account. In this case it appears that someone has simply used the LulzSec logo to post their own hoax message.

If census records have been stolen, the implications are incredibly far-reaching. It's unlikely that anyone could have gained access to the full census data, as the millions of paper-based forms won't have been scanned yet, but it's possible that someone could compromise the million or so forms completed online. With the census containing details of your address, date of birth, occupation and more, the potential for identity theft is enormous.

Continued : http://www.newscientist.com/blogs/onepercent/2011/06/lulzsec-census-leak.html

New Type of Android Malware Spotted In the Wild

According to mobile security company Lookout, there is a new version of Android malware in the wild and this one is a little bit different from what has come before.

Known as GGTracker, the application can be downloaded from the mobile browser through an advertisement that brings users to a page that is set up to look like the Android Market. Once a user has downloaded the GGTracker Tracker Trojan it sends SMS messages to premium subscription services that would normally require online registration.

The clever bit in this new malware is the fake Android Market installation screen. Yet, since it is not the actual Android Market, it is doubtful that Google can reach into users' phones to automatically disable the Trojan, the way the company did with the DroidDream malware that struck earlier this year. We have contacted Lookout and Google to see if this is a possibility.

Once a user has clicked through to the fake installation page they are prompted to install an application, like a "fake battery optimizer package as t4t.pwower.management and in another a porn app packaged as com.space.sexypic," according to Lookout. Once a user clicks on the download button, the malicious app will direct the user to install the app via Android's download notification.

Continued : http://www.readwriteweb.com/archives/new_type_of_android_malware_spotted_in_the_wild.php

Google's New Tool, DOM Snitch, Finds JavaScript Flaws

Google announced on Tuesday the availability of a new free application testing tool, dubbed "DOM Snitch," that it says will help Web application developers find vulnerabilities in client side Web applications.

The new application is a Chrome browser extension that works by injecting hooks into a Web page that signal when that page interacts with browser features that can be manipulated in an attack. The tool is designed to allow both Web application developers and QA staff who lack expertise in security to pinpoint insecure application code, Google said.

DOM refers to the "Document Object Model," a common, platform-neutral interface that allows programs and scripts to access and update the content and structure of Web pages and other online documents.

The DOM Snitch product is similar to other free, open source testing tools from Google, including Skipfish, an automated Web application security reconnaissance tool. The tool, which is released in an early, alpha-release form, watches JavaScript for calls to DOM methods that can pose a security risk in a developed application. Those include internal DOM events like onmouseover as well as document.write, set and get document.cookie, and so on. The tool can be run in "Passive," "Invasive," or "Standby" mode, allowing testers to merely snoop on activities taking place inside the DOM of a Web page, or to actually stop the page execution and intercept and modify data on the fly.

Continued : http://threatpost.com/en_us/blogs/googles-new-tool-dom-snitch-finds-javascript-flaws-062111
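
The hooking approach described in the DOM Snitch item above, sketched as an added example that is not part of the original post and is not DOM Snitch's own code: wrappers around `document.write` and the `document.cookie` accessor log each use and, in an intercepting mode, let a tester rewrite the data. `MockDocument`, `installHooks`, `findDescriptor` and the exact meaning given to each mode (standby is assumed to mean the hooks are inactive) are assumptions made for the illustration.

```javascript
// Constructed stand-in for a browser document so the example runs under Node.
class MockDocument {
  constructor() { this.body = ""; this.jar = []; }
  write(html) { this.body += html; }
  get cookie() { return this.jar.join("; "); }
  set cookie(v) { this.jar.push(String(v).split(";")[0]); }  // keep name=value only
}

// Walk the prototype chain; in a browser the cookie accessor is inherited.
function findDescriptor(obj, name) {
  for (let p = obj; p; p = Object.getPrototypeOf(p)) {
    const d = Object.getOwnPropertyDescriptor(p, name);
    if (d) return d;
  }
  return undefined;
}

// Hypothetical monitor: hooks the sinks named in the article on one document.
function installHooks(doc, { mode = "passive", intercept = null } = {}) {
  const events = [];
  const state = { mode };
  const observe = (sink, data) => {
    if (state.mode === "standby") return data;       // assumed: hooks inactive
    events.push({ sink, data });                     // passive: record only
    if (state.mode === "invasive" && intercept) return intercept(sink, data);
    return data;
  };

  const origWrite = doc.write;
  doc.write = function (...args) {
    return origWrite.call(this, observe("document.write", args.join("")));
  };

  const desc = findDescriptor(doc, "cookie");
  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() { const v = desc.get.call(this); observe("get document.cookie", v); return v; },
    set(v) { desc.set.call(this, observe("set document.cookie", v)); },
  });

  return { events, setMode(m) { state.mode = m; } };
}

function demo() {
  const doc = new MockDocument();
  const neutralise = (sink, data) =>
    sink === "document.write" ? data.replace(/</g, "&lt;") : data;
  const snitch = installHooks(doc, { mode: "passive", intercept: neutralise });

  const fragment = '<b onmouseover="track()">hi</b>';  // constructed sample markup
  doc.write(fragment);                 // passive: logged, written unchanged
  doc.cookie = "sid=abc123; path=/";   // constructed sample cookie
  const read = doc.cookie;

  snitch.setMode("invasive");
  doc.write(fragment);                 // invasive: logged, then rewritten

  snitch.setMode("standby");
  doc.write("<p>unlogged</p>");        // standby: passes straight through

  return { body: doc.body, read, sinks: snitch.events.map((e) => e.sink) };
}
```

In a real page the same wrappers would be installed on `document` before any application script runs, which is why a browser extension is a natural place for them.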
