
Spyware, Viruses, & Security forum


NEWS - March 01, 2011

by Carol~ Forum moderator / March 1, 2011 12:16 AM PST
19 vulnerabilities - Chrome 9 update proves expensive for Google

Google has released version 9.0.597.107 of its Chrome browser, which fixes a total of 19 security vulnerabilities, 16 of them rated as high risk. It was, for example, possible to crash the browser using JavaScript dialogues and SVG files, or to use the address bar for URL spoofing. Also fixed is an integer overflow when handling textareas. As ever, Google is keeping full details of the vulnerabilities under wraps until the bulk of users have switched to the new version.

Google's rewards programme pays discoverers of vulnerabilities up to $1,000. Google paid out a total of $14,000 for this particular update. In total, its security bug bounty programme has now paid out more than $100,000.

Chrome 9.0.597.107 is available to download for Windows, Mac OS X and Linux from google.com/chrome. Users who currently have Chrome installed can use the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.

http://www.h-online.com/security/news/item/19-vulnerabilities-Chrome-9-update-proves-expensive-for-Google-1199922.html

See Vulnerabilities & Fixes : Google Chrome Multiple Vulnerabilities

Morgan Stanley Attacked by China-Based Hackers Who Hit Google
by Carol~ Forum moderator / March 1, 2011 12:22 AM PST
In reply to: NEWS - March 01, 2011

Morgan Stanley experienced a "very sensitive" break-in to its network by the same China-based hackers who attacked Google Inc.'s computers more than a year ago, according to e-mails stolen from a cyber-security company working for the bank.

The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret.

"They were hit hard by the real Aurora attacks (not the crap in the news)," wrote Phil Wallisch, a senior security engineer at HBGary, who said he read an internal Morgan Stanley report detailing the so-called Operation Aurora attacks.

The nickname came from McAfee Inc., a Santa Clara, California-based cyber-security firm, which said the attacks occurred for about six months starting in June 2009 and marked "a watershed moment in cyber security." The number of companies known to be hit in the attacks was initially estimated at 20 to 30 and now exceeds 200, said Christopher Day, senior vice president for Terremark Worldwide Inc., which provides information-technology security services.

Continued : http://www.bloomberg.com/news/2011-02-28/morgan-stanley-network-hacked-in-same-china-based-attacks-that-hit-google.html

Also: Morgan Stanley hit by same attackers that breached Google

Gmail back soon for everyone
by Carol~ Forum moderator / March 1, 2011 1:13 AM PST
In reply to: NEWS - March 01, 2011

From the Official Gmail Blog:

Imagine the sinking feeling of logging in to your Gmail account and finding it empty. That's what happened to 0.02% of Gmail users yesterday, and we're very sorry. The good news is that email was never lost and we've restored access for many of those affected. Though it may take longer than we originally expected, we're making good progress and things should be back to normal for everyone soon.

I know what some of you are thinking: how could this happen if we have multiple copies of your data, in multiple data centers? Well, in some rare instances software bugs can affect several copies of the data. That's what happened here. Some copies of mail were deleted, and we've been hard at work over the last 30 hours getting it back for the people affected by this issue.

To protect your information from these unusual bugs, we also back it up to tape. Since the tapes are offline, they're protected from such software bugs. But restoring data from them also takes longer than transferring your requests to another data center, which is why it's taken us hours to get the email back instead of milliseconds.

Continued : http://gmailblog.blogspot.com/2011/02/gmail-back-soon-for-everyone.html

Related :
Gmail accidentally resetting accounts, years of correspondence vanish into the cloud? (update)
Google Gmail outage leaves 150,000 users without e-mail

US raps China's Baidu and Taobao over pirated goods
by Carol~ Forum moderator / March 1, 2011 3:27 AM PST
In reply to: NEWS - March 01, 2011

Two of China's biggest websites, the search engine Baidu and online retailer Taobao, were named as "notorious markets" in a new U.S. government report for allegedly supporting pirated and counterfeit goods.

China's largest search engine, Baidu, was named as an offender for providing online services that provide links to pirated goods via third-party sites. Major record labels have leveled the same accusations, claiming that Baidu "deep links" users to hundreds of thousands of illegal songs hosted on other sites. In 2008, the record labels brought a lawsuit against Baidu, only to see it fail.

Baidu declined to comment on the U.S. report.

China's largest online retailer, Taobao.com, was also named a major offender for allowing merchants to offer counterfeit goods on its website. The report, however, added that the company is "making significant efforts to address the availability of infringing goods through its website."

Continued : http://www.computerworld.com/s/article/9212040/US_raps_China_s_Baidu_and_Taobao_over_pirated_goods

Also: Baidu, Taobao Identified as `Notorious Markets' by U.S. for Helping Piracy

Apple Kickback Offender Pleads Guilty, Forfeits $2.3 Million
by Carol~ Forum moderator / March 1, 2011 3:27 AM PST
In reply to: NEWS - March 01, 2011

"Former Apple employee Paul Devine has pleaded guilty in a California court to passing Apple's secrets to its partners in exchange for lucrative kickbacks."

Paul Shin Devine, the former Apple employee at the center of a kickback scheme, admitted to defrauding Apple and pleaded guilty to criminal counts of wire fraud, conspiracy and money laundering in a Northern California court Feb. 28.

The plea is an about-face from the not-guilty plea Devine made Aug. 16, 2010, after being arrested and charged with more than 23 counts.

The 38-year-old Devine, who worked for Apple as a global supply manager from 2005 until 2010, is accused of having passed confidential company information - such as pricing targets, product specifications, roadmaps, product forecasts and information obtained from Apple's partners - to a number of Asian suppliers in exchange for kickbacks. The scheme earned him more than $2.4 million.

Continued : http://www.eweek.com/c/a/Government-IT/Apple-Kickback-Offender-Pleads-Guilty-Forfeits-23-Million-605655/

Also:
Ex-Apple Manager Pleads Guilty to Fraud, to Hand in $2.25M
Ex-Apple manager pleads guilty in kickback scheme

Intel's acquisition of McAfee now complete
by Carol~ Forum moderator / March 1, 2011 3:27 AM PST
In reply to: NEWS - March 01, 2011

Intel, the world's largest chip maker, has announced that its acquisition of security specialist McAfee is now complete. Under the terms of the deal, first announced in August 2010, Intel agreed to purchase all of McAfee's common stock for $48 per share, valuing the cash deal at a total of approximately $7.68 billion (

Fake Donations for New Zealand Earthquake Victims
by Carol~ Forum moderator / March 1, 2011 3:27 AM PST
In reply to: NEWS - March 01, 2011

On February 22, 2011, a massive 6.3 magnitude earthquake devastated the New Zealand city of Christchurch. As per the official reports, the death toll has reached 75, a number that may yet increase. Thousands of people in New Zealand have lost their homes and search operations are still in progress. Fraudsters, as usual, are taking advantage of this by sending spam mails that request donations. In January, phishers had used the same ploy of asking for fake donations for victims of the Serrana floods. [Screenshot: http://www.symantec.com/connect/imagebrowser/view/image/1675541/_original]

The phishing site spoofed the Red Cross website for New Zealand and requested help from end users. Firstly, the phishing site gave details of the earthquake, highlighting the extent of the damage in the city. Secondly, details on how to make a secure online donation were given. Users were notified that upon making an online donation, the user would receive a receipt by email for tax purposes. There were three credit card services to choose from.

To make the donation, users were required to enter certain confidential information. The first field was a drop down menu from which the user had to select the cause for which the donation would be made. The causes included New Zealand Earthquake 2011, Annual Appeal 2011, Australian Floods Fund, Landmine Appeal, Pacific Disaster Preparedness Fund, and General Fund Appeal.

Continued : http://www.symantec.com/connect/blogs/fake-donations-new-zealand-earthquake-victims

Erasing Data from Flash Drives
by Carol~ Forum moderator / March 1, 2011 3:28 AM PST
In reply to: NEWS - March 01, 2011

From Bruce Schneier @ his "Schneier on Security" Blog:

"Reliably Erasing Data From Flash-Based Solid State Drives" (PDF) by Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson.

Abstract: Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.

We empirically evaluate the effectiveness of hard drive-oriented techniques and of the SSDs' built-in sanitization commands by extracting raw data from the SSD's flash chips after applying these techniques and commands. Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.

This third conclusion leads us to develop flash translation layer extensions that exploit the details of flash memory's behavior to efficiently support file sanitization. Overall, we find that reliable SSD sanitization requires built-in, verifiable sanitize operations.

Continued : http://www.schneier.com/blog/archives/2011/03/erasing_data_fr.html

Apple iTunes accounts hacked as more rogue developers emerge
by Carol~ Forum moderator / March 1, 2011 6:47 AM PST
In reply to: NEWS - March 01, 2011

It appears that after seven months, Apple is still having difficulty coming to terms with the fact that hackers are targeting iTunes accounts to purchase apps and artificially inflate the revenue received, particularly apps originating from the developer account of "Hongbin Suo".

We exclusively revealed back in July that attackers were compromising iTunes accounts across the world, revealing not just one but a number of different developer accounts that used very similar, if not more "innovative", approaches to stealing users' money. Put simply, the Apple App store was filled with App Farms being used to steal.

Fast-forward to mid-February - We receive a tip from a worried iTunes account holder and Apple's forums begin to fill up with users complaining of transactions being made on their iTunes accounts that they didn't authorise. Reports point to apps from developer accounts Hongbin Suo and GameIsLive, particularly Texas Hold'Em and other Chinese apps which were either paid downloads or made use of Apple's in-app purchasing.

Continued : http://thenextweb.com/apple/2011/03/01/apple-itunes-accounts-hacked-as-more-rogue-developers-emerge/

Password management site plugs info-leak bug
by Carol~ Forum moderator / March 1, 2011 6:47 AM PST
In reply to: NEWS - March 01, 2011

Password management site LastPass has plugged a security hole in its website that created a means to extract the email addresses - though not the passwords - of enrolled users.

The cross-site scripting bug meant that logged-in users induced to visit a malicious site would disclose their email addresses and sites associated with a LastPass account, along with password reminders and a list of IP addresses used to access the site.

The bug was discovered by independent security researcher Mike Cardwell, who was unable to exploit the flaw to extract passwords.

LastPass - which boasts close to a million members - stores website login details in an encrypted container, safeguarded by a master password. Users log in to extract this information either directly via the website or by using a browser extension.

Cardwell reported the information disclosure bug to LastPass, which acted promptly in less than three hours to close the hole. In an advisory LastPass explains how it has improved security to prevent any repetition of the unfortunate incident, including ensuring browsers that support it (Chrome and Firefox 4) will be locked into secure SSL web requests when on the lastpass.com domain.

Continued : http://www.theregister.co.uk/2011/03/01/password_management_site_xss_bug/

Related : Password Management Site LastPass Sports Security Hole

Android's Steamy Window trojan sends SMS to premium numbers
by Carol~ Forum moderator / March 1, 2011 8:56 AM PST
In reply to: NEWS - March 01, 2011

An Android App called Steamy Window is being used by hackers to take over Android phones and run up big texting bills.

Symantec says the app is a free program that Chinese hackers have modified, then re-released into the wild.

In a statement, Vikram Thakur, a principal security response manager at Symantec, said that Steamy Window is the newest in a line of compromised Android apps.

The hackers grabbed a copy of Steamy Windows, then added a backdoor Trojan horse - "Android.Pjapps" to the app's code.

The app was then placed on unsanctioned third-party "app stores" in the hope that punters looking for dodgy apps can find them.

Thakur said that while hacks like this were becoming a dime a dozen this one stood out as a particularly nasty piece of work.

The Trojan planted by the malware-infected Steamy Windows can install other applications, bugger around with the phone's browser bookmarks, and navigate to Web sites and silently send text messages.

The criminals send messages to premium rate numbers and collect commissions.

Continued : http://www.techeye.net/security/androids-steamy-window-trojan-sends-sms-to-premium-numbers

From Symantec's Security Response Blog: Android Threats Getting Steamy

DarkComet RAT author denies BlackHole Mac Trojan is his
by Carol~ Forum moderator / March 1, 2011 8:56 AM PST
In reply to: NEWS - March 01, 2011

To follow up on our post last Friday, I was contacted by the author of the DarkComet RAT Trojan. He seemed quite upset that I suggested the new Mac OS X Trojan BlackHole RAT was related to his Windows creation.

While the BlackHole RAT Trojan seems to be copying the behavior of DarkComet, the lack of functionality and the unsophisticated user interface clearly offended the author, who felt it was necessary to set the record straight.

To make a point, DarkComet's author acknowledges that he is developing his own Mac OS X Trojan, called DarkCometX, that is not yet finished. He provided the following screenshot. [Screenshot]

Learning of two Mac OS X Trojans in less than a week was, admittedly, a bit of a surprise. Technically, in and of itself, writing a Trojan is not illegal. It's all in what you do with it.

Looking at the code and descriptions, though, I think it is clear what the authors expect you to do with their "products."

BlackHole RAT includes text saying things like:

Continued : http://nakedsecurity.sophos.com/2011/03/01/darkcomet-rat-author-denies-blackhole-rat-is-his/

Related : Mac OS X backdoor Trojan, now in beta?

Accused AT&T Hacker Makes Bail
by Carol~ Forum moderator / March 1, 2011 8:56 AM PST
In reply to: NEWS - March 01, 2011

One of the two men accused of hacking AT&T's website to grab personal information about thousands of iPad users has been released on bail.

Andrew Auernheimer was released from custody on Monday on a US$50,000 bond. He will be working for a friend's New Jersey company as a computer consultant while out on bail, according to the U.S. Department of Justice. Auernheimer is not allowed to travel outside of New Jersey and New York and is prohibited from using Internet-enabled cell phones. While on bail, he can use the Internet, but only for work-related tasks, the DOJ said.

Auernheimer, who used the hacker name Weev, and Daniel Spitler were charged with fraud and conspiracy last month in connection with the June 2010 incident, where members of their hacking group downloaded data on about 120,000 iPad users and handed it over to a reporter, saying they had uncovered an important security vulnerability in the AT&T website.

Continued : http://www.pcworld.com/businesscenter/article/220991/accused_atandt_hacker_makes_bail.html

Also: Reputed ATandT Hacker Makes Bail, Released

IE9 Feeds Insatiable User Appetite with 36 Million Downloads
by Carol~ Forum moderator / March 1, 2011 8:57 AM PST
In reply to: NEWS - March 01, 2011

Internet Explorer 9 is "downloading like hotcakes," if they would be downloadable, that is. After almost six months since IE9 made its debut into Beta, one thing is clear, users worldwide have worked out quite an appetite for the next major iteration of IE.

IE9 was downloaded in excess of 25 million times between September 15th, 2010 and February 10th, 2011 when the browser graduated to Release Candidate (RC) stage.

And it appears that the number of downloads is only accelerating, according to the latest statistics provided by Microsoft.

Since IE9 RC was launched earlier this month, there have been over 11 million new downloads of IE8's successor.

IE9 has been downloaded at the rate of a little over 2.5 copies each second, or 150 downloads per minute until March 1st, 2011.

"Since its release on February 10th, the IE9 RC has already been downloaded over 11 million times. Together with the IE9 Beta, IE9 has been downloaded over 36 million times since its initial availability on September 15, 2010," revealed Roger Capriotti, Director, Internet Explorer Product Marketing.

Continued : http://news.softpedia.com/news/IE9-Feeds-Insatiable-User-Appetite-with-36-Million-Downloads-186888.shtml

As Referenced: IE9 Reaches 36 Million Downloads; Internet Explorer Share Grows
