NEWS - March 20, 2014

Symantec Security Response Blog:

Security researchers have released a paper (pdf) documenting a large and complex operation, code named "Operation Windigo". Since the campaign began in 2011, more than 25,000 Linux and Unix servers were compromised to steal Secure Shell (SSH) credentials, to redirect Web visitors to malicious content, and to send spam. Well-known organizations such as cPanel and Linux Foundation were confirmed victims. Targeted operating systems include OS X, OpenBSD, FreeBSD, Microsoft Windows, and various Linux distributions. The paper claims Windigo is responsible for sending an average of 35 million spam messages on a daily basis. This spam activity is in addition to more than 700 Web servers currently redirecting approximately 500,000 visitors per day to malicious content.

The paper lists three main malicious components (ESET detection names):

Continued : http://www.symantec.com/connect/blogs/25000-linux-and-unix-servers-compromised-operation-windigo

Related:
10,000 Linux servers hit by malware serving tsunami of spam and exploits
25,000 UNIX servers hijacked by backdoor Trojan
Windigo Linux Analysis - Ebury and Cdorked

A public plea made on Twitter by Runa A. Sandvik, a (former?) developer with The Tor Project has turned the spotlight on a still unresolved issue of an apparently fake Tor Browser app equipped with spyware being offered for download on Apple's App Store. [Screenshot]

The open ticket she linked to on the project's site show that for whatever reason, Apple is not moving fast enough to remove to address the concerns of Tor officials.

They first complained about the fake and malicious app to Apple on 26 December 2013.

Apple has responded on January 3, 2014 by saying that they are giving a chance to the author of the app to defend his offering. But after that, the company has remained silent, and has not responded to additional emails sent by Tor nor removed the app.

Continued: http://www.net-security.org/malware_news.php?id=2739

Related:
Tor Browser in Apple's App Store Still Packed with Spyware and Adware
Fake Tor browser for iOS laced with adware, spyware, members warn
Tor Browser in Apple's App Store Contains Adware and Spyware

A Linux worm that targets routers and set-top boxes is now looking for full-fledged computers to use its new feature, a cryptocurrency mining function, according to Symantec.

Symantec spotted the worm, which it calls Darlloz, in November. It was preloaded with usernames and passwords for routers and set-top boxes that run Linux on Intel's x86 chip architecture and other embedded device architectures such as PPC, MIPS and MIPSEL.

The latest variant of Darlloz, found by Symantec in mid-January, looks for computers running Intel's architecture, wrote Kaoru Hayashi, a senior development manager and threat analyst with Symantec in Japan.

Continued : http://www.cso.com.au/article/540956/linux_worm_diversifies_mine_cryptocurrencies/

Related:
Over 31,000 IoT devices and computers infected by cryptocoin-mining worm
Linux Worm Darlloz Infects over 31,000 Devices in Four Months

The Firefox web browser took a beating during last week's Pwn2Own contest with researchers bringing four zero-day vulnerabilities and exploits to the table, walking away with a collective $200,000 in prize money in the process.

Yesterday, Mozilla capped all four bugs among 18 security advisories addressed in Firefox 28.

Firefox was by no means the only browser targeted during the annual contest; all four leading vendors failed to hold up against some of the best white hat hackers in the world. Two days ago, Google led the charge with the first set of patches addressing vulnerabilities disclosed during Pwn2Own. Google also paid out more than $150,000 to the winners of its Pwnium contest which went after bugs in Chromium and the Chrome OS.

Continued: http://threatpost.com/mozilla-patches-pwn2own-zero-days-in-firefox-28/104889

Related: Mozilla patches 20 Firefox flaws, plugs Pwn2Own holes

Bitdefender's "HOTforSecurity" Blog:

Mobile users of the National Geographic website are targeted with scareware saying they have been infected with malware, according to the Bitdefender Labs. They are then abusively redirected to a Google Play app that would clean their Android device.

The ad poses as a message from the news.nationalgeographic.com page. "Your Android has been infected with a virus," the deceptive alert reads. "Tap OK to remove now."

Such messages end up on the National Geographic official web page through a chain of ad networks, including the Rubicon Project, Google's DoubleClick and AppNexus. [Screenshot]

"Dubious advertising techniques try to redirect users to various apps and downloads," Bitdefender Chief Security Strategist Catalin Cosoi said. "This time, scammers managed to mess with the website of a famous international brand to gain extra-exposure and add legitimacy to their message. From kids to grown-ups - who wouldn't believe National Geographic?"

Continued : http://www.hotforsecurity.com/blog/national-geographic-fans-targeted-with-mobile-scareware-8209.html

Bruce Schneier @ his "Schneier on Security" Blog:

Facebook has developed a face-recognition system that works almost as well as the human brain:

Asked whether two unfamiliar photos of faces show the same person, a human being will get it right 97.53 percent of the time. New software developed by researchers at Facebook can score 97.25 percent on the same challenge, regardless of variations in lighting or whether the person in the picture is directly facing the camera.

Human brains are optimized for facial recognition, which makes this even more impressive.

This kind of technology will change video surveillance. Right now, it's general, and identifying people is largely a forensic activity. This will make cameras part of an automated process for identifying people.

https://www.schneier.com/blog/archives/2014/03/automatic_face-.html

In the wake of one data breach after another, millions of Americans each year are offered credit monitoring services that promise to shield them from identity thieves. Although these services can help true victims step out from beneath the shadow of ID theft, the sad truth is that most services offer little in the way of real preventative protection against the fastest-growing crime in America.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you're being offered free monitoring, it probably can't hurt to sign up, but you shouldn't expect the service to stop identity thieves from ruining your credit.

Avivah Litan, a fraud analyst at Gartner Inc., said offering credit monitoring has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud).

Continued : http://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/

Gmail has always supported HTTPS, and even made the communications protocol the default option in 2010. Today Google announces it will always use an encrypted HTTPS connection when you check or send email.

"Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers -- no matter if you're using public Wi-Fi or logging in from your computer, phone or tablet", Nicolas Lidzborski, Gmail Security Engineering Lead says.

"In addition, every single email message you send or receive -- 100 percent of them -- is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers -- something we made a top priority after last summer's revelations", he adds.

Continued : http://betanews.com/2014/03/20/google-makes-gmail-https-only/

Related: Google promises always-on encrypted HTTPS connection for Gmail