Spyware, Viruses, & Security forum

General discussion

NEWS - March 22, 2011

Industrial Control Systems: security holes galore

It seems that Stuxnet has given many security experts an interest in the potential holes in industrial control and SCADA (Supervisory Control and Data Acquisition) systems. Security specialist Luigi Auriemma, previously mainly known for detecting holes in games and media players, has released a list of 35 vulnerabilities in SCADA products by Siemens Tecnomatix (FactoryLink), Iconics (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

The expert's list includes the whole spectrum of potential security issues from remote file downloads and unauthorised file uploads to targeted attacks on services via integer, buffer and heap overflows. Some of the holes can probably also be exploited to inject and execute arbitrary code. The Stuxnet worm also exploited holes in WinCC, the successor to FactoryLink, to remotely infiltrate systems and manipulate the connected controls.

Continued : http://www.h-online.com/security/news/item/Industrial-Control-Systems-security-holes-galore-1212336.html

Also: Dozens of exploits released for popular SCADA programs
Apple releases Mac OS X 10.6.7 update

In reply to: NEWS - March 22, 2011

Apple has released the final version of Mac OS X 10.6.7. This update for Snow Leopard is available to download from Apple's web site and is 475 MB if Mac OS X 10.6.6 has already been installed; the combo update, which includes earlier updates from Mac OS X 10.6, is considerably larger, at 1.12 GB. Apple lists three central points among the new additions: fixes that improve the reliability of the Back to My Mac remote desktop service, that resolve an issue when transferring files to certain SMB servers and that eliminate "various minor" bugs in the Mac App Store; the latter was introduced with Mac OS X 10.6.6.

In the software update notes, Apple also recommends the update "for all early 2011 MacBook Pro models". The company says that the update addresses "minor FaceTime performance issues" and improves "graphics stability and external display compatibility". Problems with the new combined DisplayPort/Thunderbolt connector causing display flickering in certain configurations had recently been reported in this context. Some users also reported problems when running their quad-core machines at full load - whether Apple has made changes to resolve these issues has yet to be confirmed.

Continued : http://www.h-online.com/security/news/item/Apple-releases-Mac-OS-X-10-6-7-update-1212226.html

See Vulnerabilities & Fixes : Apple Mac OS X Multiple Vulnerabilities

Apple's silent updates

In reply to: Apple releases Mac OS X 10.6.7 update

Apple has released Mac OS X 10.6.7 with several bug fixes and security patches. This patch bundle also includes a silent update to Apple's built-in XProtect anti-virus functionality.

With the release of Snow Leopard (Mac OS X 10.6) Apple introduced a basic antivirus protection called "XProtect". It scans and detects threats when files are downloaded through Safari, Mail, iChat, Firefox and a few more and afterwards executed. The signature list is updated via Apple's Software Update.

Until now XProtect's database contained signatures for three well-known threats:
- OSX.RSPlug.A: changes local DNS entries, came through fake video codecs
- OSX.Iservice: attacks websites (DDoS), came bundled with pirated applications
- OSX.HellRTS: known as HellRaiser, a tool which gives the attacker full access over the victim's system. Version 4.2 is publicly available; version 4.4 was sold for $15 by the creator in underground forums. [Screenshot]

New update
The updated signature list now includes definitions for "OSX.OpinionSpy". This Trojan came bundled with screensavers and applications hosted on popular download websites for Macs in mid-2010. It is known as Opinion Spy and Premier Opinion. The main aim of the malware is to collect personal data, which is sent to various servers. The Trojan runs as root, which means it's capable of doing "anything" on your computer.

Continued : http://www.securelist.com/en/blog/6141/Apple_s_silent_updates

Play.com spam points to malware downloads

In reply to: NEWS - March 22, 2011

Multiple Reg readers were annoyed at receiving junk mail messages on Monday from addresses they had only registered with online retailer Play.com.

Several of these junk mail sites pointed to black hat controlled domains that served up malware, heightening complaints on online forums (discussion on MoneySavingExpert here) and sparking theories that either Play.com had been hacked or its mailing list had been stolen.

Affected users were sure that Play.com must have been associated with the malware touting emails because they used a unique email address when signing up to the site.

We put in a query to Play.com on Monday but are yet to hear back. However, we have received copies of emails sent to customers by Play.com that apologised for the incident and blamed the breach on an (unnamed) third-party marketing firm.

Continued : http://www.theregister.co.uk/2011/03/22/play_malware_spam/

Play.com: Only customer emails lost in data breach

In reply to: Play.com spam points to malware downloads

Online retailer Play.com has named its marketing partner Silverpop as the guilty party behind the disclosure of customer names and email addresses.

The breach led to distribution of spam to email addresses only registered with the online retailer on Sunday, a development that led to howls of protest from users.

These emails offered supposed software updates from Adobe but actually linked to sites serving up malware.

The offer of the latest version of Adobe Reader X out of the blue and via email is unlikely to have taken in many, since the ruse was neither timely, subtle nor salacious.

Play.com, which issued an apology to users via email on Tuesday morning, has since come forward with an official statement from chief exec John Perkins (below) that seeks to downplay the significance of the admitted breach. In particular the online retailer stresses that the snafu only affected email details, and not credit card details or other sensitive information.

Continued : http://www.theregister.co.uk/2011/03/22/play_blames_marketing_firm_for_spam_snafu/

Also: Data loss at Play.com

The decline and fall of Slammer?

In reply to: NEWS - March 22, 2011

From Kaspersky Lab Weblog:

Me and Slammer (Helkern) go back a long way...to 25 January 2003 to be precise. It was a baptism of fire for me in my new role as a virus analyst at Kaspersky Lab. It was a weekend and I was alone, in charge of monitoring the incoming flow of suspicious files. I had barely been at the company a month.

On that day the Internet suffered one of the biggest virus epidemics in its history - within the space of just fifteen minutes a worm using a vulnerability in MS SQL Server infected hundreds of thousands of computers worldwide and knocked out the Internet in South Korea for a few hours.

Those 376 bytes were the implementation of a so-called 'bodyless' virus, which does not write itself to the system but only stays in the operational memory.

That was more than 8 years ago, but Slammer is still hanging around and is constantly among the leaders in our network attack ratings. Millions and billions of malicious packets are sent out each day searching for victims and generating a considerable amount of junk traffic.

Then something strange happened on 9 March 2011. Our automated threat analysis system, Kaspersky Security Network, recorded a significant drop in the number of attacks. We received the data from our IDS (Intrusion Detection System) module which monitors network attacks. The system also determines the source of an attack.

Continued : http://www.securelist.com/en/blog/424/The_decline_and_fall_of_Slammer

Researcher Overcomes Setback Over 'Cloud Cracking Suite'

In reply to: NEWS - March 22, 2011

"Apparent mis-translation by a German newspaper of English-speaking reports on researcher's Amazon EC2-based password-cracking tool led to raid, frozen bank account"

German researcher Thomas Roth got a phone call with some unsettling news the evening before he was to release a new hacking tool in his presentation at Black Hat DC: he had been served with an injunction for allegedly breaking anti-hacker laws in his country and law enforcement would be raiding his apartment back in Germany.

Roth, who had planned to release at the January conference his new open-source tool that uses Amazon's GPU processing services to crack SHA1-based passwords at high speeds, found himself in a legal quagmire that started with a German publication's mis-translation of English-speaking news reports on his research. The German newspaper incorrectly reported that Roth had said he would be turning a profit as a sort of hacker-for-hire. That led to a German telecommunications firm taking legal action against the researcher: "They misunderstood that I was getting money for doing this ... and illegally breaking into networks," says Roth, a researcher and consultant for Lanworks AG.

His bank account was frozen as a result, and Roth spent the past couple of months in a legal battle trying to clear his name and calling out the German newspaper article for its inaccurate translation of his research and the intent of his tool, which he describes as a quick way to brute-force hack weak, easily guessed passwords. ...

Continued @ Dark Reading

Chip and PIN compatibility leads to insecurity

In reply to: NEWS - March 22, 2011

Over the last few years, banks have been rolling out their new, chip-based payment cards which follow the EMV (Eurocard, Mastercard and Visa) standard to improve the security of card-based payment processing.

In theory, the intelligence of a semiconductor chip should be able to defeat many of the card skimming attacks that were possible with the classic magnetic stripe technology of the older chip-less cards.

A brief look at the back side of the new cards reveals, however, that the magnetic stripe is still present. Apparently it is still necessary to maintain backwards-compatibility with card reader devices that don't support the new technology yet.

In 2006, Cambridge researchers showed that the PIN may be grabbed in clear text by an interception device that eavesdrops on the communication between a Point Of Sale (POS) terminal and the chip.

Continued : http://nakedsecurity.sophos.com/2011/03/22/chip-and-pin-compatibility-leads-to-insecurity/

Has Complexity Become Security's Chief Nemesis?

In reply to: NEWS - March 22, 2011

"Study says proliferation of vendors, lack of user awareness are top challenges for security pros"

The sheer complexity of managing the enterprise security environment has become one of the chief obstacles to building a secure environment, according to a study published last week.

An overabundance of vendors and regulatory requirements -- as well as the continuing problem of end user ignorance -- are combining to prevent many large enterprises from building an effective security defense, according to Understanding Security Complexity in 21st Century IT Environments, a new study published by the Ponemon Institute and Check Point Software Technologies Ltd.

According to the survey of over 2,400 IT security administrators around the world, managing complex security environments is the most significant challenge facing organizations today, with over 55 percent of companies using more than seven different vendors to secure their networks.

"A lot of companies would like to consolidate vendors, but it's easier to get budget if you present a problem and then purchase a single product to solve it," notes Larry Ponemon, founder and CEO of the research firm. "Ironically, consolidation is harder to cost-justify than point solutions, because there is a cost associated with consolidation projects. But having so many vendors can be an administrative nightmare on the back end."

Continued : http://www.darkreading.com/security/security-management/229400023/has-complexity-become-security-s-chief-nemesis.html

Ransomware faking Microsoft to blackmail users

In reply to: NEWS - March 22, 2011

From the Bkis Global Task Force Blog:

Not long ago, my colleague (Nguyen Hong Quang) wrote an entry about a cyber fraud by Russian hackers. Reading that entry, I supposed hackers would continue to expand this fraud in the coming time. As I expected, our HoneyPot has recently collected numerous virus samples used for such sorts of scams, but with a completely new scenario and on a much larger scale.

If previously such malware faked porn videos, this time it forges the installer and updater of established software like Adobe Flash Player and Firefox. If you credulously run the "software", you will notice a warning "Windows license locked" upon your next startup. However, this warning is actually a fake notice created by the malware. This window emerges right after you log onto the system, and it is set to full-screen mode, which prevents you from closing it or switching to other windows, including Windows' Task Manager. Your computer can then no longer be used. [Screenshot: Warning window set to Top mode, unable to close]

The window still shows threatening words: "Windows license locked - system reinstallation may lead to the loss of personal data", but this menace is unreal. Such a warning, previously only in Russian, this time appears in various languages, showing the hackers' increasing "ambition".

After the "threatening" words comes the instruction on how to escape the trouble, in return for money. This time, the prank fakes Microsoft's Windows Activation by phone: [Screenshot]

In this window, the hacker provides quite detailed instructions, from how to make a call from a home phone or a mobile phone to how to enter the code correctly, with a view to fooling users more easily.

Curious about this system, I turned myself into prey and made a call. After a while trying all the numbers provided, I finally managed to connect to a number with a Danish country code. I heard a female voice from the switchboard:

Continued : http://blog.bkis.com/en/ransomeware-faking-microsoft-to-blackmail-users/

ISPs urged to block filesharing sites

In reply to: NEWS - March 22, 2011

"Music and film groups in talks with broadband providers over code that would bar access to sites such as The Pirate Bay"

Rights holders from across the music and film industries have identified about 100 websites - including The Pirate Bay and "cyberlocker" sites - that they want internet service providers such as BT to block under new measures to tackle illegal filesharing.

Under a voluntary code that is under discussion, content owners would pass evidence of illegal filesharing sites to ISPs, which would then take action against those sites.

However, the proposals are fraught with complications. ISPs are understood to be open to the idea of cutting off access to some infringing sites, but argue that an impartial judge should decide which get blocked. It is also unclear whether content owners or ISPs would be liable to pay compensation to a site that argues that it has been unfairly censored.

The communications minister, Ed Vaizey, is leading a series of talks with rights holders and ISPs, including BT and TalkTalk, aimed at developing a voluntary code on internet policy, including site blocking.

Continued : http://www.guardian.co.uk/technology/2011/mar/22/isps-urged-to-block-filesharing-sites

100 Domains On Movie and Music Industry Website Blocking Wishlist
UK ISPs in talks to block The Pirate Bay and other filesharing sites

Council loses USB stick used to store security codes

In reply to: NEWS - March 22, 2011

Leicester City Council has become the latest organisation to tell the Information Commissioner's Office (ICO) that it has lost a USB stick containing sensitive personal data.

The drive appears to have contained not only the personal records of 4,000 elderly and vulnerable people in the city but, worse still, the codes to 2,000 small safe boxes on the outside of social housing used to store building keys.

In the light of the immediate security risk, the council is now in the process of changing the codes to counter the possibility that these might fall into the wrong hands.

Exactly what has happened to the drive remains a mystery. The drive reportedly never left the council offices and staff are said to be still hunting for it. Normally used as a backup drive and stored in a safe after use each night, the drive was last seen on Friday 4 March and reported as missing the following Tuesday.

A key issue will be whether the data on the drive was encrypted. A statement by a council spokesperson implied that it had been but this has yet to be confirmed.

Continued : http://www.csoonline.com/article/677785/council-loses-usb-stick-used-to-store-security-codes

Student used spyware to steal passwords, change grades

In reply to: NEWS - March 22, 2011

A former high school senior from Orange County, California, has pleaded guilty to charges that he installed spyware on school computers in order to boost his grades.

Omar Khan, of Coto de Caza, California, was one of two Tesoro High School students arrested three years ago in connection with the incident. The other student, Tanvir Singh, pleaded guilty in September 2008. Khan's guilty plea came as his trial was finally set to start this week.

Prosecutors say that in his senior year of high school, Khan developed a habit of breaking into school offices to steal tests and mess with the school's computers. He "installed spyware devices on the computers of several teachers and school administrators throughout his senior year," the office of the Orange County District Attorney said in a news release.

These passwords gave him access to the tests and the ability to boost his grades. Khan changed his Spanish, calculus and English grades from C's and D's to A's and a B+ and altered the grades of 12 other students, prosecutors said.

Continued : http://www.computerworld.com/s/article/9214898/Student_used_spyware_to_steal_passwords_change_grades

Sensitive data easily swiped from eBayed mobiles

In reply to: NEWS - March 22, 2011

Second-hand mobile phones sold on by their owners often contain extensive personal and sensitive data that leave sellers open to identity theft and other privacy risks.

Pre-owned mobile phones and SIM cards purchased on eBay or from shops were checked using readily available equipment to see what personal information was left on the handsets. Around half the handsets and chips examined by ethical hacker Jason Hart still held sensitive information.

Hart was able to recover all sorts of interesting nuggets using a mobile phone SIM Reader (something that can be bought from most electric stores), SIM recovery software and forensic examination software.

A total of 247 pieces of data were recovered from a total 19 of the 35 mobile phones and 27 of the 50 SIM cards. Data left on these handsets and communication devices included many photos (including pornographic images), bank details, login details for social networking sites and PIN numbers as well as private texts and emails.

Continued : http://www.theregister.co.uk/2011/03/22/sensitive_data_ebayed_mobiles/

Firefox 4 finally finished and freed

In reply to: NEWS - March 22, 2011

The developers at Mozilla have released the final version of Firefox 4 after over eight months in beta. The new version boasts a streamlined user interface and support for various HTML5 features. Other new features include Panorama, a new way to manage multiple tabs; app tabs, smaller persistent tabs for frequently used web applications; Sync, a web-based bookmarks (and more) synchronisation service; and an integrated web developer console.

Under the hood, Firefox 4 includes JaegerMonkey, a faster JavaScript engine; hardware accelerated rendering and a new Add-on SDK which allows for updates without restarting the browser. There are also privacy protection features such as the "Do Not Track" header which is sent to web sites to request that the site does not track the user's activity; this has yet to be implemented by any sites but is part of various proposals to the US authorities to address privacy issues.

For more about Firefox 4, see our feature article "What's new in Firefox 4". Firefox 4 is available to download in over 80 languages and for Windows, Mac OS X and Linux.

The Rustock Takedown and Global Spam Volumes

In reply to: NEWS - March 22, 2011

Last week there was widespread media coverage of a successful effort by Microsoft and US Marshals to take down the command and control capabilities of the Rustock botnet. At the time some sources announced a significant drop in spam volumes related to that event. Although X-Force noticed a 35% drop in spam volume on March 16th, spam volumes can fluctuate within a large range on a day to day basis and so this reduction in the volume did not initially appear to be outside of the normal amount of fluctuation that occurs.

Now that several days have passed, this drop seems more significant, as the spam volume has stayed down between 35 and 40% versus its previous average volumes for several consecutive days. It appears that the Rustock takedown likely had a sustained impact on the total volume of spam. It is worth noting, however, that this reduction is only about half as big as the drop that occurred over Christmas, when spammers appeared to have gone on holiday. [Screenshot]

Continued : http://blogs.iss.net/archive/RustockSpam.html
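As an added illustration of the reasoning in this post (example code, not from the X-Force blog), the script below shows how a defender can separate a sustained drop from normal day-to-day fluctuation: it freezes a pre-event baseline, flags any day more than 35% below it as a candidate, and only reports a "sustained" drop once the threshold has held for three consecutive days. The daily volumes are constructed sample values, and the 14-day window, 35% threshold and three-day confirmation period are assumptions chosen to match the figures quoted above.

```python
from statistics import mean

# Constructed daily spam-volume index (arbitrary units), NOT real X-Force data.
# Days 0-13 fluctuate around 100; day 14 is a one-off dip that recovers;
# days 17 onward model a sustained drop of roughly 35-40% below baseline.
SAMPLE_VOLUMES = [100, 92, 108, 97, 115, 88, 104, 99, 111, 94, 102, 96, 109, 101,
                  60, 98, 105, 63, 61, 62, 60, 64]


def analyse(volumes, window=14, threshold=0.35, confirm_days=3):
    """Classify each day after the baseline window.

    The baseline is the mean of the first `window` days and is frozen, so the
    drop itself cannot pull the baseline down and hide the event. A day is a
    'candidate' when it sits at least `threshold` below baseline; the drop
    becomes 'sustained' only after `confirm_days` consecutive candidate days.
    Returns a list of (day_index, drop_fraction, status) tuples.
    """
    if len(volumes) <= window:
        raise ValueError("need more days than the baseline window")
    base = mean(volumes[:window])
    results, run = [], 0
    for day in range(window, len(volumes)):
        drop = 1.0 - volumes[day] / base   # positive = below baseline
        run = run + 1 if drop >= threshold else 0
        if run == 0:
            status = "normal"
        elif run < confirm_days:
            status = "candidate"
        else:
            status = "sustained"
        results.append((day, round(drop, 3), status))
    return results


def sustained_drop_summary(results):
    """Return (first sustained day, mean drop over sustained days), or None."""
    sustained = [r for r in results if r[2] == "sustained"]
    if not sustained:
        return None
    return sustained[0][0], mean([r[1] for r in sustained])


if __name__ == "__main__":
    res = analyse(SAMPLE_VOLUMES)
    for day, drop, status in res:
        print(f"day {day:2d}: {drop:+.1%} vs baseline -> {status}")
    print("summary:", sustained_drop_summary(res))
```

The one-off dip on day 14 is reported only as a candidate and then cleared, which is the "normal fluctuation" case the post describes, while the later run is confirmed as sustained.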

Survey: Millions risk ID theft via social networks

In reply to: NEWS - March 22, 2011

Nearly 13 million American adults who use social networks are more than willing to accept friend requests from strangers of the opposite gender, a new survey from Harris Interactive has found.

According to Harris Interactive, 18 percent of men will accept a woman's friend request, even if they do not know the person. About 7 percent of women will accept an unknown man's friend request. A total of 5 percent of U.S. adults will accept every friend request they receive.

Only 50 percent trust that their connections will keep their information private. Yet more than 24 million Americans leave their personal information "mostly public" on social networks.

The results are based on a survey last month of 1,011 Americans 18 and over, including 387 who are on social networks. ID Analytics, a consumer risk-management firm, commissioned the survey, which was released today.

Leaving personal information public and allowing practically anyone to view your profile is a dangerous prospect, Harris Interactive observed. The company said that the basic information found in a social profile can help "build the dossiers [that criminals] need to beat challenge questions and other security measures on financial accounts." It's a sentiment with which ID Analytics agrees.

Continued : http://news.cnet.com/8301-13506_3-20045787-17.html

Splinter Group Says Document Outs Anonymous Members

In reply to: NEWS - March 22, 2011

The veil surrounding the group Anonymous may be falling, now that a group claiming to have defected from the ranks of the online mischief making group has begun publishing what it claims are the identities of the hacker collective's leadership and their roles in recent high profile hacks, including the theft of e-mail from security firm HBGary Federal.

Late Monday, the group, dubbed Backtrace Security, published a PDF that claimed to identify - or partially identify - close to 80 members of Anonymous's leadership by name, and provide mailing addresses, e-mail and social networking accounts for many of those members. The release of the document on the website Anonymousdown is the latest in a string of efforts in recent days to poke holes in the wall of anonymity that shields the group's members.

According to the published list, Anonymous's top ranks are made up of some eighty individuals scattered mostly across the U.S., Canada and Western Europe, and as far away as Australia and New Zealand. Some of the identities floated in the list have appeared in print before in connection with the group. For example, the record for 'Kayla,' an Anonymous member who claims to be a teenage girl identifies the user of that 'nick,' or IRC ID, as a New Jersey based hacker Corey Barnhill. That name turned up in a recent Forbes.com profile, as well.

Continued : https://threatpost.com/en_us/blogs/splinter-group-says-document-outs-anonymous-members-032211

Malicious app found in Android Market

In reply to: NEWS - March 22, 2011

To infect a mobile device, the Rootcager/DroidDream Trojan used two known exploits: exploid and rageagainstthecage. If the first one failed to root the device, the malware would attempt to use the second one.

According to researchers from Lookout, another malicious application that uses the exploid exploit has turned up masked as a legitimate calling plan management application on unofficial Chinese app markets.

What's more, a version of the app has also been spotted on the Android Market. But, while the first one contains a binary called zHash that attempts to root a device using the aforementioned exploit, the one found on the official market has the same binary but lacks the code required to invoke the exploit.

Continued : http://www.net-security.org/malware_news.php?id=1672

Rogue AV shows up in Easter Card searches

In reply to: NEWS - March 22, 2011

From the Sunbelt Blog:

Looks like they're starting early with these scams, seeing as Easter isn't until April 24th.

Patrick Jordan came across some dubious links while digging around for printable Easter Cards on .pl domains. These redirect links are lurking at the top of search results, and there seem to be quite a few URLs involved. [Screenshot] [Screenshot]

In the above examples, end-users would hit one of the "it's a trap" landing pages, then be redirected to sites pushing the System Defender rogue. [Screenshot]

Cue Patrick:

"1. Site/url changes almost every 24 to 48 hours.
2. Can make only one run as it then rotates to ad site for 24 hours unless you change your IP.
3. Also, for the last two site/urls they are in the #1 position in the Google results."

If you accidentally hit one of these scam sites, don't panic and DON'T open up any executable files presented in the middle of an entirely fake system scan. Just close the prompt, leave the site (shut down your browser with CTRL+ALT+DEL if you have to) and walk away - whistling optional.

"Help us escape Japan" scam mail

In reply to: NEWS - March 22, 2011

From the Sunbelt Blog:

Here's a freshly minted scam mail doing the rounds - this time, claiming to be a victim trying to escape Japan and needing a cool $1,600 to do it.

From: jamainelecottATyahoo.com
Subject: Please Help Life, From Jamaine Lecott

Hello Dear Friend

My Name is Jamaine Lecott

i am in hurry writing you this message and i hope you get it on time, there was very hard quake here in my country northeastern coast in japan. It has been a very sad and bad moment for me and my family here, the present condition that we found myself is very hard for me to explain.i want us to be out of the country immediately i am asking for help of ($1,600 ) only to raise our ticket charge and some other expenses to leave here I will appreciate whatever you can afford to assist me and my family so that we can have food and eat to be out of the country i will be very happy for that , we lost every thing we have Please send the money via Western Union money transfer channel because that is the only way we could be able to get the money fast and leave. which country are you transferring the money from please help us with thanks GOD will help you also and bless you...

ADDRESS.NO A14 Tokyo. northeastern coast japan
My Honest Regard,
Jamaine Lecott

Needless to say, you should not get involved in this.
