Spyware, Viruses, & Security forum

Alert

NEWS - May 10, 2012

by Carol~ Moderator / May 10, 2012 1:28 AM PDT
Apple closes numerous holes in Mac OS X and Safari

With the 10.7.4 Mac OS X Lion update and security update 2012-002 for 10.6, Apple has closed numerous critical vulnerabilities in Mac OS X and its components. The most prominent fix in this update sees the Apple developers have stopping Lion from storing plain text passwords. Due to a mistake in the previous update, Lion stored the passwords of users who mounted their home/user directory from a network volume (NFS, AFP or SMB) in the system log unencrypted and readable by anyone with admin or physical access. [Screenshot]

Those who continued to use the first version of the FileVault encryption after upgrading from Snow Leopard to Lion were also affected. The problem was caused by a forgotten debug option being left enabled in the HomeDirMounter. As the update does not have the ability to delete the accidentally stored data, Apple has provided instructions how to track down log files that could potentially contain plain text passwords. The company has also closed a hole in the kernel that, despite FileVault being activated, caused unencrypted files to be left behind when Lion was in hibernation.

Continued : http://www.h-online.com/security/news/item/Apple-closes-numerous-holes-in-Mac-OS-X-and-Safari-1572174.html

Also:
Important Apple security updates for Snow Leopard and Lion - get 'em today!
Apple patches Safari, blocks outdated Flash Player
OS X Lion update addresses FileVault password bug, smooths networking

See Vulnerabilities / Fixes: Apple Safari Multiple Vulnerabilities
Discussion is locked
You are posting a reply to: NEWS - May 10, 2012
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - May 10, 2012
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
PHP devs lob second patch at super-critical CGI bug
by Carol~ Moderator / May 10, 2012 2:50 AM PDT
In reply to: NEWS - May 10, 2012

The developers of PHP have released updates to thwart fresh attacks against systems that use the scripting language to dynamically generate web pages.

All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13, as appropriate, after a serious security bug in PHP-CGI-based setups was disclosed. Developers attempted to fix this long-standing, but only recently discovered, flaw in a new version on 3 May, before deciding the fix was incomplete and releasing a new set of patches on Tuesday, 8 May.

This is just as well because the PHP-CGI vulnerability has become the target of a series of attacks against sites hosted by DreamHost and others over recent days. Attempts to exploit the bug were witnessed by net honeypots maintained by security researchers at TrustWave SpiderLabs. The assaults were ultimately designed to plant backdoors on vulnerable web servers, as an advisory by TrustWave explains.

The PHP-CGI remote code execution bug was discovered by security researchers, who traced the flaw to changes introduced in the codebase way back in 2004. The Eindbazen crew told PHP developers about the bug, and work was going on behind the scenes to develop a fix. However the wheels fell off this project after discussions surrounding the security hole were accidentally made public, exposing the existence of the flaw to world+dog before a patch was ready.

Continued : http://www.theregister.co.uk/2012/05/09/php_cgi_patch/

Also:
Another Set of PHP Releases Pushed Out to Fix CVE-2012-1823 Flaw
PHP team makes another attempt to close critical CGI hole
PHP 5.4.3 and PHP 5.3.13 Released

Collapse -
Police Trojan Crosses the Atlantic, Now Targets USA & Canada
by Carol~ Moderator / May 10, 2012 2:50 AM PDT
In reply to: NEWS - May 10, 2012

From TrendLabs Malware Blog:

The Police Trojan has been targeting European users for about a year. It should come as no surprise that the latest incarnations of this obnoxious malware have started targeting the United States and Canada.

In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time in adding plenty of logos of local supermarkets and chain stores where the cash vouchers are available. [Screenshot]

Beyond the facade of this criminal attack, we know there is a Russian-speaking gang, which we theorized in our last paper, that had a link to the new Gamarue worm making the rounds in recent months. We can now add another compelling link: the fake police domain worldinternetpolice.net announced by the Trojan, has the same registrar as the confirmed Gamarue worm C&C server photoshopstudy10.in. The first time a researcher sees such a link, it might just be pure coincidence. The second and third times, the link starts to solidify.

Continued : http://blog.trendmicro.com/police-trojan-crosses-the-atlantic-now-targets-usa-and-canada/

Collapse -
FBI issues warning on hotel Internet connections
by Carol~ Moderator / May 10, 2012 2:51 AM PDT
In reply to: NEWS - May 10, 2012

The FBI today warned travelers there has been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections.

The FBI wasn't specific about any particular hotel chain, nor the software involved but stated: "Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms.

The FBI recommends that all government, private industry, and academic personnel who travel abroad take extra caution before updating software products through their hotel Internet connection. Checking the author or digital certificate of any prompted update to see if it corresponds to the software vendor may reveal an attempted attack. The FBI also recommends that travelers perform software updates on laptops immediately before traveling, and that they download software updates directly from the software vendor's website if updates are necessary while abroad."

The FBI said typically travelers attempting to set up a hotel room Internet connection were presented with a pop-up window notifying the user to update a widely used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.

Continued : http://www.networkworld.com/news/2012/050912-fbi-internet-259125.html

Related:
What the FBI didn't tell us about the hotel malware threat
Travelers Cautioned When Using Hotel Internet Connections Abroad

Collapse -
FBI fears Bitcoin's popularity with criminals
by Carol~ Moderator / May 10, 2012 2:51 AM PDT
In reply to: NEWS - May 10, 2012

The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity—including as a tool for hackers to rip off fellow Bitcoin users.

That's according to a new FBI internal report that leaked to the Internet this week, which expresses concern about the difficulty of tracking the identity of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous.

The report, titled "Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity," (PDF) was published April 24 and is marked For Official Use Only (not actually classified), but was leaked to the Internet on Wednesday.

In the document, the FBI notes that because Bitcoin combines cryptography and a peer-to-peer architecture to avoid a central authority, contrary to how digital currencies such as eGold and WebMoney operated, law enforcement agencies have more difficulty identifying suspicious users and obtaining transaction records.

Though the Bureau expresses confidence that authorities can still snag some suspects who use third-party Bitcoin services that require customers to submit valid identification or banking information in order to convert their Bitcoins into real-world currencies, it notes that using offshore services that don't require valid IDs can thwart tracking by law enforcement.

Continued : http://arstechnica.com/uncategorized/2012/05/fbi-fears-bitcoins-popularity-with-criminals/

Also: FBI Concerned About the Use of Bitcoins for Illicit Activities

Collapse -
Pirate Bay to Anonymous: Call Your Mom!
by Carol~ Moderator / May 10, 2012 2:51 AM PDT
In reply to: NEWS - May 10, 2012

From F-Secure Antivirus Research Weblog:

UK Courts recently ordered Internet Service Providers to block access to The Pirate Bay. Yesterday, Virgin Media was attacked by some that claim associations to the Anonymous collective.

Well, The Pirate Bay had something to say about the attack on its Facebook page. [Screenshot]

TPB: We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us.

My take: Love thy enemy.

TPB: So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship.

My take: Two wrongs don't make a right.

TPB: If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol...

My take: Don't be destructive. Better to be "subversive".

Continued : http://www.f-secure.com/weblog/archives/00002361.html

Related:
Virgin Media website 'hit by cyber attack' following Pirate Bay block
The Pirate Bay: We Do Not Encourage DDOS Attacks

Collapse -
"Fix your hard disk" with fake S.M.A.R.T. Repair tool
by Carol~ Moderator / May 10, 2012 2:51 AM PDT
In reply to: NEWS - May 10, 2012

From the Avast Blog:

Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs, which do nothing beneficial - they just pretend to do a scan of your computer, they pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn't install such a program, you don't even know how it got installed on your computer. It's just there, wanting to trick you to buy a license.

Have you ever wondered what happens when you "buy" the activation key? Will the program really do something for you, will it just disappear... or, maybe, it will keep annoying you. Let's look at a program called "S.M.A.R.T. Repair". [Screenshot]

If we execute the "S.M.A.R.T. Repair", it disappears from its original location and copies itself into "Documents and Settings" under a randomly generated name, for example "@t)f9K70Sh&Z^.exe" (see figure 2) - this is the first sign of a suspicious behavior. [Screenshot]

Continued : https://blog.avast.com/2012/05/09/%E2%80%9Cfix-your-hard-disk%E2%80%9D-with-fake-s-m-a-r-t-repair-tool/

Collapse -
DHS Appeals to Users Still Infected with DNSChanger
by Carol~ Moderator / May 10, 2012 3:33 AM PDT
In reply to: NEWS - May 10, 2012

The Department of Homeland Security is the latest agency to appeal to U.S. consumers to check their computers for signs of DNSChanger malware before they are knocked offline in a couple of months.

Rand Beers, undersecretary for the National Protection and Programs Directorate, implored users to test their home and office computers for the trojan, which infected more than 4 million machines in 100 countries before law enforcement officals took down the sophisticated fraud ring. As part of "Operation Ghost Click," authorities took command of implicated DNS servers and redirected compromised computers to surrogate servers. Those servers now must be taken down July 9 by court order. At that time, any machine still tethered to the temporary servers will be forced offline.

"I encourage everyone to keep your operating system, browser, and other critical software optimized by installing updates," Beers wrote in a blog post on the DHS Web site. "And, you can assess your own computer's susceptibility for the DNSChanger malware at the industry-wide DNSChanger Working Group website. In fact, I just tested my computer at home - the process was simple, straight-forward, and only took a few minutes."

As of last month, 84,000 U.S. computers were still tied to the "clean" servers put up for the FBI by the Internet Systems Consortium. The number worldwide is around 350,000. A Kindsight Security Lab malware report (pdf) released today for Q1 ranked DNSChanger as the most prevalent high-level infection with 1 in 400 households still infected.

Continued : http://threatpost.com/en_us/blogs/dhs-appeals-users-still-infected-dnschanger-050912

Collapse -
FTC Charges Myspace With Breaking US Law in Sharing User's..
by Carol~ Moderator / May 10, 2012 3:33 AM PDT
In reply to: NEWS - May 10, 2012
.. Personal Information

Continuing its crackdown on Internet privacy violations, the Federal Trade Commission charged Myspace on Tuesday with violating federal law by breaching its promise not to share users' personal information, including their Web browsing habits, with advertising companies.

The advertisers that tracked the online browsing habits of Myspace users were not charged, reflecting a general lack of laws governing online privacy. On Wednesday, the Senate Commerce committee will question officials from the F.T.C. and the Obama administration about their recent proposals to require companies to obtain consumers' permission to be tracked online.

The F.T.C. asserted that from January 2009 through June 2010, and again from October 2010 through October 2011, Myspace, a social media Web site, transmitted information, including internal identification numbers of users, and their ages and genders, to outside ad networks that served ads to Myspace.

Continued : http://www.nytimes.com/2012/05/09/technology/myspace-agrees-to-privacy-controls.html
Collapse -
Java drive-by generator used in recent attack
by Carol~ Moderator / May 10, 2012 4:46 AM PDT
In reply to: NEWS - May 10, 2012

A malware delivery campaign that doubles its infections efforts to really make sure the users get compromised has been recently spotted by F-Secure researchers.

One of them landed on a website that poses as a "Gmail Attachment Viewer", which tries to make the visitor run the offered application.

The pop-up warning from Windows identifies it as a "Microsoft" app but says that the app's digital signature cannot be verified and that the app's publisher is "Unknown".

If the user does choose to run the app, he is faced with a Cisco Foundation invitation to attend a conference, while the download and the quiet installation of a malicious binary is performed in the background.

Curiously enough, the message contains an embedded link that, if clicked, again tries to download the same malware.

The researcher does not mention how she ended up on the site in question in the first place, and what type of malware is actually pushed onto the user, but points out that the infection is generated using iJava Drive-by Generator: [Screenshot]

Continued: http://www.net-security.org/malware_news.php?id=2101

Collapse -
Twitter hack breaches thousands of accounts
by Carol~ Moderator / May 10, 2012 4:46 AM PDT
In reply to: NEWS - May 10, 2012

A Twitter hacker on Monday revealed thousands of user names and passwords for the microblogging site, but here's the good news: Most of the compromised accounts appear to be spam.

Word of the breach began spreading Tuesday after hacking news and activist hub Airdemon posted a dispatch saying 55,000 accounts had been compromised. It linked to Pastebin pages containing the allegedly compromised user names and passwords.

A Twitter representative said the company is investigating. He also downplayed the extent of the potential breach, which hit a small sliver of Twitter's 140 million active users.

"It's worth noting that, so far, we've discovered that the list of alleged accounts and passwords found on Pastebin consists of more than 20,000 duplicates, many spam accounts that have already been suspended and many login credentials that do not appear to be linked (that is, the password and username are not actually associated with each other)," Twitter spokesman Robert Weeks said.

Continued : http://money.cnn.com/2012/05/08/technology/twitter-hack/

Also:
Twitter Debunks Reports of 55,000 Hacked Accounts
Thousands of Twitter passwords allegedly exposed

Collapse -
Fraudulent Apps and Fake AV Found on Google Play
by Carol~ Moderator / May 10, 2012 5:04 AM PDT
In reply to: NEWS - May 10, 2012

Researchers from the security firm AegisLab discovered more than 15 fake antivirus and free SMS applications on Google's recently rebranded content market place, Google Play.

The applications are redirecting users to a third party site run by the app's developer. AegisLab researchers could not say for certain whether the fraudulent apps were designed with malicious intent, or if the developer is merely trying to drive traffic to his site.

The applications appear to have been uploaded by one developer who operates under the handle Thasimola. According to AegisLab, the developer used AppsGeyser, an Android application webkit, to automatically generate the fake apps.

When AegisLab published its report on Tuesday, the writer noted that the number of fake apps had been increasing. As of now, Thasimola's developer profile is unreachable. Whether or not Google took action on the account is not clear.

You can read the AegisLab report here.

http://threatpost.com/en_us/blogs/fraudulent-apps-and-fake-av-found-google-play-051012

Also: Fake mobile AV apps offered on Google Play

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?