Time to disable WebGL?
(Related to above post, "New graphics engine imperils users of Firefox and Chrome")
From SANS Internet Storm Center:
Last Updated: 2011-05-11 13:53:47 UTC
by Swa Frantzen
WebGL? I had never heard of WebGL before and I'm sure quite a few among our readers are in the same boat. Yet it is implemented in Firefox 4, Chrome and Safari browsers and apparently even turned on by default in Firefox 4 and Chrome. Yet, there's something wrong with its security.
So what is WebGL?
It's a way to let components on webpages display 3D models using the full power of the graphics card in the computer. Effectively this exposes some portions of the graphics card's software via the browser to the Internet.
US-CERT recommends turning off WebGL in the browsers that do support it (Firefox 4, Chrome, Safari (not enabled by default)).
I've looked on my Mac for how to enable/disable WebGL in Firefox 4, Chrome and Safari, but have so far been unable to find even a mention of WebGL in any of them [see below].
References and far more detail:
Thanks go to James for the heads-up.
Update: how to disable WebGL in Firefox 4.0.1:
Type about:config in the address bar and toggle the webgl.disabled variable to true.
I can confirm this stops WebGL from working on demo sites that explain how to use WebGL, such as http://www.webkit.org/blog-files/webgl/SpiritBox.html. That page shows a spinning box if you have WebGL, and a rectangle if you don't.
Update: how to disable WebGL in Chrome:
It needs the --disable-webgl argument on the command line.
Update: we will from now on need to keep a much more careful eye on the security issues of graphic card drivers, and get these updated if and when they fix security issues.
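The two checks the post describes (the webgl.disabled preference in Firefox and the --disable-webgl switch for Chrome) can be verified from outside the browser, which is handy when you manage several machines. The following is an added example, not code from the ISC diary; it assumes the standard Firefox prefs.js/user.js format of user_pref("name", value); lines and uses a constructed sample profile rather than a real one.

```python
import re

# Constructed sample of a Firefox prefs.js (not a real profile file); WebGL
# is left at the Firefox 4 default, i.e. enabled.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("webgl.disabled", false);
"""

# One user_pref line: name, then a boolean, integer or quoted-string value.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict; values become bool, int or str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and blank lines are skipped
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def webgl_disabled(prefs):
    """WebGL is off only when webgl.disabled is explicitly true; absent means default (on)."""
    return prefs.get("webgl.disabled") is True


def disable_webgl(text):
    """Return the prefs text with webgl.disabled forced to true.

    Any existing webgl.disabled line is dropped so the file holds a single,
    unambiguous setting; everything else is kept verbatim.
    """
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == "webgl.disabled":
            continue
        kept.append(line)
    kept.append('user_pref("webgl.disabled", true);')
    return "\n".join(kept) + "\n"


def chrome_webgl_disabled(argv):
    """For Chrome, WebGL is disabled when --disable-webgl is on the command line."""
    return "--disable-webgl" in argv


if __name__ == "__main__":
    before = parse_prefs(SAMPLE_PREFS)
    print("WebGL disabled in sample profile:", webgl_disabled(before))
    hardened = disable_webgl(SAMPLE_PREFS)
    print("WebGL disabled after hardening:", webgl_disabled(parse_prefs(hardened)))
    print("Chrome launched with flag:", chrome_webgl_disabled(["chrome", "--disable-webgl"]))
```

In practice you would run parse_prefs over the prefs.js of each profile directory and write the output of disable_webgl to user.js, which Firefox reads on startup and applies over prefs.js; for Chrome, inspect the launcher or shortcut that starts the browser for the flag.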
Thanks, Carol!! This IS Important Info that I'm going to Flag as an Announcement for my readers.
I allowed the auto scan, then update to FF 4.x for the Vista as well as the XP SP2 machines and thought them a bit strange/didn't particularly like the interface afterwards, so reverted them BOTH back to FF 3.6.16 (the latest of the 3 series) during the 3 days I had access to them.
Glad I did. Since they're not here now, I can't confirm series 3 doesn't have WebGL but I don't believe it does.
Thanks again!! Sandy
Windows Malware Morphs into Financial Fraud Platform
We recently identified a little known Windows malware platform that has been in circulation for some time, but was never previously recognized for its financial fraud capabilities. We named it Sunspot.
It is currently targeting North American financial institutions and has already achieved SpyEye and Zeus-like infection rates in some regions. There are confirmed fraud losses associated with Sunspot, so the threat is real. Sunspot is another example of the growing list of financial malware that is flooding the Internet. In addition to Sunspot, Trusteer alone also has discovered several malware platforms over the past 18 months including Silon, OddJob and several others.
Sunspot targets 32-bit and 64-bit Windows platforms from Windows XP through Windows 7, and is capable of installing in non-administrator and administrator accounts. Once installed, it targets Internet Explorer and Firefox browsers. This is a very modern malware platform with sophisticated fraud capabilities. Equally concerning, the detection rate for Sunspot by leading anti-virus programs is painfully low. According to a Virus Total analysis, only nine of 42 anti-virus programs tested, or 21%, currently detect Sunspot.
It can carry out man-in-the-browser attacks including web injections, page grabbing, key-logging and screen shooting (which captures screenshots of the mouse vicinity as a user types his/her password on a virtual keyboard). We were able to decrypt and analyze its configuration, which includes instructions to execute the following fraud-focused actions:
Continued: http://www.trusteer.com/blog/windows-malware-morphs-financial-fraud-platform
Emergency alerts from President Obama on your mobile phone?
Mobile phone users could soon find themselves receiving emergency text messages warning them of terrorist attacks and natural disasters, under plans announced in the United States yesterday.
The Federal Emergency Management Agency (FEMA) and Federal Communications Commission (FCC) have announced the "Personal Localized Alerting Network" (PLAN), which will see new handheld devices fitted with special chips to receive the alerts, which will be sent by state and local authorities. The system is designed to supersede all other phone traffic, in an attempt to avoid delays.
According to the FCC, users will be able to opt out of all alerts apart from those sent by the US president.
(What makes messages from the US president so special, I wonder?)
In many ways this can be viewed as a logical progression from the other methods that authorities have used to communicate with their citizens in times of emergency - such as alerts via television and radio broadcasts. The wide adoption of cellphones makes it a natural way to pass on an important official message whether it be about a flood, a fire or a missing child.
But an obvious concern about the PLAN system is this: if it's an easy way to communicate a message to many people in a particular city or area, could it be abused by cybercriminals?
Continued: http://nakedsecurity.sophos.com/2011/05/11/emergency-alerts-obama-on-your-mobile-phone/
Security distribution BackTrack 5 released
The BackTrack development team has announced the availability of BackTrack 5, its security-focused Linux distribution, while shrugging off a denial-of-service (DoS) attack on its web server the day before. According to the developers, the latest release "has been built from scratch, and boasts several major improvements over all our previous releases".
BackTrack offers more than 300 penetration testing tools to enable users and administrators to test the security of items ranging from web applications to RFID systems. The tools include LAN and WLAN sniffers, password crackers, vulnerability scanners and the Metasploit exploit framework.
BackTrack 5 (BT5), code-named "Revolution", is based on the latest Long Term Support (LTS) release of Ubuntu, version 10.04 "Lucid Lynx", and uses the 2.6.38 Linux kernel, which has been patched with "all relevant wireless injection patches".
Continued: http://www.h-online.com/security/news/item/Security-distribution-BackTrack-5-released-1241332.html
Also: BackTrack 5 released
The dirty dozen spam-relaying countries revealed
There's a zombie invasion going on - and it could have infiltrated your business, your home office, or even the corner of your bedroom.
Of course, it's not the kind of zombies beloved by the movie theatres but instead the problem of compromised computers being controlled by a remote hacker.
Many members of the public still haven't understood that spammers don't use their own PCs to send spam - instead they create botnets of commandeered computers around the globe (also known as "zombies"), which can be used to relay spam, send out malicious links and even launch distributed denial-of-service attacks.
If they did understand the problem, maybe they would put more effort into protecting their computers. [Screenshot: Spam Dashboard]
Sophos has today published a new report, revealing the top twelve spam-relaying countries around the world. We call the list the "dirty dozen", and because virtually all spam is sent from compromised PCs, it's a pretty good indication of where the botnets have got the tightest hold.
Continued: http://nakedsecurity.sophos.com/2011/05/11/dirty-dozen-spam-relaying-countries/
Microsoft Exploitability Index Makes Debut May Patch Tuesday
"Overhauled Microsoft Exploitability Index Makes Its Debut with May 2011 Patch Tuesday"
Not all Microsoft technologies should be treated equally when it comes down to assessing the exploitability risk of vulnerabilities affecting them.
This is precisely what the Redmond company focused on when introducing an overhaul to the Exploitability Index, namely a division between older products and the latest technologies available.
Announced earlier this month, the revamping is designed to illustrate the security evolution of Microsoft's newest releases compared to their predecessors.
The software giant makes a point out of bulletproofing new products with additional security mitigations, and the evolved Exploitability Index will reflect just that.
"Microsoft is expanding its Exploitability Index to help customers on newer platforms better assess risk," a Microsoft spokesperson told Softpedia.
"The company will continue to offer an aggregate exploitability rating for each vulnerability across all previous product versions, but will also specifically break out Exploitability Index information for Microsoft's latest products.
"This new system demonstrates the value of the security protections and mitigations available by default for new products. Check out the MSRC blog post for more details on this change, which helps customers more easily prioritize security updates."
Continued: http://news.softpedia.com/news/Overhauled-Microsoft-Exploitability-Index-Makes-Its-Debut-with-May-2011-Patch-Tuesday-199716.shtml
Related : Updated Exploit Index for Microsoft
MSRC Blog Post: Exploitability Index Improvements
Ghosts remain: Osama Bin Laden may be haunting your PC
G Data Security Blog:
We have reported numerous times about the dangers that lurk around as soon as any kind of special holiday is near or a hot topic floods the news. And, as expected, there has recently been a variety of malware connected to Osama Bin Laden. Let's have a look at two examples:
The whole world wanted to see a proof of his death, and the spammers are willingly providing it: [Screenshot]
The file linked to is a downloader; in this particular case it downloaded several files (one DLL file and two exe files), executed the exe files to install an IE "Add-On" and sent back a message to the server, including the computer's name, to report the infection.
The files are detected as follows:
IE "Add-On": Gen:Variant.Kazy.20476
The installed browser plug-in, a BHO, has full access to the data a user enters and can therefore harvest and steal information; in this case, especially online banking details.
The MS Word document spreading malware:
This text document was designed to execute remote code in Microsoft Word and Microsoft Outlook by using a vulnerability (described in CVE-2010-3333) to drop and execute an embedded malicious exe-file.
Internet censorship bill empowers US government, copyright..
"New Internet censorship bill empowers US government, copyright holders"
A new bill that is yet to be introduced to the US Congress would, if passed, give both the Justice Department and private copyright holders the ability to cripple websites they can prove are "dedicated to infringing activities."
A new bill, soon to be introduced to the US Congress, seeks to give both the Department of Justice and private copyright holders broad powers to censor websites, reports Tech Dirt, who received a leaked summary of the bill. Dubbed the "Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act" or the PROTECT IP Act, the bill is a reiteration of an earlier bill, known as COICA, which failed in the Senate late last year.
Like its predecessor, the PROTECT IP Act provides the legal mechanisms for the US government - and now, private citizens - to shut down websites, and/or cut off their ability to process payments or display advertising. The bill specifically defines sites that may be subject to the law as those "dedicated to infringing activities." Citizens' rights advocates argue that, while the definition is narrower than the language in COICA, it still leaves countless sites that aren't breaking any laws subject to the devastating consequences enabled in the bill.
One of the most troublesome aspects to critics is that the PROTECT IP Act allows private citizens to obtain the necessary paperwork to stop advertisers from displaying ads on a particular site, as well as cut off the site's ability to process credit cards, PayPal, or any other type of payment. This stipulation in the bill, argue critics, appears ripe for abuse, and a splitting headache for everyone involved.
Continued: http://www.digitaltrends.com/computing/new-internet-censorship-bill-empowers-us-government-copyright-holders/
Free Subway gift card spam spreading on Facebook
We've received a number of questions from Facebook fans of Sophos regarding messages that have spread across the social network claiming to offer a $100 gift card for the Subway sandwich chain.
Here's a typical message: [Screenshot]
Free Subway Gift Cards - Limited Time
Get Your Free Subway Gift Card Now! Click for Details
So, what's going on here? Well, the first thing to realise is that it's not something endorsed by Subway.
Although the link you click through to has no qualms about using Subway's logo, and images of meals you can purchase at Subway, it's actually from an independent third party company. [Screenshot: Subway Gift Card Webpage]
Many people will probably be so keen to receive $100 worth of Subway meals that they won't read the small print at the bottom of the page:
Continued: http://nakedsecurity.sophos.com/2011/05/11/free-subway-gift-card-spam-spreading-on-facebook/
Mentally ill file-sharer had 'low self-esteem'
Freetards, beware. A file-sharer convicted of copyright infringement has had her mitigating pleas of mental illness rejected by a Scottish Court.
54-year-old nurse Anne Muir pleaded guilty to sharing £54,000 worth of songs over P2P after an investigation by the BPI and IFPI. But her defence lawyer argued that - in mitigation - she was suffering depression and had low self esteem, as well as having some obsessive-compulsive traits. She admitted to downloading 30,000 songs - in order to build up her self-esteem. She was found with over 24,000 karaoke songs on her PC, and almost 8,000 tracks.
"Learning this new technology and picking up new skills gave her self-esteem a boost. But to be allowed into the network she had to have a certain number of files already," her lawyer argued.
The Pirate Party of Scotland supported this.
"It is disgraceful that Mrs Muir should have been so pursued in such an aggressive and potentially damaging way, rather than given the support she needs in this difficult time," said the Pirate Party's Laura-Anne Riach.
Quite right: social services should step in. Muir should have been given free songs to cheer her up, forgoing the 79p per song demanded by the tyrannical copyright industries and their heartless, jackbooted henchmen.
Continued: http://www.theregister.co.uk/2011/05/11/freetard_karaoke_nurse_had_low_self_esteem/
The English website of the major Russian newspaper Pravda ("The Truth") has been hacked. [Screenshot]
There are no visible changes to the site. Instead, the page silently loads exploit scripts that try to infect the user via vulnerabilities in Java. If successful, the visitor's computer gets hit by a bot that allows outsiders to access and use the computer.
An attack like this is particularly devious. An end user might go to the same news website every morning for years, learning to trust it. Then one day it has become dangerous and will take over your computer, just by opening your favourite page.
Five years ago, if somebody managed to break into a major site like this, they would typically delete all content and post stupid pictures on the front page. Nowadays they make an invisible modification to the site, trying to stay undetected as long as possible, hoping to gain access to thousands of visitors' computers.
We expect the site to get cleaned shortly. [Screenshot]
Continued: http://www.f-secure.com/weblog/archives/00002156.html
Also: Russian News Website Pravda Infects Visitors
AV software: perception versus reality
The StopBadware Blog:
AV-Comparatives is a non-profit independent lab in Austria that attempts to accurately evaluate anti-virus software. This is harder than it sounds. In fact, an entire organization called the Anti-Malware Testing Standards Organization (AMTSO) sprang up a couple of years ago to provide guidance on accurately testing security software. (Note: I serve on the advisory board of AMTSO.)
AV-Comparatives recently conducted an interesting survey of visitors to their site. They attempted to filter out spam responses and those from people within the AV community, which I guess means they mostly captured consumers and tech geeks that care enough about the subject to look up reviews of AV products.
To me, the most interesting bit of the survey was the question "Which type of tests are you most interested in?" Respondents were asked to choose up to four types of tests from a field of twelve. Let's look at a subset of the results:
Detection Rate (On-Demand) Test
By far the highest vote getter, 84% of respondents chose this as the type of test they're most interested in. Note that this is a test that searches for and finds malware that is already on your computer when you choose to run a scan. It doesn't evaluate the ability of the software to protect your device from being infected in the first place.
Oddly, 77% of respondents felt that AV vendors should try harder to improve AV software's performance impact on computers, yet only 51% wanted to see more testing of AV software's performance impact. Don't they say that what gets measured gets done?
Continued: http://blog.stopbadware.org/2011/05/06/av-software-perception-versus-reality
Microsoft stops ID-ing phones in jab at Google
Microsoft will stop identifying specific mobile devices that use its location-tracking services, a change that differentiates its Windows Phone 7 from Google's competing Android operating system.
Under a new policy, outlined in a letter (PDF) sent to members of Congress on Monday, Microsoft has already stopped storing and using unique identifiers collected from devices that use Windows location services to pinpoint nearby coffee shops or get driving directions. What's more, devices running a forthcoming Windows update will no longer send the identifiers to the company's location service at all.
"We believe that, when designed, deployed and managed responsibly, the location-based feature of a mobile operating system should function as a tool for the user and the applications he or she elects to use, and not as a means to generate a database of sensitive information that can enable a party to surreptitiously 'track' a user," Andy Lees, president of Microsoft's mobile communications business, wrote. "Without a unique identifier, or some other significant change to our operating system or practices, we cannot track an individual device."
Lees made many of the same points in a recent blog post.
The change comes as Congress and privacy advocates scrutinize similar location services offered by phones running Google and Apple OSes. As previously reported, when Android phones have location services enabled, they collect the MAC address, signal strength and GPS coordinates of every wireless network they see and zap it to Google servers, along with the unique ID of the handset.
Continued: http://www.theregister.co.uk/2011/05/11/windows_phone_unique_id/