NEWS - May 18, 2011

Apple's Mac App Store Puts Users At Risk

Users of Apple Inc.'s Mac App Store - a feature added to Mac OS X v10.6 Snow Leopard and built into the upcoming v10.7 Lion operating system - may be putting their computer's security at risk.

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue. Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11. Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

I have notified Apple and Opera about this issue. An Opera representative acknowledged that "We are waiting for the App store to approve the next version of Opera for Mac. For now the only solution is to go to".

Opera is not the only software in the Mac App Store that's outdated. For example, the current version of Amazon's Kindle app is 1.5.1, while the version in the App Store is still 1.2.3, which was released in January. Amazon does not publicly disclose its changelog, so there is no easy way to know whether any security issues exist in Kindle for Mac version 1.2.3.

Continued :

Also: Mac App Store exposes users to security risks, claims researcher

See Vulnerabilities & Fixes: Opera Frameset Handling Memory Corruption Vulnerability
Police arrest journalist after publishing security story

"Police admit to arresting journalist after publishing security story"

A reporter for the Sydney Morning Herald was arrested for covering a talk during an IT security conference on Tuesday. The arrest was confirmed by the journalist himself, Ben Grubb, and the Queensland Police. Based on available information, the arrest was likely used to obtain any information used by Grubb for his story, which was stored on his confiscated iPad.

The story Grubb published was based on a talk given during BSides Australia, which took place alongside the AusCERT conference. During the talk, security expert Christian Heinrich demonstrated how he was able to guess the URL needed in order to obtain private photos posted on Facebook.

As proof, he obtained images of the wife of an alleged rival, HackLabs director Chris Gatford. In addition, he leveraged Flickr's API to obtain images of Gatford and one of his children. Out of respect, the child's image was obscured.

According to Grubb's report, "The presentation has caused many in the security industry to question whether the example demonstrated was 'unethical', especially as it's well-known among the security community that Heinrich and Gatford do not enjoy each other's company."

The talk's aim was to prove that no matter how strict the security settings are, content posted to social networks is never truly secure.

"That was because Facebook and many other social networking websites used what is known as a content delivery network (CDN), which usually operates outside a social network's own servers to deliver content quickly," Grubb reported.

Continued :

Journo was arrested, says Qld cop
Journalist arrested for article on Facebook privacy flaw

Qakbot family of malware blamed for data breach

In Massachusetts, a malware infection that spread to as many as 1,500 systems within the Office of Labor and Workforce Development (OLWD) is to blame for a data breach assumed to have exposed 1,200 employer records, an agency statement says.

The Departments of Unemployment Assistance and Career Services were infected sometime in April. On Monday, the OLWD discovered that the initial cleanup efforts had failed to remove the Qakbot malware. Because of this, it is possible that the malware harvested confidential information.

Qakbot has been around for some time. First discovered in 2009, the malware spreads via several vectors, including network shares. At one time it leveraged vulnerabilities in Apple's QuickTime and Internet Explorer to target victims.

Qakbot is able to gather various kinds of data on an infected system including OS and network information, keystrokes, stored FTP and email login details, targeted banking data, as well as usernames and passwords stored within a browser.

"While W32.Qakbot has multiple capabilities, its ultimate goal is clearly theft of information. Identification theft is big business in the underground world of cybercrime and the more data a threat can steal, the bigger the profit that can be made," Symantec's profile on the malware explains. [Source]

Continued :

Also: Qakbot Virus Causes Possible Data Breach at Mass. Agencies

Sony CEO Warns of 'Bad New World'

After spending weeks to resolve a massive Internet security breach, Sony Corp. Chief Executive Howard Stringer said he can't guarantee the security of the company's videogame network or any other Web system in the "bad new world" of cybercrime.

Mr. Stringer's comments in a phone interview Tuesday, ahead of a New York roundtable discussion with reporters, come on the heels of a trying month for Sony. The company partially restored two of its online game systems and a streaming movie and music service over the weekend after shutting the services for several weeks when a breach compromised the personal information of more than 100 million account holders.

While Sony has restored part of the PlayStation Network - an online game system for its PlayStation 3 videogame console - in the U.S. and Europe and bolstered security measures, Mr. Stringer, 69 years old, said maintaining the service's security is a "never-ending process" and he doesn't know if anyone is "100% secure."

He said the security breach at his company's PSN, at Sony Online Entertainment, an online game service for personal-computer users, and at its Qriocity streaming video and music network could lead the way to bigger problems well beyond Sony, or the gaming industry. He warned hackers may one day target the global financial system, the power grid or air-traffic control systems.

Continued :

PlayStation Related: PlayStation Network Log-Ins Down After Reported Password Exploit

Sony: PlayStation Log-In Downtime Not Another Hack

Sony on Wednesday denied that it disabled log-ins for the PlayStation Network today due to another hacking incident.

"Contrary to some reports, there was no hack involved. In the process of resetting of passwords there was a URL exploit that we have subsequently fixed," Patrick Seybold, Sony's senior director of corporate communications and social media, wrote in a blog post.

Online log-ins are still down for, PlayStation forums, PlayStation Blog,, Music Unlimited via the web client, and all PlayStation game title Web sites. Users still have access via the PlayStation 3 and PSP devices.

"Consumers who haven't reset their passwords for PSN are still encouraged to do so directly on their PS3. Otherwise, they can continue to do so via the Web site as soon as we bring that site back up," Seybold wrote.

Seybold did not provide a timeline for when that might occur or elaborate on the URL exploit that prompted the downtime. But according to Eurogamer and, there was a glitch with Sony's PlayStation Network password system that allowed a hacker to change your password armed only with your PSN account email address and date of birth.

"We for rather obvious reasons do not want to elaborate further on the exact details of the exploit, on the off chance that when the web based interface for PSN is restored the exploit has not been patched," according to, which alerted Sony to the exploit.

Continued :,2817,2385579,00.asp

SpyEye Trojan attacks Verizon's online payment page

Trusteer discovered a configuration of the SpyEye Trojan targeting Verizon's online payment page and attempting to steal payment card information. The attack took place between May 7th and 13th.

Amit Klein, Trusteer's CTO explained that, "SpyEye uses a technique called "HTML injection" to modify the pages presented in the victim's browser, in this particular case the injected HTML is used to capture the following credit card related data."

"The attack is invisible to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica webpage that requests this information. Since the user has logged on and has navigated to the familiar billing page they have no reason to suspect this request for payment information is suspicious," Klein added.

The information stolen includes:

• First name, last name
• Street address, City, state, zip
• Phone number, phone type
• Email address
• Country of citizenship
• Social Security Number
• Date of Birth
• Mother's Maiden Name
• Card number, expiration date and CVV.

While this attack is not technically new, it continues a financial malware trend we have been tracking in recent weeks: a shift away from stealing usernames and passwords to stealing payment and credit card data.

Continued :

Facebook Videos Now Leading to Fake YouTube CAPTCHAs

Facebook survey scams continue to mutate, and the latest development is pretty sneaky. Scammers have designed an offsite page that displays a very convincing YouTube CAPTCHA screen which is completely fake. Similar to fake video pages that we've written about before, this fake CAPTCHA test page uses the Facebook OpenGraph API to spread to your friends' walls and then serve up several survey links.

It starts with something unremarkable, a video link on a friend's wall: [Screenshot]

The "Dad walks in on daughter" is very familiar to those of us who monitor Facebook scams on a daily basis. In previous incarnations it would lead to a fake video preview page. Instead, today it leads to this: [Screenshot: Fake CAPTCHA Page]

which looks enough like a real CAPTCHA to fool many people. Pressing the 'submit' button executes code that posts the malicious video link to all of your friends' walls. Once done, the user is sent to some scammy surveys:

Continued :

Online criminals trading in Twitter

F-Secure Weblog:

Surely nobody would sell stolen credit cards on Twitter?

Except they do.

For example, check out Mr. SshoaibAhmed: [Screenshot]

Let's follow the link... [Screenshot]

Indeed, he seems to sell credit card info, most likely collected with keyloggers from infected home computers.

The prices of stolen credit cards range from $2 to $20, depending on the country where they were stolen from: [Screenshot]

"vis" stands for VISA, "mas" for MasterCard, "dis" for Discover, and "amex" for American Express cards.

Alternatively, if you'd rather not use stolen credit cards yourself, you can have him buy you iPhones, iPads and laptops with stolen credit cards and ship them to you. In practice, the thief will log into an online store, then purchase an iPad as a gift purchase, giving your address as the delivery address and paying for the good with a stolen credit card. An iPad bought like this goes for $150.

Continued :

I just saw my money flying away... far away...

From BitDefender's Malware City Blog:

Online shopping is becoming more and more commonplace. With today's hectic daily schedules, people need to find ways to save time. How about some shopping and paying online? Gladly. In this study I tried to find out more about people's habits as far as online shopping and payment methods are concerned, as well as to determine the extent of their awareness that credit card credentials are cybercriminals' preferred target.

The study comprises 2 parts: a survey conducted on 2,210 users and a challenge: would I be able to find credit card credentials on the internet or, at least buy them from "generous" persons?

Part 1: Hello, do you accept the cybercriminal's transaction?

Aiming to find out more about people's habits when it comes to buying online, a survey was carried out using a sample of 2,210 individuals (age range: 18-65 years). Don't take this study as representative of the entire online buyer community, but rather as a snapshot of people's approach to online shopping.

The first question of the survey aimed to determine whether the interviewed people buy things online and whether they use online payment methods for their purchases. 97% of respondents answered affirmatively, and only 3% declared that they had never used online shopping methods. The study also revealed some of the respondents' purchasing preferences: electronics (including games) - 78%, clothes and cosmetics - 43% (especially women) and various gifts (including flowers) - 32%. When it comes to paying for these things, 98% of respondents use several online methods. Moreover, in order to save time, they use the same methods to pay various bills (utilities, taxes, reservations, etc.).

Continued :

Some sites struggle to stay up due to Heroku attack

A potential DDoS attack on Heroku, the Ruby platform-as-a-service provider now owned by, is creating availability issues for its customers.

The problems started on Monday when Heroku reported that a small number of users, primarily those that point a root domain to Heroku via static Internet Protocol addresses, were getting connection errors.

Via its status page, Heroku later told customers that it was working closely with its network service provider to mitigate availability issues coming from what it believed was a distributed denial-of-service attack. "The current attack protection procedures have reduced the effects of this attack to intermittent issues," according to the status page.

Heroku did not reply to a request for further information.

Affected customers took to Twitter with their complaints. "The current @heroku issue has screwed me in a pretty emphatic way. Deeply unhappy about it," one user, John Barnette, wrote on Twitter.

Continued :

It's the human threat, stupid

Anyone who has worked to defend enterprise secrets from theft knows that the answer to success certainly doesn't come from technology alone.

Few know this better than Eric O'Neill. O'Neill is the former FBI operative who worked as an investigative specialist and played a crucial role in the arrest and conviction of FBI agent Robert Hanssen for spying against the U.S. for the former Soviet Union and Russia. The 2007 movie "Breach" was based on O'Neill's experience investigating Hanssen.

"The human element is usually the weakest link," O'Neill said yesterday at the 2011 Computer Enterprise and Investigations Conference (CEIC).

That's not to say IT security isn't important. It is. In fact, the forensic analysis of a Palm Pilot played a crucial role in the apprehension of Hanssen, as it detailed the location and time of his next drop to the Russians. And the explosion of electronic devices has become crucial to fighting both nation-state spying and corporate espionage. "Spies previously had to first photocopy or photograph the material they wanted, then make arrangements for drops and payments," O'Neill said. "Today they just capture it on their phone and email it to anywhere in the world."

It's also probably no surprise that an attacker today is likely to start their attack with their web browser. "When you think of hackers, the hackers will spend some time social engineering their targets rather than spend hours of hacking," he said. "If I were to try to steal from you, I would examine your personnel, and today I'd start on Twitter, Facebook, and look at as many people involved with you that I can find," O'Neill said. "I would look for people who talked about how they hated their boss. I'd find out where they like to hang out and I'd go see what they had to say," he said.

Continued :

Point-of-Sale Skimmers: Robbed at the Register

Michaels Stores said this month that it had replaced more than 7,200 credit card terminals from store registers nationwide, after discovering that thieves had somehow modified or replaced the machines to include point of sale (POS) technology capable of siphoning customer payment card data and PINs. The specific device used by the criminal intruders has not been made public. But many devices and services are sold on the criminal underground to facilitate the surprisingly common fraud.

POS skimmers typically are marketed and sold in one of three ways: Pre-compromised POS terminals that can be installed at the cash register; Fake POS devices that do not process transactions but are designed to record data from swiped cards and PIN entries; or Do-it-yourself kits that include all parts, wiring and instructions needed to modify an existing POS terminal.

I spoke at length to a POS skimmer seller who has been peddling POS modification devices on an exclusive underground fraud forum for more than a year. From the feedback left on his profile it is clear he had many satisfied customers. Buyers specify the make and model of the POS equipment they want to compromise (this guy specializes in hacking VeriFone devices, but he also advertises kits for devices manufactured by POS makers Ingenico, Xyrun, TechTrex).

Continued :

Google Quick to Patch New Security Flaw

Google is moving quickly to fix the security hole, reported by German researchers at Ulm University on Tuesday, that affects most Android phones.

The security flaw makes Android devices using version 2.3.3 or below vulnerable to Wi-Fi snooping of authToken identifications used by Google services and sites like Facebook and Twitter. In a statement by a Google spokesperson, the company said it is "starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts."

The fix is a server-side update that will force authTokens in the calendar and contacts applications to be sent over Hypertext Transfer Protocol Secure (HTTPS). Google is still looking into how to patch the vulnerability within the Picasa photo sharing application.

When the DroidDream malicious applications became a widespread problem in the Android Market, Google went straight into phones remotely to disable the harmful applications and the bootloader they had installed. This recent security vulnerability is not a malicious application but rather a problem with authentication in what are supposed to be safe (and frequently used) applications. The fix to transfer the information over a secure (HTTPS) connection will be able to patch that vulnerability.

"This is not a bandaid," said a Google spokesperson. "This is a fix and will not require an OTA update or any action from device owners."

Continued :

Related: Android Security Hole a Problem for 99% of Users, Researchers Say

AppleCare support rep talks: Mac malware is "getting worse"

Ed Bott @ ZDNet:

Over the weekend, I got an e-mail from an AppleCare support rep, who was responding to my recent reports of Mac malware being found in the wild. At least one prominent voice in the Mac community dismisses these reports as "crying wolf." The view from inside an Apple call center says it's for real:

I can tell you for a fact, many, many people are falling for this attack. Our call volume here at AppleCare is 4-5x higher than normal and [the overwhelming majority] of our calls are about this Mac Defender and its aliases. Many frustrated Mac users think their Mac is impervious to viruses and think this is a real warning from Apple. I really wish I could say not many people will fall for this, but in this last week, we have had nothing but Mac Defender and similar calls.

I contacted this person and arranged an interview. I've edited our conversation to remove any details that might identify this individual or the call center location, but otherwise this is a verbatim transcript.

EB: Until this latest round of fake AV software started, what was a typical week like for you?

AC: There's usually about 600 or so of us spread around 14 centers for CPU support. Before this started happening, we had 7-12 minutes between calls generally. Now we're lucky to have any time between calls.

We started getting a trickle of calls a couple weeks ago. However, this last week over 50% of our calls have been about it. In two days last week I personally took 60 calls that referred to Mac Defender.

EB: Do you have a support database that you share for cases like this?

AC: What do you mean? As in articles for new issues we're running into?

EB: Yes, there must have been a point where you noticed that a lot of people were dealing with this Mac Defender thing and that it wasn't just your calls.

Continued :

Facebook profile: No, it doesn't work!

Kaspersky Labs Weblog:

We are currently investigating a new malicious campaign on Facebook mostly targeting French-speaking users. When visiting infected users' profiles, you see the following: [Screenshot]

Translation: Wow, it really works! Find out who is viewing your profile!

The various links that are used rotate quite fast and lead unwitting victims to a website that explains what they need to do. Here's what it looks like: [Screenshot]

Basically, there are 2 steps.

• The first one is to copy a JavaScript code using CTRL+C
• The second is to visit, paste the JavaScript in your address bar and press "Enter".

In order to ensure the victims do this, there is an animated file (GIF) describing each step in detail; the cybercriminals obviously want to target users with limited computer knowledge as well. They warn users that it can take up to one minute to process.

Once that is done, the victims will spread the campaign on their own walls. Interestingly, on the various sites that tell the victims how to infect themselves, the bad guys have added a statistic service. This page offers quite a lot of interesting information.

For example, here is a graph of the number of visits in the past 24 hours:

Continued :

Obama warns: "Hack us, and we'll bomb you"

Barack Obama has revealed his ultimate strategy for dealing with hackers who carry out cyber-attacks against the US government: he'll bomb them.

Writing in a personal foreword to the document International Strategy for Cyberspace (PDF), released by the White House yesterday, the President outlined the measures his country would take to "preserve the character of cyberspace and reduce the threats we face". And the bad news for would-be cyber-terrorists is that hacking into US systems could be enough to trigger a military response.

"States have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace," the policy document states.

"Certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners," it goes on. "When warranted, the United States will respond to hostile acts in cyberspace as we would any other threat to our country."

The document continues with a stark warning: "The United States will ensure that the risks associated with attacking or exploiting our networks vastly outweigh the potential benefits."

The policy statement goes on to suggest that the US even reserves the right to exact retribution against threats based in 'friendly' countries, as it did recently in the case of Al-Qaeda head Osama Bin Laden, shot dead within a few hundred metres of a major military academy in US ally Pakistan.

Continued :

Winwebsec gang responsible for FakeMacdef?

Microsoft Malware Protection Center:

We've noticed a few odd rogue security software applications recently - although this type of threat is nothing new, these samples are interesting because they target the Mac OS X operating system.

There have been several variants of a threat, which we detect as Rogue:MacOS_X/FakeMacdef, going around this month. As you would expect with any rogue antimalware product, it tries to trick users into thinking that they are infected with something which only it is able to remove... for a price.

The product, which calls itself MacDefender, is being distributed in much the same format as its Windows-based cousins: through an imitation scanner interface which runs within the browser, similar to that described in this blog post. It typically depicts a Windows XP system running through an anti-malware scan; however, there have been reports of one that impersonates the Mac OS X Finder.

Malware is delivered to the user irrespective of whether they click through the UI or click on the fake Cancel button. This distribution component reads the client's User-Agent in order to discern the operating system, and then serves up a malicious application designed for that operating system (that is, if you're running on Windows, the site will serve up Win32/Winwebsec, but if you're on a Mac you'll get MacOS_X/FakeMacdef).

Some Mac users have reported that the malware is automatically downloaded and launched when they land on the imitation scanner pages. This may be related to Safari's "Open 'safe' files after downloading" setting, which we recommend you disable (click on the link for more information).

Continued :
