Apple catches up with Java security updates
Apple has released Java updates for versions 10.5 and 10.6 of Mac OS X, patching a number of security holes and bringing its two latest versions of OS X up to date. The updates include Java 6 Update 20 from mid-April, which patched a remotely exploitable security vulnerability that affected Java when running in a 32-bit web browser.
The Java for Mac OS X updates also include other previously missing Java 6 updates, including Java 6 Update 18, which included more than 350 bug fixes and added support for Windows 7, as well as Ubuntu 8.04 LTS Desktop Edition, SUSE Linux Enterprise Server 11 and Red Hat Enterprise Linux 5.3. Java 6 Update 19 from the end of March addressed a total of 26 vulnerabilities, some of which were rated as critical. Previously, the latest versions of Mac OS X were only updated to Java 6 Update 17, released in early December.
More details about the updates, including a full list of closed vulnerabilities, can be found in Apple's security advisories. The updates are available via Apple's built-in Software Update service. Alternatively, Java for Mac OS X 10.5 Update 7 and Java for Mac OS X 10.6 Update 2 are available to download from Apple's web site. All users are advised to update as soon as possible.
Continued here: http://www.h-online.com/security/news/item/Apple-catches-up-with-Java-security-updates-1002827.html
See Vulnerabilities & Fixes: Apple Mac OS X update for Java
Zeus is forwarding Adobe updates again
From Websense Security Labs:
Websense Security Labs ThreatSeeker Network has detected a new batch of malicious emails containing Zeus payloads. This campaign is very similar to another which Adobe reported on a couple of weeks ago. The social engineering tricks in this campaign have gotten considerably better. The messages appear to be forwarded from a Director of Information Services who apparently received update instructions directly from an associate at Adobe. The message from the Adobe associate states that the update link is to patch CVE-2010-0193. There are two links in the message that lead to the same IP address hosting a PDF file for instructions and an executable that is meant to be the patch to apply. The executable file named adbp932b.exe (SHA1 0632f562c6c89903b56da235af237dc4b72efeb3) has minimal coverage of about 7%. [...]
The kicker in these messages is actually the update.pdf (SHA1 d408898e33c207eceea6d5b2affdac8ec266f77e) document. What would be expected of a malicious email with a PDF document is that it would contain an exploit of some sort that would attempt to do damage and take over the recipient's computer. This case is much different from that, probably because the attackers are working more of the social engineering angle and counting on the weakest link in the security chain, which would be the end user. The document is actually benign and provides the same link as the email to download the "security patch" and tells you to "Click run in each window that appears". Sharp eyes will actually notice that the IP leading to the malicious application and the IP showing in the screen shot of the document aren't actually the same site. This ploy of a non-malicious PDF document that looks authentic is an attempt to convince recipients that the instructions contained within are authentic. [...]
Continued (with an update) here: http://community.websense.com/blogs/securitylabs/archive/2010/05/18/zeus-is-forwarding-adobe-updates-again.aspx
New AutoRun Worms Utilize Action Key
From TrendLabs Malware Blog:
Autorun.inf is prevalently used by worms as an autostart technique. Through this file, the worm is able to automatically execute whenever an infected drive is accessed. Over time, users have been able to think of workarounds to manually remove the malware file while preventing it from executing. Some of these are:
Using command prompt to manually delete the file
Using Windows Explorer (right-clicking then choosing Explore)
Similarly, malware proponents also continue to find new techniques to proliferate their malicious creations despite workarounds that users employ to prevent them from automatically running on their systems. One way by which this is done is through the use of autorun.inf's Action Key.
Action Key is one of the parameters in autorun.inf, which is only supported in removable and fixed drives. Its main purpose is to specify the text that appears in the AutoPlay dialog for the handler representing the program specified in the open or shellexecute entry in the media's autorun.inf file. [...]
Continued here: http://blog.trendmicro.com/new-autorun-worms-utilize-action-key/
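An added example (not code from the TrendLabs post) showing how a defender might triage an autorun.inf before AutoPlay acts on it: it parses the [autorun] section, pulls the open/shellexecute target and the action label the post describes, and reports why the combination deserves a look. The autorun.inf text is a constructed sample of that pattern.

```python
import configparser
import re

# autorun.inf keys the TrendLabs post describes: the program AutoPlay would run
# (open / shellexecute) and the action key that sets the text shown for it.
EXEC_KEYS = ("open", "shellexecute")
EXE_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs)\b", re.IGNORECASE)
EXPLORER_TEXT_RE = re.compile(r"open folder|view files", re.IGNORECASE)

def assess_autorun(text):
    """Return the launch target, the AutoPlay label and a list of reasons for suspicion."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cfg.read_string(text)
    # Section names are case-sensitive in configparser; autorun.inf is not.
    section = next((s for s in cfg.sections() if s.lower() == "autorun"), None)
    result = {"target": None, "label": None, "flags": []}
    if section is None:
        return result
    sec = cfg[section]
    result["target"] = next((sec[k] for k in EXEC_KEYS if k in sec), None)
    result["label"] = sec.get("action")
    if result["target"] and EXE_RE.search(result["target"]):
        result["flags"].append("launches a program stored on the drive")
    if result["target"] and result["label"]:
        result["flags"].append("action key relabels the AutoPlay entry for that program")
    if result["label"] and EXPLORER_TEXT_RE.search(result["label"]):
        result["flags"].append("label imitates the built-in Explorer 'Open folder' entry")
    return result

# Constructed sample of the pattern the post describes (not a real worm's file).
SAMPLE = """[Autorun]
open=recycler\\update.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for reason in assess_autorun(SAMPLE)["flags"]:
        print("-", reason)
```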
Fraud Bazaar Carders.cc Hacked
Carders.cc, a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum's users as well as countless passwords and credit card accounts swiped from unsuspecting victims.
The breach involves at least three separate files being traded on Rapidshare.com: The largest is a database file containing what appear to be all of the communications among nearly 5,000 Carders.cc forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of Carder.cc forum users.
Continued here: http://krebsonsecurity.com/2010/05/fraud-bazaar-carders-cc-hacked/
UK regulator warns targets over share scam sucker list
"Turning up the heat on boiler room fraudsters"
A UK regulator is taking the unusual step of contacting 38,000 potential share fraud targets after recovering a "suckers list" used by boiler room fraudsters.
The Financial Services Authority plans to write to the thousands of people on the list (which contains phone numbers, names and addresses) warning them that their details are circulating among boiler room share fraud scammers. Boiler rooms normally operate outside the UK, outside the reach of regulators and compensation schemes. Fraudsters use high-pressure sales techniques to sell non-tradeable, overpriced or non-existent shares.
Target lists maintained by the fraudsters sometimes feature notes on an intended mark's interests and list of blue-chip shares they already hold. The list is thought to be in active use.
Jonathan Phelan, the FSA's head of unauthorised business, explained: "This is the biggest list we've ever recovered and by acting quickly and contacting every single person on it we're hoping we can stop people losing money. Boiler room fraudsters often sound professional so it's easy to be drawn in by their overblown claims and give them money to invest. The reality is however that the shares are worthless or don't exist and the money is lost forever."
Continued here: http://www.theregister.co.uk/2010/05/19/share_scam_sucker_list_warning/
Final Lost episode to distribute rogueware...
"Lost, Ronnie James Dio, and so on and so forth, to distribute rogueware"
From the PandaLabs Blog:
It seems that false antivirus programs have found in BlackHat SEO attacks a usual means of distribution. That's the case with the rogueware MySecurityEngine, which is using a varied medley of subjects, some of them arousing people's interest, like the successful series Lost, whose final episode will air on the 23rd of this month, or the recent death of the singer Ronnie James Dio.
Some of the keywords that can lead you to malicious websites are the following:
Lost New Episode April 27
Lost New Episode Time
Lost New Episode Online
Lost New Episode Tonight
Lost New Episode Stream
Lost New Episode Guide
Lost New Episode Preview
[...] If you follow the link of any of the malicious results, you'll be redirected to websites like www.1.saveppc2<blocked>d.xorg.pl or wwww.1.bestfast<blocked>31p.xorg.pl from which a file called PACKUPDATE_BUILD107_195.EXE is downloaded and which is detected as Adware/MySecurityEngine.
Continued (with complete list) here: http://pandalabs.pandasecurity.com/lost-ronnie-james-dio-and-so-on-and-so-forth-to-distribute-rogueware/
Watch_video.zip malware attack
From Graham Cluley's Blog:
Heads up folks! There's a major new malware attack happening right now.
Email messages are being spammed out with a variety of lurid x-rated subject lines. Attached to the emails is a file called watch_video.zip, which contains malware that (at the time of writing) is not being detected by most anti-virus products. [...]
Here's an example of a typical email: [...]
I'm reliably informed that Joyce Oliveira is a Brazilian porn star. I can't comment on whether she is in the habit of forgetting to wear her underwear or not. Emails with other subject lines can have different message bodies, albeit all of a similar pornographic nature.
In my examinations so far, I've found all of the messages (regardless of different subject lines and message bodies) contain the phrase:
Open attached file to watch video
Continued here: http://www.sophos.com/blogs/gc/g/2010/05/19/watchvideozip-malware-attack/
Daily Telegraph website hit by Canadian Pharmacy spammers
Spammers have created their own blogs on the website of one of the UK's leading newspapers, and stuffed it with adverts to purchase drugs from Canadian Pharmacy stores.
A post by blogger Paul Carpenter, an SEO consultant, brought my attention to the problem which is affecting the website my.telegraph.co.uk.
According to Paul, The Daily Telegraph was alerted to the problem of spammers clogging up its personal blogs some weeks ago, but sure enough when I visited this afternoon the problem was still present. [...]
Clicking onto one of the blogs takes users to a webpage promoting so-called Canadian Pharmacies. [...]
I say "so-called" because many times the gangsters behind these sites are actually Russian cybercriminals, making millions of pounds from promoting websites that flog counterfeit medicines.
Continued here: http://www.sophos.com/blogs/gc/g/2010/05/19/daily-telegraph-website-hit-canadian-pharmacy-spammers/
60% of Facebook users consider leaving over privacy
Will changes to Facebook's privacy settings be enough to address user concerns?
A poll of 1588 Facebook users conducted by Sophos has revealed the extent of member concerns over the popular social network's privacy settings. The online survey shows that almost two thirds of Facebook users are considering leaving, with 16% of those polled claiming to have already stopped using Facebook as a result of inadequate control over their data.
The poll asked Facebook users: Do you think you will quit Facebook over privacy concerns?
Possibly: 484 - 30%
Highly likely: 469 - 30%
Already have: 254 - 16%
No: 191 - 12%
Don't think likely: 190 - 12%
Facebook has faced growing criticism over changes to the way that the social network can share user data across its site and with other websites. Concerns have centered on the complexity and 'opt-out' approach to sharing member information with wider networks.
Continued here: http://www.net-security.org/secworld.php?id=9311
Facebook to Launch "Simplistic" Privacy Choices Soon
Reacting to the latest privacy backlash, Facebook will be rolling out new "simplistic" privacy options for its users in the coming weeks, according to Facebook head of public policy Tim Sparapani.
"Now we've heard from our users that we have gotten a little bit complex," Sparapani said in a radio interview Tuesday. "I think we are going to work on that. We are going to be providing options for users who want simplistic bands of privacy that they can choose from and I think we will see that in the next couple of weeks."
While it's not clear what those options will look like or if they will be presented to existing users, one supposes that at least new users will be given some broad options to choose from along the lines of "I'm an exhibitionist," "I like sharing with a lot of people, but not everybody" and "I'm a private person who just wants to share with friends and family." Currently, new users are set to very public defaults, including having their profile information shared with other online services such as Yelp and Pandora.
Continued here: http://www.wired.com/epicenter/2010/05/facebook-simple-privacy-choices/
Also: Facebook says it will make privacy settings easier
LifeLock CEO said to be victim of identity theft 13 times
"Publicly posting SSN resulted in Todd Davis' identity being misused"
A CEO who publicly posted his Social Security number on billboards and TV commercials as part of a campaign to promote his company's credit monitoring services was the victim of identity theft at least 13 times, a news report says.
The Phoenix New Times reported that Todd Davis, CEO of LifeLock Inc., which is based in Tempe, Ariz., was victimized numerous times by identity thieves who apparently used his Social Security number to commit various types of fraud.
Davis has previously admitted that he was the victim of an identity theft once in 2007, when a man in Texas used his Social Security number to take out a $500 loan which wasn't repaid and ended up being handled by a collection agency.
The New Times reported that Davis has been a victim of similar ID theft at least a dozen more times.
Continued here: http://www.computerworld.com/s/article/9176951/LifeLock_CEO_said_to_be_victim_of_identity_theft_13_times
Symantec to buy VeriSign's security unit for $1.3B, reports
VeriSign has been shopping for buyers, Reuters adds
Security vendor Symantec Corp. is reported to be close to buying Internet infrastructure services vendor VeriSign Inc.'s security business for $1.3 billion.
The Wall Street Journal quoted unidentified sources who are said to be close to the deal as saying it would give Symantec control of VeriSign's $410 million authentication business, which provides a range of encryption technologies and services.
A Reuters report late Tuesday also quoted an unnamed source as saying that VeriSign had been shopping for a buyer for its security unit recently.
Meanwhile, other news reports fueled the speculation by adding that VeriSign CFO Brian Robins had abruptly pulled out of a JP Morgan investors conference on Tuesday afternoon.
Continued here: http://www.networkworld.com/news/2010/051910-symantec-to-buy-verisigns-security.html
Microsoft reveals govt patch previews
Microsoft has launched a pilot program for governments and critical infrastructure providers to gain access to in-depth technical information about operating system patches before they are released on the second Tuesday of each month.
Senior security program manager lead at the Microsoft Security Response Centre (MSRC), Steve Adegbite, yesterday launched the Defensive Information Sharing Program (DISP) and the Critical Infrastructure Protection Program (CIPP) at the AusCERT 2010 security conference in Queensland.
Microsoft currently provides security vendors such as Kaspersky, McAfee and Symantec with some of this information, but not all of it. Finer details of a vulnerability don't normally get disclosed to the vendors, and that's detail Adegbite said governments would find useful in knowing as soon as it was available.
Continued here: http://www.zdnet.com.au/microsoft-reveals-govt-patch-previews-339303269.htm
Also: Microsoft to Share Vulnerability Details with Governments
Technical details of Street View WiFi payload controversy
From Errata Security:
The latest privacy controversy with Google is that while scanning for WiFi access-points in their Street View cars, they may have inadvertently captured data payloads containing private information (URLs, fragments of e-mails, and so on).
Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it's easy to inadvertently capture too much information, and be unaware of it.
This article discusses technically how such scanning works.
There have been many controversies surrounding Street View. The first is about the images the cars take. They often contain private information, such as the license plates of cars parked on the side of the road. Google keeps improving algorithms to fix this, such as automatically covering license plates within images.
Continued here: http://erratasec.blogspot.com/2010/05/technical-details-of-street-view-wifi.html
Prior Post: Google stops sniffing Wi-Fi data after privacy gaffe
Also: Google Street View Faces Investigation in France and Italy
My Wordpress blog got injected - again!
From Websense Security Labs:
At the beginning of the week and last week the WPSecurityLock Web site published alerts on prominent Wordpress injections. These injections redirect the visitor to a scareware site which falsely claims to have found an infection, i.e. a Rogue AV Web site. Here is a video that shows what exactly is going on from the user's perspective when accessing a compromised Web site with this attack: [...]
The injection attacks are still ongoing. Dancho Danchev reported a domain which is related to this attack at the end of last month. The domain kdjkfjskdfjlskdjf.com is directly related to the ongoing attacks and still appears on injected sites. Another set of domains is losotrana.com, holasionweb.com, indesignstudioinfo.com and zettapetta.com.
Checking the number of hits with our ThreatSeeker network over this past weekend revealed more than 23,000 infected pages with this kind of attack, and it's still growing. The malicious code is injected by the attackers into PHP files on the server. Typically an infected PHP file will start with this line of code at the top of it: eval(base64_decode( . Below is a screenshot showing how an infected page looks on an injected server: [...]
If you're running a Wordpress installation it's highly recommended to check every PHP file for a possible injection.
The injected code is encoded with Base64. Once you decode the content you get this output: [...]
Continued here: http://community.websense.com/blogs/securitylabs/archive/2010/05/19/My-Wordpress-blog-got-injected-_2D00_-again_2100_.aspx
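An added example (not Websense's code) of the check the post recommends: walk a WordPress install, look at the head of every PHP file for the eval(base64_decode( indicator the post describes, and decode the embedded Base64 so the payload can be inspected. The sample site it builds in a temporary directory is constructed, with a harmless marker string in place of the real injected code.

```python
import base64
import os
import re
import tempfile

# Indicator from the Websense post: an injected file opens with
# eval(base64_decode('...')) carrying the encoded payload as a quoted literal.
INJECT_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def inspect_php_file(path, head_bytes=4096):
    """Return the decoded payload if the file's head carries the indicator, else None."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes).decode("utf-8", errors="replace")
    m = INJECT_RE.search(head)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: malformed or truncated Base64
        return "<undecodable base64>"

def scan_tree(root):
    """Map each suspicious PHP file (relative to root) to its decoded payload."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                payload = inspect_php_file(path)
                if payload is not None:
                    hits[os.path.relpath(path, root)] = payload
    return hits

def build_sample_site():
    """Constructed sample: one clean file and one injected file with a harmless marker."""
    root = tempfile.mkdtemp(prefix="wp_sample_")
    theme_dir = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme_dir)
    marker = base64.b64encode(b"echo 'CONSTRUCTED PAYLOAD MARKER';").decode()
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n// normal file\necho 'hello';\n")
    with open(os.path.join(theme_dir, "functions.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('" + marker + "')); ?>\n<?php\n// rest of file\n")
    return root

if __name__ == "__main__":
    for rel, payload in scan_tree(build_sample_site()).items():
        print(rel, "->", payload[:60])
```

Review what the decoded payload does before removing it, and restore affected files from a known-good copy rather than editing them in place.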
Man accused of DDoSing conservative talking heads
'FrostAie' the (alleged) Pwn Man
Federal prosecutors have accused a man of carrying out a series of botnet offenses including attacks that brought down the websites of conservative talking heads Bill O'Reilly, Ann Coulter and Rudolph Giuliani.
Mitchell L Frost was an undergraduate student at the University of Akron at the time of the distributed denial-of-service (DDoS) attacks, which lasted over a five-day period in March 2008, prosecutors alleged in court documents. The attacks on billoreilly.com, anncoulter.com and joinrudy2008.com "rendered each website inoperable, at least temporarily, and required intervention and repair by the owners of such sites, and caused damages or losses which exceeded $5,000," they wrote.
Continued here: http://www.theregister.co.uk/2010/05/19/bill_oreilly_ddos_attacks/
Also: Man Charged With Attack on Bill O'Reilly Web Site