NEWS - May 24, 2011

Virus Attack on Dow Jones Network Raises Suspicion of Insider Malice

The suspicion that a vengeful insider launched a virus attack on Dow Jones' corporate networks demonstrates how easily a disgruntled current or former employee can hold a network hostage.

Dow Jones was hit by a sophisticated computer virus days after approximately two dozen IT staff members were laid off, prompting speculation that the malware was a form of vengeful insider sabotage. Even if a malicious insider was not to blame for the Dow Jones virus infection, a recent survey found that organizations are very vulnerable to such attacks.

The computer virus hit Dow Jones' corporate networks on May 12, two days after 34 employees represented by the Independent Association of Publishers' Employees were laid off, Adweek reported May 20. Most of the laid-off staff were part of the IT department.

"Everybody's saying that somebody left it as a going-away present," a Dow Jones employee told Adweek.

Continued :

Trend Micro Researchers Identify Vulnerability in Hotmail

A couple of days ago, my colleagues reported an attack that appears to be targeted and that involves email messages sent through a Webmail service. Upon further investigation, we were able to confirm that this attack exploits a previously unpatched vulnerability in Hotmail. Trend Micro detects the malicious email messages as HTML_AGENT.SMJ.

The said attack simply requires the targeted user to open the specially crafted email message, which automatically executes the embedded script. This then leads to the theft of critical information, specifically email messages and information about the affected user's personal contacts. The stolen email messages may contain sensitive information that cybercriminals can use for various malicious routines.

The script connects to http://www.{BLOCKED}{user account name}{number} to download yet another script.

The nature of the said URL strongly suggests that the attack is targeted. The URL contains two variables: {user account name}, which is the target user's Hotmail ID, and {number}, which is a predefined number set by the attacker. The number seems to determine the malicious payload that will be executed, as we've found that the information theft routines are only executed when certain numbers are in the {number} field.

Continued :

LinkedIn slashes cookie lifespan after research exposes security flaws

LinkedIn said it would reduce the persistence of cookies it uses to identify users of the business-focused social networking site following the discovery of security issues with the site that create a possible means for fraudsters to hijack profiles.

Security researcher Rishi Narang discovered that LinkedIn session cookies are transmitted over an unsecured HTTP connection even in cases where users follow the option of signing in over a secure (SSL) connection. These cookies remain active for up to a year. Hackers who captured these cookies, perhaps using a tool such as Firesheep to sniff out cookies transmitted over open Wi-Fi connections, would be able to obtain unauthorised access to other users' accounts.

The LEO_AUTH_TOKEN cookie grants access to an associated account irrespective of whether or not users are logged in at the time, Narang warns. These cookies work for up to a year or until a user changes their password and logs in using this new password, generating a fresh authentication token. LinkedIn boasts more than 100 million registered users, a factor that inevitably makes it of interest to miscreants.

Continued :

Related : LinkedIn is careless with access cookies
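The two weaknesses in the report above (an authentication cookie that also travels over plain HTTP, and a one-year lifetime) are both visible in the Set-Cookie header. The audit below is an added example, not code from LinkedIn or from the article; the 24-hour policy threshold and both sample headers are constructed for it.

```python
"""Audit Set-Cookie headers for the weaknesses the LinkedIn report describes:
an auth cookie sent without the Secure flag (so it also travels over plain HTTP)
and a lifetime of up to a year. Added example; the threshold is an assumption."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_AUTH_LIFETIME = timedelta(hours=24)  # policy threshold, assumed for this example


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags like Secure map to ""
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Lifetime as a timedelta; None means a session cookie (Max-Age wins over Expires)."""
    if "max-age" in attrs:
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        return expires - now
    return None


def audit_cookie(header, now=None, max_lifetime=MAX_AUTH_LIFETIME):
    """Return a list of findings for one Set-Cookie header; empty means it passes."""
    now = now or datetime.now(timezone.utc)
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag, so it is sent over plain HTTP too")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag, so page scripts can read it")
    life = cookie_lifetime(attrs, now)
    if life is not None and life > max_lifetime:
        findings.append(f"{name}: lifetime of {life.days} days exceeds {max_lifetime}")
    return findings


# Constructed sample headers (not captured from LinkedIn): the weak shape the
# article describes beside a hardened one.
WEAK = "LEO_AUTH_TOKEN=abc123; Max-Age=31536000; Path=/"
STRONG = "LEO_AUTH_TOKEN=abc123; Max-Age=3600; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK, STRONG):
        print(header, "->", audit_cookie(header) or ["OK"])
```

A short lifetime only helps if the server also invalidates the token server-side on logout and password change, which the header alone cannot show.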
Apple support to infected Mac users: "You cannot show the customer how to stop the process"

ZDNet writer Ed Bott has posted the latest instructions to Apple tech support personnel regarding users calling in with active fake anti-virus "MacDefender" infections.

Bott says he acquired the documents by talking with two anonymous Apple support representatives about how Apple is coping with the first widespread attack against OS X users. According to his sources Apple has received an estimated 60,000 tech support calls related to the infections.

It has been encouraging that many Apple customers have been taking this attack seriously and taking preventative measures like installing our free anti-virus program for OS X.

Apple is apparently telling support reps to tell customers:

Continued :

Related : AppleCare support rep talks: Mac malware is "getting worse"

OMG CNN Confirmed Osama Is Alive - Scam spreads on Twitter

From Websense Security:

If you are seeing tweets right now from Twitter users, you may be misled into thinking that U.S. news organization CNN has revealed that Osama bin Laden is alive.

The tweets lead to a phishing page. Websense customers are protected from this scam by ACE, our Advanced Classification Engine.

Tweets are being posted by users right now at the rate of several hundred tweets per second and include:

omgg osama is alive!!! cnn confirmed that he's still out there :(
I cant BELIEVE osama is still alive - CNN confirmed he around stillll
OMG CNN confirmed that they found Osama alive still ! ! !

[Screenshot] Tweets lead to a bit.ly redirector that takes the user to a convincing phish page designed to harvest the user's Twitter account credentials.

Screenshot of the phish page: [Screenshot]

A user who enters credentials is then taken to a YouTube video related to the topic of the scam, a CNN video discussing the news "'Osama is alive' say protestors."

Continued :

Do-not-track off to slow start, Mozilla adds Android support

Whenever an average consumer is confronted with the idea of "opting in," typically they don't bother. They are not aware they have a choice, it's too complicated to follow through or they simply don't understand the importance.

A great example of this is Facebook's introduction of HTTPS via opt-in back in January. In a post on the Facebook developer blog, Naitik Shah points out that 9.6 million Facebook users are now using HTTPS on the service.

This sounds like a big number, but it is less than two percent of Facebook users, a rather dismal example of why security and privacy should be the default, not the alternative.

Similarly this week there has been talk of the ad industry's voluntary do-not-track HTTP header. At a privacy conference Mozilla's Alex Fowler noted that only one to two percent of Firefox users have enabled the do-not-track option.

Introduced in Firefox 4, the do-not-track option is rather difficult to locate. Fowler said that in future updates the do-not-track option will "be much more prominently displayed." [Screenshot]

Continued :

Facebook Spam Now Plays Your Favorite Music

TrendLabs Malware Blog:

Wouldn't it be cool if you had immediate access to your favorite music and bands? What if these are readily available on your favorite social networking site? [Screenshot]

Unfortunately, spammers also find this cool. We recently noted messages and wall posts circulating on Facebook that promote a supposed new music player feature. Below is a screenshot of what these spammed messages typically look like. [Screenshot]

The script used in this spam run is now detected by Trend Micro as JS_FBJACK.B. Similar to other previously reported Facebook spam runs, once users access the alleged link, they are redirected to a site that tells them to follow several steps, the first of which is to copy a particular snippet of code into their browser address bars, reminiscent of the "See You? In 20 Years!" Facebook attack, which spread via multiple features.

Once done, the malicious script accesses the affected user's Facebook friends list. From this list, it creates wall posts and sends chat messages to the accumulated Facebook contacts. The wall post and message read:

Continued :

Spammers establish their own fake URL-shortening services

For the first time ever, spammers are establishing their own fake URL-shortening services to perform URL redirection, according to Symantec.

This new spamming activity has contributed to this month's increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites.

These shortened URLs lead to a shortened-URL on the spammer's fake URL-shortening Web site, which in turn redirects to the spammer's own Web site.

To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services, since the age of the domain may be used as an indicator of legitimacy, making it more difficult for the genuine shortening services to identify potential abuse.

Continued :

New Siemens SCADA Vulnerabilities Kept Secret

From Bruce Schneier @ his "Schneier on Security" Blog:

SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways. It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier.

Last week, a researcher was successfully pressured by the Department of Homeland Security not to disclose details "before Siemens could patch the vulnerabilities."

Beresford wouldn't say how many vulnerabilities he found in the Siemens products, but said he gave the company four exploit modules to test. He believes that at least one of the vulnerabilities he found affects multiple SCADA-system vendors, which share "commonality" in their products. Beresford wouldn't reveal more details, but says he hopes to do so at a later date.

We've been living with full disclosure for so long that many people have forgotten what life was like before it was routine.

Before full disclosure was the norm, researchers would discover vulnerabilities in software and send details to the software companies -- who would ignore them, trusting in the security of secrecy. Some would go so far as to threaten the researchers with legal action if they disclosed the vulnerabilities.

Continued :

Look Carefully at the Web Address

F-Secure Antivirus Research Weblog:

What a stupid phishing site.

This site goes to great lengths to make sure you double-check that the URL you're on is

And it isn't. [Screenshot]

This has got to be one of the stupidest phishing attacks I've ever seen.

Nobody will ever fall for that.

Except they will.

You see, people aren't reading e-mail on their computers any more. They are reading it on their phones. So they'll receive the phishing scam e-mails on their phone and they'll open the scam sites on their phones.

Let's have a look at what the site looks like on iPhone, Android and Nokia devices. [Screenshot] [Screenshot] [Screenshot]

Now it isn't very obvious any more. (And it's particularly well formatted for iPhone?)

As you can see, the small screen estate on smartphones makes phishing easier.

Continued :

Fake virustotal website propagated java worm

Infection strategies using JavaScript technology are on the agenda, and because of its "hybrid" status, criminals look to expand the coverage of their attacks by recruiting infected computers regardless of the browser or operating system in use.

In terms of criminal activity, Drive-by-Download techniques that inject malicious JavaScript into different websites are combined with social engineering that requires users to increasingly sharpen their senses of "detection".

During this weekend, we encountered a fake website imitating VirusTotal, the popular suspicious-file analysis system by the Hispasec company, set up to infect users through the methods mentioned above. [Screenshot]

To users, the website looks the same as the original. However, hidden in the source are the parameters needed to infect the system through a Java applet, which silently downloads malware detected by Kaspersky Lab as Worm.MSIL.Arcdoor.ov.

Continued :

Sony Ericsson Store Hacked and Data Leaked

A hacker claims to have hacked Sony Ericsson's Canadian eShop and published data allegedly extracted from the website's database.

The hacker, who goes by the handle of Idahc and says he's from Lebanon, has posted a partial database dump on

"I am Idahc a Lebanese hacker and I am Back. I hacked The database of with a simple sql injection," the hacker told Softpedia in an email that also includes a screenshot of the attack.

The dump exposes customer real names, email addresses and password hashes. It's not immediately clear if the hacker also managed to extract other, more sensitive, information.

It doesn't seem that Sony or its subsidiaries can get a break from these attacks, and every one of their online properties is fair game for hackers.

Sony Ericsson is a joint venture between Sony and Ericsson established in 2001 and is currently the sixth largest mobile phone manufacturer in the world.

We said in a previous article that the series of Sony compromises has become a sort of game and this is exactly the impression left by Idahc who writes: "Hackers vs Sony - we are the winners."

Continued :

Every day is a Birthday Party at Myspac(dot)com

You'd have thought Myspace would have snapped up myspac(dot)com, but it seems to have scampered past them in the night like a small scampery thing that scampers.

The Myspac(dot)com URL will bounce you through a whole bunch of different locations including 1939(dot)com, social-survey-spot(dot)com and socialrewardcenter(dot)com.

When you hit that last one, the "Social Reward Center" tries to make you feel all bad about not taking part in their birthday celebrations.

Did I say "birthday celebrations"? I sure did, because it's their sixth birthday! [Screenshot]

Hooray! Wouldn't you feel bad if you didn't get involved?

The answer, of course, is "no". It isn't their birthday unless they have one every day as their site seems to claim, and even the Queen only has two a year (unless you're in Australia, in which case she has at least three).

What do they want you to do? Well, funny you should ask:

Continued :
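Both the fake-shortener scheme in the Symantec post above and the Myspac(dot)com bounce chain are redirect chains, so the same offline analysis serves both. This is an added example, not code from either article; the hop table, the shortener allow-list and the domain ages are all constructed (the fake shortener is given an age old enough to pass an age check, which is the evasion the Symantec post describes).

```python
"""Follow a redirect chain offline and flag a legitimate shortener handing off
to an unknown shortener-style host, a chain crossing many unrelated hosts, and
a very young landing domain. Added example; every host, hop and age is made up."""
from urllib.parse import urlsplit

# Constructed hop table standing in for the Location header of each 30x reply.
HOPS = {
    "http://bit.ly/3Fq9a": "http://shrt-lnk.example/k7Qp",  # real -> fake shortener
    "http://shrt-lnk.example/k7Qp": "http://pills.example/landing-page",
    "http://myspac.example/": "http://1939.example/",
    "http://1939.example/": "http://social-survey-spot.example/",
    "http://social-survey-spot.example/": "http://socialrewardcenter.example/",
}
KNOWN_SHORTENERS = {"bit.ly", "t.co", "goo.gl"}  # allow-list, an assumption
# Constructed domain ages in days; the fake shortener is old enough to pass an
# age check on its own, so the shortener heuristic has to catch it instead.
DOMAIN_AGE_DAYS = {"bit.ly": 1500, "shrt-lnk.example": 150, "pills.example": 20,
                   "myspac.example": 400, "1939.example": 400,
                   "social-survey-spot.example": 400, "socialrewardcenter.example": 400}


def host(url):
    return urlsplit(url).hostname.lower()


def follow(url, hops, max_hops=10):
    """Return the list of URLs visited, stopping on a loop or after max_hops."""
    chain = [url]
    while chain[-1] in hops and len(chain) <= max_hops:
        nxt = hops[chain[-1]]
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain


def looks_like_shortener(url):
    """Heuristic: a short opaque path token and no query string, e.g. /k7Qp."""
    parts = urlsplit(url)
    token = parts.path.strip("/")
    return not parts.query and 1 <= len(token) <= 7 and token.isalnum()


def assess(url, hops=HOPS, ages=DOMAIN_AGE_DAYS, known=KNOWN_SHORTENERS, min_age=90):
    """Return (chain, findings); an empty findings list means nothing suspicious."""
    chain = follow(url, hops)
    hosts = [host(u) for u in chain]
    findings = []
    for i in range(1, len(chain) - 1):  # intermediate hops only
        if looks_like_shortener(chain[i]) and hosts[i] not in known:
            findings.append(f"hop {i}: {hosts[i]} acts as a shortener but is not a known one")
    if len(set(hosts)) > 3:
        findings.append(f"chain crosses {len(set(hosts))} distinct hosts")
    if ages.get(hosts[-1], 0) < min_age:
        findings.append(f"landing host {hosts[-1]} is {ages.get(hosts[-1], 0)} days old")
    return chain, findings
```

In a live deployment the hop table would come from HEAD requests that do not follow redirects, and the ages from WHOIS or passive DNS first-seen data.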

New hack on Comodo reseller exposes private data

Yet another official reseller of SSL certificate authority Comodo has suffered a security breach that allowed attackers to gain unauthorized access to data.

Brazil-based ComodoBR is at least the fourth Comodo partner to be compromised this year. In March, the servers of a separate registration authority were hacked by attackers who used their access to forge counterfeit certificates signed with Comodo's root signing key. Comodo admitted that two more of its resellers were hit in similar attacks, although no keys were issued.

Comodo has so far declined to name the resellers.

The SQL-injection attack on ComodoBR exploited vulnerabilities in the company's web applications that allowed the hackers to pass database commands to the website's backend server. The attackers posted two data files that appeared to show information related to certificate signing requests, in addition to email addresses, user IDs, and password information for a limited number of employees.

Comodo president and CEO, Melih Abdulhayoglu, said Comodo systems were never compromised. He also said no certificates were issued as a result of the breach, and that the reseller had no access to Comodo databases.

Continued :

ZeroAccess Rootkit Latest in Line of x64 Malware to Appear

Never ones to be left behind as progress marches on, attackers are beginning to develop more and more tools aimed specifically at exploiting 64-bit machines. The latest entry into the field is an x64 version of the ZeroAccess rootkit, a nasty piece of malware that's been circulating for some time and has a number of interesting capabilities, including anti-forensics and kernel-level monitoring.

The new version of ZeroAccess, which also is known as Max++, is not all that different from previous iterations, in that it's designed to remain persistent on infected machines via rootkit hooks that burrow down into the lower levels of the operating system. The malware typically is installed on users' machines via drive-by downloads that aim to exploit any one of a number of known vulnerabilities, often bugs in Adobe Reader or Java.

Once the malware is on a machine, it will perform a check to see what the specifications of the PC are. Specifically, it looks at whether it is on an x64 machine and if so, then it will load a module that contains a dropper designed just for that platform, according to an analysis by Kaspersky Lab researcher Vasily Berdnikov.

Continued :