NEWS - May 25, 2011

Microsoft finds 427K email addresses on knocked-out Rustock server

Microsoft investigators uncovered a cache of more than 400,000 email addresses on one hard drive it seized in March when it led an organized takedown of the Rustock botnet, according to court documents.

In a status report submitted Monday to a federal judge, Microsoft spelled out the results of its ongoing investigation into the hardware obtained by the U.S. Marshals Service and other law enforcement agencies.

The takedown of Rustock -- a huge botnet responsible for sending as many as 30 billion spam messages daily -- was orchestrated by Microsoft, and backed by warrants that let authorities in the U.S. and elsewhere seize the hackers' command-and-control (C&C) servers.

"Additional evidence of the system's role in spam-dissemination was also uncovered, including custom-written software relating to assembly of spam emails and text files containing thousands of email addresses and username/password combinations," Microsoft told U.S. District Court Judge James Robart in the May 23 filing. "One text file alone contained over 427,000 email addresses."

Continued : http://www.networkworld.com/news/2011/052411-microsoft-finds-427k-email-addresses.html

Also: Microsoft Uncovers 400K Tainted Email Addresses on Rustock Hard Drives
Comments
- Collapse -
Apple publishes Mac Defender removal details, promises fix

Apple has published a knowledgebase document (HT4650) on its support web site that details how users can avoid or remove the latest Mac Defender malware. It had previously been reported that Apple had advised its technical support representatives not to help customers with Mac malware.

In the support article, Apple describes the fake anti-virus application, which also goes under the name "Mac Security" or "Mac Protector", as a phishing scam that has specifically targeted Mac users. The document goes on to note that its "ultimate goal is to get the user's credit card information which may be used for fraudulent purposes".

Apple says that it will release an update for Mac OS X that will automatically find and remove Mac Defender and its known variants. The company notes that, once installed, the update will "help protect users by providing an explicit warning if they download this malware". Users will be able to install the update via Mac OS X's built-in Software Update function "in the coming days".

Continued : http://www.h-online.com/security/news/item/Apple-publishes-Mac-Defender-removal-details-promises-fix-1250118.html

Also:
Apple admits scareware problem, at last
Apple to directly combat MacDefender scareware

Related: Apple support to infected Mac users: "You cannot show the customer how to stop the process"

- Collapse -
Dear Apple: Welcome to team anti-malware

From Sophos' Naked Security Blog:

It was brought to my attention today that you've now published a knowledge base article explaining how to remove the prolific MacDefender fake security software and its various iterations.

While I cannot speak on behalf of an entire industry, I think all of us welcome you with open arms to the team tasked with helping the computer using community stay safe online.

I have to admit though, as a newbie, it appears that you may have some confusion in your terminology.

You state in your article:

"A recent phishing scam has targeted Mac users by redirecting them from legitimate websites to fake websites which tell them that their computer is infected with a virus."

In our business phishing has a very specific definition. According to Wikipedia the agreed upon definition of phishing is:

phish

- Collapse -
Chrome 11 update patches critical holes

Google has released version 11.0.696.71 of its Chrome web browser, a maintenance and security update that addresses a total of four security vulnerabilities, two of which are rated as critical: the new version fixes a critical memory corruption bug in the GPU command buffer and an out-of-bounds write problem in blob handling discovered by Kostya Serebryany of the Chromium development community.

A high-risk exploit - a stale pointer in floats rendering - won Martin Barbella $1,000 for reporting the vulnerability to Google as part of its Chromium Security Reward programme; that exploit along with a low-risk bug that bypassed the pop-up blocker have also been closed. Further details of the vulnerabilities are being withheld until "a majority of users are up-to-date with the fix". Four bugs have also been fixed, including a regression affecting LinkedIn.com and a stats issue related to Mac plug-in crashes.

Details about the security update can be found in a post by Google Chrome Product Manager Karen Grunberg on the Google Chrome Releases blog. Chrome 11.0.696.71 is available to download for Windows, Mac OS X and Linux. Users who currently have Chrome installed can use the built-in update function by clicking Tools, selecting About Google Chrome and clicking the Update button.

http://www.h-online.com/security/news/item/Chrome-11-update-patches-critical-holes-1250075.html

See Vulnerabilities & Fixes : Google Chrome Multiple Vulnerabilities

- Collapse -
Sony Says Hacker Stole 2,000 Records From Canadian Site

The problems keep coming for Sony. On Tuesday the company confirmed that someone had hacked into its website and stolen about 2,000 customer names and e-mail addresses.

Close to 1,000 of the records have already been posted online by a hacker calling himself Idahc, who says he's a "Lebanese grey-hat hacker." Idahc found a common Web programming error, called an SQL injection flaw, that allowed him to dig up the records on the Canadian version of the Official Sony Ericsson eShop, an online store for mobile phones and accessories.

The hacker got access to records for about 2,000 customers, including their names and e-mail addresses and a hashed version of users' passwords, said Ivette Lopez Sisniega, a Sony Ericsson Mobile Communications spokeswoman. "Sony Ericsson has disabled this e-commerce website," she said in an e-mail message. "We can confirm that this is a standalone website and it is not connected to Sony Ericsson servers."

Other than the names and e-mail addresses, no personal or banking information was compromised, she said.

Continued : http://www.pcworld.com/article/228597/sony_says_hacker_stole_2000_records_from_canadian_site.html

Also: Sony Ericsson acknowledges Canadian e-commerce site hacked

Related: Sony Ericsson Store Hacked and Data Leaked

- Collapse -
iOS Encrypted Backups Are Now Crackable

It's possible to encrypt an iOS backup using iTunes. However, a piece of software has just been released which allows the encryption to be cracked, therefore giving someone full access to the data stored in your backup.

I suggested some reasons why to encrypt your iOS backups before, the main one being that your data is then protected. But this new software, called Phone Password Breaker Tool, is available to anyone wishing to pay a small fee for it. It's being marketed as a tool to 'recover' password-protected devices, but it could also be used as a way for hackers to get access to your phone backups.

Able to get past the encryption on backups of both Apple's iOS devices and BlackBerry devices, Phone Password Breaker will not only reveal the password set on the backup, but also extract passwords for mail accounts, websites and third-party applications - data that could be of great interest to malicious characters.

Luckily, the software requires the device to be physically connected to the computer in order to crack the encryption. That's good news, since a hacker will need access to both the device and your computer - and if you're sensible with your hardware, that isn't likely to happen.

Continued : http://gigaom.com/apple/ios-encrypted-backups-are-now-crackable/

- Collapse -
Blocking JavaScript in the Browser

Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

It is true that selectively allowing JavaScript on known, "safe" sites won't block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is Noscript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

The Noscript extension makes it easy to place or remove these restrictions on a site-by-site basis, but a novice user may need some practice to get the hang of doing this smoothly. For instance, it's not uncommon when you're shopping online to come across a site that won't let you submit data without fully allowing JavaScript. Then, when you enable scripting so that you can submit your address and payment information, the page often will reload and clear all of the form data you've already supplied, forcing you to start over. Also, many sites host content from multiple third-party sites, and users who prefer to selectively enable scripts may find it challenging to discover which scripts need to be enabled for the site to work properly.

Continued : http://krebsonsecurity.com/2011/05/blocking-javascript-in-the-browser/

- Collapse -
Banks profit from spam

F-Secure Weblog:

While doing some spam research a couple of years ago, we did a series of test purchases from spam emails.

We bought pills, software, cigarettes etc. We were a bit surprised that almost all of the orders went through and actually delivered goods. Sure, the Windows CD we got was a poor clone and the Rolex was obviously fake, but at least they sent us something.

We were carefully watching the credit card accounts we created for our tests but we never saw any fraudulent use of them.

The most surprising outcome from this test was that we didn't see more spam to the email addresses we used to order the goods.

Our findings were reinforced by an excellent new study (pdf) published by University of California researchers (with an impressive list of authors).

The researchers not only did test purchases from spam, they also tracked down the botnets used to send the emails, the hosting systems to host the spam sites and the banks that moved the money. [Screenshot]

One of the most interesting details in the study is this: almost all spam sales worldwide are handled by just three banks.

The banks? They were:

Continued : http://www.f-secure.com/weblog/archives/00002164.html

- Collapse -
Cookie law deferred for one year

UK websites are being given one year to comply with EU cookie laws, the Information Commissioner's Office has said.

The UK government also sought to reassure the industry that there would be "no overnight changes".

The EU's Privacy and Communications Directive comes into force on 26 May.

It requires users' consent before using cookies - the text files that help organise and store browsing information.

Technically all firms must comply with the law but the UK has said that it needs more time to find a workable solution.

The government said that it was looking for a "business-friendly" solution and believed in light-touch regulation.

"We recognise that some website users have real concerns around online privacy but also recognise that cookies play a key role in the smooth running of the internet," said communications minister Ed Vaizey.

Continued : http://www.bbc.co.uk/news/technology-13541250

Also: UK Companies Get a One-Year Break from European Cookie Law

- Collapse -
Windows 8 release date announced

Shy and retiring Microsoft CEO, Steve "there's a kind of hush" Ballmer has softly whispered to a gaggle of Japanese developers that Windows 8 will be out in time for 2012.

He whispered a time frame which indicated that the new OS would be in the shops in time for the end of the Mayan calendar and will be the operating system of choice when the world ends.

It is the first time that Vole has given a time frame for the operating system and the first time that he has mentioned the OS by name.

According to ZDnet, Ballmer said that Windows 7 PCs will sell over 350 million units this year and in Windows 8 there was a lot more coming.

He said that over the rest of the year, Microsoft is going to do a lot of talking about Windows 8 and where it will go.

Apparently there will be Windows 8 on "slates and tablets" as well as PCs. Yep, in Steve speak there is a difference between slates and tablets. We are not sure what that is, but we are sure that the man who has led Vole to such sterling financial figures lately must know what he is talking about.

Continued : http://www.techeye.net/software/windows-8-release-date-announced

- Collapse -
Unpatched IE bug exposes sensitive Facebook creds

A security researcher has devised an attack that remotely steals digital credentials used to access user accounts on Facebook and other websites by exploiting a flaw in Microsoft's Internet Explorer browser.

Independent researcher Rosario Valotta demonstrated his "cookiejacking" proof of concept last week at the Hack in the Box security conference in Amsterdam. It exploits a flaw that's present in all current versions of IE to steal session cookies that Facebook and other websites issue once a user has entered a valid password and corresponding user name. The cookie acts as a digital credential that allows the user to access a specific account.

The proof of concept code specifically targets cookies issued by Facebook, Twitter and Google Mail, but Valotta said the technique can be used on virtually any website and affects all versions of Windows.

"You can steal any cookie," he told The Register. "There is a huge customer base affected (any IE, any Win version)."

Continued : http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

- Collapse -
Be Cautious with "Activate Dislike Button" of Facebook

Bkis Global Task Force Blog:

Recently, lots of Facebook users have been deluded into clicking on "Activate Dislike Button".

Taking advantage of users' desire for Facebook's Dislike button, several spam messages about the activation of the Dislike button have appeared to take control of users' Facebook accounts for spreading spam messages. [Screenshot]

If users click on "Activate Dislike Button", their browsers will be redirected to http: //lnktrn.ch/dislike, a fake Facebook page where users are requested to copy a code before executing it on their browsers to enable the "Dislike" button. [Screenshot]

The code is in fact an encrypted JavaScript one. Upon analysis, we found out that the code is tasked with sending spam messages to friends on the victim's Facebook accounts. The messages say: "Facebook just <keyword> dislike button! Click <onword> 'Activate Dislike Button' below to enable it on your <apterm> !". There, <keyword> is arbitrarily selected among the following: "added the", "launched", "released the"; <onword> may be either "on" or "On"; while <apterm> is a random word from "profile" and "account".

Continued : http://blog.bkis.com/en/be-cautious-with-activate-dislike-button-of-facebook/
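The Bkis post above spells out the exact message template and the three word lists the spam draws from, which is enough to write a detection signature. The following is an added example, not code from Bkis or from the original post: it compiles the template into one regular expression, pulls out which variant was used, and runs it over a handful of constructed sample messages. The sample messages are made up for this example; the word lists are the ones quoted in the post. As with any template signature, it only catches this particular campaign and will miss the moment the spam text is reworded, so treat it as one indicator among several rather than a general Facebook-spam detector.

```python
import re
from typing import Optional

# Word lists exactly as quoted in the Bkis description of the spam template.
KEYWORDS = ("added the", "launched", "released the")
ONWORDS = ("on", "On")
APTERMS = ("profile", "account")


def _alternation(words):
    """Build a regex alternation of literal words, longest first so that
    'released the' is tried before any shorter prefix of it."""
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


# One regex covering every combination the write-up lists. Runs of whitespace
# are matched with \s+ so that minor reflowing of the message does not defeat it.
DISLIKE_SPAM_RE = re.compile(
    r"Facebook\s+just\s+(?P<keyword>" + _alternation(KEYWORDS) + r")\s+dislike\s+button!\s+"
    r"Click\s+(?P<onword>" + _alternation(ONWORDS) + r")\s+'Activate\s+Dislike\s+Button'\s+"
    r"below\s+to\s+enable\s+it\s+on\s+your\s+(?P<apterm>" + _alternation(APTERMS) + r")\s*!"
)


def match_dislike_spam(message: str) -> Optional[dict]:
    """Return the chosen (keyword, onword, apterm) values if the message matches
    the template, or None if it does not."""
    m = DISLIKE_SPAM_RE.search(message)
    return m.groupdict() if m else None


def flag_messages(messages):
    """Return the indices of the messages that match the spam template."""
    return [i for i, msg in enumerate(messages) if match_dislike_spam(msg)]


# Constructed sample messages for this example: three variants generated from the
# template, followed by two benign messages that share some of the same words.
SAMPLE_MESSAGES = [
    "Facebook just added the dislike button! Click on 'Activate Dislike Button' below to enable it on your profile !",
    "Facebook just launched dislike button! Click On 'Activate Dislike Button' below to enable it on your account !",
    "Facebook just released the dislike button! Click on 'Activate Dislike Button' below to enable it on your account !",
    "I wish Facebook just added the dislike button, it would make my life easier.",
    "Click on the settings link below to enable two-factor on your account!",
]

if __name__ == "__main__":
    for i in flag_messages(SAMPLE_MESSAGES):
        print(i, match_dislike_spam(SAMPLE_MESSAGES[i]))
```

Run as a script it prints the index and the variant breakdown for the first three sample messages only; the two benign messages do not match because the template requires the full fixed phrasing, including the trailing exclamation mark and the quoted button label.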

- Collapse -
New MacGuard malware variant gets slightly easier to install

The Mac Defender malware has just gotten one step closer to your hard drive, no longer requiring a password in its installation process. Security firm Intego has released a new memo stating that a variant of the Mac Defender malware, dubbed MacGuard, doesn't require an admin password during its installation process.

This streamlines the process of installing the malware on unsuspecting users' machines, although it does not totally automate the process.

The Mac Defender malware is a malicious fake antivirus that propagates itself through links among the top results for searches. When a link is clicked, it downloads itself automatically and begins the install process. Previously, the user would have to interact with the installer by clicking next, then enter their admin password before it would infect the machine. Now, the user must still choose to install it, but the password step has been done away with. [Screenshot]

The new MacGuard variant is also different in that once it's installed, it downloads a payload from the web, the purpose of which is unclear but most likely has to do with recording and transmitting credit card numbers or other personal information.

Continued: http://thenextweb.com/apple/2011/05/25/new-macguard-malware-variant-gets-slightly-easier-to-install/

Intego Security Memo: New Mac Defender Variant, MacGuard, Doesn't Require Password for Installation
