General discussion

NEWS - November 05, 2010

Microsoft responds to Firesheep cookie-jacking tool

The Firesheep developers continue to be under fire for releasing their cookie-jacking plug-in. However, in doing so they have already made Microsoft promise that it will fully convert its Hotmail / Windows Live email service to SSL. According to a report from US news web site Digital Society, the services are to be converted before the end of November.

The current default is that only the log-in data is encrypted in the browser, but subsequent pages and log-in cookies are transmitted in plain text. Firesheep can collect these details, for instance, on public Wi-Fi networks, and make them available to access accounts without authorisation. The tool is so easy to operate that even those who are new to scripting can wreak havoc with it in such places as a local coffee shop.

Tools like FireShepard try to frustrate Firesheep's data collection activities by flooding the Wi-Fi network with junk, which causes the plug-in to crash. However, this counter-attack doesn't solve the basic problem. Plug-ins such as HTTPS Everywhere for Firefox can, at least, automatically redirect connections to SSL-encrypted pages - but only if this is supported by the server.

- Collapse -
Rival calls foul over Microsoft's delivering MSE via Windows
'Rival calls foul over Microsoft's delivering Security Essentials via Windows Update'

"Trend Micro says Microsoft's offer of free antivirus software in update service may be unfair competition"

Microsoft this week began offering U.S. customers its free antivirus program via Windows' built-in update service, a move one major security firm said may be anticompetitive.

Last Monday, Microsoft started adding Security Essentials to the optional download list seen by U.S. users running Windows XP, Vista or Windows 7 when they fired up the operating system's update service. The move followed an Oct. 19 kickoff of a similar program in the U.K.

"Commercializing Windows Update to distribute other software applications raises significant questions about unfair competition," said Carol Carpenter, the general manager of the consumer and small business group at Trend Micro, on Thursday.

"Windows Update is a de facto extension of Windows, so to begin delivering software tied to updates has us concerned," she added. "Windows Update is not a choice for users, and we believe it should not be used this way."

If Windows doesn't detect working security software on the PC, Microsoft adds Security Essentials to the Optional section of Microsoft Update, a superset of the better-known Windows Update, or to Windows Update if it has been configured to also draw downloads from Microsoft Update.
- Collapse -
Researcher to Release Web-based Android Attack

A computer security researcher says he plans to release code Thursday that could be used to attack some versions of Google's Android phones over the Internet.

The attack targets the browser in older, Android 2.1-and-earlier versions of the phones. It is being disclosed Thursday at the HouSecCon conference in Houston by M.J. Keith, a security researcher with Alert Logic. Keith says he has written code that allows him to run a simple command line shell in Android when the victim visits a website that contains his attack code.

The bug used in Keith's attack lies in the WebKit browser engine used by Android.

Google said it knows about the vulnerability. "We're aware of an issue in WebKit that could potentially impact only old versions of the Android browser," Google spokesman Jay Nancarrow confirmed in an e-mail. "The issue does not affect Android 2.2 or later versions."

Version 2.2 runs on 36.2 percent of Android phones, Google says. Older phones such as the G1 and HTC Droid Eris, which may not get the updated software, could be at risk from this attack. Android 2.2 is found on phones such as the Droid and the HTC EVO 4

- Collapse -
Japan's Government Struggles with Internet Leaks

The Japanese government scrambled on Friday to find out how video of an altercation between a Chinese fishing trawler and the Japan Coast Guard ended up on YouTube. Its appearance marked the second time this week that sensitive government information was leaked on to the Internet.

Several video clips posted to YouTube show a Sept. 7 incident that occurred near a disputed island chain and resulted in the captain of a Chinese fishing boat being arrested.

In the most dramatic of the clips, a coast guard vessel is sailing alongside the fishing boat, blaring its siren and shouting in English and Chinese for the fishing boat to stop. The two ships then collide. In another clip the Chinese boat collides side-on with a coast guard vessel.

Japan and China regularly argue over the islands, but the disputes are usually small in scale. This time, with the arrest of the Chinese captain, things escalated and prompted protests in both countries.

Relations between the two countries were just beginning to improve after the incident at sea, with a meeting planned on the sidelines of an economic summit in Japan next week. The appearance of the video online threatened to put back these bilateral efforts, but the Chinese government appears to have taken the video in its stride and has been removing copies of the video from domestic video sites.

- Collapse -
EU Seeks Stronger Online Privacy Laws

"The European Commission wants to strengthen rules governing the collecting and use of personal data online."

The European Union wants to overhaul its privacy laws and tighten Web users' control over their information on social networking and other sites.

The push for new rules follows continued concerns about online privacy spotlighted by recent controversies, such as the situation with Google Street View. On Nov. 3, the U.K.'s Information Commissioner ruled there was a "significant breach of the Data Protection Act" when Google Street View vans collected private information from unprotected wireless networks.

"The protection of personal data is a fundamental right," said Vice President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship, in a statement. "To guarantee this right, we need clear and consistent data protection rules. We also need to bring our laws up to date with the challenges raised by new technologies and globalization. The Commission will put forward legislation next year to strengthen individuals' rights while also removing red tape to ensure the free flow of data within the EU's Single Market."

The commission is accepting public input on the rules through Jan. 15 via the Commission's Website. The rules, the commission proposed, should require that businesses clearly tell customers how, why, by whom and for how long their data is collected and used. People should also be able to give their informed consent to the processing of their personal data.

EU wants tighter online privacy
EU Unveils Strong Online Privacy Rules

- Collapse -
Two suspected ZBot mules arrested in Wisconsin

Computer crime authorities are continuing to mop up suspected members of the ZBot malware gang, alleged to have hijacked computers around the world and stolen millions of dollars from online bank accounts.

Dorin Codreanu and Lilian Adam, both originally from Moldova, have been arrested in Wisconsin, and are due to be transferred to New York City to face charges of committing bank fraud. The men, both 21 years old, are believed by the authorities to be "money mules", used to transfer money from accounts, once they have been compromised through use of malware. Codreanu is also alleged to have recruited other mules.

ZBot, also known as Zeus, is a family of malware that can hijack your computer, making it part of a criminal botnet. Over the past few years cybercriminals have used different versions of ZBot to steal money from online bank accounts, login details for social networking sites and email/FTP information.

Graham Cluley's post continued @ Sophos' Naked Security

Also : Two 21-year-old ZBot mule suspects cuffed in Wisconsin

- Collapse -
Wells Fargo, BoA Cited For Lax Mobile App Security

Days after publishing a report on serious security lapses in the PayPal mobile payments application for the iPhone, a Chicago firm has released an analysis that finds similar problems in mobile banking applications by Bank of America and Wells Fargo.

The report, published on Thursday by ViaForensics, surveys mobile banking applications for a range of institutions and for both the iPhone and Android platforms. While most passed muster with the firm, the analysis by the company's AppWatchdog platform found a number of flaws in Wells Fargo's banking application for the Android platform. They include insecurely stored login information as well as insecure application data - a broad category that could include account numbers, balances and transfer information or user data. Bank of America's application for Android was also found to store application data insecurely.

ViaForensics provides security analysis and testing services for software development firms, including those developing products for mobile applications. The firm's discovery of security holes in the PayPal application for iPhone prompted a patch for that application. The flaws were reported in the Wall Street Journal just days after ViaForensics disclosed them to the vendor - a breach of so-called "responsible disclosure" policies that ViaForensics said was necessary to protect mobile application users.

Prior (Related) Post: PayPal rushes out patched iPhone app

- Collapse -
Origami trojan takes shape in Russia, Ukraine

A new banking trojan, called Origami, is being used to attack bank customers in Russia and Ukraine, according to Joe Stewart, director of malware research at SecureWorks Counter Threat Unit.

The attacks on Russian and Ukrainian bank customers are a switch for bank trojans, which tend to originate in Russia and Ukraine and attack Western targets.

At the DLP Russian 2010 conference in Moscow this week, Stewart explained that there had been an "unspoken rule" among Russian trojan developers not to infect Russian computers. But times are changing.

Stewart said that the Origami trojan currently has limited distribution, but it is a "highly capable credential-stealing trojan".

The SecureWorks researcher supplied a "heat map" of Origami trojan infections. Most of the infections were centered around the Russian capital of Moscow and the Ukrainian capital of Kiev, but there were also concentrations in eastern Ukraine, as well as Belarus, Lithuania, Moldova, and Germany.

Stewart explained that anti-virus software is only 20% effective against a credential-stealing trojan like Origami.

- Collapse -
Huge Numbers Of People Hack Into Loved Ones' Accounts

If this survey is anything to go by, web users are a sneaky and mistrustful lot when it comes to the significant others in their lives.

Anti-virus software maker BitDefender surveyed 1500 people and asked respondents whether they had ever tried to hack into somebody else's social network account by illicitly retrieving the respective person's password.

The survey suggested that nearly nine out of 10 web users (89% of respondents) had searched for a password hacking method on the internet. Only 11% said they were not interested in this type of tool. Of the people who had searched for the software, 98% had gone on to install it and try to use it.

- Collapse -
PHP Attack Hits GoDaddy-Hosted Sites Again

In a recurring pattern, GoDaddy-hosted sites running PHP applications may be under attack again as hackers inject malicious code onto their sites.

Web administrators who host their domains on GoDaddy should check their source code again for rogue code that downloads malware, according to a security research firm.

Sucuri Security updated its Oct. 30 post warning about the latest malware attacks on GoDaddy-hosted sites with another note on Nov. 3. The research company was investigating reports of "another related outbreak of exploited sites on GoDaddy," read the update.

The affected sites generally ran some kind of PHP Web application, such as Zen Cart eCommerce or popular CMS packages including WordPress, Drupal and Joomla, according to a post on GoDaddy's blog. In a series of injection attacks, hackers were embedding malicious code into the site's Web application, often through blog comments, according to Chris Drake, chief executive of security-conscious Web host provider FireHost.

According to Sucuri Security, the code, when executed, inserted a single line of PHP code into every PHP file on the infected site: eval(base64_decode, followed by a string of random-looking characters, that hides actual PHP code that is being run. This command basically sets up a redirect to a malware site running rogue JavaScript code that automatically downloads fake antivirus and other scareware onto the visitor's computer, said the security firm.

Also : GoDaddy-hosted websites injected with malicious code
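
For administrators checking their source as the article advises, the following is an added example (not from Sucuri, GoDaddy or the original post) that walks a site directory, flags every eval(base64_decode(...)) statement and decodes the hidden code for review without running it. The sample site, file names and placeholder payload are constructed for the demonstration.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with optional whitespace and either quote style.
INJECTION_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)

# Constructed sample payload: a harmless comment stands in for the hidden code.
PLACEHOLDER = b"/* constructed stand-in for the hidden redirect */"
ENCODED = base64.b64encode(PLACEHOLDER).decode("ascii")


def find_injections(source):
    """Return (line_number, decoded_text) for each injected statement.

    The payload is only decoded for the analyst to read; it is never executed.
    """
    hits = []
    for match in INJECTION_RE.finditer(source):
        line_no = source.count("\n", 0, match.start()) + 1
        try:
            text = base64.b64decode(match.group(2)).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            text = "<payload is not valid base64>"
        hits.append((line_no, text))
    return hits


def scan_tree(root):
    """Scan every *.php file under root; return {relative_path: hits}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_injections(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a small constructed site (two infected files, one clean) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blog").mkdir()
        (root / "index.php").write_text(
            f"<?php eval(base64_decode('{ENCODED}')); ?>\n<?php echo 'shop'; ?>\n")
        (root / "blog" / "post.php").write_text(
            f'<?php\n$title = "hi";\neval( base64_decode ( "{ENCODED}" ) );\n')
        # Legitimate use of base64_decode without eval must not be flagged.
        (root / "about.php").write_text("<?php echo base64_decode('aGVsbG8='); ?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, text in hits:
            print(f"{name}:{line_no}: hidden code: {text}")
```

A match in a file the site owner did not write that way is a reason to restore that file from a known-good copy; the pattern alone does not catch variants that use a different wrapper function.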

- Collapse -
A Different Spin On Sleuthing Stuxnet

"Black Hat Abu Dhabi speaker to present homegrown tool and approach to tracing the origins of Stuxnet"

Conspiracy theories have run rampant ever since the Stuxnet worm was discovered this year, with speculation ranging from an inside job at Siemens to a nation state-sponsored targeted attack against Iran's nuclear operations. But what still doesn't add up with any of these scenarios is how Stuxnet spread outside the facility's SCADA systems to Windows machines around the world.

Stuxnet has been under the microscope for months as researchers around the world have picked apart and analyzed the malware's makeup and possible intent. No one knows for sure who is behind it nor its specific goal, but fingers have been pointed at Israel, the U.S., France, Germany, and England as a nation-state targeting Iran's nuclear activities.

But the trouble with all of the speculation is that much of it comes out of anti-malware analysis that looks at what the code did and how it affected victim machines versus who was actually responsible for writing it, says Tom Parker, director of security consulting services at Securicon. "That makes sense, of course, because a lot of business demands answering those questions. But it's not a good idea to use those same tools for attribution," says Parker, who will offer up a different method for malware attribution in a talk at Black Hat Abu Dhabi next week.

Also: Black Hat promises new exploit techniques, Stuxnet insight

- Collapse -
Sick of call centres? Don't worry, it gets worse...

For the past couple of years, cybercrooks have been going beyond fake anti-virus software, also known as scareware. After all, fake software can reach only so far.

They've found another way to scare you out of your cash: fake technical support centres. OK, the support centres are real enough. But the "support" is fraudulent. That begs the question, how do you tell?

That's a question which Sean Richmond, a product expert and trainer here at Sophos in Sydney, is regularly asked by the techies he trains. So I decided to put the same question to him in a podcast. Now you can play it to your friends and family if they ask you! [Podcast]

To explain: you can imagine how fake support calls might unfold. The caller is working with Windows, or Microsoft, or your ISP, to help protect the world from cybercrime. He's not selling you anything. He's giving you free advice.

Then he takes you to parts of the operating system you might not have seen before. Open the Event Viewer on Windows, or the Console application on your Mac, and you will see a never-ending list of dangerous-sounding errors of all sorts.

Next thing, you've been frightened into letting the scammer get remote access to your computer - and paying for the privilege with your credit card. Naturally, he will "fix" your computer. So although you've just incurred an unexpected support expense, you might even end up feeling relieved.

Continued @ Sophos' Naked Security

- Collapse -
Banload Trojans pose as .txt files

It seems there's a couple of trojans doing the rounds that are using a (semi) cunning disguise: [Screenshot:]

If you move in tech circles, watching people dress executables up as .txt files isn't going to be new to you but I guarantee you'll have a relative who hasn't heard of that one before. It's always worth a mention to a less computer savvy individual!

VirusTotal results are patchy at the moment - 19/43 for the business file, which isn't brilliant but a more robust 27/43 for play.txt (we detect them both as Trojan.Win32.Generic!BT). There are lots of versions of Banload, but typically you're dealing with something attempting to download data theft / banking malware to the infected computer. I'm told a number of websites hosting these files have been taken down in the last hour or two, but I imagine they'll be back soon enough.

Continued @ the Sunbelt Blog

- Collapse -
Hacker Extorted Teenage Girls with a Webcam Trojan

The FBI has issued a warning about a cautionary incident.

A 31-year-old Californian man was arrested for infecting computers with a backdoor trojan. He was sending the trojan via e-mail to people he had friended online. The malware was typically made to look like a video file. In reality it dropped a backdoor that gave the attacker control of the victim's PC. Then the attacker searched for explicit pictures from victims' computers. If he found any, he downloaded them, and used the images in an attempt to extort more pictures and videos from them. Many of the victims were teenage girls.

Now the FBI is trying to find more on the case. The hacker used a variety of screen names and e-mail addresses, which are listed below. If you have seen them online and have information that might help in the case, please contact the investigators working on the case.

Suspect screen names and e-mail addresses:

Continued @ the F-Secure Weblog

- Collapse -
Boffins devise early-warning bot spotter

Researchers have devised a way to easily detect internet names generated by so-called domain-fluxing botnets, a method that could provide a first-alarm system of sorts that alerts admins of infections on their networks.

Botnets including Conficker, Kraken and Torpig use domain fluxing to make it harder for security researchers to disrupt command and control channels. Malware instructs infected machines to report to dozens, or even tens of thousands, of algorithmically generated domains each day to find out if new instructions or updates are available. The botnet operators need to own only a few of the addresses in order to stay in control of the zombies. White hats effectively must own all of them.

It's a clever architecture, but it has an Achilles Heel: The botnet-generated domain names - which include names such as,, and - exhibit tell-tale signs they were picked by an algorithm rather than a human being. By analyzing DNS, or domain name system, traffic on a network, the method can quickly pinpoint and disrupt infections.

Also : New Technique Spots Sneaky Botnets
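
To make the idea of spotting domain fluxing in DNS traffic concrete, here is an added example (not the researchers' method and not from the original post) that groups failed lookups by client and flags hosts that repeatedly query random-looking names. It assumes a four-field log format, that unregistered names return NXDOMAIN, and a crude vowel-ratio test as a stand-in for the statistical analysis; all log lines and domain names are constructed.

```python
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed resolver log: "<time> <client> <query name> <response code>".
SAMPLE_LOG = [
    "09:00:01 192.0.2.10 wikipedia.org NOERROR",
    "09:00:04 192.0.2.10 wikipedai.org NXDOMAIN",        # human typo
    "09:00:09 192.0.2.23 xkqzvbtrwpl.example NXDOMAIN",
    "09:00:09 192.0.2.23 qwrtzpsdfgh.example NXDOMAIN",
    "09:00:10 192.0.2.23 hjkpqzxvbnm.example NXDOMAIN",
    "09:00:10 192.0.2.23 zzkqvtrplmx.example NOERROR",   # one name is registered
    "09:00:12 192.0.2.10 microsoft.com NOERROR",
    "garbled line",
]


def looks_generated(label):
    """Crude stand-in test: a long label with very few vowels."""
    chars = [c for c in label.lower() if c.isalnum()]
    if len(chars) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in chars) / len(chars)
    return vowel_ratio < 0.25


def suspicious_clients(log_lines, min_names=3):
    """Return {client: sorted random-looking names that failed to resolve}.

    A client is reported once it has at least min_names distinct failures,
    so a single mistyped address does not raise an alert.
    """
    failed = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _time, client, qname, rcode = parts
        name = qname.rstrip(".").lower()
        labels = name.split(".")
        if len(labels) < 2 or rcode != "NXDOMAIN":
            continue
        # Score the label directly left of the top-level domain.
        if looks_generated(labels[-2]):
            failed[client].add(name)
    return {c: sorted(n) for c, n in failed.items() if len(n) >= min_names}


if __name__ == "__main__":
    for client, names in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} failed lookups of generated-looking names")
        for name in names:
            print(f"  {name}")
```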
