NEWS - November 06, 2014

Nov 6, 2014 5:57AM PST
Where've you been? Your smartphone's Wi-Fi is telling everyone

"Ars performs a DIY signals intelligence test with smartphone "probe" requests."

Every time you use Google or Apple mobile location services, you're not just telling the services where you are. You're also shouting many of the places you've been to anyone who happens to be listening around you—at least if you follow Google's and Apple's advice and turn on Wi-Fi for improved accuracy.

Wi-Fi is everywhere. And because of its ubiquity, Wi-Fi access points have become the navigational beacons of the 21st century, allowing location-based services on mobile devices to know exactly where you are. But thanks to the way Wi-Fi protocols work, mapping using Wi-Fi is a two-way street—just as your phone listens for information about networks around it to help you find your way, it is shouting out the name of every network it remembers you connecting to as long as it remains unconnected.

Continued: http://arstechnica.com/information-technology/2014/11/where-have-you-been-your-smartphones-wi-fi-is-telling-everyone/

Feds Arrest Alleged 'Silk Road 2' Admin, Seize Servers
Nov 6, 2014 6:08AM PST

Federal prosecutors in New York today announced the arrest and charging of a San Francisco man they say ran the online drug bazaar and black market known as Silk Road 2.0. In conjunction with the arrest, U.S. and European authorities have jointly seized control over the servers that hosted Silk Road 2.0 marketplace. [Screenshot]

On Wednesday, agents with the FBI and the Department of Homeland Security arrested 26-year-old Blake Benthall, a.k.a. "Defcon," in San Francisco, charging him with drug trafficking, conspiracy to commit computer hacking, and money laundering, among other alleged crimes.

Benthall's LinkedIn profile says he is a native of Houston, Texas and was a programmer and "construction worker" at Codespike, a company he apparently founded using another company, Benthall Group, Inc. Benthall's LinkedIn and Facebook profiles both state that he was a software engineer at Space Exploration Technologies Corp. (SpaceX), although this could not be immediately confirmed. Benthall describes himself on Twitter as a "rocket scientist" and a "bitcoin dreamer."

Continued: http://krebsonsecurity.com/2014/11/feds-arrest-alleged-silk-road-2-admin-seize-servers/

Related:
US Attorney's office: Whoops, Silk Road 2.0 hired a fed [Updated]
Alleged operator of Silk Road 2.0 arrested, faces narcotics charges
Feds Seize Silk Road 2 in Major Dark Web Drug Bust

WireLurker Mac OS X Malware Shut Down
Nov 6, 2014 6:08AM PST

WireLurker is no more.

After causing an overnight sensation, the newly disclosed family of Apple Mac OS X malware capable of also infecting iOS devices has been put to rest. Researchers at Palo Alto Networks confirmed this morning that the command and control infrastructure supporting WireLurker has been shut down and Apple has revoked a legitimate digital certificate used to sign WireLurker code and allow it to infect non-jailbroken iOS devices.

"WireLurker is gone," said Ryan Olson, intelligence director at Palo Alto. "What's important about this attack is the precedent it set by some new techniques presented in this attack that were actually pretty effective."

The ultimate goal of the WireLurker attacks, which were limited to China, is unknown but the malware was capable of stealing system information and data stored on mobile devices. Other personal information such as credentials or banking transactions was spared.

Continued : http://threatpost.com/wirelurker-mac-os-x-malware-shut-down/109204

Related:
800 million Apple devices threatened by 'WireLurker' malware
Double trouble for Apple, as two software security flaws discovered

OS X Yosemite sports serious privilege escalation bug
Nov 6, 2014 6:09AM PST

A Swedish researcher has unearthed a serious bug that affects the newest version of OS X - version 10.10, or Yosemite - and which could allow attackers to gain complete control of the target's Mac machine.

It's a privilege escalation bug he dubbed Rootpipe, but declined to explain why, as the explanation could reveal details that would help attackers find it and create an exploit.

The existence of the flaw has been indirectly confirmed by Apple when they asked the researcher to delay publishing details about it until January 2015, after a fix for the bug is released and pushed out to users.

TrueSec researcher Emil Kvarnhammar says he found the flaw while preparing for two security events at which he wanted to demonstrate one. As not many POCs for OS X bugs are published and most affect older versions of the OS, he thought he would try to find one himself.

Continued: http://www.net-security.org/secworld.php?id=17581

Related:
Unpatched bug in Mac OS X gives root access to untrusted people
Rootpipe flaw in OS X could allow hackers to completely take over your Mac
Double trouble for Apple, as two software security flaws discovered

Google open sources nogotofail, a network testing tool
Nov 6, 2014 6:09AM PST
Google open sources nogotofail, a network traffic security testing tool

In their quest to make users, the Internet, and digital devices in general more secure, a number of big Internet companies have recently announced a new collaboration that will focus on making open source projects "easier for everyone".

Some companies have begun open sourcing their own projects. For example, Facebook recently did it with osquery, a framework that allows developers to explore and analyze operating systems.

Netflix released some of its internally developed tools for detecting planned attacks on target infrastructure.

Continued: http://www.net-security.org/secworld.php?id=17584

Related: Google releases "nogotofail" to detect HTTPS bugs before they bite users

Government Requests for Facebook User Data Increasing
Nov 6, 2014 6:26AM PST

Facebook's latest transparency report shows that U.S. law enforcement agencies issued a greater number of total requests for user data related to criminal investigations in the first six months of 2014 than they have over any previous such period.

This report, per Justice Department reporting guidelines, breaks down into essentially two sections: very specific data about the number of requests for criminal investigative information and broad ranges of data concerning national security investigations.

"We respond to valid requests relating to criminal cases," Facebook officials said in a statement. "Each and every request we receive is checked for legal sufficiency and we reject or require greater specificity on requests that are overly broad or vague."

Continued: http://threatpost.com/government-requests-for-facebook-user-data-increasing/109177

Related: Government Requests For User Data Rise 24% in First Half of 2014, Facebook Says

The psychology of Facebook scam victims
Nov 6, 2014 7:02AM PST

A two-year study of over 850,000 Facebook scams by antivirus software provider Bitdefender has revealed that scammers have infected millions of users with the same repackaged tricks. The in-depth study was conducted on scams spreading across the UK, the US, Europe and beyond. [Screenshot]

The team of behavior analysts and psychologists at Bitdefender analyzed the top five scam categories and revealed there is no such thing as a typical victim profile: anyone can fall victim to a Facebook scam, such as the classic 'guess who viewed your profile' ruse.

The analysis also revealed a lack of understanding about Facebook's functionality. While almost half of social media e-threats prey on users' curiosity to check who has viewed their profile, almost one in three scams attract victims with features that Facebook doesn't even have, such as dislike buttons and different timeline colours.

Continued: http://www.net-security.org/secworld.php?id=17573

The proof is in the cookie
Nov 6, 2014 7:03AM PST

"Malwarebytes Unpacked" Blog:

During the past few weeks, we have heard a lot about malvertising, the technique of delivering malware through booby-trapped adverts.

Ad networks and ad agencies of all kinds have been involved in massive campaigns that serve malware onto visitors.

The case we are going to talk about today seemed rather typical and not particularly interesting at first sight. It turned out to be the exact opposite, and showed us how far the bad guys can go to disguise an attack. The picture below illustrates the overall workflow:

Continued: https://blog.malwarebytes.org/malvertising-2/2014/11/the-proof-is-in-the-cookie/

Still Spamming After All These Years
Nov 6, 2014 7:03AM PST

A long trail of spam, dodgy domains and hijacked Internet addresses leads back to a 37-year-old junk email purveyor in San Diego who was the first alleged spammer to have been criminally prosecuted 13 years ago for blasting unsolicited commercial email.

Last month, security experts at Cisco blogged about spam samples caught by the company's SpamCop service, which maintains a blacklist of known spam sources. When companies or Internet service providers learn that their address ranges are listed on spam blacklists, they generally get in touch with the blacklister to determine and remediate the cause for the listing (because usually at that point legitimate customers of the blacklisted company or ISP are having trouble sending email).

In this case, a hosting firm in Ireland reached out to Cisco to dispute being listed by SpamCop, insisting that it had no spammers on its networks. Upon investigating further, the hosting company discovered that the spam had indeed come from its Internet addresses, but that the addresses in question weren't actually being hosted on its network. Rather, the addresses had been hijacked by a spam gang.

Continued: http://krebsonsecurity.com/2014/11/still-spamming-after-all-these-years/

Banking Trojan DRIDEX Uses Macros for Infection
Nov 6, 2014 8:21AM PST

TrendLabs Security Intelligence Blog:

Included in our predictions for the upcoming year is that more severe online banking and other financially-motivated threats will arise. It seems that we didn't have to wait for 2015 to see proof of this prediction. We recently came across banking malware that features new techniques to cast a wider net for victims and avoid detection. This malware, known as DRIDEX, is being touted as the successor of the banking malware CRIDEX.

The appearance of DRIDEX comes a couple of years after CRIDEX's entry in the threat landscape. Both CRIDEX and DRIDEX steal personal information, specifically data related to online banking. DRIDEX is considered the successor because it uses a new way to steal information—via HTML injections.

However, there is a major difference between the two. CRIDEX malware is one of the payloads associated with exploit kit spam attacks. DRIDEX, on the other hand, relies on spam to deliver Microsoft Word documents containing malicious macro code. The macro code downloads DRIDEX onto the affected system.

Continued: http://blog.trendmicro.com/trendlabs-security-intelligence/banking-trojan-dridex-uses-macros-for-infection/

Related:
'Dridex' malware revives Microsoft Word macro attacks
Dridex-laden spam emails targeting First World bank users

EFF: VPNs will crumble Verizon's creepy supercookie stalkers
Nov 6, 2014 8:22AM PST

"Now that ad networks are jumping on the privacy vulnerability"

The Electronic Frontier Foundation says Verizon's silent supercookies, which always follow subscribers around the internet, are being abused by creepy advertisers to push targeted ads.

The EFF says people should start using encrypted VPNs by default to claw back their privacy, because opting out of the system is not enough.

Two years ago Verizon started stamping a unique identifier token header (UIDH) on each website visit made by subscribers via its cellular data network. As the name suggests, the identifiers are unique to each person, allowing website owners to quietly build up profiles on people using these ID codes.

Continued: http://www.theregister.co.uk/2014/11/06/mobile_vpns_will_save_you_from_verizons_creepy_tracker_advises_eff/

Prior (related) post: Verizon's 'Perma-Cookie' Is a Privacy-Killing Machine

Crypto attack that hijacked Windows Update goes mainstream in Amazon Cloud
Nov 6, 2014 8:23AM PST

"Collision attack against widely used MD5 algorithm took 10 hours, cost just 65 cents."

[Screenshot] Underscoring just how broken the widely used MD5 hashing algorithm is, a software engineer racked up just 65 cents in computing fees to replicate the type of attack a powerful nation-state used in 2012 to hijack Microsoft's Windows Update mechanism.

Nathaniel McHugh ran open source software known as HashClash to modify two separate images—one of them depicting funk legend James Brown and the other R&B singer/songwriter Barry White - that generate precisely the same MD5 hash, e06723d4961a0a3f950e7786f3766338. The exercise - known in cryptographic circles as a hash collision - took just 10 hours and cost only 65 cents plus tax to complete using a GPU instance on Amazon Web Service. In 2007, cryptography expert and HashClash creator Marc Stevens estimated it would require about one day to complete an MD5 collision using a cluster of PlayStation 3 consoles.

Continued: http://arstechnica.com/security/2014/11/crypto-attack-that-hijacked-windows-update-goes-mainstream-in-amazon-cloud/

Related: Crypto collision used to hijack Windows Update goes mainstream