General discussion

NEWS - November 09, 2010

Pianist loses over $6 million in bizarre computer virus-related scam

A court has heard that a couple conned at least $6 million from the great-grandson of an oil industry tycoon after he brought his virus-infected computer in for repair.

Although the victim's name has not been released by the authorities, the media has named him as jazz pianist and composer Roger Davidson, an heir of oil tycoon Conrad Schlumberger.

According to media reports, prosecutors in Westchester (NY), charged 36-year-old Vickram Bedi and his girlfriend Helga Invarsdottir. The couple are said to have tricked the composer into believing that while investigating the virus they had found evidence that his life was in danger.

Bedi and his 39-year-old girlfriend were arrested last week at their home in Chappaqua, as they were preparing to leave for Iceland.

Now, you're not going to believe this next bit. I didn't at first either..

Continued @ Naked Security

Also : Oil heir loses $6m in 'CIA-Opus-Dei' malware murder scam

Discussion is locked

Follow
Reply to: NEWS - November 09, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - November 09, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Comments
- Collapse -
Barracuda Networks Launches Bug Bounty Program

Following the lead of Mozilla and Google, Barracuda Networks is launching a bug bounty program that will pay out cash rewards for vulnerabilities found in the company's own products.

The move by Barracuda, a maker of mail security and data protection products, is the first such bug bounty program offered by a pure security technology vendor. Mozilla and Google are the two most prominent examples of general technology companies that offers rewards for vulnerabilities, and both of those companies have seen their programs succeed in the last year. In fact, both Google and Mozilla have raised the prices that they pay for the most severe bugs, with Mozilla shelling out up to $3,000 and Google paying as much as $3,133.7 for bugs.

Barracuda officials said they'll match Google's top price for severe bugs and the minimum bug bounty will be $500. The company will only pay out rewards for bugs that are disclosed privately to Barracuda, although once the bug is fixed, the researcher is free to disclose it publicly. Bugs found in barracuda's Spam and Virus Firewall, Web Filter, Web Application Firewall and NG Firewall are eligible for the cash rewards.

Bugs that are in scope for the reward program are vulnerabilities that compromise confidentiality, availability, integrity or authentication. Those would include vulnerabilities such as remote exploits, privilege escalation, cross site scripting, code execution, command injection

http://threatpost.com/en_us/blogs/barracuda-networks-launches-bug-bounty-program-110910

- Collapse -
Body Armor for Bad Web Sites

Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called "bulletproof hosting" providers, mini-ISPs that specialize in offering services that are largely immune from takedown requests and pressure from Western law enforcement agencies.

Until recently, you more or less had gain access to and lurk on the right underground forums to be able to rent services from bulletproof hosting providers. These days, it's becoming easier to find these badware havens advertising out in the open. Last week, I traced the activities of one particular service frequented by criminals back to a bulletproof provider whose slogan says it all: "You'll Never Get Any Abuse From Us!"

Of course, just how insulated this particular provider's services are and how much illicit activity you can get away with while using them depends largely on how much you?re willing to shell out each month. For example, an entry level "default bulletproof server" allows customers to host things like rogue online pharmacies, replica, gambling, and MP3 sites for $270 per month. But this service level bars customers from hosting nastier content, such as malware, spyware, adware, exploits, viruses, and phishing sites.

http://krebsonsecurity.com/2010/11/body-armor-for-bad-web-sites/

- Collapse -
RockMelt and Facebook - friends with each other, but what..
...about you?

A new browser called RockMelt just launched. It's already generating breathless publicity.

But is it really a new browser? And is it even a novel idea? Or is it just Flock, "the award winning social web browser", in new guise?

Flock is based on Firefox, whilst RockMelt is based on Chromium. That means that neither really counts as a new browser. And I'm not sure that creating a browser build which integrates even more tightly with your social networking life - notably, Twitter and Facebook - really counts as novel, though it does sound like a new way to let you make even more egregious blunders with your Personally Identifiable Information than ever before.

Unlike Chrome Beta releases, or those from Firefox, the RockMelt Beta is quite the opposite of what social networking seems to be all about. It's not open or inclusive at all. You have to ask for an invitation. And guess how you do that?

By installing a Facebook app. This application requires access to your basic information, the right to send you email, and the right to post to your wall.

http://nakedsecurity.sophos.com/2010/11/09/rockmelt-and-facebook-friends/

RockMelt Related: RockMelt browser slithers onto interwebs
- Collapse -
Symantec Releases Free Norton DNS Tool

Symantec presented a beta version of the free Norton DNS tool as part of their Norton Everywhere initiative this spring. Norton DNS is now out of beta, and it remains free for all to use.

DNS, the Domain Name System takes a human-readable domain name like pcmag.com and translates it into an IP address like 208.29.69.144. At its simplest, a secure DNS service prevents server-side attacks that can redirect normal web traffic to malicious sites. Most such services promise to process DNS requests faster than default servers and thus speed your surfing.

Norton DNS does more than just ensure that domain names are translated correctly. It relies on Symantec's site reputation services to identify and block dangerous sites such as phishing sites and those hosting malware. Your computer never comes close to connecting with these dangerous sites.

There are other options for secure DNS. OpenDNS offers a free basic service and paid plains aimed at business as well as the DNS-based FamilyShield Parental Controls. Comodo Secure DNS is free but pays for itself in part by redirecting site-not-found errors to ad-related search pages. Sunbelt's ClearCloud DNS service, now in beta, manages to do without the ads. Google's Public DNS made a splash last year. How do you choose?

http://www.pcmag.com/article2/0,2817,2372326,00.asp

- Collapse -
Hotmail security improves with full-session HTTPS encryption

From Windows Live Blog:

Beginning today, Hotmail is providing you with the option to enhance the security of your entire Hotmail session with HTTPS data encryption (via secure socket layers, or SSL), which is currently used to help secure your Hotmail sign-in. Today?s update joins a series of other recent security updates, with which Hotmail offers advanced security safeguards to help protect your email account from hijackers and fraud.

Also starting today, SkyDrive, Photos, Docs, and Devices pages all automatically use SSL encryption, transferring all their data over HTTPS. By using a connection with advanced security features, you can be even more confident that your account is safer from hijackers, and your private information is less likely to fall into someone else?s hands.

To enable HTTPS for your Hotmail inbox, calendar, and contacts, go to https://account.live.com/ManageSSL. Once you enable this feature, all of your future connections to Hotmail will be delivered over SSL.

Some connections to Hotmail won?t be available if you turn on HTTPS, including:
Outlook Hotmail Connector
Windows Live Mail
The Windows Live application for Windows Mobile (version 6.5 and earlier) and Symbian

http://windowsteamblog.com/windows_live/b/windowslive/archive/2010/11/09/hotmail-security-improves-with-full-session-https-encryption.aspx

- Collapse -
Antitrust case against Microsoft over AV would be...
'longshot,' says expert

Another rival punches Microsoft for distributing free antivirus software through Windows' update service

Trend Micro isn't the only rival unhappy with Microsoft about Security Essentials' new distribution channel. Panda Security took its shots Monday.

"If [Microsoft's] objective is truly to protect users from malware, then why doesn't Microsoft allow [Security Essentials] to install in pirated copies of Windows?" asked Luis Corrons, the director of Panda's research lab, in a Monday post to a company blog. "Even Microsoft itself acknowledges that malware infections are more prevalent in illegal copies of Windows." As Corrons noted, Microsoft blocks users running counterfeit copies of Windows from installing Security Essentials. And the company has explained some countries' high PC infection rates by claiming that users running bogus Windows are leery of patching their systems.

"While Microsoft wants us to think it is doing this out of the goodness of their hearts, the reality is that the measure will have little impact as millions and millions of unlicensed Windows PCs will continue spreading viruses and infecting the rest of us," argued Corrons.

Corrons also knocked Security Essentials' quality -- a common tactic by rival antivirus vendors -- and called on Microsoft to make Windows more secure, not waste its time distributing security software.

"Microsoft's security resources should work on making the OS more secure, not just putting a Band-Aid on it," Corrons said. "Microsoft should make a serious development effort to secure the OS from the ground up, and not limit the security tools currently available to its users."

http://www.networkworld.com/news/2010/110910-antitrust-case-against-microsoft-over.html?page=2

Also see: Rival calls foul over Microsoft's delivering Security Essentials via Windows Update
- Collapse -
iPhone's Safari dials calls without warning, says researcher

A security researcher says the way the iPhone handles certain URL schemes could pose a security risk

A security researcher is asserting that Apple has made a poor security decision by allowing its Safari browser to honor requests from third-party applications to perform actions such as making a phone call without warning a user.

Safari, like other browsers, can launch other applications to handle certain URL protocols. These might be in clickable links, or in embedded iframes.

An iframe containing a URL with a telephone number, for example, will cause Safari to ask if the user wants to make a phone call to that particular number, wrote Nitesh Dhanjani, a security researcher, on the SANS Application Security Street Fighter blog. Users can tap a button to make or cancel the call.

But Dhanjani found that behavior changes in some cases. For example, if a user has Skype installed and stays logged into the application, Safari does not give an alert when it encounters a Skype URL in an iframe, and immediately starts a Skype call, he said.

http://www.networkworld.com/news/2010/110910-iphones-safari-dials-calls-without.html

Also see:
Insecure Handling of URL Schemes in Apple's iOS
Malicious URLs Pose Mobile Hijacking Risk

- Collapse -
A new twist on Facebook phishing

From Trend Micro Countermeasures blog:

Facebook users have alerted me to some worrying looking unsolicited direct messages they have been receiving today.

The messages, which purport to come from "FB Customer Care" warn that the unsuspecting victim is due to be "disconnected from our server due to several violations". The nature of the violations is unspecified, but helpfully the scam artists (for that is indeed what they are) do offer a link where you can "Confirm your identity"

If a user is concerned enough to click the link in the message they will be taken to a replica of the Facebook website claiming to represent Facebook Security. As you can see from the screen grab below, it's not just about Facebook credentials. These enterprising fraudsters are also after your date of birth and email credentials too!

- Collapse -
JetBlue tickets scam spreads via Facebook, tricks Jezebel

Facebook users are seeing lots of messages claiming to link to a special JetBlue Airways offer, claiming they can get free tickets. Unfortunately, anyone who clicks on the link is in danger of signing-up for a premium rate mobile phone service.

The messages look something like this (the precise wording may vary):

JetBlue Airways
Your Free Trip
2 Free JetBlue Airways Tickets - Facebook Users Only


The scam has been spread more widely, in part, because the Facebook page belonging to Jezebel.com (a women's lifestyle blog, part of the Gawker network) passed on the message to its 30,000+ fans.

If you were to click on the link you are taken to a webpage (with a large version of the JetBlue Airways logo in the background) which asks you to "Facebook Connect" with the site in order to access the alleged special offer.

If you do that then Facebook asks if you want to give permission for an application called "JetBlue Family" to gain access to your account information, including the right to email you and post messages to your wall.

Proceeding further, however, takes you to page which attempts to make money for the scammers - either in the form of a revenue-generating survey or, in my case, a page which tries to trick you into signing up for an expensive premium rate cell phone service (charged at ?4.50 per week).

http://nakedsecurity.sophos.com/2010/11/09/jetblue-tickets-scam-spreads-via-facebook-jezebel/

- Collapse -
Lost all respect for Miley Cyrus?Facebook survey scam spread
virally

From Sophos Blog:

Toni, one of the members of the Sophos Facebook page, just got in touch with me asking if I'd seen the latest scam spreading virally across the social network.

Users are seeing messages posted by their online friends about teen popstar Miley Cyrus. They look like the following:

SICK! I lost all respect for Miley Cyrus when I saw this photo

We have seen a number of different URLs being used in the messages, but they all redirect to a page which shows a traffic sign-like image of the word "respect" crossed out in red.

The page also says "SICK! I lost all respect for Miley Cyrus when I saw this photo" followed by a large flashing graphical button labelled "CLICK HERE" under the message "Please click here, then ALLOW to see the photo." [...]

If you do click on the "CLICK HERE" button you will be taken to a standard Facebook application permissions dialog, which asks for you to approve the third-party app to access your personal data, send you emails, post status messages and pictures to your wall.

It's hard to believe that people would allow this to happen, but if you're desperate to see a picture of Miley Cyrus which will make you lose all respect for her (the mind boggles..) then you may well click further on.

Unfortunately continuing is a mistake, as you will be lead directly to a CPALead survey, which earns the scammers money every time one of their dumb questionnaires is answered.

The scammers only need a few people to complete their survey to make it financially worthwhile to build rogue applications like this - that's why there are so many of them. If only Facebook took a tougher line about the applications it allowed on its network.
- Collapse -
Microsoft Plugs Office Holes, But No IE Fix Yet

Microsoft Corp. today issued three bundles of updates fixing at least 11 security vulnerabilities in its software, mainly flaws in Microsoft Office products. But the company did not release an update today to remedy a critical flaw built into in all versions of the Internet Explorer Web browser that is now being exploited by at least one common, automated hacker toolkit.

Two of the updates address Office bugs, including one that is limited to older versions of PowerPoint and PowerPoint Viewer. Only one of today's patches earned a "critical" rating, Microsoft's most serious. But experts are warning that this critical Office vulnerability is likely to be used in targeted e-mail attacks against Microsoft Outlook users.

"One of the most dangerous aspects of this vulnerability is that a user doesn't have to open a malicious email to be infected," said Joshua Talbot, security intelligence manager for Symantec Security Response. "All that is required is for the content of the email to appear in Outlook's Reading Pane. If a user highlights a malicious email to preview it in the Reading Pane, their machine is immediately infected. The same holds true if a user opens Outlook and a malicious email is the most recently received in their inbox; that email will appear in the Reading Pane by default and the computer will be infected."

Microsoft did not issue an update to fix a zero-day flaw in Internet Explorer that bad guys are exploiting to break into Windows computers. Last week, the software giant warned that crooks were exploiting the flaw in targeted attacks, and that it had no intention of issuing a fix for the security hole outside of its normal monthly patching process (the second Tuesday of each month -- today -- is Patch Tuesday).

http://krebsonsecurity.com/2010/11/microsoft-plugs-office-holes-but-no-ie-fix-yet/

Also see:
Microsoft Security Advisory (2458511)
Heads up... 0-day in an exploit kit; Danger to IE users climbs as hacker kit adds exploit
Security Patch Won't Fix Notorious IE Flaw

- Collapse -
BlackSheep Not the Best Protection Against Firesheep

Firesheep works by sniffing unencrypted Wi-Fi networks and commandeering sessions. If you're using Facebook, for example, on the same open Wi-Fi network as a Firesheep attacker, they can take over your session and use Facebook as if they were you.

BlackSheep works by sending out a fake session and looking on the network for reactions typical of Firesheep's. If it finds them, it warns you to be careful and, in fact, to disconnect.

DarkReading cites Robert Graham, chief executive of Errata and developer of sidejacking tool Hamster, on the weaknesses of the BlackSheep approach. BlackSheep, it seems, is tailored specifically to Firesheep and not to sidejacking in general. Graham says that the Electronic Frontier Foundation's HTTPS Everywhere plugin gives better protection, but like Firesheep and BlackSheep, it's Firefox-only.

The real answer is that you shouldn't use open Wi-Fi networks or, if you do, use a VPN inside them so that your traffic isn't unencrypted on the air. As Graham said, "[A]ny company solving this problem without encryption is providing snake oil."

http://www.pcmag.com/article2/0,2817,2372386,00.asp?kc=PCRSS05079TX1K0000992

Also see: Zscaler Releases Blacksheep to Fight Firesheep

- Collapse -
Facebook Finds A New Way To Liberate Your Gmail Contact Data

That huge sucking sound you hear is Facebook, piling data from third parties into its mouth as fast as it can while it remains stubbornly greedy about releasing its own data to anyone it doesn't like. Which is mostly Google these days, since Yahoo and AOL completely surrendered and Microsoft actually owns part of them.

Google shut them down last week, restricting API access and effectively blocking contacts exports to Facebook in any automated way. This is, I wrote, the true beginning of data protectionism.

Now Facebook has found a way around that restriction. They're leveraging a Google feature that lets users download their own data for their own use -- part of Google's golf-clap worthy data liberation effort. They've hacked a solution around the block by giving users a direct deep link to the download feature. And then users can upload that file directly to Facebook.

Can Google block this? One engineer I spoke with says yes, but it will be difficult

http://techcrunch.com/2010/11/08/facebook-finds-a-new-way-to-liberate-your-gmail-contact-data/

Also see: Google Blocks Facebook From Importing Contacts

- Collapse -
Steve Ballmer reveals his secret Twitter account

"Quietly" is not a word that would usually describe any action performed by Microsoft CEO Steve Ballmer. But quietly is exactly how Ballmer has conducted himself on Twitter, a site he joined over a year ago unbeknown to most of the technology world.

Just a few days ago, Ballmer was speaking in Kiev, Ukraine, and according to a transcript on the Microsoft website, Ballmer responded to an audience member who asked "when are you going to start tweeting?"

Ballmer said: "I have a Twitter account. I'm just very private about who I really am on Twitter."

At that point, Ballmer took out his Windows phone and made only his third tweet: "I love kpi," KPI standing for Kiev Polytechnic Institute, the site of his speech.

"All right. I love KPI. Now you know how to find me on Twitter," Ballmer said, adding "I should have written Kiev Polytechnic because most people in the U.S. will think KPI means I love key performance indicators. But you know the truth. Steve B. Microsoft up on Twitter."

http://www.networkworld.com/community/blog/steve-ballmer-reveals-his-secret-twitter-acco

- Collapse -
LimeWire Resurrected By Secret Dev Team

Last month, the Gnutella-based file-sharing client LimeWire was effectively outlawed after a U.S. federal judge granted a request from the RIAA to shut the software down. Now, not even a month later, LimeWire is back as good as new. Not only has a secret dev team reanimated the hugely popular client, but they have also made a few significant changes which make it better and more streamlined than before.

http://torrentfreak.com/limewire-resurrected-by-secret-dev-team-101108/

Also see: Judge slaps Lime Wire with permanent injunction

- Collapse -
Social apps, security problems

Users of Orkut - the large social network in Brazil are again a target of attacks - this time the problem was malicious Apps, small applications that can be added in the user's profile and executed directly in the browser. Some apps were able to do a redirection when loaded in the user's profile, leading to phishing pages. Simply visiting an affected profile was enough to be redirected; no other user interaction was needed. During these attacks we collected and blocked more than 50 phishing domains used in this malicious scheme - it's believed that approximately 150,000 profiles had their IDs stolen.

Currently more than 16,000 apps are available to be installed in a Orkut profile - and some bad guys were able to publish malicious apps in the Apps Directory, even while Google reports that all of them are checked before publishing. One of the main malicious apps used in these attacks was "ChateTVOnline", an app that promises the ability to watch TV channels.

In the source code of the app it is possible to see the main cause of the problem: when installed in a profile it's possible to run external code, not hosted on Orkut servers. It allows the developer to make redirections to phishing domains.

After being installed in the user's profile the malicious app will run every time someone enters the profile and the redirection will occur. All the accounts stolen were used to spread the attack, adding automatic scraps, which are short messages, in some communities asking other users to install the malicious app or to visit the affected profile.

Around 50 phishing domains were used in this malicious scheme. In just one of them, goooble.com.br, a typosquatting of google.com.br we found more than 440 users ID stolen.

http://www.securelist.com/en/blog/4102/Social_apps_security_problems

- Collapse -
Internet firms must be accountable for data: execs

Internet companies need to be more accountable for the mass of personal data collected from users to guard against cybercrime, industry executives said on Tuesday.

"Information is the currency of growth, but it's also increasingly become the currency of crime," Peter Cullen, chief privacy strategist for Microsoft Corp, said at the Family Online Safety Institute's annual conference.

"People have very high expectations when it comes to companies in terms of how they collect, use, store and most importantly protect their information," Cullen said.

Companies must hold themselves to high standards when handling consumers' personal information and invest more in internal structures to ensure privacy, he added.

Michael Fertik, founder of the online reputation-management company ReputationDefender, called for U.S. regulations that mandate opt-in defaults to give consumers greater control of their "digital dossier."

"It's remarkable how deep the data sets are about each of us, and it's disturbing," Fertik told Reuters, citing websites that track users' locations.

Companies such as Google Inc, Yahoo Inc, Facebook and Microsoft collect personal data that is often used in advertising or passed on to third parties without users' knowledge.

Fertik advocated limits on how long companies can keep personal data on consumers, warning that over time the data could be used beyond advertising, such as assessing health care premiums based on how often a person frequents fast food restaurants.

http://www.reuters.com/article/idUSTRE6A90BR20101110

CNET Forums

Forum Info