Facebook account-protection push opts for scare tactics
Facebook has quietly begun testing new account-protection features but the scary wording of prompts to try out the technology might easily be mistaken for a sophisticated phishing attack.
Users of the social network might be offered the protection via an ad in the side panel which reads: "Your account protection is very low - increase protection". Clicking through the ad leads to a page on Facebook that encourages users to submit a second email address and a phone number. In some cases it also asks users to change their security question.
The phone number is requested even if users have previously deleted this information from their profile, making it appear like a push to get users to add their phone numbers on the basis that this will speed account recovery if something goes wrong.
Gmail recently introduced a similar procedure for webmail account recovery, and the basic approach is fair enough, though some will be understandably wary of handing over their phone number to either Gmail or Facebook.
It's far easier to fault Facebook for the vague and scaremongery warning that comes with the account protection push. Saying to users "Your account protection is very low - increase protection" mimics the approach of phishing scams, which are certainly not unknown on Facebook. Trend Micro warned of one such phishing scam only earlier this week.
Google, Facebook duke it out over user data
Google alerts users to Facebook contacts 'trap'
ATM skimmers come in all shapes and sizes, and most include several components - such as a tiny spy cam hidden in a brochure rack, or fraudulent PIN pad overlay. The problem from the thief's perspective is that the more components included in the skimmer kit, the greater the chance that he will get busted attaching or removing the devices from ATMs.
Thus, the appeal of the all-in-one ATM skimmer: It stores card data using an integrated magnetic stripe reader, and it has a built-in hidden camera designed to record the PIN sequence after an unsuspecting customer slides his bank card into the compromised machine.
The model displayed here is designed to work on specific Diebold ATMs, and can hold a battery charge for two to four days, depending on ambient temperature and the number of customers who pull money out of the hacked ATM.
Functionally, it is quite similar to the all-in-one model pictured in the very first skimmer post in this ATM skimmer series, although its design indicates it may be identical to the one pictured here, which was found on a Wachovia ATM just a couple of miles from my home earlier this year.
Apple smashes patch record with gigantic update
"Fixes 134 flaws with Mac OS X update, 55 in Flash alone"
Apple on Wednesday patched more than 130 vulnerabilities in Mac OS X, smashing a record the company set last March when it fixed over 90 flaws.
The update for OS X 10.6, aka Snow Leopard, and OS X 10.5, better known as Leopard, was Apple's first since September and the seventh for the year.
Calling the update "huge," Mac vulnerability expert Charlie Miller pointed out that even with a staggering 134 patches, there were plenty of flaws still around.
"Apple releases huge patch, still miss all my bugs," said Miller in a tweet late Wednesday. "Makes you realize how many bugs are in their code, or they're very unlucky."
Security Update 2010-007, offered on its own to Leopard users but combined with non-security changes in version 10.6.5 of Snow Leopard, boasted 46% more patches than the biggest to date.
But Apple's patch numbers were inflated by the fixes for a whopping 55 vulnerabilities in Adobe's Flash Player. Unlike other operating system vendors, Apple bundles Flash with its OS and maintains the popular -- and frequently flaw-filled -- media player using its own update mechanism.
PGP Disk Encryption Bricks Upgraded Macs
Some Apple Mac users who rushed to upgrade their systems with the company's latest security patch were left to scramble for help after a conflict with disk encryption software from PGP rendered the upgraded Macs un-bootable.
Reports of users who were unable to boot their Macs after upgrading their Mac OS X systems to the 10.6.5 version began appearing in PGP support forums on Wednesday.
"Do NOT apply 10.6.5 if you are running PGP FDE on Mac. Myself and at least one other person I know of directly can no longer boot," wrote a PGP Forum member using the name GeorgeStarcher on Wednesday afternoon.
That message was followed by those from other users, also reporting "bricked" unbootable Macs following the upgrade.
"I can also verify that 10.6.5 bricked my WDE Macbook Pro. It's frozen at the boot screen. Looks like a wipe and reinstall is necessary," posted a user with the handle Static416.
By Wednesday evening, PGP - now a division of Symantec Corp. - had posted an alert warning customers using its Mac Whole Disk Encryption (WDE) product not to upgrade.
"MAC WDE customers should not apply the recent Mac OS X 10.6.5 update. Compatibility issues may prevent the system from successfully booting. We will provide a detailed update as soon as a solution has been identified," the post, signed PGP Technical Support, read.
PGP WDE customers who need to upgrade were advised to first decrypt their drive, apply the 10.6.5 update and then re-encrypt it, PGP said. Symantec has not yet responded to a request for comment from Threatpost.
FCC Investigating Google Data Collection
The Federal Communications Commission is investigating whether Google Inc. broke federal laws when its street-mapping service collected consumers' personal information, joining a lengthy list of regulators and lawmakers probing what Google says was the inadvertent harvesting of private data sent over wireless networks.
Key Republicans and Democrats in Congress have indicated that the privacy issues raised by Google's Street View data collection could be a factor when lawmakers consider new Internet privacy legislation next year.
Rep. Joe Barton of Texas, a senior Republican lawmaker, suggested last week on C-SPAN that Google's data collection wasn't accidental and that it was "something to look at."
The FCC opened its investigation earlier this year. "As the agency charged with overseeing the public airwaves, we are committed to ensuring that the consumers affected by this breach of privacy receive a full and fair accounting," said Michele Ellison, the chief of the FCC's enforcement bureau, in a statement confirming the investigation.
The FCC doesn't generally disclose details of its investigations publicly.
In May, the FCC received a complaint from Electronic Privacy Information Center, a privacy advocacy group, asking it to investigate whether Google violated federal communications law designed to prevent electronic eavesdropping. Intentional violations of the law could result in fines of up to $50,000 for each violation.
Get hacked and spill the beans, anonymously
A new Web site could help turn security breach guesswork into science.
Database breaches, social engineering attacks, and hacking incidents happen at companies every day, but very few end up being reported publicly. That's because organizations fear - and rightly so - damage to their reputation, public humiliation, and loss of customer confidence.
But this silent victim syndrome means that others can't learn from the missteps of victims and that the industry as a whole doesn't have a good grasp on the scope of the problem.
In a first-of-its-kind effort, Verizon Business is launching a public Web site for reporting security incidents that could crack open the self-defeating secrecy of data breaches.
"This will benefit the overall community," Alexander Hutton, a principal of research and intelligence at Verizon Business, told CNET in an interview. "The valid data helps us all learn from mistakes."
Verizon is officially launching today its Veris information-sharing site where network or security professionals can provide detailed information about an incident and get back a report that illustrates via charts, graphs, and other information how the reported incident compares with others.
Fake AV scams via Skype Chat
The Fake Anti-Virus guys are currently peddling their "goods" via alarming messages posted on Skype chat. Messages look like this:
'Thursday, November 11, 2010
[1:59:08 PM EDT] Online Support: WINDOWS REQUIRES IMMEDIATE ATTENTION
URGENT SYSTEM SCAN NOTIFICATION! PLEASE READ CAREFULLY !!
hxxp://www. updatevr. com/
For the link to become active, please click on 'Add to contacts' skype button or type it in manually into your web browser !'
I added the spaces to the URL to keep you from clicking - visit at your own risk. The site redirects a couple times, and then offers the "usual" fake AV for only 19.95. Thanks to ISC reader John for the sample.
Making Web Users Botnet-Resistant
"HackMiami researchers create 'botnet-resistant code' to thwart botnets from stealing valuable data "
What if you could outfit visitors to your website with a coat of anti-botnet armor? A pair of researchers has come up with coding techniques that they say ultimately renders infected user machines useless to botnet operators harvesting data.
Peter Greko and Fabian Rothschild, both members of the HackMiami hackerspace, here today showed how they studied samples of the Zeus and SpyEye Trojans as well as just how the cybercrime underground uses this code for botnets. They then used that intelligence to write code for Web servers that mitigates these botnets. Their premise is that most client machines are infected, anyway. "What we've done is make it really hard for botmasters to use any information they collect from client machines," Rothschild said.
Their hope is to convert these methods into software modules for the OWASP Enterprise Security API (ESAPI), an open source Web app security control library aimed at making secure code simpler to write. "We want to talk to the ESAPI project and see if we can come up with modules for them," Greko said.
The techniques they developed don't prevent a bot infection, but rather stymie the botmaster from ultimately gathering any useful information from the victim. Zeus, for instance, collects logins, passwords, cookies, VIEWSTATE parameters, and any other information passed via a POST request in HTTP. There are four different options, which range from obfuscating data to encrypting it. "What we've done is come up with ways to make it really hard for botmasters to use any information they collect from client machines," Rothschild says.
Facebook App Links to Malware
McAfee Labs learned today that a malicious Java applet was being linked through a Facebook application.
Users don't have to install the Facebook app on their profiles to be exposed to this threat. On browsing to a specific Facebook application page displayed in an Eastern European language, the page connects to a malicious site that hosts a signed Java applet that claims to be "Sun_Microsystems_Java_Security_Update_6" and is published by "Sun Java MicroSystems." [Screenshot]
The only indication of suspicious activity is the fact that the digital signature cannot be verified by a trusted source. The warning also requests permission from the user to run the applet. [Screenshot]
This social engineering technique is becoming common on malicious sites, as the warning allows the publisher to be spoofed when unverified, and it does not highlight the risk implications by allowing the applet to run. Only when the user clicks on "More Information" can we read the fine print that explains that "security restrictions normally provided by Java" will not be applied.
Continued @ McAfee Blog Central
Malware spam soars as crooks club together
Spam is increasingly being used to distribute malware, according to figures from security firm Kaspersky.
The security firm said email distribution of malware threats had soared in the third quarter of the year, and that 4.6% of all spam messages now contained some sort of threat, up from 1.9% in the second quarter.
According to the report, the worrying trend shows that spammers are now linking more closely in "partner programs" that specialise in malware and cybercrime.
"The increase in the volume and quality of mass malicious mailings confirms that spammers and cyber criminals have started acting in unison to create complex infection strategies," said Darya Gudkova, head of content analysis and research at Kaspersky Lab.
"These include connecting a victim computer to a botnet, sending out spam, stealing personal information and so on."
Kaspersky's research showed the most common threats came from fake notifications from resources such as Twitter, Facebook, Windows Live Messenger, MySpace, and a number of popular online stores.
Report From Kaspersky: Spam in the Third Quarter of 2010
UPDATE: Facebook API flaw discovered
Social-networking services provider Sendible says it's uncovered a major flaw in how Facebook works and is cooperating with Facebook to fix the issue.
Sendible said in a blog post late Tuesday night that it noticed the problem when "one of our users sent an update to a few popular Facebook pages, assuming they would appear to come from his profile. Instead, they posted as if they had come from the page itself." Sendible adds, "Usually these posts appear as the Facebook user and not as the Facebook page itself."
When Sendible contacted the user, he replied: "I wanted to post only a few facebook walls as a fan - and for some reason, posted as the page Owner. Weird."
TechCrunch yesterday got wind of the problem after the news site received "about a half dozen tips" that Facebook pages "including Google, Coca-Cola, YouTube, South Park, the Daily Show, Team Coco and others are now sending out a malicious link to all of their following that reads 'Change Your Facebook Background Here!'", adding that it would be advised not to click on it. TechCrunch said those who clicked the link were directed "to a page outside of Facebook that asks you for information about you," and reported that the bottom of the page read "Powered by AWeber Email Marketing."
Yesterday, TechCrunch surmised that the Facebook app Sendible, which has a service that lets fans of Facebook pages update multiple pages at once, was "compromised in a major way."
However, Sendible refuted that, saying it has actually "helped discover a security flaw in Facebook's API." Sendible said no user accounts were compromised and that it was not hacked.