NEWS - October 18, 2010

Sandboxed Adobe Reader to Ship Next Month

Adobe announced that the next major version of its PDF products, which includes the much awaited sandboxed Adobe Reader, will be released next month.

Dubbed Acrobat X, the new product family will include Adobe Reader X, Acrobat X Suite, Acrobat X Pro, and Acrobat X Standard.

From a security perspective the release will be very important, because of the new sandboxing technology enabled by default in the products.

Adobe Reader can be found on most of the world's computers, but because of this ubiquity, the program is one of the preferred targets of criminals, who exploit it to infect users with malware.

And Adobe Reader was never in short supply of critical arbitrary code execution vulnerabilities, bringing the company a lot of criticism from the security community for failing to secure its code.

Also see: Adobe Details Proposed Reader 'Sandbox' Security

Facebook Privacy Issues - again

Media report about a new privacy leak on Facebook which has been found just recently. It is possible to find out with which persons someone is in contact: one just has to create a fake account using a known email address of the person to spy upon. Facebook doesn't verify whether the address is real, so the new account can already be used. Up to 20 contacts are visible according to the reports.

This is also possible for persons that don't use Facebook at all, as their address can be imported by other users via the friend finder feature. So it is a good idea to delete such data if the friend finder has been used to find contacts through the email provider. This is very well hidden: users have to start the invite process and can press on "more about" next to the claim that Facebook doesn't store the email password. On the web page that then appears it is possible to remove those imported contacts.

Facebook gets poked in latest privacy gaffe

Facebook's privacy rules aren't as watertight as the company would have its users believe, after the Wall Street Journal uncovered that some of the social network's most popular apps have siphoned off personal information to ad firms and internet tracking outfits.

According to the report, many Facebook apps have transmitted identifiable details about individual users to around 25 companies, in effect breaking the terms laid down by the Mark Zuckerberg-run website.

The privacy breach, which gives advertising and internet tracking firms access to people's names, affects a huge number of Facebook app users.

Worse still, the newspaper found that users whose profiles have rigorous privacy settings have also had their details exposed.

It said that the 10 most popular Facebook apps, including Farmville and Texas HoldEm Poker, were transmitting users' IDs to external firms.

Game Network Inc's Farmville was found to also be transmitting personal details about a user's Facebook "friends" to advertisers and internet tracking companies.

Zeus botnet gang targets Charles Schwab accounts

Attacks vulnerable PCs to steal full access to investments, cash

Criminals are using a Zeus botnet to pillage Charles Schwab investment accounts, a security researcher said Friday.

The attacks show that while authorities were arresting more than 100 members of one Zeus gang, rivals were adding lucrative investment accounts to their usual targets of online banks.

"They're expanding their horizons," said Derek Manky, project manager for cybersecurity and threat research at Sunnyvale, Calif.-based Fortinet. "We've seen some discussion of investment accounts [being targeted] by Zeus, but I've never seen proof that they actually are."

The Zeus infections stem from messages posing as LinkedIn reminders that include disguised links to malicious sites. Those sites then hit the Windows PC with numerous drive-by exploits, looking for one that works. Among the exploited vulnerabilities: the Windows Help & Support Center bug disclosed in June by a Google security engineer and patched by Microsoft in July.

Earn a Diploma from Scam U

Since the dawn of the Internet, tutorials showing would-be scammers how to fleece others have been available online. But for novices who can't be bothered to scour the Net for these far-flung but free resources, the tricks of the trade now can be learned through the equivalent of community college classes in e-thievery, or via intensive, one-on-one online apprenticeships.

Take the program currently being marketed on several fraud forums: it's called Cash Paradise University. For $50, a newbie scammer can learn the basics of online fraud, such as hiding one's identity and location online, and how to obtain reliable stolen credit card numbers. For a $75 fee and an investment of about 2 to 3 hours, one can become fluent in the ways of "Skype carding," or selling hacked and newly-created Skype accounts that have been loaded with funds from stolen credit cards.

Notorious Anonymous hacktivists launch fresh attacks

Latest counter-offensive after TorrentReactor and other TT sites attacked

Hacktivists from the loosely-banded Anonymous took out the UK Intellectual Property Office and a Portuguese music industry website over the weekend during the latest phase of an ongoing campaign against the entertainment industry.

Both sites were rendered inaccessible by floods of spurious traffic in the latest phase of Operation: Payback is a *****. The campaign is a response by activists to attempts by the entertainment industry to attack file-sharing and torrent tracker sites.

The campaign was sparked off by outrage over the appointment of a tech firm hired gun in India by the Bollywood entertainment industry. Aiplex Software said it was prepared to launch DDoS attacks at Torrent tracker sites that ignored its legal nastygrams.

Cue outrage on 4chan and the launch of reprisal attacks, which have previously affected the MPAA, RIAA and (most notoriously) law firm ACS:Law. The UK-based solicitors' email database was exposed during ham-fisted attempts to restore the site following a secondary denial of service attack partially provoked by ACS:Law's dismissive response to the first wave of attacks.

Panda Security has maintained a detailed scorecard showing the targets of attack, and the resulting site downtimes, in a blog post here.

Finnish firm finds hard-to-detect online attacks

All network security equipment, the strongest of which is used by the financial industry, is exposed to a new kind of online attack, Finnish data security vendor Stonesoft said on Monday.

Stonesoft said it has found a new threat category -- advanced evasion techniques (AETs) -- which simultaneously combine different evasions in several layers of networks, and in the process become invisible for security gear.

While evasions -- tools hackers often use to penetrate network security -- are nothing new, AETs package them in new ways to let attackers bypass most firewalls and intrusion detection and prevention systems (IPS) without being detected.

This could give them access to data on secure corporate networks and allow them to plant further attacks.

"From the point of view of cybercriminals and hackers, advanced evasion techniques work like a master key to anywhere," said Klaus Majewski, business development chief at Stonesoft.

"Current protection against advanced evasion techniques is next to zero. This is a new thing and there is no protection against it currently," Majewski said.

Security experts at ICSA Labs, part of Verizon Communications Inc, have tested the new evasions and have found the risk is real.
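The post above does not say what the "several layers" of an advanced evasion technique look like in practice. The following added example (constructed for this thread, not Stonesoft's or ICSA Labs' test data) shows the general principle with two well-known single-layer evasions against a signature detector: TCP segmentation with out-of-order delivery at the transport layer, and percent-encoding at the HTTP layer. Each evasion alone is handled by a detector that both reassembles and decodes; combining them so that a segment boundary falls inside a percent-escape defeats the detector that decodes each segment before reassembly. The signature `cmd.exe`, the request strings and the segment sizes are all assumptions chosen for illustration.

```python
"""Two single-layer evasions that a signature detector survives, combined so
that one detector ordering fails.  Constructed example; not the page's own
code and not Stonesoft's AET test data.

Layer 1 (transport): the request is cut into TCP-like segments and delivered
out of order.
Layer 2 (application): bytes of the URL are percent-encoded.
"""
from urllib.parse import unquote_to_bytes

SIGNATURE = b"cmd.exe"  # assumed byte pattern both detectors look for


def segment(payload: bytes, sizes, seq0: int = 1000):
    """Split payload into (seq, data) segments; sizes gives the first cuts,
    whatever remains becomes the final segment."""
    segments, offset, seq = [], 0, seq0
    for n in sizes:
        segments.append((seq, payload[offset:offset + n]))
        offset += n
        seq += n
    if offset < len(payload):
        segments.append((seq, payload[offset:]))
    return segments


def reassemble(segments) -> bytes:
    """Order segments by sequence number and join them, as a stream reassembler does."""
    return b"".join(data for _, data in sorted(segments))


def detector_decode_then_reassemble(segments) -> bool:
    """Detector A: percent-decodes each segment as it arrives, then reassembles.
    Both layers are normalised, but in the wrong order: an escape split across
    two segments is never decoded."""
    decoded = [(seq, unquote_to_bytes(data)) for seq, data in segments]
    return SIGNATURE in reassemble(decoded)


def detector_reassemble_then_decode(segments) -> bool:
    """Detector B: rebuilds the stream first, then decodes the application layer."""
    return SIGNATURE in unquote_to_bytes(reassemble(segments))


# Constructed sample requests (assumed, for illustration only).
PLAIN = b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n"
ENCODED = b"GET /scripts/c%6dd.exe?/c+dir HTTP/1.0\r\n"  # 'm' written as %6d


def evaluate():
    """Run both detectors over each case; returns {case: (A_detects, B_detects)}."""
    cases = {
        "no evasion": segment(PLAIN, []),
        "encoding only": segment(ENCODED, []),
        "segmentation only": segment(PLAIN, [10, 7, 4]),
        # Cut after 16 bytes lands between '%6' and 'd'; deliver in reverse order.
        "segmentation + encoding": list(reversed(segment(ENCODED, [16, 5]))),
    }
    return {
        name: (detector_decode_then_reassemble(segs), detector_reassemble_then_decode(segs))
        for name, segs in cases.items()
    }


if __name__ == "__main__":
    for name, (a, b) in evaluate().items():
        print(f"{name:24} decode-then-reassemble={a!s:5} reassemble-then-decode={b}")
```

Detector A catches every single-layer evasion and misses only the combination, which is the property the post attributes to AETs: each evasion is known and handled on its own, the packaging is what slips through. The practical check when evaluating an IPS is therefore not whether it handles segmentation and encoding, but in which order it normalises the layers and whether it re-normalises after reassembly.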
