NEWS - October 23, 2010

Apple Closes FaceTime For Mac Security Hole

iTunes account access has been disabled in settings of the video-calling software beta, which reportedly closes the security gap.

Apple appears to have addressed a security flaw in FaceTime for Mac beta by disabling the ability to view one's iTunes account settings in the video-calling software.

As of late Thursday, the View Account section of the software, accessible through Preferences, had been disabled, eliminating a vulnerability that had been widely reported earlier in the day. Apple did not respond to a request for comment Friday.

Related news: FaceTime for Mac opens giant Apple ID security hole

Adobe unbundles Flash Player from Mac OS X bundle; Java next

Daring Fireball's John Gruber brings us news that Apple will ship all new Mac OS X machines without Adobe Flash Player pre-installed.

Apple has already started shipping the new MacBook Air models without the Flash Player installed, and Gruber reports the company plans to nuke the software from all new machines. This follows an announcement that the Apple-produced Java runtime will not be maintained and may also be removed from future versions of Mac OS X.

The decision to remove Flash Player and Java from the Mac operating system is most likely driven by security considerations. Apple has had problems in the past with keeping up to date with both Flash Player and Java security patches.

I asked Mac security guru Dino Dai Zovi for his response to the news that Oracle Sun's Java software may be removed from future versions.

Here's his response:

"In the early days of Mac OS X, Java was treated as an equal alternative to Objective-C for application development with a Cocoa-Java bridge. This was deprecated in 10.4, however. Since then, Java has largely been supported primarily for web-based Java applets.

These days, Java applets are primarily used to install malware on Windows machines, but they may also be used for interactive features in web applications that HTML alone cannot provide. Apple has historically had a several month lag-time in releasing security updates for the Apple-maintained port of Java, which puts Mac users at risk from exploits of these publicly known vulnerabilities over this time. Apple has clearly decided that it is no longer worth their effort to maintain this port themselves and would rather let Oracle assume that responsibility.

I think Apple users would be safer with Java being an optional third-party install as it is rarely needed on the modern web and this would not subject Mac users to the window of vulnerability before Apple is able to release their Java security updates."

AMTSO Plans Individual Subscriptions

According to the charter of the Anti-Malware Testing Standards Organization (AMTSO), membership is open to "any corporation, institution or unaffiliated individual interested in participating in this organization," with the further requirement that those requesting individual membership not be affiliated with any member organization. The main stumbling block for individuals wishing to join is the 2,000 euros per year membership fee.

For a big corporation like an antivirus vendor or an independent testing lab, that fee is just another cost of doing business. For an interested individual, it's probably a show-stopper. Yet AMTSO really does want and need input from the consumers who buy products from the vendors, academics who study results from the testers, and IT experts from companies not focused on security, among others.

At the meeting just concluded in Munich, the group approved in principle a new form of connection for individuals: a yearly subscription (price to be determined). Subscribers will gain full access to AMTSO's e-mail discussion groups and will also be able to attend full AMTSO meetings in a non-voting capacity.

Three times per year the group meets to work on new documents defining standards and best practices for anti-malware testing and vote on acceptance of completed standards documents. The Board of Directors reports on past successes and future plans. And the Reviews Advisory Board, charged with evaluating how well published anti-malware tests do or don't follow the AMTSO's guidelines, reports on its activities.

Google: Wi-Fi Sniffing Collected Whole E-Mails, URLs, Passwords

Google on Friday said that it collected entire e-mails, URLs, and passwords when its Street View cars accidentally sniffed unencrypted Wi-Fi networks.

While most of the data collection was "fragmentary, in some instances entire e-mails and URLs were captured, as well as passwords," Alan Eustace, senior vice president of engineering and research at Google, wrote in a blog post.

Eustace said the company is "mortified" by what happened and wants "to delete this data as soon as possible."

In May, Google admitted that equipment attached to its Street View cars had inadvertently collected personal information that consumers sent over unencrypted wireless networks. The revelation prompted inquiries from privacy officials all over the world.

Initially, Google said it "collected only fragments of payload data" because the company had not yet analyzed the collected information in detail. Since then a number of external regulators have inspected the data as part of their investigations, at which point the e-mails, URLs, and passwords were discovered.

Report: Click Fraud Skyrockets

Click fraud is at its highest rate ever, according to an analysis of third quarter figures by Austin-based Click Forensics.

"During the past quarter, we saw a growing volume of click fraud flow through a more diverse number of sources, including mobile proxies," Paul Pellman, chief executive of Click Forensics, said in a statement. "As advertising in videos, social networks and mobile devices continues to grow, advertisers will need to pay close attention to the quality of traffic they receive."

According to the report, the click fraud rate was 22.3 percent in the third quarter, up from 18.6 percent in the previous quarter and 14.1 percent from the year before. In fact, instances of click fraud have been growing steadily ever since Click Forensics began collecting cost-per-click data in 2006, the report said.

Japan, the Netherlands, Philippines, and China showed the largest volume of click fraud, respectively.

The quarterly study is drawn from billions of clicks from the most popular search engines, social networks, ad Web sites and publishers, as well as an analysis of Web traffic across over 300 ad networks.

Game Trojans' Biggest Tricks in 2010

It's appropriate that this year's Blizzcon, the two-day celebration of all things World of Warcraft, takes place during National Cyber Security Awareness Month. No other game is as heavily targeted by thieves as WoW, so we thought this would be as good a time as any to run down some of the malware threats that face gamers. 2010 has been a big year for Trojans that steal game passwords or license keys.

The people who create malware targeting online games show no signs of relenting, nor are they lying down on the job. Innovation is the name of the game, and password-stealers this year innovated their infection techniques to make them more effective and even harder to detect.

Two-factor authentication tokens, such as the Blizzard Authenticator, do a great job of preventing fraud. If you play WoW, the seven or so bucks the Authenticator costs can prevent a lot of headaches if your account becomes compromised by either a Trojan or a phishing Web site. The Authenticator displays a series of numbers that change about once a minute, and a gamer needs to enter these numbers along with a username and password to play the game.

However, while gamers who play Blizzard's games might find themselves at reduced risk of phishing thanks to the Authenticator, other companies that operate the kinds of massively-multiplayer games most targeted by phishing pages and malware are also targets for theft, and don't yet offer an equivalent method of securing login credentials.

One technique that emerged this year ties the malicious keylogger to one or more of Microsoft's DirectX libraries. DirectX is the engine in Windows that most 3D games use to render graphics, play sound effects, and manage game controllers. Trojans that hook into DirectX always load when DirectX is in use, and since DirectX is always loaded when you play a game, it means the "sleeper cell" game phishing Trojan doesn't wake up and do its job until you're playing a game. We published a definition in May, Trojan-PWS-Cashcab, which defeats this technique, and you can also simply reinstall DirectX over the top of itself to break the infection.

Another technique that was rarely used before this year is for the keylogger to replace the Input Method Editor (or IME) on the infected computer.
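To show why a token whose numbers change every short interval defeats a keylogged password, here is an added example (not code from the original post, and not Blizzard's Authenticator algorithm, which the post does not describe) of an RFC 6238 time-based one-time password check on the server side, with a one-step clock-skew window and rejection of replayed codes. The shared secret, the 30-second step and the window size are constructed assumptions.

```python
# Added example: RFC 6238 TOTP verification with skew window and replay rejection.
# Secret, time step and window are constructed assumptions, not any vendor's values.
import hashlib
import hmac
import struct
import time

SHARED_SECRET = b"constructed-demo-secret-0123"  # provisioned into the token (constructed)
TIME_STEP = 30   # seconds each code is valid for (assumption)
DIGITS = 6
WINDOW = 1       # accept one time step of clock skew on either side


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) over a time-derived counter, as RFC 6238 specifies."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def current_code(secret: bytes, now: int) -> str:
    """What the token displays at Unix time `now`."""
    return totp(secret, now // TIME_STEP)


class TokenVerifier:
    """Server side: a code is accepted once, and only inside the skew window."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1   # highest counter already consumed by a login

    def verify(self, code: str, now: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = now // TIME_STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            if counter <= self.last_counter:
                continue          # replay: this step was already used
            if hmac.compare_digest(totp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False              # wrong, expired, or keylogged-and-stale code


if __name__ == "__main__":
    v = TokenVerifier(SHARED_SECRET)
    t0 = int(time.time())
    code = current_code(SHARED_SECRET, t0)        # what a keylogger would capture
    print("legitimate login:", v.verify(code, t0))
    print("replayed code:   ", v.verify(code, t0))
    print("code 2 min later:", v.verify(code, t0 + 120))
```

A keylogger that captures the password plus the displayed code gets at most one login inside the current window, and the stolen code is useless two minutes later.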

Marketers Can Glean Private Data on Facebook

Online advertising offers marketers the chance to aim ads at very specific groups of people, say, golf players in Illinois who make more than $150,000 a year and vacation in Hawaii.

But two recent academic papers show some potential pitfalls of such precise tailoring.

Both papers focus on Facebook ads and show that in certain circumstances, advertisers (or snoops posing as advertisers) may be able to learn sensitive profile information, like a person's sexual orientation or religion, even if the person is sharing that information only with a small circle of friends. Facebook does not share such information with advertisers.

The papers come amid an intense focus on vulnerabilities in Facebook's privacy safeguards.

In one paper (PDF), researchers from Microsoft in India and the Max Planck Institute for Software Systems in Germany found that it was possible for an advertiser to find the stated sexual preference of Facebook users.

The researchers created six nearly identical Facebook accounts, three for men and three for women. The one significant difference was that in one account for each gender, the profile specified that the user was "interested in" people of the same sex. [...]

In a separate study (PDF), Aleksandra Korolova, a researcher at Stanford, said she was able to find the age and sexual orientation of specific Facebook users by tailoring certain ads to their profiles.

She said an attacker could use the technique to find other profile information that was not public, including relationship status and political and religious affiliation. She also said that the technique could be used on other social networks or Web sites, like Google and MySpace.

Govt plans to cut internet services in case of cyberattacks

Indian law enforcement and national security officials are drawing up plans that will give them technology capabilities to cut off all internet services during emergencies.

After a series of recent meetings on cyber security held at the Prime Minister's Office at South Block, all government departments have been asked to jointly work on developing technologies and also invest in enhancing R&D capabilities to enhance the Centre's control on internet services within the country, officials aware of the development told ET.

Officially, these steps are aimed at protecting Indian infrastructure from cyber attacks, but analysts fear that this may lead to greater government controls over internet as in China. Globally many countries are working on securing their communication networks from crippling cyber attacks that target the IT infrastructure of banks, airports, railways and government offices, all of which are often connected to the internet.

Hackers hit Hetzner

Hetzner hit by network intrusion which may have allowed unauthorised access to hosting management systems

Hetzner yesterday informed subscribers that they suffered a network intrusion which may have allowed unauthorised access to their hosting management systems.

Hetzner proactively addressed the issue, informing hosting subscribers of the security breach and asking them to update their passwords to avoid potential future problems.

It is still unclear how the hacker gained access to Hetzner's systems. "Despite intensive investigation we are still unable to determine how the intruder gained access to our network. Hetzner has changed all access details. While there have been further attempts by the intruder to gain access, we can confirm that they have been unsuccessful," Hetzner said.

Dear Microsoft: Please Stop Pushing Potentially Unwanted Software through Windows Update

One of my home machines is Windows 7 Enterprise x64. A few days ago an interesting thing started happening. The Windows Update (WU) traybar icon is notifying that there is a new "Important Update" that needs to be installed. I have it configured for manual update because I want to decide what gets installed and what doesn't. So I open the WU console and look at the details of the "Important Update" and to my surprise it's not an update at all but rather a bunch of new software which I don't really want in the first place, nor have I already installed it on my machine, so it doesn't need updating.

It seems Microsoft is reverting to using WU to push unwanted software, kinda like what adware, spyware and rogue software does. I guess if you can't convince users to download and install your software the next best thing is to push it down their throats whether they like it or not. Nice move MSFT!

I decide to un-check the "Important Update" and forget about it. But to my (second) surprise, the WU notification from the traybar does not disappear as it normally does when you decide not to install an update. I open the WU console again and, surprise surprise, the "Important Update" is still there checked by default (even though I already told it I don't want it), ready to be installed as soon as a user hits the "Install Updates" button.

The "important" software bundle is named Windows Live Essentials 2011 and at a 160MB size includes the following:
- Messenger
- Photo Gallery
- Mail
- Movie Maker
- Writer
- Family Safety
- Windows Live Mesh
- Messenger Companion
- Microsoft Outlook Hotmail Connector
- MS Outlook Social Connector Provider for Messenger
- Microsoft Silverlight
- And as a BONUS you also get: Bing Toolbar for your browser, agreeing to a new Service Agreement and a new Privacy Policy updated a couple of months ago and asking you to provide personal information.

Searching around a bit I found a couple of interesting blog posts by Microsoft. One here saying that the install will only be shown as "Recommended Update" or even "Optional Update", which is not true as it is showing as an "Important Update". But more interestingly, here and here there are hundreds of users complaining not only about the tactics of the installation but also about the buggy software and how this "update" has changed their preferences, lost their business contacts, lost functionality previously used in other software, etc.

iPhone Jailbreak Tool Sets Stage for Mobile Malware

The success of a group of hackers in compromising the security of Apple's iPhone may set the stage for more malware for the popular handset, including rootkit-style remote monitoring tools and data stealing malware.

In a presentation at the ToorCon Hacking Conference in San Diego on Saturday, Eric Monti, a Senior Researcher at Trustwave's Spider Labs demonstrated how the same kind of vulnerabilities and exploits that allowed a team of hackers to "jailbreak" iPhones and iPads from Apple's content restrictions could be used to push rootkit-style malware onto those devices and intercept credit card data from an iPhone-based transaction.

For his presentation, Monti designed a proof of concept iPhone rootkit, dubbed "Fat," by modifying the original jailbreakme code to create a stripped down remote monitoring application.

"Fat" was an effort to learn from the work of the team that created jailbreak by "weaponizing" the code, Monti said in an interview with Threatpost. Among other things, the researcher removed system prompts created by the jailbreakme app and added a rootkit feature to remotely control such key iPhone features as the microphone, camera and geolocation services, as well as SMS, he said.

The program is harmless and the vulnerabilities in question were patched by Apple in early August. However, Monti warns that more and more high value applications on the iPhone will increase the attractiveness of the platform for malicious parties, including banking and e-commerce.

Russian Hacker Builds 70 Terabyte Home Computer

Ever find yourself deleting some files to make room for your overgrown media collection? Thanks to a new hack from a Russian PC enthusiast you should have plenty of room for your MP3 collection, along with the collections of everybody else you know. The hack consists of an array of 60 hard drives and the whole thing holds a whopping 70 terabytes of data.

That translates to 70,000 DVD-quality movies or, if you're more musically inclined, somewhere in the neighborhood of 24 million songs. Of course, that kind of storage space doesn't come easy. Besides the 60 drives themselves the rig requires 40 cooling fans to keep the temperature under control.

The final package may not win any awards for case design but the whole thing has a certain kind of stark utilitarian beauty to it.