
NEWS - October 30, 2014

Oct 30, 2014 4:10AM PDT
Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data

In his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned the same trick. Only instead of a mistress, they're sharing their love letters with data-stealing malware buried deep on a victim's computer.

Researchers at the security startup Shape Security say they've found a strain of malware on a client's network that uses that new, furtive form of "command and control"—the communications channel that connects hackers to their malicious software—allowing them to send the programs updates and instructions and retrieve stolen data. Because the commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect.

Continued : http://www.wired.com/2014/10/hackers-using-gmail-drafts-update-malware-steal-data/

Microsoft Warns of Crowti Ransomware
Oct 30, 2014 4:25AM PDT

Researchers with Microsoft have spotted a spike in Crowti, a ransomware similar to Cryptolocker that encrypts files on victims' machines and then asks for payment to unlock them.

The malware has existed for several months but it wasn't until mid-October that Microsoft's Malware Protection Center noticed its biggest swell to date. The campaign infected 4000 different systems at its peak, with the bulk of those, 71 percent, confined to machines in the United States. [Screenshot]

Similar to CryptoWall, a fairly recent Cryptolocker variant, Crowti uses a valid digital signature to appear legitimate and then, once installed, demands users pay in Bitcoin to purportedly decrypt their files.

Continued : http://threatpost.com/microsoft-warns-of-crowti-ransomware/109075

Latest Android encrypted by default, adds "smart" device locking
Oct 30, 2014 4:26AM PDT

"Google reveals features designed to make Android "Lollipop" more secure"

The latest version of the Android operating system, Lollipop, adds encryption by default, along with a variety of easy-to-use ways to lock and unlock the phone and a more secure foundation to help protect devices against current threats.

In a blog post published on Tuesday, Google described the features, which will begin shipping with the Lollipop operating system in new Android devices in the coming weeks. While some of the capabilities, such as encryption, are already included in the current Android OS, the new version will turn them on by default.

Many of the security features were born of Android's open-source foundations and the fact that other researchers and companies can create and test new security features for the operating system, Adrian Ludwig, lead security engineer for Android at Google, said during a briefing on the security features.

Continued: http://arstechnica.com/security/2014/10/latest-android-encrypted-by-default-adds-smart-device-locking/
Watch Online Ad Fraud "Bots" in Action
Oct 30, 2014 4:26AM PDT
The Forensiq Botnet Project

VIDEO: https://www.youtube.com/watch?v=IiVZC8eM_xE

"The online advertising industry is battling an ongoing fraud problem. Industry analysts estimate marketers waste millions of dollars a year buying Internet ads that aren't delivered to real humans, but to hijacked computers known as "bots" instead."

"Scammers create bots by infecting users' computers with pieces of code known as malware, which is used to control users' machines in the background, usually without their knowledge. Scammers use such malware to send armies of zombie computers to websites of their choosing, loading ads in the process that are never actually visible to real consumers."

To demonstrate exactly how bot traffic is created, ad fraud company Forensiq intentionally infected a computer of its own with malware, and figured out a way to expose and record what that malware was doing behind the scenes.

Continued: http://blogs.wsj.com/cmo/2014/10/14/watch-online-ad-fraud-in-action/

Related : Ad Fraud Botnet Video

[ Hat-tip to R. Proffitt ]
PUP Download Site Makes Use Of Virtual Assistant
Oct 30, 2014 4:27AM PDT

"Malwarebytes Unpacked" Blog:

You know how you visit a website and suddenly there's a person talking at you from the bottom right hand corner of the screen about how you should buy product X or make use of service Y?

We recently saw a page asking visitors to upgrade their media player, which Malwarebytes Anti-Malware detects as PUP.Optional.SaferInstall (VirusTotal 12 / 53). It looks a lot like many similar download sites out there [1], [2], with one curious addition standing over on the right hand side: [Screenshot : Virtual assistant]

A virtual assistant! She isn't very interactive, instead launching into a recorded voiceover after a minute or so of the visitor doing nothing on the webpage. She says:

Continued : https://blog.malwarebytes.org/online-security/2014/10/pup-download-site-makes-use-of-virtual-assistant/

How to Tell Data Leaks from Publicity Stunts
Oct 30, 2014 4:27AM PDT

In an era when new consumer data breaches are disclosed daily, fake claims about data leaks are sadly becoming more common. These claims typically come from fame-seeking youngsters who enjoy trolling journalists and corporations, and otherwise wasting everyone's time. Fortunately, a new analysis of recent bogus breach claims provides some simple tools that anyone can use to quickly identify fake data leak claims.

The following scenario plays out far too often. E-fame seekers post a fake database dump to a site like Pastebin and begin messaging journalists on Twitter and other social networks, claiming that the dump is "proof" that a particular company has been hacked. Inevitably, some media outlets will post stories questioning whether the company was indeed hacked, and the damage has been done.

Fortunately, there are some basic steps that companies, journalists and regular folk can take to quickly test whether a claimed data leak is at all valid, while reducing unwarranted damage to reputation caused by media frenzy and public concern. The fact-checking tips come in a paper from Allison Nixon, a researcher with Deloitte who — for nearly the past two years — has been my go-to person for vetting public data breach claims.

Continued : http://krebsonsecurity.com/2014/10/how-to-tell-data-leaks-from-publicity-stunts/

ASUS Wireless Routers RT Series Vulnerable to MiTM Attacks
Oct 30, 2014 4:28AM PDT

Bitdefender's "HOT for Security" Blog:

The ASUS wireless routers from the RT series have been found vulnerable to a Man-in-the-Middle attack, as they download updates via HTTP without an encryption protocol, in clear text, according to a blog post by David Longenecker.

"The ASUS RT- series of routers rely on an easily manipulated process to determine if an update is needed, and to retrieve the necessary update file," Longenecker said. "Since the router downloads via HTTP instead of HTTPS, there is no way to validate that the server at the other end is in fact the ASUS server and not an impostor."

The ASUS RT router series update flow contains two simple steps. The first downloads a clear-text file list with the latest firmware builds. Then it parses the downloaded file to check for a newer available firmware update. If a new firmware update is available, it passes to step two, when the router downloads the firmware package.

Continued : http://www.hotforsecurity.com/blog/asus-wireless-routers-rt-series-vulnerable-to-man-in-the-middle-attacks-10702.html
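
A hardened form of the two-step flow described above, added here as an example and not ASUS's code or anything from the article: the router accepts the firmware list only after a detached Ed25519 signature from a vendor key pinned in the firmware verifies, and installs the downloaded image only if its SHA-256 matches the hash carried in that signed list, so an impostor on the HTTP path can neither alter the list nor swap the package. The list format, the keys and the byte strings are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Step one, hardened: the firmware list (constructed format "<version> <sha256-hex>") is
// trusted only once the vendor's Ed25519 signature verifies against a key pinned in the firmware.
func parseList(vendorPub ed25519.PublicKey, raw, sig []byte) (sum [32]byte, err error) {
	if !ed25519.Verify(vendorPub, raw, sig) {
		return sum, errors.New("firmware list signature invalid")
	}
	_, hexSum, ok := strings.Cut(string(raw), " ")
	h, err := hex.DecodeString(hexSum)
	if !ok || err != nil || len(h) != sha256.Size {
		return sum, errors.New("malformed firmware list")
	}
	copy(sum[:], h)
	return sum, nil
}

// Step two, hardened: the downloaded image is installed only if its hash
// matches the one carried inside the signed list.
func verifyFirmware(want [32]byte, image []byte) error {
	if sha256.Sum256(image) != want {
		return errors.New("firmware hash mismatch")
	}
	return nil
}

// demo runs the flow on constructed keys and bytes: a genuine update, an
// image swapped by someone on the path, and a list signed with the wrong key.
func demo() (genuine, swappedImage, forgedList error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	image := []byte("constructed firmware image")
	raw := []byte(fmt.Sprintf("1.2.3 %x", sha256.Sum256(image)))
	want, genuine := parseList(pub, raw, ed25519.Sign(priv, raw))
	if genuine == nil {
		genuine = verifyFirmware(want, image)
	}
	swappedImage = verifyFirmware(want, []byte("image from an impostor server"))
	_, forgedList = parseList(pub, raw, ed25519.Sign(ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)), raw))
	return
}
func main() { fmt.Println(demo()) }
```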

"Assume every unpatched site running Drupal 7 compromised"
Oct 30, 2014 4:40AM PDT

Content management system Drupal has issued a chilling public service announcement to website admins and internet users who might visit the hundreds of thousands of sites running its software.

According to the company, "automated attacks" started to hit websites running Drupal version 7 within a matter of hours of it disclosing a highly critical SQL injection vulnerability on October 15th. [...]

If a site using a vulnerable version of the Drupal CMS is attacked, hackers could steal information from the site or open backdoors to allow them continued remote access to the system.

Continued : http://grahamcluley.com/2014/10/assume-unpatched-websites-running-drupal-7-compromised/

White House unclassified network hacked, apparently by Russians
Oct 30, 2014 5:16AM PDT

"US officials learned about a breach of the Executive Office net from an ally."

The unclassified network of the Executive Office of the President—the administrative network of the White House—was breached by attackers thought to be working for the Russian government, according to multiple reports. The Washington Post reported that an investigation is ongoing, and White House officials are not saying what data, if any, was stolen from the computers on the network. "We are still assessing the activity of concern," an unnamed White House official told the Post.

According to the Post's anonymous sources, the breach was discovered in early October after a friendly foreign government alerted US officials. The network's virtual private network access was shut down, and some staff members were told to change passwords. "We took immediate measures to evaluate and mitigate the activity," the Post's source at the White House said. "Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it."

Continued : http://arstechnica.com/tech-policy/2014/10/white-house-unclassified-network-hacked-apparently-by-russians/

Related:
White House hit by "sustained" cyber attack, hackers breach unclassified network
White House network breach was likely nation-sponsored
Facebook gives away homebrewed OS monitoring tool
Oct 30, 2014 5:16AM PDT

"Osquery watches for operating system state changes that might indicate a security issue"

Facebook has released an open-source tool for monitoring operating system state changes across very large infrastructures, which could help engineers quickly diagnose performance and security issues.

The tool, called Osquery, allows administrators to run SQL-based queries on operating system characteristics stored in a high-performance database, collecting data such as running processes, loaded kernel modules and open networking connections, wrote Mike Arpaia, a Facebook software engineer.

In the last few months, Facebook let other companies try Osquery after "it became clear to us that maintaining insight into the low-level behavior of operating systems is not a problem which is unique to Facebook," he wrote.

Continued: http://news.techworld.com/security/3583355/facebook-gives-away-homebrewed-os-monitoring-tool/

Related:
Facebook open-sources osquery, an OS analysis tool
Facebook Open Sources Host Monitoring Tool, Increases Internet Defense Prize

Apple Pay Competitor CurrentC Hacked
Oct 30, 2014 8:49AM PDT

Merchant Customer Exchange (MCX), the developer of the mobile payment system called CurrentC, is notifying some users that their email addresses have been stolen by hackers.

"Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of you. Based on investigations conducted by MCX security personnel, only these e-mail addresses were involved and no other information," read the emails sent out by the company to affected individuals.

MCX says the breach affects participants in the CurrentC pilot program and those who have expressed interest in the product. The company has advised impacted users to be on the lookout for phishing emails, and avoid clicking on links or attachments contained in suspicious messages.

Continued: http://www.securityweek.com/apple-pay-competitor-currentc-hacked

Related :
Apple Pay rival CurrentC hacked
CurrentC mobile payment system hacked, user info stolen

Chip & PIN vs. Chip & Signature
Oct 30, 2014 8:50AM PDT

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent "chip-and-signature" standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Continued : http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

Chrome set to disable and remove SSLv3 in upcoming releases
Oct 30, 2014 8:50AM PDT

"The next version of the Google Chrome browser expected in six weeks will arrive with support to fallback to SSLv3 disabled by default."

Chrome 39, due to be released in six weeks' time, will be the first step in Google's plan to remove SSLv3 support from its Chrome browser.

Earlier this month, Google discovered a flaw in SSLv3, dubbed Padding Oracle On Downgraded Legacy Encryption (POODLE), that allowed an attacker to conduct a man-in-the-middle attack in order to steal cookies. Although SSLv3 has long been made obsolete by Transport Layer Security, the potential impact of POODLE was large, due to handshaking procedures that occur when setting up a secure connection between HTTP servers and clients to establish a common protocol to communicate.

Continued: http://www.zdnet.com/chrome-set-to-disable-and-remove-sslv3-in-upcoming-releases-7000035260/