Apple Mac OS X unable to revoke SSL certificates properly
A programming glitch in Apple's OS X operating system is making it hard for Mac users to tell their computers not to trust digital certificates, exacerbating an ongoing security problem with a Dutch certificate authority that was recently hacked.
Mac users began reporting problems when they tried to revoke digital certificates issued by DigiNotar, a Dutch company whose servers were compromised last month and used to issue fraudulent digital certificates. Mac users revoked the certificates on their computers, but still saw some sites that used those certificates being marked as trustworthy.
Digital certificates are an important part of the way the Internet works, and are essential whenever two computers try to connect using the HTTPS protocol. The problem is that Apple's operating system does not allow users to revoke DigiNotar certificates properly, and marks some websites as trustworthy when it shouldn't.
Continued : http://news.techworld.com/security/3300602/apple-mac-os-x-unable-to-revoke-ssl-certificates-properly/
Hurricane Irene clickjacking scam on Facebook
States in the USA, such as Vermont and New Jersey, are continuing to deal with heavy flooding in the aftermath of Hurricane Irene.
And we weren't surprised to find internet scammers attempting to profit from other people's misery.
For instance, here is a clickjacking scam which at the time of writing is still active on Facebook. [Screenshot]
This Facebook page reads:
VIDEO SHOCK - Hurricane Irene New York kills All
All? Hmm.. that would be a rather fanciful claim even for the most sensationalist tabloid report. But maybe it will be enough to make you click further. [Screenshot]
BAM! Too late. You've been clickjacked. Even before you've had a chance to notice that the page is suddenly talking to you in Italian, the webpage has taken your click onto what you thought was the video's play button and secretly behind-the-scenes tricked you into saying you "Like" the page - thus promoting it to your online Facebook friends.
If you were running an add-on like NoScript for Firefox you would have been protected by a warning message:
Continued : http://nakedsecurity.sophos.com/2011/09/01/hurricane-irene-clickjacking-scam-on-facebook/
DigiNotar breach - the story so far
From SANS ISC:
I've been following the DigiNotar story as it evolved for a few days now with growing concern and increasing alarm.
I'm by far not privy to the inside information to be able to really assess and audit the situation, so this is purely based on what is publicly known. Being a Dutch native speaker I have access to what the press in the Netherlands writes about it with the subtle nuances that an automated translation will not capture. I do lack the resources to independently double verify everything and as such some errors might still be in it, consider this a best effort at creating some overview and leading up to conclusions with the limited information that is available.
If we do attract the attention of DigiNotar and/or Vasco: please do contact us, we'd love to talk to you and get more information!
So who is DigiNotar and what do they do when all is normal?
DigiNotar is a CA. They sell SSL certificates, also the EV kind.
But there is more that's mostly of interest to those in the EU or the Netherlands only:
They are also (I'm simplifying a bit, I know) an accredited provider in the EU and provide qualified certificates and approved SSCDs to customers to create digital signatures that -by law- in the EU are automatically considered to be qualified digital signatures and as such they are automatically equivalent to manual signatures. This status forces regular 3rd party audits against the relevant Dutch law and standards such as ETSI TS 101 456.
They also provide certificates services under the PKIOverheid umbrella in the Netherlands. This has even more and stricter rules. e.g. Things that are suggested in the ETSI standards, but not mandatory, can become mandatory for PKIOverheid.
DigiNotar is a 100% daughter company of Vasco (since Jan 2011), so if you see Vasco sometimes doing things like press releases regarding the incident, that's why.
So what do we know in a chronological order ?
Continued : http://isc.sans.edu/diary.html?storyid=11500
Morto worm sets a (DNS) record
Symantec Security Response Blog:
There has been a lot of coverage of the recent RDP capable W32.Morto worm, but one of the more interesting aspects of the worm's behavior appears to have been overlooked. Most malware that we have seen recently has some means of communication with a remote Command and Control (C&C) server. The actual vector of communication tends to vary between threats. For example, W32.IRCBot uses Internet Relay Chat channels whereas the recent high profile threat, Trojan.Downbot, is capable of reading commands embedded in HTML pages and image files. W32.Morto has added another C&C communication vector by supplying remote commands through Domain Name System (DNS) records.
DNS is primarily used to translate human readable URLs, such as "Symantec.com", into numerical network identifiers (188.8.131.52). Every URL on the Internet is eventually resolved to an associated IP address using this system, typically using a DNS A record for IPv4. The A record is what we usually think of when we discuss DNS. These records map domain names to their associated IP addresses with a PTR record used for the inverse operation of IP to host. But DNS is not limited to these record types; there are a number of record types that have been defined in various RFCs over the years to address the changing needs of the system. The record type that W32.Morto uses for its communication protocol is the TXT record.
The DNS TXT record type was originally used to allow human readable text to be stored with a DNS record and later evolved to store machine useable data. To experiment with this, you can use the Microsoft nslookup.exe tool. By querying the TXT record type for "Symantec.com" you can retrieve the SPF information associated with the Domain.
Continued : http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record
Related: Windows Remote Desktop worm "Morto" spreading
Drive by Download Using Python Script to Attack VoIP Phones
From NSS Labs Blog:
Lately we have been seeing TrojansVOIP trojan downloading and installing the SIPVicious suite that is primarily used to audit SIP based VoIP System. This is a good example on how the toolset developed with good things in mind is misused by malware authors. For starters, SIPVicious suite is a set of tools that can be used to audit SIP based VoIP systems. It currently consists of five tools:
1. svmap - this is a sip scanner. Lists SIP devices found on an IP range
2. svwar - identifies active extensions on a PBX
3. svcrack - an online password cracker for SIP PBX
4. svreport - manages sessions and exports reports to various formats
5. svcrash - attempts to stop unauthorized svwar and svcrack scans
The Trojan is delivered by a drive by download that redirects the user to the Black Hole exploit kit. An example of this is hxxp://annbortakimcastollvivi.c0m.li/forum.php?tp=6324c408a06dda2b. The aforementioned URL is injected as an Iframe to benign sites. Once a user navigates to a benign site, the Iframe is loaded into the browser and then redirects the user.
Continued : http://www.nsslabs.com/blog/2011/08/drive-by-download-using-python-script-to-attack-voip-phones.html
HotFile forced to hand over user data to MPAA
"Judge sits on the side of media cartel, again"
HotFile has been ordered by a US judge to hand over details of its affiliates and those who have uploaded and downloaded content from its servers.
HotFile is one of the most popular 'data locker' services on the Internet and the Motion Picture Association of America (MPAA) has made it a priority to eradicate the service. Earlier this year the MPAA had asked HotFile to hand over details on its affiliates and users including IP addresses, however the outfit fought the demand through the courts.
The MPAA claimed that it needs HotFile's data in order to show that the hosting outfit was encouraging and profiteering from sharing files that allegedly broke copyright laws. HotFile had claimed by handing over the data to the MPAA it would be breaking privacy laws. However a US District Court judge Adalberto Jordan saw it differently, handing down a ruling that effectively means HotFile will have to pass on just about everything it has, apart from its source code.
Judge Jordan wrote in his ruling that: "To prove this rampant [copyright] infringement, the movie studios need to do a statistical analysis showing that most of the content uploaded and downloaded on hotfile.com infringes some copyright or another".
HotFile pays its affiliates when content they upload gets downloaded. The MPAA wants the details of the firm's top 500 affiliates, effectively going for those that feed HotFile with cash and content.
Continued : http://www.thinq.co.uk/2011/8/31/hotfile-forced-hand-over-user-data-mpaa/
Also: Hotfile Ordered To Share User Data With The MPAA
Fake stores on other search engines
From Zscaler Research:
A few weeks ago, I showed that even search engines focused on eliminating spam from their search results fail to remove spam pages leading to fake online stores. I was curious to get a broader picture of how different search engines deal with this issue. Since the fake stores exist in several languages (English, French, German, etc.), this issue affects web users in many countries.
I decided to check how spam pages for "Buy Windows 7 key" (or its translation) are displayed in the first two pages (20 results) for various search engines. For reference, the numbers for the 3 main search engines in the US are:
• Google: 7 + 5 = 12
• Bing: 5 + 5 = 10
• Yahoo: 6 + 8 = 14
• Yandex: 10 + 10 = 20
Yandex contains a lot of blackhat spam in general, much more than Google and not just for fake stores. While Google has cleaned up search results for popular queries, especially spam leading to fake AV pages, I have seen no progress on Yandex. [Screenshot]
• Baidu: 10 + 10 = 20
A lot of the spam pages are hosted on Chinese websites (for example):
Continued : http://research.zscaler.com/2011/08/fake-stores-on-other-search-engines.html
Diginotar Keeping TorProject In The Dark On Fraudulent Certs
A co-founder of The Tor Project says his organization is being kept in the dark about the status of a dozen fraudulent SSL certificates issued in its name by a compromised root server operated by Diginotar. The bogus certificates could be used to carry out man in the middle attacks, or trick unsuspecting Internet users into downloading a compromised version of the Tor anonymity software.
The post, by Tor Project co-founder Jacob Appelbaum, is just the latest to raise troubling questions about Dutch certificate authority Diginotar's handling of the security breach that resulted in the creation of hundreds of fraudulent digital certificates for leading online services, including Google and Mozilla, makers of the Firefox browser.
Most of the coverage of the breach to date has focused on man in the middle attacks linked to a forged Google.com certificate. However, Diginotar and its parent company, Vasco, have admitted that the breach involved dozens of firms, not just Google. However, the exact number of fraudulent certificates issued is unknown. Diginotar hasn't released a comprehensive list of certificates. A report by the Dutch Web site nu.nl on Wednesday named the Tor Project as one of a host of leading services, along with Yahoo.com, Wordpress.com and Mozilla, as targets of the hackers.
Continued : http://threatpost.com/en_us/blogs/diginotar-keeping-tor-project-dark-fraudulent-certificates-090111
WikiLeaks Threatens To Sue Over Guardian Leaks
WikiLeaks is preparing to bite the hand that feeds it publicity, for disclosing the password to its leaked cables
Wikileaks is threatening to sue The Guardian newspaper over the disclosure of decryption passwords for the whistleblowing organisation's stash of leaked messages.
The newspaper has a confidentiality agreement with Wikileaks that allows access to the stolen US Embassy messages that fell into Wikileaks' possession.
Book Published Last February
The revelation was made in a book co-written by the newspaper's investigations editor David Leigh, and published by The Guardian last February. In a description of how WikiLeaks founder Julian Assange transferred the files from his netbook to the computer of a Guardian journalist, the base encryption password and a suffix password are spelled out in the clear.
In a statement, which details a redacted (censored) version of the section of the book, WikiLeaks stated, "A Guardian journalist [Leigh] has negligently disclosed top secret WikiLeaks' decryption passwords to hundreds of thousands of unredacted, unpublished US diplomatic cables."
Continued : http://www.eweekeurope.co.uk/news/wikileaks-threatens-to-sue-over-guardian-disclosures-38453
'Anon member' claims credit for WikiLeaks takedown
A Twitter user who claims affiliation to the infamous Anonymous hacktivist collective has claimed responsibility for launching denial of service attacks that floored WikiLeaks on Tuesday night.
The attack against the whistle-blowing site occurred at the same time as less high-profile assaults against Pastebin and 4Chan, the anarchic image board and birthplace of Anonymous.
Anonymous began with attacks against the Church of Scientology three years ago, but only gained mainstream fame when it launched denial of service attacks in support of WikiLeaks and against financial service firms that shut down accounts maintained by the whistle-blowing websites.
Continued : http://www.theregister.co.uk/2011/09/01/anon_wikileaks_takedown_claim/
The big, bad browser quiz
Unrelated to Fraudulent Certificates, WikiLeaks, Hacks, OR .. Facebook! :
Internet Explorer, Firefox, Chrome, Safari -- you know the names of these Web browsers, but do you really know them?
From the time Marc Andreessen and Eric Bina came up with the first graphical Web browser Mosaic, the browser has been the world's portal to the World Wide Web. Everybody uses browsers, but how well do you really know their history and the ins and outs of what makes them unique? Take this short quiz, keep track of your score and see how you stack up at the end.
Browser Quiz: http://www.networkworld.com/slideshows/2011/090111-browser-quiz.html
Free tool for testing net neutrality
IT security specialist Dan Kaminsky has announced N00ter, a tool for identifying artificial brakes on data traffic implemented by ISPs. Kaminsky first described N00ter at the Black Hat and DefCon security conferences in Las Vegas. He intends to make it available to download free of charge within the next few weeks. N00ter, hacker speak for neutral router, will tell users whether their ISP is slowing traffic to and from individual web sites and giving preferential treatment to other web sites. Until now, there has been no way for a normal web user to tell if his or her ISP is manipulating their quality of service.
N00ter provides what Kaminsky describes as "incontrovertible" evidence if a provider is interfering with transfer rates to and from specific servers. Put simply, the N00ter client communicates with a special proxy and measures packet delivery times. Kaminsky has told heise Security, The H's associates in Germany, that he has had the broker hosted by a professional hosting company which permits IP spoofing. Spoofing is a key requirement for N00ter to work. In a subsequent step, the proxy sends packets to the client with spoofed source addresses - in his presentation Kaminsky uses bing.com and google.com as examples.
Continued : http://www.h-online.com/security/news/item/Free-tool-for-testing-net-neutrality-1335031.html
AVG Internet Security 2012 released
AVG announced the availability of AVG Internet Security 2012, the latest edition of its internet security software.
In addition to AVG's multi-layered protection, utilizing signature-based antivirus, heuristics and behavior-based threats detection, AVG 2012 comes with the all-new AVG Accelerator and AVG Advisor features as well as additional protection technologies.
AVG Accelerator optimizes file and video downloads on selected sites to minimize waiting time. Responding to our users' request for a fast and smooth content download while online, AVG Accelerator enhances user experience to provide peace of mind.
AVG Advisor constantly monitors the computer and proactively advises the user with available remedies and optimization possibilities for various computer problems they may have.
Key footprint achievements of AVG 2012 compared to previous AVG Internet Security 2011:
Continued : http://www.net-security.org/malware_news.php?id=1823
Also: AVG Free 2012 turns to performance tuning
Lawsuit says Microsoft tracks customers without consent
Microsoft allegedly tracks the location of its mobile customers even after users request that tracking software be turned off, according to a new lawsuit.
The proposed class action, filed in a Seattle federal court on Wednesday, says Microsoft intentionally designed camera software on the Windows Phone 7 operating system to ignore customer requests that they not be tracked.
A Microsoft representative could not immediately be reached for comment.
The lawsuit comes after concerns surfaced earlier this year that Apple's iPhones collected location data and stored it for up to a year, even when location software was supposedly turned off. Apple issued a patch to fix the problem.
However, the revelation prompted renewed scrutiny of the nexus between location and privacy. At a hearing in May, U.S. lawmakers accused the tech industry of exploiting location data for marketing purposes -- a potentially multibillion-dollar industry -- without getting proper consent from millions of Americans.
Continued : http://www.reuters.com/article/2011/08/31/us-microsoft-lawsuit-idUSTRE77U6BT20110831
Hoax Email Purporting to Be FTC Spreads Malware [WARNING]
A malicious email is circulating that purports to come from the U.S. Federal Trade Commission and leaves computers infected with malware. The FTC began receiving reports of the viral scam Thursday afternoon.
David Torok, the FTC's associate director for planning and information, says the FTC can't yet tell the frequency of the email or confirm any trends among the recipients. Several callers have been small business owners who could be more likely to click on the links as the message is addressed "Dear business owner."
The email's subject line says "URGENT: Pending Consumer Complaint!" The body reads:
"Dear business owner, A consumer complaint has been filled against your company. Your company is being accused of trying to commit fraud against the complaint's filling party. The full text of the complaint file can be viewed on the FTC website, in PDF format, by visiting the following link."
After a malicious link, the reader is urged to call a FTC help hotline, use a secure online complaint form or email complaints to the FTC. It's likely that people worried about their business's supposed fraudulent activity would be most likely to respond to the message.
"One business owner said when they clicked on the link their computer immediately froze - that's never a good sign." Torok says, demanding a careful examination.
Continued : http://mashable.com/2011/09/01/ftc-malware/