NEWS - September 05, 2012

Anonymous Leaks Apple UDIDs Following Alleged Hack of FBI

UPDATE -- The AntiSec arm of hacktivist group Anonymous published one million unique device identifier numbers, or UDIDs, for Apple devices, including iPhones and iPads, on Monday night. The group alleges the slew of information was swiped from a laptop belonging to the FBI earlier this year.

In a post on Pastebin, Anonymous maintains that the list of UDIDs originally contained information on 12,000,000 devices, but that the group later trimmed it down to 1,000,001 entries and stripped personal data like full names, cell numbers, addresses and ZIP codes from the file.

Each UDID is followed by what Anonymous claims is a Push Notification Service DevToken, along with the device's name and type associated with the UDID.

According to the Pastebin post, the group unearthed the UDIDs after compromising the laptop of an FBI agent in March and exploiting the same AtomicReferenceArray hole the Flashback Trojan used earlier this year in Java. A file, "NCFTA_iOS_devices_intel.csv," then yielded a list of 12,367,232 UDIDs.

The FBI denied that the bureau ever had the data or that Anonymous was able to compromise an agent's laptop.

Continued : https://threatpost.com/en_us/blogs/anonymous-leaks-apple-udids-following-alleged-hack-fbi-090412

Related:
FBI hits back at Anonymous - your claims are TOTALLY FALSE
Hackers leak 1 million Apple UDIDs allegedly stolen from FBI laptop
FBI denies AntiSec's Apple UDID database claims
Apple Device ID Leak: A 'PR Scam by Anonymous'?
Comments

Hacker steals $250k in Bitcoins from online exchange Bitfloor

The future of the up-and-coming Bitcoin exchange Bitfloor was thrown into question Tuesday when the company's founder reported that someone had compromised his servers and made off with about 24,000 Bitcoins, worth almost a quarter-million dollars. The exchange no longer has enough cash to cover all of its deposits, and it has suspended its operations while it considers its options.

Bitfloor is not the first Bitcoin service brought low by hackers. Last year, the most popular Bitcoin exchange, Mt.Gox, suspended operations for a week after an attacker compromised a user account and sold all of his Bitcoins in a firesale that temporarily pushed the price down to zero. The site survived the attack and remains the leading Bitcoin exchange today. Hackers made off with another $228,000 in Bitcoins from online services earlier this year.

Bitcoin's peer-to-peer design means that transactions are irreversible. Once a transaction appears in the blockchain, the global record of Bitcoin transactions, no one has the authority to reverse it. And the pseudonymous nature of Bitcoin makes it difficult to trace stolen Bitcoins to their new owners.

Continued : http://arstechnica.com/tech-policy/2012/09/hacker-steals-250k-in-bitcoins-from-online-exchange-bitfloor/

Also:
Future of top US Bitcoin exchange in doubt after hackers grab $250,000
BitCoin exchange BitFloor loses $250,000 after unencrypted keys stolen
Bitcoin Exchange Hacked, $US250K Stolen, Trading Operations Suspended
Virtual Bank Robber Gets Away with $250,000 in Bitcoin Heist

Pirate Bay founder to be deported from Cambodia

Cambodian police have confirmed that they plan to deport Gottfrid Svartholm Warg, the Swedish co-founder of The Pirate Bay file-sharing website, who was arrested on Monday.

The country's deputy national police chief, Sok Phal, said the decision was made after visiting Swedish officials presented legal documents on the case against him. They are now waiting for the approval of the country's interior minister.

Warg, 27, who has been living in Cambodia for several years, was sentenced to 12 months in prison for copyright violations in 2009. Swedish authorities issued an international warrant against him after he failed to show up for the start of his jail term.

Cambodia and Sweden do not have an extradition treaty, so it is unclear which country he will be deported to.

"We just know we will deport him. As to which country, that would be up to the Swedish side," police spokesman Kirth Chantharith said in a statement.

Continued : http://news.techworld.com/security/3379275/pirate-bay-founder-be-deported-from-cambodia/

Also:
Pirate Bay co-founder arrested in Cambodia
Cambodia To Deport Pirate Bay Co-Founder Gottfrid Svartholm
Pirate Bay Co-founder Arrested in Cambodia

Report: Mobile Security Apps Generally Effective

Over the past couple of months, researchers at AV-Comparatives.org torture-tested mobile security products from fourteen well-known vendors. They used real phones, not emulators, for the test, specifically Samsung Galaxy S Plus phones running Android 2.3. For once, every tested product did well. They earned good or great detection scores against real-world malware, with no score lower than 93 percent and many much higher. The products all did well in the rigorous battery-drain test too.

Avast, Bitdefender, ESET, F-Secure, Ikarus, Kaspersky, Qihoo, Trend Micro, and TrustGo all detected 98 to 100 percent of the samples. AV-Comparatives suggests these be considered equally effective, without worrying about tiny differences in the actual scores. Lookout, McAfee, Sophos, and Webroot all fell into the next sample range, from 93 to 98 percent detection. This is still a good result, according to the report. Click the image below for a full chart of results.

Continued : http://securitywatch.pcmag.com/none/302302-report-mobile-security-apps-generally-effective

Also: AV test lab examines Android security programs

McAfee Threats Report Shows Largest Malware Rise in 4 Years

"Mobile 'Drive-by Downloads', Use of Twitter for Control of Mobile Botnets, and Mobile 'Ransomware' Among the Latest Trends"

McAfee today released the McAfee Threats Report: Second Quarter 2012, which found the biggest increase in malware samples detected in the last four years. McAfee Labs detected a 1.5 million increase in malware since Q1 2012 and identified new threats such as mobile "drive-by downloads", the use of Twitter for control of mobile botnets, and the appearance of mobile "ransomware".

Through proprietary research and investigation, McAfee Labs has been witness to rapid growth in its database or "zoo" of malware samples. With the malware sample discovery rate accelerating to nearly 100,000 per day, McAfee has identified key malware variants affecting a range of users globally.

"Over the last quarter we have seen prime examples of malware that impacted consumers, businesses, and critical infrastructure facilities," said Vincent Weafer, senior vice president of McAfee Labs. "Attacks that we've traditionally seen on PCs are now making their way to other devices. For example, in Q2 we saw Flashback, which targeted Macintosh devices and techniques such as ransomware and drive-by downloads targeting mobile. This report highlights the need for protection on all devices that may be used to access the Internet."

Continued : http://www.marketwatch.com/story/mcafee-threats-report-shows-largest-malware-rise-in-four-years-2012-09-04

Related:
McAfee Sees Biggest Increase In Malware Attacks in the Last Four Years
Mobile Malware Is Up - Way Up - in McAfee Q2 Threat Report

A Handy Way to Foil ATM Skimmer Scams

I spent several hours this past week watching video footage from hidden cameras that skimmer thieves placed at ATMs to surreptitiously record customers entering their PINs. I was surprised to see that out of the dozens of customers that used the compromised cash machines, only one bothered to take the simple but effective security precaution of covering his hand when entering his 4-digit code.

In February 2011, I wrote about geek gear used in a 2009 ATM skimmer incident at a Bank of America branch in California. The theft devices employed in that foiled attack included a card skimmer that fit over the real card acceptance slot, and a hidden ball camera.

I recently obtained the video footage recorded by that hidden ball camera. The first segment shows the crook installing the skimmer cam at a drive-up ATM early on a Sunday morning. The first customer arrives just seconds after the fraudster drives away, entering his PIN without shielding the keypad and allowing the camera to record his code. Dozens of customers after him would do the same. One of the customers in the video clip below voices a suspicion that something isn't quite right about the ATM, but he proceeds to enter his PIN and withdraw cash anyhow. A few seconds later, the hidden camera records him reciting the PIN for his ATM card, and asking his passenger to verify the code.

Continued : http://krebsonsecurity.com/2012/09/a-handy-way-to-foil-atm-skimmer-scams/

Watch this - the funniest spam video you'll ever see [VIDEO]

We all want our friends and family to learn more about how better to secure their computers.

But the eternal challenge is how can we make the advice interesting and engaging for a non-techie audience, and not make the mistake of endlessly droning on using buzzwords they are unlikely to understand.

The video below about spam - made by the folks at "Glove and Boots" - manages to make what could be a tremendously dry topic, funny and informative instead.

Best of all... it features puppets called Mario and Fafa.

The video is very funny, but it does make one mistake which is sure to upset the folks at Hormel Foods.

Spam wasn't named after the canned precooked meat product, but instead a Monty Python sketch where characters keep singing "Spam spam spam spam spam".

Hormel Foods aren't quite keen that their product, called SPAM® with capital letters, is mixed up with the internet nuisance of unsolicited commercial email. So I doubt they would be that happy to see cans of SPAM® feature so prominently in the video.

Continued : http://nakedsecurity.sophos.com/2012/09/05/funniest-spam-video/

Google suspicious sign-in alert contains a trojan

Unknown attackers are attempting to persuade email recipients to open attachments that contain a trojan by claiming to be from The Google Accounts Team. A new email supposedly from "accounts-noreply@google.com" with the subject "Suspicious sign in prevented" is being sent en masse claiming that a hijacker has attempted to access the mail recipient's Google Account. The message says that the sign-in attempt was prevented but asks users to refer to the attached file for details of the attempted intrusion.

However, instead of containing information such as the IP address of the log-in attempt, the attached zip file contains a Windows executable file that will install a trojan onto a victim's system. While Google does sometimes send emails like this to users, they never contain attachments; users that receive such an email are advised to delete it. According to VirusTotal, the trojan is currently detected by just half of the 42 anti-virus programs used by the online virus scanner service.

http://www.h-online.com/security/news/item/Google-suspicious-sign-in-alert-contains-a-trojan-1698349.html

Also: Google users targeted with malware-laden "Suspicious sign in" notices
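The lure described above combines two things a mail gateway can check mechanically: a message claiming a google.com sender that carries an attachment at all (the post notes Google's real alerts never do), and a zip whose member is a Windows executable. The following is an added example, not code from the article or from Google: a small triage routine using only the Python standard library. The sample messages, file names and the "MZ" filler bytes are constructed for the demonstration, and the extension list is an assumption about what is worth flagging.

```python
import email
import email.utils
import io
import pathlib
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly; a zip wrapping one of these is the
# pattern the post describes. The list is an assumption for this example.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_lure_message() -> bytes:
    """Constructed sample imitating the lure: a fake 'Suspicious sign in
    prevented' notice with a zip attachment wrapping a Windows executable.
    The 'executable' is a fabricated MZ header plus filler, not real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Account_Intrusion_Report.exe", b"MZ" + b"\x00" * 64)
    msg = EmailMessage()
    msg["From"] = "The Google Accounts Team <accounts-noreply@google.com>"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Suspicious sign in prevented"
    msg.set_content("Someone tried to sign in to your account. See the attached file for details.")
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip",
                       filename="sign_in_details.zip")
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed control sample: the same subject, but no attachment."""
    msg = EmailMessage()
    msg["From"] = "accounts-noreply@google.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Suspicious sign in prevented"
    msg.set_content("Someone tried to sign in. Review the activity in your account settings.")
    return msg.as_bytes()


def executables_inside_zip(data: bytes) -> list[str]:
    """Names of zip members whose extension is directly executable on Windows."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist()
                if pathlib.PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTENSIONS]


def triage_message(raw: bytes) -> dict:
    """Collect the findings a gateway would record before deciding to quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    attachments = list(msg.iter_attachments())
    findings = []

    # Google's genuine alerts never carry attachments, so the combination is itself a signal.
    if sender.endswith("@google.com") and attachments:
        findings.append("claims a google.com sender but carries an attachment")

    for part in attachments:
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if pathlib.PurePosixPath(name).suffix.lower() in EXECUTABLE_EXTENSIONS:
            findings.append(f"directly executable attachment: {name}")
        # Look inside archives rather than trusting the outer file name.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            for member in executables_inside_zip(payload):
                findings.append(f"executable inside {name}: {member}")

    return {"sender": sender,
            "attachments": [p.get_filename() for p in attachments],
            "findings": findings,
            "quarantine": bool(findings)}


if __name__ == "__main__":
    for sample in (build_lure_message(), build_benign_message()):
        print(triage_message(sample))
```

The sender check deliberately keys on the claimed address, not on authentication results: a gateway that already validates SPF/DKIM would add that verdict as a separate finding, but even a message that passes those checks is still suspect if it claims to be a Google account alert and carries an attachment.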

Broadcaster Al Jazeera Knocked Offline With DNS Attack

Websites of broadcaster Al Jazeera were offline as of late Tuesday as the media outlet continued to suffer from an attack against Domain Name System (DNS) servers.

Al Jazeera's main website was also defaced at one point, according to a screenshot captured by Zone-H.org, which tracks website vandalism. A group calling itself Al-Rashedon claimed responsibility, displaying a Syrian flag and large red stamp reading "Hack."

Babar Mustafa, a senior software engineer with Al Jazeera, wrote on Twitter that "DNS [Domain Name System] poisoning issues are being resolved by our provider."

ISPs often provide DNS services to their customers. Tampering with DNS settings can be particularly harmful, since users can be redirected to a fake website even though a correct domain name has been typed into a web browser. This type of attack is known as DNS "poisoning."

Continued : http://www.pcworld.com/businesscenter/article/261891/broadcaster_al_jazeera_knocked_offline_with_dns_attack.html

Tips For Java Junkies

From the F-Secure Antivirus Research Weblog:

So, according to our recent poll, only 12% of you don't have Java Runtime Environment (JRE) installed. And the rest of you (88%) are Java junkies to one degree or another. [Screenshot]

Okay, well, for the 41% of you that have Java installed and also have browser plugins enabled, we hope you're at least using Java via Google Chrome, which prompts the user for permissions each time it comes across Java. [Screenshot]

Are you a Firefox user? Perhaps Plugins Toggler, an extension by Trinh Nguyen will encourage you to disable Java in your browser. [Screenshot]

It's a very simple and easy to use toolbar button that lets you open and "toggle" any installed plugins. So then you could leave Java disabled by default, but enable it when needed without having to dig through options menus. [Screenshot]

(A dedicated Java toggler button extension would be nice. Hint, hint.)

If you're now tempted to limit your Java plugins, why stop there? Why not inhibit all of your plugins? (As in Adobe Flash.)

Google Chrome includes an option for "Click to play" in Content settings (chrome://chrome/settings/content). [Screenshot]

Continued : http://www.f-secure.com/weblog/archives/00002419.html

Perfecting the Fake - Android Edition

From the F-Secure Antivirus Research Weblog:

When fake AVs used to take the limelight, their user interface started from pretty-crappy-and-obviously-rogue-AV and ended up with a very convincing design. It took a while for the miscreants to get there, but they really poured some work in an attempt to perfect the design in order to get a wider victim-base.

It looks like the websites for fake Android applications are taking the same road. For quite some time, they have been using the same website layout template. Examples of the latest applications they mimic are: Android Office, Winamp, Doodle Jump, DrWeb, Mass Effect, and Nova 3. [Screenshot]

However, that trend could be changing. We have already seen some fake applications that dropped the template act altogether in order to create a more polished design. [Screenshot]

Take, for example, these Chrome and fake Chrome websites. Without the word "fake", would you be able to spot the difference? [Screenshot]

Continued : http://www.f-secure.com/weblog/archives/00002420.html

Gameover ZeuS

From the F-Secure Antivirus Research Weblog:

Excerpted from our Threat Report H1 2012:

In the last year ZeuS has split into several separately developed crimeware families after the source code for version 2.0.8.9 was leaked. An interesting development is a peer-to-peer version of ZeuS, which has been dubbed "Gameover".

The Gameover peer-to-peer (P2P) version was the second ZeuS derivative to appear in the wild and uses a peer-to-peer network to fetch configuration files and updates from other infected computers. The extensive changes incorporated into the derivative focus almost exclusively on the configuration file, and appear to be aimed at hindering retrieval and analysis. Many of the changes are to code sections that have been unaltered for years, such as the binary structure and compression method, which has not changed since 2008 (version 1.2).

The date this version was released to the public can be estimated from the registration data for the domains created by its Domain Generation Algorithm (DGA). The trojan uses these domains as "backup servers" if it cannot connect to other machines on the P2P network. As the first domain registration occurred on September 5th 2011, the trojan was likely let loose close to that date. These backup servers only host another list of infected machines from which the trojan could retrieve the actual configuration file. This backup system means that the configuration file is never stored on an external web server, but is handled entirely within the botnet itself.

All analyzed P2P samples have contained the same RSA public key used to check the digital signatures of incoming files.

Continued : http://www.f-secure.com/weblog/archives/00002421.html
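The excerpt explains that Gameover falls back to Domain Generation Algorithm (DGA) domains when it cannot reach its peers, and that only some of those generated names were ever registered. Bursts of NXDOMAIN answers for long, high-entropy names are therefore a workable network-side indicator of DGA fallback traffic. The following is an added detection example, not F-Secure's code and not specific to Gameover's algorithm: it scores the registrable label of each failed lookup by Shannon entropy and length, and reports clients with repeated hits. The log format and the sample lines are constructed for the demonstration; the thresholds are assumptions to tune against real resolver data.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not real telemetry). Client 10.0.0.44 shows
# the pattern a DGA leaves behind while its generated domains are unregistered:
# a burst of NXDOMAIN answers for long, high-entropy names. Client 10.0.0.12
# mixes normal traffic with one ordinary typo-style NXDOMAIN.
SAMPLE_LOG = """\
2012-09-05T10:14:01Z client=10.0.0.12 query=www.f-secure.com type=A rcode=NOERROR
2012-09-05T10:14:03Z client=10.0.0.12 query=mail.google.com type=A rcode=NOERROR
2012-09-05T10:14:05Z client=10.0.0.44 query=kqzavxtrwpbmlcyd.biz type=A rcode=NXDOMAIN
2012-09-05T10:14:05Z client=10.0.0.44 query=rpwylmcbtzqvkhxs.com type=A rcode=NXDOMAIN
2012-09-05T10:14:06Z client=10.0.0.44 query=ztmqvbkpxlhcwrdy.net type=A rcode=NXDOMAIN
2012-09-05T10:14:06Z client=10.0.0.44 query=xvplqtzmkbwchrsy.org type=A rcode=NXDOMAIN
2012-09-05T10:14:07Z client=10.0.0.44 query=bqkzxwvtmlpchryd.info type=A rcode=NXDOMAIN
2012-09-05T10:14:09Z client=10.0.0.12 query=threatpost.com type=A rcode=NOERROR
2012-09-05T10:14:11Z client=10.0.0.12 query=nonexistent-host.example.com type=A rcode=NXDOMAIN
"""

# Field layout of the constructed log format above (an assumption of this example).
LINE_RE = re.compile(r"client=(?P<client>\S+) query=(?P<query>\S+) type=\S+ rcode=(?P<rcode>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(domain: str) -> str:
    """The label a DGA actually generates: the one left of the public suffix.
    Assumes a single-label suffix (.com, .biz); production code would consult
    the public suffix list instead."""
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    match = LINE_RE.search(line)
    return match.groupdict() if match else None


def find_dga_suspects(log_text: str, min_nxdomain: int = 3,
                      min_entropy: float = 3.5, min_length: int = 12) -> dict:
    """Map client -> suspicious queried domains, keeping only clients with at
    least min_nxdomain failed lookups whose label is long and high-entropy."""
    candidates = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["rcode"] != "NXDOMAIN":
            continue
        label = registrable_label(rec["query"])
        if len(label) >= min_length and shannon_entropy(label) >= min_entropy:
            candidates[rec["client"]].append(rec["query"])
    return {client: domains for client, domains in candidates.items()
            if len(domains) >= min_nxdomain}


if __name__ == "__main__":
    for client, domains in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} DGA-like NXDOMAIN lookups, e.g. {domains[0]}")
```

Entropy alone misfires on CDN hostnames and hashed subdomains, which is why the score is taken on the registrable label and gated on a count of failures per client; once a client is flagged, the registered minority of its generated names (the actual backup servers) are the ones worth blocking at the resolver.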

New Attack Uses SSL/TLS Information Leak to Hijack HTTPS Sessions

There is a feature supported by the SSL/TLS encryption standard and used by most of the major browsers that leaks enough information about encrypted sessions to enable attackers to decrypt users' supposedly protected cookies and hijack their sessions. The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference to the success of the attack.

The attack was developed by researchers Juliano Rizzo and Thai Duong, the same pair who last year released details of a similar attack on SSL/TLS and wrote a tool called BEAST, which also gave them the ability to decrypt users' cookies and hijack sessions with sensitive sites such as e-commerce or online banking sites. That attack targeted a specific problem with the AES (Advanced Encryption Standard) algorithm as it was implemented in TLS 1.0 and SSL 3.0, and they were able to use the BEAST tool to grab encrypted cookies from active user sessions that were supposedly protected by SSL/TLS.

Continued : https://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512
