NEWS - September 07, 2012

Two Microsoft Security Updates Await In Advance of Certificate Key Length Changes

Microsoft is promising a light load of security updates for next Tuesday's monthly patch release in an attempt to give Windows administrators and security teams time to prepare for an October change to certificate key length requirements.

Angela Gunn of Microsoft's Security Response Team announced today that Microsoft expects to release only two bulletins next week, both rated Important and both addressing privilege escalation vulnerabilities in Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1, Microsoft Systems Management Server 2003 Service Pack 3 and Microsoft System Center Configuration Manager 2007 Service Pack 2. The bulletins will be released Tuesday at 1 p.m. ET.

September is usually a light month for Microsoft updates, and this one is no exception, though Windows managers will still be busy with the certificate key length changes Microsoft communicated in June. At the start of the summer, Microsoft announced that it will release the requirement changes in its monthly update scheduled for Oct. 9.

Continued :

Get ready: Microsoft is raising the bar for encryption keys
Microsoft to release two updates on Tuesday
Microsoft gives users a patch break, and time to prep for certificate slaying

Related: Security Bulletin Advance Notice for: September 2012

Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google

[Screenshot: Graphic showing how the Elderwood gang conducts its attacks]

It's been more than two years since Google broke corporate protocol by revealing that it had been the victim of a persistent and sophisticated hack, traced to intruders in China that the company all but said were working for the government.

And it turns out the hacker gang that hit the search giant hasn't been resting on its reputation; it's been busy targeting other companies and organizations, using some of the same methods of attack, as well as a remarkable menu of valuable zero-day vulnerabilities. The attackers used at least eight zero-days in the last three years, including ones that targeted the ubiquitous software plugin Flash and Microsoft's popular IE browser.

Researchers at Symantec traced the group's work after finding a number of similarities between the Google attack code and methods and those used against other companies and organizations over the last few years.

The researchers, who describe their findings in a report published Friday, say the gang — which they have dubbed the "Elderwood gang" based on the name of a parameter used in the attack codes — appears to have breached more than 1,000 computers in companies spread throughout several sectors - including defense, shipping, oil and gas, financial, technology and ISPs. The group has also targeted non-governmental organizations, particularly ones connected to human rights activities related to Tibet and China.

Continued :

Google Hackers Exploit Eight Zero-Days To Hit Defence Firms
From spear phishing to watering holes

'Elderwood' Crew, Tied to Google Aurora Attack, Targeting Defense, Energy, Finance Companies

UPDATE -- The same team that attacked Google in the Aurora campaign in 2009 is still active and has been conducting a long-term campaign targeting defense contractors, financial services companies, energy companies, human rights organizations and government agencies using a seemingly inexhaustible supply of zero-day vulnerabilities. The crew is using a variety of techniques to go after its targets, most notably compromising legitimate Web sites frequented by employees of the targeted organizations and then delivering exploits for one or more of their stockpiled zero-day bugs, researchers say.

The team behind these operations appears to be in the top tier of professional attack teams, possessing the ability to do original research to find new vulnerabilities in popular applications such as Adobe Flash and Internet Explorer, and then write exploits for those flaws, as well. Researchers at Symantec have been tracking the group, which they've dubbed the Elderwood gang, for some time, and have seen the crew using previously unknown vulnerabilities in rapid succession over the course of the last couple of years in attacks aimed at defense contractors, government agencies and other high-value targets.

The number of groups doing their own research, finding zero-days and then writing exploits for them is virtually impossible to know, given the structure of the cybercrime underground, but it is thought to be a small number relative to the overall population of attackers. That kind of research takes time, money and high-level technical skills that many groups solely interested in stealing money just don't have.

Continued :

Arizona man going to jail for selling access to botnets

A 30-year-old Phoenix man was sentenced Thursday to 30 months in prison for using botnets and selling access to them, the US Department of Justice announced.

Joshua Schichtel, allegedly connected to a group of hackers who used denial-of-service attacks to target businesses, was sentenced in US District Court for the District of Columbia. Schichtel was allegedly a member of the so-called DDOS mafia, a group of hackers that attacked websites on behalf of a business owner, but 2004 charges in California were dropped because prosecutors didn't file an indictment by the required deadline.

He pleaded guilty on 17 August 2011, in Washington, DC, to one count of attempting to cause damage to multiple computers without authorisation by the transmission of programs, codes or commands, a violation of the US Computer Fraud and Abuse Act.

Continued :

Botnet master gets 30-month prison term for renting out infected PCs
Botnet operator sent to prison

Microsoft puts Win 8 users at risk with missing Flash update

"Last month, Adobe released a batch of critical security updates for Flash Player. Those updates are available for every modern browser except one. Microsoft has yet to release the update for IE 10 in Windows 8, and may not do so until next month."

This update resolves vulnerabilities that are being targeted, or that have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform. Adobe recommends that administrators install the update as soon as possible (for example, within 72 hours).

If you use Windows 7 (or earlier) with any modern browser and you've enabled automatic updates, you already have the latest Flash security fixes. Ditto if you use a Mac.

But if you're using Internet Explorer 10 on any version of Windows 8, including the RTM bits available via MSDN or TechNet and the enterprise preview, you are at risk. You cannot manually update the version of Flash baked into IE 10. Only Microsoft can do that.

Microsoft made a bold design decision with Internet Explorer in Windows 8, adding Adobe's Flash Player to the browser as a built-in component instead of a third-party plugin. That design echoes Google's decision long ago to include Flash Player in every version of Chrome.

Continued :

Also: Internet Explorer 10's bundled Flash leaves users exploitable

Is Opera *really* the safest browser?

An online poll conducted on the Naked Security site has come up with an interesting finding: Opera, a relative minnow in the web browser market, is reckoned to be a more secure browser than the likes of Google Chrome, Mozilla Firefox and Internet Explorer. [Screenshot]

We were interested in discovering which browser our readers would recommend to friends or family who had suffered a computer security problem.

The poll opened on the morning of Monday 3rd September, and saw Chrome and Firefox take an early lead with Internet Explorer, Safari and Opera lagging far far behind.

Everything changed yesterday, however, as Opera surged in its share of the vote. The Norwegian browser - which had earlier been receiving fewer than two votes an hour - was suddenly receiving five votes every minute!

Impressive for a browser which has a much smaller marketshare than the big players. [Screenshot]

So, what happened? Had thousands of people suddenly woken up to the realisation that Opera *was* their favourite browser, and that they should vote for it instead of Chrome or Firefox?

Continued :

Mozilla updates Firefox 15 to fix private browsing problem
Mozilla has released an update to version 15 of Firefox to correct a bug in the web browser's Private Browsing feature. Private Browsing is intended to allow users to browse the internet without saving any data about the sites and pages they've visited. However, an error in the recent Firefox 15.0 release meant that Firefox was storing sites visited in its cache while Private Browsing was enabled.

According to the Bugzilla entry for the problem, upon turning off Private Browsing mode, this cached information could still be manually accessed or read by using a Firefox add-on such as CacheViewer Continued or other tools.

Firefox 15.0.1 is available to download for Windows, Mac OS X and Linux from the project's site. Existing users should receive an automated update notification; alternatively, users can manually check for the update.

See: Mozilla Firefox v15.0.1 Released - September 06, 2012

Win 8 'doesn't move the needle' on security, says Symantec

Symantec said Windows 8 "doesn't move the needle much" on security as it rolled out new versions of its antivirus software and promised to provide users with several so-called "Modern" apps for the new operating system.

On Wednesday, the security developer released new versions of its consumer titles Norton AntiVirus, Norton Internet Security and Norton 360.

The new programs are optimized for Windows 8's traditional desktop environment -- the side of the new OS that looks much like Windows 7 -- said Gerry Egan, senior director, product management, in an interview. When Windows 8 ships in late October, Symantec will offer a trio of apps specific for the tile-based user interface (UI) once known as "Metro" and now often referred to as "Modern."

Those apps, which have not yet been given final names, will include one that connects to Symantec's cloud-based back-end management system to give users a view into the security health of Windows and the hardware; another that uses the company's "whitelist" technology to sniff out suspicious data and files, including corrupted Modern apps; and a third that uses Internet Explorer 10's (IE10) engine inside a customized browser that Egan said will let customers "surf online securely."

Continued :

Will Your Android Device Catch Malware? Depends on Where You Live

We've all seen the alarming headlines of how fast mobile malware is growing, but according to Lookout Mobile, the likelihood of an Android owner actually catching malware varies widely by country. In the U.S., the chances are less than one percent; in Russia, where infection rates are highest, it shoots up to 42 percent.

Russia is followed by Ukraine at 28 percent, China at 7.6 percent, and Israel at 2.6 percent. Users in France and Germany are relatively safe, running a 0.4 percent and 0.3 percent likelihood respectively. The latest heat map from Lookout:

[Screenshot: Mobile Malware Infection Rate - June 2012]
"There are a lot of numbers out there in the AV industry, that we frankly believe are exaggerated, overblown, or presented without the right context," said Derek Halliday, senior product manager at Lookout.

Lookout combined two figures to calculate these odds: the incidence of app-based threats and the incidence of Web-based threats. For app-based threats, Lookout totaled all threats detected by new Lookout users within their first week of use, and divided that figure by the total number of registered users who'd been using Lookout for at least a week. This rate was captured monthly. It also included for the first time threats caught right after an app download as well as threats from sideloaded apps (apps that come from outside the official app stores).

So what explains the more alarming claims of other threat reports?

Continued :

Report: Toll Fraud Emerges as Android's Number One Threat

Mobile malware continues to run rampant, thanks to a growing glut of toll fraud malware - apps that have been engineered to bill their victims through premium SMS services. The malware type eclipsed spyware this year as the largest application-based threat, according to mobile security firm Lookout, which found it made up 79 percent of the malware it detected over the past year.

"The prevalence of Toll Fraud grew explosively from 29 percent of the application-based threats in Q3 2011 to more than 62 percent in Q2 2012," reads one part of the firm's State of Mobile Security 2012 report, posted today on the company's blog. [Screenshot]

FakeInst, a type of toll fraud malware, has dominated mobile phones over the last six or seven months. Opfake, a FakeInst variant, has even been seen meshing with copies of Opera's Mini browser as of late. [Screenshot]

Lookout posits copies of the SMS Trojan have earned the malware's authors approximately $10 million over the last nine months, mostly from victims in Russia and Eastern Europe.

Continued :

Opera Starts Blocking Extensions from Third-Party Sites, Citing Security Risks

Opera is going the Google route and is limiting the places where you can install extensions from. Unlike Google though, it's not a complete block, but it's not that much better either.

Of course, the move is listed as a security conscious one and it is to some degree, but it's also designed to get developers to put their extensions in the Opera Addons gallery and not host them by themselves.

The move was announced a few weeks back and it's now becoming a reality, in the latest Opera 12.50 experimental snapshot. By default, users will not be able to install any addons from outside the Opera Addons gallery at all.

Before they can install an addon from a third-party location, they have to add that domain to a whitelist. The whitelist will only contain the official Opera location by default.

"Having studied how people install and use extensions we came to the conclusion that current security dialog is somewhat deficient, in that many users will simply click-through it and add new repositories to the trusted list, without fully understanding the consequences of such an action," Opera explained.

Continued :

Tool Allows Mac OS X Hackers With Root Access to Easily Extract Keychain Data

A new tool allows Mac OS X attackers with root OS access to easily steal the keychain password data of logged-in users, and it reinforces the dangers of granting administrative privileges to applications without serious consideration.

The tool is called keychaindump and was created by Finnish software developer Juuso Salonen, the author of the Radio Silence firewall for Mac OS X.

The Mac OS X keychain is a password management system designed to allow the storing and accessing of user passwords for various types of accounts and applications in a secure manner.

"The passwords in a keychain file are encrypted many times over with various different keys," Salonen said Wednesday in a blog post. "Some of these keys are encrypted using other keys stored in the same file, in a russian-doll fashion."

"The [master] key that can open the outermost doll and kickstart the whole decryption cascade is derived from the user's login password using PBKDF2 [a cryptographic key derivation function]," Salonen added.
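To make the cascade concrete, here is an added example (not from the article, from keychaindump, or from Apple's code): a simplified keychain-style hierarchy in Python in which PBKDF2 turns the login password into a master key, the master key unwraps an item key, and the item key protects the stored secrets. The HMAC-based stream cipher, the record layout and the iteration count are stand-ins chosen for this illustration, not the real keychain format.

```python
# Added example: a "russian-doll" key hierarchy in the style the post describes.
# Everything here is a simplified stand-in; the real OS X keychain format differs.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed value; the page does not state the real count
KEY_LEN = 32                  # bytes of key material per layer
NONCE_LEN = 16
TAG_LEN = 32                  # HMAC-SHA256 tag


def derive_master_key(login_password: str, salt: bytes) -> bytes:
    """Outermost doll: the master key exists only as a function of the login password."""
    return hashlib.pbkdf2_hmac("sha256", login_password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream built from HMAC; domain-separated from the MAC below.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    """Reject a record unless the tag verifies, so a wrong key never yields garbage."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_keychain(login_password: str, secrets: dict) -> dict:
    """Nest the dolls: login password -> master key -> item key -> each stored secret."""
    salt = os.urandom(NONCE_LEN)
    master_key = derive_master_key(login_password, salt)
    item_key = os.urandom(KEY_LEN)                     # inner key, random per keychain
    wrapped_item_key = seal(master_key, item_key)      # stored only in encrypted form
    items = {name: seal(item_key, value.encode()) for name, value in secrets.items()}
    return {"salt": salt, "wrapped_item_key": wrapped_item_key, "items": items}


def unlock_keychain(keychain: dict, login_password: str) -> dict:
    """Run the decryption cascade; every layer depends on the one outside it."""
    master_key = derive_master_key(login_password, keychain["salt"])
    item_key = unseal(master_key, keychain["wrapped_item_key"])
    return {name: unseal(item_key, rec).decode() for name, rec in keychain["items"].items()}
```

Because each layer unlocks only through the one outside it, the login password and the PBKDF2 parameters bound the strength of the whole file; code that can read the already-unwrapped inner keys from memory, as the article says a root-level tool can, skips the cascade entirely, which is why the privilege boundary matters more than the encryption.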

Continued :

Symantec claims losses from cybercrime exceed $100 billion

According to Symantec's 2012 Norton Cybercrime Report (PDF), worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim.

A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist's report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report. The results reveal that many of those affected are victims of their own carelessness. Around 40% of people don't use complex passwords or don't change their passwords regularly.

Continued :

Also: 2012 Norton Cybercrime Report Presents a Worrisome Scenario

Google beefs up its security by acquiring online virus scanner VirusTotal

Google has just acquired VirusTotal, a free security service that analyzes suspicious files and URLs, for an undisclosed amount. According to VirusTotal's announcement, the two companies had been partners for quite some time, and now VirusTotal will continue to operate independently, reaping the benefits of Google's resources.

Per the agreement, which was spotted by Mikko Hypponen, VirusTotal states that it will maintain its partnerships with outside antivirus companies and security experts. As for Google, this move clearly shows its interests in beefing up its security resources, making this acquisition relevant to nearly all of its services, like Gmail, where files and links are constantly exchanged.

From VirusTotal:

Our goal is simple: to help keep you safe on the web. And we've worked hard to ensure that the services we offer continually improve. But as a small, resource-constrained company, that can sometimes be challenging. So we're delighted that Google, a long-time partner, has acquired VirusTotal. This is great news for you, and bad news for malware generators, because:

• The quality and power of our malware research tools will keep improving, most likely faster; and
• Google's infrastructure will ensure that our tools are always ready, right when you need them.

Continued :
