
NEWS - September 26, 2012

Yet another Java flaw allows "complete" bypass of security sandbox

"Flaw in last three Java versions, 8 years' worth, puts a billion users at risk."

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years' worth of Java software.

"The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7," Adam Gowdiak of Security Explorations wrote, claiming the hole puts "one billion users" at risk.

Gowdiak wrote that Security Explorations successfully pulled off the exploit on a fully patched Windows 7 32-bit computer in Firefox, Chrome, Internet Explorer, Opera, and Safari. Although testing was limited to Windows 7 32-bit, Gowdiak told Computerworld that the flaw would be exploitable on any machine with Java 5, 6, or 7 enabled (whether it's Windows 7 64-bit, Mac OS X, Linux, or Solaris).

Continued : http://arstechnica.com/security/2012/09/yet-another-java-flaw-allows-complete-bypass-of-security-sandbox/

Also:
Critical Java flaw affects nearly one billion users
One Billion Users Affected by Java Security Sandbox Bypass Vulnerability, Experts Say
Newly-Discovered Java Vulnerability Enables Bypass of Security Sandbox
Comments

Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent

A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.

The attack comes as U.S. policymakers remain gridlocked over legislation designed to beef up the cybersecurity posture of energy companies and other industries that maintain some of the world's most vital information networks.

In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced "smart grid" technologies.

Continued : http://krebsonsecurity.com/2012/09/chinese-hackers-blamed-for-intrusion-at-energy-industry-giant-telvent/

Security fixes dominate in Google's Chrome 22

Although there are only a few enhancements in the latest Chrome release, version 22, there are also more than 40 security holes closed, including one that garnered the discoverer $10,000 in bounty. Among the changes are further enhancements for Chrome's support for the Windows 8 operating system, and better support for HiDPI screens such as Apple's MacBook Pro Retina display.

Chrome 22 closes more than 40 security holes, of which one is considered to be critical and 19 are rated as "high severity" by the company. Google sometimes pays out special rewards for bugs found outside of Chrome: in this case, the company rewarded Eetu Luodemaa and Joni Vahamaki from Finnish software firm Documill for a critical Windows kernel memory corruption vulnerability with $5,000. Well-known security expert Sergey Glazunov, who won this year's Pwnie Award for the Best Client-Side Bug, received $15,000 in total for two UXSS vulnerabilities in frame handling and V8 JavaScript bindings.

Continued : http://www.h-online.com/security/news/item/Security-fixes-dominate-in-Google-s-Chrome-22-1717660.html

See Vulnerabilities / Fixes : Google Chrome Multiple Vulnerabilities

Rent-to-own PCs surreptitiously captured users' most intimate moments

"Spyware installed on more than 420,000 PCs even recorded customers having sex."

Seven rent-to-own companies and a software developer have settled federal charges that they used spyware to monitor the locations, passwords, and other intimate details of more than 420,000 customers who leased computers.

The software, known as PC Rental Agent, was developed by Pennsylvania-based DesignerWare. It was licensed by more than 1,617 rent-to-own stores in the US, Canada, and Australia to report the physical location of rented PCs. A feature known as Detective Mode also allowed licensees to surreptitiously monitor the activities of computer users. Managers of rent-to-own stores could use the feature to turn on webcams so anyone in front of the machine would secretly be recorded. Managers could also use the software to log keystrokes and take screen captures.

"In numerous instances, data gathered by Detective Mode has revealed private, confidential, and personal details about the computer user," officials with the Federal Trade Commission wrote in a civil complaint (pdf) filed earlier this year. "For example, keystroke logs have displayed usernames and passwords for access to e-mail accounts, social media websites, and financial institutions."

Continued : http://arstechnica.com/security/2012/09/rent-to-own-pcs-surreptitiously-captured-users-most-intimate-moments/

Also:
FTC: It's Not Cool To Put Spyware On Rent-To-Own Computers Without Customer Consent
Rent-to-Own Laptops Secretly Photographed Users Having Sex, FTC Says
Rent-to-own laptops were spying on users
Rental computers spied on and photographed users, FTC claims

Researcher Finds 100k IEEE.org Passwords Stored in Plain-Text on Public FTP Server

A Romanian computer scientist discovered that the Institute of Electrical and Electronics Engineers (IEEE) was storing its members' usernames and passwords in plain-text on a publicly accessible file transfer protocol (FTP) server.

Radu Dragusin claims the collection of nearly 100,000 credentials had been accessible on the FTP server for at least one month before his discovery. Among those exposed are employees of Google, Apple, IBM, Oracle, Samsung, NASA and Stanford University to name a few. In addition to the username-password combinations, discovered last Tuesday, all visitor activity on the site for logged-in members was publicly available as well.

The IEEE is a professional association "dedicated to advancing technological innovation and excellence for the benefit of humanity." It is the keeper of the 802.11 wireless networking standard. According to their website, the group boasts 400,000 members from more than 160 countries. Dragusin reported the flaw to the IEEE and they fixed the problem.

Dragusin writes that the noticeable failure in this incident belongs to the IEEE's Web administrators who did not restrict access to the webserver logs on both ieee.org and spectrum.ieee.org. The FTP directory in question contained 100GB worth of logs. Until Monday when the issue was resolved, anyone who happened upon ftp://ftp.ieee.org/uploads/akamai/ could view these webserver logs, which documented more than 376 million HTTP requests.

Continued : https://threatpost.com/en_us/blogs/researcher-finds-100k-ieeeorg-passwords-stored-plain-text-public-ftp-server-092512

Also:
Trade group exposes 100,000 passwords for Google, Apple engineers
IEEE data breach exposes 100,000 plain text passwords
IEEE Exposed 100k Plaintext Usernames, Passwords on FTP Server

Bogus Facebook photo notification carries malware

A new Facebook-themed spam campaign is targeting the social network's users, trying to trick them into opening the attached file: [Screenshot]

"The attached ZIP file has the name New-Photo-with-You_on_Facebook_PHOTOID13O8WHZL.zip and contains the 77 kB large file New_Photo_with_You_on_Facebook.gif.exe," warn MX Lab researchers.

The file is currently detected as malicious by 20 of the 43 AV solutions used by VirusTotal, although they can't seem to agree on just what kind of Trojan it actually is. Still, if there's one thing you can be sure of, it's that the file is definitely bad news.

Users are advised to always be extra careful when viewing notifications seemingly coming from social networks. In this case, the spoofed "Facebook

http://www.net-security.org/malware_news.php?id=2277

Wells Fargo recovers after site outage

"The bank appears to be the latest victim in a string of cyberattacks on U.S. financial institutions"

Wells Fargo's website experienced intermittent outages on Tuesday, while the hacker group claiming responsibility threatened to hit U.S. Bancorp and PNC Financial Services Group over the next two days.

Wells Fargo apologized on Twitter for the disruption, saying it was working to restore access. By Wednesday morning, the site appeared to be functioning.

A group calling itself the "Mrt. Izz ad-Din al-Qassam Cyber Fighters" said it coordinated the attacks, and planned further ones on U.S. Bancorp on Wednesday and PNC Financial Services Group on Thursday, according to a post on Pastebin.

The method used against Wells Fargo could be a distributed denial-of-service attack, which bombards a website with traffic in an attempt to make it unreachable, although the bank did not indicate the cause.

The group said the cyberattacks are in retaliation for the 14-minute video trailer insulting the Prophet Muhammad, saying the attacks will continue until the video is removed from the Internet. The attacks will last eight hours starting at 2:30 p.m. GMT, the group wrote.

Continued : http://www.computerworld.com/s/article/9231721/Wells_Fargo_recovers_after_site_outage

If you see 'URGENT tax rebate download' in an inbox, kill it with fire

"Top spear-phishing email phrases revealed"

FireEye has put together a list of the most common words and phrases that appear in fake emails designed to infect corporate networks and steal data.

The security firm said that the list spotlights the social engineering techniques that feature as a key component of so-called spear phishing attacks. Hackers tend to use words that create a sense of urgency in a bid to trick unsuspecting recipients into downloading malicious files.

The top word category in email-based attacks relates to express shipping. Words such as "DHL", "UPS", and "delivery" featured in a quarter of overall attacks. Urgent terms such as "notification" and "alert" are included in about 10 per cent of attacks. Some attacks mix and match terms from these two popular categories, such as "UPS-Delivery-Confirmation-Alert_April-2012.zip", one example cited by FireEye.

Email-based attacks increased 56 per cent between Q1 2012 and Q2 2012, according to FireEye. The security firm claims these attacks often get through multiple layers of defence - including anti-virus, firewalls and intrusion prevention systems - to reach corporate desktops.

Continued : http://www.theregister.co.uk/2012/09/26/spear_phishing_hooks/
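As an added example (not code from the original posts, FireEye or MX Lab), a small Python triage routine that scores a message on the two lure categories FireEye describes (express shipping and urgency) together with the attachment trick seen in the Facebook photo spam above, a ZIP wrapping a double-extension .gif.exe. The keyword lists, weights and sample messages are constructed for illustration; only the two quoted filenames come from the posts.

```python
import re

# Lure vocabulary in the two categories FireEye reports (express shipping and
# urgency); the word lists themselves are constructed for this example.
SHIPPING_TERMS = {"dhl", "ups", "fedex", "delivery", "shipping", "parcel"}
URGENT_TERMS = {"urgent", "notification", "alert", "confirmation", "invoice"}
# Extensions Windows runs on double-click, and archives commonly used to wrap them.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
ARCHIVE_EXTS = {"zip", "rar", "7z"}

def tokens(text):
    """Lower-case word tokens, so 'UPS-Delivery-Confirmation-Alert_April-2012.zip'
    yields ups, delivery, confirmation, alert, april, zip."""
    return set(re.findall(r"[a-z]+", text.lower()))

def is_double_extension(filename):
    """True for names like photo.gif.exe: an executable wearing a benign extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] not in EXEC_EXTS

def triage(subject, attachments):
    """Score one message. `attachments` lists the attachment filenames plus, for
    archives, the names found inside them. Returns (score, reasons)."""
    findings = []  # (weight, description)
    words = tokens(subject) | tokens(" ".join(attachments))
    shipping, urgent = words & SHIPPING_TERMS, words & URGENT_TERMS
    if shipping:
        findings.append((1, "shipping lure: " + ", ".join(sorted(shipping))))
    if urgent:
        findings.append((1, "urgency lure: " + ", ".join(sorted(urgent))))
    for name in attachments:
        ext = name.lower().rsplit(".", 1)[-1]
        if ext in ARCHIVE_EXTS:
            findings.append((1, "archive attachment: " + name))
        if is_double_extension(name):
            findings.append((3, "double extension hides executable: " + name))
        elif ext in EXEC_EXTS:
            findings.append((3, "executable attachment: " + name))
    # Lure wording alone is weak evidence; a runnable payload dominates the score.
    return sum(w for w, _ in findings), [d for _, d in findings]

if __name__ == "__main__":
    # Constructed sample; the filenames are the ones quoted in the Facebook post.
    print(triage("New photo with you on Facebook",
                 ["New-Photo-with-You_on_Facebook_PHOTOID13O8WHZL.zip",
                  "New_Photo_with_You_on_Facebook.gif.exe"]))
```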

iPad 2 Spam Targets Gmail Users

From the GFI Labs Blog:

Just a heads up that the following missive is dropping into mailboxes right now related to "winning an iPad 2", courtesy of a site called mygmailrewards(dot)com: [Screenshot]

Where will the website in question send you? Well, it's region specific so depending on where you're located when visiting you may end up at this survey page offering up all sorts of Apple products: [Screenshot]

Elsewhere, you might land on the following "this website is dead" splash: [Screenshot]

Continued : http://www.gfi.com/blog/ipad-2-spam-targets-gmail-users/

Samsung Fixes Remote Wipe Flaw in Galaxy S III Smartphones

Smartphone developer Samsung has reportedly fixed a flaw in one of its newest phones, the Galaxy S III, that allows attackers to remotely wipe the phone's contents.

The patch addresses a flaw presented at the Ekoparty Security Conference in Argentina late last week that showed how easy it was to remotely reset an S III phone and apparently kill the phone's SIM card. Ravi Borgaonkar, a researcher in the Security in Telecommunications department at the Technical University Berlin, demonstrated an attack that exploited Unstructured Supplementary Service Data (USSD). USSD code is essentially a series of numbers used by mobile service providers to relay messages to GSM phones.

In his talk, which can be seen online here, Borgaonkar showed how a line of USSD code that resets the device to its factory condition could be sent to a phone via NFC, QR code, SMS, or web link. According to reports, the problem lies in the way the phone's TouchWiz touch interface handles the codes and may affect more phones than the Galaxy S III. Borgaonkar also claims a separate set of code can be sent to wipe out a phone's SIM card. Both attacks take less than three seconds.

Continued : https://threatpost.com/en_us/blogs/samsung-fixes-remote-wipe-flaw-galaxy-s-iii-smartphones-092612

Related: 'Dirty USSD' Hack Wipes Samsung Phones. Is Yours Vulnerable?