We make technology work for the City - Bill Schrier, CTO
Information Security News

We have decided that you, our subscribers, would be better served if we simply update this news bulletin with timely and important messages as they arise. New and significant threats don't tend to wait until we have time to publish our newsletter!

So, we will be posting new items as they arise and as we are able, and will only use email notifications if there is a particularly dangerous threat. We highly recommend that you subscribe to the RSS feed as noted below, as that will ensure that you are notified of new postings immediately. If you choose not to do so, please check back regularly on your own so you don't miss anything important. We will keep notices on this letter for about a week and then archive them.

Recent bulletins are posted below. In case you missed our earlier ones, they are still available in our archives.

All of our content is now available via RSS feed. If you don't know how to subscribe to RSS feeds and missed the tip in which I gave instructions on how to do so, I've archived that tip here.

Lockout:

Technique used to stop an (apparently) unauthorized attempt to gain access to the system. A typical example is the three-tries limit on password entry. It may be a simple matter of a genuine user forgetting their ID and password, or making a mistake while trying to enter them, but after three attempts the system will lock out that user and report an attempted intrusion to the Security Administrator. Information Security will then have to reset the user's record to allow another logon attempt.

For more definitions check out our Glossary
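A worked illustration of the lockout rule defined above, added here as an example and not code from the City's own systems: a small Python policy that counts failed logons per user ID, locks the ID at the third failure, records an intrusion report for the Security Administrator, and stays locked until an administrator reset. The credential store, user ID and passwords are constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # the "three tries" limit from the glossary entry above


@dataclass
class LockoutPolicy:
    """Counts failed logons per user ID and locks the ID at MAX_ATTEMPTS.

    A locked ID rejects every further attempt, even one with the right
    password, until a Security Administrator resets it. Each lockout is
    recorded as an intrusion report for the administrator to review.
    """

    # Hypothetical credential store: user ID -> expected password. Plaintext
    # only to keep the example short; a real system would verify a hash.
    credentials: dict
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    intrusion_reports: list = field(default_factory=list)

    def attempt_logon(self, user: str, password: str) -> str:
        """Return 'ok', 'denied (...)' or 'locked' for one logon attempt."""
        if user in self.locked:
            # The password is not even checked: the ID stays locked until
            # admin_reset, so further guessing gains nothing.
            return "locked"
        expected = self.credentials.get(user)
        if expected is not None and hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            # A genuine user who finally gets it right starts with a clean slate.
            self.failures.pop(user, None)
            return "ok"
        # Unknown IDs (a user who forgot their ID) are counted the same way.
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_ATTEMPTS:
            self.locked.add(user)
            self.intrusion_reports.append(
                f"possible intrusion: {user} locked after {count} failed attempts"
            )
            return "locked"
        return f"denied ({MAX_ATTEMPTS - count} attempts remaining)"

    def admin_reset(self, user: str) -> None:
        """Security Administrator clears the lock so the user may try again."""
        self.locked.discard(user)
        self.failures.pop(user, None)


if __name__ == "__main__":
    # Constructed sample: three bad guesses, then the right password.
    policy = LockoutPolicy(credentials={"jdoe": "correct-password"})
    for guess in ("guess1", "guess2", "guess3", "correct-password"):
        print(guess, "->", policy.attempt_logon("jdoe", guess))
    print(policy.intrusion_reports)
```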


Bulletins posted 03/11/2010

Twitter to vet links with goal of curbing phishing attacks

New service hopes to reduce the amount of phishing attacks

Twitter on Tuesday launched a new service designed to curb phishing links delivered in the microblogging site's direct messages and email notifications.

URLs will be checked against a blacklist of fraudulent sites, such as ones hosting phishing attacks, malware or bogus, spam-related merchandise, the company said. The links will be shortened using Twitter's new URL shortener service, twt.tl, so bad domains can be easily identified in the future.

For more information, please click on the following link below.

SC Magazine - Dan Kaplan

Bulletins posted 03/09/2010

Microsoft releases security advisory

Flaw in Internet Explorer 6 and 7 allows remote code to be executed

Microsoft is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7. Our investigation has shown that the latest version of the browser, Internet Explorer 8, is not affected. The main impact of the vulnerability is remote code execution. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

For more information about this flaw, please click on the following link below.

Microsoft Security Advisory Article

Bulletins posted 03/08/2010

SPAM E-Mail with subject - DPRK has carried out nuclear missile attack on Japan

Email regarding nuclear attack on Japan comes with Zeus trojan attachment.

We have received notice from the Washington State Computer Incident Response Center regarding the latest wave of email spam with a subject line saying Japan has been hit by a nuclear missile.

An attachment has also been sent with the email that is named "report.zip". Once unzipped the file then becomes "report.exe" which is an installer file for the Zeus Trojan.

Warning: DO NOT open this attachment! If you have received this email, please delete it. If you opened the attachment, you should notify your service desk or call for professional help to clean up your computer, and change all of your passwords immediately.

Bulletins posted 03/04/2010

Microsoft Warns: Don't Hit F1 in Windows XP

Ignore sites that nag to press the Help key, says zero-day bug advisory.

Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

Warning: If you are prompted to hit the F1 key while visiting a website, please do not hit it. For more information, click on the link below.

ComputerWorld - By Gregg Keizer

Bulletins posted 02/26/2010

Seattle City Light Warns Of Billing Scams

Seattle City Light says con artists posing as utility bill collectors are targeting some of their customers again.

Several customers with Asian-sounding last names recently reported phone calls from con artists claiming to be City Light employees who were ready to disconnect their electricity, said spokesperson Scott Thomsen.

In the scam, the callers claimed there were problems with payment of the customers' bills and asked for a credit card payment to resolve the matter. In some instances, the caller also asked for Social Security numbers.

Warning: As we always remind you, never give out your Social Security number over the phone.

KiroTv Article

Bulletins posted 02/25/2010

Scareware scams ride the back of killer whale tragedy

Supposed footage of Wednesday's fatal Sea World killer whale attack in Florida actually points at sites distributing scareware.

Dawn Brancheau, 40, a trainer at Sea World in Orlando, lost her life yesterday after a killer whale attack. Miscreants have wasted no time in exploiting the tragedy, as with so many before it, by setting up malware traps designed to ensnare the unwary.

Black hat search engine trickery is once again being used to drive traffic to these sites, by planting links to malware portals in Google results for search terms related to the tragedy, such as "killer whale video pictures".

Users who follow poisoned links will be warned of supposed security risks on their PCs in an effort to persuade them to try, and then buy, fake anti-virus software of little or no utility.

Just about any newsworthy tragedy is likely to be used as a theme to promote scareware portals these days, one of the easiest mechanisms for cybercrooks to make money.

Warning: As we always remind you, expect these types of scams every time there is any kind of breaking news, and don't fall for the scareware tactic. If you get one of these pop-ups, shut down your browser immediately and do not respond to them. Trying to just close the pop-up will not work.

The Register - John Leyden

More Adobe updates out this week

Adobe patches critical bug in Flash, Reader download tool.

Adobe on February 23 patched a critical vulnerability in the Windows utility used to download the company's two most popular products, Adobe Reader and Flash Player.

It was the second time in the last six weeks that Adobe fixed a flaw in Download Manager, the program it installs on PCs when customers download Reader or Flash Player.

Warning: This is another important update that you should definitely ensure has been installed on your computer if you use Adobe products.

ComputerWorld - By Gregg Keizer

Bulletins posted 02/24/2010

Twitter users hit with phishing scam

Latest Twitter scam sent message with attached link.

There is another widespread phishing attack hitting users of Twitter today.

Messages asking "This you????" followed by a link are being sent via the system to unsuspecting users. If you click on the link you are taken to a fake Twitter login page, where hackers are just waiting for you to hand over your credentials. In fact, they can automatically post the phishing message from your account as soon as you hand over your details.

Warning: For more information on this or to view the full article, please click on the link below. If you have clicked on the link, change your password immediately.

Sophos.com - Graham Cluley

Bulletins posted 02/23/2010

Criminals Hide Payment-Card Skimmers Inside Gas Station Pumps

Wave of recent bank-card skimming incidents demonstrate how sophisticated the scam has become

Criminals hid bank card-skimming devices inside gas pumps -- in at least one case, even completely replacing the front panel of a pump -- in a recent wave of attacks that demonstrate a more sophisticated, insidious method of stealing money from unsuspecting victims filling up their gas tanks.

Some 180 gas stations in Utah, from Salt Lake City to Provo, were reportedly found with these skimming devices sitting inside the gas pumps. The scam was first discovered when a California bank's fraud department discovered that multiple bank card victims reporting problems had all used the same gas pump at a 7-Eleven store in Utah.

Warning: For more information on this or to view the full article, please click on the link below. If you have installed this software, please contact your service desk.

Darkreading.com - Kelly Jackson Higgins

Fake Anti-virus software uses plane crash to scam users.

Fake anti-virus software used to steal identity.

News of another plane crash shook Americans on Thursday morning. Reportedly, a disgruntled pilot, furious with the Internal Revenue Service (IRS), intentionally crashed a small plane into the building that housed the agency's office in Austin, Texas. Although the incident was tagged "an isolated event" and not an act of terrorism, cybercriminals launched their own "terrorist" attack by scaring unknowing users with another FAKEAV variant to gain profit.

Using the usual blackhat search engine optimization (SEO) techniques FAKEAV peddlers use, this variant immediately tops search results when users try to find news updates about the said incident. Clicking the malicious link leads to the download of TROJ_FAKEAV.LGJ.

Warning: For more information on this or to view the full article, please click on the link below. If you have installed this software, please contact your service desk.

Trend Micro article

Old scam found on Skype

Pump and Dump scam hits Skype

Trend Micro security experts have not seen pump-and-dump spam campaigns in a fairly long time. In fact, some of the most recent attacks of this kind were last seen last year.

In a pump-and-dump attack, spammers raise the stock prices of companies they own shares in by sending spammed messages with misleading or outright untrue positive news about the said companies. Once the companies’ real stock prices have sufficiently risen, the spammers will then sell or dump their own shares to gain profit.

Warning: For more information on this or to view the full article, please click on the link below. If you receive a message in Skype with a link, do not click it.

Trend Micro article

Bulletins posted 02/22/2010

Twitter Phishing Scam

Latest Twitter phishing scam obtaining user information through direct messaging

A Twitter phishing attack is spreading rapidly today, attempting to obtain Twitter logins via Direct Messages. If you receive a message reading “lol, is this you”, and linking to a site called “bzpharma”, do not click the link.

Warning: For more information on this or to view the full article, please click on the link below. If you have fallen victim to this scam, please change your password immediately.

Mashable.com article

Bulletins posted 02/19/2010

Apple iPhone Warranty Scam

Symantec has recently observed phishing scams targeting Apple iPhones in order to gain serial numbers, IMEI, model, and capacity, etc.

What is an IMEI?

An IMEI (international mobile equipment identity) is a 15-digit unique number used by GSM networks to identify valid devices. Every GSM, WCDMA, or iDEN mobile phone (and even the odd satellite phone) has an IMEI. It can be found under the battery of the device or by typing *#06# on the mobile. If your phone or device is lost or stolen you can report it to your service provider, providing the IMEI number. The service provider can then blacklist the IMEI number, rendering the device unusable in that country.

Warning: For more information on this or to view the full article, please click on the link below.

Symantec.com Article

Bulletins posted 02/18/2010

BBB Alerts Consumers About U.S. Census Workers

BBB Alerts Consumers about U.S. Census Workers: Be Cooperative, But Cautious!

For years, Better Business Bureau has educated consumers about not giving out personal information over the telephone or to anyone who shows up at their front door. With the U.S. Census process beginning, BBB advises people to be cooperative, but cautious, so as not to become a victim of fraud or identity theft.

The first phase of the 2010 U.S. Census is under way as workers have begun verifying the addresses of households across the country. Eventually, more than 140,000 U.S. Census workers will count every person in the United States and will gather information about every person living at each address including name, age, gender, race and other relevant data.

“Most people are rightfully cautious and won’t give out personal information to unsolicited phone callers or visitors, however the Census is an exception to the rule,” said Steve Cox, BBB spokesperson. “Unfortunately, scammers know that the public is more willing to share personal data when taking part in the Census and they have an opportunity to ply their trade by posing as a government employee and soliciting sensitive financial information.”

Warning: For more information on this or to view the full article, please click on the link below.

BBB.org

Bulletins posted 02/16/2010

Adobe releases critical patch today.

Latest patch addresses issues with Adobe Reader and Acrobat.

Adobe is planning to release an update for Adobe Reader 9.3 for Windows, Macintosh and UNIX, Adobe Acrobat 9.3 for Windows and Macintosh, and Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06. Adobe expects to make these updates available on February 16, 2010.

For more information on this or to view the full article, please click on the link below.

Adobe.com

Malware Authors Apologize For Broken Rootkit

Malware authors release an updated rootkit, compatible with latest Microsoft patch.

Last November we blogged about a new rootkit spreading around the net. That rootkit, called TDL3 or TDSS or Tidserv (there are many different names for the same malware, as often happens between various security companies), was pretty scary because of the new way it compromised the system, by using both improved and new tricks.

After a couple of months, we're here to raise the alarm again against this threat, which has been improved by its creators.

The fact is that the team of coders behind this rootkit is working hard to improve its creation. During these months they never stopped updating it, releasing every day - sometimes even several times a day - new updated and rebuilt droppers able to evade generic detection signatures.

Warning: For more information on this or to view the full article, please click on the link below. Microsoft has also released information about this malware, which can be found by clicking on the second link below.

PrevX - By Marco Giuliani

Microsoft information about this rootkit

Bulletins posted 02/12/2010

Olympics Starts Today - So Do the Scams!

As with any big media event the Olympics that started today in Vancouver, BC are already generating a host of scams.

We've come to expect this of course, but just wanted to warn you to watch for scams in email or in search results online, etc.

If you're searching for the latest video or scores from Vancouver, be very careful about following any links - and if you get a pop up saying you have a virus, shut everything down right away.

Warning: As with all media events, just be aware that the criminals are ready and waiting to take advantage of you.

Bulletins posted 02/10/2010

Mozilla jumped the gun, add-on malware turns out to be false-positive

Latest add-on in Mozilla Firefox turns out to be a false positive

Late last week Mozilla reported that it had discovered two malware-laden add-ons for the Firefox browser being offered on the official download site. It now turns out that one of the add-ons labeled as toxic was in fact clean.

The add-on in question was Sothink Video Downloader 4.0. This add-on was incorrectly labeled as malware because one of the scanners that Mozilla had used to check all the add-ons available for download threw up a false-positive.

Warning: For more information on this or to view the full article, please click on the link below.

Zdnet.Com - By Adrian Kingsley-Hughes

Bulletins posted 02/08/2010

Too Many People Reuse Logins, Study Finds

The recent Twitter hack raises the challenge of generating secure and unique passwords you can remember.

An analysis of real-world online behavior has warned of the unsettling phenomenon that led to this week's high-profile Twitter login scare. Far too many people reuse the same logins for more than one site.

Using statistics gathered from the bank login protection software that runs on 4 million PCs over the last year, security vendor Trusteer found that 73 percent of users were using the password for their online bank sites to access at least one other website. Sixty-five percent compounded this risky behavior by using the same ID, while nearly half were lax enough to reuse both.

Warning: For more information on this or to view the full article, please click on the link below.

Techworld.Com - By John E. Dunn

Bulletins posted 02/05/2010

Social networks are a danger zone

Latest report shows criminal insight regarding social network security

It seems that everybody is on some kind of social network these days. Checking out what our friends are doing has become part of daily routine. In today's world, they are the ideal tool for keeping in touch, but they also represent one of the biggest sources of danger.

Social networks - especially Facebook - have seen an adoption rate so high that every other technology pales in comparison. They can be accessed not only through a computer, but also via mobile devices, and that makes them eminently accessible.

Warning: For more information on this or to view the full article, please click on the link below.

Net-Security.Org - By Zeljka Zorz

Microsoft slates colossal Windows patch next week

Ties record with 13 security updates, plans to fix 26 bugs in Windows, Office

Microsoft today said it will deliver a record-tying 13 security updates on Tuesday to patch more than two dozen vulnerabilities in Windows and Office.

The company will ship a total of 13 updates next week, five of them pegged "critical," the highest threat ranking in its four-step scoring system. The 13 updates will tie the record from October 2009, when Microsoft issued the same number of bulletins, but fixed a total of 34 vulnerabilities. According to Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), next week's updates will patch 26 flaws.

Warning: For more information on this or to view the full article, please click on the link below.

Computerworld - By Gregg Keizer

Bulletins posted 02/04/2010

Fake Microsoft Outlook Update Installs Trojan

Fake Outlook Update Installs Malware

A malicious spam campaign caught by Panda Labs is using a fake Microsoft Update notice to trick victims into installing a Trojan. While well crafted, the attack still provides dead giveaways.

Despite the lack of any obvious typos or grammatical errors, the e-mail does contain some clear clues. First, neither Microsoft nor any other company I know of sends patches or updates as e-mail attachments. But unless you happen to follow the breathless excitement of Patch Tuesdays, you might not pick up on that clue.

Warning: For more information on this or to view the full article, please click on the link below. If you have installed this attachment, please contact your service desk.

PC World - By Erik Larkin

IE Flaw Gives Hackers Access to User Files, Microsoft Says

Flaw in Internet Explorer Allows Access to Files

Microsoft warned on Wednesday that a flaw in its Internet Explorer browser gives attackers access to files stored on a PC under certain conditions.

"Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location," Microsoft said in a security advisory.

Warning: For more information on this or to view the full article, please click on the link below.

IDG News Service - By Sumner Lemon

Fake Firefox update spreads unwanted app

Installs successor to the notorious Zango Toolbar.

The successor program to the notorious Zango spyware Toolbar is being used to target users of Mozilla's Firefox with fake browser updates, a security company has alleged.

According to a warning put out by eSoft, the reprised Hotbar app, run as of May last year by a new entity called Pinball Corp, is being fed to users via a fake but convincing Firefox update page. The update page - which users would come to through a search engine for the latest updates - looks identical to the genuine page in everything bar the version it is claiming to offer (3.5 where the most recent is 3.6) and some misspelling.

Warning: For more information on this or to view the full article, please click on the link below. If you have this software installed, please contact your service desk.

Techworld - By John E. Dunn

Crooks try to romance users with Valentine's Day spam

Valentine's Day spam targets users

Eat your heart out, cupid. Valentine's Day still is nearly two weeks away, but the lover's holiday is already attracting the attention of the web's criminal element.

Researchers at Trend Micro on Monday said they have spotted two spam campaigns - one promoting a fake gift card promotion, the other counterfeit watches - in the wild, Maria Alarcon, an anti-spam engineer, said Monday in a blog post. As Valentine's Day nears, internet users should expect the scams to get more malevolent.

Warning: For more information on this or to view the full article, please click on the link below. If you have received an unwanted Valentine's Day email, please contact your help desk and change your passwords immediately.

SC Magazine - Dan Kaplan

Bulletins posted 02/03/2010

Apple Releases Patches for iPhone and iPod Touch

Apple patch plugs iPhone, iPod Touch holes

Apple issued a patch on Tuesday for the iPhone and iPod Touch that plugs five holes, including several that could allow an attacker to take control of the device remotely.

Warning: For more information on this or to view the full article, please click on the link below.

CNET - By Elinor Mills

Facebook labelled biggest corporate security risk

Facebook considered to be the biggest threat to corporate security

Sophos has published new research that indicates that corporate IT departments view Facebook as by far the biggest security risk for businesses, which might explain why so many ban usage of the social networking site.

Among 500 firms that were polled, 60% thought that Facebook was the biggest danger, compared to 18% for MySpace, 17% for Twitter, and 4% for LinkedIn. It's not clear where the extra 1% has gone - Friendster, perhaps? The reason for the danger is the plethora of malware, spam and phishing risks on the network. On top of that, Facebook is the biggest social network out there - ten times larger than Twitter with a massive 350 million users.

Warning: For more information on this or to view the full article, please click on the link below.

Pocket Lint - By Duncan Geere

Most consumers reuse banking passwords on other sites

Password recycle fail leaves consumers ripe for harvesting

The majority of online banking customers reuse their online-banking login credentials on other websites, according to a new survey on password insecurity.

Online security firm Trusteer reports that 73 per cent of bank customers use their online account password to access at least one other, less sensitive website. Even worse, around half (47 per cent) use the same online banking username and password for other website logins.

Warning: For more information on this or to view the full article, please click on the link below.

The Register - By John Leyden

Bulletins posted 02/02/2010

Facebook, Twitter, Social Network Attacks Tripled in 2009

Social Network Attacks On the Rise

As more organizations allow employees to use social media like Facebook and Twitter at work, cybercrime attacks on these networks have exploded, according to a report released Monday by IT security firm Sophos. Reports of malware and spam rose 70 percent on social networks in the last 12 months, the security survey reveals.

Sophos' investigation, titled "Social Security," finds 57 percent of users report they have been spammed via social networking sites, and 36 percent reveal they have been sent malware via social networking sites. The "Social Security" survey is part of Sophos' 2010 Security Threat Report, which looks at current and emerging computer security trends.

Warning: For more information on this or to view the full article, please click on the link below.

CSO - By Joan Goodchild

Report says U.S. needs new approach for security

New Report Calls for New Approach to Security

The United States needs a new approach to secure cyberspace and prevent a "digital Pearl Harbor or 9/11," concludes a new report issued Monday by the Cyber Secure Institute, a nonprofit cybersecurity analysis and advocacy organization.

A new report titled "Cyberwarfare and Cyberterrorism: The Need for a New U.S. Strategic Approach," authored by retired Gen. Eugene Habiger of the U.S. Air Force, concludes that the public and private sectors must deploy secure systems that are properly tested and certified to withstand sophisticated cyberattacks.

In addition, the government must ensure that the privately-owned critical infrastructure systems are secured, as well as coordinate a public awareness campaign to promote personal cybersecurity, such as the use of stronger passwords.

Warning: For more information on this or to view the full article, please click on the link below.

SC Magazine - By Angela Moscaritolo

Botnet Floods Major Websites With Fake SSL Connections

DDoS-like traffic surge against CIA, Chase, Google Chrome, FBI, and others has researchers puzzled by Pushdo botnet's plans

A spamming botnet known for keeping a low profile has been hammering hundreds of Websites -- including the CIA, Chase, Mozilla Labs, Twitter, SANS, Google Chrome, and the FBI -- during the past week with an unusually conspicuous amount of phony traffic that has researchers rushing to analyze its next move.

The Pushdo botnet, a.k.a. "Cutwail" and "Pandex," has been flooding those sites with bogus SSL connections that stop short of requesting anything from the Website. The infected bots begin to initiate an SSL connection with some "junk" traffic and then disconnect, according to The Shadowserver Foundation. Shadowserver and other researchers have been monitoring the activity, which increased traffic by several million hits across several hundred thousand IP addresses, according to Shadowserver.

Warning: For more information on this or to view the full article, please click on the link below.

DarkReading - By Kelly Jackson Higgins

Bulletins posted 02/01/2010

Bugs & Fixes: Adobe Reader Phishing Scam

Want to avoid becoming the victim of a phishing scam?

It's usually easy, because most scammers are too inept or too lazy to do a decent job of the deception. Case in point: I received an e-mail this week, purportedly from Adobe, announcing "a new version of PDF Reader/Writer." (Even though it was Windows-only software, the general advice regarding phishing applies to Mac users as well.)

It took me all of about two seconds to determine that this was almost certainly a phishing expedition. First of all, Adobe's product is not called "PDF Reader/Writer," it's called "Adobe Reader" or "Adobe Acrobat." Actually, the e-mail itself could not be entirely consistent about the name, also listing it as "Adobe PDF Reader- Writer."

Second, the e-mail message was poorly formatted, including having adjacent duplicate redundant links. Adobe would never send out anything this messy.

Third, the return e-mail address was "adobe2010support.2@gmail.com." There is no way that Adobe would use a gmail.com address. The company has its own adobe.com domain.

Warning: For more information on this or to view the full article, please click on the link below.

Macworld.com - By Ted Landau

How to Protect Your Reputation Online

Ever wanted to protect your reputation online?

Several months ago when Twitter introduced its lists feature, social media consultant Allen Mireles checked to see which lists included her. "I wanted to see if the lists I was on were a reflection of how I wanted to be viewed on Twitter," she says. She found two surprises: A porn star had included her on a list and another user listed her under "people I've seen naked" -- a surprise, she says, because she had never met the person.

Warning: For more information on this or to view the full article, please click on the link below.

CIO.com - By Kristin Burnham

Black Hat Attendees Scrutinize Adobe Flash, Website Flaws

Foreground Security's senior security researcher Michael Bailey, for instance, intends to perform live attacks against some of the top Web sites to show they can be compromised by exploiting what he says are design flaws in Adobe Flash.

"The point I will try to make is Flash is just as exploitable as any point on the Web," says Bailey, adding the two dozen or so Web sites he may target have been notified in advance of the weaknesses he's detected. While declining to name the specific sites that may be subject to his probes, he says they will include social-networking sites, major news outlets as well as technology companies.

Warning: For more information on this or to view the full article, please click on the link below.

Network World - By Ellen Messmer

Bulletins posted 1/29/2010

Phishing scam targets users of Adobe PDF Reader

E-mail messages claim to offer a download of Adobe Reader

A new phishing scam is trying to fool people into thinking it comes from Adobe, announcing a new version of PDF Reader/Writer. The message is making its way into e-mail boxes today, and the real Adobe urged any recipients to simply delete it.

The phishing scam has a subject line "download and upgrade Adobe PDF Reader – Writer for Windows," includes a fake version of Adobe's logo and provides links that would lead to malicious code or other trouble if a victim clicked on them. The e-mail appears to come from Adobe newsletter@pdf-adobe.org, which is part of the scam.

"It has come to Adobe's attention that e-mail messages purporting to offer a download of the Adobe Reader have been sent by entities claiming to be Adobe," the company said in a statement warning about it. "Many of these e-mails are signed as 'Adobe PDF' (or similar), and in some instances require recipients to register and/or provide personal information. Please be aware that these e-mails are phishing scams and have not been sent by Adobe or on Adobe's behalf."
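The sender address in this scam, newsletter@pdf-adobe.org, borrows the brand name under a domain Adobe does not own. The check below is an added example (not from this bulletin or from Adobe) that pulls the domain out of a From header and reports whether it is the brand's own domain, a lookalike, or unrelated; the brand allowlist and the public-suffix subset are assumptions for the example.

```python
"""Flag sender addresses that borrow a brand name under a different domain."""
import re

# Assumed allowlist: the domains the brand actually sends mail from.
BRAND_DOMAINS = {
    "adobe": {"adobe.com"},
}

# A small subset of two-label public suffixes so that e.g. "mail.adobe.co.uk"
# reduces to "adobe.co.uk" rather than "co.uk".  Real deployments should use
# the Public Suffix List; this subset is an assumption for the example.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}

# Matches the address part of a From header, with or without angle brackets.
ADDR_RE = re.compile(r"<?([^<>@\s]+)@([A-Za-z0-9.-]+)>?\s*$")


def sender_domain(from_header):
    """Return the lowercased host of the address in a From header, or None."""
    m = ADDR_RE.search(from_header.strip())
    return m.group(2).lower().rstrip(".") if m else None


def registrable_domain(host):
    """Reduce a host to its registrable domain: news.pdf-adobe.org -> pdf-adobe.org."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_sender(from_header, brand):
    """Classify a From header as legitimate, lookalike, unrelated or unparseable."""
    host = sender_domain(from_header)
    if host is None:
        return "unparseable"
    if registrable_domain(host) in BRAND_DOMAINS[brand]:
        return "legitimate"
    # The brand token anywhere in a host that is not the brand's own registrable
    # domain (pdf-adobe.org, adobe.com.example.org) is the lookalike pattern.
    if brand in host:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample headers; the first mirrors the address quoted above.
    for hdr in ("Adobe <newsletter@pdf-adobe.org>",
                "Adobe News <news@mail.adobe.com>",
                "Support <admin@adobe.com.example.org>",
                "colleague@example.net"):
        print(f"{hdr!r}: {classify_sender(hdr, 'adobe')}")
```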

For more information on this and good tips to avoid being a victim, or to get a link for the real Adobe download, please see full article.

Network World -By Ellen Messmer

Symantec slaps Trojan alert against Spotify

Symantec has apologised over a cock-up that resulted in the incorrect classification of streaming music service Spotify as a Trojan on Thursday.

A misfiring anti-virus definition update caused Symantec's Norton security software to wrongly classify Spotify program files as malign and shuffle them off into quarantine. Symantec responded quickly to the problem by issuing a fix that quashed the false alarm. Even after they update their security software, Symantec users may still have to reinstall Spotify in order to listen to the service again.

For more information on this and good tips to avoid being a victim, or to get a link to see how this problem has affected others, please see full article.

www.theregister.co -By John Leyden

Fake virus alert spreads massively across Facebook, reports PandaLabs

In the last 24 hours, PandaLabs has detected the massive propagation among Facebook users of a fake virus alert. The truth is, this is just another attempt to infect users with fake antivirus programs.

The fake warning is distributed via email and users are forwarding it or publishing it on Facebook walls, thereby further spreading the hoax. The text of the fake warning reads as follows:

    ALERT Has your facebook been running slow lately? Go to “Settings” and select “application settings”, change the dropdown box to “added to profile”. If you see one in there called “un named app” delete it… Its an internal spybot. Pass it on.

The fake antivirus (or rogueware) in this case is called LivePcCare. Here are a couple of screenshots and the links to Flickr.

For more information on this, or to get a link to see how this problem has affected others, please see full article. If you have fallen for this, contact your service desk and change your passwords!

Panda Security -By Panda Security

PayPal email scam still claiming victims

An email scam using images of WA Police logos, PayPal and overseas law enforcement agencies to threaten recipients with legal action unless they send money offshore is still rife in WA.

The scam - which targets people selling high-value goods such as vehicles online - first surfaced about two months ago, but WA Police say despite publicity, some people are still falling prey.

Victims receive an email claiming the sender cannot collect the item being sold, with excuses including that they are out of the country or working offshore.

The scammers ask the victim for a fee of between $650 and $1200 so a "delivery agent" can collect the goods, as they cannot pay the delivery agent directly themselves.

They claim this money will then be credited into the victim's PayPal account. If the victim pays, they then get another fake email, purporting to be from the online payment service, saying the funds are being held, along with the sale amount, in their account.

However, if the victim does not pay the fee, they get an email threatening legal action from Australian police, with a claim of collaboration between PayPal and Australian police agencies.

The email contains WA Police logos, badges and banners, as well as a "link" to the WA Police website. However, clicking on the link takes victims to the London Metropolitan Police website.

For more information on this, please see full article. If you have fallen for this, contact your service desk and bank and change your passwords!

www.theage.com -By STAFF REPORTER

Bulletins posted 1/28/2010

Identity Thieves Successfully Targeting Wealthy Victims, Study Says

Affluent individuals who live 'the good life' are 43 percent more likely to be victims, according to Experian.

If you're a security pro, then you might think the most likely victims of identity fraud are those with the most poorly protected systems and the least knowledge of computer security. Identity thieves are drawn to the easiest targets, right?

Wrong, according to a study issued today by Experian, a company that does both identity fraud protection services and marketing demographics services. In fact, the most likely victims of identity fraud are those with the most money, the study says.

The study -- which was created using Experian's unlikely combination of identity fraud incidence statistics with basic consumer demographics -- indicates that identity thieves are successfully targeting the wealthy and affluent, regardless of the systems and software they use.

For more information on this and good tips to avoid being a victim, please see full article.

DarkReading -By Tim Wilson

Congressional Web Sites Hacked Near Obama Speech

More than two dozen Congressional Web sites have been defaced by the Red Eye Crew, a group known for its regular attacks on Web sites.

The sites, some of which were using the Joomla content management system (CMS), were wiped of their regular content and replaced with a message coarsely expressing disapproval for U.S. President Barack Obama.

Democrats seemed to be predominantly targeted. The attacks came around the same time as Obama gave his first State of the Union address on Wednesday night.

The Red Eye Crew has defaced thousands of Web sites, and some of the attacks have been recorded by Zone-H, a Web site that keeps track of defacements, according to the blog of the Praetorian Security Group. The latest attacks had not been listed by Zone-H yet.

For more information on this and good tips to avoid being a victim, please see full article.

IDG News Service -By Jeremy Kirk

Bulletins posted 1/27/2010

iPhone hacker puts PS3 crack online

Details of how to hack Sony's Playstation 3 have been released online by a hacker best known for cracking Apple's iPhone.

"Hopefully, this will ignite the PS3 scene, and you will organise and figure out how to use this to do practical things, like the iPhone when jailbreaks were first released," he said.

Hotz said he had managed to hack the PlayStation 3 after five weeks of work with "very simple hardware cleverly applied, and some not so simple software".

PlayStation 3 consoles typically only run software that has been digitally signed by Sony.

For more information on this and good tips to avoid being a victim, please see full article.

pcadvisor.co.uk -By Martyn Williams

3D Secure Online Payment System Not Secure, Researchers Say

A widely deployed system intended to reduce on-line payment card fraud is fraught with security problems, according to University of Cambridge researchers.

The system is called 3-D Secure (3DS) but known better under the names Verified by Visa and MasterCard SecureCode. Implemented and paid for by e-commerce vendors, the systems require a person to enter a password or portions of a password to complete an on-line purchase.

As a reward for investing in the systems, merchants are less liable for fraudulent transactions and are stuck with fewer chargebacks. But banks such as the Royal Bank of Scotland are now holding consumers to a higher level of liability if fraudulent transactions occur using either system, said Steven J. Murdoch, a security researcher at the University of Cambridge.

That is despite what Murdoch and security engineering professor Ross Anderson contend are several flaws with 3DS. They wrote a seven-page paper on the topic, which Anderson presented on Tuesday at the Financial Cryptography and Data Security conference in Tenerife on Spain's Canary Islands.

For more information on this and good tips to avoid being a victim, please see full article.

IDG News Service -By Jeremy Kirk

Bulletins posted 1/26/2010

One day after latest fix, Microsoft investigates new IE flaw

A day after releasing an out-of-band security bulletin for a vulnerability in Internet Explorer notably exploited in the recent series of Chinese-based attacks against Google and 30 other tech companies, new flaws have been discovered in Microsoft's browser.

Boston-based research firm Core Security Technologies has outlined a set of vulnerabilities in Internet Explorer that hackers can link together to remotely exploit a Windows PC. None of the vulnerabilities are serious enough to compromise a machine alone, but a hacker could take control of a PC by exploiting all of them at once. "There are three or four ways to conduct this type of attack," Jorge Luis Alvarez Medina, a security consultant with Core, told Reuters, though he admitted he was uncertain whether any hackers had already exploited his findings.

"Microsoft is investigating a responsibly disclosed vulnerability in Internet Explorer," a Microsoft spokesperson told Ars. "We're currently unaware of any attacks trying to use the vulnerability or of customer impact, and believe customers are at reduced risk due to responsible disclosure."

After the investigation, Microsoft will either provide a security update on Patch Tuesday, or an out-of-cycle update like it did with the last IE flaw (less likely in this case). The Microsoft spokesperson took the opportunity to make the now-familiar recommendations that IE users upgrade to Internet Explorer 8 and to enable Automatic Updates.

For more information on this and good tips to avoid being a victim, please see full article.

arstechnica.com -By Emil Protalinski

Making Your Passwords Harder on Hackers

Even though passwords are critical to keeping prying eyes out of our computers, many people pick passwords that are very basic and hence, way too easy to crack, according to new data.

A recent analysis by computer security company Imperva showed one out of five people choosing the simplest of passwords, such as 123456 or abc123, to protect their computers.

For a full list of ideas on this and good tips to avoid being a victim, please see full article.

The Early Show -By Susan Koeppen

Bulletins posted 1/22/2010

New Twist On Counterfeit Check Scheme Targeting U.S. Law Firms

These particular fraudsters are targeting law firms, but we have seen this scam in the past and it could happen to you!

The FBI continues to receive reports of a counterfeit check scheme targeting U.S. law firms. As previously reported, scammers send e-mails to lawyers, claiming to be overseas and seeking legal representation to collect delinquent payments from third parties in the U.S. The law firm receives a retainer agreement, invoices reflecting the amount owed, and a check payable to the law firm. The firm is instructed to extract the retainer fee, including any other fees associated with the transaction, and wire the remaining funds to banks in Korea, China, Ireland, or Canada. By the time the check is determined to be counterfeit, the funds have already been wired overseas.

In a new twist, the fraudulent client seeking legal representation is an ex-wife "on assignment" in an Asian country, and she claims to be pursuing a collection of divorce settlement monies from her ex-husband in the U.S. The law firm agrees to represent the ex-wife, sends an e-mail to the ex-husband, and receives a "certified" check for the settlement via delivery service. The ex-wife instructs the firm to wire the funds, less the retainer fee, to an overseas bank account. When the scam is executed successfully, the law firm wires the money before discovering the check is counterfeit.

For more information on this and good tips to avoid being a victim, please see full article.

All Internet users need to be cautious when they receive unsolicited e-mails. Law firms are advised to conduct as much due diligence as possible before engaging in transactions with parties who are handling their business solely via e-mail, particularly those parties claiming to reside overseas.

Intelligence Note - Internet Crime Complaint Center (IC3)

Tor software updated after hackers crack into systems

Privacy-conscious users of the Tor anonymiser network have been urged to upgrade their software, following the discovery of a security breach.

Two of seven directory authorities and a metrics data server were compromised in a hack discovered earlier this month, Tor developer Roger Dingledine explains. The three servers were taken offline and refurbished following the hack.

Project volunteers have taken steps to harden systems and prevent a repetition of the hack, the significance of which has been downplayed. Attackers reportedly used Tor's systems solely as a launchpad for other attacks, without realising that the same servers also hosted Tor code depositories. These were left unaffected by the breach.

"It appears the attackers didn't realize what they broke into - just that they had found some servers with lots of bandwidth," Dingledine explains. "The attackers set up some ssh keys and proceeded to use the three servers for launching other attacks."

For more information on this, please see full article.

If you are a user of the Tor proxy system, we urge you to upgrade to the latest version as soon as possible. By the way - it is against city policy to use a proxy like Tor. Just sayin'

The Register -By John Leyden

RockYou hack reveals most common password: '123456'

A recent analysis of 32 million passwords, obtained in the RockYou.com hack, has revealed that the most commonly used password on the site was '123456'.

After analyzing the data, researchers at Imperva Application Defense Center determined that 290,731 individuals used '123456' as their password. The second most common password, used by 79,078 individuals, was '12345', and the third most popular password, used by more than 76,790 individuals, was '123456789'.

“It was surprising,” Amichai Shulman, CTO at Imperva, told SCMagazineUS.com on Friday. “We expected to see weak passwords, but we did not expect the magnitude of this.”

The passwords were obtained in December by a hacker with the alias 'igigi,' who was able to break into the database of RockYou, a provider of applications and services for social networking sites, through an SQL injection vulnerability. The hacker obtained the RockYou credentials of all users, totaling more than 32.6 million, then posted them online with no other identifiable information.

If that's your password - CHANGE IT!!! See the article for more information:

SC Magazine - by Angela Moscaritolo

Bulletins posted 1/20/2010

Mobile Phone Phishing Attacks

We are beginning to see reports of attacks on mobile phones that indicate this will be the next big security problem.

At least nine credit unions were subject to a mobile phone phishing attack that sought to lure credit union members into giving up their financial information to fraudsters. The attack both speaks to the appeal of mobile banking as well as the pressing need to continue to develop its security.

The thieves launched the attack using downloadable applications that they wrote and branded with logos from the financial institutions, which included a number of banks as well as credit unions. They launched the applications on Google’s Android mobile phone platform that Google is using as the operating system for its own phone and that a number of different cellular phone networks have offered on their own phones as well.

In the attack, a mobile phone user would have seen that the application was available on the Android Marketplace and purchased it for about $1.50. The user then would have likely logged on to his or her account with the application, which would then capture their password and other information to add to the credit or debit card information that the user had already provided when purchasing the application.

Thankfully, this scam was noticed early and stopped before it could do much damage. But it reminds us to be very careful about what we use our mobile devices for.

For more information on this, please see full article. Be careful about adding new applications to your mobile device, especially if they involve sensitive information like banking or credit card data.

Credit Union Times -By David Morrison

Bellingham WA - Industrial Credit Union Warns of Text Fraud

Texting fraudulent messages is a new attack strategy that is becoming more common.

The Industrial Credit Union reports that some members have been getting fraudulent cell phone text messages.

The messages claim that the member’s account has been suspended, and the trouble can be cleared up by calling a phone number provided to report personal credit card and account numbers.

In a warning on its Web site, ICU says it is not sending out the text messages, and no other local credit union is doing so, either.

For more information on this, please see full article. Anti-fraud agencies advise consumers to talk to a live representative of their bank or credit union before responding to any such message.

Anyone who may have mistakenly given out information is advised to contact his or her financial institution immediately.

The Bellingham Herald -By John Stark

National Center for Disaster Fraud to Coordinate Haitian Fraud Complaints

As we always expect, the vultures show up immediately to try to take advantage of the latest disaster. Scammers didn't waste much time finding ways to defraud people trying to help the poor victims in Haiti. The following is a bulletin from the FBI, posted on January 18th.

The FBI and the National Center for Disaster Fraud (NCDF) have established a telephone hotline to report suspected Haitian earthquake relief fraud. The number is (866) 720-5721. The phone line is staffed by a live operator 24 hours a day, seven days a week. You can also e-mail information directly to disaster@leo.gov.

The National Center for Disaster Fraud was originally established by the Department of Justice to investigate, prosecute, and deter fraud in the wake of Hurricane Katrina, when billions of dollars in federal disaster relief poured into the Gulf Coast region. Its mission has expanded to include suspected fraud from any natural or man-made disaster. More than 20 federal agencies, including the FBI, participate in the NCDF, allowing it to act as a centralized clearinghouse of information related to Haitian relief fraud.

The FBI continues to remind the public to apply a critical eye and do their due diligence before giving contributions to anyone soliciting donations on behalf of Haitian victims. Solicitations can originate from e-mails, websites, door-to-door collections, mailings and telephone calls, and similar methods.

Before making donations of any kind please see the rest of this bulletin for a great list of guidelines and suggestions:

FBI Bulletin on Disaster Fraud

Mozilla Releases Thunderbird 3.0.1

As part of Mozilla’s ongoing security and stability update process, Thunderbird 3.0.1 is now available for Windows, Mac, and Linux for free download from getthunderbird.com

We recommend that anyone using Thunderbird upgrade to this release as soon as possible.

Microsoft Releasing an Out-of-band Security Patch for IE

Microsoft will release a patch this week for the Internet Explorer exploit that was used against Google and other organizations last month, as well as fixing some vulnerabilities rated Critical that are not currently under active attack.

The update will be released on Thursday morning 1/21. We recommend updating your Microsoft systems as soon as possible.

Apple Update Crushes a Dozen Security Bugs

Apple released patches on Tuesday Jan 19 to address several different bugs and problems, some with third party applications.

If you are using the Apple operating system, we recommend applying these patches as soon as possible.

Bulletins posted 1/12/2010

Mozilla Pushes Out Firefox 3.6 Release Candidate To The Masses

Mozilla on Sunday said that the Firefox 3.6 release candidate is now available for downloading.

Release candidate builds are supposed to be less buggy than beta builds but may have a few lingering compatibility and stability issues.

Firefox 3.6, an update from the current stable version 3.5.7, was supposed to be made available in Q4 2009, but Mozilla pushed back its target release date last month.

The next major Firefox release, version 4.0, was also pushed back until late 2010 or early 2011, with a beta due this summer.

Firefox 4.0 includes a project called Electrolysis, which will launch each tab window under a separate process, an innovation that first appeared in Google Chrome. This will help make Firefox more secure and more stable. Firefox 4.0 may also bring user interface changes.

For more information on this, please see full article.

Dark Reading -By Thomas Claburn

Group Behind Twitter Hack Takes Down Baidu.com

The group that took down Twitter.com last month has apparently claimed another victim: China's largest search engine Baidu.com.

Baidu.com was offline late Monday, but at one point it displayed an image saying "This site has been hacked by Iranian Cyber Army," according to a report in the official newspaper of the Chinese Communist Party and other Web sites.

With more than half of China's Internet search market, Baidu is by far China's most-used search engine. The company could not immediately be reached for comment.

Not much is known about the Iranian Cyber Army, which first gained notoriety with its December 18 Twitter attack. Hacking groups such as this are constantly defacing Web sites, but it is extremely rare for them to take down a site as widely used as Twitter or Baidu.com.

According to security experts, Baidu's domain name records appear to have been tampered with. On Monday, the company was using domain name servers belonging to HostGator, a Florida ISP, instead of the Baidu.com nameservers the company normally uses. "It looks like their domain account credentials may have been snagged," said Paul Ferguson, a researcher with the antivirus vendor Trend Micro.

That's the same technique that was used to hijack Twitter, when Iranian Cyber Army hackers were apparently able to log in to the account used to manage Twitter's DNS records and redirect visitors to another Web server that posted a message similar to the one spotted on Baidu.com. That attack knocked Twitter offline for more than an hour.

Baidu's domain name registrar, Register.com, could not be reached immediately for comment.

For more information on this, please see full article. If you have fallen under attack, contact your service desk and change your passwords.

PC World -By Robert McMillan

Bulletins posted 1/11/2010

Researcher Rates Mac OS X Vulnerability 'High'

Flaw in versions 10.5 and 10.6 can be exploited by a remote attacker, says SecurityReason

Proof of concept exploit code was posted today by a security researcher at SecurityReason to demonstrate a vulnerability in versions 10.5 and 10.6 of Apple's Mac OS X operating system.

The vulnerability is a potential buffer overflow error arising from the use of the strtod function in Mac OS X's underlying Unix code. It was first reported by researcher Maksymilian Arciemowicz last June.

SecurityReason's advisory describes a flaw in the libc/gdtoa code in OpenBSD, NetBSD, FreeBSD, and MacOS X, as well as Google Chrome, Mozilla Firefox and other Mozilla software, Opera, KDE, and K-Meleon.

SecurityReason's advisory rates the vulnerability's risk as "high" and claims that the flaw can be exploited by a remote attacker.

A spokesperson for SecurityReason wasn't immediately available to characterize the likelihood that this vulnerability could be exploited.

For more information on this, please see full article. Be careful if you are using a Mac OS, and make sure to keep your system up to date.

Dark Reading -By Thomas Claburn

False Facebook charge group used to spread malware

A false rumour suggesting that Facebook is to start charging is being used to bait malware traps.

Thousands of disgruntled punters, angry at the $4.99 a month charge for using the social networking site that will supposedly kick in from June (or July, according to other false reports) have been induced to visit "protest group" sites in response to spam emails. However, in reality, there is no such plan and the protest pages often contain malware, as urban myth debunking site Snopes warns:

The protest page was a trap for the unwary; clicking on certain elements of it initiated a script that hijacked users' computers. Some of those who did venture a click had their computers taken over by a series of highly objectionable images while malware simultaneously attempted to install itself onto their computers.

Snopes published its warning on 31 December, but groups on Facebook itself protesting the supposed upcoming charges remain active almost two weeks later. A quick check on one such UK group contains no scripting unpleasantness directly, but it does link to numerous third-party sites whose provenance remains suspect. Searching for "Facebook charges July 2010" leads to fake blog entries as well as some legitimate results, evidence of an ongoing black hat SEO campaign of a type commonly used to punt rogue security scanner software over recent months.

We asked Facebook what steps it intended to take, if any, against groups spreading the false rumour and will update this story as and when we hear more.

For more information on this, please see full article. If you have become a victim of a facebook attack, contact your service desk and change your passwords as soon as possible.

www.theregister.co -By John Leyden

Facebook attacks prompt investments in social networking security

Facebook and other social networks, in response to constant bombardment from phishers, spammers and other cybercriminals, are beefing up security teams and deploying new cyberdefenses.

The security investments represent a concerted effort by social networks to fight back against attackers, who are hell-bent on exploiting these popular platforms to peddle porn and pharmaceuticals, spread malware or simply extract the potentially lucrative user data contained in them.

Among the key new technologies being deployed by social networks are network traffic anomaly systems, which monitor out-of-control Web applications, and other security tools that scan user-generated pages for malicious content.

"Most of these defenses are invisible to users, and while malicious actors are constantly attacking the site, what you see is actually a very small percentage of what's attempted," said Facebook spokesperson Simon Axten. "We've built numerous defenses to combat phishing and malware, including complex automated systems that work behind the scenes to detect and flag Facebook accounts that are likely to be compromised."

Axten said Facebook has focused its resources on monitoring user-generated content and detecting traffic spikes from Web applications tied into its framework. He said the popular social network now has the ability to take action if its systems detect an unusual surge in messages sent in a short period of time, or messages with links that could potentially send users to attack websites.

For more information on this, please see full article. If you have become a victim of a facebook attack, contact your service desk and change your passwords as soon as possible.

SearchSecurity.com -By Robert Westervelt

Bulletins posted 1/8/2010

Microsoft to patch single Windows 2000 vulnerability

Microsoft is starting off the new year by giving most Windows administrators a break, announcing plans to release a single update correcting a critical vulnerability affecting Windows 2000 during its regular patching schedule next week.

No vulnerability details have been released, but Microsoft said it gave the flaw a low rating for all other platforms.

"Customers with Windows 2000 systems will want to review and deploy this update as soon as possible but, as we will show in our release guidance next week, the Exploitability Index rating for this issue will not be high which lowers the overall risk," Microsoft security program manager Jerry Bryant wrote in the Microsoft Security Response Center blog.

Bryant said it would not patch a vulnerability in the protocol that handles messages between devices on a network for its newest Windows 7 operating system.

A denial-of-service (DoS) vulnerability contained in the Server Message Block (SMB) was discovered in November. It affects both Windows 7 SMBv1 and SMBv2. Microsoft engineers are continuing to test a patch for the flaw. The hole enables an attacker to crash a Windows 7 machine. In its advisory, Microsoft said the Windows 7 DoS vulnerability could be exploited if a victim visits a malicious website. It also affects users of Windows Server 2008.

In December, Microsoft addressed five vulnerabilities in Internet Explorer, including a serious zero-day flaw, a flawed ActiveX control that enabled attackers to gain access to a victim's system. Microsoft issued six bulletins in December, three critical, repairing 12 vulnerabilities across its product line.

For more information on this, please see full article. Be on the lookout for the patch if you are still using Windows 2000.

SearchSecurity.com -By SearchSecurity.com Staff

Office.Microsoft.Com Search Results Can Lead To Rogue Anti-Virus

Websense Security Labs™ ThreatSeeker™ Network has detected that search results on office.microsoft.com can lead users to a Rogue AV page.

Users looking for information related to help with Office products on Microsoft’s own site are being targeted. Users may be unaware that, when they type in search queries on the site, Microsoft scours its own Web site for results, but also pulls in results from the broader Web. As the URL for the search results begins with http://office.microsoft.com, this is particularly troubling for users who trust sites simply because of their reputation.

The malicious URL is a redirect to a very real-looking virus scan and warning page presented by a Rogue AV program (SHA1: 6489c54e30af18801a9e83a5855fa639f3bae0b8). The executable used in the exploit is currently recognized by 1 of the 41 AV engines on Virus Total.

For more information on this or to see a video, please see full article. If you have fallen for this scam, contact your service desk and change your passwords as soon as possible.

websense.com -By Staff

Microsoft Security Bulletin Advance Notification for January 2010

Microsoft Security Bulletin Advance Notification issued: January 7, 2010 Microsoft Security Bulletins to be issued: January 12, 2010

This is an advance notification of security bulletins that Microsoft is intending to release on January 12, 2010.

This bulletin advance notification will be replaced with the January bulletin summary on January 12, 2010. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification.

To receive automatic notifications whenever Microsoft Security Bulletins are issued, subscribe to Microsoft Technical Security Notifications.

For more information on this or to see a full list of patches, please see full article. Be on the lookout Jan 12 for the big Microsoft patch.

www.microsoft.com -By Staff

msmvps.com -by donna

Email services that failed to block spear phishing message revealed

Outlook Express and IronPort amongst those breached.

Following a spear phishing experiment that saw smartphones fall victim to an email claiming to be from Bill Gates, the creator of the experiment has revealed the email services that failed to block the message.

Writing on the Dark Reading website, PacketFocus CEO Joshua Perrymon said that he was able to get his spoofed message through to the likes of Microsoft Outlook 2007, Microsoft Exchange, Outlook Express and Cisco IronPort.

Perrymon said that he got a 100 per cent degree of success with sending the email. He also hit those using GoDaddy's hosted email, Voltage, RackSpace/MailTrust hosted email, Webroot SaaS Email Security, Verizon Email Cloud Filtering with MessageLabs, a Linux and SpamAssassin configuration, SonicWall's Email Security appliance, LinuxMail with greylisting, Opera Mail and Mozilla Thunderbird.

Perrymon said: “Email-based attacks are probably one of the most effective in today's hacker bag of tricks. The email security industry gets by with stopping most spam and known phishing attacks.

For more information on email attacks, please see the full article. If you have become a victim of an email attack, contact your service desk and change your passwords as soon as possible.

www.securecomputing.net -By Dan Raywood

Ransomware - Buy Back Your Own Files

The preliminary work is done by a program we detect as Trojan:W32/DatCrypt, which makes it look as if certain files — mostly Microsoft Office documents, video, music and image files — on the infected system had been "corrupted".

Think about this from the user's point of view. "Oh my god I've lost my important files!" "Thank god I found this great product that recovered them perfectly for just $89.95" "I'm going to recommend Data Doctor to all my friends". Effectively, the user is forced to pay a ransom for his own files, and the user doesn't even realize he's paying a ransom.

This scheme works on the assumption that the user wants the affected files badly enough to be willing to pay to recover them — and that the user hasn't prudently saved copies of these files elsewhere. The attack would probably lose its bite if the user could just say, "oh well…", delete the "corrupted" files and retrieve the backups.

For more information, or to see screenshots of the program, please see the full article. If you have become a victim of a ransomware attack, contact your service desk and change your passwords as soon as possible. Remember to back up your files regularly: a current backup is what takes the bite out of this scheme.

www.f-secure.com -By Alia

Security Cam App Turns Your IPhone Into a Security Camera

Developer Crowded Road has had a rather difficult time getting its Security Cam App approved. In fact, it claims its app was submitted to Apple back in December of 2008, yet was just approved recently. This lengthy approval time shouldn't be too surprising, as the idea of turning one's iPhone into a possible spying device could be a troubling concept to some.

Security Cam offers two camera-related functions: frequency capture, which lets you set a specific frequency for how often the iPhone's camera will take a photo, and audio trigger, which takes a photo whenever a customizable, pre-defined level of noise is detected. A third mode, frequency and audio, combines the two features, taking photos at predetermined intervals as well as whenever the sound threshold is met. All photos are time and date stamped.

While these features sound reasonably useful, a few nice additions to see in the future would be motion activation and a video-recording option. The app's $1 price tag may be enough to earn it a fair amount of downloads, but the biggest stumbling block Security Cam will have to overcome is convincing users that they have no better use for their iPhones than as makeshift security cameras.

For more information, please see the full article.

Macworld.com -By David Dahlquist

Bulletins posted 1/7/2010

Flaw could allow attacker to decrypt protected USB drives

Several flash drive manufacturers recently issued warnings about a flaw which could allow an attacker to access encrypted data on a supposedly secure USB drive.

Secure flash drives utilize 256-bit AES hardware-based encryption to protect sensitive information. The vulnerability, which affects certain secure Kingston, SanDisk and Verbatim flash drives, is present in the mechanism used to verify an individual's password.

“A skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on [certain] Kingston Secure USB drives,” Kingston said in an advisory on its website.

The flaw is not present in the hardware or firmware in affected devices but is part of the drive's application on a user's computer, according to SanDisk's alert, which includes an update to address the issue.

Verbatim issued a similar advisory, which also directs users to a site where they can download an update.

For more information on this, and for the full list of affected models, please see the full article. Owners of affected drives should contact the vendor's technical support (Kingston, SanDisk or Verbatim) to obtain the update for their hardware.

www.scmagazineus.com -By Angela Moscaritolo

Another PDF attack targets Adobe zero-day vulnerability

Security researchers at Trend Micro Inc. have discovered another malware variant attempting to exploit a PDF zero-day vulnerability identified last month in Adobe Reader.

The malware, being delivered in malicious PDF email attachments, targets a JavaScript vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions. It then drops a downloader onto the victim's machine, which attempts to use Internet Explorer to receive commands, Jessa De La Torre, a threat response engineer with Trend's research team, explained on the company's Malware Blog.

"Once connected, a malicious user may execute any command on the affected system," De La Torre said.

Researchers discovered the Adobe zero-day vulnerability in Reader and Acrobat Dec. 15, but the software maker has held back on pushing out a patch to users until its regularly scheduled patch update, due out Jan. 12.

"We estimated that delivering an out-of-cycle update would require somewhere between two and three weeks," Brad Arkin, Adobe's director of product security and privacy wrote in a blog entry. "Unfortunately, this option would also negatively impact the timing of the next quarterly security update for Adobe Reader and Acrobat scheduled for Jan. 12, 2010."

Until the patch is released, users are being advised to disable JavaScript and warned not to open files from untrustworthy sources. Since the vulnerability was made public, security researchers have been analyzing a number of malicious PDF files attempting to exploit the flaw.

For more information on the new Adobe danger, please see the full article. Be on the lookout for the Adobe patch due Jan. 12. Until then, follow the advice above: disable JavaScript in Reader and Acrobat, and do not open PDF files from sources you do not trust.

searchsecurity.com -By Robert Westervelt

Bulletins posted 1/6/2010

CoffeeScript brewing as variation on JavaScript

The open source project, still in the alpha stage, reflects what JavaScript could look like with a syntax to match its features.

CoffeeScript, billed by its creator as "unfancy JavaScript," is in development as a language that compiles into JavaScript but offers a different sense of style.

Still in an alpha stage of development, CoffeeScript offers array comprehensions similar to Python and makes JavaScript statements viable as expressions, said Jeremy Ashkenas, who recently began developing CoffeeScript and put out an updated version designated as release 0.2.0 on Monday evening. Documentation on the 0.2.0 release can be found at this Web page. But CoffeeScript, which is open source, is not recommended now for use in deploying applications, given its newness.

"I'm not suggesting that anyone use it for real projects at this point," Ashkenas said. "The language is still changing a good deal." Potential uses, though, could include Web development or server-side JavaScript development.

"The basic idea is that JavaScript has a really nice sort of core object model and a really nice object-oriented model and functional nature," Ashkenas said. "But a lot of that is hidden behind its syntax, which it gets from Java, mostly."

"The problem with that is the syntax doesn't match the core concepts in the language," and is not as elegant or useful as the concepts are, he said. CoffeeScript reflects what JavaScript could look like with a syntax to match its features, said Ashkenas, who, aside from working on CoffeeScript, is lead developer at DocumentCloud.

Featuring a compiler written in Ruby, CoffeeScript does not add any special methods or objects but compiles directly into vanilla JavaScript, he said.

The language tries to make JavaScript capabilities, such as function literals, for describing a function, easier. Lexical scoping, for handling local variables, is featured as well.

"Basically, in CoffeeScript you can't accidentally create a variable," Ashkenas said. This feature provides for stronger security.

A Python-style whitespace capability is featured in version 0.2.0 for closing spaces. Version 0.2.0 also features object comprehensions, for looping over properties of an array or object and deriving a comprehension based on them.

For more information on this, please see the full article. Be careful when adopting any open-source software: as with any product, know where it comes from before you install it, and note that the author himself does not yet recommend CoffeeScript for real projects.

InfoWorld -By Paul Krill

Kingston recalls some USB drives due to security flaw

Kingston Technology is recalling certain models of its DataTraveler secure USB flash drives in order to update firmware on the thumb drives after a security company found a flaw that could allow a hacker to gain access to the user's password.

On its Web site, Kingston stated that "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data contained on" some Kingston Secure USB drives.

According to Kingston, the security flaw involves the way the drive processes the password. German security company SySS GmbH apparently created a script that revealed the password authentication method.

A Kingston spokesperson said the company could not comment on any specifics surrounding the security flaw as "anything we say gives other hackers fuel and clues" as to how to break into the drive's security features.

The affected models include the DataTraveler BlackBox; DataTraveler Secure --Privacy Edition; and DataTraveler Elite -- Privacy Edition.

Currently, owners of the drives are being directed to the company's drive update site for information about returning the drives or updating the firmware.

For more information on this, please see the full article.

Computerworld -By Lucas Mearian
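Both USB-drive bulletins above describe the same weakness: the password check lives in the vendor's host-side application rather than on the drive, so the drive trusts whatever the application tells it. The following is an added, deliberately simplified model of that design next to a hardened one; it is example code written for this bulletin, not the vendors' firmware, the SySS tool, or the actual unlock protocol, and the constant unlock token and the toy key-wrapping are assumptions made purely for illustration.

```python
"""Added example: host-checked vs. device-checked password verification.

This is NOT the real Kingston/SanDisk/Verbatim protocol. The "UNLOCK" token,
the XOR key-wrapping and the password are all constructed for illustration.
"""
import hashlib
import hmac
import os
import secrets

PASSWORD = "correct horse"               # constructed sample password
DATA_KEY = secrets.token_bytes(32)       # stand-in for the drive's AES data key


class HostCheckedDrive:
    """Weak design (assumed): the host application checks the password, then
    sends the drive a fixed unlock command. The drive never sees the password,
    so anything that can talk to the drive can send the same command."""
    UNLOCK_TOKEN = b"UNLOCK"             # constant, not derived from the password

    def __init__(self, data_key):
        self._data_key = data_key

    def unlock(self, token):
        return self._data_key if token == self.UNLOCK_TOKEN else None


def host_app_unlock(drive, password_attempt, expected_hash):
    """The vendor-style host application: the ONLY password check is here."""
    if hashlib.sha256(password_attempt.encode()).digest() != expected_hash:
        return None
    return drive.unlock(HostCheckedDrive.UNLOCK_TOKEN)


class DeviceCheckedDrive:
    """Hardened design: the data key is stored only wrapped under a key derived
    from the password, and the device itself verifies the password. Without the
    password there is no command the host can send that yields the data key."""

    def __init__(self, data_key, password):
        self._salt = os.urandom(16)
        kek = self._derive(password, self._salt)
        # Toy wrap (XOR with the KEK) plus an HMAC so a wrong KEK is detected.
        self._wrapped = bytes(a ^ b for a, b in zip(data_key, kek))
        self._tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

    def unlock(self, password_attempt):
        kek = self._derive(password_attempt, self._salt)
        tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return None                  # wrong password: no key leaves the device
        return bytes(a ^ b for a, b in zip(self._wrapped, kek))


def demo():
    """Exercise both designs; returns a dict of outcomes."""
    weak = HostCheckedDrive(DATA_KEY)
    expected = hashlib.sha256(PASSWORD.encode()).digest()
    results = {
        "weak_legit": host_app_unlock(weak, PASSWORD, expected) == DATA_KEY,
        "weak_wrong_pw_via_app": host_app_unlock(weak, "wrong", expected) is None,
        # Bypass: skip the host application and send the constant token directly.
        "weak_bypass": weak.unlock(HostCheckedDrive.UNLOCK_TOKEN) == DATA_KEY,
    }
    strong = DeviceCheckedDrive(DATA_KEY, PASSWORD)
    results["strong_ok"] = strong.unlock(PASSWORD) == DATA_KEY
    results["strong_wrong"] = strong.unlock("wrong") is None
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the model is the `weak_bypass` case: with the check on the host, the application's verification can be skipped entirely by speaking to the drive directly, which is why a software update to the host application could close the hole without touching the hardware. In the hardened design the password is an input to the key derivation, so there is nothing for a bypassed host check to leak.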

Bulletins posted 1/5/2010

Facebook Cuts Off Access to Profile-Killing Service

Deleting your Facebook profile is easy. Just follow the link and submit your request. But merely disappearing from Facebook might not be cathartic enough for people who've grown to despise social networking. For them, there was the Web 2.0 Suicide Machine, a service that didn't just delete Facebook profiles, it actually disemboweled them.

The operators of SuicideMachine.org claim (via the L.A. Times) that Facebook is blocking the Web app's IP address, making it impossible for users to activate the service. Activating the Suicide Machine unleashes a script that systematically removes friends, groups and, coming soon, wall posts. The automated process transpired before users' eyes. Profiles were then added to one last group, the "Social Network Suiciders," and, lest users reconsider signing back on to their Facebook accounts, the passwords were changed, leaving accounts inaccessible.

Suicide Machine says one user's profile, with 1,000 friends, took less than an hour to commit automatic suicide, when it would have taken over 9 hours manually.

Facebook reportedly blocked Suicide Machine's IP address because it "has been associated with abusive behavior," but not before 500 people successfully used the service, removing more than 50,000 friends from their profiles.

Suicide Machine's operators are trying to devise a workaround. The site is seeking supporters who know how to set up a proxy server. Meanwhile, jaded social networkers can still cut themselves out of Twitter, MySpace, and LinkedIn. To date, 203,736 Tweets have been deleted using the service.

I wouldn't be surprised if a couple people used the Suicide Machine maliciously, for instance by killing the profiles of ex-boyfriends or girlfriends. Would that count as Facebook murder?

For more information on this, please see the full article.

PC World -By Jared Newman

Mac Security Reality-check: Scams

In the endless debates about Mac security--is the Mac platform inherently safer than Windows? what security measures should Mac users take?--one point is often overlooked: The biggest chink in computer security isn't necessarily in the computer itself. Rather, the weak spot is often the computer operator--in other words, you.

Gullibility, greed, momentary lapses in attention, and other human frailties can all be easier to exploit than any vulnerabilities in computer code. Which means that, while your Mac and iPhone can indeed be vulnerable, there are things you can do to keep them safe.

In the days that follow, I'll explain the 13 security threats that I think owners of Macs and iPhones really do need to worry about. For each of them, I've got advice on how to avoid being victimized. First up: scams, fraud, and financial threats.

For more information on all of the threats that Mac owners need to worry about, please see the full article. If you have fallen under attack, contact your service desk and change your passwords.

Macworld.com -By Rich Mogull

10 Free, Must-Have Windows Tools for IT Pros

No Windows geek or PC support pro should be without these must-have utilities -- and they're all free.

They say you can tell a lot about a person by the tools they bring to the job. If you're a professional plumber or a carpenter, people will expect you to carry the right tools for the task at hand. The same holds true for IT pros. Those in the know will judge you by the depth and sophistication of the technical toolkit you bring to a support call.

To help you make a good first impression and to cement your reputation as a seasoned troubleshooting guru, I offer the following list of my top 10 must-have Windows utilities for PC support professionals. Some you probably already know. Others you may have heard of only in passing. But all deserve your consideration for a place in your PC support and diagnostics toolkit.

For the list of free tools and links to download them, please see the full article. Before using or installing any program, make sure you know where it comes from and what is actually being installed.

PC World -By Randall C. Kennedy

New Year, New Attacks Against Adobe Zero-Day

Crooks are once again exploiting the zero-day hole in Adobe Reader and Acrobat to install a remote-control Trojan on victim machines.

The attacks start with a malicious .pdf that the Internet Storm Center has analyzed in depth. The ISC is a volunteer organization that tracks Internet attacks.

As the ISC notes, "malicious PDF documents are not rare these days," and attacks typically attach them to e-mails. But targeted attacks only sent to a small number of victims are often missed by security programs, and the attack sample sent in to the ISC was initially detected by only six out of 40 antivirus vendors, according to the analysis.

This particular attack attempts to install the PoisonIvy Trojan, which allows an attacker to gain remote control over an infected PC. It also drops off a harmless .pdf file named baby.pdf and then opens it with Reader, a bit of digital sleight-of-hand intended to disguise the attack.

The Adobe flaw has been under attack since it was disclosed last month. In its security bulletin, Adobe notes that for some combinations of Windows and Reader versions, this security hole will only allow for crashing Reader instead of installing malware.

In the bulletin, Adobe says it will release an update on January 12th, but until then the ISC suggests disabling JavaScript in Reader and Acrobat (instructions in the bulletin). Using an alternate .pdf reader such as Foxit should also help mitigate the threat.

Be on the lookout for the patch on January 12th. For a link to download the suggested alternate PDF reader, please see the full article. If you have fallen under attack, contact your service desk and change your passwords.

PC World -By Erik Larkin

Bulletins posted 1/4/2010

Underground Services Let Virus Writers Check Their Work

I have often recommended file-scanning services like VirusTotal and Jotti, which allow visitors to upload a suspicious file and scan it against dozens of commercial anti-virus tools.

If a scan generates any virus alerts or red flags, the report produced by the scan is shared with all of the participating anti-virus makers so that those vendors can incorporate detection for the newly discovered malware into their products.

For $1 per file scanned (or a $40 monthly membership) av-check.com will see if your file is detected by any of 22 anti-virus products, including AVAST, AVG, Avira, BitDefender, NOD32, F-Secure, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro. “Each of them is setten [sic] up on max heuristic check level,” av-check promises. “We guarantee that we don’t save your uploaded files and they are deleted immediately after the check. Also, we don’t resend your uploaded files to the 3rd person. Files are being checked only locally (without checking/using on other servers).” In other words: There is no danger that the results of these scans will somehow leak out to the anti-virus vendors.

The service claims that it will soon be rolling out advanced features, such as testing malware against anti-spyware and firewall programs, as well as a test to see whether the malware functions in a virtual machine, such as VMWare or VirtualBox. For safety and efficiency’s sake, security researchers often poke and prod new malware samples in a virtual environment. As a result many new families of malware are designed to shut down or destroy themselves if they detect they are being run inside of a virtual machine.

For more information on this, please see the full article. Before using or installing any program, make sure you know where it comes from and what is actually being installed. If you have fallen under attack, contact your service desk and change your passwords.

www.wired.com -By Brian Krebs

IIS configuration error leads to increased threat, Microsoft says

Microsoft said an Internet Information Services (IIS) parsing extension issue, which could lead to a vulnerable system, is not a flaw that can be patched, but an IIS configuration error that can be avoided by following best practices.

The software giant issued an update on its blog last week, giving links outlining best practices for configuring the IIS Web server. A security expert warned last week about the discovery of a parsing extension vulnerability that could be exploited to pass malicious code and ultimately gain control of the Web server. The issue was described as an error in the way IIS 6 handles semicolons in URLs.

But Microsoft's Christopher Budd explained on the company's Security Response Center blog that the issue is an IIS configuration error that could lead to a vulnerable system. The out-of-the-box, default configuration will not enable an attacker to bypass content filtering software to upload malicious code on the Microsoft Web server.

"This is not the default configuration for IIS and is contrary to all of our published best practices," Budd wrote. "Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."

Budd added that users of IIS with both "write" and "execute" privileges on the same directory should review best practices and make changes to mitigate similar threats to the Web server.

For more information on this, please see the full article. Administrators who run IIS should verify that no directory grants both write and execute permissions, as Budd advises above. If you have fallen under attack, contact your service desk and change your passwords.

techtarget.com -By SearchSecurity.com Staff
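The IIS item above turns on two things: a content filter that judges an uploaded file name only by its trailing extension, and a server that interprets the name differently. The following added example (written for this bulletin, not code from Microsoft or from the researcher) shows a naive upload-name filter beside a stricter one. It assumes, as an illustration of the semicolon issue described above, that the server treats everything from the first ";" onward as not part of the file name, so "shell.asp;.jpg" is handled as an .asp script; the file names and the list of script extensions are constructed test inputs, not samples from the article.

```python
"""Added example: naive vs. strict upload-name filtering.

Assumption (for illustration only): the server's effective file name stops at
the first ';', so 'shell.asp;.jpg' is executed as an .asp page. The names and
the SCRIPT_EXT list below are constructed, not taken from the article.
"""
import posixpath
import re

ALLOWED_EXT = {".jpg", ".jpeg", ".gif", ".png"}
SCRIPT_EXT = (".asp", ".aspx")                       # assumed server-side script types
# One run of safe characters, exactly one dot, a short extension. No ';', no path parts.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def naive_is_allowed(filename):
    """Bypassable filter: only looks at what the string ends with."""
    return filename.lower().endswith(tuple(ALLOWED_EXT))


def effective_name(filename):
    """Assumed parser behaviour: the name the server acts on ends at the first ';'."""
    return filename.split(";", 1)[0]


def would_execute_as_script(filename):
    """Would the server (under the assumption above) run this upload as a script?"""
    return effective_name(filename).lower().endswith(SCRIPT_EXT)


def strict_is_allowed(filename):
    """Hardened filter: whole-name allowlist, single extension, no separators.
    Even this is defence in depth; the real fix (per Budd) is that the upload
    directory must never carry both write and execute permissions."""
    if "/" in filename or "\\" in filename or not SAFE_NAME.match(filename):
        return False
    return posixpath.splitext(filename)[1].lower() in ALLOWED_EXT


def audit(filenames):
    """Names the naive filter accepts that the server would nonetheless execute."""
    return [n for n in filenames if naive_is_allowed(n) and would_execute_as_script(n)]


# Constructed test inputs.
SAMPLE_UPLOADS = [
    "photo.jpg",          # legitimate image
    "photo.JPG",          # legitimate, upper-case extension
    "shell.asp",          # obvious script: both filters reject it
    "shell.asp;.jpg",     # the semicolon trick: naive passes, server runs .asp
    "../shell.asp;.png",  # same trick with a path component
]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print(f"{name!r:24} naive={naive_is_allowed(name)!s:5} "
              f"strict={strict_is_allowed(name)!s:5} exec={would_execute_as_script(name)}")
    print("slipped past naive filter:", audit(SAMPLE_UPLOADS))
```

Run stand-alone, the table shows the two names containing ";" passing the naive check while the strict check rejects them; `audit()` returns exactly those two. The strict filter is not a substitute for the configuration fix: if the directory the file lands in cannot execute anything, a filter bypass yields only a stored file.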

Waledac spreading through fake New Year's e-cards

Cybercriminals behind the Waledac botnet have begun using a New Year's-themed campaign to capture more victims, security experts warned Thursday.

The botnet is spreading spam messages that contain the subject line “Happy New Year 2010” and provide a link for what the email claims to be a New Year's greeting card, Mikko Hyppönen, chief research officer at anti-virus provider F-Secure, told SCMagazineUS.com on Thursday. The campaign began early Thursday.

If followed, the link directs users to a domain that attempts to exploit known vulnerabilities in Adobe Flash and Reader and Internet Explorer, Hyppönen said. Attackers are banking that users will have at least one of these programs not up to date with the latest patches.

The payload in this particular campaign is Trojan-Downloader:W32/Agent.MUG, a version of the Waledac trojan, Hyppönen said. Once the trojan is installed, the user will become part of the Waledac botnet. Doing so gives attackers full access to a user's machine and the ability to steal data from the PC.

An infected system can also be remotely commanded to download fake anti-virus programs, send spam, or participate in distributed denial-of-service attacks, Randy Abrams, director of technical education at anti-virus vendor ESET, told SCMagazineUS.com on Thursday in an email.

“In virtually all cases, the fake e-card is easy to spot if a user realizes that legitimate e-cards always have the name of the sender in the subject line," Abrams said. “The fakes may not have a name at all or say something like ‘a friend', ‘a coworker' and so on.”

For more information on this, please see the full article. Before opening any attachment or following any link, make sure you know where it comes from and what is actually being opened or installed. If you have fallen under attack, contact your service desk and change your passwords.

scmagazineus.com -By Angela Moscaritolo

Bulletins posted 12/31/2009

Zeus, Koobface, Conficker: How to fight

Cisco highlighted the top security threats of 2009 by presenting Cybercrime Showcase Awards as part of its Annual Security Report.

Two positive and two not-so-positive categories were included. Awards went to the Conficker Working Group for the "Cybercrime Sign of Hope" and Washington Post journalist Brian Krebs as the "Cybercrime Hero."

Zeus and Koobface won the "Most Audacious Criminal Operation" and "Most Notable Criminal Innovation" awards, respectively.

Threats like Conficker, Zeus and Koobface may be audacious, notable and innovative, but traditional tried-and-true methods of defence continue to be the best means for fighting back.

The top three technological things enterprises can do to protect themselves are "basic, tried-and-true, dyed-in-the-wool" solutions, said James Quinn, senior research analyst at Info-Tech Research Group Ltd.

For more information on this, please see the full article. Before using or installing any program, make sure you know where it comes from and what is actually being installed. If you have fallen under attack, contact your service desk and change your passwords.

Computerworld -By Jennifer Kavur

Google Chrome OS: Hot Target for Hackers in 2010

Google's Chrome OS will be "poked" by hackers in 2010, in large part because it will be the "new kid on the block," a security researcher predicted today.

Chrome OS will be targeted by attackers, probably even before it's officially released, said Sam Masiello, the director of threat management at antivirus vendor McAfee.

"It'll be the new kid on the block, that's one of the primary drivers why we think cybercriminals will target Chrome OS," said Masiello. "The same thing happened to Windows Vista and Windows 7, even before they were finished. Since Chrome OS is new, it's going to be of interest to security researchers, and it's going to be poked by cybercriminals as well."

Google's operating system was announced in July and released as open-source in November, but is not slated to be available on netbooks until late in 2010.

Another reason hackers will likely target Chrome OS is its reliance on HTML 5, the still-unfinished revision of HTML (Hypertext Markup Language) that aims to replace the current crop of rich media plug-ins, such as Adobe Flash and Microsoft's Silverlight, with advanced features developers can build right into sites.

For more information on this, please see the full article. Before using or installing any program, make sure you know where it comes from and what is actually being installed. If you have fallen under attack, contact your service desk and change your passwords.

Computerworld -By Gregg Keizer

RockYou Sued Over Data Breach

An Indiana man sent a popular social networking app maker a great big "piece of flair" yesterday -- in the form of a class-action lawsuit. Alan Claridge sued RockYou, creators of spamtastic Facebook and MySpace apps like "Pieces of Flair" and "SuperWall," after the company admitted to having lost over 30 million individuals' personal identification data to a hacker.

The incident -- one of 2009's top data disasters -- went unacknowledged by RockYou for almost two weeks.

Remember when it used to be okay to write your computer's user name and password on a sticky note and slap it on your monitor? Oh right -- that was never okay. But that was basically what RockYou did with all of its confidential data. Instead of encrypting or taking any reasonable measure to defend itself, RockYou kept all of its stored personal data in plaintext files. Yes: .txt docs.

"RockYou recklessly and knowingly failed to take even the most basic steps to protect its users' PII (personally identifiable information) by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills to take the PII of at least 32 million customers," the lawsuit states.

So it was remarkably easy for the hacker known as "igigi" to exploit RockYou's SQL injection vulnerabilities (basically "poor coding"). You may remember that term from earlier this year when Heartland Payment Systems went whoopsie with millions and millions of credit card numbers. According to a copy of the lawsuit obtained by Wired, "igigi" scampered away with "the e-mails and passwords of approximately 32 million registered RockYou users."

For more information on this, please see the full article. If you have used RockYou applications, change your RockYou password now, and change it anywhere else you used the same password. If that includes a work account, contact your service desk.

PC World -By Brennon Slattery
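The RockYou item above names two separate failures: a SQL injection hole in the application and passwords stored in plaintext behind it. Either one alone is bad; together they turn one bad query into 32 million usable credentials. The following is an added example (written for this bulletin, not RockYou's code or the attacker's) using an in-memory SQLite database: the vulnerable login and its data exposure on the left-hand path, and a parameterized query over salted, hashed passwords on the other. The user records and the injection string are constructed test inputs.

```python
"""Added example: SQL injection + plaintext storage vs. parameterized queries +
salted hashes. All data here is constructed; this is not RockYou's schema."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts.
SAMPLE_USERS = [("alice@example.com", "hunter2"), ("bob@example.com", "letmein")]
# A classic tautology payload, as a constructed example of what "igigi" might
# have sent against a concatenated query.
INJECTION = "' OR '1'='1"


def hash_pw(password, salt):
    """Salted, slow hash: what should have been stored instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db(plaintext):
    """Create a users table storing either plaintext passwords or salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw TEXT, salt BLOB)")
    for email, password in SAMPLE_USERS:
        if plaintext:
            conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, password, None))
        else:
            salt = os.urandom(16)
            conn.execute("INSERT INTO users VALUES (?, ?, ?)", (email, hash_pw(password, salt), salt))
    return conn


def login_vulnerable(conn, email, password):
    """Vulnerable: user input concatenated into SQL, password compared in the database."""
    query = f"SELECT email FROM users WHERE email = '{email}' AND pw = '{password}'"
    return conn.execute(query).fetchone() is not None


def dump_vulnerable(conn, email_input):
    """What the same concatenation hands an attacker: the pw column for every row."""
    query = f"SELECT pw FROM users WHERE email = '{email_input}'"
    return [row[0] for row in conn.execute(query).fetchall()]


def login_hardened(conn, email, password):
    """Hardened: parameterized lookup, constant-time compare of salted hashes."""
    row = conn.execute("SELECT pw, salt FROM users WHERE email = ?", (email,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_pw(password, row[1]))


def demo():
    """Run both paths; returns a dict of outcomes."""
    plain = make_db(plaintext=True)
    hashed = make_db(plaintext=False)
    return {
        # Login bypass: the tautology makes the WHERE clause true for any row.
        "vuln_login_bypass": login_vulnerable(plain, INJECTION, INJECTION),
        # The same injection against the plaintext table dumps real passwords...
        "plaintext_dump": dump_vulnerable(plain, INJECTION),
        # ...while against a hashed table it yields only hashes (still bad, not credentials).
        "hashed_dump": dump_vulnerable(hashed, INJECTION),
        # Parameterized query: the payload is just an e-mail address that does not exist.
        "hardened_login_bypass": login_hardened(hashed, INJECTION, INJECTION),
        "hardened_login_ok": login_hardened(hashed, "alice@example.com", "hunter2"),
        "hardened_login_wrong": login_hardened(hashed, "alice@example.com", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two things to take from the output: the injected string logs in and dumps every stored password from the plaintext table, and the same string against the parameterized query is simply an address that matches nothing. Hashing alone would not have stopped the dump, but it would have meant the attacker walked away with hashes to crack rather than 32 million passwords to reuse.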

2010 Security Outlook: Reply Hazy, Try Again

Security researchers, experts don't show much agreement on the coming year's threats

Every year, Dark Reading editors are subjected to a hail of email from vendors, researchers, and analysts offering "predictions" for the coming year. While some of these predictions are based on actual data gathered by researchers who analyze security trends, the vast majority of these predictions often seem a bit random, if not completely arbitrary.

We suspect the widespread use of Ouija boards, crystal balls, tea leaves, and chicken entrails.

Seriously, folks, is this the best the security industry can do? Some of these predictions include shocking new insights, such as "the malware threat will continue to increase" and "use of botnets will grow." Duh. Tonight's forecast: dark.

As a service to you, our readers, we combed through the many lists of predictions in an effort to find a few that are actually forward-thinking. This is by no means a comprehensive list, and it's pretty darn subjective -- but, hey, so are most of the predictions.

For the handful of predictions the editors judged worth reading, please see the full article. Before using or installing any program, make sure you know where it comes from and what is actually being installed. If you have fallen under attack, contact your service desk and change your passwords.

DarkReading -By Tim Wilson

Bulletins posted 12/30/2009

More attacks expected on Facebook, Twitter in 2010

Social-networking sites like Facebook and Twitter can expect more attention from cybercriminals in 2010, according to a new report (PDF) released Tuesday by McAfee Labs.

Also at risk are users of Adobe Systems products including Acrobat Reader and Flash. And move over Microsoft; the security firm predicts that Google's Chrome OS will "create another opportunity for malware writers to prey on users."

The company also anticipates smarter and more dangerous Trojans that "follow the money," as well as a "significant trend toward a more distributed and resilient botnet infrastructure that relies much more on peer-to-peer technologies."

In a recorded interview, David Marcus, McAfee Labs' director of security research and communications, said that he expects "an explosion of Facebook and other services targeted by cybercriminals." In addition to malware like Koobface that spreads among Facebook users' friends lists, Marcus expects an increase in rogue Facebook applications.

"When you click yes to 'do you want to allow this application to access your Facebook account,' you're giving that application access to all the data in your Facebook account," he said. Facebook vets the third-party applications that it distributes, but rogue developers are finding other ways to get people to install unauthorized apps.

"A lot of the spammers and scammers will send fake Facebook application requests to users' inboxes," he said. Marcus recommends that you only install apps from within Facebook by clicking "browse more applications" in the Facebook application installer.

For more information on this, please see the full article. Before installing any application, Facebook apps included, make sure you know where it comes from and what it is being granted access to. If you have fallen under attack, contact your service desk and change your passwords.

news.cnet.com -By Larry Magid

Should Users Worry About New Cellular Hack?

Most business users still receive "good enough" protection for their calls.

How concerned should business users be about wireless security now that another group claims to have cracked the security scheme used by 80 percent of the world's cellular telephones?

Not very, unless you are doing something very illegal or highly sensitive, in which case all bets are off.

Specifically, the cipher used by the Global System for Mobile Communications (GSM) has reportedly been cracked by a German researcher, who presented his findings Sunday at a hacker conference in Berlin.

GSM is the algorithm used by most of the world's cellular devices, including the AT&T and T-Mobile networks in the U.S.

This is not the first time someone has claimed to have cracked GSM encryption, but it is the most serious challenge so far. GSM has been used for 21 years and was first cracked in 1994.

The German researcher, Karsten Nohl, says the 64-bit A5/1 encryption method is no longer capable of protecting the world's cellular communications. You can download a PDF of his presentation.

Real-time monitoring of calls would be possible with specialized receivers, antennas, and about $30,000 of computing hardware, Nohl said. Such tools are already available to government and Nohl said he believes criminals have the technology, too.

For more information please see the full article. If you have fallen under attack, contact your service desk and change your passwords.

PC World -By David Coursey

Bulletins posted 12/29/2009

Adobe will be top target for hackers in 2010, report says

McAfee also predicts more sophisticated social networking attacks and targeting of HTML 5

Adobe Systems' Flash and Acrobat Reader products will become the preferred targets for criminal hackers in 2010, surpassing Microsoft Office applications, a security vendor predicted this week.

"Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot," security vendor McAfee said in its "2010 Threat Predictions"

Hackers usually target the most widely used products in order to achieve the maximum impact. For a long time that has made Microsoft their primary target. But the software giant has tightened security in its recent OS releases, leading hackers to look for additional targets

Adobe's CTO acknowledged recently that his company's software is being attacked more frequently, and said the company has stepped up its efforts to respond.

For more information on this, please see the full article. Make sure that any Adobe software you use is always updated to the most current version. If you have fallen under attack, contact your service desk and change your passwords.

IDG News Service -By James Niccolai

Hackers Show It's Easy to Snoop on a GSM Call

Computer security researchers say that the GSM phones used by the majority of the world's mobile-phone users can be listened in on with just a few thousand dollars worth of hardware and some free open-source tools.

In a presentation given Sunday at the Chaos Communication Congress in Berlin, researcher Karsten Nohl said that he had compiled 2 terabytes worth of data -- cracking tables that can be used as a kind of reverse phone-book to determine the encryption key used to secure a GSM (Global System for Mobile communications) telephone conversation or text message.

While Nohl stopped short of releasing a GSM-cracking device -- that would be illegal in many countries, including the U.S. -- he said he divulged information that has been common knowledge in academic circles and made it "practically useable."

Intercepting mobile phone calls is illegal in many countries, including the U.S., but GSM-cracking tools are already available to law enforcement. Nohl believes that criminals are probably using them too. "We have just basically copied what you can already buy in a commercial product," he said.

The flaw lies in the 20-year-old encryption algorithm used by most carriers. It's a 64-bit cipher called A5/1 and it is simply too weak, according to Nohl. Using his tables, antennas, specialized software, and $30,000 worth of computing hardware to break the cipher, someone can crack the GSM encryption in real time and listen in on calls, he said. If the attacker was willing to wait a few minutes to record and crack the call, the total cost would be just a few thousand dollars, he said.

Because even discussing wiretapping tools can be illegal in the U.S., researchers have steered clear of this type of work. But after consulting lawyers with the Electronic Frontier Foundation, Nohl and his collaborators set upon a way of conclusively disclosing the flaws in the GSM system without -- they believe -- breaking the law.

A next-generation cipher called A5/3, considered much more secure, has been standardized by the GSM industry (it is not the work of Nohl's group); it is built on the same KASUMI block cipher that 3G networks use to protect their traffic.
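What "a 64-bit cipher" and "cracking tables" mean in practice is easier to see with the algorithm in hand. The following is an added example written for this bulletin, not code from Nohl's presentation or from either article above: an A5/1 keystream generator in Python. Register lengths, feedback taps, clocking bits and the key and frame loading sequence are the published A5/1 design (the same conventions as the public a51.c reference code); the 8-byte key and the frame number used in the sample run are constructed values. The point to notice is that the entire secret state is three shift registers of 19, 22 and 23 bits, 64 bits in total, and every output bit is a simple function of that state, which is what makes precomputed lookup tables of the kind Nohl describes feasible.

```python
# Added example for this bulletin (not code from the articles or from Nohl's
# presentation): an A5/1 keystream generator. Register sizes, taps, clocking
# bits and the key/frame loading order follow the published A5/1 design, in
# the same conventions as the public a51.c reference code.

R1_MASK, R2_MASK, R3_MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF  # 19, 22, 23 bits
R1_TAPS, R2_TAPS, R3_TAPS = 0x072000, 0x300000, 0x700080  # feedback taps
R1_MID, R2_MID, R3_MID = 0x000100, 0x000400, 0x000400     # clocking bits 8, 10, 10
R1_OUT, R2_OUT, R3_OUT = 0x040000, 0x200000, 0x400000     # high bit of each register


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


def _step(reg: int, mask: int, taps: int) -> int:
    """Shift one register left by one bit, feeding back the XOR of its taps."""
    return ((reg << 1) & mask) | _parity(reg & taps)


class A51:
    """A5/1 state: three LFSRs of 19, 22 and 23 bits, 64 bits of state in all."""

    def __init__(self, key: bytes, frame: int):
        if len(key) != 8 or not 0 <= frame < (1 << 22):
            raise ValueError("A5/1 takes a 64-bit key and a 22-bit frame number")
        self.r1 = self.r2 = self.r3 = 0
        # Key and frame loading: all three registers clock regularly, and each
        # key bit (LSB first per byte) then each frame bit is XORed into bit 0.
        for i in range(64):
            self._clock_all()
            self._mix((key[i // 8] >> (i & 7)) & 1)
        for i in range(22):
            self._clock_all()
            self._mix((frame >> i) & 1)
        # 100 irregular (majority-clocked) steps whose output is discarded.
        for _ in range(100):
            self._clock()

    def _mix(self, bit: int) -> None:
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    def _clock_all(self) -> None:
        self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _clock(self) -> None:
        """Majority rule: a register steps only if its clocking bit agrees
        with the majority of the three clocking bits."""
        c1 = (self.r1 & R1_MID) != 0
        c2 = (self.r2 & R2_MID) != 0
        c3 = (self.r3 & R3_MID) != 0
        maj = (c1 + c2 + c3) >= 2
        if c1 == maj:
            self.r1 = _step(self.r1, R1_MASK, R1_TAPS)
        if c2 == maj:
            self.r2 = _step(self.r2, R2_MASK, R2_TAPS)
        if c3 == maj:
            self.r3 = _step(self.r3, R3_MASK, R3_TAPS)

    def _output_bit(self) -> int:
        return int(((self.r1 & R1_OUT) != 0)
                   ^ ((self.r2 & R2_OUT) != 0)
                   ^ ((self.r3 & R3_OUT) != 0))

    def keystream(self, nbits: int = 228) -> list:
        """Generate nbits of keystream (a GSM frame uses 114 bits per direction)."""
        out = []
        for _ in range(nbits):
            self._clock()
            out.append(self._output_bit())
        return out


def burst_keystreams(key: bytes, frame: int):
    """Return the (downlink, uplink) 114-bit keystreams for one frame."""
    ks = A51(key, frame).keystream(228)
    return ks[:114], ks[114:]


def xor_bits(data: list, keystream: list) -> list:
    """Encrypt or decrypt: A5/1 is a stream cipher, so both are a plain XOR."""
    return [d ^ k for d, k in zip(data, keystream)]


if __name__ == "__main__":
    key = bytes.fromhex("1223456789abcdef")  # constructed sample key
    down, up = burst_keystreams(key, 0x134)  # constructed frame number
    print("downlink keystream:", "".join(map(str, down)))
```

The generator yields 228 keystream bits per frame, 114 for each direction, which are XORed with the burst bits; A5/1 provides no integrity, so flipping a ciphertext bit flips the same plaintext bit. The a51.c reference code ships a known-answer vector for key 12 23 45 67 89 AB CD EF and frame 0x134, and a port of this code can be checked against it.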

For more information on this, please see the full article. If you have fallen under attack, contact your service desk and change your passwords.

IDG News Service -By Robert McMillan

Batch conversion saves slow QuickTime clips

Recently, I saw an advertisement for free high definition (HD) video motion backgrounds (in full 1920x1080 HD resolution) from Footage Firm. After visiting the site, it turns out that “free” is a relative term—the free HD motion background DVDs are about $9 each, with “shipping and handling” charges.

Still, at that price, the backgrounds, with 25 different backgrounds per DVD, were a relative bargain ($15 to $40 per HD background is a more typical cost). Since my intended use for these backgrounds is in assorted home video projects, I wasn’t overly concerned about broadcast quality, and the demos on the site showed quality that was more than sufficient for my needs.

So I took a bit of a gamble, and ordered three of the “free” collections, for a total of 75 HD backgrounds in glorious 1920x1080 resolution. On first inspection, using Quick Look in the Finder, the backgrounds looked great, and well worth the money. When I opened the first one to play it, though, there was a problem: the frame rate was abysmal—anywhere from one to five frames per second (fps), where 30fps would be considered ideal.

Just to make sure it wasn’t an anomaly on one Mac, I tried it on four different machines, running both OS X 10.5 and 10.6. I had similar horrid results on all four machines. I even tried looking at them in Windows 7 via Fusion 3, but things weren’t much better there. At these low frame rates, the backgrounds were unusable, and I thought I might be out my $25 investment.

Then I looked at the Movie Inspector window (Command-I in QuickTime Player), and was surprised to see the format listed as JPEG 2000. I’d never heard of JPEG 2000 being used for video, and wondered if the format was causing my playback speed problems.

As a test, I used QuickTime Pro (a $30 upgrade that enables more features in QuickTime Player) to export one of the movies to a new file, switching from JPEG 2000 compression to Animation, a very high quality alternative. The result? The modified file played back perfectly at 30fps. Unfortunately, the file was also quite large—the exported file was nearly triple the size of the original.

On the advice of a friend in the video business, I tried again, but used Photo JPEG as the compression format. The results here were much better: The frame rate was 30fps with no perceptible differences from the original, at less than double the file size.

For more information on this, please see the full article. Be careful when buying things online that look too good to be true.

Macworld.com -By Rob Griffiths

Pressure increasing for Microsoft to patch IIS 0 day

Microsoft IIS 0Day Vulnerability in Parsing Files (semi-colon bug).

Secunia has confirmed the vulnerability "on a fully patched Windows Server 2003 R2 SP2 running Microsoft IIS version 6. Other versions may also be affected". Even if you believe you are running a version of IIS that is not vulnerable, the vulnerable functionality may have been enabled by your webmaster when IIS was deployed.

Judging by related posts and earlier IIS issues, this vulnerability is likely to be widely and successfully exploited soon, not only by the usual suspects but also by specialized groups of attackers seeking unrestricted access to your protected network, and, of course, by other groups after more mundane items like bank accounts.
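The "semi-colon bug" label refers to IIS 6 choosing the handler for a request from the part of the file name before the first semicolon, so a file uploaded as shell.asp;.jpg passes a last-extension check yet runs as ASP. The following is an added example, not from the ISC diary: a Python upload-name filter that shows the naive check beside a hardened one. The allowed and script extension lists and the sample names are assumptions constructed for the example.

```python
# Added example (not from the ISC diary): an upload-name filter for an
# application running on IIS 6. weak_check() is the naive test that trusts
# the text after the last dot; hardened_check() refuses names that IIS could
# interpret as something other than the intended image.
import re

# Extensions the application means to accept (assumption for the example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Extensions an IIS script map would hand to a script engine; the hardened
# check refuses these in any dot-separated segment, not only the last one.
SCRIPT_EXT = {"asp", "aspx", "asa", "cer", "cdx", "ashx", "asmx", "php", "cgi"}
# Strict whitelist: one plain name segment, one dot, one allowed extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def weak_check(filename: str) -> bool:
    """Deliberately naive: only looks at whatever follows the last dot."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXT


def hardened_check(filename: str) -> bool:
    """Reject path separators, NUL, ';' (IIS 6 chooses the handler from the
    part of the name before the first semicolon, the bug discussed above)
    and ':' (NTFS alternate data streams); reject any script extension in
    any segment; then require the strict whitelist pattern."""
    if any(ch in filename for ch in "/\\;:\x00"):
        return False
    segments = filename.lower().split(".")
    if any(seg in SCRIPT_EXT for seg in segments[1:]):
        return False
    return SAFE_NAME.match(filename) is not None


def classify(names):
    """Return {name: (weak_result, hardened_result)} for a batch of names."""
    return {n: (weak_check(n), hardened_check(n)) for n in names}


# Constructed sample names, not taken from any real upload log.
SAMPLES = [
    "holiday.jpg",
    "IMG_0001.PNG",
    "shell.asp;.jpg",      # semicolon trick: IIS 6 runs this as shell.asp
    "shell.asp.jpg",       # double extension
    "../web.config",       # traversal attempt
    "photo.jpg::$DATA",    # alternate data stream
    "a.asp\x00.jpg",       # NUL byte truncation
]

if __name__ == "__main__":
    for name, (weak, hard) in classify(SAMPLES).items():
        print(f"{name!r:22} weak={weak!s:5} hardened={hard}")
```

The name check is only one layer: the upload directory should also have script execution disabled in IIS, and the server should store uploads under a name it generates itself rather than the one the client supplied.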

For more information on this, please see the full article. If you have fallen under attack, contact your service desk and change your passwords.

isc.sans.org -By Patrick Nolan

Six uses for a dead iPod

Nothing lasts forever, and iPods are no exception.

Like all electronic devices, your iPod will eventually take a trip to the big Apple Store in the sky. But that doesn’t mean you can’t still use it. There are many components that can die in an iPod: the hard drive, the flash memory, the screen, the backlight, or the actual digital signal processor (the chip that converts bits and bytes to notes). You can also ruin your headphone jack, making it impossible to listen to music by that route. Failures to any of these components can result in a dead iPod but, in some cases, even without going for a fix-up, you can still use the iPod in some way.

For more information on this, and to see the six ways to get the most out of a dead iPod please see full article.

Macworld.com -By Kirk McElhearn

Bulletins posted 12/28/2009

Good Guys Bring Down the Mega-D Botnet

Chalk up one for the defenders. Here’s how a trio of security researchers used a three-step attack to defeat a 250,000-pronged botnet.

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from defense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.

Targeting Controllers

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet's Achilles' heel: Isolate them, and the undirected bots will sit idle. Mega-D's controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn't reach its primary command server. So taking down Mega-D would require a carefully coordinated attack.

Synchronized Assault

Mushtaq's team first contacted Internet service providers that unwittingly hosted Mega-D control servers; his research showed that most of the servers were based in the United States, with one in Turkey and another in Israel.

The FireEye group received positive responses except from the overseas ISPs. The domestic C&C servers went down.

Next, Mushtaq and company contacted domain-name registrars holding records for the domain names that Mega-D used for its control servers. The registrars collaborated with FireEye to point Mega-D's existing domain names to nowhere. By cutting off the botnet's pool of domain names, the antibotnet operatives ensured that bots could not reach Mega-D-affiliated servers that the overseas ISPs had declined to take down.

Down Goes Mega-D

MessageLabs, a Symantec e-mail security subsidiary, reports that Mega-D had "consistently been in the top 10 spam bots" for the previous year (find.pcworld.com/64165). The botnet's output fluctuated from day to day, but on November 1 Mega-D accounted for 11.8 percent of all spam that MessageLabs saw. Three days later, FireEye's action had reduced Mega-D's market share of Internet spam to less than 0.1 percent, MessageLabs says.

FireEye plans to hand off the anti-Mega-D effort to ShadowServer.org, a volunteer group that will track the IP addresses of infected machines and contact affected ISPs and businesses. Business network or ISP administrators can register for the free notification service.

Continuing the Battle

Mushtaq recognizes that FireEye's successful offensive against Mega-D was just one battle in the war on malware. The criminals behind Mega-D may try to revive their botnet, he says, or they may abandon it and create a new one. But other botnets continue to thrive.

Until that happens, "we're definitely looking to do this again," Mushtaq says. "We want to show the bad guys that we're not sleeping."

For more information on this, please see the full article. If you have fallen under attack, contact your service desk and change your passwords.

PC World -By Erik Larkin

Home Networking: How to Avoid Traffic Jams

In many households today, broadband Internet connections are used not only for e-mail and Web browsing, but also to stream music and video, play online games and/or perhaps make voice calls using a VoIP (Voice over Internet Protocol) service.

You may have several PCs on your home network, as well as some combination of a gaming console like the Xbox 360, an iPhone or other handheld device, and perhaps a streaming music player such as the Squeezebox or a streaming video player such as the Roku. While some of these devices may have a wired connection to your router, most tap in wirelessly.

So what happens when one person wants to listen to music, another wants to watch a movie and still another wants to play an online game all at once? If you've never tweaked your router's firmware, you might experience performance problems. What's more, many wireless routers leave the factory with some of their best features disabled. I'll show you how to change your router's configuration so that you can take full advantage of its capabilities.

Why router settings matter

By default, a wireless router maximizes the rate at which it transfers data. This is desirable when you're transferring files from point A to point B using a protocol like TCP because you want to move files as fast as possible. If the router begins dropping too many packets, it simply throttles its link rate down until the packet loss abates -- and then it begins ramping up all over again.

For more information on how to make the most of your home network, please see the full article.

PC World -By Michael Brown

Bulletins posted 12/24/2009

Feds Need To Push Forward On Cybersecurity, Says Former FBI CIO

Key to any plan is to focus on hardware, software, and people, and to understand that cybersecurity is a risk management effort, says Zal Azmi

Former FBI CIO Zal Azmi's call came only days before the Obama administration named its cybersecurity coordinator.

"Strategically, what we are lacking right now is an actionable game plan," said Azmi, who is now senior VP for government contractor CACI's cyber solutions group. "I have so many studies in my office that you wouldn't believe, but we need to be more focused. We need to put our heads together and get an actual plan going."

There have been a number of government cybersecurity plans put forward over the last several years, including 2004's National Strategy to Secure Cyberspace and 2008's largely classified Comprehensive National Cybersecurity Initiative. The plans have been gutted or otherwise disappeared off the public scene.

Now, the Obama administration is pushing its own comprehensive plan. In a video posted after his appointment as White House cybersecurity coordinator this week, Howard Schmidt said President Obama had tasked him with creating a comprehensive cybersecurity strategy, which will likely grow out of the administration's 60-day cybersecurity review finalized earlier this year.

Azmi said that the key to any plan is to focus on hardware, software, and people, and to understand that cybersecurity is a risk management effort. "There are things you have control over, and things you don't," he explained.

For more information on this, please see the full article.

InformationWeek -By J. Nicholas Hoover

DDoS Attack on DNS Hits Amazon and Others Briefly

Internet users in Northern California were unable to reach properties including Amazon.com and Amazon Web Services for a time Wednesday evening, as their DNS provider was targeted by a distributed denial-of-service attack. The attack came as North American consumers rushed to finish online shopping ahead of the end-of-year holiday season.

Amazon Web Services (AWS) was the first to signal something was amiss. Its status page indicates that at 5:43 p.m. Pacific Time on Wednesday its staff was investigating reports of DNS (Domain Name System) resolution errors from customers trying to reach its S3 cloud storage service. The problem persisted until 6:38 p.m. Pacific Time, but in the meantime the S3 service continued to operate, AWS said.

However, staff at Neustar, the owner of Amazon's DNS provider UltraDNS, was aware of the problem around an hour earlier, at 4:45 p.m. Pacific Time.

"At 7:45 p.m. Eastern Time we noticed an abnormal spike in queries and immediately identified it as a DDoS attack," said Allen Goldberg, vice president of corporate communications at Neustar, in an e-mail.

The company was able to analyze the attack pattern and take steps to limit its effects within minutes of identifying the problem, he said.

For more information on this, please see the full article.

IDG News Service -By Peter Sayer

Hackers Claim Victory in Cracking Amazon Kindle DRM

Amazon.com's Kindle e-book reader is coming under assault by hackers, who say they've figured out ways to export protected content for use on other devices.

Amazon sells content for the Kindle in an ".azw" format, some of which has DRM (digital rights management) technology that prevents a file from being transferred to an unauthorized device.

But one hacker, who goes by the handle "I love cabbages," with a heart to designate "love," developed a program called "Unswindle" that can convert books stored in the Kindle for PC application into a different file format that can then be imported to another device. Unswindle must be used with MobiDeDRM, another hacker program that can convert protected Amazon content.

The blogger wrote that a new version of Kindle for PC doesn't appear to interfere with Unswindle.

"We'll see if Amazon throws out another new build in short order," I love cabbages wrote on Tuesday in an update to a Dec. 17 blog post.

For more information on this, please see the full article.

IDG News Service -Jeremy Kirk

Bulletins posted 12/23/2009

Pupils bypassing school internet security

Many young people are using 'proxy servers' to get round their schools' internet security systems. The free services offer instant access to banned websites, including online games and social networking.

Figures suggest the use of proxies has risen sharply in recent years. Security experts are warning that pupils who log on put themselves at risk of cyber crime.

It sounds like an obscure, techy area of computing that only geeks would know about.

But when we asked pupils in one secondary school classroom who had heard of proxy servers, every hand went up.

These 'secret tunnels' to the internet are a way of life for teenagers across the UK.

As schools employ increasingly sophisticated software to stop them accessing 'non-educational' websites, the proxies offer a quick, easy way to bypass those restrictions.

“It's just a box that says 'type in the website that is blocked'. You type it in and it brings it up,” said a senior pupil, who wanted to remain anonymous.

Web-based proxy servers disguise a user's activity from school monitoring software.
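In an outbound proxy or firewall log, use of a web-based proxy has a recognisable shape: the request goes to an unfamiliar host and the blocked site's address travels inside the query string, plain, percent-encoded, base64 or rot13-obfuscated. The following is an added example, not from the Newsbeat article: a Python detector run over constructed log lines. The log format, host names, script names and the encodings checked are assumptions made for the example; a production rule would also carry a list of known proxy hosts.

```python
# Added example (not from the Newsbeat article): a detector for web-based
# proxy use, run over constructed firewall/proxy log lines. A CGI-style proxy
# takes the blocked site's address from a form field, so the tell-tale sign in
# outbound logs is a request whose query string itself carries a URL.
import base64
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

URL_IN_VALUE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)
# Script names used by common CGI-proxy packages (assumption for the example).
PROXY_SCRIPT_HINTS = ("browse.php", "nph-proxy.cgi")
ROT13 = str.maketrans(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)
# Assumed log format: timestamp, client IP, method, URL, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def _decoded_forms(value: str):
    """Yield the raw value plus the decodings a web proxy might have applied."""
    yield value
    yield unquote(value)
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.urlsafe_b64decode(padded).decode("ascii", "ignore")
    except ValueError:          # binascii.Error is a ValueError: not base64
        pass
    yield value.translate(ROT13)


def looks_like_web_proxy(url: str) -> Optional[str]:
    """Return a short reason if the request looks like a web-proxy fetch, else None."""
    parts = urlsplit(url)
    for hint in PROXY_SCRIPT_HINTS:
        if hint in parts.path:
            return f"proxy script path: {hint}"
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for form in _decoded_forms(value):
            if URL_IN_VALUE.match(form.strip()):
                return f"URL carried in query parameter '{key}'"
    return None


def scan_log(lines):
    """Return [(client, url, reason)] for requests that look like proxy use."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # malformed line: skip, don't crash
        reason = looks_like_web_proxy(m["url"])
        if reason:
            hits.append((m["client"], m["url"], reason))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """\
2009-12-23T10:01:02Z 10.20.30.41 GET http://www.bbc.co.uk/schools/ 200
2009-12-23T10:01:09Z 10.20.30.42 GET http://free-unblock.example/browse.php?u=aHR0cDovL3d3dy5mYWNlYm9vay5jb20v&b=4 200
2009-12-23T10:02:15Z 10.20.30.43 GET http://another.example/?url=http%3A%2F%2Fgames.example%2F 200
2009-12-23T10:02:40Z 10.20.30.44 GET http://search.example/?q=homework+help 200
2009-12-23T10:03:01Z 10.20.30.45 GET http://cgi.example/go?target=uggc://jjj.snprobbx.pbz/ 200
"""

if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{client}  {reason}\n    {url}")
```

Flagging a request is only the first step: the hit should be correlated with the client and the destination host, and the host added to the block list, since the same proxy is usually shared by many pupils once one finds it.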

For more information on this, please see the full article. Make sure that your security policy is up to date and enforced. Proxies can be open doors to security flaws.

Newsbeat technology -By Iain Mackenzie

Pharma link spammers invade Live Space

Cybercrime affiliates of unlicensed pharmaceutical websites have begun moving on from attacks purely designed to poison Google search engine results, and are now targeting Microsoft's web properties.

Search engine poisoners are actively making use of Microsoft’s Windows Live Spaces blog hosting environment, net security firm eSoft reports. Miscreants are creating accounts which they use only to push links to the pharma-fraud sites. As a result the search engine ranking of these spamvertised sites is pushed up.

In addition, spam emails contain the URLs of fake blogs, from which surfers are redirected onto penis pill sites. The tactic is designed to evade spam filters that might already have blacklisted the fraudulent website.

The misuse of fake blogs on Live Spaces is a refinement of the well established practice of link spamming: posting "comments" on legitimate blogs that supply links to dodgy pharmaceutical websites and the like.

Attacks similar to the Live.com blogspamming for fraudulent pharmacy sites have also recently been thrown against both Yahoo and Blogger sites, eSoft adds. The security firm adds that the recent Google job spam scam also infiltrated Microsoft's Live Spaces environment.

Whatever the distribution method, it's clear these cybercriminals will continue to evolve new ways of advertising their bogus sites.

For more information or to get a link, please see the full article.

www.theregister.co -By John Leyden

Facebook Trojan: Brazen, but (Luckily) Benign

Third-party application called "Phutos" was able to mimic Facebook's native functionality.

This past weekend, a Trojan mimicked Facebook's native functionality and sent notifications on the user's behalf. While Facebook says that the application was harmless, its ability to break through a boundary of trust on the platform alarmed me.

The Trojan came to my attention on Saturday after I received several Facebook notifications (in the form of a red number in the bottom right of the page) telling me that friends had commented on my photos. It was the same notification that I receive on a day-to-day basis.

When I clicked on the notification, it attempted to load an application called "Phutos," which wanted access to my personal information and social network. I declined. A few minutes later, another notification appeared, but I was not taken to the application screen after I clicked on it. That seemed fishy, so I decided to review my applications.

"Phutos" was under my list of recently used applications-even though I never authorized its installation. At that point, I uninstalled the application and notified Facebook of my findings. Obviously, I also had some questions for it.

For more information on the Facebook Trojan, please see the full article. If you have fallen for or seen something like this, notify your service desk and Facebook support.

PC World -By David Worthington

Bulletins posted 12/21/2009

Adobe warns of critical Flash Media Server vulnerability

Adobe Systems Inc. issued an advisory Friday warning of two critical Flash Media Server (FMS) vulnerabilities that could be used by attackers to alter streaming videos or set up attacks within Flash-based content.

The FMS server is used by enterprises to stream Flash videos and other content. Adobe said FMS versions 3.5.2 and earlier contain a denial-of-service (DoS) flaw that could enable attackers to crash the server and possibly execute malicious code. A directory traversal vulnerability could allow an attacker to upload malicious code on the server and set up attacks within Flash video code.
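Directory traversal is the class of bug where a path supplied by the client is joined to a server directory without checking that the result still lies inside it. As an added example (not Adobe's code, and not a fix for the FMS issue itself), the following Python check shows the containment test any server that maps request paths to files should perform; the media root and the request paths are constructed for illustration.

```python
# Added example (not Adobe's code): a lexical path-containment check of the
# kind that prevents directory traversal when a server maps request paths to
# files under a fixed root. The media root and sample paths are constructed.
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path would land outside the root."""


def resolve_under_root(root: str, requested: str, max_decode: int = 3) -> str:
    """Map a client-supplied relative path onto a file under `root`, or raise.

    Percent-decode until stable (catches %2e%2e and double encoding), reject
    NUL bytes and backslashes, normalise '.' and '..' lexically, then require
    that the result is still strictly inside root.
    """
    if not posixpath.isabs(root):
        raise ValueError("root must be an absolute path")
    root_norm = posixpath.normpath(root)
    decoded = requested
    for _ in range(max_decode):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded or "\\" in decoded:
        raise TraversalError(f"forbidden character in {requested!r}")
    # join() discards root if `decoded` is absolute, and normpath() collapses
    # '..', so an escape shows up as a candidate that is not under root_norm.
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # commonpath compares whole segments: /var/fms/media2 starts with
    # /var/fms/media as a string but is not inside it.
    if candidate == root_norm or posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise TraversalError(f"{requested!r} escapes {root!r}")
    return candidate


def check_paths(root: str, paths) -> dict:
    """Return {requested: resolved path or 'REJECTED'} for a batch of paths."""
    out = {}
    for p in paths:
        try:
            out[p] = resolve_under_root(root, p)
        except TraversalError:
            out[p] = "REJECTED"
    return out


MEDIA_ROOT = "/var/fms/media"   # constructed
SAMPLE_PATHS = [                # constructed request paths
    "videos/clip.flv",
    "videos/../clip.flv",
    "../../../etc/passwd",
    "..%2F..%2Fetc%2Fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "/etc/passwd",
    "clip.flv%00.jpg",
    "videos\\..\\..\\secrets.txt",
]

if __name__ == "__main__":
    for req, result in check_paths(MEDIA_ROOT, SAMPLE_PATHS).items():
        print(f"{req!r:40} -> {result}")
```

The check is purely lexical, which is what most traversal bugs need; on a real file system, also resolve the final path with os.path.realpath so that a symbolic link under the root cannot point outside it.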

Attackers continue to target Adobe products because the software is widely used and not always upgraded with the latest Adobe updates. Security researchers have also been devoting a lot of time to finding vulnerabilities in the company's software. While antivirus vendors push out signatures that can detect malware attempting to exploit vulnerabilities, experts warn that new malicious code is developed daily and not all attacks can be detected.

Adobe issued another advisory last Tuesday warning of ongoing PDF attacks targeting a zero-day vulnerability in Adobe Reader and Acrobat. Some security firms have detected limited email attacks containing malicious PDF files attempting to exploit a remote code execution vulnerability in Reader and Acrobat 9.2 and earlier versions.

Adobe has reportedly said it did not plan an emergency patch to repair the hole because it did not want to disrupt its quarterly update process.

For more information on this, please see the full article. Keep your antivirus software current and up to date, and watch for Adobe's patches for these issues.

Security News -By SearchSecurity.com

Privacy Worries on Facebook? Just Wait

Carnegie Mellon University researcher Tom Mitchell says that privacy risks "on a scale that humans have never before faced" hinder real-time data analysis that could be used to solve health, traffic and human behavior problems.

Of course, privacy in an increasingly online world continues to grab headlines, the latest regarding Facebook's controversial privacy setting changes. Mobile marketers have also gotten the attention of privacy defenders.

Mitchell, head of the Machine Learning Department in CMU's School of Computer Science, says privacy will be a growing concern as data mining techniques once used largely for relatively behind-the-scenes scientific and financial analysis expand to usage related to more personal activities. Such expansion could include monitoring smartphones for the purpose of reducing traffic congestion or even giving people a heads up if they've been near someone with a contagious disease, Mitchell says (some of these uses are already happening in a limited way).

While privacy concerns are considerable, Mitchell says that technical solutions can be developed to address such concerns. For example, one way to protect data privacy is to mine data across organizations without aggregating it in one repository (separate organizations would analyze data, then encrypt the results before pooling it with others' results).

For more information on this, please see the full article. Review the privacy settings on any social networking site you use, especially after the site changes them, so you are not sharing more than you intend.

Network World -By Network World Staff

Twitter's DNS Provider Denies Hack

Hackers redirected Twitter.com's traffic to a rogue Web site for more than an hour early Friday by accessing its DNS records using an account assigned to Twitter, the company that manages Twitter's DNS (Domain Name System) servers said.

Twitter initially blamed the early-Friday hour-long blackout of its site on changes made to the company's DNS records, which act like a telephone directory to match the twitter.com domain name with the IP addresses used by its servers.

"Twitter's DNS records were temporarily compromised, but have now been fixed," the company said on its service status page at 2:30 a.m. ET. "We are looking into the underlying cause and will update with more information soon." The status page has not been revised with more information since then.

Twitter uses a New Hampshire firm, Dyn Inc., to manage its DNS records, which match Twitter's domain name (twitter.com, and numerous others) with the IP addresses of its servers.

For more information on this, please see the full article. If you entered your Twitter password on the rogue site while twitter.com was redirected, change it and notify your service desk.

Computerworld -By Gregg Keizer

Bulletins posted 12/18/2009

Lab Test Results: Symantec, Kaspersky Lab, PC Tools, AVG, Detect The Most Zero-Day Attacks

AV-Test finds detection rates of 83 to 98 percent, but rival lab says rates are actually 29 to 64 percent

Top Internet security suite products scored high when detecting zero-day attacks during a three-month period, according to new data released today from independent German lab AV-Test, with Symantec and Kaspersky Lab finding 98 and 97.5 percent, respectively.

AV-Test tested 10 zero-day threats during a three-month period on Windows XP SP3 machines running Symantec Norton Internet Security 2010, Kaspersky Internet Security 2010, PC Tools Internet Security 2010, AVG Internet Security 9.0, G Data Internet Security 2010, Panda Internet Security 2010, Avira Premium Security Suite 9.0, McAfee Internet Security 2010, CA Internet Security 2010, F-Secure Internet Security 2010, BitDefender Internet Security 2010, and Trend Micro Internet Security 2010.

AVG caught 92.2 percent of the threats, followed by G Data, 90 percent; Panda, 90 percent; Avira, 87.7 percent; McAfee, 87.2 percent; CA, 86.7 percent; F-Secure, 85.8 percent; BitDefender, 84.3 percent; and Trend Micro, 83.3 percent.

"The majority of the products are performing 97 to 99.9 percent in large on-demand scanner tests. The products are often tested against millions of old samples which have not been seen spreading or distributing during the past few months. However, when ... current, zero-day [samples] are used ... the products show very different results," says Andreas Marx, CEO of AV-Test. "These results reflect the product capabilities in a much better way, as they simulate what the user would see in a real-world infection scenario. The results differ a lot now, and no product scored 99.9 percent anymore."

But Rick Moy, president of NSS Labs, another independent test lab, says the recent AV-Test numbers are inflated. "There's no way AV products are catching 98 percent of attacks," he says. "This seems counter to the [results of the] real-world testing we do."

Moy says a more realistic rate of zero-day detection for an AV product would be 29 to 64 percent, which is the range his lab got in its recent tests of AV products. And vendors tell him off the record that they typically can catch about 40 to 45 percent of zero-day attacks, Moy says.

For more information on this, please see the full article. Make sure that you always keep your antivirus software current and up to date to avoid any problems down the line.

DarkReading -By Kelly Jackson Higgins

Internal Twitter Credentials Used in DNS Hack, Redirect

Twitter’s website went offline for about an hour Thursday, with many tweeters redirected to a defacement page boasting “This site has been hacked by Iranian Cyber Army.”

Twitter acknowledged the 10 p.m. takeover, one in a series of security lapses to hit the popular microblogging service. Twitter said its DNS records “were temporarily compromised.”

Tom Daly, the chief technology officer at Dyn, a New Hampshire-based DNS company that services Twitter, blamed the redirect on Twitter. He said somebody using a “set of valid Twitter credentials” redirected the site.

“From our perspective, it was a perfectly valid username and password combination that was logged in with,” Daly said in a telephone interview. “The only credentials that were compromised were Twitter’s.”

Daly declined to identify the name of the Twitter employee whose account was breached.

Among other statements, the unknown group wrote this on the redirected site:

“U.S.A. Think They Controlling And Managing Internet By Their Access, But They Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….”

The hijacking came nearly six months after the microblogging service, with some 20 million users, helped Iranian protesters protest the presidential election results. In a bid to help the protesters, the Obama administration convinced Twitter to delay scheduled June maintenance that would have tentatively taken Twitter offline.

For more information on this, please see the full article. If you entered your Twitter password on the defacement page while twitter.com was redirected, change it and notify your service desk.

www.wired.com -By David Kravets

Mozilla Rolls out Latest Firefox Beta

The Mozilla development community has rolled out the latest beta of its Firefox 3.6 browser.

In addition to the usual round of bug fixes, Firefox 3.6 beta version 5 comes with a number of new features and performance enhancements. The browser offers the ability for users to easily reskin the browser with a new visual theme. The new version can also run scripts asynchronously, which should speed load times of pages that have multiple scripts.

The new release also aims to appease cutting-edge developers, with support for various new standards. It supports an HTML 5-based application programming interface that provides a standardized way for Web applications to ask a user to select files from the user's machine. Through a CSS (Cascading Style Sheets) specification, it allows multiple backgrounds to be overlaid on one another. It also supports the Web Open Font Format, a compressed file format for fonts.

Firefox 3.6, code-named "Namoroka," is based on the Gecko 1.9.2 layout engine. Over 70 percent of the Firefox third-party add-ons have been upgraded to work with 3.6, Mozilla officials report.

While Firefox 3.5.6 is the current recommended version for day-to-day use, users interested in testing the beta can download it from the Mozilla site. Those who already have the Firefox 3.6 beta should have the next version automatically downloaded and installed shortly.

For more information on this, or to get a link to the beta, please see the full article.

PC World -By Joab Jackson

Researcher Cures Poisoned BlackBerry With Kisses

A security researcher in Asia has braved Internet worms and poisoned applets to rid BlackBerry smartphones of spyware with Kisses, a free software application.

Kisses detects spyware and hidden programs on BlackBerry devices to show users exactly what's going on inside their mobile phone. Why use it? Because spyware can be purchased by anyone from vendors such as FlexiSPY and Retina-X Studios.

For US$50, just about anyone can travel with you and your mobile phone and listen to your conversations, read your texts and even track your location via GPS (global positioning system). The tricky part is installation. Someone (your boss, spouse, a business rival or a thief) needs physical access to your handset to plant spyware from these vendors, one reason password protection is so important. It hurts that spyware vendors offer tricks-of-the-trade advice, including the simple act of giving you a new smartphone, with their spyware inside, as a gift. Makes you wonder if Santa was generous with the new iPhone this year or just really wants to know if you've been naughty or nice.

This is where Sheran Gunasekera comes to the rescue with Kisses. The software detects and removes FlexiSPY and Mobile Spy software on BlackBerry devices. It may not necessarily be able to remove all available spyware (there's a lot) but it will at least show you any hidden applications so you can seek help.

For more information on this, please see the full article.

PC World -By Dan Nystedt

Bulletins posted 12/17/2009

Mozilla closes critical bugs with Firefox 3.5.6

Mozilla on Tuesday issued an updated version of its Firefox web browser to fix several vulnerabilities.

Firefox 3.5.6 closes a number of “critical” flaws, which could allow an attacker to crash a victim's browser or run arbitrary code on an affected computer. This is the first time Firefox has been updated for security since late October.

Of the seven security bulletins released by Mozilla as part of the update, one listed as critical addresses several stability bugs in the browser engine used in Firefox that could cause a crash.

“Some of these crashes showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some of these could be exploited to run arbitrary code,” Mozilla said in its bulletin.

For more information on this, please see the full article. We recommend updating Firefox as soon as possible if you are running it.

SC Magazine -By Angela Moscaritolo

Adobe confirms Reader flaw, advises on workarounds

Adobe has confirmed a zero-day vulnerability in its Reader and Acrobat software and plans to release a patch on Jan. 12 for the dangerous bug.

According to an advisory issued late Tuesday, the vulnerability impacts version 9.2 and earlier for Windows, Mac and UNIX platforms. A successful exploit can allow an attacker to crash or take control of a targeted system.

As users await an updated version of the popular PDF products, the company recommended IT administrators use the JavaScript Blacklist Framework, which offers granular control over the execution of specific JavaScript API calls. Individual users, meanwhile, can simply opt to disable JavaScript in Reader and Acrobat by unchecking the "Enable Acrobat JavaScript" option.

In addition, customers can leverage Data Execution Prevention (DEP), a Windows security feature that prevents an application from executing code in certain memory regions. DEP is present in Windows Vista and Windows 7 and has been available on Windows XP since Service Pack 2.

For more information on this, please see the full article. If you have Adobe Reader installed on your computer, you should apply the workarounds listed above and be sure to install the patch when it comes out.

SC Magazine -By Dan Kaplan

Bulletins posted 12/16/2009

RockYou password snafu exposes webmail accounts

Millions of user passwords to social networking sites have been exposed, after a serious SQL injection flaw on the Rockyou.com website left login details - stored in plain text - up for grabs.

RockYou - which develops apps for social networking sites including Facebook, Bebo and MySpace - stored usernames, passwords and email addresses in plain text. That's bad enough in itself, but then an SQL injection flaw on RockYou's website exposed the information to prying eyes.

Amichai Shulman, chief technology officer with the data security firm Imperva, said the passwords exposed will often be the same as those users utilise for webmail accounts associated with their social networking profiles, creating yet more potential problems.

"The bad news is that the SQL injection flaw could have allowed hackers to access the 32 million entries of user names plus passwords in the Rockyou.com database... since the user names and passwords are by default the same as the user's webmail account — such as Hotmail, Yahoo or Gmail — this is a major lapse in security," Shulman said.

"The vast majority of subscribers to Rockyou.com are using the same credentials on the site as their regular Web email service. The users are young and security is not top of their minds, but nonetheless companies need to keep them protected and ensure their details are safe. With the popularity of web 2.0 tools, companies may focus more on becoming successful quickly at the expense of security," he added.
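The two failures in the RockYou story, a string-built SQL query and passwords stored as entered, are easy to reproduce side by side. The following Python is an added illustration, not code from RockYou, The Register or Imperva: it uses an in-memory SQLite table with constructed sample accounts and a hypothetical schema, shows a textbook injection payload dumping every row from the string-built query, the same payload failing against a parameterized query, and salted PBKDF2 hashes in place of plaintext so that a leaked table no longer hands out reusable webmail passwords.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the table layout is a hypothetical one for the
# demonstration, not RockYou's real schema.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
]

# Textbook injection string; generic, not taken from the RockYou incident.
INJECTION = "' OR '1'='1"


def setup_plaintext_db():
    """Storage in the style the article describes: the password as typed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_vulnerable(db, email, password):
    """String-built query: user input becomes part of the SQL syntax."""
    sql = ("SELECT email FROM users WHERE email = '%s' AND password = '%s'"
           % (email, password))
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, email, password):
    """Bound parameters: input is data only and cannot reshape the query."""
    sql = "SELECT email FROM users WHERE email = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (email, password))]


def hash_password(password, salt=None, iterations=50_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string carries salt and cost."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s$%d$%s" % (salt.hex(), iterations, digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def setup_hashed_db():
    """Same accounts, but a breach of this table exposes no reusable passwords."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(e, hash_password(p)) for e, p in SAMPLE_USERS])
    return db


def login_hashed(db, email, password):
    row = db.execute("SELECT pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    return row is not None and verify_password(password, row[0])


if __name__ == "__main__":
    db = setup_plaintext_db()
    print("injection against string-built query:",
          login_vulnerable(db, INJECTION, INJECTION))
    print("same payload against bound parameters:",
          login_parameterized(db, INJECTION, INJECTION))
```

Against the string-built query the payload turns the WHERE clause into `email = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row; the parameterized version receives the same string as a literal and matches nothing. Hashing does not stop the injection itself, but it changes what an injection yields: per-user salted digests instead of the webmail passwords Shulman is worried about.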

For more information on this, please see the full article.

www.theregister.co -By John Leyden

Attacks spread malware with help from AppleInsider

Malware purveyors are exploiting web vulnerabilities in appleinsider.com, lawyer.com, news.com.au and a dozen other sites to foist rogue anti-virus on unsuspecting netizens.

The ongoing attacks are notable because they use exploits based on XSS, or cross-site scripting, to hide malware links inside the URLs of trusted sites. That's something application security expert Mike Geide doesn't see often. As a result, people who expect to visit sites they know and trust are connected to a page that tries to trick them into thinking their computer is infected.

"What's interesting ... is the fact that it's embedding iframes to redirect people," Geide, who is a senior security researcher at Zscaler, told The Register. "Typically, cross-site scripting is just that - it embeds script tags so it will embed javascript to run."

The last chunk of text is hexadecimal-encoded HTML that redirects users to ask5 .eu (a space has been added for your protection). A series of redirect links ultimately leads to a site that looks similar to a Microsoft Windows screen with a popup claiming the PC is overrun with malware. The user is prompted to download rogue anti-virus to fix the imaginary problem.

While it's not the most convincing attack we've ever seen, there's nothing to stop attackers from using the same technique to push web-based exploits, say the Adobe Reader zero-day attack that's now circulating in the wild.

The links work because appleinsider.com and the rest of the sites being abused fail to filter out harmful characters used in XSS attacks.
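An added Python example (not from The Register or Zscaler) of the mechanism described above: a search parameter whose value is fully percent-encoded so the iframe is not readable in the raw URL, a page handler that reflects the decoded value into HTML, the same handler with output escaping, and a small log-review check that flags decoded query values carrying markup. The host trusted.example, the parameter q and the destination attacker.invalid are placeholders, not the sites named in the article.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed attack: a hidden iframe, hex (percent) encoded byte by byte so the
# URL of the trusted site carries it without showing an obvious '<iframe' string.
PAYLOAD_HTML = ('<iframe src="http://attacker.invalid/fake-av" '
                'style="display:none"></iframe>')
ENCODED = "".join("%%%02X" % b for b in PAYLOAD_HTML.encode())
ATTACK_URL = "http://trusted.example/search?q=" + ENCODED  # hypothetical page


def query_param(url, name):
    """Return the decoded value of one query parameter (parse_qs percent-decodes)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(search_term):
    """Reflects the decoded parameter into the page; the browser treats it as markup."""
    return "<h1>Results for %s</h1>" % search_term


def render_hardened(search_term):
    """HTML-escapes before reflection: <, >, &, quotes become entities, so text only."""
    return "<h1>Results for %s</h1>" % html.escape(search_term, quote=True)


def contains_injected_tag(page, tag="iframe"):
    """True if a real opening tag (not an entity-escaped one) survives in the output."""
    return ("<" + tag) in page.lower()


def suspicious_params(url):
    """Log-review helper: parameters whose decoded value carries markup or a script URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k, vals in qs.items()
                  if any("<" in v or "javascript:" in v.lower() for v in vals))


if __name__ == "__main__":
    term = query_param(ATTACK_URL, "q")
    print("raw URL shows:", ATTACK_URL[:60] + "...")
    print("vulnerable page:", render_vulnerable(term))
    print("hardened page:  ", render_hardened(term))
    print("flagged params: ", suspicious_params(ATTACK_URL))
```

The point of the encoding is that a filter looking for literal `<` or `script` in the URL never sees them; the server decodes the parameter and then reflects it. Escaping at output time, in the HTML context where the value lands, is what the abused sites were missing. The `suspicious_params` check works on decoded values for the same reason and is only a coarse first pass over web logs, not a substitute for fixing the reflection.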

For more information on this, please see the full article.

www.theregister.co -By Dan Goodin

DKOM Opens Door to Malware Rootkits

Much malware comes with a kernel rootkit component. Subverting the Windows kernel is indeed the best way to conceal malicious activities on infected systems.

To achieve this, many types of malware load malicious device drivers that enjoy full access to all kernel objects. However, this technique is somewhat noisy, and loading a new driver is not really stealthy.

At McAfee Labs we recently ran across a W32/IRCBot.gen.ac sample that uses Direct Kernel Object Manipulation (DKOM) to hide itself without loading a new driver. This technique seems impossible at first sight because modifying kernel memory pages from userland is not allowed. However, W32/IRCBot.gen.ac takes advantage of an undocumented function exported by ntdll.dll that provides debugging functionalities at the kernel level.

NtSystemDebugControl(), despite being undocumented, has been known for many years. It provides simple functions such as reading from and writing to any location within the kernel memory. And this is exactly what a piece of malware needs to manipulate kernel objects.

W32/IRCBot.gen.ac starts by checking what version of Windows it’s running on. This technique won’t work under Windows Vista or Windows 7. If the infected machine is not running Windows XP, W32/IRCBot.gen.ac gives up and doesn’t try to hide itself.

Accessing kernel memory from userland is really bad, but it appears this hole has been plugged in later versions of Windows. Using this method of calling NtSystemDebugControl() to access kernel memory is not trivial, and we don't expect this technique to be used widely. That is a good thing because, according to Artemis, Windows XP is still the most widely deployed operating system in corporate environments, as my colleagues Igor Muttik and Dmitry Gryaznov, together with Joel Yonts of Advanced Auto Parts, demonstrated during McAfee's Focus 09 conference.

Nevertheless, I offer another reminder that the bad guys never hesitate to exploit any feature, whether documented or not, as long as they can gain control over innocent machines.

For more information on this or to see a list of rootkits or screen shots, please see the full article.

www.avertlabs.com -By Romain Levy

Google Doodle poisoned by scareware slingers

Scareware slingers have begun hiding links to rogue anti-virus sites behind Google Doodle.

The development leaves surfers who click on Google's picture of the day at risk of being exposed to sites that run fake security scans before strong-arming users into buying worthless software to clean up non-existent security risks.

Scammers have been manipulating the search engine ranking of terms in the news to promote scamware portals for months. In the latest twist to this wheeze, fraudsters poisoned the sites offered up to surfers who clicked on Google's front-page Doodle sketch, dedicated to the 150th anniversary of birth of the creator of the Esperanto language, L. L. Zamenhof, on Tuesday.

The latest variant of earlier black hat search engine optimisation techniques resulted in links to hacked pages on legitimate websites, including a hair salon in New Jersey and a science fiction site. Users visiting these sites via Google (and only via Google) are redirected towards scareware scam portals.

Tainted results appeared among the top five to 10 search results for people who clicked on the Google doodle link on Tuesday, according to security researchers at Barracuda Networks. "Poisoning as a trend is nothing new, but in this particular case, it's a search where you actually click on Google's logo and you get results back from sites where half of the links have been compromised," Dave Michmerhuizen, a research scientist at Barracuda Networks, told MacWorld.

Google, which stated other search engines are also targeted by black hat search engine optimisation techniques, said most of the tainted links were quickly removed from its index. Google uses a combination of continuously-refined automated and manual processes to clean-up its index, a spokesman for the search engine giant added.

Google and security researchers are in a continuous battle against distributors of rogue anti-virus scanners, one of the most prevalent information security threats contaminating the internet at present. FBI estimates out this week suggest that the scareware market brought in $150m in illicit income over an unspecified period.

For more information on this or screen shots, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

www.theregister.co -By John Leyden

Firefox, Opera, Safari browsers top list of high risk software

Mozilla Firefox, Apple Safari and the Opera browser appear in an annual list documenting highly used, high risk software as a result of serious vulnerabilities discovered in the browsers this year.

The browsers appear on a list of 11 applications deemed a high risk to enterprises. Mozilla Firefox had 44 vulnerabilities reported in 2009, some of which could cause a denial of service (DoS) and enable attackers to gain access to and control a victim's machine. By contrast, Apple Safari had six serious vulnerabilities reported, including flaws that enable man-in-the-middle attacks, remote code execution and denial-of-service attacks. Opera had only two vulnerabilities reported, but they were serious enough -- allowing remote code execution if the browser attempts to process a malicious JPEG image -- to warrant its standing on the list.

In addition to Firefox, Safari and Opera, Bit9's risky software list includes Adobe Systems' Flash and Macromedia players, Acrobat and Reader PDF software, Sun Java Runtime Environment, Apple's QuickTime, RealNetworks' RealPlayer and Cerulean Studios' Trillian instant messenger client.

"We're not listing out the worst offenders, but the top applications that we think people should be concerned about," said Tom Murphy, chief strategy officer at Bit9.

Security experts have been trying to turn attention onto end-user applications, which are commonly targeted by attackers to gain a foothold into enterprise systems. The SANS Institute released a report in September citing vulnerabilities in Web-facing end user applications as a major threat. The report used data from TippingPoint's intrusion prevention systems and Qualys Inc.'s vulnerability data to lay out the increasing threat posed by the poor patching of client-side applications. The report found that two attack vectors -- client-side vulnerabilities and Web application flaws -- are often coupled together.

All the applications on the Bit9 list run on Microsoft Windows, are well known in the consumer space and are frequently downloaded by individuals. The software must have contained at least one critical vulnerability listed in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database.

Murphy said the applications pose an additional risk to enterprises because they rely on the end user to manually patch or upgrade the software to eliminate a vulnerability. Microsoft's Internet Explorer browser does not make the list because it can be centrally updated by IT administrators using tools provided by Microsoft.

Despite the move by vendors to improve patching times through the deployment of more automated updates (Firefox and Java have such methods), they still rely on some end user interaction and keep IT out of the process, Murphy said. Other software makers, Google for example, use a silent auto update that pushes out patches even faster to users.

"There are a lot of self-updating applications but it's at the expense of the end user to make that happen," Murphy said. "We're targeting this list not so much at the end user but for IT so they know what applications are running in their environment that need to be patched and that they don't have full control over."

Other applications that made the list in the past are either being targeted less by attackers or are not the focus of security researchers. The popular VoIP application Skype was dropped from the list in 2009 since no vulnerabilities were reported in the NIST database. Two antivirus products, Symantec's Norton Antivirus software and Trend Micro's OfficeScan, also didn't make the list this year.

"The list has been getting shorter as the applications are getting maintained a little better by the vendors and they're more mature as well," Murphy said.

For more information on this list, please see the full article.

SearchSecurity.com -By Robert Westervelt

Bulletins posted 12/15/2009

Hackers Brew Self-Destruct Code to Counter Police Forensics

Hackers have released an application designed to thwart a Microsoft-packaged forensic toolkit used by law enforcement agencies to examine a suspect’s hard drive during a raid.

The hacker tool, dubbed DECAF, is designed to counteract the Computer Online Forensic Evidence Extractor, aka COFEE. The latter is a suite of 150 bundled, off-the-shelf forensic tools that run from a script. Microsoft combined the programs into a portable tool that can be used by law enforcement agents in the field before they bring a computer back to their forensic lab. The script runs on a USB stick that agents plug into the machine.

The tools scan files and gather information about activities performed on the machine, such as where the user surfed on the internet or what files were downloaded.

Someone submitted the COFEE suite to the whistleblower site Cryptome last month, prompting Microsoft lawyers to issue a take-down notice to the site. The tool was also being distributed through the BitTorrent file sharing network.

This week two unnamed hackers released DECAF, an application that monitors a computer for any signs that COFEE is operating on the machine.

According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks.

For more information on this, please see the full article.

www.wired.com -By Kim Zetter

Adobe Reader Under Zero-Day Attack

Symantec yesterday confirmed that a new zero-day vulnerability (meaning there is not yet any patch available to fix the flaw) in both Adobe Acrobat and Reader is under active assault.

An Adobe post says the company is currently investigating. Per Symantec, the current attacks install a Trojan named Trojan.Pidief.H. The infection rate is "extremely limited," according to Symantec, and its risk assessment level is very low, which suggests the threat is for now restricted to targeted attacks.

Combining a targeted attack with a zero-day vulnerability can deliver a one-two knock-out punch. A targeted attack against a specific company or person is usually personalized, often with the recipient's real name, and better crafted than the usual mistake-ridden scam e-mail. So the e-mail stands a much better chance of evading a person's natural suspicions.

Then, if you're successfully tricked into opening an e-mail attachment that delivers a zero-day attack, it's guaranteed to find the software hole it goes after, as long as the relevant software is installed. Potential victims can only hope their antivirus product detects the attack, but security software typically has a much lower detection rate for small-scale targeted attacks.

The only good thing about targeted attacks is that there aren't many of them, compared to the slew of non-personalized attacks and scams. But be extra wary of e-mailed .pdf files all the same, and keep an eye out for a patch from Adobe. You can also upload any .pdf (or other file) to Virustotal.com for a second-opinion malware scan, but again, many antivirus programs will miss new targeted attacks.

For more information on this, please see the full article.

PC World -By Erik Larkin

Hackers are defeating tough authentication, Gartner warns

Security measures such as one-time passwords and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud, a new report from research firm Gartner Inc. warns.

Increasingly, such measures are overwhelmed by online criminals looking to pillage bank accounts using valid login credentials stolen from customers, the report said.

Going forward, banks need to quickly implement additional layers of security to protect their customers from falling victim to online fraud, said Avivah Litan, Gartner analyst and the report's author.

Gartner's warning comes amid a sharp uptick in fraud involving the exploitation of valid online banking credentials. In August, NACHA, the Electronic Payments Association, issued an alert warning members about attacks involving the theft of online banking credentials, such as usernames and passwords, mostly from small- and medium-size businesses. Cybercriminals used the stolen credentials to take over corporate accounts and initiate unauthorized transfers of funds via electronic payment networks, NACHA said in its warning. NACHA, with more than 11,000 financial institutions as members, oversees the Automated Clearing House (ACH) electronic payments network.

For more information on this, please see the full article.

Computerworld -By Jaikumar Vijayan

Bulletins posted 12/14/2009

Social network searches could be a hacker's dream

The race to include up-to-the-minute postings from popular social networks atop search results from Google, Microsoft Bing and Yahoo Search should trigger a boon — for spammers and cybercriminals.

That's the consensus of search and tech security experts following Google's announcement that it has now matched Microsoft's and Yahoo's recent moves to integrate Twitter micro-blog entries prominently in search results. The Big Three search services are also moving to incorporate Facebook postings into search results in near real-time.

Meanwhile, spammers and hackers are out in force. Spam accounts for 88% of all e-mails, and the number of newly compromised websites detected and blocked by Symantec's MessageLabs division averaged 2,465 per day this year, up nearly 8% from 2,290 in 2008.

Links to corrupted websites continue to turn up in search results. And spam messages and infectious postings continue to infest social networks. Combining the two seems likely to tilt the advantage to the bad guys. "This is just going to amplify the bad effects and make it easier for spammers and hackers to get their stuff to the top of search results," says Michael Greene, security analyst at PC Tools.

Google uses "automated and manual processes" to weed out malicious links, and warns users when a website appears to be compromised, says spokesman Nate Tyler. Spokesmen for Microsoft and Yahoo said they, too, take great pains to deliver safe results. "We will continue to improve and refine these systems," says Google's Tyler.

Yet anyone can now post a Twitter message on a hot topic, say, "Copenhagen." In less than a minute, a reference to that tweet will appear as part of the results for anyone Googling "Copenhagen." It's simple to attach spam or a link to a corrupted website, says Danny Sullivan, editor in chief of SearchEngineLand.com. Tainted posts moving quickly and intermittently into search results could be very hard to filter. "It's an entirely new cat-and-mouse game," says Sullivan.

For more information on this, please see the full article.

USA TODAY -By Byron Acohido

Fake Microsoft Endorsement Fuels Scareware

A new scareware package tries to sell bogus antivirus software to its victims using an apparent endorsement of the software by Microsoft

A variant of the infection that urges users to buy DefenceLab antivirus software now also directs them to a Microsoft support page where a display describes a new threat and recommends using DefenceLab antivirus to clear it and protect against it.

The problem reportedly does go away, but experts say that doesn't mean the virus that created it is removed and won't cause more problems later.

The criminals behind the malware also poison Google search results so when victims search for ways to remove the malware, sites for buying the bogus antivirus software come up first.

For more information on this, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

Network World -By Tim Greene

Facebook Still a Hotbed of Identity Theft, Study Claims

IT security firm Sophos has announced its latest probe into how easy it is to steal identities via Facebook and found that user negligence is worse in 2009.

"We assumed things would be better in 2009 but the situation is worse. This really is a wake-up call," said Paul Ducklin, head of technology, Sophos Asia-Pacific (Sydney).

Ducklin, who led the Facebook probe, said they created two fictitious users with names based on anagrams of the words "false identity" and "stolen identity." He said 21-year-old "Daisy Felettin" was represented by a picture of a toy rubber duck bought at a US $2 shop; 56-year-old "Dinette Stonily" posted a profile picture of two cats lying on a rug. Each sent out 100 friend requests to randomly-chosen Facebook users in their age group.

Within two weeks, a total of 95 strangers chose to become friends with Daisy or Dinette -- an even higher response rate than when Sophos first performed the experiment two years ago with a plastic frog. Worse still, Ducklin said, in the latest study eight Facebookers befriended Dinette without even being asked.

Ducklin said 89% of the 20-somethings and 57% of the 50-somethings who befriended Daisy and Dinette also gave away their full date of birth.

"Nearly all the others suppressed their year of birth, but this is often easy to calculate or to guess from other information given out," he said, adding that even worse, just under half of the 20-ish crowd, and just under a third of the 50-ish crowd, gave away personal information about their friends and family.

For more information on this, please see the full article. If you have given your information to someone who has befriended you on any kind of social networking site, notify your service desk immediately and change your passwords.

Computerworld Philippines -By Tom S. Noda

Adobe Flash's security woes: How to protect yourself

Adobe’s Flash Player software is on 99 percent of Internet-connected desktops, offering up multimedia and video capabilities on a multitude of popular Web sites such as YouTube. But the Adobe Flash platform has been beset by a rash of security problems that give intruders potential access to computers running the software.

Issues have included one recent vulnerability described as “frighteningly bad” by a security expert. Technologists, however, disagree on the severity of Flash’s weaknesses. Some say Flash is merely a victim of its own success, attracting attention from those with bad intentions but being no worse off than other software platforms when it comes to its inherent security. An alternate opinion is that Adobe simply lacks tight security practices in its internal development procedure and so has become a preferred vector for cyberthieves.

Adobe, says Foreground CIO Mike Murray, suffers from immaturity in its software development processes: “Adobe is just big enough that its issues [are starting] to impact the whole Internet.”

“They haven’t yet developed the security discipline around their software,” although that is changing, he says. He contends that Adobe is only now coming to grips with the fact that its software’s popularity means it needs to be more security-conscious in development practices, noting that Microsoft had to come to the same realization several years back, which resulted in its Security Development Lifecycle processes.

As an example of Adobe’s security naivete, Foreground reported a nuanced issue in which hackers could exploit the Flash and ActionScript same-origin policy for domains, which limits code execution to the domain from which it originated. Through Flash, attackers could disguise malicious code, upload the code to a site, and enable it to steal a password or cause other problems, Murray says.

“[Adobe] could fix it if they changed the same-domain origin policy to be more restrictive, but many sites rely on the laxness of that policy,” Murray says. Thus, a fix could cause incompatibilities on Web sites.

For more information on how Adobe has been working on fixes, or to see a list of the problems it has had, please see the full article. If you have not patched your Adobe software, it would be a good idea to do so now; if you suspect your computer has been compromised, notify your service desk immediately and change your passwords.

InfoWorld -By Paul Krill

Bulletins posted 12/11/2009

Choosing Email Security Services? Watch Your Step

When it comes to choosing email security services, there are some basic elements to look for -- and some basic elements to avoid. Let's take a look at each.

First, virtually all of these services run at least one (and usually more than one) traditional signature-based antivirus product. Of course, that's a bit of a misnomer -- no modern AV product operates solely on signatures. Even though traditional AV systems are no longer in vogue and are ultimately playing a losing game, they still do a lot of heavy lifting, providing protection from malicious attachments.

Second, every vendor has some form of IP reputation technology. IP reputation is a mature security measure, though new twists have sprung up around it. Blacklists for bad-acting mail servers have been around for more than a decade, though IP reputation with smarter updates and larger pools of monitored traffic raise the stakes beyond just a simple "Has this host sent spam in the last X hours?" check.

Finally, ever since spam has been a problem, spam-blocking software has been steadily learning how to identify it. Drawing from machine-learning, Bayesian inference, and fuzzy fingerprinting, a wide variety of related algorithms are churning through the massive amount of e-mail sent daily to try and predict what's bad before spam hits your network.

Encrypting e-mail can mean different things to different vendors, and it's important to know what's being offered. First, forced TLS (transport layer security) encryption is, technically, encryption for e-mail. That said, it encrypts only one mail-server-to-mail-server connection.

The receiving mail server may be simply turning around and sending e-mail elsewhere on an unencrypted link. This feature will be attractive to companies interested in only a perfunctory level of compliance with e-mail encryption requirements. State privacy laws may be a motivator here. After all, once a message leaves your mail server, the thinking goes, it's not your fault if the receiving mail server mishandles the e-mail, right?

The proper solution -- and one that is increasingly becoming a popular add-on service from many vendors -- is to automatically encrypt the message content or attachment using a standard encryption engine, and rely on some other out-of-band method for transmitting key information.

While this can have a significant impact on usability, it does guarantee that e-mail leaving your organization won't be easily sniffed somewhere along the way.

For more information on this, please see the full article.

DarkReading -By Jordan Wiens

Bugs & Fixes: Safe Boot fixes iWork and iWeb crashes

A new Apple Knowledge Base article confirms that iWork software (Pages, Keynote, and Numbers)—as well as iLife’s iWeb ’09—may crash when running under Mac OS X 10.6.2. Or, as Apple puts it, the applications may “unexpectedly quit.”

The fix is easy: Just do a Safe Boot (or again, as Apple also phrases it, “Startup your Mac in Safe Mode”). To do this, start up your Mac while holding down the Shift key. When done, restart again as normal. That’s it.

If you are only casually familiar with a Safe Boot, you may be surprised to learn that this procedure will fix the iWork/iWeb problem. The main purpose of a Safe Boot is to allow your Mac to start up at times when a normal startup results in a crash. It accomplishes this feat by preventing certain software from loading during startup. For example, only “required kernel extensions” will load. Hopefully, by enforcing these restrictions, the startup crash is avoided and your Mac successfully boots. At this point, you can make whatever changes are needed to prevent the crash from returning when you next boot normally.

A Safe Boot, however, does even more—automatically performing a series of tasks that may, all by themselves, fix problems unrelated to startup crashes. One of these tasks is to move font cache files to the Trash, forcing the creation of new copies. This, as it turns out, is the critical action needed to fix the iWork/iWeb crashes.

Apple notes one final step you may need to do after rebooting normally: “If you use Font Book to manage your fonts, you will need to open Font Book” after restarting again following the Safe Boot. This restores Font Book library information. However, “the state of whether fonts are active or disabled will be lost. You will need to correct this manually.”

For more information on how to try this yourself, please see the full article.

Macworld -By Ted Landau

After Criticism, Facebook Tweaks Friends List Privacy Options

Facebook's new privacy controls remain a work in progress a full 24 hours after release and months after they were announced.

Responding to criticism over making its users' Friends Lists public, Facebook is rolling out a new option that allows users to protect their Friends List from viewing or searching.

When Facebook began rolling out its new privacy platform, users began noticing that their Friends List had become public and could not be hidden. The list includes the identities of everyone the user has "Friended" and some users don't want the information made public.

Businesses and their users should exercise special caution because of the relationships--both business and personal--that may be revealed through a user's Friend list. These could be mined by competitors or in some cases used to develop competitive intelligence about a target company.

For more information on how to try this yourself, please see the full article.

PCWorld -By David Coursey

Bulletins posted 12/10/2009

Zeus bot found using Amazon's EC2 as C&C server

Add Amazon's EC2 to the roster of cloud-based services being exploited to do the bidding of malware gangs

Over the past few days, a new variant of the Zeus banking trojan has been spotted using the popular Amazon service as a command and control channel for infected machines. After marks get tricked into installing the password-logging malware, their machines begin reporting to EC2 for new instructions and updates, according to researchers from CA's internet security business unit.

Over the past few months, accounts on Twitter, Google's app engine, and Facebook have also been transformed into master control channels for machines under the spell of surreptitious malware. In addition to their high availability and low cost, the sites are attractive because they don't set off alarms when infected machines are observed connecting to them.

While it's relatively easy to block channels located in China or based on internet relay chat, blacklisting some of the world's most popular online destinations is another matter completely.
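Because the destination in this case is a service you cannot reasonably block, detection has to rest on how the infected host behaves rather than on where it connects. The script below is an added example, not from The Register article or from CA's research: it reads proxy log lines, groups connections by client and destination, and flags pairs whose connection timing is nearly periodic, which is what a bot polling for instructions looks like and what a person browsing the same service does not. The log lines, addresses and the EC2-style host name are constructed for the demonstration.

```python
"""Flag hosts that connect to a destination at near-constant intervals.

Added example, not from the bulletin. When a C&C channel lives on a
popular cloud service, blocklisting the destination is not an option, so
the signal has to come from the client's behaviour: a bot polling for
updates produces regularly spaced connections, a human does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client ip> <destination host>".
# 10.0.0.7 polls every ~300 s (bot-like); 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
2009-12-10T08:00:00 10.0.0.7 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:01:12 10.0.0.9 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:05:00 10.0.0.7 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:10:01 10.0.0.7 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:14:59 10.0.0.7 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:17:30 10.0.0.9 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:20:00 10.0.0.7 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:25:00 10.0.0.7 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:43:05 10.0.0.9 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T08:44:10 10.0.0.9 ec2-203-0-113-5.compute-1.amazonaws.com
2009-12-10T09:30:00 10.0.0.9 ec2-203-0-113-5.compute-1.amazonaws.com
"""


def parse_log(text):
    """Yield (timestamp, client, destination) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        yield datetime.fromisoformat(ts), client, dest


def find_beacons(text, min_connections=5, max_jitter=0.10):
    """Return {(client, dest): mean_gap_seconds} for regular pollers.

    A pair is reported when it has at least `min_connections` connections
    and the standard deviation of the gaps between them is at most
    `max_jitter` times the mean gap, i.e. the timing is nearly periodic.
    Both thresholds are tuning knobs; the values here are for the sample.
    """
    times = defaultdict(list)
    for ts, client, dest in parse_log(text):
        times[(client, dest)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (client, dest), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {dest} every ~{interval:.0f}s")
```

In production the same grouping would run over a day's worth of proxy or DNS logs, and the jitter threshold would be loosened somewhat, since real malware often randomizes its sleep; the point the example makes is that the regularity of the client, not the reputation of the destination, is what separates the infected machine from the legitimate users of the same cloud service.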

According to analysis from Zero Day blogger Dancho Danchev, the cybercriminals behind Zeus appear to have plugged into Amazon's Relational Database Service as a backend alternative in case they lose access to their original domain.

DeBolt said the EC2 channel was disconnected after it was brought to the attention of Amazon officials. People who want to report future abuse of cloud-based services offered by the online retailer can use this link. An Amazon spokeswoman didn't respond to an email requesting comment.

For more information on this, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

The Register -By Dan Goodin

Attackers hone Twitterific exploit-site concealer

Malware writers have revamped code that uses a popular Twitter command to generate hard-to-predict domain names, a technique that brings stealth to their drive-by exploits.

Four weeks ago, when The Register reported Twitter application programming interfaces were being used to generate pseudorandom domain names, none of the addresses checked had actually been registered. Denis Sinegubko, the Russian researcher who discovered the technique, speculates the creators abandoned it because it was buggy and required too much effort.

Now, Sinegubko has identified a new version of the algorithm that refines the process. What's more, at least some of the names are now being registered and the sites are being used to push malware.

The technique gives the exploit writers a limitless list of fly-by-night domain names to cycle through in an attempt to complicate the job of white hat hackers trying to thwart the attack. Rather than there being a single address to block or disconnect, the site hosting the malware changes every 12 hours.

The technique was discovered by analyzing thousands of legitimate websites that had been compromised so they redirected visitors to malicious servers. Sinegubko identified the algorithm by reverse engineering highly obfuscated JavaScript that was injected into the compromised websites. As the addresses of the sites hosting the malware change, so too do the iframes on the compromised sites.

Sinegubko has created a tool to predict what the next domain will be. There's about a 24-hour lag between the time his script generates the domain name and the time it will be used (assuming the prediction is correct) to host the malware. That gives admins plenty of leeway to block the sites before they become active. It also presents fleet-footed white hats with the opportunity to register domain names ahead of the bad guys.

For more information on this, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

The Register -By Dan Goodin

Open source bugs fixed quicker than commercial software

Open-source code is more prone to severe flaws than commercial software, but bugs get fixed more quickly, according to revealing new research from application security firm Veracode.

V3.co.uk gained exclusive early access to the vendor's Open Source Ratings Database project, a centralised repository of open source security ratings which includes analysis of around 100 popular enterprise applications including Firefox, Apache, MySQL and JBoss.

The latest findings from the project rated just 24 per cent of open-source software as meeting an "acceptable level of security", and commercial software marginally worse with 23 per cent.

The stats also revealed that 23 per cent of open-source and just five per cent of commercial software contained at least one high severity flaw.

Security issues in open-source software typically take less than a week to remediate and report on, or three man hours of effort, according to the research.

For more information on this, please see the full article.

V3.co.uk -By Phil Muncaster

Facebook's New Privacy Settings: 5 Things You Should Know

Facebook has begun rolling out its new privacy settings to all of its 350 million users. If you haven't seen it already, you will soon have to go through a wizard that will guide you through the process of confirming your privacy settings.

The new settings are supposed to make it easier and simpler to control your information, but the changes are drawing a mix of criticism and praise from privacy watchdogs such as the Electronic Frontier Foundation (EFF), the American Civil Liberties Union of Northern California (ACLU), and the Electronic Privacy Information Center (EPIC).

The new privacy controls include some great changes, and some not-so-great changes, but here are five privacy issues you should know about as these settings roll out across Facebook.

  • Search Settings
  • Password Protection Layer: Not So Good
  • PAI Changes
  • Friends List
  • Hyper Control

Facebook's new privacy settings are a mixed bag of better and simpler controls over some information, while loosening the restrictions on others. Of course, if you don't want some of that information to appear, you can always delete it from Facebook (you cannot delete your gender, but you can make it invisible). Facebook's privacy controls may not be perfect, but they will urge users to think even harder about what they're sharing on Facebook, and ultimately that may be a good thing.

For more details on Facebook's new privacy settings, please see the full article.

PC World -By Ian Paul

Fix Common Windows Problems with One Click

Have you ever wished for a magic wand that could make annoying Windows problems disappear? Like, say, a missing Recycle Bin icon, or those pesky Runtime Error messages in Internet Explorer?

FixWin is that magic wand. This ingenious free utility requires just over 500K of space, runs without installation, and quickly fixes 50 different Windows glitches--many of which would normally require a trip to the Registry.

These are divided among five categories, including Windows Explorer, Internet & Connectivity, and System Tools.

Each problem is presented with a brief but thorough description. Here's an example: "CD drive or DVD drive is missing or is not recognized by Windows or other programs." (Been there!) To fix a problem, just click the corresponding Fix button.

It really is that simple. And before you get started, FixWin can scan your machine for--and fix--corrupted system files. It also allows you to create a System Restore point before making any changes, a smart addition.

Certainly FixWin won't solve all your Windows issues, but if it can correct just one, it's well worth the download.

For more details or for a link to get this download, please see the full article.

PC World -By Rick Broida

Bulletins posted 12/9/2009

Adware touts $1 bribe to prospective zombies

An adware distributor is offering to pay punters $1 to install their software.

The bribe comes attached to malware, specifically an application bundle that includes adware and agents that change browser home pages, detected by Sunbelt Software as C4DLMedia and classified as a medium risk threat. The offer of payment is buried in the application's terms and conditions. Even if the adware slingers come through on this offer to pay via PayPal, the amount of the bribe is probably a problem. "In places where a dollar is worth enough to make this worth the effort, there probably isn't any internet connectivity," writes a Sunbelt security researcher.

For more information on this, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

The Register -By John Leyden

Facebook Privacy Changes

Facebook Privacy Changes Go Live, Beware of "Everyone"

As promised, Facebook has begun rolling out new privacy options to its 350 million users. Watch out for the "Everyone" setting.

On Wednesday morning, users began seeing a message offering a new, simplified privacy settings page and the ability to set specific options for every post made to Facebook.

Especially important is the new "everyone" setting that determines whether a Facebook post will be seen on other services, such as in Google search results.

Other settings include "only friends" and "friends of friends." A "customize" option allows users to show or hide a post from specific individuals or user-created lists.

The options are available by clicking on a new "lock" icon that appears next to the "share" button when a Facebook user updates their status. Any setting may be chosen as a default and the default option may be changed as desired.

Facebook also today updated its privacy policy to reflect the changes.

PC World -By David Coursey

Facebook Simplifies Privacy Options

Following through on plans announced a few months ago, Facebook is rolling out changes on Wednesday to its privacy settings intended to make them simpler to adjust and understand by its 350 million end users.

In addition to consolidating some privacy options and grouping them in a single interface, Facebook will also provide new tools designed to walk end users through the settings.

Also, Facebook users will now be able to establish a privacy setting for every item they post on the site via a drop-down menu.

Facebook had indicated its intention to make these changes back in July, when it publicly acknowledged that its privacy controls had become scattered across multiple settings pages and that they lacked consistency. This resulted in confusion among many end users, who then didn't take proper advantage of Facebook's very granular privacy settings.

As previously announced, Facebook has done away with its regional network option, which let end users make their profile viewable by others located in their same geography. That has been replaced with four options: friends; friends of friends; everyone; and customized. People can still choose to make their profile open to others in their work and school networks.

PC World -By Juan Carlos Perez

For more information on Facebook privacy, please see either of the full articles.

Microsoft Update Fixes IE, Windows, Office Bugs

Microsoft today patched 12 vulnerabilities in Windows, Office and Internet Explorer (IE), including three critical bugs in the company's newest browser, IE8.

Of the 12 flaws fixed in Tuesday's six security updates, seven were rated "critical," the highest severity ranking in Microsoft's four-step scoring system. Four of the remaining flaws were pegged as "important," one step lower on the scale, while the final vulnerability was labeled "moderate."

Security researchers unanimously voted MS09-072, the five-patch update for IE, as the one that demands immediate attention.

"That's certainly the one to watch," said Andrew Storms, the director of security operations at nCircle Network Security. "You can't focus enough attention on the IE update. It trumps the bunch."

Richie Lai, the director of vulnerability research at security company Qualys, echoed Storms. "MS09-072 affects IE, which is a big attack surface," said Lai, "and the vulnerabilities are primed to be exploited by classic drive-by attacks."

"Definitely take a look at that one," chimed in Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "Browser attacks are the most prevalent of all attacks."

One of the five fixes included in the IE update addressed the zero-day vulnerability that Microsoft confirmed last month after sample attack code that exploited a flaw in IE's layout parser went public.

Storms applauded Microsoft's speed in quashing the bug. "That was record time for Microsoft, to patch in just two weeks," he said, adding that it usually takes the company a month or more to ready a fix. "The holiday online shopping season had to increase the pressure to patch, but then again, it looks like Microsoft already knew about the bug," said Storms, referring to the credit that Microsoft gave to VeriSign iDefense for reporting the flaw.

Look for these updates in your weekly Tuesday update from Microsoft. For more information, please see the full article.

Computerworld -By Gregg Keizer

Norton Online Backup Adds Mac Support

Symantec, which rolled out Norton Online Backup as a standalone service earlier this year, is giving it a major overhaul that adds a bunch of attractive features and fixes some limitations of the original version.

The new version supports Macs as well as PCs for the first time. It can back up files even when they're open and in use (a pretty basic feature that the previous iteration lacked) and it now keeps 90 days' worth of old files so that you can roll back to a previous version if need be. You can now search for those old files as well as browse for them, can restore them to the original computer or any other system, and send them by e-mail.

As before, the service is as close to fully Web-based as possible: You do need to download a small app to your Windows PC or Mac. It runs in the background to shuttle data to or fro (and didn't seem to be much of a drag on performance in my test drive). But managing backups, restores, and other aspects of the service is done in the browser, so it's exactly the same experience in Windows and OS X. The new version has a cleaner, easier user interface.

Given the extra cost to get sizable quantities of online space for multiple computers--not to mention the inherently slow process of backing data up across the Internet--I think it still makes sense to be selective about what you back up to a service such as Norton Online Backup. Send your irreplaceable files up to the cloud, but use something like a 500GB Seagate FreeAgent Go drive to protect everything else. (Portable hard drives may not be as simple and safe as online backup, but they're faster--and they cost about a tenth of what you'll pay for one year's worth of the same amount of storage with Norton.)

For more information, please see the full article.

PC World -By Harry McCracken

Adobe updates Flash Player, fixes seven serious vulnerabilities

Adobe Systems Inc. issued an update to its widely used Flash Player, repairing seven Flash Player vulnerabilities that could be used by an attacker to crash the player and gain complete control of a victim's computer.

Adobe issued Flash Player 10.0.42.34 on Tuesday and urged users of Adobe Flash Player version 10.0.32.18 and earlier to upgrade to the latest version or be at increased risk of attack. The Flash Player is a standard plug-in in most browsers. A favorite attack method of choice for cybercriminals is to use automated tools to scan machines for vulnerable versions of Web-based software.
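
Since attackers scan for out-of-date plug-in versions, the defensive counterpart is to do the same inventory check yourself before they do. The script below is an added example, not from the SearchSecurity article or from Adobe: it compares reported Flash Player versions against the 10.0.42.34 release named above, treating "10.0.32.18 and earlier" as affected. The one subtlety it demonstrates is that dotted versions must be compared field by field as integers; a plain string comparison sorts "9.0.280.0" after "10.0.42.34" and would silently skip an old install. The host inventory is constructed for the demonstration.

```python
"""Check reported Flash Player versions against the fixed release.

Added example, not from the bulletin. The version numbers come from the
article; the host inventory is constructed. Versions are compared as
tuples of integers, not as strings, because "9" > "1" as a character even
though 9.x is older than 10.x.
"""

FIXED_VERSION = "10.0.42.34"  # release that carries the seven fixes


def parse_version(text):
    """'10.0.42.34' -> (10, 0, 42, 34); missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def needs_update(installed):
    """True when the installed version is older than the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def naive_needs_update(installed):
    """The buggy string comparison, kept only to show how it goes wrong."""
    return installed < FIXED_VERSION


# Constructed inventory: host name -> Flash Player version it reports.
INVENTORY = {
    "ws-01": "10.0.32.18",  # last vulnerable release named in the article
    "ws-02": "10.0.42.34",  # already on the fixed release
    "ws-03": "9.0.280.0",   # older major version; string compare misjudges it
}


def hosts_needing_update(inventory):
    """Sorted list of hosts whose Flash Player is older than FIXED_VERSION."""
    return sorted(host for host, version in inventory.items()
                  if needs_update(version))


if __name__ == "__main__":
    for host in hosts_needing_update(INVENTORY):
        print(f"{host}: Flash Player {INVENTORY[host]} needs updating")
```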

According to the latest Adobe security bulletin, the latest Flash Player update fixes a variety of problems, including memory corruption errors, a data injection vulnerability and multiple crash flaws. Adobe engineers also addressed a local file name access flaw in the Flash Player ActiveX control that affects Windows systems. The software maker said it "categorizes these as critical issues and recommends affected users update their installations to the newest versions."

Flash Player support for Apple G3 ending

Adobe also announced that it would officially end support of Flash Player on Apple PowerPC-based G3 computers in early 2010. The software maker said it planned to release Adobe Flash Player 10.1 for Mac, which includes performance tweaks that don't support the older PowerPC machines.

For more information, please see the full article. If you are using an older Apple computer, keep in mind that support may be ending for your player in 2010.

SearchSecurity.com -By SearchSecurity.com Staff

Report finds enterprises failing to protect sensitive data

Confidential data remains unprotected in many large enterprises, according to a recent survey released by Enterprise Strategy Group (ESG) on behalf of database security firm Application Security.

In the second annual survey of 175 IT and information security professionals from North American enterprises with 1,000 or more employees, 40 percent said most of their data is adequately secured and 11 percent said some confidential data is secured. Two percent of respondents said most confidential data is not secured and another two percent said they did not know.

The remaining 40 percent of respondents said they believe that all of their organization's confidential data is adequately protected.

In addition, fewer than half of respondents believed that their existing database security controls provide adequate protection for all databases that contain confidential data, according to the survey, released Tuesday. Many organizations have trouble securing databases due to budget constraints and a lack of resources, Thom VanHorn, vice president of global marketing at Application Security, told SCMagazineUS.com on Tuesday.

Recently, a database of the Springfield, Massachusetts-based insurance provider Mass Mutual was accessed by an individual without authorization, potentially exposing the personal information of an unknown number of employees.

The ESG survey also found that just 37 percent of respondents believe they can meet regulatory compliance requirements and ensure the security of confidential or sensitive information at all times. In addition, nearly 30 percent of organizations surveyed said they have failed a data security compliance audit in the past three years.

However, while the number of organizations that were breached went down, the amount of records that were lost rose, Jon Oltsik, senior security analyst with ESG, said in the report.

For more information, please see the full article. If you have fallen for this scam, notify your service desk immediately and change your passwords.

scmagazineus.com -By Angela Moscaritolo

Last Updated: March 11, 2010
Website Contact: David Matthews

Copyright © 1995-2010 City of Seattle