Donna's SecurityFlash

PayPal to embed X apps in self

2009-11-04T15:43:09Z

iPhone meets Facebook meets 'all of ecommerce'

PayPal X Innovate In Facebook-like fashion, PayPal will open its own website to third-party applications as it continues its quest to "power all of ecommerce."

At its inaugural developer conference in San Francisco on Tuesday - PayPal X Innovate 09 - the eBay-owned outfit took the beta tag off its PayPal X developer platform, a set of APIs for tapping its core payment-processing system straight from third-party apps. And as part of the announcement, vice president of platform Osama Bedier said that at some point in the unspecified future, the company would serve up APIs for plugging applications straight into PayPal.com.

The PayPal site gets about 30 million visitors a month, according to Bedier. "It's where people keep their money," he tells The Reg. "They like to go and look at it."

Put your app there, Bedier says, and you've got built-in eyeballs. "If you're building an application for, say, invoicing, and you put it on idoinvoicing.com, you still have to drive traffic there - as opposed to PayPal.com where we're got those 30 million visitors."

He couldn't help but whip out the Facebook analogy. "It's just like when you log-in to Facebook," he says. "You see the stuff Facebook does and the stuff the community does hand-in-hand."

http://www.theregister.co.uk/2009/11/04/paypal_app_store/

DOWNAD/Conficker Turns 1yr

2009-11-04T14:55:06Z

Worm Exploits MS08-067 Bug

DOWNAD, also known as the Conficker worm, was first seen in the wild taking advantage of the MS08-067 vulnerability. True to form, it propagated via shared networks. Like its predecesors-the Sasser and Nimda worms-it also raised security concerns with regard to a spike in port 445 activity.

A few days after its appearance, reports suggested that the threat had spread. More than 500,000 unique hosts spread across networks in the United States, China, India, the Middle East, Europe, and Latin America fell prey to the threat. Several residential broadband service providers also reported having an even larger number of infected customers.

New Year, New Variant

Improved Domain Generation Functionality

DOWNAD Uses P2P

Infection Peaks

Updated Patches Still Key

More details in http://blog.trendmicro.com/downadconficker-turns-1yr/

DDoS on www.fra.se

2009-11-04T14:54:11Z

The Swedish Signals Intelligence agency (Försvarets Radioanstalt FRA) is currently under a large-scale DDoS attack.

At the moment www.fra.se is inaccessible.

FRA was in the news recently, as Sweden passed a law giving them legal permission to tap Internet traffic passing through Swedish national borders. For example, the majority of Russian international Internet traffic passes through Sweden.

http://www.f-secure.com/weblog/archives/00001808.html

Windows 7 vulnerable to 8 out of 10 viruses

2009-11-04T14:53:32Z

From Sophos:

Now that we in the northern hemisphere have had some time to digest the Windows 7 hype and settle in for the coming winter, we thought we would get some more hard data regarding Windows 7 security.

On October 22nd, we settled in at SophosLabs and loaded a full release copy of Windows 7 on a clean machine. We configured it to follow the system defaults for User Account Control (UAC) and did not load any anti-virus software.

We grabbed the next 10 unique samples that arrived in the SophosLabs feed to see how well the newer, more secure version of Windows and UAC held up. Unfortunately, despite Microsoft's claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.

More in http://www.sophos.com/blogs/chetw/g/2009/11/03/windows-7-vulnerable

hmmm UAC is not to stop malware. Antivirus/Antimalware will. MSRT by MS will remove existing malware but not UAC.

A Single Sign-In for All Your Websites? Google Hopes So

2009-11-04T14:51:02Z

It's one of the basic tenets of online security: Never use the same password/username combo for every website that requires one. The logic is sound, of course. A single security breach could expose your most private information - such as banking and credit card numbers - to the bad guys.

Problem is, who can remember multiple passwords and usernames? Many times I've signed up for a service, returned to the site a few weeks later, and quickly realized that I couldn't remember my login details.

Google and other major online players, including AOL, Facebook, Microsoft Plaxo, MySpace, and Yahoo, are pitching a simpler alternative: A single password/username combo, such as your Google or Yahoo ID, for multiple sites. The concept, based on the industry standard OpenID 2.0 protocol isn't exactly new. In fact, Google announced over a year ago that it would support the single single-in plan.

http://www.pcworld.com/article/181347/a_single_signin_for_all_your_websites_google_hopes_so.html

No!!!

Heads-up about IObit and MBAM issue

2009-11-04T02:19:39Z

Marcin respond to the denial of IObit at http://www.malwarebytes.org/forums/index.php?showtopic=29772 or see the blog of MBAM here
Majorgeeks.com has removed IObit downloads
CNET.com is looking into this and hopefully they will remove IObit at their download site too
WOT have Iobit as yellow at the moment (it was green yesterday)
SiteAdvisor continue to give red to IObit which is good
Norton SafeWeb still have it as green though

Elite Loader Goes Public

2009-11-03T09:58:30Z

From Trend Micro Countermeasure blog:

A few days ago, I got access to the source code of the well-known Elite Loader for free. Yes. It was published on one of the Russian underground forums. It even had a detailed description and screenshots showing how to use the application’s command and control (C&C) server.

Apart from dropping malicious files on infected machines, Elite Loader also allows malicious users to upload additional software to targeted systems to steal passwords or deploy spam or distributed denial of service (DDoS) modules that other cybercriminals can use.
The bot’s C&C also contains significant statistics and makes use of a log-filtering feature to manage module downloads from the bots in different countries. It can also enable or disable target bots based on their location.

The bot’s size is only 8kb, making the dropping process relatively hidden. The bot works perfectly well on the Microsoft XP Service Packs 1, 2, and 3 and Vista OSs and supports multiple job instances.

The malware distribution business seems to have gone public.

http://blog.trendmicro.com/elite-loader-goes-public/

Windows 7 Ship IT award? That's cool

2009-11-03T09:51:42Z

There's Windows 7 Ship It award that was received by Rob Margel: http://blogs.msdn.com/robmar/archive/2009/11/03/i-helped-ship-windows-7.aspx

That's neat looking award. I tested and tried… can you make "Tester Award?" ROFL.

Seriously, nice one! And nice to see your name on it.

Google retrieves coder's Microsoft badge from rubbish bin

2009-11-03T09:45:40Z

Jon Skeet - the Microsoft-happy Google developer whose Mountain View overlords "advised" him to give up his Microsoft MVP badge - has now regained this Ballmerian status symbol after a compromise with Google's "Code of Conduct" police.

"I'm delighted to be able to announce that I'm now an MVP again," Skeet announced Friday on his personal blog.

Skeet is well-known Microsoft .Net obsessive. He's the author of a 424-page tome dedicated to C# coding, and he was first awarded Microsoft MVP status in 2003, tapped as one of the "outstanding members" of Microsoft's "technical communities."

His badge was renewed each year for the next five years. But then he took a job at Google, and when he came up for renewal this fall, someone inside the Chocolate Factory put a foot down.

http://www.theregister.co.uk/2009/11/02/skeet_regains_mvp_status/

Congratulations, Jon! and Welcome Back to MVP Award Program! http://msmvps.com/blogs/jon_skeet/archive/2009/10/30/mvp-again.aspx

Early adopters bloodied by Ubuntu's Karmic Koala

2009-11-03T09:43:39Z

Smooth Windows upgrade it ain't

Ubuntu 9.10 is causing outrage and frustration, with early adopters wishing they'd stuck with previous versions of the Linux distro.

Blank and flickering screens, failure to recognize hard drives, defaulting to the old 2.6.28 Linux kernel, and failure to get encryption running are taking their toll, as early adopters turn to the web for answers and log fresh bug reports in Ubuntu forums.

Reg reader motoh delivered a warning on moving to Ubuntu 9.10 from version 9.04 - Jaunty Jackalope - in comments on our review of the new OS here. "If you upgrade from Jaunty beware. You may have a rough ride. I made my mistake by trying too soon. Wait the usual month," motoh wrote. Angus77 at Ubuntuforums.org agreed: "This is so frustrating! Jaunty was a snap to install."

http://www.theregister.co.uk/2009/11/03/karmic_koala_frustration/

Snow Leopard Update Blocks Intel Atom, Kills Hackintoshes

2009-11-03T09:41:18Z

Mac OS X Leopard 10.6.2 will break your hackintosh. The forthcoming OS update will not run on the Intel Atom processor, a rather petty move from Apple which, if true, will break many netbooks which have been hacked to run as more than passable Macs.

This news comes from Stellarola, the hacker who helped us out extensively with the original (and still the best) Gadget Lab hackintosh. Here’s what he has to say:

In the current developer build of 10.6.2, Apple appears to have changed around a lot of CPU related information. One of the effects of this is Apple killing off Intel’s Atom chip.

http://www.wired.com/gadgetlab/2009/11/snow-leopard-update-blocks-intel-atom-kills-hackintoshes/

China police chief urges harsher Internet controls

2009-11-03T09:37:06Z

China's police chief has called for a reinforced nationwide Internet security system, in the nation's latest effort to oversee the activities of the world's largest online population. "The Internet is developing quickly, there are many loopholes in social management, and maintaining social stability faces unprecedented new challenges," public security minister Meng Jianzhu said in rare public remarks.

"One must... actively establish... a comprehensive prevention and control social security system that covers the Internet and the real world," he said in a speech published on the ministry website Monday. Internet use has expanded at a dizzying pace in China, which now has the world's largest online population of at least 338 million users.

In a bid to maintain control, authorities regularly censor Internet content they deem unhealthy including pornography and violence, but also information critical of the government -- a system dubbed the "Great Firewall of China." But many online users get around the system by using proxy servers that allow them to access blocked sites.

http://news.smh.com.au/breaking-news-technology/china-police-chief-urges-harsher-internet-controls-20091103-huyh.html

Hacker charged in $1m cable ISP customer cloning scheme

2009-11-03T09:34:28Z

MAC spoofing biz flourished for six years

Federal prosecutors have charged a California man with earning $1m over a six-year period by illegally selling products that allowed customers to get high-speed internet service for free.

Ryan Harris, 26, of San Diego sold software and hardware that were designed to fool Charter Communications and other internet service providers into believing the gear belonged to paying customers, the prosecutors allege. Harris and his employees also offered technical support in publicly available chat forums at tcniso.net, the website belonging to their modem-hacking business.

The hack worked by spoofing the media access control address that acts as an electronic serial number for each modem. By replacing the unique address with one known to belong to a paying subscriber, Harris's customers were able to obtain internet service for free.

http://www.theregister.co.uk/2009/11/03/cable_modem_hacking_indictment/

What Windows Autorun Has Wrought

2009-11-03T09:27:53Z

A new report by Microsoft shows that the two most prevalent threats to Windows PCs in the first half of 2009 were malicious programs that have been aided mightily in their spread by a decision by Microsoft to allow the contents of removable media -- such as USB thumb drives -- to load automatically when inserted into Windows machines.

In its latest "Security Intelligence Report," Microsoft counted the number of threats detected by its anti-malware desktop products, and found that the Conficker worm, along with a Trojan horse program called Taterf which steals passwords and license keys for popular computer games, were detected on 5.21 million and 4.91 million Windows computers, respectively.

In April, after the third version of Conficker became front-page news and even fodder for feature story on 60 Minutes, Microsoft announced that its AutoPlay function would no longer support AutoRun for USB drives. Autorun is disabled for USB drives in Windows 7 (the new OS still automatically plays any inserted CDs and DVDs). In late August, Microsoft released a patch that similarly disables Autorun on Windows XP, Vista, Windows Server 2003 and Server 2008 systems.

However, this patch does not appear to have been pushed out through Microsoft's Automatic Updates or Windows Update, so if you'd like to install it, you'll need to visit this link and download the appropriate version for your operating system. Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB thumb drives. Wilders Security Forum has a nice writeup on this patch, and offers some harmless sample code to test whether your Windows box has this feature enabled.

http://voices.washingtonpost.com/securityfix/2009/11/what_windows_autorun_hath_wrou.html

Microsoft: Vista Infected 62% Less Often Than XP

2009-11-03T09:23:48Z

Windows Vista is dramatically more secure than Windows XP, according Microsoft's latest Security Intelligence Report, released Monday. The infection rate of Windows Vista SP1 was 61.9 percent less than Windows XP SP3, the company said.

The report covers the first half of 2009 and is the seventh such twice-yearly report the company has issued. The study found that for all Microsoft operating systems that the most current service pack is always the least infected, based on infections per 1,000 computers running each OS. Windows 7 was not included in the report.

http://www.networkworld.com/news/2009/110209-microsoft-vista-infected-62-less.html

FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule

2009-11-03T09:20:15Z

At the request of Members of Congress, the Federal Trade Commission is delaying enforcement of the “Red Flags” Rule until June 1, 2010, for financial institutions and creditors subject to enforcement by the FTC.

The Rule was promulgated under the Fair and Accurate Credit Transactions Act, in which Congress directed the Commission and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Commission previously delayed the enforcement of the Rule for entities under its jurisdiction until November 1, 2009.

http://www.ftc.gov/opa/2009/10/redflags.shtm

Symantec Uncovers Trojan Scheme Using Facebook

2009-11-03T09:17:30Z

Researchers at Symantec find a Trojan that uses Facebook to communicate with a command and control server.

Researchers at Symantec have uncovered a Trojan using Facebook as a coordinator for its command and control server.

The Trojan malware, known to Symantec as Whitewell, is being spread via e-mail through "documents (PDF, or MS Office formats) containing exploits for known vulnerabilities," Andrea Lelli, a security analyst with Symantec Security Response, wrote on a Symantec blog Oct. 31. The malware works by contacting the mobile version of Facebook and using its Notes section. By analyzing the Trojan's code, Lelli found that the Trojan will perform four different actions, depending on the notes' titles that are found.

http://www.eweek.com/c/a/Security/Symantec-Uncovers-Scheme-to-Use-Facebook-to-Relay-Commands-to-Trojan-755029/?

Update released for MS09-054

2009-11-03T09:13:07Z

From Microsoft Security Response Center:

Today we released an update 976749 that addresses two issues with MS09-054 that a limited number customers reported to us through our Customer Service and Support (CSS) group. These two issues can affect the proper display of web pages. For additional details, please refer to Microsoft Knowledge Base article 976749.

Security update MS09-054 was released as part of the October Security Bulletin Release cycle and protects against the vulnerabilities outlined in the bulletin. Also, we’re not currently aware of any attempts to attack the vulnerabilities.

While the number of customers affected by these two issues is limited, after working both with affected customers and our CSS group, we feel the best thing for all customers is to proactively provide this update as widely as possible to help prevent other customers from encountering the issues outlined in the KB.

Because of this, we plan to release this update through the same broad release channels as the original security update, MS09-054. Customers will see 976749 offered by default through Windows Update, Microsoft Update, and Automatic Updates.

Customers who have applied MS09-054 should go ahead and apply 976749. Customers who have not yet applied MS09-054 should apply both MS09-054 and 976749.

http://blogs.technet.com/msrc/archive/2009/11/02/update-released-for-ms09-054.aspx

We have it entered yesterday in CoU calendar and the update is available via WU

Rising Multiple Products Local Privilege Escalation Vulnerability

2009-11-03T09:06:23Z

Vulnerable Systems:
* Rising Antivirus 2009 (21.62.04)
* Rising Internet Security 2009 (21.62.04)
* Rising Personal Firewall 2009 (21.62.04)

Rising installs the own program files with insecure permissions (Users: Full Control). Local attacker (unprivileged user) can replace some files (for example, executable files of Rising services) by malicious file and execute arbitrary code with SYSTEM privileges. This is local privilege escalation vulnerability.

An attacker must have valid logon credentials to a system where vulnerable software is installed.

Disclosure Timeline:
31/08/2009 Initial vendor notification. Secure contacts requested.
31/08/2009 Vendor response
12/10/2009 Vendor response that the release date is unknown
28/10/2009 Advisory released

http://www.securiteam.com/securitynews/6O0060KQ0A.html

IObit denies stealing of MBAM database

2009-11-03T07:57:16Z

IObit was found to steal Malwarebytes Anti-Malware's database. MBAM team is smart enough to add a bait detection signature (Good job Marcin and MBAM team!). IObit respond by making a "Declaration"

We have never used the database of any other companies. And hope Malwarebytes stop spreading malicious rumors for hyping itself. The ridiculousness: who will trust and depend on a security product that can NOT even protect itself?

A legal letter will be released later, which will prove that there is no problem with Intellectual Property Rights.

For the sake of avoiding dispute and possible problems, we have deleted all disputed items in our database temporarily, and have updated IObit Security 360’s database.

Our database is from the online submission form: http://db.iobit.com/deal/sdsubmit/index.php

We also have many various sources of malware samples from warm-hearted users, computer security fans, and major security groups from all over the world. We have admitted that it’s hard to avoid mistakes, like a silly or duplicated name. But there is in no way means we steal Malwarebytes’ or any other's database. We are investigating and tracking on those items which Malwarebytes declared stolen.

We have so many independent and objective reviewing tests and reports; everybody can download and view from the link: http://forums.iobit.com/forumdisplay.php?f=25. We believe that, after viewing these test report, you can judge that if we steal database from Malwarebytes.

Thanks for the always support of IObit users.

http://forums.iobit.com/showthread.php?t=4807

Discussion on the above: