Donna's SecurityFlash

Apple Safari Cross-Domain Cookie Injection Vulnerability

donna — Wed, 23 Jul 2008 19:07:17 GMT

Affected Software:
Safari 3.x
Safari for Windows 3.x

A vulnerability has been discovered in Apple Safari, which can be exploited by malicious people to bypass certain security restrictions.

The problem is that websites are allowed to set cookies for certain country-specific secondary top-level domains. This can e.g. be exploited to fix a session by setting a known session ID in a cookie, which the browser sends to all web sites operating under an affected domain (e.g. co.uk, com.au).

The vulnerability is confirmed in Apple Safari for Windows 3.1.2. Other versions may also be affected.

Solution: Do not browse untrusted web sites or follow untrusted links.

http://secunia.com/advisories/31128/

The Planet offers free backup, discounted data protection and firewalls

donna — Wed, 23 Jul 2008 19:04:54 GMT

The Planet announced three new promotions that offer enhanced data protection and security for Planet Alpha dedicated server customers. For a limited time, new orders of Network Backup and EVault Backup are free for the first 90 days. Both solutions are hosted on The Planet’s world-class managed storage infrastructure and are available in 10GB - 80GB or larger capacities for mission-critical environments.

http://www.net-security.org/secworld.php?id=6344

DNS Flaw Unfixed as Experts Argue Protocol

donna — Wed, 23 Jul 2008 19:03:02 GMT

Speculation continues as to what the ultimate systemic Domain Name System (DNS) flaw could be. This flaw apparently allows Web surfers to be spoofed, directing them to fake Web sites to gain passwords and load malware on their computers.

The flaw was first revealed by Dan Kaminsky, a researcher at security firm IOActive Inc., although Kaminsky largely withheld the technical details of the exploit.

In a Friday morning press conference, Kaminsky said that many of the patches released by various IT vendors and security firms reacting to his bug discovery (reported by CNet News.com) are at best temporary fixes to a more pervasive problem. Kaminsky added that he would be disclosing further findings at the Black Hat security conference in Las Vegas next month.

http://redmondmag.com/news/article.asp?EditorialsID=10069

Beware Fake Anti-Mailware With Fake Editors Choice Awards

donna — Wed, 23 Jul 2008 18:58:10 GMT

From Larry Seltzer of PC Mag:

This isn't news, but it's worth reminding everyone: there is a large category of malicious programs that present themselves as antispyware or antivirus programs. Having already established that they will lie about these things, they may lie about others. For instance, we recently came across one which claims to have won a number of awards, including the PC Magazine Editors' Choice.

http://blogs.pcmag.com/securitywatch/2008/07/beware_fake_antimailware_with.php

Security flaws in online banking sites found to be widespread

donna — Wed, 23 Jul 2008 18:54:00 GMT

More than 75 percent of the bank Web sites surveyed in a University of Michigan study had at least one design flaw that could make customers vulnerable to cyber thieves after their money or even their identity.

Atul Prakash, a professor in the Department of Electrical Engineering and Computer Science and doctoral students Laura Falk and Kevin Borders examined the Web sites of 214 financial institutions in 2006. They will present the findings for the first time at the Symposium on Usable Privacy and Security meeting at Carnegie Mellon University July 25.

http://www.ns.umich.edu/htdocs/releases/story.php?id=6652 via http://blogs.zdnet.com/security/?p=1536

Hackers attack businesses, blogs and Web 2.0 sites

donna — Wed, 23 Jul 2008 18:51:24 GMT

IT security and control firm Sophos has published new research into the first six months of cybercrime in 2008. The Sophos Security Threat Report examines existing and emerging security trends and has identified that criminals are increasingly using creative new techniques in their attempt to make money out of internet users.

Website infection rate three times faster than 2007
Sophos has identified that the number one host for malware on the web is Blogger (Blogspot.com), which allows computer users to make their own websites easily at no charge.
Business websites attacked, office workers at risk, Web 2.0 introduces new threats
Thousand of webpages belonging to Fortune 500 companies, government agencies and schools have been infected, putting visiting surfers at risk of infection and identity theft. High profile entertainment websites such as those belonging to Sony PlayStation, Euro 2008 ticket sales companies, and UK broadcaster ITV are amongst the many to have suffered from the problem.
Attacks via email file attachments, however, have reduced in 2008. Only one in every 2,500 emails examined in the first six months of 2008 was found to contain a malicious attachment, compared to one in 332 in the same period of 2007.

Complete article at http://sophos.com/pressoffice/news/articles/2008/07/security-report.html

Asprox computer virus infects key government and consumer websites

donna — Wed, 23 Jul 2008 18:43:23 GMT

Cyber-criminals have attacked key government and consumer websites, allowing them to steal the personal details of anyone browsing the sites, The Times has learnt.

Eastern European hackers are suspected of placing the Asprox virus on more than a thousand British websites, including those run by the NHS and a local council, in the past two weeks.

Experts described the Asprox virus as an alarming departure from commonplace viruses, which tend to be spread through rogue e-mails and unregulated websites.

Unlike other viruses, Asprox sits undetected on mainstream sites, with any visitor at risk of being infected. The virus automatically installs itself on a visitor's computer, allowing a hacker to access financial information.

http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece

RIPN and PCWorld.com response on IP Hijacking in PCWorld.com's IP address

donna — Tue, 22 Jul 2008 01:35:29 GMT

I blog it the other day and the response by the 2 company is at http://www.dozleng.com/updates/index.php?showtopic=16134

The impact of this type of issue to users are:

Disruption
Deception
Disclosure

So it's good that pcworld.com is now on it and taking security measures to avoid it in happening again.

We normally block bad domains and bad IP address. Whenever a good IP address get hijack by another 'entity' (domain), we still trust the owner of legitimate IP address but we need to take action by continue blocking it until we are positive that the owner of the legitimate IP address is "on" it by protecting their content and visitors.

PCWorld.com victim of DNS Cache poisoning?

donna — Sun, 20 Jul 2008 06:53:39 GMT

I sent email to nic contact of pcworld.com today but if anyone has contact with them, please inform them of the issue:

DNS resolver:

removespyware.ru's IP address is resolved as 70.42.185.10

70.42.185.10 is pcworld.com

http://www.dozleng.com/updates/index.php?showtopic=16134

Latest Firewall Challenge results

donna — Fri, 18 Jul 2008 07:54:53 GMT

1. Outpost Firewall Pro 2009
2. Online Armor
3. Comodo Firewall
4. ProSecurity

Outpost Firewall Pro 2009 6.5.2355.316.0597 leads the challenge with 99%, tightly followed by the paid version of Online Armor Personal Firewall 2.1.0.131 with 98% and the best free product – Comodo Firewall Pro 3.0.22.349 with 95%. ProSecurity 1.43, which will be replaced by Real-time Defender in the future, is on the third place with 93%. All these products reached the Excellent protection level. Online Armor Personal Firewall 2.1.0.131 Free and Kaspersky Internet Security 7.0.1.325 are close to the excellent results.

Among the newly tested products, Ashampoo FireWall FREE 1.20 and Webroot Desktop Firewall 5.5.10.20 reached the best network performance results. The worst results were measured with G DATA InternetSecurity 2008.
It seems that Firewall Challenge tests make a big difference between really good products and the rest of the world. Most of the products are filtered in very low levels which means that they probably miss some critical features.
However, it is crucial to know what does it mean if a product succeeds in our tests and what does it mean if it fails. Before you start interpreting the results, you should be familiar with the information on the index page, especially with the methodology and rules. You should also know which kind of products do we test before you start to interpret the results.

http://www.matousec.com/projects/firewall-challenge/results.php

3rd Party ads in CNET have been hijacked

donna — Thu, 17 Jul 2008 17:38:51 GMT

http://www.dozleng.com/updates/index.php?showtopic=16111

Firefox 3.0.1 with security fixes

donna — Thu, 17 Jul 2008 04:27:03 GMT

They announced the 2 yesterday and announced another one:

MFSA 2008-36 Crash with malformed GIF file on Mac OS X

Get v3.0.1 now to take advantage of the security fixes and other program fixes. Release notes here.

Malware and Phished Colonial Bank website

donna — Wed, 16 Jul 2008 17:38:08 GMT

Phishing E-mail: Colonial Vendors and Business Associates

Phishing E-mail: Colonial Bank WebBiz Alert - Update

Phished website with link to malware (auto-download)

Only 9 malware scanner will detect the malicious file:

http://www.virustotal.com/analisis/71edda93864f8daa8abbb2b113f3282a

Mozilla Security Advisories

donna — Wed, 16 Jul 2008 10:48:39 GMT

MFSA 2008-35 Command-line URLs launch multiple tabs when Firefox not running
MFSA 2008-34 Remote code execution by overflowing CSS reference counter

http://www.mozilla.org/security/announce/

http://www.mozilla.org/projects/security/known-vulnerabilities.html

Rogue Software: Antivirus Master

donna — Tue, 15 Jul 2008 22:19:00 GMT

Antivirus Master - Rogue Product
Date Published: Tuesday, July 15, 2008
Category : Rogue Security Software
Also known as: FraudTool.Win32.UltimateAntivirus.m [Kaspersky]
http://ca.com/au/securityadvisor/pest/pest.aspx?id=453137639

Site to block using hosts file and if you are using Outpost Firewall, add it in IP Blocklist:
anvimaster.com - whois result here
anvi-scanner.com - whois result here
scanner.anvi-scanner.com

Note: today's update on IP Blocklist includes the above to be block by Outpost Firewall.

Updated: CoU Updates Search engine in browser's search bar

donna — Tue, 15 Jul 2008 14:14:30 GMT

I have added CoU Calendar search engine for Internet Explorer 7, Firefox and Opera browsers today so I can search using the built-in search bar any posted updates in CoU's Calendar. For CoU members and visitors (guests) who want this also, please follow the guide at http://www.dozleng.com/updates/index.php?showtopic=16074

CoU Updates Search engine in browser's search bar

donna — Tue, 15 Jul 2008 08:25:07 GMT

I have added CoU Calendar search engine in IE and Opera browsers today so I can search using the built-in search bar any posted updates in CoU's Calendar. For CoU members and visitors (guests) who want this also, please follow the guide at http://www.dozleng.com/updates/index.php?showtopic=16074

Sick of Storm Worm news? I'm not

donna — Mon, 14 Jul 2008 16:41:29 GMT

I am not really sick of hearing about Storm Worm news because it's not like EICAR test file yet. Why? Because with EICAR test file, all antivirus will detect it as EICAR but for Storm Worm, um.. not:

It will offer secret_archive.exe file when user visits or clicks such links:

So it is really not like EICAR like yet. Scanners still need to do more work to be able to detect all variants of Storm Worm:

http://www.virustotal.com/analisis/b0d43f3fa36f76695a0e30ee846322df

Well, malware scanners have excuse, EICAR test file has no variant.

In the wild: Rogue Antivirus XP 2008 SPAM

donna — Mon, 14 Jul 2008 16:34:41 GMT

The campaign by bad guys to spread their rogue antivirus program's installer of Antivirus XP 2008 is not only thru trojan infection but also via email SPAM:

Going to the bad link will try to auto-download the installer of Rogue antivirus XP 2008's installer.

In the Wild: UPS Packet Service malware SPAM - ups_invoice.zip

donna — Mon, 14 Jul 2008 16:26:29 GMT

It's in the wild - SPAM with infected file ups_invoice.zip and my inbox has 4 of it today:

63% of malware scanner will detect the infected file, if user mistakenly download retrieve this unwanted email or save or touch that file:

Scan result: http://www.virustotal.com/analisis/07d607ef1cfcd0b67fe27595a71a9452

NOTE: If you will google "UPS Packet" or UPS Paket", you will see the same message posted in newsgroup and forums :(

....really in the wild so be careful guys.