November 2010 - Posts
This proof of concept test has revealed a vulnerability in Safari that will most likely be patched soon. In any browser, please be careful with URLs and ensure you are going to a safe site.
Apple - iPhone Spoofing Vulnerability
QUOTE: Dhanjani shows how the default behavior for Safari is to scroll the page up to display more of its content, causing the address bar to disappear. This behavior is in response to particular Apple HTML META tags from the attack site advertising itself as a mobile site. The spoof page includes a fake address bar at the top which looks like the real address bar after the load.
Kaspersky Labs is reporting a return of GPCODE trojan attacks with greatly improved encryption. These attacks are called ransomware as they require infected users to pay for an encryption key (that may not work anyway). Not only should users avoid potential attacks but they should also fully backup their PCs and have a data recovery strategy formulated to minimize potential loss of information.
GPCODE Malware uses RSA-1024 and AES-256 Encryption
QUOTE: We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008. GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.
As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering and even decrypting your data with our decryption tools.
Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.
Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte. The malware detection was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.
A new security rogue with limited coverage has emerged that even creates fake BSODs along with false alerting to trick users into paying for cleaning capabilities.
ThinkPoint - Fake Trojan Removal kit
QUOTE: You might want to steer clear of the following fake security program, being promoted as a “Windows Trojan Removal Kit” but actually hijacking your PC in the form of the ThinkPoint rogue. Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake “Blue Screens of Death” and payment nag screens. See here for details on how to get around the supposedly locked up desktop, and check here for some of the many variations on this theme.
Secunia has rated this newly discovered risk as Highly Critical. McAfee will most likely address this concern quickly for the Enterprise version 8 family of products.
McAfee Virus Scan Enterprise - Insecure Library Loading Vulnerability
QUOTE: The vulnerability is caused due to the application loading libraries (e.g. traceapp.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a Word Document with an embedded ActiveX control located on a remote WebDAV or SMB share in Microsoft Office 2003.
Several warnings and an excellent list of best practices can be found in the link below:
FBI Warning - Electronic Scam Warnings and Best Practices for Avoidance
BEST PRACTICES TO AVOID BEING SCAMMED:
* A federal statute prohibits mailing lottery tickets, advertisements, or payments to purchase tickets in a foreign lottery.
* Be leery if you do not remember entering a lottery or sweepstakes.
* Beware of lotteries or sweepstakes that charge a fee prior to delivering your prize.
* Be wary of demands to send additional money as a requirement to be eligible for future winnings.
BEST PRACTICES TO AVOID FRAUD:
* Do not respond to unsolicited (spam) e-mail.
* Do not click on links contained within an unsolicited e-mail.
* Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible.
* Avoid filling out forms contained in e-mail messages that ask for personal information.
* Always compare the link in the e-mail with the link to which you are directed and determine if they match and will lead you to a legitimate site.
* Log directly onto the official website for the business identified in the e-mail, instead of “linking” to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
* Contact the actual business that supposedly sent the e-mail to verify if the e-mail is genuine.
* If you are asked to act quickly, or there is an emergency, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
* Verify any requests for personal information from any business or financial institution by contacting them using the main contact information.
Remember if it looks too good to be true, it probably is.
Trend Labs has created a Cloud Security blog and highlights key concerns for corporate users as noted below:
Trend Labs - Is your organization ready for Cloud?
Trend Labs - Cloud Security Blog
QUOTE: Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication. Many authentication schemes are done via the traditional user name-password combination. Problems with relying on these are well-known but, as companies move to the cloud, these become even more important.
Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top 2 online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter on-screen keyboard safety measures online banks use as an anti-keylogging mechanism.
Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe. To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far.
Corporate VMware users should apply this important security update:
VMware ESX third party security update for Service Console
QUOTE: It's an update for VMware ESX 4.1 without patch ESX410-201011001. Here's the problem description right off of their website: Service Console OS update for COS kernel package. This patch updates the Service Console kernel to fix a stack pointer underflow issue in the 32-bit compatibility layer. Exploitation of this issue could allow a local user to gain additional privileges.
Corporate users of Sun's Solaris operating system should apply these important security updates:
Sun Solaris - Security Updates for November 2010
QUOTE: Just in case you missed this on Friday, Sun have released details of three vulnerabilities with Solaris components:
- PERL 5.8 - Safe Perl Modules (safe.pm) - Covers CVE-2010-1168
- Apache - Apache Portable Runtime utility library - Covers CVE-2010-1623
- BZIP2 - Interger Overflow vulnerability - Covers CVE-2010-0405
The "Who viewed your profile" and other major spam campaigns were prominent during the Thanksgiving holiday period. None of these messages are true and they will post muliple messages on the facebook wall for those who click on these links and install these hostile applications
F-Secure: Happy Spamgiving Day
QUOTE: It's Thanksgiving Day in the United States and most folks are probably at home with their families right now. But somebody at Facebook security is probably on the job, because we're observing various spam runs on the site. Spammers are probably timing their efforts in an attempt to take advantage of holiday surfers. This spammer is having a very successful holiday weekend; his public stream now shows a total of more than 686,000 clicks!
Please avoid selecting URLs in the "tiny" or "shortened" format which are currently circulating in some Facebook posts being spammed. The new worm installs randomly named Facebook applications which may make cleanup a little more difficult for FB Admins. Hopefully, this new threat can soon be contained to eliminate the spammed message attacks.
Facebook - New worm spams and installs randomly named applications
QUOTE: Facebook is infested with a new worm, hijacking status updates and spreading like wildfire to other users. Another bit of evidence towards Facebook being insecure, and lax with user privacy and data?
Facebook is littered with a worm, seemingly the same one under different names, created by randomly generated developers, which is spreading links all over the site. Applications like S22BZ5 created by randomly assigned pseudonym ‘Jackson Lasseter’ has nearly 300 people under the grips of the worm. Others, such as replicated application B5DA8G, 9IHJ35 and AU0ZVE have just under 1,000 people inadvertently spreading the worm.
Just in the last 24 hours, I have seen my own friends’ list infiltrated by these worm applications which set status messages via the application without the knowledge of the profile owner, through a shortened link service with an infected GIF file. Once again, this shows Facebook will allow applications which are not verified, that act in a worm or malware like fashion, and allows individual user privacy to become compromised to anyone who can slap together a simple application.
In monitoring developments during the third quarter, Dasient Security noted an increase in malicious web pages as well as web 2.0 security concerns (e.g., Twitter and Facebook).
Dasient Security Report - Malware is everywhere
QUOTE: In Q3 Dasient continued to monitor millions of sites on the Internet for web-based malware infections and malvertisements. Based on the data gathered, we estimate that in Q3 over 1.2 million web sites across the Internet were infected, which is double our estimate from exactly one year ago (see Figure 1 below). The web malware problem continues to grow dramatically as an increasing number of legitimate sites are getting infected.
Looking at the major modes of communication used on the Internet, email was one of the first such major mode of communication, and we saw attackers take advantage of it by distributing viruses as email attachments. Over time, we saw that email became web-based with services such as Hotmail, Yahoo! Mail, and Gmail, and such services had to incorporate anti-virus software on their servers to scan email attachments for malware.
As web page views continued to increase and web pages themselves became more and more interactive via Web 2.0 trends, cybercriminals took advantage of the advent of drive-by-download techniques to infect users without requiring the opening of attachments, thereby allowing them to exploit web pages as an increasingly pervasive malware distribution platform
As we approach 2011, we predict that as the usage specifically of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter, as evidenced by threats such as the Koobface botnet that continually targets Facebook
The FTC has just issued a bulletin on the increased activities and dangers associated with Online Dating scams
FTC Warns Consumers About Online Dating Scams
QUOTE: The Federal Trade Commission, the nation’s consumer protection agency, warns that scammers sometimes use online dating and social networking sites to try to convince people to send money in the name of love. In a typical scenario, the scam artist creates a fake profile, gains the trust of an online love interest, and then asks that person to wire money—usually to a location outside the United States.
Here are some warning signs that someone you met online could be in it for the money:
-- Wanting to leave the dating site immediately and use personal e-mail or IM accounts.
-- Claiming instant feelings of love.
-- Claiming to be from the United States but currently overseas.
-- Planning to visit, but being unable to do so because of a tragic event.
-- Asking for money to pay for travel, visas or other travel documents, medication, a child or other relative’s hospital bills, recovery from a temporary financial setback, or expenses while a big business deal comes through.
-- Making multiple requests for more money.
The FTC warns consumers that wiring money to someone they haven’t met is the same as sending cash. Once it’s gone, it can’t be recovered.
As a best practice, never respond to emails that appear to come from Facebook by clicking on links or images. Instead go directly into your Facebook account and process any new requests there.
Spammed malware linked into your Facebook photo
QUOTE: This most recent attack technique appears as an arriving email but contains a crafted malicious link. The attack is camouflaged as a Facebook correspondence alerting the victim that a friend “commented on your photo”. Although new security procedures are being implemented to protect Facebook users, cybercriminals will continue to aggressively abuse this and other social networks.
The sender name is counterfeit and the email is NOT a Facebook address. When you run your cursor over the fake Facebook link it then becomes visible that it will redirect to a suspicious page.
Last week, Facebook announced their new Messaging system that will be launching in the next few months. Certainly it will give better control to users, and will possibly minimize some issues but we at McAfee Labs expect spammers and cybercriminals to attempt abuse as well. I’m a firm believer the most powerful tool is still common sense alongside some best practices: be an informed, safe and protected user. Always keep your security software up to date!
A neat reflection on the value security plays in protecting our identity, privacy, and information, as we reflect during the Thanksgiving holiday.
PC Magazine - Try To Be Thankful For Your Security
QUOTE: I'll avoid business products which, I would argue, provide much more defensive power than consumer products. Consumers can still do a good job by following a few basic rules:
• Don't run Windows XP. Run Windows 7 or at least Windows Vista.
• For your everyday tasks, run as a standard, i.e. less-privileged user. If you get a UAC prompt for elevation, pay attention to it. If an application you run doesn't work well in this environment, try to find a replacement. That application is probably badly-designed and you should blame the developers.
• Keep your operating system and applications up to date.
• Run a security suite and keep it up to date.
• Don't install software casually. Look carefully at what you're installing and at what happens in the installation process. Remove software from your system if you're no longer using it.
Corporate Security - Strength of Passwords as Measurement criteria
Having tested password strength in the past, they can be a barometer of how well employees are following security guidelines and awareness programs. It's also a measurement of technical controls as companies should have complex passwords as a requirement.
Corporate Security - Strength of Passwords as Measurement criteria
QUOTE: The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many cases the first and last line of defence. It is quite important to get it right. Most of us know that when we turn on password complexity in Windows it is no guarantee that the user will select a decent password. After all Password is an 8 character password that will pass complexity checking in Windows and not many of us would argue that it is a decent password.
Another element needs to be in place to get decent passwords, user awareness. When you analyse the passwords you can identify whether reasonable passwords are being used and hence determine whether user awareness training has worked, a refresher is needed or all is good. When cracking passwords you will also be able to determine patterns used by users, admin staff, service accounts, resource accounts, helpdesk etc. All useful information in determining the security posture.
Google quickly resolved this unauthorized email harvesting issue. As it strives to better compete with Facebook, security and privacy are always important design considerations as Google continues to bundle numerous services in it's portal for the "one stop" shopping.
Whoa, Google, That’s A Pretty Big Security Hole:
Facebook would probably just consider this a feature, but the rest of us will definitely consider this a big security hole. The creator of a security website emailed us this morning to explain. If you’re already logged in to any Google account (Gmail, etc.), and visit that site, he’s harvested your Google email. And proves it by emailing you immediately.
ISSUE RESOVLED: Google says the issue is now resolved: “We quickly fixed the issue in the Google Apps Script API that could have allowed for emails to be sent to Gmail users without their permission if they visited a specially designed website while signed into their account. We immediately removed the site that demonstrated this issue, and disabled the functionality soon after. We encourage responsible disclosure of potential application security issues to firstname.lastname@example.org.”
I've updated one of my systems to try out the new release and am interested in safety improvements for key products used. Here's hoping this new safety features will help combat the constant stream of malicious PDF attacks.
Adobe 10 - New X Version features Sandbox architecture for improved safety
Adobe Reader X - Download site
QUOTE: Adobe released the Reader X version today. This is the version of Reader that has sandbox feature built-in, there is now a degree of separation between the OS and the potentially malicious PDF files. The same sandbox mechanism had been implemented in Google Chrome and also MS Office. Containment of the harmful files lessen the damage should a successful attack were to happen. Given the amount of 0-day attacks on this software, we recommend our readers on Windows platform to upgrade to this version of Reader soon to leverage the sandbox technologies. While it does not prevent all exploitation, every little bit helps.
SYSTEM REQUIREMENTS FOR WINDOWS
• Intel® 1.3GHz or faster processor
• Microsoft® Windows® XP Home, Professional, or Tablet PC Edition with Service Pack 3 (32 bit) or Service Pack 2 (64 bit); Windows Server® 2003 (with Service Pack 2 for 64 bit; Windows Server® 2008 (32 bit and 64 bit); Windows Server 2008 R2 (32 bit and 64 bit); Windows Vista® Home Basic, Home Premium, Business, Ultimate, or Enterprise with Service Pack 2 (32 bit and 64 bit); Microsoft Windows 7 Starter, Home Premium, Professional, Ultimate, or Enterprise (32 bit and 64 bit)
• 256MB of RAM (512MB recommended)
• 260MB of available hard-disk space
• 1024x576 screen resolution
• Microsoft Internet Explorer 7 or 8; Mozilla Firefox 3.5 or 3.6
• Video hardware acceleration (optional)
Sunbelt has an excellent blog related to security rogue products. It warns of a fake review scam that is designed to promote even non-existant products with a convenient ordering system to purchase these from the site. Victims will be charged but receive no product and it's always best to purchase products from reputable mainstream sources.
Sunbelt: Let the (AV) buyer beware
QUOTE: There have probably been as many scams involving sales of anti-virus security products on the World Wide Web as there have been sales of “prime” real estate (that turn out to be under two feet of swamp water) in Florida.The site Anti-Virus Review, “The No.1 Anti-Virus Internet Network” claims that it has reviewed anti-virus products and presents its “gold”, “silver” and “bronze” award winners: ViraFix, Antivirus Download and Antivirus-Solution respectively.
These aren’t rogue products. These are AV products that apparently DO NOT EXIST. So, to make this long story a bit shorter, these sites all lead to payment pages that look quite similar: “Membership Options and Features.”
At the bottom is a post that was shared with all of my Facebook contacts ... In using this great resource professionally and to learn more about best practices, the following basic techniques can help in avoiding malware, privacy, or content issues:
1. Avoid all LINKS unless you are sure it is safe to visit or LIKE that site
2. Never accept contacts without reviewing their profile page first to ensure they are a good fit
3. Also if you choose to use a Facebook application, ensure it is a safe mainstream application used by many. Remove any questionable applications from your profile (I have zero FB apps as a non-gamer).
4. Never click on FB email links that actually or appear to come from Facebook as this may be a phishing attack or spoofed URLs ... Instead go to Facebook directly to review activity
5. Use the risk management principle of avoidance and always THINK BEFORE YOU CLICK -- I've helped some friends fix infections from Facebook attacks and there is a constant need to think of safety. Don't click or go to places that might be not be safe. And even good and traditionally safe sites can be attacked and injected with malware, so that they become unsafe temporarily until the attacks are discovered and removed.
6. Think about Privacy and ramp up your settings ... Please see last link offered in this more detailed post below for screen-by-screen techniques in improving Privacy settings:
7. Be careful what you say and twice as careful in what you write. While folks should have fun, don't get too carried away in public sharing as it creates a PERMANENT RECORD which may be difficult to remove later (esp. when searching for a job)
QUOTE: VIRUS ALERT - Many have THE BIBLE as a feed and they have just warned to AVOID ALL VIDEO LINKS offered. Their site was highjacked and they have since fixed this issue. PLEASE BE CAREFUL - It is safe to LIKE PLAIN TEXT posts, but please be careful with links, URLs, & Video feeds - unless you are sure it is safe. Also, when accepting new contacts, ALWAYS CHECK OUT PROFILE PAGE first as a safety precaution.
Adobe Acrobat and Reader users should look for a major update on Tuesday (esp. if you use version 9)
Adobe Reader - Major Security update coming on 11/16/2010
QUOTE: Adobe has issued a prenotification security advisory to say that next Tuesday, November 16, they will release security updates for Adobe Reader and Acrobat 9.x. On that day they will release updates for Reader 9.4 and earlier 9.x versions for Windows, Mac and UNIX. They will also release updates for Acrobat 9.4 and earlier 9.x versions for Windows and Mac. The UNIX updates for Acrobat is expected on Monday, November 30. No mention is made of any updates for 8.x versions of Acrobat or Reader. The prenotification specifically says that the updates will include the CVE-2010-3654 issue in Flash, which has been observed in the wild, but it will likely include all the other Flash issues fixed by Adobe in Flash itself last week.
More Posts Next page »