
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

January 2012 - Posts

Facebook - Avoid Fake Profile reporting applications

The Facecrooks security site warns users to avoid installing apps that claim to report who is watching their profile (no such capability currently exists).

http://facecrooks.com/Scam-Watch/omg-i-just-n0ticed-who-keep-watching-my-profile-and-photos-it-was-really-shocking-to-know-facebook-scam.html

QUOTE:  Clicking “Allow” will give the scammer access to your Facebook data at any time and the application will be able to post to Facebook as you. This will allow them to spam their scam messages to all of your friends. This particular application is called “Pr0file Watcher”, but scams like this are known to use multiple Facebook apps. Anytime you install a third party Facebook application, you give the application developer access to your personal data. Always be very selective on the apps you install, and only install them from well-known, trusted sources.

Facebook - Use caution when installing applications

http://facecrooks.com/Internet-Safety-Privacy/why-you-should-not-install-fun-entertaining-facebook-applications.html

QUOTE: We often have readers ask us questions about specific Facebook applications. Some apps generate an enormous amount of spam and can annoy your Facebook friends. Others are outright scams and should be avoided entirely. For example, any application offering to show you who has viewed your profile, who your Facebook stalkers are etc., are guaranteed to be fraudulent. Facebook doesn’t allow developers access to the data required to create apps like this.

Android.Counterclank - Update from Symantec

http://www.symantec.com/connect/blogs/update-androidcounterclank

QUOTE: Last week, we posted a blog informing Android users of the discovery of new versions of Android.Tonclank, which we have named Android.Counterclank. The blog generated a bit of discussion over whether these new versions should be a concern to Android users. When classifying applications, our focus is on whether users want to be informed of the application's behavior, allowing them to make a more informed choice regarding whether to install it.

Android.Counterclank - Symantec malware description
http://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99


Zscaler - Analyzes URL safety

Zscaler's free Zulu service rates the risk of a website link before you click it, as noted below:

PC Magazine: Zscaler - Analyzes URL safety
http://securitywatch.pcmag.com/internet-crime/293516-zscaler-zulu-flags-dangerous-sites

Zscaler - Analyzes URL safety (Home Page)
http://zulu.zscaler.com/

QUOTE: Security experts constantly warn you to avoid clicking links in tweets, emails, Facebook posts, and so on. Even if the sender is a friend, the link might have been added by a virus. So does that mean you can never check out the latest viral video? Sure, you can do that. Just check the URL with ZScaler's free Zulu URL Risk Analyzer first.

SuperBowl - Six ways to avoid online scams

This PC Magazine article shares good protective approaches:

SuperBowl - Six ways to avoid online scams
http://securitywatch.pcmag.com/none/293485-super-bowl-xlvi-6-ways-to-avoid-an-online-scam

QUOTE: Six methods of protection include:

1. Buy tickets from legitimate or licensed resellers
2. DON'T leave sight of the site
3. Pay using encryption (SSL)
4. Scrutinize your ticket
5. DON'T share personal information
6. DON'T fall for online scams

For more, see 11 Tips for Safe Online Shopping

Facebook - Valentine's malware themes circulating

Trend Labs shares an important holiday warning: be cautious before selecting any Valentine's link, app, or theme on Facebook:

Facebook - Valentine's malware themes circulating
http://blog.trendmicro.com/facebook-valentines-theme-leads-to-malware/

QUOTE: It’s never too early to get ready for Valentine’s day, it seems, even when it comes to malicious attacks. Recently, I came across a scam in Facebook that leverages the upcoming occasion. The said attack begins with a post on affected users’ wall inviting other users to install a Valentine’s theme into their Facebook profile.

MS12-004 Early malware attacks starting to appear in wild

Trend Labs documents the first malware attacks in the wild that exploit the Windows Media Player (MIDI) vulnerability patched by MS12-004 in Microsoft's January 2012 updates. Corporate and home users should apply the patch promptly and avoid suspicious files or links offered in email or on websites.

MS12-004 Early malware attacks starting to appear in wild
http://blog.trendmicro.com/malware-leveraging-midi-remote-code-execution-vulnerability-found/

MS12-004 is rated as a highly critical security patch by Microsoft & ISC
http://technet.microsoft.com/en-us/security/bulletin/ms12-004

QUOTE:  Earlier today, we encountered a malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003). (Ed. Note: addressed in MS12-004).  The said vulnerability is triggered when Windows Multimedia Library in Windows Media Player (WMP) fails to handle a specially crafted MIDI file, consequently allowing remote attackers to execute arbitrary code.

In the attack that we found, the infection vector is a malicious HTML which we found hosted on the domain, hxxp://images.{BLOCKED}p.com/mp.html. This HTML, which Trend Micro detects as HTML_EXPLT.QYUA, exploits the vulnerability by using two components that are also hosted on the same domain. The two files are: a MIDI file detected as TROJ_MDIEXP.QYUA, and a JavaScript detected as JS_EXPLT.QYUA.

Facebook - Do not install the "What Does Your Name Mean" application

The security firm Facecrooks documents a new scam circulating.

What does your name mean? Find out here – Facebook Scam
http://facecrooks.com/Scam-Watch/what-does-your-name-mean-find-out-here-facebook-scam.html

QUOTE: What does your name mean? Find out Here – > Installing the application gives the developer access to your basic information. You are also asked on the next screen if you would like to give the application the ability to post to your Facebook Wall. (How nice of them to ask – usually they don’t give you the option.) The end game of the scam is the following survey:


More Details in Related links:

Your Ultimate Guide to Facebook Scams and How to Deal with Them

How to spot a Facebook Survey Scam

Android Counterclank BotNet - Over 1 million downloads

The new Android Counterclank BotNet has been downloaded over 1 million times and may have infected a large number of users:

Android Counterclank BotNet - Over 1 million downloads
http://securitywatch.pcmag.com/none/293451-millions-download-new-trojan-discovered-in-android-market

QUOTE:  Symantec has discovered a new Android botnet that is still thriving in the Android Market and has already been downloaded several million times this year. The Trojan 'Android.Counterclank' was packaged in at least 13 free games published by three different publishers, making it harder to trace. Symantec notified Google on Thursday and at press time, 9 of the apps were still available in Google's official app store.

According to Symantec researcher Irfan Asrar, ‘Counterclank’ can carry out commands from a remote control center on your mobile device. According to Symantec's virus definition, it steals information and can potentially display ads on your device.  “When the package is executed, a service with the same name may be seen running on a compromised device. Another sign of an infection is the presence of the Search icon above on the home screen,” Asrar wrote. No information on geographic scope has been given, but Asrar said that the sheer number of downloads, 1-5 million, makes it the most widespread piece of mobile malware found so far this year.

Spam email - may infect some PCs without opening attachments

Users should avoid spam messages titled "Banking security update" and, in general, treat all spam email with care. A sophisticated HTML-based attack has surfaced that uses embedded JavaScript to download malware as soon as the message is rendered, with no link clicked or attachment opened. Viewing email as plain text may also improve user safety.

Getting infected just got a whole lot easier, researchers say
http://www.darkreading.com/security/attacks-breaches/232500660/new-drive-by-spam-infects-those-who-open-email-no-attachment-needed.html

QUOTE: According to researchers at eleven, a German security firm, the new drive-by spam automatically downloads malware when an email is opened in the email client. The user doesn't have to click on a link or open an attachment -- just opening the email is enough. "The new generation of email-borne malware consists of HTML e-mails which contain a JavaScript which automatically downloads malware when the email is opened," eleven says in a news release. "This is similar to so-called drive-by downloads, which infect a PC by opening an infected website in the browser."

The current wave of drive-by spam contains the subject "Banking security update" and has a sender address with the domain fdic.com. If the email client allows HTML emails to be displayed, the HTML code is immediately activated. The user only sees the note "Loading…Please wait," eleven says. In the meantime, the attempt is made to scan the PC and download malware.
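The mitigation mentioned above, rendering mail as plain text so that HTML and script in a message body are never interpreted, can be enforced per user on Outlook. The script below is an added example and is not code from the blog or from eleven; it assumes Outlook 2010 (registry version key 14.0) and that the ReadAsPlain DWORD under Options\Mail is the value behind the "Read all standard mail in plain text" option. Adjust $officeVersion for other releases and verify the value against your own baseline before rolling it out with Group Policy Preferences.

```powershell
# Added example (not from the Dark Reading article or this blog): make Outlook
# render all incoming mail as plain text, so embedded HTML/JavaScript is never
# executed merely by opening a message.
# Assumption: Outlook 2010 (14.0) and the documented ReadAsPlain value.

$officeVersion = '14.0'   # 12.0 = Outlook 2007, 14.0 = Outlook 2010; adjust as needed
$mailKey = "HKCU:\Software\Microsoft\Office\$officeVersion\Outlook\Options\Mail"

# The Options\Mail key may not exist until Outlook has been run once.
if (-not (Test-Path $mailKey)) {
    New-Item -Path $mailKey -Force | Out-Null
}

# Record the current state so the change can be audited or reverted.
$before = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
if ($null -eq $before) {
    Write-Host "ReadAsPlain before: not set (Outlook default: render HTML)"
} else {
    Write-Host "ReadAsPlain before: $before"
}

# 1 = read all standard mail as plain text; 0 = render HTML as received.
Set-ItemProperty -Path $mailKey -Name ReadAsPlain -Value 1 -Type DWord

$after = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain).ReadAsPlain
Write-Host "ReadAsPlain after: $after"
```

Outlook reads this value at startup, so restart Outlook after running the script. The setting only changes how a message is displayed; a user can still choose to view an individual message as HTML, so it complements, rather than replaces, mail gateway filtering of script-bearing HTML bodies.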

Symantec pcAnywhere - Please patch for critical vulnerabilities

The ISC rates these vulnerabilities with its highest "PATCH NOW" rating.

Symantec pcAnywhere - Please patch for critical vulnerabilities
http://isc.sans.edu/diary/pcAnywhere+users+patch+now+/12463

QUOTE: Symantec released a patch for pcAnywhere products that fixes a couple of vulnerabilities, among which the most dangerous one allows remote code execution. You can see Symantec’s advisory here. Now, for the last couple of weeks there have been a lot of rumors about source code of several Symantec’s products that got stolen by yet unknown hackers. Besides a post that listed file names nothing else has been released in public yet, as far as we know. However, Symantec also released a document (available here) that details security recommendations for pcAnywhere users. It is obvious that Symantec is aware of how critical the published vulnerabilities are. It makes us wonder if there has already been active exploitation of the published vulnerabilities, or Symantec is just being extra careful?

NetBIOS - Recommendation to disable within TCP/IP on client PCs

This is a beneficial hardening recommendation from the ISC for client PCs.

ISC - Is it time to get rid of NetBIOS?
http://isc.sans.org/diary/Is+it+time+to+get+rid+of+NetBIOS+/12454

QUOTE: NetBIOS, and its weaknesses that allow extremely easy spoofing, have been well known all the way since 2005. I recently discussed NetBIOS with a colleague of mine, Arcel, and this discussion prompted me to see if anything changed with NetBIOS and recent Windows releases. While I was almost certain that the old NetBIOS spoofing attacks do not work any more, I was stunned to see that even the latest and greatest Windows 7 still enables NetBIOS over TCP/IP by default. So what can we do to protect ourselves and our users against this? This is one of those times when auditors that bug you about settings and configuration are really right:

1. Unless you moved everything to Windows Vista or newer, make sure you disable LANMAN hashes. They are insecure and should not be used under any circumstances.

2. Disable NetBIOS over TCP/IP. I don’t think that anything really uses this any more.

If you want to learn more about this attack, read the excellent post below and, once you get scared enough, take care of your network and users.

http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
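The two steps the ISC diary recommends can be audited and applied from an elevated PowerShell session. The script below is an added example, not code from the ISC or this blog; it assumes the documented locations for these settings: the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the registry form of the "Do not store LAN Manager hash value on next password change" policy) and the SetTcpipNetbios method of the Win32_NetworkAdapterConfiguration WMI class, which writes NetbiosOptions under the NetBT interface keys. In a domain, the same settings are normally pushed by Group Policy and DHCP option 001 rather than scripted per machine.

```powershell
# Added example (not from the ISC diary or this blog): audit and apply the
# two client hardening steps recommended above.
# Assumptions: elevated session; documented registry/WMI locations as noted
# in the lead-in. Test on a pilot machine before wide deployment.

# --- Step 1: stop storing LAN Manager (LM) password hashes ------------------
# NoLMHash = 1 tells LSA not to store the weak LM hash. Note that existing
# LM hashes are only removed when each account next changes its password.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = (Get-ItemProperty -Path $lsaKey -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
if ($null -eq $lm) { $lm = 'not set (LM hashes stored)' }
Write-Host "NoLMHash before: $lm"
Set-ItemProperty -Path $lsaKey -Name NoLMHash -Value 1 -Type DWord
Write-Host "NoLMHash after:  $((Get-ItemProperty -Path $lsaKey -Name NoLMHash).NoLMHash)"

# --- Step 2: disable NetBIOS over TCP/IP on every IP-enabled adapter --------
# SetTcpipNetbios(2) = disable NetBIOS over TCP/IP; 0 = use DHCP setting; 1 = enable.
# Return value 0 = success, 1 = success but a reboot is required.
$adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
foreach ($nic in $adapters) {
    $result = $nic.SetTcpipNetbios(2)
    Write-Host ("{0}: SetTcpipNetbios returned {1}" -f $nic.Description, $result.ReturnValue)
}

# --- Verify: NetbiosOptions = 2 under each interface key means "disabled" ---
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $ifaceRoot | ForEach-Object {
    $opt = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
    [pscustomobject]@{
        Interface      = $_.PSChildName
        NetbiosOptions = $opt
        State          = switch ($opt) { 0 { 'DHCP default' } 1 { 'enabled' } 2 { 'disabled' } default { 'unknown' } }
    }
} | Format-Table -AutoSize
```

The verification table is the part worth keeping in a compliance check: an interface still reporting 0 or 1 after the change usually means a new adapter (VPN, virtual switch) was added after the script ran, and the DHCP-supplied default has re-enabled NetBIOS on it. Before disabling NetBIOS fleet-wide, confirm that no legacy application still depends on NetBIOS name resolution, since name lookups will then rely on DNS alone.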

Facebook - Some Donation pages run by Fraudsters

The security site Facecrooks reminds readers to check charity pages carefully to ensure they are legitimate. Donations should be made only through mainstream, well-established sites, after careful research to ensure the money reaches those truly in need.

Facebook - Some Donation Pages Run by Fraudsters
http://facecrooks.com/Internet-Safety-Privacy/beware-of-facebook-donation-pages-ran-by-fraudsters.html

QUOTE: Facebook has become a rather popular medium for gathering donations. Of course, with the site’s 800 million users, it’s practically guaranteed that you’ll find somebody who is sympathetic to your cause. In fact, Facebook’s so effective that some people have successfully used it as a platform for collecting donations, particularly for medical expenses. Some people have even found organ donors through the site. However, there are always two sides to every coin and the platform is easily abused by scammers.

AV-TEST - Many antivirus products improve in Dec 2011 testing

Below are the most recent results from AV-TEST for both home and corporate products:

AV-TEST Dec 2011 - Many vendor products improve
http://securitywatch.pcmag.com/security-software/292980-many-vendors-improve-in-latest-av-test-report

AV-TEST FULL REPORT
http://www.av-test.org/en/tests/test-reports/novdec-2011/

QUOTE: German antivirus research lab AV-Test.org tested almost two dozen consumer-side security products under Windows 7, rating each for cleanup of existing malware infestations, protection against new attacks, and overall usability. Quite a few of the products improved their scores over the last Windows 7 test several months ago, some of them substantially.  Kaspersky is the new leader, with 17 points. That's 1.5 points better than it scored in the last Windows 7 test, and just one point short of the 18-point maximum.

SOPA/PIPA Legislation postponed

www.zdnet.com/blog/btl/sopa-pipa-postponed-nice-work-everyone/67622

QUOTE:  The Stop Online Piracy Act (SOPA), and the PROTECT-IP Act, known as PIPA, have both been postponed from being voted on in the House and Senate respectively.  An impending vote on SOPA triggered widespread protests leaving hundreds of millions of Web users without access to their favourite sites. Though both bills have been shelved, both SOPA and PIPA are far from dead. What is clear, however, is that the bills will not return in their current form.

Internet Privacy Law - Several Links

QUOTE: If you want more info Wikipedia has some good links from their Privacy Law page. 

http://en.wikipedia.org/wiki/Internet_privacy

http://en.wikipedia.org/wiki/Privacy_law

Some of the other resources around:

Android Malware - How much will it grow in 2012

While Android malware growth will probably level off, it increased at a significant rate during 2011. Users should be careful with all applications and links that could potentially compromise Android security.

Trend Labs - How Big will the Android Malware Threat Be in 2012?
http://blog.trendmicro.com/how-big-will-the-android-malware-threat-be-in-2012/

QUOTE:  In August 2011, we released our Snapshot of Android Threats, which stated that there was a significant increase in the number of Trojanized Android apps and actual malware targeting the Android platform.  In our 12 Security Predictions For 2012, we mentioned that smartphone and tablet platforms, especially Android, will suffer from more cybercriminal attacks.

In our continuous monitoring of this threat, we soon noticed that the problem was growing at an alarming rate. From a mere handful of malicious apps at the start of the year, it skyrocketed to more than a thousand malicious Android apps by the middle of December 2011. The average month-on-month growth rate for the second half of 2011 was more than 60%.  If this growth rate is sustained this year, then 2012 will definitely be an “exciting” year for Android. Why is this so? If current trends hold, we may be able to see more than 120,000 malicious Android apps by December.

Microsoft Security Updates - January 2012

The first security update of 2012 is now available and should be promptly installed.

Microsoft Security Updates - January 2012
http://technet.microsoft.com/en-us/security/bulletin/ms12-jan
http://blogs.technet.com/b/msrc/archive/2012/01/10/january-2012-security-bulletins-released.aspx

ISC Analysis (Two client vulnerabilities are rated as PATCH NOW)
http://isc.sans.org/diary/January+2012+Microsoft+Black+Tuesday+Summary/12361

QUOTE: Today we are releasing seven security bulletins, one of which is rated Critical in severity, with the remaining six classified as Important.  These bulletins will address eight vulnerabilities in Microsoft products. Customers should plan to install all of these updates as soon as possible. For those who must prioritize deployment, we recommend focusing first on the sole critical update:

• MS12-004 (Windows Media Player): Vulnerabilities in Windows Media Player Could Cause Remote Code Execution. This bulletin – the only one in January’s set to include multiple CVEs – addresses two issues that could arise if a would-be attacker sent a malicious MIDI or DirectShow file to a targeted user. Both of these issues were cooperatively disclosed to Microsoft, and we know of no active exploitation in the wild. Still, we recommend that customers read through the bulletin information concerning MS12-004 and apply it as soon as possible.

DDoS Attacks - Services for hire

F-Secure highlights this unusual and illegal service.

Cheap Professional DDoS Service
http://www.f-secure.com/weblog/archives/00002296.html

QUOTE: Now here's something that you don't see everyday, a YouTube video in which a young woman advertises DDoS services, with a smile.  "Hello, Hackers." Please visit our website. Just $2 per hour… Also, easy payment options.

Android Security - Avoid the "Unlock Your Phone's Hidden Features" scam

F-Secure highlights a new social engineering scheme that leads to a malicious website and to agents that can compromise Android security.

F-Secure: Unlock Your Phone's Hidden Features!... Not.
http://www.f-secure.com/weblog/archives/00002299.html

QUOTE: Yesterday, we stumbled across this ad from an Android-related site. Clicking this led to a malicious menu entitled "Android Market". The text above mentions that mobile phone manufacturers are known to hide phone functionalities in order to earn money. The idea is that the manufacturers would then earn money through an OS update that unlocks the hidden features. This site claims to check your phone for such hidden features and unlock them. We detect this malware as Trojan:Android/FakeNotify.A (the APK), and Trojan:Java/FakeNotify.C (the JAR).
