November 2010 - Posts

This proof-of-concept test reveals a UI-spoofing vulnerability in Safari on the iPhone that will most likely be patched soon. In any browser, be careful with URLs and make sure the address bar you are reading belongs to the browser itself and is not drawn by the page.

Apple - iPhone Spoofing Vulnerability
http://blogs.pcmag.com/securitywatch/2010/11/iphone_vulnerable_to_web_ui_sp.php
http://blogs.sans.org/appsecstreetfighter/2010/11/29/ui-spoofing-safari-iphone/

QUOTE: Dhanjani shows how the default behavior for Safari is to scroll the page up to display more of its content, causing the address bar to disappear. This behavior is in response to particular Apple HTML META tags from the attack site advertising itself as a mobile site. The spoof page includes a fake address bar at the top which looks like the real address bar after the load.

Kaspersky Lab is reporting a return of GpCode trojan attacks with greatly improved encryption. These attacks are called ransomware because they require infected users to pay for a decryption key (which may not work anyway). Users should not only avoid potential attacks but also fully back up their PCs and formulate a data-recovery strategy to minimize the potential loss of information.

GPCODE Malware uses RSA-1024 and AES-256 Encryption
http://www.securelist.com/en/blog/208188032/And_Now_an_MBR_Ransomware
http://www.securelist.com/en/blog/333/GpCode_like_Ransomware_Is_Back

QUOTE: We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008. GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.

As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering and even decrypting your data with our decryption tools.

Now, GpCode is back and it is stronger than before. Unlike the previous variants, it doesn't delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.

Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte. The malware detection was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.
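Because this variant overwrites only the beginning of each file, a first triage pass over a suspect machine can be made from file headers alone: a file whose magic bytes no longer match its extension and whose first kilobytes are near-random has probably been encrypted, while a zeroed or otherwise mangled header points to ordinary corruption. The following Python is an added example written for this page (it is not Kaspersky's tooling or analysis); the magic-byte table, the 4096-byte window, the 7.0 bits/byte entropy threshold and the sample files are constructed for the demonstration.

```python
import hashlib
import math

# Well-known leading bytes for a few common formats.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

HEAD_BYTES = 4096          # how much of each file the triage looks at (assumed)
ENTROPY_THRESHOLD = 7.0    # bits per byte; assumed cut-off for "looks like ciphertext"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(name: str, head: bytes) -> dict:
    """Classify a file from its leading bytes only, which is all a
    GpCode-style partial overwrite needs to destroy."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    expected = MAGIC.get(ext)
    magic_ok = expected is not None and head.startswith(expected)
    ent = shannon_entropy(head)
    if expected is None:
        verdict = "unknown-type"            # nothing to compare against
    elif magic_ok:
        verdict = "intact"                  # header survived; body not inspected here
    elif ent >= ENTROPY_THRESHOLD:
        verdict = "suspect-encrypted"       # header gone, replaced by near-random bytes
    else:
        verdict = "corrupt-or-mislabelled"  # header gone but low entropy: not ciphertext
    return {"name": name, "magic_ok": magic_ok, "entropy": round(ent, 2), "verdict": verdict}


def pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed sample data)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed sample files: one intact, one with its header overwritten by
# ciphertext-like bytes, one of unknown type, one zero-filled.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n" + b"\x00" * 4000,
    "budget.xlsx": pseudo_random(b"budget", HEAD_BYTES),
    "notes.txt": b"meeting notes " * 300,
    "photo.jpg": b"\x00" * HEAD_BYTES,
}


def scan(samples=SAMPLES) -> list:
    """Run the header triage over a name -> bytes mapping."""
    return [triage(name, data[:HEAD_BYTES]) for name, data in samples.items()]


if __name__ == "__main__":
    for row in scan():
        print(row)
```

The verdict trusts intact magic bytes before it looks at entropy, because compressed formats such as DOCX and JPEG have high-entropy bodies of their own; the entropy test is only consulted once the header is known to be gone.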

A new rogue security product, still with limited detection coverage, has emerged; it even displays fake Blue Screens of Death along with false alerts to trick users into paying for its "cleaning" capabilities.

ThinkPoint - Fake Trojan Removal kit
http://sunbeltblog.blogspot.com/2010/11/fake-trojan-removal-kit-serves-up.html

QUOTE: You might want to steer clear of the following fake security program, being promoted as a “Windows Trojan Removal Kit” but actually hijacking your PC in the form of the ThinkPoint rogue.  Installing the executable can potentially give you a bit of a headache, with what would appear to the average user to be fake “Blue Screens of Death” and payment nag screens. See here for details on how to get around the supposedly locked up desktop, and check here for some of the many variations on this theme.

Secunia has rated this newly discovered risk as Highly Critical. McAfee will most likely address this concern quickly for the VirusScan Enterprise version 8 family of products. The underlying issue is the DLL-preloading (insecure library loading) pattern: an application asks for a library by name only, and the loader searches directories an attacker can influence before it gives up.

McAfee VirusScan Enterprise - Insecure Library Loading Vulnerability
http://secunia.com/advisories/41482

QUOTE: The vulnerability is caused due to the application loading libraries (e.g. traceapp.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening a Word Document with an embedded ActiveX control located on a remote WebDAV or SMB share in Microsoft Office 2003.
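The mechanism behind this class of bug is the DLL search order: when code asks for a library by bare name, the loader walks a fixed list of directories, and the current directory (which ends up being the WebDAV or SMB share when a document stored there is opened) is on that list. If the product does not ship the library at all, nothing earlier in the list satisfies the request and the attacker's copy on the share is loaded. The Python below is an added example for this page, not McAfee or Secunia code: it models the documented default search order (SafeDllSearchMode enabled) with plain directories instead of calling Windows APIs, uses the traceapp.dll name from the advisory, and treats the `cwd_removed` flag as standing in for the effect of SetDllDirectory("") on the real loader.

```python
import os
import tempfile

DLL = "traceapp.dll"   # the library name the Secunia advisory gives as an example


def search_order(app_dir, system_dir, windows_dir, cwd, path_dirs, cwd_removed=False):
    """Model of the default Windows DLL search order with SafeDllSearchMode on:
    application directory, system directory (the 16-bit system directory is
    omitted here), Windows directory, current directory, then PATH.
    cwd_removed models SetDllDirectory(""), which drops the current directory."""
    order = [app_dir, system_dir, windows_dir]
    if not cwd_removed:
        order.append(cwd)
    return order + list(path_dirs)


def resolve(name, order):
    """First directory in the order holding `name`, or None when the load fails.
    A model of LoadLibrary's lookup for an unqualified name, not the API itself."""
    if os.path.isabs(name):           # fully qualified paths never walk the list
        return name if os.path.isfile(name) else None
    for d in order:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def build_layout(root, legit_dll_present):
    """Constructed layout: the product's directory, System32, Windows, a PATH
    directory and the attacker's share, which becomes the current directory
    when a document on it is opened."""
    dirs = {k: os.path.join(root, k) for k in ("app", "System32", "Windows", "share", "pathdir")}
    for d in dirs.values():
        os.makedirs(d)
    with open(os.path.join(dirs["share"], DLL), "wb") as f:
        f.write(b"MZ attacker-controlled (constructed)")
    if legit_dll_present:
        with open(os.path.join(dirs["System32"], DLL), "wb") as f:
            f.write(b"MZ legitimate (constructed)")
    return dirs


def scenario(legit_dll_present, cwd_removed):
    """Where does an unqualified load of DLL end up?  Returns the directory
    name it resolved to, or None when no copy is found."""
    with tempfile.TemporaryDirectory() as root:
        d = build_layout(root, legit_dll_present)
        order = search_order(d["app"], d["System32"], d["Windows"], d["share"],
                             [d["pathdir"]], cwd_removed)
        hit = resolve(DLL, order)
        return None if hit is None else os.path.basename(os.path.dirname(hit))


if __name__ == "__main__":
    print("missing DLL, default search ->", scenario(False, False))  # share
    print("missing DLL, CWD removed    ->", scenario(False, True))   # None
    print("DLL in System32, default    ->", scenario(True, False))   # System32
```

The same model shows why the usual fixes work: a fully qualified path never walks the list, and either removing the current directory from the search or shipping the library so it is found in the application or system directory first means the share is never consulted.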

Several warnings and an excellent list of best practices can be found in the link below:

FBI Warning - Electronic Scam Warnings and Best Practices for Avoidance
http://www.fbi.gov/scams-safety/e-scams

BEST PRACTICES TO AVOID BEING SCAMMED:

  • A federal statute prohibits mailing lottery tickets, advertisements, or payments to purchase tickets in a foreign lottery.
  • Be leery if you do not remember entering a lottery or sweepstakes.
  • Beware of lotteries or sweepstakes that charge a fee prior to delivering your prize.
  • Be wary of demands to send additional money as a requirement to be eligible for future winnings.

 

BEST PRACTICES TO AVOID FRAUD:

  • Do not respond to unsolicited (spam) e-mail.
  • Do not click on links contained within an unsolicited e-mail.
  • Be cautious of e-mail claiming to contain pictures in attached files, as the files may contain viruses. Only open attachments from known senders. Scan the attachments for viruses if possible.
  • Avoid filling out forms contained in e-mail messages that ask for personal information.
  • Always compare the link in the e-mail with the link to which you are directed and determine if they match and will lead you to a legitimate site.
  • Log directly onto the official website for the business identified in the e-mail, instead of “linking” to it from an unsolicited e-mail. If the e-mail appears to be from your bank, credit card issuer, or other company you deal with frequently, your statements or official correspondence from the business will provide the proper contact information.
  • Contact the actual business that supposedly sent the e-mail to verify if the e-mail is genuine.
  • If you are asked to act quickly, or there is an emergency, it may be a scam. Fraudsters create a sense of urgency to get you to act quickly.
  • Verify any requests for personal information from any business or financial institution by contacting them using the main contact information.
  • Remember if it looks too good to be true, it probably is.

Trend Labs has created a Cloud Security blog and highlights key concerns for corporate users as noted below:

Trend Labs - Is your organization ready for the Cloud?
http://blog.trendmicro.com/is-your-organization-ready-for-the-cloud/

Trend Labs - Cloud Security Blog
http://cloudsecurity.trendmicro.com/

QUOTE: Cloud computing is one of the biggest trends in the computing world today. However, security concerns about the cloud make up one of the major reasons why companies are hesitant to migrate their operations to the cloud. Let’s discuss an important puzzle in cloud computing, that is, the problem of authentication.  Many authentication schemes are done via the traditional user name-password combination. Problems with relying on these are well-known but, as companies move to the cloud, these become even more important.

Cybercriminals have known the importance of user credentials for a long time now and have worked hard to develop techniques to steal them. The top 2 online banking Trojan families in recent history—ZeuS and SpyEye—both employ a wide range of techniques to steal user credentials. One of the most ingenious of these is the use of screenshots to counter on-screen keyboard safety measures online banks use as an anti-keylogging mechanism.

Saying that ZeuS and SpyEye are scary would be an understatement. Corporations should worry about two particular things—first, any website can be targeted, including those that provide confidential services in the cloud and second, even login pages protected by SSL are not safe. To make matters worse, account-stealing Trojans account for the majority of malware types Trend Micro has discovered so far.

Corporate VMware users should apply this important security update:

VMware ESX third party security update for Service Console
http://lists.vmware.com/pipermail/security-announce/2010/000111.html

QUOTE: It's an update for VMware ESX 4.1 without patch ESX410-201011001. Here's the problem description right off of their website:  Service Console OS update for COS kernel package. This patch updates the Service Console kernel to fix a stack pointer underflow issue in the 32-bit compatibility layer. Exploitation of this issue could allow a local user to gain additional privileges.

Corporate users of Sun's Solaris operating system should apply these important security updates:

Sun Solaris - Security Updates for November 2010
http://isc.sans.edu/diary.html?storyid=10003

QUOTE: Just in case you missed this on Friday, Sun have released details of three vulnerabilities with Solaris components:

  • PERL 5.8 - Safe Perl Modules (safe.pm) - Covers CVE-2010-1168
  • Apache - Apache Portable Runtime utility library - Covers CVE-2010-1623
  • BZIP2 - Integer Overflow vulnerability - Covers CVE-2010-0405

The "Who viewed your profile" and other major spam campaigns were prominent during the Thanksgiving holiday period. None of these messages are genuine, and for anyone who clicks the links and installs the hostile applications, they post multiple messages on that user's Facebook wall.

F-Secure: Happy Spamgiving Day
http://www.f-secure.com/weblog/archives/00002068.html
http://www.f-secure.com/weblog/archives/00002071.html
http://www.f-secure.com/weblog/archives/00002070.html
http://www.pc1news.com/news/1611/do-not-click-on-facebook-scam-message-twin-sister-inside-belly.html

QUOTE: It's Thanksgiving Day in the United States and most folks are probably at home with their families right now. But somebody at Facebook security is probably on the job, because we're observing various spam runs on the site. Spammers are probably timing their efforts in an attempt to take advantage of holiday surfers. This spammer is having a very successful holiday weekend; his public stream now shows a total of more than 686,000 clicks!

Please avoid clicking the "tiny" or "shortened" URLs currently circulating in spammed Facebook posts. The new worm installs randomly named Facebook applications, which may make cleanup a little more difficult for Facebook administrators. Hopefully this new threat can soon be contained and the spammed message attacks stopped.

Facebook - New worm spams and installs randomly named applications
http://www.zdnet.com/blog/igeneration/facebook-infested-with-new-worm-more-proof-site-is-insecure/6955

QUOTE: Facebook is infested with a new worm, hijacking status updates and spreading like wildfire to other users. Another bit of evidence towards Facebook being insecure, and lax with user privacy and data?

Facebook is littered with a worm, seemingly the same one under different names, created by randomly generated developers, which is spreading links all over the site. Applications like S22BZ5, created by the randomly assigned pseudonym ‘Jackson Lasseter’, have nearly 300 people under the grips of the worm. Others, such as the replicated applications B5DA8G, 9IHJ35 and AU0ZVE, have just under 1,000 people inadvertently spreading the worm.

Just in the last 24 hours, I have seen my own friends’ list infiltrated by these worm applications which set status messages via the application without the knowledge of the profile owner, through a shortened link service with an infected GIF file. Once again, this shows Facebook will allow applications which are not verified, that act in a worm or malware like fashion, and allows individual user privacy to become compromised to anyone who can slap together a simple application.

In monitoring developments during the third quarter, Dasient Security noted an increase in malicious web pages as well as web 2.0 security concerns (e.g., Twitter and Facebook).

Dasient Security Report - Malware is everywhere
http://www.pcmag.com/article2/0,2817,2373157,00.asp
http://blog.dasient.com/2010/11/normal.html

QUOTE: In Q3 Dasient continued to monitor millions of sites on the Internet for web-based malware infections and malvertisements. Based on the data gathered, we estimate that in Q3 over 1.2 million web sites across the Internet were infected, which is double our estimate from exactly one year ago (see Figure 1 below). The web malware problem continues to grow dramatically as an increasing number of legitimate sites are getting infected.

Looking at the major modes of communication used on the Internet, email was one of the first such major mode of communication, and we saw attackers take advantage of it by distributing viruses as email attachments. Over time, we saw that email became web-based with services such as Hotmail, Yahoo! Mail, and Gmail, and such services had to incorporate anti-virus software on their servers to scan email attachments for malware.

As web page views continued to increase and web pages themselves became more and more interactive via Web 2.0 trends, cybercriminals took advantage of the advent of drive-by-download techniques to infect users without requiring the opening of attachments, thereby allowing them to exploit web pages as an increasingly pervasive malware distribution platform.

As we approach 2011, we predict that as the usage specifically of social media web sites continues to grow, drive-by-downloads and rogue anti-virus will be used more aggressively on platforms such as Facebook and Twitter, as evidenced by threats such as the Koobface botnet that continually targets Facebook.

The FTC has just issued a bulletin on the increased activity and dangers associated with online dating scams.

FTC Warns Consumers About Online Dating Scams
http://www.ftc.gov/opa/2010/11/onlinedating.shtm

QUOTE: The Federal Trade Commission, the nation’s consumer protection agency, warns that scammers sometimes use online dating and social networking sites to try to convince people to send money in the name of love.  In a typical scenario, the scam artist creates a fake profile, gains the trust of an online love interest, and then asks that person to wire money—usually to a location outside the United States.

Here are some warning signs that someone you met online could be in it for the money:

-- Wanting to leave the dating site immediately and use personal e-mail or IM accounts.
-- Claiming instant feelings of love.
-- Claiming to be from the United States but currently overseas.
-- Planning to visit, but being unable to do so because of a tragic event.
-- Asking for money to pay for travel, visas or other travel documents, medication, a child or other relative’s hospital bills, recovery from a temporary financial setback, or expenses while a big business deal comes through.
-- Making multiple requests for more money.

The FTC warns consumers that wiring money to someone they haven’t met is the same as sending cash.  Once it’s gone, it can’t be recovered.

As a best practice, never act on emails that appear to come from Facebook by clicking the links or images they contain. Instead, log directly into your Facebook account and process any new notifications there.

Spammed malware linked into your Facebook photo
http://blogs.mcafee.com/mcafee-labs/spammed-malware-linked-into-your-facebook-photo

QUOTE: This most recent attack technique appears as an arriving email but contains a crafted malicious link. The attack is camouflaged as a Facebook correspondence alerting the victim that a friend “commented on your photo”. Although new security procedures are being implemented to protect Facebook users, cybercriminals will continue to aggressively abuse this and other social networks.

The sender name is counterfeit and the email is NOT a Facebook address. When you run your cursor over the fake Facebook link it then becomes visible that it will redirect to a suspicious page.

Last week, Facebook announced their new Messaging system that will be launching in the next few months. Certainly it will give better control to users, and will possibly minimize some issues but we at McAfee Labs expect spammers and cybercriminals to attempt abuse as well. I’m a firm believer the most powerful tool is still common sense alongside some best practices: be an informed, safe and protected user.  Always keep your security software up to date!
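Two of the checks above, the FBI's advice to compare the link shown in an e-mail with the one it actually leads to, and McAfee's observation that the sender is not a Facebook address and that hovering over the link reveals a redirect, can be automated for a mail gateway or an analyst's inbox. The Python below is an added example for this page (neither the FBI's nor McAfee's code): it parses a raw message with the standard library, flags a sender whose domain is not the brand's, and flags any anchor whose visible text is a URL on a different registrable domain from its href. The two messages, the `.example` attacker domains and the crude "last two labels" domain rule are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname; an approximation (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL, accepting scheme-less text such as www.example.com/x."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return urlsplit(url).hostname or ""


def looks_like_url(text: str) -> bool:
    return bool(re.match(r"^(https?://|www\.)\S+$", text, re.I))


def check_message(raw: str, claimed_domain: str) -> list:
    """Findings for a message that claims to come from claimed_domain:
    a sender off-domain, link text that points somewhere else, or links
    that leave the claimed domain altogether."""
    msg = message_from_string(raw)
    findings = []
    _display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if registrable_domain(from_domain) != claimed_domain:
        findings.append(f"sender {addr} is not on {claimed_domain}")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_domain = registrable_domain(host_of(href))
        if looks_like_url(text) and registrable_domain(host_of(text)) != href_domain:
            findings.append(f"link text {text!r} actually resolves to {href_domain}")
        elif href_domain != claimed_domain:
            findings.append(f"link {text!r} leaves {claimed_domain} for {href_domain}")
    return findings


# Constructed messages: a "commented on your photo" lure and a benign notification.
PHISH = """From: "Facebook" <notification@mail-updates-fb.example>
To: victim@example.com
Subject: Your friend commented on your photo
Content-Type: text/html; charset=utf-8

<html><body>
<p>A friend commented on your photo.</p>
<p><a href="http://photos-view.example/r?u=17">http://www.facebook.com/photo.php?id=17</a></p>
<p><a href="http://www.facebook.com/help">Help Center</a></p>
</body></html>
"""

LEGIT = """From: Facebook <notification@facebook.com>
To: victim@example.com
Subject: Review your settings
Content-Type: text/html; charset=utf-8

<p><a href="https://www.facebook.com/settings">Review your settings</a></p>
"""

if __name__ == "__main__":
    for f in check_message(PHISH, "facebook.com"):
        print("PHISH:", f)
    print("LEGIT findings:", check_message(LEGIT, "facebook.com"))
```

The second branch of the link check is intentionally stricter than the FBI rule: a link whose text is a harmless phrase but whose href leaves the brand's domain is still reported, since that is exactly the "commented on your photo" button McAfee describes.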

A neat reflection on the value of security in protecting our identity, privacy, and information, fitting for the Thanksgiving holiday.

PC Magazine - Try To Be Thankful For Your Security
http://blogs.pcmag.com/securitywatch/2010/11/try_to_be_thankful_for_your_se.php

QUOTE: I'll avoid business products which, I would argue, provide much more defensive power than consumer products. Consumers can still do a good job by following a few basic rules:

• Don't run Windows XP. Run Windows 7 or at least Windows Vista.
• For your everyday tasks, run as a standard, i.e. less-privileged user. If you get a UAC prompt for elevation, pay attention to it. If an application you run doesn't work well in this environment, try to find a replacement. That application is probably badly-designed and you should blame the developers.
• Keep your operating system and applications up to date.
• Run a security suite and keep it up to date.
• Don't install software casually. Look carefully at what you're installing and at what happens in the installation process. Remove software from your system if you're no longer using it.


Having tested password strength in the past, I have found it to be a barometer of how well employees are following security guidelines and awareness programs. It is also a measurement of technical controls, since companies should require complex passwords as policy.

Corporate Security - Strength of Passwords as Measurement criteria
http://isc.sans.edu/diary.html?storyid=9997

QUOTE: The strength of passwords used is a good indication of the security posture of an organisation, considering the userid and password combination is in many cases the first and last line of defence. It is quite important to get it right.

Most of us know that when we turn on password complexity in Windows it is no guarantee that the user will select a decent password. An 8-character password can pass complexity checking in Windows, and not many of us would argue that it is a decent password.

Another element needs to be in place to get decent passwords, user awareness. When you analyse the passwords you can identify whether reasonable passwords are being used and hence determine whether user awareness training has worked, a refresher is needed or all is good. When cracking passwords you will also be able to determine patterns used by users, admin staff, service accounts, resource accounts, helpdesk etc.  All useful information in determining the security posture. 
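The diary's point that Windows complexity is not the same as strength can be made concrete by auditing a cracked password list the way a tester would after a run: apply the documented complexity rule (six or more characters, three of four character classes, no occurrence of the account name), then classify each password by its character-class shape and dictionary base, and roll the results up by account type. The Python below is an added example for this page, not the SANS diary author's tooling; the account list, the base-word list, the shape set and the prefix-based account typing are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample of (account, cracked password) pairs as they might come out
# of an audit run; none of these are real accounts.
CRACKED = [
    ("jsmith", "Password1!"),
    ("mbrown", "Welcome2010"),
    ("tlee", "Summer10!!"),
    ("rnguyen", "correct horse battery staple"),
    ("svc_backup", "svc_backup1"),
    ("helpdesk1", "Helpdesk1"),
    ("adm_kwong", "Tr0ub4dor&3"),
]

# Assumed list of base words a cracker tries first.
COMMON_BASES = ("password", "welcome", "summer", "winter", "spring", "autumn", "helpdesk", "letmein")

# Character-class shapes (U=upper, L=lower, D=digit, S=symbol, runs collapsed)
# that a handful of cracking rules cover; assumed set for the demo.
PREDICTABLE_SHAPES = {"ULD", "ULDS", "LD", "LDS", "UL", "L"}


def meets_windows_complexity(account: str, pw: str) -> bool:
    """The documented Windows 'Password must meet complexity requirements' rule:
    at least 6 characters, 3 of 4 character classes, and the password must not
    contain the account name (when that name is 3+ characters long)."""
    if len(pw) < 6:
        return False
    classes = sum([
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[0-9]", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ])
    if classes < 3:
        return False
    if len(account) >= 3 and account.lower() in pw.lower():
        return False
    return True


def shape(pw: str) -> str:
    """Collapse a password into its run-length character-class string."""
    out = []
    for ch in pw:
        c = "U" if ch.isupper() else "L" if ch.islower() else "D" if ch.isdigit() else "S"
        if not out or out[-1] != c:
            out.append(c)
    return "".join(out)


def weaknesses(account: str, pw: str) -> list:
    """Pattern findings a cracking run would exploit, independent of the complexity flag."""
    low = pw.lower()
    issues = []
    base = next((b for b in COMMON_BASES if low.startswith(b)), None)
    if base:
        issues.append(f"dictionary base '{base}'")
    if shape(pw) in PREDICTABLE_SHAPES:
        issues.append("predictable shape " + shape(pw))
    if len(account) >= 3 and account.lower() in low:
        issues.append("contains account name")
    if len(pw) < 12:
        issues.append("under 12 characters")
    return issues


def account_type(account: str) -> str:
    """Assumed naming convention used to split results by population."""
    a = account.lower()
    if a.startswith("svc_"):
        return "service"
    if a.startswith("adm_"):
        return "admin"
    if a.startswith("helpdesk"):
        return "helpdesk"
    return "user"


def audit(pairs=CRACKED) -> list:
    return [{
        "account": account,
        "type": account_type(account),
        "complexity_ok": meets_windows_complexity(account, pw),
        "shape": shape(pw),
        "issues": weaknesses(account, pw),
    } for account, pw in pairs]


def summarize(rows: list) -> dict:
    """Per account type: total, how many satisfy complexity, how many still show a weak pattern."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r["type"], Counter())
        s["total"] += 1
        s["complexity_ok"] += int(r["complexity_ok"])
        s["weak_pattern"] += int(bool(r["issues"]))
    return summary


if __name__ == "__main__":
    rows = audit()
    for r in rows:
        print(r)
    for kind, s in summarize(rows).items():
        print(kind, dict(s))
```

The two columns disagree in both directions, which is the diary's point: Password1! and Welcome2010 satisfy the Windows rule yet fall to a word-plus-digits rule in the first minutes of a crack, while a long passphrase fails the complexity check despite having no exploitable pattern. Grouping by account type is what turns this into a posture measure, since service and helpdesk accounts that reuse their own names show a technical-control gap rather than an awareness one.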
