DoS vulnerability in Bitcoin: DHS Infrastructure Highlights May 18th
By Kelli Tarala | May 18, 2012
The developers of Bitcoin, the pseudonymous digital currency system, fixed a flaw that allowed malicious users to perform denial-of-service attacks on a victim’s node, causing it to stop receiving updates from the Bitcoin network. To send and receive payments, Bitcoin nodes record transfers in blocks of data that are aggregated into a globally distributed block chain. Each transaction is cryptographically signed, and each block is linked by hash to the block before it. For this system to work, the user’s client needs to communicate with the global network frequently to keep up to date with the transactions that have happened since it was last online. A node isolated from the network for a significant amount of time cannot initiate or receive transfers of bitcoins. The developers have not yet explained how the vulnerability can be exploited; they want to give users time to patch their clients before releasing information that attackers could use to reverse-engineer a working exploit. They have, however, released version 0.6.2 of the client, which fixes the problem. Backports of the fix for versions 0.5.5 and 0.4.6 are also available. The developers stated the vulnerability cannot be used to compromise users’ wallets.
Full Story:
http://www.h-online.com/security/news/item/DoS-vulnerability-in-Bitcoin-1578558.html
Trojan mimics Chrome installer to steal banking information
Malware impersonating a Google Chrome installer is stealing data while removing software used to protect online banking transactions. The trojan at present appears to target users in Brazil and Peru. Trend Micro researchers reported they discovered a malicious file called ChromeSetup.exe hosted on domains posing as Facebook, MSN, Globo.com, Terra.com, and Google; most appear tied to Brazil, since .br or br. appears in the URLs. Once downloaded, the malware relays the infected machine’s IP address and operating system to a command and control (C&C) server. Then, when the user tries to access a legitimate site, the trojan, TSPY_BANKER.EUIQ, intercepts the page request and displays a “Loading system security” dialog box while redirecting them to a fake site. Another component of the “Banker” malware uninstalls GbPlugin, software designed to protect bank customers during online banking. “It does this through the aid of gb_catchme.exe, a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software,” according to a threats analyst. While analyzing the C&C panel, Trend Micro researchers saw phone-home logs spike from 400 to almost 6,000 in a 3-hour span, suggesting a malware outbreak or a migration to this C&C server. This represented 3,000 compromised machines, the post said. There is also evidence the malware has evolved since being found in the wild: initially it required three components to be installed separately, but newer samples wrap all three into one package.
Full Story:
http://threatpost.com/en_us/blogs/trojan-mimics-chrome-installer-steal-banking-information-051612
IG finds gaps in TSA reporting of security breaches
Only about 4 out of 10 security breaches involving unauthorized access at airports are reported to the Transportation Security Administration’s (TSA) central performance database, according to a new audit. The acting inspector general (IG) at DHS testified on the reporting gaps before the House subcommittee on transportation May 16, presenting the results of his office’s recent investigations of security breaches involving unauthorized access at U.S. commercial airports. Those breaches are defined as incidents in which one or more people gain access to a protected area of the airport without being screened or inspected under TSA’s standard operating procedures. TSA documents the breaches at each airport, and TSA staff are supposed to forward the documents to the agency’s central database. The audit showed inconsistent reporting. “We determined that only 42 percent of the security breaches we reviewed in individual airport files were reported in TSA’s official record,” the IG said. The audit also found corrective action was taken for only 53 percent of the breaches reviewed. The IG also cited a related audit that found other gaps in airport security, including incomplete vetting and verification of employee identification information.
Full Story:
http://fcw.com/articles/2012/05/16/tsa-reporting-gaps.aspx
RealPlayer update fixes security vulnerabilities
RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says none of the now fixed holes are known to have been used to compromise systems. The released update, Version 15.0.4.53 of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser. RealPlayer Versions 11.0 to 11.1 and 14.0.0 to 15.0.3.37, as well as RealPlayer SP 1.0 to 1.1.5 are affected; RealPlayer for Mac is not vulnerable. RealPlayer 15.0.4.53 — available for Windows 7, Vista SP1, and XP SP3 — corrects these problems.
Full Story:
http://www.h-online.com/security/news/item/RealPlayer-update-fixes-security-vulnerabilities-1578444.html
Worm uses Facebook PMs and instant messaging apps to spread
Researchers from Trend Micro recently reported that a piece of malware, identified as Worm_Steckct.evl, is distributed via a link sent in private messages on Facebook and through instant messaging programs. The shortened links point to an archive called “May09- Picture18.JPG_ www(dot)facebook.com.zip” which contains a file named “May09-Picture18.JPG _www(dot)facebook.com.” The name is built to look like a picture plus a Facebook URL, but its real extension, .com, is an executable format. Once run, the worm terminates all processes and services created by security software, ensuring antivirus applications cannot disrupt it. Steckct.evl then downloads another worm, detected as Worm_Eboom.ac, which monitors the victim’s browsing sessions. Not only does it log the posts and private messages the user creates or deletes on Facebook, MySpace, Twitter, WordPress, or Meebo; it can also spread by using the user’s active sessions on these sites.
Full Story:
http://news.softpedia.com/news/Worm-Uses-Facebook-PM-s-and-Instant-Messaging-Apps-to-Spread-270148.shtml
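The naming trick described above, an executable extension tucked behind an image-like name and a pasted-in domain, is cheap to screen for when unpacking attachments or archives. The following is an added example, not code from Trend Micro or the article; the heuristics are our own and the sample filenames are constructed for the demonstration.

```python
"""Screen archive member names for disguised executables.

Added example; not code from Trend Micro or the article. The heuristics are
our own and the sample filenames below are constructed for the demonstration.
"""
import os
import re

# Extensions Windows will execute directly or hand to a script host.
EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd",
             ".vbs", ".vbe", ".js", ".jse", ".wsf", ".jar", ".lnk"}

# Decoy extensions that make a name look like a document or a picture.
DECOY_EXT_RE = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?|txt)(?=[\s._-]|$)")


def suspicious_reasons(name):
    """Return the reasons a filename looks deceptive (empty list if none)."""
    n = name.strip().lower()
    stem, final_ext = os.path.splitext(n)
    reasons = []
    if final_ext in EXEC_EXTS:
        # Real extension is executable; look for a decoy extension before it.
        decoys = [m.group(0) for m in DECOY_EXT_RE.finditer(stem)]
        if decoys:
            reasons.append("executable %s hidden behind decoy extension(s) %s"
                           % (final_ext, ", ".join(decoys)))
        # Runs of spaces push the real extension out of a file dialog's view.
        if stem.endswith(" ") or re.search(r"\s{2,}", stem):
            reasons.append("whitespace padding before the real extension")
    # A URL-like token in a filename is a social-engineering tell on its own.
    if re.search(r"(^|[^a-z0-9])www\.", n):
        reasons.append("filename embeds a URL-like token")
    return reasons


def is_suspicious(name):
    return bool(suspicious_reasons(name))


def scan(names):
    """Map each suspicious name to its reasons; clean names are omitted."""
    results = {n: suspicious_reasons(n) for n in names}
    return {n: why for n, why in results.items() if why}


# Constructed sample names; the first mimics the pattern the worm used.
SAMPLE_NAMES = [
    "May09-Picture18.JPG _www.facebook.com",
    "May09-Picture18.jpg",
    "invoice.pdf.exe",
    "holiday.png        .scr",
    "setup.exe",  # plainly named executable: not flagged by these rules
]

if __name__ == "__main__":
    for n, why in scan(SAMPLE_NAMES).items():
        print(repr(n), "->", "; ".join(why))
```

A plainly named `setup.exe` is deliberately left alone: the point is to catch names engineered to lie about their type, which is a higher-confidence signal than "is an executable" and can be wired into mail or archive inspection without drowning analysts in benign installers.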
Security vulnerability in sudo’s netmask function patched
The developers of sudo have released updates to the privilege-elevation utility to patch a bug that could let a user run commands on hosts where sudoers does not grant them. Shortly afterwards, they issued a regular update that includes these fixes along with several new features. Sudo versions 1.8.4p5 and 1.7.9p1 fix a security issue that can allow a legitimate user who is listed in the sudoers file to run commands on other hosts. When sudo is asked to run a command, it consults sudoers to see whether the user has permission. Sudoers rules can restrict permissions by host, matching either an exact IP address or an IP network specified with a netmask. The problem lies in the netmask matching, which is typically used to grant permissions by subnet. The flaw is present in the IP network matching code of sudo versions 1.6.9p3 through 1.8.4p4. The bug was reported through Red Hat’s Bugzilla bug tracking system and has already been fixed in Ubuntu by backporting the fix to older versions of the package; Red Hat is also expected to fix its versions of sudo soon. The project advised all users to update to a patched version as soon as possible. Where they cannot upgrade, users are advised to define host permissions using explicit IP addresses instead of netmasks.
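For readers unfamiliar with how sudoers expresses host permissions, the following added example (not sudo’s own code, and written in Python rather than sudo’s C) parses Host_Alias lines, matches a host address against plain-address, CIDR and dotted-netmask entries, and lists the netmask-based entries that the advisory’s workaround says to rewrite as explicit addresses until sudo is patched. The sudoers fragment is constructed; hostnames, wildcards and negated entries are out of scope and are rejected rather than resolved.

```python
"""Sudoers host matching by address, CIDR network and dotted netmask.

Added example; not sudo's own code. Assumptions beyond the article: only
IP-literal host specs are handled (hostnames, wildcards and '!' negation are
rejected), and the sudoers fragment below is constructed for the demo.
"""
import ipaddress
import re

# Constructed sample sudoers fragment.
SAMPLE_SUDOERS = """
# Host_Alias entries mixing CIDR, dotted netmask, a single host and IPv6
Host_Alias  DBSERVERS = 10.0.5.0/24, 192.168.10.0/255.255.255.0
Host_Alias  BASTION   = 203.0.113.7
Host_Alias  LAB       = 2001:db8:1::/64
%dba  DBSERVERS = (postgres) /usr/bin/psql
ops   BASTION, LAB = ALL
"""

_HOST_ALIAS_RE = re.compile(r"^\s*Host_Alias\s+(\w+)\s*=\s*(.+?)\s*$")
_IP_LITERAL_RE = re.compile(r"^[0-9a-fA-F:./]+$")


def parse_host_aliases(text):
    """Map each Host_Alias name to its comma-separated list of host specs."""
    aliases = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _HOST_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [s.strip() for s in m.group(2).split(",")]
    return aliases


def uses_netmask(spec):
    """True for network specs, whether CIDR ('/24') or dotted ('/255.255.255.0')."""
    return "/" in spec


def host_matches(spec, host_ip):
    """Does a single sudoers host spec cover host_ip?"""
    if spec.startswith("!") or not _IP_LITERAL_RE.match(spec):
        raise ValueError("only IP-literal specs are handled: %r" % spec)
    addr = ipaddress.ip_address(host_ip)
    if uses_netmask(spec):
        # strict=False tolerates a network written with host bits set, which
        # admins often do; ipaddress also parses dotted IPv4 netmasks.
        net = ipaddress.ip_network(spec, strict=False)
        return addr.version == net.version and addr in net
    return addr == ipaddress.ip_address(spec)


def alias_matches(aliases, alias, host_ip):
    """Does any spec in the named alias cover host_ip?"""
    return any(host_matches(s, host_ip) for s in aliases[alias])


def netmask_entries(aliases):
    """Alias -> network specs: the entries the workaround says to replace
    with explicit addresses for the hosts that actually need access."""
    out = {}
    for name, specs in aliases.items():
        nets = [s for s in specs if uses_netmask(s)]
        if nets:
            out[name] = nets
    return out


if __name__ == "__main__":
    aliases = parse_host_aliases(SAMPLE_SUDOERS)
    for alias in aliases:
        print(alias, "covers 10.0.5.17:", alias_matches(aliases, alias, "10.0.5.17"))
    print("netmask-based entries to review:", netmask_entries(aliases))
```

Running the audit half of this over a real sudoers (or the output of `sudo -l` on each host) gives the list of subnet rules to convert; the conversion itself is a judgement call about which hosts in each subnet genuinely need the grant, which is why the example lists the entries rather than expanding every address in the range.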
Apache details OpenOffice 3.4 security fixes
Following the release of Apache OpenOffice 3.4.0 the week of May 7, the Apache Software Foundation (ASF) detailed the security fixes included in the new version of the open source productivity suite. According to the ASF, the first stable release of OpenOffice under its governance addresses three security vulnerabilities, all of which are rated as “important.” These include an integer overflow error when handling embedded images and a memory overwrite bug when loading WordPerfect files, both of which could allow for the execution of arbitrary code. The third hole is related to unchecked memory allocations in malformed PowerPoint files that the developers say could be used to cause a denial-of-service. Attacks on all these flaws would require the user to open a specially crafted file. OpenOffice.org 3.3 and the beta version of 3.4 are affected; earlier versions may also be vulnerable. The Security Team advises all users to upgrade to the final 3.4 release.
Full Story:
http://www.h-online.com/security/news/item/Apache-details-OpenOffice-3-4-security-fixes-1578504.html
Avira update puts behaviour recognition on hold
Security firm Avira has disabled the ProActiv behavior recognition module in some of its products with an update. A few days after the release of “Service Pack 0” on May 14, the company’s security software unexpectedly blocked access to important system components. As a consequence, some computers did not start at all, while others could only be booted in Safe Mode. On May 15, Avira announced it had solved the behavior recognition problem with an update, which can be installed by updating manually. What the company did not say is that the update simply disables the ProActiv behavior recognition module, which is no longer even listed in the extended configuration dialog once the update is installed.
Full Story:
http://www.h-online.com/security/news/item/Avira-update-puts-behaviour-recognition-on-hold-1578360.html
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
Avira update fixes Service Pack bug: DHS Open Source Infrastructure Highlights May 17th
By Kelli Tarala | May 17, 2012
Avira said it resolved the problems caused by a Service Pack released for its Windows products earlier in the week of May 14. Users are advised to trigger a manual update to download the fix; once installed, the update should stop the program from blocking legitimate Windows applications. On May 14, Avira released “Service Pack 0” for all of its Windows products. Once the update was installed, the “ProActiv” behavioral monitoring component in Avira Antivirus Premium 2012 and Avira Internet Security 2012 blocked the execution of essential programs and trusted system processes. Those affected need to update Avira manually; once the update is installed, the ProActiv module can be reactivated.
Full Story:
http://www.h-online.com/security/news/item/Avira-update-fixes-Service-Pack-bug-1576614.html
Google releases Chrome 19, adds tab sync and patches 20 bugs
May 15, Google released Chrome 19, patching 20 vulnerabilities in the browser. Eight vulnerabilities were ranked “high,” seven were marked “medium,” and five were labeled “low.” Seven of the vulnerabilities were described in Google’s brief advisory as “out-of-bounds” read or write flaws, a class of memory-safety bug in which code reads or writes beyond the buffer it was allocated because an index or length is not checked against the buffer’s size. Google paid bounties to six researchers for reporting nine vulnerabilities, including two not strictly within Chrome. The 11 remaining bugs were uncovered by Google’s own security team, were credited to Microsoft, or were not significant enough to rate a bounty.
Full Story:
http://www.computerworld.com/s/article/9227196/
QuickTime for Windows update plugs security holes
Version 7.7.2 of QuickTime for Windows was released to address 17 security vulnerabilities in the media player. According to Apple, these include integer, stack, and buffer overflows, as well as memory corruption issues, all of which could be exploited by an attacker to crash the application or execute arbitrary code on a victim’s system. For an attack to succeed, a user must first visit a malicious Web site or open a specially crafted file. The company notes that, on Mac OS X, many of the holes were already fixed in Mac OS X 10.7.3 and 10.7.4 Lion, and in Security Updates 2012-001 and 2012-002 for Mac OS X 10.6.8 Snow Leopard. A majority of these vulnerabilities were discovered by members of TippingPoint’s Zero Day Initiative.
Full Story:
http://www.h-online.com/security/news/item/QuickTime-for-Windows-update-plugs-security-holes-1576777.html
High-ranked sites blacklisted by Google after being hijacked
Zscaler experts scanned the first 1 million Web sites in Alexa’s top listings and found 621 of them are blacklisted by Google, even though some are legitimate Web sites visited by numerous users every day. How does a legitimate Web site end up on the Google Safe Browsing blacklist? For instance, subtitleseeker(dot)com, a Web site that offers subtitles for movies and TV shows, is ranked 6,239. The site itself is legitimate, but Google listed it once it detected malicious content: according to Zscaler, Subtitle Seeker was compromised and altered to host a malicious JavaScript. Other blacklisted sites promote “work from home” scams, adult content, and fake antivirus software, but the majority were altered to push malicious PDF files, adware, and other types of malware. Some sites were blacklisted because they were found to contain iframes and JavaScript with malicious intent.
Full Story:
http://news.softpedia.com/news/High-Ranked-Sites-Blacklisted-by-Google-After-Being-Hijacked-269879.shtml
Scammers exploit wannabe demon-slayers hyped by Diablo III
Cybercriminals targeted the May 14 release of Diablo III with scams themed around the widely anticipated video game. Blizzard’s game systems buckled under higher than expected demand, the London Guardian reported. The software company is attempting to stop piracy of the new role-playing game by requiring users to log into its servers before they can start playing. This created a bottleneck at Blizzard’s log-in systems, which struggled to service demand. The technical glitches were an unexpected bonus for scammers, who promoted bogus crack and key-gen sites. Such fake sites are potentially more attractive than usual while gamers struggle to obtain legitimate content through regular channels. Some of the scam sites GFI Software identified included supposed online key purchasing sites that actually install malicious software. Other spammed Diablo III-themed links collated by the security firm lead to unrelated flash games, spam linkdumps, and a “donation experiment” in which installing the offered software enters targets into a supposed prize draw. These scams are being promoted across the Web and on social media sites, including Facebook and Pinterest.
Full Story:
http://www.theregister.co.uk/2012/05/15/diablo_3_scams/
Pinterest scam toolkits widen the pool of potential scammers
Pinterest scam toolkits are available for sale to inexperienced scammers, according to McAfee. Usually sold on underground forums, these toolkits bundle and automate every step needed to run a campaign: creating Pinterest invites and mass comments on posts, mass creation of bit.ly links, and scraping Amazon for products based on given keywords and then submitting them to Pinterest. Pinterest scams usually work by luring people in with offers of free gift cards; the offered links land them either on sites hosting survey scams, on Amazon or other sites (which earns the scammers referral money), or, if the visitor is on a mobile device, on sites pushing premium-rate trojans.
Full Story:
http://www.net-security.org/secworld.php?id=12931&utm
Wikipedia warns users about malware injecting ads into its pages
Visitors to Wikipedia who see advertisements on the site have most likely fallen victim to a browser-based malware infection, Wikimedia Foundation, the organization operating the Web site, said May 14. “We never run ads on Wikipedia,” said the director of community advocacy for the Wikimedia Foundation. “If you’re seeing advertisements for a for-profit industry … or anything but our fundraiser, then your Web browser has likely been infected with malware.” One example of such malware is a rogue Google Chrome extension called “I want this,” the director said. However, similar malicious add-ons might also exist for Mozilla Firefox, Internet Explorer, and other browsers, he said. This type of malicious software is known as click fraud malware and can target multiple Web sites at once.
Full Story:
http://www.computerworld.com/s/article/9227179/
Stolen certificates found in malware possibly targeting Tibetan groups
The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro trojan that use certificates taken from several companies and issued by VeriSign, Thawte, and other certificate authorities. After looking at recent examples of malware signed with stolen certificates, researchers at Norman ASA, a security firm in Norway, noticed an aberrant string in one specific optional field of the stolen certificates. It is unclear what purpose, if any, the string serves, but Norman researchers searched the company’s malware database for other samples with the same string. The search yielded more than 20 samples with the same atypical string, and each of them included a stolen digital certificate. All of the malware samples except one were versions of the Etchfro trojan; the other was a version of the Gh0st RAT tool.
Full Story:
http://threatpost.com/en_us/blogs/stolen-certificates-found-malware-possibly-targeting-tibetan-groups-051512
Anonymous claims access to classified U.S. databases: DHS Open Source Infrastructure Highlights May 16th
By Kelli Tarala | May 17, 2012
A hacker affiliated with Anonymous claims the collective has access to U.S. classified databases, TG Daily reported May 14. The hacker faces 15 years in prison for attacking the county Web site of Santa Cruz, California, and is currently hiding out in Canada to avoid prosecution, courtesy of what he describes as a new “underground railroad,” a network of safe houses across the country. He told Canada’s National Post that the collective has access to “every classified database” in the U.S. government. According to the hacker, the digital keys were handed to Anonymous operatives by the same “people who run the systems.” He emphasized it was only a matter of time before the collective chose to disseminate database contents. “Now people are leaking to Anonymous and they’re not coming to us with this document or that document or a CD, they’re coming to us with keys to the kingdom, they’re giving us the passwords and usernames to whole secure databases that we now have free rein over,” he added.
Full Story:
http://www.tgdaily.com/security-features/63368-anonymous-claims-access-to-classified-us-databases
P2P ZeuS variant used to steal debit card details
As revealed by security experts, Visa, MasterCard, Facebook, Gmail, Hotmail, and Yahoo are all being targeted by a peer-to-peer (P2P) variant of the Zeus platform, Softpedia reported May 15. For each target, cybercriminals have crafted a tailored lure, Trusteer reported. When targeting Facebook users, attackers use a Web inject to push an offer urging users to link their Visa or MasterCard debit cards to their social media account; by doing so, the victim allegedly earns cash every time he or she purchases Facebook credits. The attacks against Gmail, Hotmail, and Yahoo customers start with the advertisement of a new authentication service called 3D Secure, allegedly connected to the Verified by Visa and MasterCard SecureCode programs. The Hotmail scheme is similar, with potential victims informed that “Windows Live Inc” is concerned about their security and offered a “100% secure, fast and easy” method of preventing fraud by linking the account to the debit card. In each scenario, the customer is presented with a number of text boxes in which to enter the debit card number, expiration date, security code, and even the PIN.
Full Story:
http://news.softpedia.com/news/P2P-ZeuS-Variant-Used-to-Steal-Debit-Card-Details-269670.shtml
Sophisticated bogus PayPal emails lead to phishing
PayPal users are being targeted with e-mails purportedly coming from the e-payment giant and asking for their help. The e-mail contains a link that will supposedly take users to PayPal’s log-in page but lands them on a spoofed one. Once users “log in,” they are asked to fill in personal and financial data, including name, birth date, phone number, home address; debit/credit card type, number, expiration date, and card verification number; Social Security number and two security questions and answers. Once submitted, this information is sent to the scammers who can use it to hijack the PayPal account and perform identity theft. Hoax-Slayer warns this scam is a bit more sophisticated than previous ones, as the text of the scam message is rather accurate, and the address of the fake Web site includes “paypal” along with a long string of numbers and letters. “The fake site includes all of the elements and navigation links familiar to PayPal users. However, clicking these links does not lead to another part of the site as expected but simply reloads the same scam form,” a researcher pointed out.
Full Story:
http://www.net-security.org/secworld.php?id=12930&utm
Popular surveillance cameras open to hackers, researcher says
Three of the most popular brands of closed-circuit surveillance cameras are sold with remote Internet access enabled by default and with weak password security, a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research. The cameras, used by banks, retailers, hotels, hospitals, and corporations, are often configured insecurely thanks to these manufacturer default settings, said a senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of systems to view live or archived footage, or control the direction and zoom of adjustable cameras. The researcher and his team were able to view footage during penetration tests they conducted for clients to uncover security vulnerabilities.
Full Story:
http://www.wired.com/threatlevel/2012/05/cctv-hack/
Apple scrubs old Leopards of Flashback trojan infections
Apple released patches that defend users of its older Mac OS X 10.5 Leopard operating system against security threats. The May 14 security fixes help defend Mac users on the 2007-vintage operating system against the Flashback trojan. Users of the newer Snow Leopard (10.6) and Lion (10.7) operating systems received equivalent fixes in April. Apple’s Leopard Flashback Removal Security Update is designed to clean Macs running the legacy OS that are not running an anti-virus package. In addition, the security update disables Safari’s Java plugin by default. Leopard Security Update 2012-003 disables older versions of Adobe Flash Player, encouraging users to get the latest version directly from Adobe’s Web site. Both updates can be applied via the Software Update feature built into Mac OS X, but only if the latest release of that track of the operating system, Mac OS X Leopard version 10.5.8, has already been applied. Apple is acting to prevent users of legacy versions of its operating system from harboring the Flashback trojan. Such support is unlikely to continue indefinitely and is likely to disappear entirely once Apple updates Mac OS X 10.7 Lion.
Full Story:
http://www.theregister.co.uk/2012/05/15/mac_leopard_security_update/
‘How to Earn Money’ apps hide fraud trojan
Cybercriminals are increasingly packaging get-rich-quick scams as applications. Experts from Bitdefender discovered a piece of software called “How to Earn Money,” which allegedly helps users make cash without hassle. In reality, the shady app hides malware, identified by Bitdefender as Trojan.Fraud.A. Once installed, the program places itself in the Program Files folder, creates shortcuts, and starts pushing HTML pages that advertise a tool that can supposedly help users earn tens of thousands of dollars in just over a month. To obtain the tool, users must pay a fee of $37 or $47.
Full Story:
http://news.softpedia.com/news/How-to-Earn-Money-Apps-Hide-Fraud-Trojan-269618.shtml
Fraunhofer Institute finds security vulnerabilities in cloud storage services
The Fraunhofer Institute for Secure Information Technology tested seven cloud storage service providers and published its results in a report. The authors of the report found vulnerabilities affecting registration and login, encryption, and shared access to data for several services. The study looked at CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One, and Wuala. The functions examined by Fraunhofer were copying, backup, synchronization, and sharing. Only TeamDrive and Wuala offer all four of these features. CrashPlan and Mozy only offer a backup service — a service not offered by CloudMe, Dropbox, or Ubuntu One.
Avira AV update hangs systems
A faulty update for Avira’s paid-for anti-virus software blocks harmless processes and may, in some cases, stop computers from booting. The update makes the ProActiv behavioral monitoring component oversensitive in its treatment of executable files. According to user reports, ProActiv blocks trusted system processes such as cmd.exe, rundll32.exe, taskeng.exe, wuauclt.exe, dllhost.exe, iexplore.exe, notepad.exe, and regedit.exe. In some cases, this results in Windows failing to boot properly. It also appears to be blocking non-OS applications such as Microsoft Office, the Opera Web browser, and Google’s Updater. All versions that include the ProActiv monitoring component are affected, including Avira Antivirus Premium 2012 and the enterprise version; only 32-bit systems are affected, as ProActiv does not currently support 64-bit operating systems. Users who installed the update are advised to disable ProActiv. In a statement to The H’s associates at heise Security, Avira confirmed the problem and said developers are working on an automatic update to resolve the bug. The potential scale of the bug is huge: according to Avira, the faulty update was already downloaded more than 70 million times (a figure that includes those running the free version of Avira, which is not affected). The company has stopped distributing the update.
Full Story:
http://www.h-online.com/security/news/item/Avira-AV-update-hangs-systems-Update-1575974.html
Trend Micro reveals top document attack vectors from April
Trend Micro researchers recently revealed just how prevalent the use of certain document types is among attackers. By far the two most popular document formats for attackers targeting Microsoft Office are Word and Excel files, which were used in a combined 90 percent of attacks on Microsoft Office in April. The biggest reason is that the two most reliable exploits in use targeted CVE-2010-3333, an RTF parsing flaw in Word, and CVE-2012-0158, a flaw in the MSCOMCTL ActiveX control that is typically delivered through Office documents.
Full Story:
http://www.securityweek.com/trend-micro-reveals-top-document-attackvectors-
Fake Android antivirus served via Twitter spam: DHS Open Source Infrastructure Highlights May 15th
By Kelli Tarala | May 15, 2012
Security researchers warn that Twitter is being flooded with shady-looking posts that contain links to Web sites hosted on .tk domains. These sites hide malicious elements that target not only PC users, but also Android owners. GFI Labs experts report that while PC users are served broken .jar files, Android customers are tricked into installing a fake antivirus application whose icon replicates a product provided by Kaspersky. First, the cybercriminals post tweets in Russian or English that advertise all sorts of materials, mainly adult content. All the tweets contain a link to a site such as good-graft(dot)tk. Once clicked, the links open a Russian site designed for smartphone and computer owners. Depending on the device from which the Web site is accessed, the victim is served a file called VirusScanner.jar (for PC), or VirusScanner.apk (for Android). Experts revealed the .jar file appears to be broken, since an error is displayed when it is executed. However, this may change at any time, so users should be cautious when presented with such an element. VirusScanner.apk is a rogue antivirus application that displays the Kaspersky logo when it is installed. Identified as Trojan.Android.Generic.a by GFI’s VIPRE Mobile Security, the piece of malware reveals its true purpose during the installation process when it asks permission to access phone calls, messages, and services that cost money.
Full Story:
http://news.softpedia.com/news/Fake-Android-Antivirus-Served-Via-Twitter-Spam-269361.shtml
Avast warns about “FakeInst” and alternative Android markets
The large number of malicious Web sites designed to infect Android devices with the Android:FakeInst SMS trojan has led Avast security experts to issue another warning to users. They advise smartphone owners to beware of fake-looking alternative Android application markets. Researchers found several domains, such as t2file(dot)net and uote(dot)net, hosting at least 25 new apps that carry the malware. After users are lured onto these Web sites, they are presented with a phony Downloader program. This app tells the victim the operation may cost money, but the Quit button does not work. Once the installation process begins, there is nothing a user can do except click the Agree or OK buttons, and once either is selected, an SMS to a premium rate number is sent. The trojan contains premium numbers for about 60 different countries worldwide. To hinder analysis, its creators used AES encryption to obfuscate the file.
Full Story:
http://news.softpedia.com/news/Avast-Warns-About-FakeInst-and-Alternative-Android-Markets-269380.shtml
Skype for Linux hotfix plugs security hole
Skype issued a hotfix release for its closed source VoIP, video, and text chat software for Linux, nearly 1 year after the last update arrived. The new version of Skype for Linux, labelled 2.2.0.99, is a minor update that includes an upgraded version of the libpng PNG reference library, which closes a security hole. While specific details are not provided by Skype, this is likely to be the same integer overflow vulnerability that prompted Mozilla to release unscheduled updates for the Firefox Web browser and the Thunderbird news and e-mail client earlier in 2012. According to its developers, the security problem only affects the static package of Skype for Linux downloaded directly from the company; other versions such as those supplied by the Ubuntu Software Centre are not affected by the issue.
Full Story:
http://www.h-online.com/security/news/item/Skype-for-Linux-hotfix-plugs-security-hole-1575232.html
Adobe will issue free security fixes for CS5 apps after all
Adobe reversed its policy that required customers to pay to acquire recent security patches for its Photoshop, Illustrator, and Flash Professional products. The patches cover vulnerabilities that could let a remote user execute malicious code and take control of computers running the products. Adobe originally said customers would need to pay to upgrade to the CS6 versions of the products to receive the fix.
Full Story:
http://news.cnet.com/8301-1009_3-57433231-83/adobe-will-issue-free-security-fixes-for-cs5-apps-after-all/
CERT warns on critical hole in SCADA software by Italian firm Progea
The DHS issued a bulletin May 10 warning about a previously undisclosed, critical vulnerability in Movicon 11, a product used to manage critical infrastructure including the manufacturing, energy, and water sectors. The Industrial Control Systems Cyber Emergency Response Team posted an advisory that warned customers of Progea Srl that a memory corruption vulnerability in the Movicon Human Machine Interface software could allow a remote attacker to knock Movicon devices offline using a specially crafted HTTP POST request sent to the Movicon OPC server component. Progea issued a fix for the problem.
Full Story:
http://threatpost.com/en_us/blogs/cert-warns-critical-hole-scada-software-italian-firm-progea-051112
Global Payments Breach fueled prepaid card fraud
Debit card accounts stolen in a recent hacker break-in at card processor Global Payments were showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud. At the beginning of March, Danbury, Connecticut-based Union Savings Bank (USB) began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued. When the bank determined the facility where the purchases took place was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach, according to USB’s chief risk officer. That is when USB heard from a fraud investigator at Vons, a grocery chain in southern California and Nevada. According to the chief risk officer, the investigator said the fraudsters were coming to the stores to buy low-denomination prepaid cards, and then encoding debit card accounts issued by USB onto them. The thieves then used those cards to purchase additional prepaid cards with much higher values. The risk officer said Visa alerted USB that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate. USB officials said the bank suffered about $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.
Full Story:
http://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/
Bitcoins worth $87,000 plundered in brazen server breach
More than $87,000 worth of the virtual currency known as Bitcoin (BTC) was stolen after online bandits penetrated servers belonging to Bitcoinica, prompting its operators to temporarily shutter the trading platform to contain the damage. The May 11 theft came after hackers accessed Bitcoinica’s production servers and depleted its online wallet of 18,547 BTC, company officials said in a blog post. It said the heist affected only a small fraction of Bitcoinica’s overall bitcoin deposits and that all withdrawal requests will be honored once the platform reopens. It was at least the second time in 10 weeks Bitcoinica has been stung by a computer intrusion. The post went on to warn that a database storing user names, e-mail addresses, and account histories was also accessed, and it also suggested cryptographically hashed passwords may have been compromised. It advised customers who reused their Bitcoinica passwords on other sites to change them. Documents used to legally verify users’ identities are stored on separate servers at a separate data center with a different encryption regimen. According to comments left by Bitcoin’s chief executive in an online forum, hackers penetrated a Web server hosted by Rackspace after they managed to reset a password, most likely through an automated e-mail.
Full Story:
http://arstechnica.com/uncategorized/2012/05/bitcoins-worth-87000-plundered
UGNazi hackers leak data from Washington Military Department
UGNazi hackers breached the site of the Washington Military Department and leaked data from the Web site’s databases. The hackers leaked name servers, MX records, and the names and IP addresses of the subdomains used by the State of Washington. They also leaked around 16 user account details, consisting of usernames and password hashes, including the ones of the site’s administrator. “This is just a continuation of our attack against wa.gov, but other than that, like we said we’re not done with the government or anyone to be exact,” a hacker told Softpedia.
Full Story:
http://news.softpedia.com/news/UGNazi-Hackers-Leak-Data-from-Washington-Military-Department-269244.shtml
Fuzz-o-Matic finds critical flaw in OpenSSL
Codenomicon helped identify a critical flaw in widely used encryption software. A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2, and DTLS can be exploited in a denial-of-service attack on both client and server software. The flaw was found with Fuzz-o-Matic, a cloud-based testing platform. The TLS security protocol is the current Internet standard for encrypting and authenticating application traffic. TLS is used by millions of people every day in online banking, e-commerce, e-mail, and Voice-over-IP applications. OpenSSL is an open-source implementation of TLS and is employed in standard operating systems, Web browsers, e-mail clients, and network devices ranging from WiFi access points and DSL modems to industrial-strength core routers.
Full Story:
http://www.net-security.org/secworld.php?id=12916&utm
Notepad++ web site compromised
Unknown attackers breached the Web site of the popular open source text editor Notepad++ and tried to trick visitors to the site into handing over the credentials to their Facebook accounts. It is currently believed the software downloads were not affected, and the rest of the Web site later appeared to be fixed. When accessed at the end of the week of May 7, the Web site of the project showed defacements by the attackers, and a second window also appeared asking for a Facebook login. It appears the hackers were using the official Facebook API in an attempt to gain access to account credentials from visitors to the site. Users who actually entered their Facebook credentials could potentially have provided the attackers with persistent access to all functions on their account, such as personal information and the ability to post status messages. In this case, users would have to visit their Facebook account settings to revoke these permissions; simply changing the account password is not sufficient.
Full Story:
http://www.h-online.com/security/news/item/Notepad-web-site-compromised-1575263.html
Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.
Cyber Security model may benefit a new cloud-based network: DHS Open Source Infrastructure Highlights May 14th
By Kelli Tarala | May 14, 2012
In the online struggle for network security, Kansas State University cybersecurity experts are adding an ally to the security force: the computer network itself. Two professors of computing and information sciences are researching the feasibility of building a network that could protect itself against online attackers by automatically changing its setup and configuration. The two researchers were recently awarded a 5-year grant of more than $1 million from the Air Force Office of Scientific Research to fund the study “Understanding and quantifying the impact of moving target defenses on computer networks.” The study, which began in April, will be the first to document whether this type of adaptive cybersecurity, called moving-target defense, can be effective. If it can work, researchers will determine if the benefits of creating a moving-target defense system outweigh the overhead and resources needed to build it.
Full Story:
http://www.net-security.org/secworld.php?id=12911&utm
Business continuity preparedness
Many organizations are struggling to manage data in hybrid physical, virtual, and cloud environments; many still use multiple tools, which are likely to be spread across multiple sites, with just over a third (36 percent) managing three or more different solutions to protect critical data, according to Homeland Security Newswire May 10. Despite 2011 experiencing record levels of environmental, economic, and political upheaval, the 2012 Acronis Disaster Recovery Index findings from the industrial sector revealed that only 53 percent of respondents were confident they could recover quickly in the event of a disaster. Nearly half (45 percent) of those surveyed cited lack of budget and IT resources as their key challenges in data recovery. One in 10 (11 percent) said they spend nothing on backup and disaster recovery, and a quarter stated they do not have sufficient support from senior business executives. In a highly competitive sector where tolerance for downtime is extremely low, only 45 percent said they would not suffer substantial downtime in the event of a serious incident or natural disaster.
Cyber sharing program formally expanded
The U.S. Department of Defense (DOD) and DHS announced May 11 the Defense Industrial Base (DIB) Cyber Pilot program will be opened to all eligible DIB companies. The program, an information exchange arrangement that allows intelligence agencies to share threat information with companies, and companies to share information on attacks with some liability protections, was started in June 2011. It initially included about 20 volunteering companies. Defense officials previously said they intended to increase the number of companies to more than 200, but the announcement means the program will be open to any company in the industrial base that can meet certain minimum requirements and that chooses to join. Specifically, the company must handle DOD information or have access to a DOD network and demonstrate a basic level of information security.
Full Story:
http://www.defensenews.com/article/20120511/DEFREG02/305110001
IC3 2011 Internet Crime Report released
The Internet Crime Complaint Center (IC3) May 10 released its 2011 Internet Crime Report — an overview of the latest data and trends of online criminal activity. According to the report, 2011 marked the third year in a row the IC3 received more than 300,000 complaints. The 314,246 complaints represent a 3.4 percent increase over 2010. The reported dollar loss was $485.3 million. In 2011, IC3 received and processed, on average, more than 26,000 complaints per month. The most common complaints received in 2011 included FBI-related scams — schemes in which a criminal poses as the FBI to defraud victims — identity theft, and advance-fee fraud. The report also lists States with the top complaints and provides loss and complaint statistics organized by State. It describes complaints by type, demographics, and State.
Full Story:
http://www.ic3.gov/media/2012/120511.aspx
University of Maine server hacked, data may have been stolen
A security breach on one of the University of Maine’s servers may have compromised information on people who made purchases through campus-based computer stores at the Orono campus and the University of Arkansas, the university announced in a press release May 10. Early forensic analysis showed information from 2,818 individuals — which included as many as 435 credit card numbers and 1,175 Social Security numbers — was stored on the server. The University of Arkansas had up to 1,007 online-only transaction records on the server, which supported a Web-based tool called Buyers Search Assistant. University of Arkansas officials first learned of the breach April 27 after reading an article believed to have been posted to Softpedia.com by a group of hackers known as Team GhostShell. The post stated the attack was retaliation for a recent law enforcement crackdown on hacking activities.
Full Story:
http://bangordailynews.com/2012/05/10/education/university-of-maine-server-hacked-data-may-have-been-stolen/
Opera 11.64 closes critical code execution hole
Version 11.64 of the Opera Web browser was released, closing a critical hole that could have been exploited by attackers to inject malicious code into a victim’s system. According to the company, some undisclosed formulations of URLs caused the browser to allocate the incorrect amount of memory for storing the address. When the program attempted to store the address, unrelated memory could have been overwritten with an attacker’s data, resulting in a crash and the execution of arbitrary code.
Full Story:
http://www.h-online.com/security/news/item/Opera-11-64-closes-critical-code-execution-hole-1573877.html
Growth of counterfeit parts expected as semiconductor market grows
The number of counterfeit parts that are vital to the computer industry is expected to reach record high levels as the semiconductor industry enters “a phase of accelerating growth,” according to an analysis of trends conducted by information and analytics provider, IHS. “The semiconductor industry is exhibiting the classic signs of the start of a new growth cycle, with tightening supplies, broad-based price increases and a lengthening of lead times for the delivery of products,” said a principal analyst for semiconductors at IHS. “These are prime conditions for suppliers of counterfeit parts, which are eager to fill supply gaps with their fake goods. For semiconductor purchasers, the rise in counterfeits represents a major risk, bringing downsides in terms of financial losses, damage to company reputations and even safety concerns in some products.” Authorities added that counterfeits also raise security problems that could impact homeland security and national defense, pointing to bogus computer chips, other parts, and counterfeit products that were supplied to the Department of Defense, many of which were substandard and posed serious safety and security risks for a wide variety of programs and operations.
APT attackers are increasingly using booby-trapped RTF documents
Booby-trapped Rich Text Format (RTF) documents are one of the most common types of malicious Microsoft Office files that are used to infect computers with advanced persistent threats, according to security researchers from Trend Micro. The company’s statistics show that 63 percent of the malicious Microsoft Office documents intercepted in April exploited vulnerabilities in Microsoft Word. Out of those vulnerabilities, the most commonly targeted ones were CVE-2010-3333 and CVE-2012-0158, which stem from bugs in Microsoft Word’s code for parsing RTF content. This is troublesome because Microsoft just patched a new Microsoft Word RTF parsing vulnerability May 8 that could allow remote code execution.
Full Story:
http://www.infoworld.com/d/security/apt-attackers-are-increasingly-using-booby-trapped-rtf-documents-192891