We make technology work for the City Bill Schrier, CTO

Information Security Newsletter

Bulletins posted 3/13/2009

Fake HUD Website Used For Phishing Scam
Several City employees have recently notified us of a fake Federal Government Housing and Urban Development (HUD) website trying to dupe people into giving out personal information.

The site's Internet address is: http://bailout.hud-gov.us/ and because it appears to be an official US government website, some people might fall for the scam.

Scams of this type have become more and more prevalent as the economy worsens and ne'er-do-well criminals take every advantage. Please let your friends and family who might be susceptible to these types of scams know about this and similar criminal activities.

Bulletins posted 3/12/2009

DirectX 11 For XP - Not Really - But Scammers Want You to Think So
If you are a gamer and you follow technology news you probably know that there is no official DirectX 11 for Windows XP or Vista, but virus creators have taken the opportunity to try to fool gamers anxious to see the new features. As of now, Microsoft DirectX 11 (6.01.7000.0000) will be made available on Windows 7 and Windows Vista when officially released in coming months.

But scammers have posted fake, Trojan-infected DirectX 11 links on blogs and forums. These so-called DirectX 11 for Windows XP and Vista installers contain Trojans created in Perl scripts. The Trojans were detected by only three lesser-known anti-virus scanners on VirusTotal, so you can't count on antivirus software catching them.

If you think you might have already fallen for this trap, your computer might be infected with the "W32.Gaobot" Trojan, and you should immediately run a removal tool, which you can find on Symantec's web site, to get rid of it.

Better yet, just be aware of this scam and avoid the temptation to download anything that you aren't sure is real and verifiable.

750 Twitter Accounts Compromised - Used to Send Spam
Approximately 750 Twitter user accounts were recently subverted and used to post spam messages. The posts, intended to drive traffic to a pornographic web site, read "hey! 23/Female. Come chat with me on my webcam thingy here www.chatwebcamfree.com." A quick search of the micro-blogging site reveals a list of users who had their accounts compromised and used to post the spam messages. According to a post by Graham Cluley on his Sophos blog, "the index page of that web site serves up obfuscated JavaScript that loads a variety of pornographic adverts and contains a web form directed to a site called eroticgateway.com."

A Twitter blog post confirming that accounts had been compromised suggests that these are likely brute force attacks succeeding against user accounts with weak passwords. Twitter says that they have reset the passwords for the compromised accounts, which should prevent any further spam messages from being sent by the attacker. Earlier this year, an 18-year-old US student who goes by the handle 'GMZ' gained access to several accounts by using a brute force attack and made posts to users' Twitter home pages. Accounts that were compromised included Fox News, Britney Spears and Barack Obama.

With the growth in popularity of Twitter, the micro-blogging website is becoming a larger target for spammers, phishers and scammers. Users need to be cautious and use strong passwords to help prevent an account takeover. Users who notice suspicious followers or encounter a spammer can alert Twitter by messaging @spam from their account. Twitter users who want to update their settings with a stronger password can do so by visiting http://twitter.com/account/password.

Firmware Patches Close Holes in Apple's AirPort and Time Capsule
Apple's firmware version 7.4.1 blocks holes in its Time Capsule and AirPort Extreme Base Station 802.11n, which can be exploited for denial-of-service attacks, for injecting malformed IP packets or for listening in on data traffic.

If you use either of these Apple products we recommend updating the firmware as soon as possible. The 7.4.1 update can be installed using the AirPort Utility 5.4.1, which is typically installed in /Applications/Utilities on Mac OS X.

Apple Releases iTunes v8.1 as Security Update
Vulnerabilities have been reported in Apple iTunes. In one, a remote user can cause denial of service conditions on the target system. While this vulnerability only affects Windows systems, the update also addresses another vulnerability that affects all platforms. A design issue exists in the iTunes podcast feature. A subscription to a malicious podcast may cause an authentication dialog to be presented to the user. This dialog may entice the user to send iTunes credentials to the podcast server.

If you have iTunes installed on your computer, we recommend updating to this latest version as soon as possible.

Bulletins posted 3/10/2009

Microsoft Patches Three Vulnerabilities This March Patch Tuesday
Microsoft released three security bulletins and patches for several vulnerabilities today.

If you run Microsoft operating systems or Office products you should install these patches as soon as possible.

False Alarm on Windows Defender
Since Monday evening, Microsoft's Windows Defender spyware detection software has mistakenly raised the Win32/PossibleHostsFileHijack alarm on some clean PCs. According to Microsoft, the error is caused by a flawed signature deployed via automatic update on Monday. Another signature update has now been issued to solve the problem.

Windows Defender is Microsoft's free anti-spyware application and one that we recommend as part of your suite of security tools.

If you use Windows Defender, be sure you have the latest signatures loaded.

Adobe Patch Available
We have just learned that a patch for Adobe is available on their website that will address the serious vulnerability in PDF files that has been reported recently.

Adobe product users should go to their website as soon as possible and download and install the latest version, 9.1.

Hackers Disguise Malware as Google News Report of Baseball Death
Heartless hackers have set up a website pretending to be a Google News search result about John Odom's death, which installs malicious software onto your computer.

Baseball player John C Odom became known to millions across America last May after he was traded for ten maple bats. Tragically, the 26-year-old died from an accidental overdose of drugs and alcohol late last year. This news has only just become widely known after the mainstream media stumbled across the story.

The hackers are hoping that people will mistake the link for a genuine report on Google News rather than a website hosting a piece of malicious code. If you do visit the page, a Trojan horse called Troj/Reffor-A is downloaded to your Windows PC.

Be aware of these types of scams and be very careful when following links to news stories. Hover over the link to see if the information matches and it looks legitimate before trusting it.
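
The hover check above, and the lookalike address in the fake HUD bulletin of 3/13/2009, both come down to one question: does the link's real host belong to the organization it claims to be? The following Python sketch is an added example, not part of the original bulletin; the official domains (hud.gov, google.com) are supplied by the caller as assumptions, and every sample URL other than the one quoted in the HUD bulletin is constructed.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Return the lowercase host a browser would actually connect to."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:          # malformed address, e.g. broken IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def classify(url, official_domain):
    """Compare a link's real host against the domain it claims to represent.

    Returns "match" when the host is the official domain or a subdomain of
    it, "lookalike" when the official name only appears somewhere else in
    the URL (hyphenated, as a prefix, before an "@", or in the path), and
    "mismatch" when the URL has nothing to do with the official domain.
    """
    official = official_domain.rstrip(".").lower()
    host = host_of(url)
    # The leading dot matters: "nothud.gov" ends with "hud.gov" but is
    # not a subdomain of it.
    if host and (host == official or host.endswith("." + official)):
        return "match"
    whole = url.lower()
    hyphenated = official.replace(".", "-")   # hud.gov -> hud-gov
    if official in whole or hyphenated in whole:
        return "lookalike"
    return "mismatch"

# Sample links. The first is the address quoted in the HUD bulletin; the
# rest are constructed for illustration.
SAMPLES = [
    ("http://bailout.hud-gov.us/", "hud.gov"),
    ("https://portal.hud.gov/page", "hud.gov"),
    ("http://www.hud.gov@example.test/", "hud.gov"),
    ("http://nothud.gov/", "hud.gov"),
    ("http://news.google.com.example.test/", "google.com"),
    ("http://example.test/story", "google.com"),
]

if __name__ == "__main__":
    for url, official in SAMPLES:
        print(f"{classify(url, official):10} {host_of(url):32} {url}")
```

Only a "match" result means the link really points at the organization's own domain; the official name appearing elsewhere in the address proves nothing.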

FoxIT Update Defends Against PDF Peril
The PDF vulnerability that has been reported recently is not just an Adobe problem. Targeted attacks against an unpatched flaw in Adobe Reader over recent weeks have stimulated interest in alternative PDF viewers, such as FoxIT.

However, FoxIT is also vulnerable to the same type of threat, prompting the release on Monday of a security update addressing three security bugs in the software. The update to FoxIT defends against a JBIG2 symbol dictionary processing error, a stack-based buffer overflow flaw and a security authorization bypass bug.

If you use FoxIT, FoxIT Reader 3.0 and FoxIT Reader 2.3 both need patching.

----------------------------------------
Last Updated: March 13, 2009
Website Contact: David Matthews


Copyright © 1995-2009 City of Seattle