We make technology work for the City Bill Schrier, CTO

Information Security Newsletter

Bulletins posted 5/22/2009

FTC Sets Up New Web Site For Scam Prevention
We've all noticed the huge rise in scams trying to take advantage of people's fears and problems caused by the economic crisis. Now the Federal Trade Commission has set up a new web site to help people avoid being victims of these types of scams.

The new site is called "Money Matters" and is meant to help educate the public so they will know when they are being scammed.

A representative from the FTC said, “For the most part, fraud preys on consumers not knowing what is going on and not understanding what is happening. So, if we can get the consumer educated, it is much harder for the bad guys to convince the consumer to fork over their money.”

The new site includes tips and things to watch out for with all the latest scams that are being seen out there, including marketing phone calls like the ones City users have been plagued by in recent weeks.

Use Google or another search engine to locate this site and add it to your bookmarks or favorites. Also, spread the word to your friends and family - especially those who might be vulnerable to these scams.

From WSMV.com

Tvviter - Beware of fake Twitter phishing website
Security vendors have warned about a fake phishing website targeting users of Twitter, designed to convince users to type in their personal details and directing users to ‘Adult Dating Services’ by adding followers to the compromised accounts.

According to Rik Ferguson at Trend Micro, anybody fooled into giving away their account credentials will find at least six new followers appearing on their account.

Links to these profiles will redirect users to an adult dating site, which would make the scammers money through a pay-per-click affiliate scheme.

Twitter and Facebook are both in the news again today - be careful on these types of user-generated sites, as anything can be left around for you to pick up and it can get nasty!

From ITPro - Asavin Wattanajantra

Report: Over 60 Percent of Websites Contain Serious Vulnerabilities
Most Websites harbor at least one major vulnerability, and over 80 percent of Websites have had a critical security flaw, according to new data released today by WhiteHat Security.

The Website vulnerability statistics, based on Website vulnerability data gathered from WhiteHat's own enterprise clients, show that 63 percent of Websites have at least one high, critical, or urgent vulnerability issue, and there's an average of seven unfixed vulnerabilities in a Website today.

"What we know from this report is that the Web is at least this insecure," says Jeremiah Grossman, CTO of WhiteHat.

"Customers are fixing large swaths of vulnerabilities, but it's really tough to wipe out 100 percent of vulnerabilities, even by class and severity," Grossman says. "And even if you fix nine of 10 cross-site scripting vulnerabilities, you still have one. That's why the percentage of sites likely to have cross-site scripting vulns is" so high, he says.

And all it takes is one XSS vulnerability for an attacker to do his dirty work, he says.

If you happen to be a developer of new web applications, take this to heart. There are good resources out there to make sure you are developing secure sites as well as ways to test your existing sites for vulnerabilities.

From Dark Reading - Kelly Jackson Higgins

A New Attack Against Facebook
The latest Facebook scheme, which made the rounds starting Wednesday, delivers messages to users that appear to come from their friends. The correspondences, however, are being sent by fraudsters from hijacked accounts. The messages contain links to websites -- such as areps[dot]at and kirgo[dot]at -- that attempt to mimic the Facebook login page, with the hope that potential victims would assume they were logged out and must re-enter their credentials.

Zulfikar Ramzan, in a post on Symantec's Security Response Blog, said criminals prefer phishing attacks because they are easy to perpetrate and can reach so many people.

"In some cases, social networking sites have even trumped financial services sites in the phishing popularity stakes," Ramzan said. "One reason, I believe, for this trend is that phishers have come to better appreciate the impact of using social context within their attacks...After all, if I receive a message purporting to be from a 'friend,' then I'm much more likely to give that message more attention and potentially follow any instructions it contains."

Users can protect themselves by running an updated browser, such as Internet Explorer 8 or Firefox 3, which contains a phishing blacklist, Ryan McGeehan, an incident response manager on Facebook's security team, wrote in a blog post earlier this month. In addition, they should use different login information at each website they visit to prevent stolen credentials from being used to grant a criminal access somewhere else, he said.

From SC Magazine - Dan Kaplan

Mac OS X Vulnerable - Angered by Apple delay, hacker posts Mac Java attack code
In an effort to draw attention to a long-standing security problem in Apple's Mac OS X operating system, a security researcher has posted attack code that exploits the flaw.

The software, which could be used by hackers to run an unauthorized system on a Mac, was posted Tuesday by Landon Fuller, a security researcher in San Francisco. It exploits a nasty bug in the Java software that ships with Mac OS X. This bug was fixed by Java's creator, Sun Microsystems, on Dec. 3, but Apple has still not included the fix in its software updates.

"Unfortunately, it seems that many Mac OS X security issues are ignored if the severity of the issue is not adequately demonstrated," Fuller wrote in a blog posting describing the issue. "Due to the fact that an exploit for this issue is available in the wild, and the vulnerability has been public knowledge for six months, I have decided to release my own proof of concept."

We recommend that any Apple Mac OS X users disable Java Scripts in their browsers until this has been patched.

From Computer World - Robert McMillan

Bulletins posted 5/15/2009

Rapidly Spreading 'Gumblar' Attack Redirects Users' Web Searches
A Web-borne malware attack that redirects users' Internet searches is growing "exponentially," and has already infected more than 2,300 Websites, researchers said today.

Researchers at security company ScanSafe are warning users about an emerging series of Website compromises, collectively dubbed "Gumblar," which are spreading at a rapid rate. In the past week, Gumblar site compromises have grown at a rate of 188 percent, making it one of the fastest-growing infections on the Web, ScanSafe says.

Gumblar, which has been spotted on popular sites such as Tennis.com, Variety.com, and Coldwellbanker.com, is believed to be growing rapidly due to its unique combination of characteristics. The malware resulting from Gumblar forcibly redirects search page results to sites other than those users expect. Many of these pages are imitations of the Websites users actually intended to visit.

"For example, if a user is trying to visit Tennis.com via Google, they may be directed to a fraudulent site designed to look like Tennis.com, where a backdoor Trojan will be immediately downloaded," ScanSafe reports. "The Trojan could then allow cybercriminals control of the victim's computer, leading to a myriad of security issues, including personal data theft and stolen FTP credentials. Once cybercriminals are in possession of a victim's FTP credentials, any sites that victim manages can also be targeted for compromise -- a common malware propagation tactic."

One of Gumblar's exploits is to launch a "man-in-the-browser attack," in which the downloaded malware monitors all traffic to and from the browser, Landesman says. From this position, the malware can selectively swap out links in search results, effectively fooling the user into going to an unintended site.

The best advice we've seen to avoid these issues is to disable JavaScript in your browser settings. And just be aware of the potential to be re-directed to a site that isn't the one you expected - check the actual address bar and type in addresses instead of following links.

From Dark Reading - Tim Wilson

Bulletins posted 5/14/2009

Latest Apple Updates Include New Version of Safari
In yesterday's news bulletins we spoke of the 60 security updates that Apple was releasing for Mac OS X, but buried in that story was mention of Safari updates as well.

We wanted to ensure that anyone running the Safari Internet browser knows it was updated at the same time. Apple released Safari 3.2.3, as well as a new public beta of Safari 4 on May 12th.

The updates have security fixes for both Windows and Apple versions of the software where an attacker could potentially crash Safari or execute arbitrary code if you land on a poisoned Web site. They also patch other important security vulnerabilities.

If you're interested in trying out the Safari beta 4 you must first install Mac OS X 10.5.7. All of these updates are available with the Apple Software update application.

If you are using the Safari Internet browser on either Mac or Windows, we recommend updating it as soon as possible.

Bulletins posted 5/13/2009

Twitter users reveal personal information in latest 'trend' for 'porn names'
Many users of micro-blogging website Twitter have inadvertently shared personal information via a new trending topic.

The topic, named ‘Twitterpornnames’, based on a popular drinking game, encourages users to reveal the name of their first pet and the street they grew up on to create their ‘porn name’, which they then share on Twitter.

However industry experts have warned users not to give out their personal details and claimed that the trend, which has been running through most of today, is a scam engineered to steal people's details.

Graham Cluley, senior technology consultant at Sophos, claimed that by revealing such personal details, ‘thousands of people are potentially making life easy for identity thieves eager to mine information from the micro-blogging website’.

Cluley said: “The problem is that many sites (such as web email providers) may ask you what the name of your first pet was if you ever forget your password and wish to reset it. So, a hacker could grab details like your pet's name to try and crack into your email account.”

Meanwhile, Rik Ferguson, senior security advisor at Trend Micro, claimed that he was not sure if it was ‘conceived as a phishing scheme at the outset or as a reinvention of the playground/pub conversation’, but believed that any disclosure of personal information is unwise.

Ferguson said: “The fact remains, giving out things like your mother's maiden name, name of your first pet, the street you grew up on is a very bad idea. Giving them out online in a public forum that is indexed by search engines is even [worse].”

From SC Magazine - Dan Raywood

Massive security updates released for Apple computers
In one of its largest security updates this year, Apple has announced a series of patches for its Mac OS X to address more than 60 vulnerabilities, some of which could enable malicious hackers to remotely hijack Macintosh computers.

“Nearly every component of Apple's OS and its applications are touched by security-related fixes in the latest massive update from Apple,” said Andrew Storms, director of security operations for nCircle, a network security firm, in an email to SCMagazineUS.com. “This is a real wakeup call for everyone that has been touting the Mac OS as more secure than Windows.”

The updates, released Tuesday, included patches for Apple's Safari browser for both the Mac and Windows platforms.

For all of you Apple users out there, we can finally say what we say to the rest of the gang nearly every week: Install these updates as soon as possible!

From SC Magazine - Chuck Miller

Bulletins posted 5/12/2009

Some New and Dangerous SPAM This Week
This week in our SPAM filters and in reports from users we have seen some new and dangerous scams that we want you to be aware of and avoid.

First, we are seeing a lot of what is known as "image spam", or fraudulent marketing emails that come as images (in this case in the .png format) to try to avoid SPAM filters. Some filters will just see an image file in a message and will go ahead and deliver the email. But in those images can be links to poisoned websites or just the usual marketing sites for various "enhancement" products.

The City security team has made the decision to simply block all .png files from email delivery, so we have dealt with the problem here. However, you may well get something like this at home.

Second, our e-mail filtering application has caught and quarantined a message with the subject line, "Western Union Transfer...". This message contains a virus and can be very dangerous to your computer here or at home. It might be tempting to see who transferred what, so we especially want to warn people to avoid opening any messages like these.

Watch for these types of SPAM email and report them to your email provider if you get them. That will help your provider block them more efficiently. And of course, don't click on any links - just delete them!

Tip: The Dangers of USB Flash Drives and other Ultra Portable Storage
USB connected devices have become ubiquitous in our computer centric world. You can find USB flash memory drives in everything from watches to pens to rubber duckies! MP3 players such as the iPod, game consoles, smart phones, and many other devices that can store data can all be connected via the USB port on your computer.

These devices are inherently dangerous for a number of reasons. Many of them automatically start up when you plug them into your computer. The recent Conficker infection used that feature to infect computers via the USB port. It would search for any connected USB devices and copy itself to them and to their auto start feature so that the next computer they were plugged into would be infected immediately.

Just by virtue of the fact that they are so portable and are made to store and transport files between different computers or networks, they are the perfect vehicle for spreading viruses and other malware. They are like the cyber version of an uncovered sneeze in a crowded elevator!

And they are small and portable, which means they are also very easy to lose. The TSA collects thousands of these devices at airports every year. This not only puts any data that you store on them at risk from whoever picks it up, but also has been used by penetration testers as a social engineering scheme.

In one penetration test, USB flash drives with viruses on them were left lying in a parking lot of a Credit Union. Within an hour of the organization opening, nearly all of the devices had infected the organization's computers and "phoned home" to the penetration testers. People just picked them up and plugged them into their work computers to see what was on them!

If you use any USB data storage devices, especially the small flash drives, you need to be very aware of these dangers and guard against them. There are software and hardware tools out there that will allow you to encrypt your device and you should always do so if there is any sensitive or confidential data stored on them.

Facebook Attacked with Another Phishing Bug
Last week Facebook users were again under attack from a phishing scheme called mygener.im. The phishing scheme used a message delivered from friends that asked users to visit a malicious website.

Most browsers or web site rating add-ons mark this site as malicious, so hopefully if anyone followed the link, they were warned not to open the site. But if you did so anyway, you were redirected around the Web to what seemed, at least last week, to be a harmless site.

Facebook spokespersons said that they thought this was related to another attack a week earlier in which some users were fooled into giving up passwords. But Facebook acted quickly to block the URL and delete the message from inboxes and walls across the site. If your site was used to spread the bad content your password will have been reset.

Bottom line as always is to be cautious if you use these social networking sites. Anyone can make a site look like Facebook, so always check your browser's address bar to make sure it's really a Facebook site if you are following a link (if you hover over the link with your mouse it will usually show you where it is directed to in the information bar at the bottom of your screen). Better yet, don't follow any links unless you can be sure they are legitimate.

Social Security Administration Spoofed in Phishing Scam
Scammers have spoofed the Social Security Administration's (SSA) website in a phishing scam targeted at those who will be receiving an economic recovery payment this month.

Under Obama's American Recovery and Reinvestment Act signed into law in February, nearly 55 million individuals receiving Social Security, Supplemental Security Income (SSI), Railroad Retirement or veterans benefits will receive a one-time $250 economic recovery payment this month. Payments, totaling $13 billion, began going out last Thursday and will continue until June 4.

Though some Americans are getting a break from the government, scammers are attempting to get their own payday. The SSA is warning users of a phishing scam in which users are being sent emails that contain links to what appears to be the agency's web page. At the site, users are asked to enter their personal information, including Social Security and bank-account numbers to receive stimulus checks, The Wall Street Journal reported Saturday, citing Mark Hinkle, a spokesman for the SSA.

In response to a request for more information Monday, a SSA spokeswoman referred SCMagazineUS.com to the Office of Inspector General (OIG), which issues advisories about Social Security scams. The OIG has not issued an advisory about this scam.

Wade Walters, assistant inspector general for external relations at the OIG, told SCMagazineUS.com Monday that as of today he is not aware of any scams related directly to the economic recovery payment but that individuals should be aware of the potential of this threat.

“Always be mindful that there are scam artists out there and any time the government is sending out checks or there's a new benefit there's an opportunity for thieves to take advantage of that,” Walters said.

The criminals will never stop looking for ways to take advantage and most disgustingly they seem to enjoy targeting the most vulnerable and desperate individuals in these tough times. Warn your friends and family about this and other similar schemes.

From SC Magazine - Angela Moscaritolo

----------------------------------------
Last Updated: May 22, 2009
Website Contact: David Matthews


Copyright © 1995-2009 City of Seattle