Information Security Newsletter

Bulletins posted 9/11/2009

2010 Census Cautions

Be cautious about giving information to Census workers during the U.S. Census process. The Better Business Bureau (BBB) advises people to be cooperative, but cautious, so as not to become a victim of fraud or identity theft. BBB offers the following advice:

If a U.S. Census worker knocks on your door**, they will have a: Ask to see their identification and their badge before answering their questions. However, you should never invite anyone you don't know into your home.

**Census workers are currently only knocking on doors to verify address information.

Do not give your Social Security number, credit card or banking information to anyone, even if they claim they need it for the U.S. Census. While the Census Bureau might ask for basic financial information, such as a salary range, it will not ask for Social Security, bank account, or credit card numbers, nor will employees solicit donations.

Eventually, Census workers may contact you by telephone, mail, or in person at home. However, they will not contact you by email, so be on the lookout for email scams impersonating the Census. Never click on a link or open any attachments in an email that is supposedly from the U.S. Census Bureau.

Mac OS X updated for security

Apple on Friday issued two updates -- one for users of Snow Leopard, and another for other Mac OS X users -- to address multiple security vulnerabilities, some of which could lead to arbitrary code execution. The computing giant issued an update to its recently released Snow Leopard platform to address a vulnerable version of Adobe Flash Player that shipped with the two-week-old software, according to Apple release notes. The updated version, Mac OS X 10.6.1, addresses nine previously fixed Flash vulnerabilities, the worst of which could have enabled arbitrary code execution if a user visited a maliciously crafted website.
"It's interesting for consumers to have these third-party products [such as Adobe Flash Player] bundled with their operating systems, but now Apple is responsible for them," Andrew Storms, director of security operations for network security and compliance auditing firm nCircle, told SCMagazineUS.com on Friday.

The Flash issue also was addressed in other OS X versions through a separate security update that fixes 33 vulnerabilities in total. Security Update 2009-005 was issued Thursday for users of the Leopard (Mac OS X 10.5.8) and Tiger (Mac OS X 10.4.11) operating systems, along with Mac OS X Server versions 10.5, 10.4.x (Universal), and 10.4.x (PowerPC), according to Apple release notes. A number of the vulnerabilities affect other third-party applications in OS X, including PHP, SMB and MySQL, Storms said. A vulnerable version of PHP, which is an HTML scripting language used by developers, was upgraded in Leopard. Vulnerabilities also were fixed in the CoreGraphics and ColorSync components, affecting Tiger and Leopard, which could enable arbitrary code execution if a user is tricked into viewing a maliciously crafted image, PDF file or web page. Other security bugs were fixed in the components Alias Manager, CarbonCore, ClamAV, CUPS, ImageIO, Launch Services and Wiki Server. These vulnerabilities could enable an attacker to execute arbitrary code, terminate applications, obtain system privileges or access user accounts.
Users need to go to Software Update and ensure they have the latest security updates installed.

Bulletins posted 9/3/2009

Snow Leopard install downgrades Flash

Apple has built a potentially dangerous downgrade into Mac OS X Snow Leopard, according to a security expert. When Apple's updated operating system is installed, it downgrades Adobe Systems' Flash to an earlier, less secure version. Sophos security expert Graham Cluley said Wednesday in a company blog post that Apple installs version 10.0.23.1, which has not been upgraded to protect users against the latest threats. "Mac users who have been diligent enough to keep their security up-to-date do not deserve to be silently downgraded," Cluley said in the blog. "We know that hackers keep finding security holes in Adobe's code--and that's deeply concerning because it is so widely used by many internet users, whether on Mac or PC." Cluley said users need to upgrade Flash Player for Mac immediately to the most current version, 10.0.32.18. Failing to do so could open up users to vulnerabilities that have targeted Flash over the past several months. "This should be done as a matter of priority," Cluley said. "Adobe is the 'new Microsoft' when it comes to security vulnerabilities, with hackers targeting their software looking for vulnerabilities to exploit."
Users need to upgrade Flash Player for Mac immediately to the most current version, 10.0.32.18.

Zeus Instant Messaging Trojan Lets Hackers Steal Your Financial Data

With the recent release of Mac's Snow Leopard and the upcoming Windows 7, it's only natural that hackers gave their viruses an upgrade as well. According to security company RSA, the Zeus trojan now employs instant messaging: once the Zeus trojan has taken hold of someone's account, the hacker automatically receives an instant message notifying him that the hack was successful. Once installed on a PC, the Zeus virus sends the hacker the user's log-in information and passwords. A module that can be added to the virus can then search for information specifically concerning financial institutions. A security company called Damballa estimates that the number of PCs infected with the virus is currently around 3.6 million, making the Zeus Trojan one of the most aggressive and invasive pieces of malware around.

"The ease-of-use of the Zeus crimeware toolkit for individuals to create their own tailored Trojan botnets has meant that it has become a favored toolkit for entry-level criminals to get involved in the underground economy," according to Peter Coogan of Symantec, writing on one of the company's blogs. "The greater availability of this toolkit on underground forums as of late has also led to an increase in its usage."

PC users are at risk from the virus if they do not install the latest security updates and then visit a website designed to hunt for weak spots in a software's defenses. The virus can also be installed onto a computer by opening an email carrying the virus. In this technological generation, protecting your computer is almost as important as protecting your house. Keeping security software up to date provides some of the necessary protection.

IT administrators should also keep tabs on the ZeuS Tracker, which is constantly updated with the latest IP addresses used by ZeuS hosts; this way they can block those addresses and help protect their networks.
Users need to install the latest security updates; the virus is installed when an unpatched PC visits a website designed to hunt for weak spots in a software's defenses.

New Version of Download Manager for Adobe Reader Available

Virus slingers are taking advantage of the release of Apple's Snow Leopard operating system by offering malware from sites touting operating system upgrades. Dodgy sites supposedly offering Snow Leopard were rigged to push an Apple-specific DNS changer Trojan, detected by Trend Micro as JAHLAV-K. The malware is a Mac OS X mountable Disk Image file (.DMG) that comes contaminated with various malicious scripts. Users infected with the Apple-specific malware would find their internet connections redirected to phishing sites and other fraudulent endeavours. Some of these bogus sites hosted scareware (fake anti-virus) packages. Fake sites offering the Mac malware were in operation in the run-up to the release of Snow Leopard on Friday. There are more details in a blog on Trend Micro's website.

A similar attack, detected earlier this week, offered malware in the guise of Foxit PDF Reader software for Apple Macs. The pirated version "Foxit Reader for Mac" comes loaded with the Jahlav Trojan horse, anti-virus firm Sophos warns. Foxit Reader is not yet officially available for Apple Macs. When it does come out, prospective users ought to use the official Foxit website, Foxit advises. "While imitation may be the sincerest form of flattery, we are not happy about the recent malware attacks masquerading as our Foxit Reader," said George Gao, vice president of sales and marketing at Foxit Corporation. "Foxit has always striven to ensure that our solutions are secure for our users, and remains committed to address any Foxit product security issue in a professional and timely manner."
As mentioned, Foxit Reader is not yet officially available for Apple Macs. When it does come out, prospective users ought to use the official Foxit website.

Bulletins posted 9/1/2009

Credit union agency warns of fake CD-ROMs

The agency that supervises federal credit unions is warning institutions to be on the lookout for fake fraud alert letters that are accompanied by CD-ROMs containing malware. The National Credit Union Administration (NCUA) issued a legitimate fraud alert this week, announcing that it was aware of at least one federally insured credit union that received the bogus letter. In an ironic twist, the package also contained two CD-ROMs that purportedly contained training material to defend against fraud. However, the fake fraud alert CD-ROMs are malicious, and the NCUA warned against loading them into a computer. "Doing so could result in a possible security breach to your computer system or have other adverse consequences," the alert said.

Paula Musich, senior analyst for enterprise security at Current Analysis, told SCMagazineUS.com on Thursday that this is the first time she has heard of a ploy like this, but she is not surprised. Though the risk of sending such a letter via standard mail may be higher than, say, delivering a malware-laden email, the ruse could prove successful for its orchestrators, she said. "It's a novel approach to trying to distribute malware," she said. "Given that it focuses on credit unions, I would hazard a guess that what they're after is access to people's accounts." Citing the recently released IBM X-Force report, which showed a noticeable decline in phishing incidents during the first half of this year, Musich said cybercriminals are finding alternative methods of perpetrating their scams as organizations get better at defending against digital message attacks. "The creativity of these guys, I find amusing," she said.
No action for end user.

Symantec discovers Trojan targeting Skype users

Early on August 27, Symantec issued an advisory that it had discovered the availability of source code for a Trojan that targets Skype users. The Trojan, once installed on a system, has the ability to record conversations in progress and transmit the recording to a third party. The Trojan is being called Trojan.Peskyspy, and can be delivered in any number of ways, including email links and social engineering attacks, where a user is tricked into downloading and installing an application. The Trojan targets Windows API hooks, a technique used to alter the intended behavior of an application, which Microsoft intended to be used by audio applications. The Trojan compromises the machine and then, through the hooking technique, is able to eavesdrop on a conversation before it even reaches Skype or any other audio application. Once a machine has been compromised, the Skype Trojan can use an application that handles audio processing within the computer and save the call data as an MP3 file. This MP3 is then sent over the Internet to a predefined server where the attacker can listen to the recorded conversations. The MP3 is stored locally and encrypted before it is sent off. "Recording the call as an MP3 keeps the size of the audio files low and means there is less data to be transferred over the network, helping to speed up the transfer and avoid detection," Symantec said in its alert. Presently, Symantec rates the risk posed by this threat as quite low, as it has not seen any evidence of compiled versions of the Trojan circulating online.
Symantec says users should follow security best practices, install and keep up-to-date security software, and not click on links in suspicious e-mails.
Bulletins posted 8/31/2009

Facebook Announces Privacy Improvement

Says Some Changes May Take About a Year.

Facebook has announced plans to give users more control over their information and make them better informed about privacy settings. This includes notifications and information about privacy settings and practices, additions to the Facebook Privacy Policy, and technical changes that give users more transparency and control over the information they provide to third-party apps. Facebook's announcement comes as a result of the company working with the Office of the Privacy Commissioner of Canada, which has provided Facebook with a number of recommendations.
"Our productive and constructive dialogue with the Commissioner's office has given us an opportunity to improve our policies and practices in a way that will provide even greater transparency and control for Facebook users," said Elliot Schrage, Vice-President of Global Communications and Public Policy at Facebook. "We believe that these changes are not only great for our users and address all of the Commissioners' outstanding concerns, but they also set a new standard for the industry."
No action for end user.

Security Advisories Relating to Symantec Products - Norton AntiVirus and Symantec Client Security Email Denial of Service Vulnerability

Risk Impact: Low

Overview

Norton AntiVirus and Symantec Client Security are susceptible to an email denial of service (DoS) attack which could be triggered by a specially crafted email message.

Affected Products

Norton AntiVirus 2005 through 2008
Norton Internet Security 2005 through 2008
Symantec AntiVirus Corporate Edition 9.0 MR6 and earlier, 10.0 all versions, 10.1 MR7 and earlier, 10.2 MR2 and earlier
Symantec Client Security 2.0 MR6 and earlier, 3.0 all versions, 3.1 MR7 and earlier

Details

Next Generation Security Software notified Symantec that a specially crafted email could potentially create a denial of service (DoS) condition on an end user system. The malicious message would require a significantly longer than normal time to process, which could cause the client system to lose its connection with the mail server. The email client will try to download the message again the next time it connects to the mail server, and again lose the connection. This cycle would be repeated until the malicious message was deleted from the mail server.

Symantec Response

Symantec has confirmed that this issue exists in the products listed under Affected Products above. The vulnerability can be exploited only if the optional Internet Email Scanning feature is enabled on the user's system. Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit the issue.

Mitigation

Internet Email Scanning is an optional feature which can be disabled if it is not being used. Disabling this feature prevents it from being exploited through this vulnerability.

Updating Norton products
Norton product users who launch and run LiveUpdate regularly have already received an update to address this issue. However, to ensure all available updates have been applied, users can manually launch and run LiveUpdate in interactive mode as follows:
Users should take the following actions.
1. Open any installed Norton product.
2. Click LiveUpdate.
3. Run LiveUpdate until all available product updates are downloaded and installed.
A reboot may be required, depending on the existing patch level of the affected computer.

New Version of Download Manager for Adobe Reader Available

A new version of the download manager for Adobe Reader is live. This new version resolves the Moderate local privilege escalation issue discussed in an Adobe PSIRT blog post on July 22.
Users should download the new version from Adobe at http://get.adobe.com/reader/

Security researchers advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date.

A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. Mary Landesman, a senior security researcher at ScanSafe, has told The Register that the infections are the result of SQL injection attacks. The x.js called from a0v.org loads exploits from seven other domain names. At the time of writing, Google's Safe Browsing was tagging a0v.org as malicious. "The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info," Mary Landesman writes on the company's blog. If exploitation is successful, several malware installers are dropped and executed on the victim's computer as drive-by downloads. The security researcher warns that "post infection, additional malware may also be downloaded" from a different host. The exploits target vulnerabilities in popular software, including Internet Explorer, Mozilla Firefox, Adobe Flash Player, Adobe Reader and Acrobat, and avast! Antivirus. AV detection rates for the malicious executables downloaded during the attack range from poor to moderate on VirusTotal. This sort of malware distribution attack, which involves exploit cocktails, is popular with cybercrooks because end users have historically failed to deploy security patches for the software installed on their computers. Just recently, we reported on a similar mass web compromise campaign discovered by network security company eSoft.
The point of entry for those attacks seems to be a buffer overflow vulnerability in Webalizer, a popular program for generating web statistics.
Users should make sure they deploy security patches on their computers.
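A detection check for the injection pattern described in the mass compromise bulletin above, added here as an example (it is not code from the bulletin, ScanSafe or The Register): it scans an HTML document for <iframe> or <script> tags whose src points at one of the domains the report names, or at any externally loaded IFrame that has been hidden, which is the usual shape of an injected loader. The domain set is seeded from the bulletin's text and the sample page is constructed; a real deployment would feed it a maintained blocklist.

```python
import re
from urllib.parse import urlparse

# Domains named in the bulletin: the x.js loader host and the seven exploit hosts.
KNOWN_BAD_DOMAINS = {
    "a0v.org", "ahthja.info", "gaehh.info", "htsrh.info",
    "car741.info", "game163.info", "car963.info", "game158.info",
}

TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Injected IFrames are usually made invisible: zero size or CSS hiding.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0(?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)

def host_of(src: str) -> str:
    """Lowercase hostname of an absolute or scheme-less URL; '' for same-origin paths."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()

def is_known_bad(host: str) -> bool:
    """True for a listed domain or a subdomain of one; look-alikes do not match."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)

def find_injected_loaders(html: str) -> list:
    """One finding per <iframe>/<script> that loads from a listed domain,
    plus any externally sourced IFrame that has been hidden from the viewer."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src_m = SRC_RE.search(attrs)
        if not src_m:
            continue
        src = src_m.group(1)
        host = host_of(src)
        reasons = []
        if is_known_bad(host):
            reasons.append("known malware domain")
        if tag == "iframe" and host and HIDDEN_RE.search(attrs):
            reasons.append("hidden external iframe")
        if reasons:
            findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings

# Constructed sample page: ordinary content with two injected tags appended.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
</head><body><p>Welcome</p>
<iframe src="http://a0v.org/x.js" width=0 height=0 frameborder=0></iframe>
<iframe src="http://unlisted.example/in.php" style="display:none"></iframe>
</body></html>"""

for f in find_injected_loaders(SAMPLE_HTML):
    print(f"{f['tag']} -> {f['src']} ({', '.join(f['reasons'])})")
```

Run over a crawl of your own site's pages, a hit on the second rule with an unlisted host is the signal to pull the page and check the database for the SQL injection the report describes.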