
Information Security News

We have decided that you, our subscribers, would be better served if we simply update this news bulletin with timely and important messages as they arise. New and significant threats don't tend to wait until we have time to publish our newsletter!

So, we will be posting new items as they arise and as we are able, and will only use email notifications if there is a particularly dangerous threat. We highly recommend that you subscribe to the RSS feed as noted below, as that will ensure that you are notified of new postings immediately. If you choose not to do so, please check back regularly on your own so you don't miss anything important. We will keep notices on this letter for about a week and then archive them.

Recent bulletins are posted below. In case you missed our earlier ones they are still available in our archives.

All of our content is now available via RSS feed. In case you don't know how to subscribe to RSS feeds and missed the tip where I gave instructions on how to do so - I've archived that tip here.

Bulletins posted 7/02/2009

Mozilla Firefox 3.5 officially released
After a prolonged beta period, Mozilla has officially released its new version of Firefox.

Version 3.5 contains multiple security enhancements, such as improved anti-phishing and malware and privacy protection, according to Mozilla.

One of the privacy features is called “Private Browsing,” which lets users browse the internet without Firefox retaining any data about sites and pages that were visited. No pages are added to the list of sites in the “History” menu, the library window's history list, or the browser's “Smart Location Bar” address list.

“We wanted to make sure that our users had control over the information that was being kept by the browser,” Johnathan Nightingale, Mozilla's "human shield," told SCMagazineUS.com Tuesday. "Once the private browsing mode is started, all the work up to that point is unaffected. Firefox is reinitialized, brought up fresh, and nothing you do afterward is ever logged to disk -- no downloads, cookies, no cache -- so a record is not there even if power is lost during the session.”

Competing browsers' privacy features, such as Microsoft's IE8 InPrivate, Chrome's Incognito and Safari's private browsing mode, do much the same thing, but Firefox handles the operation automatically and more transparently, Nightingale said.

Another Firefox privacy tool is called “Clear Recent History,” which gives a user even more granular control.

“With this tool, users can clear any given time period of browsing record,” Nightingale said.

For even more control, users can erase any record of a particular website with a feature dubbed “Forget About This Site.” This feature can remove all traces of a particular website without disturbing the rest of the browsing history for other sites, Nightingale said.

Mozilla Firefox 3.5 is available now for Windows, Linux, and Mac OS X operating systems and we recommend updating to this new version.

From SC Magazine, by Chuck Miller

Britney Spears Twitpic account hacked; fake death posted
A vulnerability in a third-party service through which users post photos to their Twitter profiles allowed hackers on Sunday to falsely report that Britney Spears had died.

The attackers, apparently preying on the fact that several notable celebrities died last week, including Michael Jackson, were able to post a message to Spears' Twitter profile that claimed she, too, had passed away.

Twitpic founder Noah Everett, in a blog post Monday, said the attackers used a technique known as brute force to guess the email PINs of about 10 users, which they were able to use to automatically post messages to various Twitter pages. Everett did not address Spears by name in his post.

The latest tweet from the celebrity, posted Sunday afternoon, said: "Britney's Twitter was just hacked. The last message is obviously not true. She is fine and dandy spending a quiet day at home relaxing."

Similar messages also were posted to the accounts of Ellen DeGeneres and Miley Cyrus, according to reports.

"I want to make it clear that this was not a Twitter issue, but a Twitpic issue, and I take full responsibility for it," Everett wrote, adding that an investigation, in conjunction with internet service providers, is underway to determine the source of the attacks.

One more example of the way Twitter and other social media sites are becoming the newest target for scammers. Be aware.

From SC Magazine, by Dan Kaplan

Bulletins posted 6/26/2009

Hacked High-Profile Twitter Accounts Still Spreading Malicious Links
Phishing scams involving hijacked accounts continue to sweep through the popular microblogging site Twitter. In January, hackers commandeered the accounts of several high-profile members, including Britney Spears and Barack Obama, and distributed malicious links and spam messages. On Tuesday, scammers used the profile of Guy Kawasaki, a former Apple Fellow with over 100,000 followers, to post a link to a site that claimed to offer a (non-existent) sex tape featuring 'Gossip Girl' star Leighton Meester.

According to PC World, University of Alabama at Birmingham computer forensic scientist Gary Warner believes that over 1,600 people have already followed the link to a fake porn site that links to a Trojan horse program. This software affects both Macs and PCs, and, if downloaded, essentially turns your computer into a zombie that can be controlled from afar, enabling perps to extract valuable personal information. The scheme also leeched off the compromised accounts of a political blogger, a rising musician, and a gay news site, some of which still have the malicious link available on their Twitter pages.

With numerous scams currently afflicting Twitter and Facebook, it's incredibly important to refrain from immediately clicking on links, even if they seem to be from a trusted source. You should also take steps to strengthen and protect your passwords, and to be aware of the current prevalent and popular scams being employed.

From Switched, by Warren Riddle

New Scare Tactic E-mail Threatens Legal Action For Fake Accusations
We have reports of a new email virus campaign designed to scare email users with bogus legal action for activities including illegal music downloads.

The virus campaign calls attention to users' supposed recent activity at sites commonly used to share and download copyrighted movies, music and software. The email content threatens recipients with legal action and includes a link to a "log report" that is actually a virus executable.

This is a new twist on the scare tactics we're seeing more of lately. Be aware and inform your vulnerable friends and family.

From Enterprise Security Today

Social Networking Sites Victimizing Families of Deployed U.S. Military Personnel
The Kansas City Division of the FBI is issuing information regarding a new scam involving the victimization of families of deployed U.S. Military personnel through social networking sites.

Significant personal data is available through these sites which users join by city, workplace, school and region to connect and interact with other people.

The scam involves individuals using these social networking sites to contact relatives of deployed U.S. military personnel, most specifically grandparents. The impostor advises the grandparents that he is returning home on leave from Iraq and asks the grandparents to keep his presence secret so he can surprise his parents. A short time later, the grandparents are again contacted and the impostor advises them that he and a friend are stranded with a broken down car. He then asks the grandparents to wire a significant amount of money to cover the cost of the repairs.

As always, caution is advised regarding the posting and protection of personal information on public websites. It is recommended that family members of U.S. Military visit social networking sites in which they have accounts to ensure that no exploitable information is available.

Additionally, it is recommended that all relatives verify the identity of anyone who contacts them before wiring funds, either by asking specific questions known only to that person or by developing a code word or phrase to verify identity.

From FBI, Kansas City

Jackson's death to spark massive spam runs
Of course there's nothing like a tragedy to inspire the scum that take advantage of every opportunity to defraud. Just hours after the death of pop star Michael Jackson, security vendors are tracking attempts to cash in on the event by spammers and malware writers.

In a blog posting by security firm Sophos, the firm reported the first wave of spam messages "employing the sad news in the subject line and body part to harvest victims’ email addresses".

The message sender claims to have information about Jackson's death that they want to share with the recipient. Although the body of the spam message does not contain any URLs or other call-to-action links, if replied to it will allow the spammer to harvest the user's email address, said Sophos.

Rik Ferguson, senior security adviser at vendor Trend Micro, warned that any event of this magnitude would be expected to generate significant amounts of spam and malware.

"We fully expect to see black hat SEO [search engine optimisation] activity and significant spam runs using the news as bait, because people are hungry for details."

Black hat SEO manipulation attacks were launched soon after the death of actor Heath Ledger, and have already been seen in the past 24 hours since the death of actress Farrah Fawcett was announced.

They involve hackers disguising malicious links as URLs to legitimate sites containing news about a high-profile event in order to push the results higher up the search listings.

"Users are advised to exercise extreme caution in searching for related news and information surrounding the deaths of these celebrities."

From V3.co.uk, by Phil Muncaster

Fake News Advertisements Pushing Work at Home and Pharmaceuticals
I just read a well written and somewhat humorous article about a disturbing advertising trend that uses fake news stories to sell products.

These "news items" are posted on genuine web news sites such as Salon, Slate and Huffington Post. Some of them offer work at home jobs, one of which had the headline: “How I Make $1700 a Week Posting Links on Google.”

The article says there is a "whole fake-media empire pushing the story of the massive profits to be made by gaming Google from home: The Boston Weekly News, USA Financial Post, America Finance News, New York Finance News, Ohio Business News, the New York Tribune News, the Bakersfield Gazette, the San Jose Times, and the prestigious New York City Hearld. No, not 'Herald'; Hearld."

It goes on to report that people who have fallen for the advertised products are quite often finding unexpected charges on their credit cards.

This seems just short of criminal to me, and is certainly exploitive of the more gullible among us. Warn your vulnerable friends and family that they may not get what they expect from these advertisements that pretend to be news items.

See the full article at Wired, Threat Level, by Kevin Poulsen

Critical Adobe Shockwave flaw affects millions
Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system.

Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available at: http://get.adobe.com/shockwave/.

We recommend updating to the latest version after uninstalling older versions as soon as possible.

From ZDNet, by Ryan Naraine

Bulletins posted 6/23/2009

Mozilla released security update for Thunderbird
As part of Mozilla Corporation’s ongoing stability and security update process, Thunderbird 2.0.0.22 is now available for Windows, Mac, and Linux as a free download from www.getthunderbird.com.

If you already have Thunderbird 2.0.0.x, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

Due to the security fixes, we strongly recommend that all Thunderbird users upgrade to this latest release.

Please note: If you’re still using Thunderbird 1.5.0.x, this version is no longer supported and contains known security vulnerabilities. Please upgrade to Thunderbird 2 by downloading Thunderbird 2.0.0.22 from www.getthunderbird.com.

From Donna Buenaventura at Donna's Security Flash Blog

Twitter users offered security plug-in (SecureTwitter)
As Twitter becomes increasingly abused by hackers, Finjan Software has released a free browser add-on with a new feature that scans links and warns if they point to a page containing malware.

The SecureTwitter component is wrapped into SecureBrowsing, a plug-in for either the Firefox or Internet Explorer browsers, said Yuval Ben-Itzhak, Finjan's CTO.

SecureTwitter is designed to warn people about links that people post on the micro-blogging service. Because of Twitter's 140-character limit, most of the URLs posted have been shortened using services such as Bit.ly or TinyURL.

Those services completely obscure the true destination of the link, which is dangerous since users have no idea that they could be directed straight to a site that will look for software vulnerabilities in order to infect the PC with malware.

Even if a URL isn't shortened, it's nearly impossible to tell if a site may host malware since many legitimate sites have been hacked, too.

This is a very good product that we recommend highly to anyone using Twitter. You can find more information and the download at securebrowsing.finjan.com.

From TechWorld, By Jeremy Kirk, IDG News Service

Bulletins posted 6/22/2009

Mass Mailing Phishing Attempt on BlackBerry Devices
We've received a bulletin this afternoon warning about multiple reports of a mass-mailing phishing attempt being sent to BlackBerry devices.

The scam comes as an email to your BlackBerry. At least one of them comes from Carol.Barnfather@northumberland.gov.uk. The subject line is "You have exceeded the storage limit for you mailbox".

The message itself says:
"Your mailbox has exceeded the storage limit set by your administrator. You may not be able to send or receive new mail until your mailbox size is increased by your system administrator. You are required to contact your system administrator through e-mail with your Username:{ } and Password:{ } to increase your storage limit."

The message then goes on to provide you with a handy link to your "system administrator's" email so you can send your username and password to them!

If you get such a message on your City-owned BlackBerry, you should report it to the service desk. If you own a personal BlackBerry, be aware of these types of scams and never respond to a suspicious email or follow links.

Latest upgrade to iPhone includes 46 security fixes
Apple on Wednesday released the long-anticipated upgrade to its iPhone operating system.

Along with a host of new features, version 3.0 comes fitted with patches for 46 security vulnerabilities. The upgrade fixes everything from heap buffer overflows and multiple memory corruption issues in the handling of PDF files to cross-site scripting flaws, according to Apple.

For example, one patch updates the iPhone mail application to enable more user discretion in the loading of remote images within HTML messages. The app was upgraded so that an application cannot cause an alert to appear that could be enlisted to initiate a phone call without the user's knowledge.

Another patch fixes what could have led to the disclosure of credentials or application data when users of Microsoft's Exchange server accepted an untrusted certificate.

iPhone users should ensure that this update is installed as soon as possible.

From SC Magazine, by Greg Masters

Mac trojan targets game sites to infect users
Virus researchers have spotted a new variant of a Mac trojan that attempts to change a victim computer's DNS settings.

Analysts at Mac security firm Intego said Friday in a blog post that the latest variant of the RSPlug trojan can be found on websites claiming to offer legitimate game downloads. Until now, the trojan was only appearing on pornographic sites or sites hawking pirated software.

The newest attack scenario works similarly to previous versions of the malware, Peter James, an Intego spokesman, said in the post. In this case, users who follow the link to a rogue game are brought to another download link, which actually is a trojan.

If infected by the malware, computers may have their DNS settings altered, meaning hackers can direct users to anyplace they want.

"We recommend that Mac users download software only from trusted sites," James said. "The spread of this trojan horse is such that more and more sites will be providing it instead of real software, and it may become increasingly easy to get fooled."

From SC Magazine, by Dan Kaplan

Microsoft To Launch Public Beta of Free Antivirus Product on Tuesday
Microsoft turned a page in consumer antivirus protection today with the official announcement of free anti-malware software that users can download on their Windows machines. The new Microsoft Security Essentials software -- which had been known by the code name "Morro" -- will be available in a public beta version next Tues., June 23.

Unlike Microsoft's Live subscription-based OneCare consumer offering, Microsoft Security Essentials focuses solely on anti-malware security, detecting and removing viruses, spyware, rootkits, and Trojans, and doesn't bundle in the firewalls or computer maintenance tasks and backup common in many security suites today. And there's no charge or registration required.

"This is real-time protection for consumers," says Alan Packer, general manager of Microsoft's anti-malware team. "We were surprised at the number of people out there not running anti-malware software -- a lot of Windows consumers are not protected."

This will probably be a recommended product in the future, but unless you like to experiment with your computer it's probably best to wait till it is out of Beta.

From Dark Reading, by Kelly Jackson Higgins

That e-mail attachment is not a Twitter invite
Symantec is warning about a mass-mailing worm that comes in an attachment pretending to be a Twitter invite.

"The observed messages appear as if they have been sent from a Twitter account; however, unlike a legitimate Twitter message, there is no invitation URL present in the body," a Symantec blog post says. "Instead, the user will see an attachment that appears as a .zip file that purportedly contains an invitation card."

The name of the attachment is "Invitation Card.zip" and Symantec identified it as W32.Ackantta.B@mm, a worm targeting Windows computers that was discovered in an e-card virus attack in February, according to Symantec. The worm gathers e-mail addresses from compromised PCs and spreads by copying itself to removable drives and shared folders.

As with any other suspicious email attachment, you should never open a link you aren't sure about. Remember Twitter invitations have a URL in the email, not an attachment. But then again, the bad guys may take advantage of that as well and just include a fake URL next time - so remain suspicious of any Twitter invite and type in twitter.com to go to the site yourself if you think it's legitimate.

From CNET News, by Elinor Mills

Bulletins posted 6/16/2009

Credit Union Users Target of Text Scam
We see these types of scams more and more, and even though this one isn't in our back yard, it certainly could be - so we're taking this opportunity to warn you about this one as an example.

The UVA (University of Virginia) Credit Union is warning customers about a text message scam targeting their accounts.

Credit union officials say the bogus text message claims that your debit card has been blocked and that you need to call a phone number to verify your information. Don't do it.

We have seen scams like this via email and can expect that this tactic will be used around here. So if you get a suspicious text message, just delete it. If you think you've been a victim of this type of scam, call your bank immediately.

From NBC29.com

Apple Fixes Java Security Hole
After being goaded by the online security community last month to respond faster to software vulnerabilities, Apple on Monday finally fixed a longstanding flaw in the Java code that the company ships with its Mac OS X operating system.

The flaw could allow a Java applet to execute malicious code on affected Macs, potentially leading to information theft or a compromised system.

In a patch summary posted Monday, Apple states, "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2 on Mac OS X v10.5." The company also released an update for Mac OS v10.4.

In May, Intego, which makes security software for Macs, warned Mac users to disable Java in their Web browsers until Apple got around to fixing the Java vulnerability.

If you are running either Mac OS 10.4 or 10.5, you should install this update as soon as possible.

From Information Week, by Thomas Claburn

Bulletins posted 6/15/2009

Chrome update completes busy browser patch week
Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser.

The most severe of the two flaws involved a "high risk" memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second flaw involves a less severe information disclosure risk, involving the Drag and Drop functionality built into WebKit.

The update completes a busy week on the browser security front with a significant cumulative update for Internet Explorer on Tuesday and a Firefox update on Thursday. In addition, Apple released a beta version of its Safari 4 browser earlier this week.

If you use Google Chrome, we recommend updating it as soon as possible. It is set to update itself by default, but you should check to ensure the update has been completed.

From The Register, by John Leyden

Symantec Warns of Wireless Keyboard Security Threat
Security firm Symantec has uncovered a new form of attack aimed at users of wireless keyboards.

The warning follows the release of Keykeriki, an open-source "sniffer" project that allows users to remotely decode wireless transmissions.

Symantec said that this effectively creates a new type of key-logger that could be used by cybercriminals to steal sensitive data such as user names, passwords and bank details.

Symantec warned that, although the creator's intentions appear honorable, making the software code and hardware schematics open to everyone means that criminals could use the software to eavesdrop on wireless keyboard inputs.

The criminals would not have to install anything on the host system, but would simply have to be in range of the keyboard's wireless signal.

Symantec said that future wireless keyboards should introduce encrypted communication between the device and the receiver, and warned those working on office or public computers to resort to wired keyboards for the time being.

From Enterprise Security Today, by Ian Williams

More Scamming and Spamming on Twitter
Twitter is seeing a surge in activity from the scamming and spamming classes.

A spate of phishing attacks have been followed by myriad other efforts to soak Twitter’s enthusiastic and rapidly growing user base. In the last week, attackers have tapped into popular topics and latched onto popular people to get in front of big Twitter audiences. Their goal: to persuade people to click and visit their Web sites and then hand over personal information, be sold a bill of goods or become infected with a malicious program.

The first strategy capitalizes on Twitter users’ penchant for searching for random commentary on news subjects. Last week and this week, attackers have been using hundreds of dummy accounts to tweet messages about popular subjects, including the death of actor David Carradine, “Britain’s Got Talent” singer Susan Boyle, the U.S. rock band Phish as well as airplane crashes and child rape.

Links in the messages pointed to malicious video sites pretending to show porn. Visitors who clicked to download a program supposedly needed to watch videos actually installed a fake security application called Privacy Center, which tried to hit them up for money for a full version of the bogus product.

Pop culture buzz and shocking breaking news aren’t the only lures, though. Beware any topic that hits Twitter’s list of “Trending Topics.” The hashtag #smx, used to call out news about a search-marketing conference, reached the list last week and was summarily added to blasts of spam tweets. In a blog post, an irritated conference host, Danny Sullivan, said: “We knew this would happen, but it’s annoying and becoming a growing problem. Question is, will Twitter do anything about it, beginning with removing its ‘Trends’ feature?”

And on Saturday, Mr. Sullivan became a spammer vehicle when his @sengineland account was used for fake retweets. “Today, it got even more personal,” he said in the post. “Someone is using multiple accounts to retweet things we’ve said — except we’ve never said what they’re putting out.” The purpose? To lend credibility to a message pitching a way to make money on Twitter.

The approach is a twist on earlier efforts by Twitter spammers and scammers to hijack the names of well-known people, including Al Gore and Vint Cerf, who can draw gobs of followers. Stars don’t appreciate it; Tony La Russa, St. Louis Cardinals manager, has filed a lawsuit against Twitter after being impersonated. Twitter says the suit is frivolous and it won’t settle. But it plans to experiment this summer with a “Verified Account” seal that will let users know they’re looking at official accounts for public officials, celebs, famous athletes and others who may be impersonated.

Other than that, Twitter isn’t saying much about what it plans to do about dross on its site. (It didn’t respond to a request for comment.) But calls for action are growing. The security firm Sophos is advocating for extensive checking of Web links distributed via Twitter as well as search results and trends information. In addition to vetting Web links, Mr. Sullivan argues Twitter should impose restrictions on whose content shows up in searches and trends, keeping out brand-new accounts and those with bad reputations.

This is not any real new news, but instead a nice summary of all the ways the scammers are attacking Twitter. Be careful if you use this communications medium.

From The New York Times - by Riva Richmond

Last Updated: July 02, 2009
Website Contact: David Matthews
