::Trend Micro Threat Resource Center::

30 November 2010

Behavior of Safari on the iPhone could benefit scammers

A behavior of the Safari browser on the iPhone could be used by phishers and scammers to fool users into believing they have landed on a legitimate site, says Nitesh Dhanjani.

In short, it allows scammers to display a fake URL bar and hide the real one. Users accessing websites from their computers are not in jeopardy, since no popular desktop web browser lets a website modify the text in the address bar or hide the address bar itself.


There are two mitigating circumstances that allow alert users to spot the trick:
  • While the page loads, the real address bar is visible.
  • When the page is rendered, the real address bar is visible if the user scrolls up.

Dhanjani set up a proof-of-concept demo page (http://www.dhanjani.com/ios-safari-ui-spoofing/) which you can visit with your iPhone to witness the behavior for yourself.

He says that he notified Apple about the issue, but that they could not say when it will be addressed.

29 November 2010

Hole in iPhone PayPal app allows account hijacking

PayPal customers who use the payment company's iPhone application to make payments should update it as soon as possible, because a vulnerability that can be exploited to hijack their accounts has been found by a security researcher and confirmed by PayPal.

The flaw doesn't affect the PayPal site or the company's Android application, but the 4+ million people who downloaded the iPhone application so far are in danger of getting their passwords intercepted by a hacker if they connect over unsecured Wi-Fi networks.

Essentially, the flaw makes the application fail to verify the digital certificate of the PayPal.com website, which could allow a criminal to "stand" between the user and the site and simply intercept his username and password. Of course, the hacker must be in the same physical location as the user, trick him into connecting to a Wi-Fi hotspot that he (the hacker) set up, and wait for him to use the application.

According to The Wall Street Journal, PayPal spokeswoman Amanda Pires said that they haven't yet heard of an instance where this hole was successfully exploited, but also that the company will reimburse every last cent if it happens to anyone.

That is good news, but it's better if you update your PayPal application now and skip any unpleasant surprises, since the patched version has already been made available.
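As an added illustration in Python (not the PayPal app's code, which is not shown here), the following shows the mistake described above next to its fix: a TLS client context that skips certificate and hostname checks beside one that enforces them, plus the hostname check a client must run after chain validation, exercised against a constructed certificate dict for a made-up paypal.com wildcard certificate.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. The values are made up for this example (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.paypal.com"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "*.paypal.com")),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def weak_client_context():
    """The mistake described above: the client accepts any certificate.

    With CERT_NONE the chain is never checked against trusted CAs and the
    hostname is never compared, so anyone on the same hotspot who can answer
    for paypal.com is accepted as PayPal."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context():
    """Verify the chain against the system CA store and check the hostname."""
    ctx = ssl.create_default_context()
    # create_default_context() already sets CERT_REQUIRED and check_hostname;
    # stating it explicitly keeps a later edit from silently weakening it.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def context_verifies_peer(ctx):
    """Quick audit check: does this context actually authenticate the server?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                    # "*.paypal.com" -> ".paypal.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost   # no multi-label matches


def hostname_matches_cert(cert, hostname, now=None):
    """Is this cert for the host we meant to talk to, and valid right now?

    Only SAN dNSName entries count; the subject CN is ignored."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        return False
    return any(_dns_name_matches(p, hostname) for p in dns_names)


if __name__ == "__main__":
    for ctx in (weak_client_context(), hardened_client_context()):
        print("verifies peer:", context_verifies_peer(ctx))
    for host in ("www.paypal.com", "api.paypal.com", "paypal.com",
                 "www.paypal.com.attacker.example"):
        print(host, "->", hostname_matches_cert(SAMPLE_CERT, host))
```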

27 November 2010

Security - It's not fun sometimes but be thankful it's there

With the Thanksgiving long weekend around the corner, here's a post dedicated to IT security. Security isn't the happiest topic in the tech business. It's not like PCs and phones that get more powerful and cheaper all the time, or displays that get bigger and more brilliant. It's mostly a steady stream of bad news or, at best, mitigations of bad situations. But there's still plenty to be thankful for.

It's unfortunate that the basic state of computing is insecure and that you will be attacked if you don't defend yourself. But you can defend yourself and defenses do get better all the time. Combined with some experience and a skeptical attitude, modern software can protect you very effectively.

I'll avoid business products which, I would argue, provide much more defensive power than consumer products. Consumers can still do a good job by following a few basic rules:

  • Don't run Windows XP. Run Windows 7 or at least Windows Vista.
  • For your everyday tasks, run as a standard, i.e. less-privileged user. If you get a UAC prompt for elevation, pay attention to it.
    • If an application you run doesn't work well in this environment, try to find a replacement. That application is probably badly-designed and you should blame the developers.
  • Keep your operating system and applications up to date.
  • Run a security suite and keep it up to date.
  • Don't install software casually. Look carefully at what you're installing and at what happens in the installation process. Remove software from your system if you're no longer using it.

Can you still get burned if you follow these guidelines? Yes, but it's highly unlikely, certainly far less likely than if you don't take security seriously. The garden-variety attack out there will raise some flag that you can see. Even a high-quality targeted attack like Stuxnet can be stopped by rigorous methods, but such attacks are very rare.

And if you're a Mac user, be thankful for the fact that, by and large, the malware community still doesn't find you to be worth their attention. This situation may be changing slowly, but you're still flying under the radar.

If you put a little money and effort into securing your computers you can do it effectively. So make sure everything's up to date and then be thankful that you'll be able to rely on your systems and then go stuff your face and watch some football.

26 November 2010

Warning about "postcard" computer virus

With Thanksgiving and Christmas coming up, friends and colleagues are bound to send out a bounty of online e-greeting cards.

Warnings have been issued this weekend about a highly destructive computer virus which has been released under the guise of a postcard greeting.

It is strongly advised that computer users should not open any message with an attachment entitled "Postcard" or "Postcard from Hallmark", regardless of who sent it.

The virus opens a postcard image which then 'burns' the whole hard disk C of your computer. Experts say that the virus will be received from someone who has your e-mail address in his/her contact list.

An American computer expert who has a senior position in Microsoft and is related to an Isle of Man resident said, "Even if you receive a mail called 'postcard' and it appears to have been sent by a friend, do not open it! Shut down your computer immediately. This is the worst virus announced by CNN."

The virus has been classified by Microsoft as "the most destructive virus ever". It was discovered by McAfee on Saturday and so far there is no repair yet for this kind of virus. This virus simply destroys the Zero Sector of the hard disk, where the vital information is kept.

Kids lured to scam site by promises of parental control bypassing

The latest scam to hit Facebook users is one that supposedly offers a completely free proxy service for those who want to bypass parental controls and blocks set up by schools and at workplaces that prevent users from accessing certain sites such as Facebook.

The campaign is specifically targeting kids, luring them into trying out the service located at hxxp://myfatherisonline.com to access Facebook in school.


Of course, when the victims visit the website they can't find the advertised service. Sunbelt researchers have poked around the site and discovered a veritable trove of various scamming attempts.


The victims are faced with an affiliate site containing malware, surveys, quizzes, offers for free iPhones that will try to get them to subscribe to a premium rate service or sign up for spam.

If you have children and they are permitted to have an account on a social networking site, it might be a good idea to chat with them about the various bogus offers that are lurking on those sites.

25 November 2010

The enemy in the network card

There's no corner too small for rootkits to hide themselves. Check this out.

Security expert Guillaume Delugré, who works for the Sogeti European Security Expertise Center (ESEC), has demonstrated that a rootkit doesn't necessarily have to infest a computer. The expert used freely available tools and documentation to develop custom firmware for Broadcom's NetExtreme network controller. He was then able to conceal a rootkit within the firmware, making it untraceable by the virus scanners usually installed on a PC.

Delugré's code is executed by the network card's MIPS CPU and can directly communicate with the host's working memory through the PCI interface's Direct Memory Access (DMA); network cards normally use this functionality to exchange network frames with the driver installed on the computer.

Potential attackers using such a rootkit could remotely access computers or listen to a user's network traffic. Broadcom's NetExtreme controller is mainly used in corporate environments. Network controllers for home users are usually equipped with little, if any, memory and offer limited programming flexibility, which makes them unlikely targets for such an attack.

The attack scenario isn't entirely new: in 2006, John Heasman injected a rootkit into the extended memory of graphics cards and network cards, although his rootkit needed to download code from the net once Windows had started up. Flash memory chips intended for the PC BIOS on a mother board are another potential rootkit hiding place.

24 November 2010

Researchers Uncover Holes In WebOS Smartphones

Linux-based platform prone to Web-injection vulnerabilities and targeted attacks for stealing data.

A pair of researchers has discovered multiple flaws in the WebOS smartphone platform, including one that could let an attacker build a mobile botnet or execute other remote attacks.

Orlando Barrera and Daniel Herrera of SecTheory plan to demonstrate their findings tomorrow at the Austin Hackers Association meeting in Texas. The most dangerous of the vulnerabilities is an injection flaw they found in WebOS version 1.4.X that allows remote command and control, including access to a phone's files or injecting a remote JavaScript backdoor into the phone's Contacts application to build a botnet.

Read more here.

23 November 2010

Korean cross-border attacks exploited to spread malware

The recent cross-border shellings between North and South Korea have left many people wondering what has been going on and what triggered the attacks ("North Korean Artillery Attack on a Southern Island").

Scareware and malware pushers have been very prompt at poisoning related search results.

Search combinations such as "north korea bombs/attacks south korea", "kim jong il", "korean war", "world war 3", "yeonpyeong island" and "korean news" have been producing results that take users to pages that display bogus infection warnings and offer rogue antivirus software for download, to pages that attempt to hijack their browser through JavaScript, or to pages that offer Trojans disguised as codecs and bogus updates for Mozilla's Firefox.

The Tech Herald reports that all of the offending compromised domains are running open source CMS software that had not been updated and was consequently vulnerable to attack. They also noted that topics related to Black Friday, Bristol Palin, Dancing with the Stars, and others have been targeted by the same black hat SEO campaign.

19 November 2010

Facebook Messaging System Opens New Security Concerns

The next big thing in social media has been revealed in Facebook's new Messages system, which combines email, texting, and instant messaging into one threaded experience. They want to let people talk to each other without having to worry about whether the recipient prefers email or SMS, etc. This also opens the way for new security challenges to be overcome as more and more people start using this new service.

Sophos, an internet security company that advertises a variety of email and encryption services, has released an article concerning the new Facebook Messages system which focuses on the new security issues that need to be considered by people who opt to use it. In it, senior technology consultant Graham Cluley argues that the burden of security lies more with the user than with Facebook itself. He says, "Before signing up, users need to realize that these new features increase the attack surface on the Facebook platform, and make personal accounts all the more alluring for cybercriminals to break into. Facebook accounts will now be linked with many more people in the users' social circles - opening up new opportunities for identity fraudsters to launch attacks." Basically, spammers now have more of an incentive to hack into Facebook accounts using phishing attacks and exploiting weak passwords.

The other security issue that Cluley discussed was the fact that "users also need to be aware that Facebook will be storing a complete archive of all of their communications with one person - this raises concerns as to how this data could be misused if it fell into the wrong hands." Imagine every conversation you've ever had with anyone being recorded and stored on servers you have no control over. All that vital information in the wrong hands could most certainly spell trouble for anyone unfortunate enough to fall victim to such a situation. For more security-based information about the new Facebook Messages system, check out the Sophos FAQ about it.

15 November 2010

Facebook bug compromises top pages

A customer of Sendible, an online marketing service for promoting and tracking brands through the use of social media, e-mail and SMS messaging, has inadvertently discovered a flaw in Facebook's API.

Using Sendible's Facebook application, he tried to post messages on a few Facebook walls - as a fan - but apparently the flaw caused them to be posted as status messages from the owner of the pages.

Before the flaw could be patched, it was apparently also discovered by some users who decided to use it to propagate a malicious link that would supposedly allow the victims to change their Facebook background. This message appeared on a number of Facebook pages of brands and companies like Coca-Cola, Google, YouTube, South Park, The Daily Show and others.

"A few people who did click on the link reported that it took you to a page outside of Facebook that asks you for some information about you," reports TechCrunch. "The bottom of the page reads 'Powered By AWeber Email Marketing'."

It seems that the malicious link in question has been taken down, but people have been reporting that other links were propagated with the help of the flaw.

Sendible claims that its application wasn't hacked. "This is a flaw in Facebook’s API and may affect all third party Facebook applications," it says. "To ensure this doesn’t happen again, we’ve agreed with Facebook to remove the feature on Sendible that allows fans of Facebook pages to update multiple pages at once."

Facebook claims that there was a bug on its platform AND a flaw in Sendible's API:
"We’ve looked into this more. We began removing the posts immediately upon discovering them and shortly after they were made. They were caused by a temporary bug on Facebook that allowed certain posts requested by an application to be rendered when they shouldn’t have.

There was a flaw in Sendible’s API call that caused Sendible to incorrectly request that posts users had intended to make on the Walls of Pages they liked be rendered on behalf of those Pages themselves. This bug caused those requests to go through.

Upon discovering the bug, we immediately began work to fix it. It’s now been resolved, and these posts can no longer be made. Sendible has also fixed the flaw on its end. We’re not aware of any cases in which the bug was used maliciously."

14 November 2010

Facebook "love button" app links to malware

If you spot a Facebook post or a message that advertises an application that will let you "unlock" a "love" button if you run it - don't do it. If you do, you will be actually running a malicious Java applet that downloads a password-stealing Trojan.


You don't even have to press a button to install the application - a simple visit to the application's page (which is displayed in Croatian) will trigger a pop-up that will ask you to run the application which - unexplainably - masquerades as a "Sun Microsystems Java Security Update 6":

If this warning fails to arouse your suspicion and you run the application, the Java applet will download an .exe file from a URL passed as a parameter on the website.

"It then saves and executes it as 'NortonAV.exe' from the local user profile folder," explains McAfee's expert. "The downloaded trojan payload is a password stealer which searches for passwords stored on the user's machine. It then sends a password log to an e-mail account on gmail.com over an encrypted SMTP/TLS connection."

Facebook "free plane tickets" scams

Don't be tricked by the impossibly good offers that have lately been popping up on Facebook profiles. There are no free ticket giveaways - there's only the possibility of getting your profile abused by the applications that you are required to install in order to receive them.


Supposedly, Delta Air Lines and JetBlue Airways are giving free tickets to Facebook users, but that could not be further from the truth.

Actually, if you click on the offered link you are asked to install a third-party application - "4freedeltatickets" or "JetBlue Family" - that requests your permission to access your basic profile information, send you e-mails, post on your Wall, access your data at any time, and manage your events and pages.

According to Graham Cluley, once you've done that you are redirected to a page where the scammers will try to trick you into signing up for a premium rate cell phone service. In the meantime, the application that you have allowed access to your profile has been posting the same message you fell for on your Wall and added you to events:


If you have fallen for the scam, delete the applications in question (go to Account/Privacy Settings/Applications and Websites), delete every status message and event they have added to your profile, and contact your cell phone provider to notify them of the situation.

13 November 2010

Drive-By Downloads: Malware's Most Popular Distribution Method

After years of burying malicious software in email and portable storage media, attackers now favor quick downloads via legitimate websites, researchers say.

WASHINGTON, D.C. -- OWASP AppSec DC 2010 -- Why try to fool users into opening email attachments when you can simply drop a Trojan on them from their favorite websites?

That's the question many malware authors and distributors are asking -- and the obvious answer is spurring most of them to try out the emerging "drive-by download" method, according to a speaker here this week.

"What we're seeing is a fundamental change in the method of malware distribution," said Neil Daswani, CTO of Dasient, which offers a service that detects and eradicates Web-borne malware. "In the old days, we saw executable code in a static file, which was originally delivered via floppy disks and then via email attachments. Now we're seeing active content delivered via drive-by downloads at legitimate sites."

A drive-by download typically begins by injecting a Web page with malicious code, often through JavaScript, Daswani explained. The code generally invokes a client-side vulnerability to deliver shell code, such as the JavaScript-based Heap Spray attack, to take control of the user's machine. From there, the attacker can send a "downloader," which is often custom, zero-day code that isn't recognized by traditional antivirus systems.

Once the downloader is in place, the attacker can deliver his malware of choice, Daswani said. Drive-by downloads are particularly effective for delivering code that can steal end user credentials (such as Zeus), launch a fake antivirus scam (such as Koobface), steal server-side administrative credentials (such as Gumblar), steal corporate secrets (such as Project Aurora), or collect fraudulent click revenue (such as clickbot.A), he noted.

While drive-by downloads are often more effective at infecting end user devices than email attachments, they also give the attacker broader reach, Daswani observed. Drive-by downloads can be used to infect thousands of websites at once, often by hiding in common third-party components that are distributed to many sites, such as advertisements, widgets, images, or third-party applications.

"A lot of user organizations do a great job of scanning the code they put on their own sites, but they may not scan the code they're posting from third parties," Daswani warned. "The marketing people will add an ad or a widget to a site, and the IT people may not vet it before it's posted."

Many well-known sites are infected by malware, and the most popular sites are generally targeted most frequently, Daswani noted. In the past two years, major government sites, such as the Treasury Department and Environmental Protection Agency, have been infected, causing them to serve up drive-by downloads to their users. The National Institutes of Health has been infected five times in the past two years, and the state of Alabama's website has been infected 37 times in that same time period, he reported.

"It's time to recognize that this is the method of choice for many distributors of malware," Daswani said.

12 November 2010

ElcomSoft breaks Firefox, Safari, Opera, and Chrome passwords

Another convincing reason why you shouldn't get lazy and let your Internet browser store your passwords.

Elcomsoft Internet Password Breaker now retrieves cached passwords stored in a variety of email clients and Web browsers.

The new update adds Mozilla Firefox, Apple Safari, Google Chrome and Opera Web browsers to the list of supported applications in addition to already supported Microsoft Internet Explorer, Outlook Express, Outlook, Windows Mail, and Windows Live Mail.


In addition, cached logins and passwords, pre-filled forms and AutoComplete information can be extracted from the browser cache or secure storage area.

Elcomsoft Internet Password Breaker makes it easier to migrate between supported Web browsers. The tool reminds users of some of their login and password information that may long be forgotten thanks to the convenience of using the cached forms.

Features:
  • Instant password recovery for a variety of applications
  • Supports all versions of Microsoft Internet Explorer, including IE7 and IE8
  • Supports all versions of Microsoft Outlook and Outlook Express
  • Supports Windows Mail and Windows Live Mail passwords
  • Instantly recovers passwords cached in Apple Safari, Google Chrome, Mozilla Firefox and Opera Web browsers
  • Reveals stored POP3, IMAP, SMTP and NNTP passwords for all supported applications
  • Recognizes and works around the enhanced security model of Internet Explorer 7 and 8
  • Reveals Microsoft Passport information in Windows Live Mail
  • Retrieves Microsoft Outlook PST passwords
  • Recovers login and password information for a variety of resources

04 November 2010

Android Falls Short In Security Analysis

We've seen enough news about how Apple's iOS is vulnerable to attack. I think it's only fair that we talk about the shortcomings of its biggest competitor, Android. According to a report by Coverity, the popular mobile operating system is home to hundreds of bugs in its kernel, a quarter of which are listed as 'high risk' because they could be exploited to compromise user privacy.

Coverity Inc. is in the business of scanning software for potential security vulnerabilities. They recently scanned the open-source Android operating system and discovered 359 bugs. 88 of these are listed as high-risk, which according to the report "include four categories that we have found, through experience and consultation with our customers, to be ones that can cause the most damage and are most likely to be fixed first by developers. These include memory corruptions, illegal memory accesses (e.g., reading beyond the bounds of a memory buffer), resource leaks, and uninitialized variables."

Let's look at how those bugs compare in the open source world. Coverity claims that the industry average 'defect density' is one defect per 1,000 lines of code. Android has only half that number, which is impressive until you look at where those bugs were found. Most of the code in the operating system is a Linux kernel with custom additions, and in the Android-specific code the defect density is twice as high.

Fragmentation of accountability is listed as one of the main conclusions of the report. Coverity basically says that, just like the rest of open source software, with so many people contributing so many different elements to the project, it is almost impossible to keep track of who is in charge of fixing what. This is definitely a problem as open source becomes more and more popular.

The Coverity report can be found here.

03 November 2010

Free Mac anti-virus for home users

Good news for Mac users out there!

Sophos announced the availability of a free Mac anti-virus product for home users. Based on Sophos's security software, which protects over 100 million business users worldwide, Sophos Anti-Virus Home Edition for Mac is available for consumers to download at no charge.


Sophos Anti-Virus Home Edition for Mac provides automatic detection against existing and new threats for Mac OS X. The free software also incorporates strong disinfection capabilities, capable of removing malware infections that may already be present on the Mac computer.

Sophos Anti-Virus Home Edition for Mac detects both Mac and Windows malware, and is backed by SophosLabs, Sophos's global network of highly skilled researchers and analysts, protecting businesses from known and emerging malware - viruses, Trojans, spyware and rootkits. SophosLabs ensures that Sophos Anti-Virus Home Edition can even proactively stop brand new unseen threats before they can install on your Mac.

Technical requirements:
  • Mac with Intel or PowerPC processor
  • 256 MB of memory
  • 150 MB of available disk space
  • Mac OS X 10.4 (Tiger), 10.5 (Leopard) or 10.6 (Snow Leopard)
  • Supports all Apple Mac hardware including iMac, MacBook, MacBook Pro and the new MacBook Air

02 November 2010

Spying app kicked out of Android Market

Secret SMS Replicator, a spying application that forwards contents of a user's text messages to the phone of the person who installed it in the first place, has been booted out of the Android Market.

Once the application in question is installed, there is no visible shortcut or icon to alert the user about the spying that is in progress, so one can see why this would be a problem for Google. According to ReadWriteWeb, the application was banned because it violates the Market's content policy, which says that applications that are guilty of invasion of personal privacy are not allowed to be uploaded.

Zak Tanjeloff, CEO of DLP Mobile (the company that developed the application) said that they developed it for Android because such an app would never be approved by Apple for use on the iPhone and allowed to be sold on its iTunes App Store.

But, as it turns out, the Android Market has similar rules - the only difference is that Apple's approval process will flush such an application out before it is allowed in, and the Android Market allows them in and removes them once they are published. Unfortunately, that gives potentially malicious applications a small window of opportunity to do their bad work.