::Trend Micro Threat Resource Center::

30 December 2011

Care2.com servers breached

Seems like friends around me are getting targeted for some reason. I received an email from a friend, which obviously looks like a phishing email. Here's the sample:


If this is making its way around, it's got to be on Google. And so it is.

"Yesterday we discovered that Care2.com servers were attacked, resulting in a security breach. The hackers were able to access login information for a limited number of Care2 member accounts. Our team has worked to secure Care2.com against this type of attack from recurring.

To protect Care2 members we are resetting access to all Care2 accounts. The next time you login to Care2, you will be automatically emailed a new password, which will enable you to access your Care2 account as usual.

To secure your privacy, we highly recommend you immediately change your password for any accounts that share the password you previously used on Care2.

We sincerely apologize for this inconvenience. Given our large membership size, we have become a significant target for spammers and hackers over the past few years, and this was the first hacking attempt that successfully breached our protective walls. We take the security of our members very seriously and are taking this extreme step of changing all passwords to reduce the chances of any possible negative consequences."

More details here.

27 December 2011

Hacked and discredited: Anonymous takes down Stratfor

The servers of global intelligence firm Strategic Forecasting have been hacked into, allegedly by the Anonymous group. Some Anonymous members claim responsibility, while the group’s press release denies it.

More than 200 GB of Stratfor's internal data were allegedly lifted from its servers before its network was shut down. Stratfor's web server was offline for some 40 minutes, during which the company sent notifications of the security breach to its clients.

While some alleged members of Anonymous claim to have released a cache of information containing private correspondences and credit card data obtained in the breach, a press release from the group says the hack was not its work.

One of the alleged hackers tweeted that the goal of the operation was to use the financial data to steal money and give it away as Christmas donations. "Over 90,000 Credit cards from LEA, journalists, the intelligence community and whitehats have been leaked and used for over a million dollars in donations," the tweet said.

A number of large corporations and government agencies rank among Strategic Forecasting's clients. The firm provides strategic intelligence on global business and economic, security and geopolitical affairs.

Anonymous posted a link to what is believed to be a complete list of Stratfor’s clients. The United States Air Force, Goldman Sachs, and financial broker MF Global were all included on the list.

Stratfor's website was down on Sunday, with a banner telling visitors it was "currently undergoing maintenance."

15 December 2011

Hoax: Apple is giving away macbooks

Received this on my IM from a friend. Sometimes I really question the AI of the bots.

Double checked on the sources:
http://techjost.com/2011/11/05/spam-alert-apple-is-giving-away-5000-macbooks-today-in-honor-of-him-steve-jobs/

Sometimes I just wanna strike up a proper conversation, so can't they be any cleverer?

10 November 2011

iOS flaw allows App Store apps to download malicious code

Since the App Store's inception, Apple has carefully examined applications submitted by third-party developers in order to assure its customers a malware-free experience. Approved apps are signed by Apple, and only then can they be downloaded and run by iPad and iPhone users.

But well-known Mac hacker and researcher Charlie Miller has discovered a flaw in Apple's restrictions on code signing on iOS devices which would allow attackers to use applications sneaked into the App Store to download and run additional, unsigned code.

To prove his point, Miller created an app called InstaStock that ostensibly lists stock tickers and submitted it to the App Store. The app was approved by Apple and offered to users. But unbeknownst to the company, the app also contained a hidden payload which takes advantage of the aforementioned flaw.

The app could then "phone home" to a server set up by Miller, from which new code - unapproved by Apple - was downloaded and executed without a hitch. This gave him remote shell access to the device and allowed him to do things like make it vibrate, play a video and, most worryingly, download any file present on it to the server.

Miller, who managed to sneak the InstaStock app into the App Store back in September, notified Apple of the flaw on October 14th.

But, as news that he was planning to demonstrate the attack next week at the SysCan conference in Taiwan broke, Apple reacted immediately: not only has his app been removed from the App Store, but he himself has been booted out of the iOS Developer Program since he violated the agreement that forbids developers to “hide, misrepresent or obscure” any part of the submitted apps.

Miller is, understandably, annoyed by the move. “They went out of their way to let researchers in, and now they’re kicking me out for doing research,” he says. “I didn’t have to report this bug. Some bad guy could have found it instead and developed real malware.”

I guess that his upcoming demonstration can't be executed now - unless he has predicted Apple's reaction and uploaded (or asked someone to upload) a second booby-trapped app.

09 November 2011

Why do malicious Android apps come from China?

It seems like every time we hear about a malicious application aimed at Android users, it is always distributed by third-party Chinese app markets.

You might wonder why the Chinese seem to have a preference for these markets over the official Google Android Market, and the answer is simple: given the Chinese government's often shaky relationship with Google and its penchant for online censorship, access to the official market is often blocked for one reason or another.

"The inconvenience in accessing the Android Market, one not experienced by users from other countries, can be considered a big factor in the Chinese users’ preference in terms of where to download their Android applications," point out Trend Micro researchers.

These third-party stores popped up when access to the official market was impossible. They started as online forums where Android users gathered, shared their knowledge and discussed various topics, but in time some developers began offering their (often free) applications for download.

Some 20 or so third-party app stores are currently operating in China, and as popular as they are with the country's Android users (who represent 16 percent of Chinese smartphone users), most of them are quite small and the people who run them lack the funds to thoroughly test submitted applications.

It's no wonder, then, that cyber crooks prefer to use them to disseminate their malicious applications, along with crooks distributing pirated and repackaged applications. And with the continuing growth of Android users, the targeted public keeps getting bigger.

08 November 2011

Brazilian ISPs hit with massive DNS cache poisoning attacks

A massive DNS cache poisoning attack attempting to infect users trying to access popular websites is currently under way in Brazil, warns Kaspersky Lab expert Fabio Assolini.

"Brazil has some big ISPs. Official statistics suggest the country has 73 million computers connected to the Internet, and the major ISPs average 3 or 4 million customers each. If a cybercriminal can change the DNS cache in just one server, the number of potential victims is huge," he points out.

And that is exactly what has been happening over the past week. Users trying to reach Google, YouTube, Facebook and other popular global and local sites were faced with pop-up windows telling them to install "Google Defence" and similarly themed software or a Java applet in order to be able to access the wanted site:


Unfortunately for those who fell for the trick, the offered software was a banking Trojan - for a long time now the preferred weapon of choice of Brazilian cyber crooks. According to Kaspersky, the same IP address hosted a number of malicious files and several exploits, and targeted users seem to be exclusively from Brazil.

Among the different ways in which a DNS cache poisoning attack can be executed, the simplest option for the attackers is to pay an employee who has access to the DNS records to modify them so that users are redirected to the malicious site. And, as it seems, that is exactly what they did.

Assolini notes that last week the Brazilian police arrested an employee of an ISP located in the south of the country, who stands accused of changing his employer's DNS cache and redirecting users to phishing websites - no doubt at the behest of the people running them. "We strongly suspect similar security breaches will be happening in other small and medium ISPs in the country," Assolini commented.

But random Internet users are not the only ones who have been targeted by this type of attack. Employees of various companies have also seen similar pop-up windows when they tried to access any website. Once again, they were actually offered a banking Trojan for download.

The attack was made possible by flaws in the networking equipment used by their companies. Routers and modems were accessed remotely by attackers who changed the devices' DNS configurations.
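The check a practitioner would want after reading this, as an added example that is not part of the original post or of Kaspersky's write-up: build an A query, parse the reply (including compression pointers), refuse replies whose transaction id does not match the query, and compare what the ISP's resolver says against a couple of reference resolvers. The packets and resolver names below are constructed and the addresses come from the RFC 5737 documentation ranges; a real run would send the query bytes over UDP port 53 to each resolver and feed the replies to the same functions.

```python
import struct

# Added example: DNS A query/response handling plus a cross-resolver comparison.
# All packets and resolver names are constructed locally; IPs are RFC 5737 ranges.

def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234, qtype=1):
    """Standard recursive query (flags 0x0100 = RD), one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                       # resume after the pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_response(data):
    """Return (txid, flags, [(qname, qtype)], [(name, ip, ttl)]) for A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        rname, offset = read_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return txid, flags, questions, answers

def build_a_response(query, ips, ttl=300):
    """Constructed resolver reply to `query` (stands in for a real server)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)   # QR, RD, RA
    records = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C: name is a pointer to the question name at offset 12
        records += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + records

def answers_for(query, raw):
    """Accept a reply only if its transaction id matches the query we sent."""
    txid, _flags, _questions, answers = parse_response(raw)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: spoofed or stale reply")
    return {ip for _name, ip, _ttl in answers}

def divergent_answers(by_resolver, reference):
    """Flag (resolver, domain) pairs whose IPs share nothing with the reference resolvers.
    by_resolver: {resolver: {domain: set(ips)}}; reference: set of trusted resolver names."""
    suspect = {}
    for resolver, table in by_resolver.items():
        if resolver in reference:
            continue
        for domain, ips in table.items():
            ref = set().union(*(by_resolver[r].get(domain, set()) for r in reference))
            if ips and ref and not (ips & ref):
                suspect.setdefault(resolver, []).append((domain, sorted(ips)))
    return suspect

if __name__ == "__main__":
    q = build_query("www.example.com")
    # Constructed scenario: the ISP resolver hands out an address nobody else returns.
    by_resolver = {
        "isp":  {"www.example.com": answers_for(q, build_a_response(q, ["203.0.113.5"], ttl=60))},
        "ref1": {"www.example.com": answers_for(q, build_a_response(q, ["198.51.100.10"]))},
        "ref2": {"www.example.com": answers_for(q, build_a_response(q, ["198.51.100.10", "198.51.100.11"]))},
    }
    print(divergent_answers(by_resolver, reference={"ref1", "ref2"}))
```

Disagreement alone is not proof of poisoning: CDNs and geo-DNS legitimately hand different addresses to different resolvers. The signal here is an answer that shares nothing with any reference resolver, for a site that should not be behind a CDN, combined with the short TTLs and "install this plugin" pages described above. The transaction-id check is the minimum a stub resolver must do and it does nothing against an insider editing the cache, which is why the cross-resolver comparison is needed at all. The same comparison covers the router scenario: point one query at the DNS server the router is now configured with and one at a resolver you trust.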

05 November 2011

Siri - Can She Spill Your Secrets?

By Default, Yes.
As IT/infosec expert Ben Schorr points out in an article, the feature of the iPhone 4S that everyone is excited about is Siri, the voice-enabled personal assistant. Siri can do some cool things - she can direct you to the nearest gas station, read you your e-mails and help you remember the coffee shop you liked in Seattle the last time you visited - ah, the wonders of GPS.

Unfortunately, Siri has no loyalty - if someone else gets possession of your phone, Siri will obligingly read them your texts or e-mails - or send text and e-mails that appear to come from you. This is true EVEN if you have your phone locked with a PIN.

This recently discovered security flaw can be corrected, but you must take the affirmative step of disabling Siri when the phone is locked - and how many users are going to do that? Unless you take that step, be wary of what you share with the faithless Siri!

04 November 2011

Has your account been pwned? New website will tell...

Security researchers have set up a website that allows punters to check whether or not their email addresses have appeared in data dumps slurped from compromised databases.

Hacking attacks on sites including Gawker and the network of Sony’s gaming division have led on to the publication of hundreds of thousands of users’ credentials online, sometimes (but not always) by activists at Anonymous.

That’s bad enough in itself but is even worse for users who use the same login details for all their online activity – from email to online banking. Compromised firms normally make some effort to notify affected customers, but this does not always happen.

A new site – called Pwnedlist.com - aims to plug this information gap. Users enter a username or email address into the site’s search box to find out if their username has appeared in any recent public data dumps. Users are not prompted to enter their password itself.

You can also use a SHA-512 hash of your email/username as input. Just don't forget to lowercase all characters first.

If a username or email address appears on the list, users are advised not to panic and to simply change their passwords. There’s also sensible advice on offer about password security even if credentials are not on the list.

03 November 2011

Zero-Day Exploit Used for DUQU

A report by a Hungary-based security laboratory indicates that a Microsoft Word document that triggers a zero-day kernel exploit was identified as the dropper for DUQU. Upon successful exploitation, the Microsoft Word file drops the installer files that load the DUQU components that were initially reported a couple of weeks back.

A visual summary as follows:

Details regarding the zero-day exploit used have not yet been disclosed. However, Microsoft is expected to release information on it soon.

More details on this exploit are discussed in an article from Trend Micro.

30 October 2011

techfest @ Singapore Polytechnic

Name of Event: techfest @ Singapore Polytechnic
Venue: Singapore Polytechnic Convention Centre
Date: 11/9/2011
Time: 2.30pm - 6.00pm

Want to be part of the 1st ever TechFest in SP? Want to be part of an event filled with fun and laughter? Want to find out what’s next for technology?

Come join us now at TechFest @ Singapore Polytechnic, where regional speakers will be sharing their points of view on the future. Our guest speakers include Ziriad Saibi, Director of Developer and Platform Evangelism (DPE), Microsoft Singapore, and Vincent Quah, DPE Academic and New Markets Lead, Microsoft Asia Pacific. Hear from them first-hand.

Join us now and stand a chance to win attractive prizes such as Xbox Kinect, Arc touch mouse and many more!

This event is open to all Singapore Polytechnic Students, please register at http://bit.ly/sptechfest. For any enquiries, please contact the organising team via sp@student-partners.com.sg.

29 October 2011

Over 1000 attended Microsoft TechDays Singapore 2011!

Singapore held its first Microsoft TechDays Singapore on 13 October 2011, which attracted more than 1000 delegates!

If you missed the event, do check out the highlights here:
http://spiffy.sg/developers/over-1000-attended-microsoft-techdays-singapore-2011/

20 September 2011

Microsoft TechDays Singapore 2011

The premier technical conference is coming to Singapore!

TechDays Singapore 2011 provides IT Professionals and Developers with comprehensive insights on Microsoft cloud technology and learning opportunities to manage cloud infrastructure, integrate with cloud platforms and develop modern applications.

Check out the details here:
http://www.microsoft.com/singapore/techdays/

Register by 30 September 2011 to enjoy early bird pricing at S$69! (Standard pricing at S$99 applies thereafter). Click here to register now.

02 September 2011

Facebook pays bug hunters $40,000 in three weeks

The recently introduced Facebook bug bounty program has proved to be a great success, says Joe Sullivan, the company’s chief security officer.

"We know and have relationships with a large number of security experts, but this program has kicked off dialogue with a whole new and ever expanding set of people across the globe in over 16 countries, from Turkey to Poland who are passionate about Internet security," he added. "The program has already paid out more than $40,000 in only three weeks and one person has already received more than $7,000 for six different issues flagged."

He also pointed out that $500 was the minimum sum received for a discovery of a bug, but that one particular report brought $5,000 to its author. Unfortunately, he didn't disclose how the Facebook security team rates the discoveries and decides on the payout.

In spite of many requests to include bugs found in third-party applications and websites that can be connected to the users' Facebook identity, the bug bounty program remains limited only to bugs that could compromise the integrity or privacy of Facebook user data.

Bug bounty programs have previously been instituted by Google and Mozilla. And even though Adobe and Microsoft still decline to make that step, Microsoft has instituted a competition that aims to amply reward security researchers who develop innovative computer security protection technologies.

01 September 2011

Linux source code repository compromised

The Kernel.org website - home to the Linux project and the primary repository for the Linux kernel source code - sports a warning notifying its users of a security breach that resulted in the compromise of several servers in its infrastructure.

The discovery was made on August 28th, but according to the current results of the investigation mounted by the site's team, the break-in seems to date back to August 12 or even earlier.

The attackers are thought to have gained root access on a server via a compromised user credential, and to have escalated their privileges from there. How they managed to do that is still unknown.

After having done that, they proceeded to modify files belonging to ssh (openssh, openssh-server and openssh-clients) and add a Trojan to the system startup scripts so that it would run every time the machine was rebooted.

Luckily for everyone, the Linux kernel source code is unlikely to have been tampered with.

"That's because kernel development takes place using the git distributed revision control system, designed by Linus Torvalds," it is explained. "For each of the nearly 40,000 files in the Linux kernel, a cryptographically secure SHA-1 hash is calculated to uniquely define the exact contents of that file. Git is designed so that the name of each version of the kernel depends upon the complete development history leading up to that version. Once it is published, it is not possible to change the old versions without it being noticed."

"Those files and the corresponding hashes exist not just on the kernel.org machine and its mirrors, but on the hard drives of each several thousand kernel developers, distribution maintainers, and other users of kernel.org. Any tampering with any file in the kernel.org repository would immediately be noticed by each developer as they updated their personal repository, which most do daily."

The 448 users of the site have been notified of the breach and have been advised to change their login credentials and SSH keys.

According to the notice, U.S. and European authorities have been notified about the breach and asked to help with the investigation. The administrators have, in the meantime, proceeded to take the servers offline and reinstall them, and to make a thorough analysis of the code within Git (the distributed revision control system) in order to make absolutely sure that nothing was modified.
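To make the kernel.org reasoning concrete, here is an added example (not code from kernel.org or from git itself) that reimplements git's content addressing in a few lines: every object is SHA-1 over a type/length header plus its bytes, a tree holds blob ids, a commit holds its tree id and its parent's id, so a changed file changes the id of every commit after it. Blob ids match what `git hash-object` produces; the tree and commit layouts follow git's formats, but the commit metadata is made up and subdirectories are flattened into a single tree for brevity where real git nests tree objects.

```python
import hashlib

# Added example: git-style content addressing, to show why a tampered file in a
# published repository is noticed by everyone holding a copy of the history.

def git_object_id(obj_type, payload):
    """SHA-1 over "<type> <size>\\0<payload>", exactly how git names objects."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def blob_id(content):
    return git_object_id("blob", content)

def tree_id(files):
    """files: {name: content}. Entries are "<mode> <name>\\0<20-byte blob id>".
    Subdirectories are flattened here; real git stores nested tree objects."""
    payload = b""
    for name in sorted(files):
        payload += f"100644 {name}\0".encode() + bytes.fromhex(blob_id(files[name]))
    return git_object_id("tree", payload)

def commit_id(tree, parent, message, author="Dev <dev@example.invalid> 0 +0000"):
    """Commit object: tree id, parent id (if any), author/committer, blank line, message."""
    lines = [f"tree {tree}"]
    if parent:
        lines.append(f"parent {parent}")
    lines += [f"author {author}", f"committer {author}", "", message]
    return git_object_id("commit", "\n".join(lines).encode() + b"\n")

def build_history(snapshots):
    """snapshots: list of (message, {name: content}). Returns commit ids, oldest first."""
    ids, parent = [], None
    for message, files in snapshots:
        parent = commit_id(tree_id(files), parent, message)
        ids.append(parent)
    return ids

def detect_tampering(local_ids, server_ids):
    """Compare the ids a developer already holds with what the server now serves.
    Returns the index of the first differing commit, or None if history matches."""
    for i, (mine, theirs) in enumerate(zip(local_ids, server_ids)):
        if mine != theirs:
            return i
    return None

if __name__ == "__main__":
    # Constructed two-commit history standing in for a kernel tree.
    history = [
        ("initial", {"Makefile": b"all:\n", "init/main.c": b"int main(void){return 0;}\n"}),
        ("add readme", {"Makefile": b"all:\n", "init/main.c": b"int main(void){return 0;}\n",
                        "README": b"linux\n"}),
    ]
    local = build_history(history)
    # An attacker edits one file in the first commit on the server: that commit's
    # tree id changes, so its commit id changes, so every descendant's id changes.
    backdoored = b'int main(void){system("/bin/sh");return 0;}\n'
    tampered = [(m, {**f, "init/main.c": backdoored}) for m, f in history]
    print(detect_tampering(local, build_history(tampered)))   # first mismatch at index 0
```

detect_tampering is what every developer's `git fetch` effectively does: the ids they already hold are compared against what the server now advertises, and a rewrite anywhere upstream shows up as a mismatch at that commit and all of its descendants. Git named objects with SHA-1 at the time, which is enough for tamper-evidence among parties that already hold the old ids; the property rests on thousands of independent copies of those ids, not on the hash resisting an attacker who can manufacture collisions.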

31 August 2011

Facebook Makes a Move Toward Security

Facebook recently published a guide for its users on how to secure their online accounts from anything that threatens one's Facebook security. Among those covered are Wall, Chat and Comment spam, weak passwords, fake applications and account hacking.

Personally, I'm quite happy that Facebook is actually doing something constructive concerning user security, despite it being quite late come to think about it.

Still, better to have something than nothing.

The document guide contains practical tips and cases to illustrate the gravity of the attack if ignored. It also has some great, agreeable points that make it a good reference anyone can recommend to their friends and family who are on Facebook. Feel free to download here and distribute.

30 August 2011

Security flaw could expose credit card data

Do you have an account with BofA or Chase? Bank information may be at risk.
If you have a credit card account with Bank of America or Chase, two of the nation’s largest banks, a major security flaw has been exposed that could make your information vulnerable to an Internet crook – or even a nosy neighbor.

Consumer advocate Edgar Dworsky of ConsumerWorld.org, who discovered the flaw, says anyone who knows your phone number and has the last four digits of your Chase or BofA credit card number might be able to access your account.

Here’s the flaw Dworsky uncovered: When you call a bank’s automated credit card account information system, the computer uses caller ID to compare the number you’re calling from with the one on the account (usually your home phone).

At BofA and Chase, if the phone number is a match, the verification process is streamlined. Rather than requiring the entire credit card number to be entered, the caller can usually access the account with only the last four digits. In some cases, a zip code is also required.

“The last four digits of your credit card number are just out there so predominantly,” Dworsky says. “If you look at any sales receipt, it always has those last four digits.”

In order for someone to take advantage of this security loophole, they’d have to trick the bank’s computer to make it appear the call is coming from your home phone. Internet “spoofing” sites make this incredibly easy to do. Con artists have been using this technology for years, and it is how those British tabloid reporters were able to hack into so many voicemail systems.

Here's more details of the flaw.

29 August 2011

Month-long hiatus

Apologies for the month long hiatus.

Was away traveling and decided to disconnect myself from the Internet world.

Hope I'm back fully recharged.

Cheers!

29 July 2011

Happy SysAdmins Day

Friday, July 29, 2011, is the 12th annual System Administrator Appreciation Day. On this special international day, give your System Administrator something that shows that you truly appreciate their hard work and dedication.



Let's face it, System Administrators get no respect 364 days a year. This is the day that all fellow System Administrators across the globe, will be showered with expensive sports cars and large piles of cash in appreciation of their diligent work. But seriously, we are asking for a nice token gift and some public acknowledgement. It's the least you could do.

Consider all the daunting tasks and long hours (weekends too.) Let's be honest, sometimes we don't know our System Administrators as well as they know us. Remember this is one day to recognize your System Administrator for their workplace contributions and to promote professional excellence. Thank them for all the things they do for you and your business.

27 July 2011

'War Texting' Attack Hacks Car Alarm System

Researcher will demonstrate at Black Hat USA next week how 'horrifyingly' easy it is to disarm a car alarm system and control other GSM and cell-connected devices.

It took researcher Don Bailey a mere two hours to successfully hack into a popular car alarm system and start the car remotely by sending it a message.

Bailey, a security consultant with iSec Partners, next week at Black Hat USA in Las Vegas plans to show a video of the car alarm attack he and fellow researcher Mat Solnik conducted. His Black Hat presentation is called "War Texting: Identifying and Interacting with Devices on the Telephone Network."

Physical security systems attached to the GSM and cellular networks such as GPS tracking devices and car alarms, as well as traffic control systems, home control and automation systems, and SCADA sensors, are ripe for attack, according to Bailey.

War texting is something that Bailey demonstrated earlier this year with personal GPS locators. He demonstrated how to hack vendor Zoombak's personal GPS devices to find, target, and impersonate the user or equipment rigged with those consumer-focused devices. Those low-cost embedded tracking devices in your smartphone or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, he says.

His Black Hat research, meanwhile, focuses more on the infrastructure as well as on fingerprinting or classifying these devices among millions of wireless phone numbers. Once those devices have been spotted by an attacker on the network, they then can be abused. Car alarms are vulnerable, for instance, because they connect and idle on Internet-ready cellular networks, and receive messages from control servers, Bailey says.

Bailey declined to reveal the car alarm vendor. He says these and other devices are being exposed to reverse-engineering and abuse via their GSM or cell connections. "Their proprietary protocols [traditionally] were insulated and so obfuscated that you wouldn't necessarily know what was going on under the hood," Bailey says. "[But] car-alarm manufacturers now have to worry about reverse-engineering of their proprietary protocols."

Bailey says an attacker can glean previously undisclosed aspects of the alarm device from the phone network. "Now that they're OEM'ing GSM modules ... they are leaving the whole business exposed. It's serious from that angle: attackers can finally get under the hood easily because they have a foot in the door with GSM," he says.

He plans to release new tools to help gather information about these devices. "[The tools] will show how easily you can set up a network connection for mass-scanning over the entire phone network," he says. "The idea of war-texting communication with devices over the telephone network is simple."

Bailey says the car alarm hack just scratches the surface of the inherent danger of having such devices GSM- and cell-connected. "What I got in two hours with the car alarm is pretty horrifying when you consider other devices like this, such as SCADA systems and traffic control cameras. How quick and easy it is to re-engineer them is pretty scary," he says.

He says he was able to get enough reconnaissance on a handful of other devices to do the same type of hack. "I didn't bother to reverse-engineer them. Knowing their modules and understanding their design is enough" to pull off a war-texting attack, he says.

So how do you shore up security for these devices? "The real answer is engineering: getting the people designing these systems to analyze their security in a thorough fashion, which they are not doing now," Bailey says.

25 July 2011

"Amy Winehouse death video" scams hit Facebook users

The past weekend has been rife with bad news that captured the attention of the greater public, and online scammers have wasted no time in taking advantage of it.

Facebook users have predictably been targeted with various scams. First came the ones exploiting the Oslo bombing news, and then followed those luring victims in with non-existent videos of the last moments of the famous and recently deceased singer Amy Winehouse.

According to Sophos, variations of "Leaked Video!! Amy Winehouse On Crack hours before death", "Video leaked of Amy Winehouse's death!!! Warning: Graphical Content" and "SHOCKING - Amy Winehouse's Final Minutes" messages offering a link to the purported video unsurprisingly take users to pages where they are asked to like the page and to take a survey before being allowed to see it:


If you are one of the people who fell for this type of scam, be sure to remove any trace of it from your account ("Likes and interests" section, for example) and news feed, and to report the scam to Facebook.

Also remember that when it comes to unexpected and often shocking global news, legitimate news sites are always a better source of information than your Facebook friends.

Even when it seems that the offered link is the URL of a legitimate site, it might be better to go to that site by typing in the domain name in and then using the internal search feature in order to find the wanted news item.

24 July 2011

Oslo bombing Facebook scams infecting 1 user per second

Websense has found an alarming number of Facebook scams taking advantage of yesterday's tragedy in Oslo, Norway.

Right now it seems to be infecting one user every second. The scam is a form of ‘clickjacking’ that replicates itself on users’ walls after they click on fake posts within their news feed.

Example of viral Facebook exploit:


Users should be cautious when clicking on breaking news trends and stories within search results related to the Oslo tragedy.

Searching for breaking trends and current news represented a higher risk (22.4%) than searching for objectionable content (21.8%), including pornography.

“This Facebook scam is unfortunate, but a very real threat,” said Patrik Runald, senior manager of security research, Websense. “Criminals know how to take advantage of disasters and the hottest news items to get people to click on infected links. Tragedy is just one type of news that the bad guys use to exploit, compromise and infect your computer. Videos are an especially popular lure; we saw the same thing when Osama bin Laden died and when Casey Anthony was acquitted. During times of crisis or breaking news, your best bet is to stick with the largest news organizations you trust. Avoid the potentially dangerous halls of search engines and social media sites, which are more susceptible to compromise.”

23 July 2011

Google warns users about active malware infection

Google has begun notifying its users that a particular piece of malware is installed on their computers by showing a big yellow notification above their search results (click on the screenshot to enlarge it):



The warning began popping up yesterday, and does so only for users whose computers have been infected by a particular strain of malware that hijacks search results in order to drive users towards websites that use pay-per-click schemes.

"Some forms of malicious software will alter your computer settings to redirect some or all of your traffic through a proxy controlled by the attacker," Google explains. "When you use Google, the proxy forwards your query to the real Google servers to fetch the search results. If our system detects that a search came through one of these proxies, we display the warning."

For those wondering how they might have gotten infected, the answer is that they have likely been tricked into downloading this software when visiting a site or reading an email.

Or, as Google security engineer Damian Menscher shared with Brian Krebs, the search hijacking malware is part of a fake AV solution users have been tricked into downloading and installing on their computers.

Google is advising users to install or update their antivirus software in order to get rid of the malware, but warns users who don't have an AV solution already installed to be careful when searching for one online - more so since the malware in question is likely to serve up links to fake AV solutions.

20 July 2011

Facebook scammers use Tumblr sites to evade detection

Facebook users are targeted once again by survey scammers, and this time the lure is a video of a woman exposing herself on live television:


There are two versions of the scam. In one, when the user clicks on the play button on the destination page, his click is hijacked and used to "like" the page. In the other, the user is asked to confirm that he is an adult by clicking on the "Jaa" button which actually shares the link with his friends.

"To ensure that this scam continues, the scammers are using Tumblr sites to redirect users to the same Fake YouTube page," explains researcher Satnam Narang. "By redirecting users via Tumblr, the scammers can evade Facebook filters as well as stay off the radar of Facebook’s recent Web of Trust integration."

Other than that, this scam ends on a familiar note - the user is encouraged to fill out surveys in order to get a gift.

Since Facebook still seems to have trouble spotting these types of scams, Narang suggests that users aid the security team by reporting the post if they spot it on their friends' Walls.
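Both the Oslo scam and this one work because the scammer can load a page or widget inside a frame on his own site and lay a visible play button over the real button underneath. The defensive check a site owner runs on their own pages, as an added example that is not from Facebook or from the researchers quoted above: read the response headers and decide whether the page can be put in a third-party frame at all. The header sets below are constructed; a real check reads them from an HTTP response. (The Like button is designed to be framed by other sites, so this check is for pages you do not want framed; it shows what anti-framing headers look like, not how Facebook handles its widget.)

```python
# Added example: decide from response headers whether a page can be framed by a
# third party, which is the precondition for clickjacking it. Header sets are
# constructed; nothing here talks to a network.

def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy

def framing_verdict(headers):
    """Return 'deny', 'same-origin', 'allow-list' or 'open'.
    CSP frame-ancestors takes precedence over X-Frame-Options when both are present;
    browsers that implement frame-ancestors ignore X-Frame-Options in that case."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        sources = csp["frame-ancestors"]
        if sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "same-origin"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return "open"                      # scheme-wide wildcard: any site may frame it
        return "allow-list"
    xfo = lower.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "same-origin"
    # ALLOW-FROM was never implemented by Chrome or Safari; they ignore the header
    # entirely and frame the page, so it must be treated as no protection.
    return "open"

def frameable_by_attacker(headers):
    """True when an arbitrary third-party page could embed this response in a frame."""
    return framing_verdict(headers) == "open"

if __name__ == "__main__":
    # Constructed header sets for illustration.
    samples = {
        "no headers":        {"Content-Type": "text/html"},
        "xfo deny":          {"X-Frame-Options": "DENY"},
        "xfo allow-from":    {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp none + xfo":    {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                              "X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp partner list":  {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
        "csp wildcard":      {"Content-Security-Policy": "frame-ancestors *"},
    }
    for label, headers in samples.items():
        print(f"{label:18s} -> {framing_verdict(headers)}")
```

A page that comes back "open" can be embedded invisibly by any site, which is all the scammers above need; "allow-list" is only as good as the weakest listed origin. Run this against the actual URLs users land on, including redirects, since a framing policy on the front page says nothing about the deep link the scam points at.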

19 July 2011

U.S. military contractors targeted with malicious PDFs

The last few months have seen a lot of cyber attacks aimed at U.S. military contractors and they are still ongoing.

F-Secure researchers have recently spotted an email obviously directed at military contractors' employees, which contains a malicious .pdf attachment.

"When opened in Adobe Reader, it exploits a known Javascript vulnerability and drops a file called lsmm.exe," they explain. "This is a backdoor that connects back to the attacker, who is waiting at IP addresses 59.7.56.50 and 59.19.181.130."

In order to keep the recipient from suspecting foul play, the file then opens a legitimate-looking call for papers for a conference:


It is known that the RSA hack was executed in order to compromise its SecurID tokens, which are widely used by companies that do business with the government. But, as this example shows, there are easier ways to gain access to their computers: one employee opening an attachment in a reader that is missing a patch for a known vulnerability is enough.
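Two checks a practitioner would want after reading the F-Secure description above: a quick static triage of an incoming PDF for the combination that makes it dangerous (an auto-execute action such as /OpenAction plus embedded JavaScript, including the #xx-escaped spelling attackers use to hide the keyword), and a sweep of outbound connection logs for the two call-home addresses quoted in the post. This is an added example, not F-Secure's tooling or anything from the original post; the PDF skeletons and the firewall log lines are constructed here, and the log format is an assumption.

```python
import re

# Constructed sample: a minimal PDF skeleton whose /OpenAction runs JavaScript.
# The action type is written as /J#61vaScript (PDF allows any byte of a name to
# be written as #xx), a trick used to dodge scanners that grep for the literal word.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('x');) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Constructed benign document: no scripting, no auto-execution.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names worth counting: script, auto-execute and embedded-payload keys.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
               "/EmbeddedFile", "/RichMedia")


def unescape_names(data: bytes) -> bytes:
    """Resolve #xx escapes so split keywords become visible to the scan."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Count risky names and flag auto-executed script, the pattern behind the exploit."""
    text = unescape_names(data)
    hits = {}
    for name in RISKY_NAMES:
        # The look-ahead stops "/JS" from also matching longer names that start with it.
        n = len(re.findall(re.escape(name.encode()) + rb"(?![A-Za-z])", text))
        if n:
            hits[name] = n
    auto_exec = bool(hits.get("/OpenAction") or hits.get("/AA"))
    script = bool(hits.get("/JavaScript") or hits.get("/JS"))
    return {"hits": hits, "suspicious": auto_exec and script}


# IP addresses named by F-Secure as the lsmm.exe backdoor's call-home destinations.
C2_IPS = {"59.7.56.50", "59.19.181.130"}

# Constructed firewall log (not real traffic); assumed format: time src dst:port action.
SAMPLE_FW_LOG = """\
2011-07-19T09:12:01 10.0.0.15 203.0.113.7:443 ALLOW
2011-07-19T09:12:09 10.0.0.15 59.7.56.50:443 ALLOW
2011-07-19T09:13:44 10.0.0.22 198.51.100.9:80 ALLOW
2011-07-19T09:15:02 10.0.0.15 59.19.181.130:8080 ALLOW
"""


def find_callbacks(log: str) -> list:
    """Return (time, internal host, C2 ip) for every connection to a known C2 address."""
    found = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, _action = parts
        ip = dst.rsplit(":", 1)[0]
        if ip in C2_IPS:
            found.append((ts, src, ip))
    return found


if __name__ == "__main__":
    print(triage_pdf(SAMPLE_PDF))
    print(triage_pdf(BENIGN_PDF))
    print(find_callbacks(SAMPLE_FW_LOG))
```

The triage is deliberately crude (no stream decompression), so treat a negative result as "nothing obvious", not "clean"; a positive result on an unsolicited attachment is reason enough to detonate it in a sandbox rather than Adobe Reader. Any host that shows up in `find_callbacks` has already run the dropper and should be pulled off the network.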

16 July 2011

New Hotmail security features against account hijacking

Microsoft has decided to introduce two new security features for its web-based Hotmail service, in the hope that this will make accounts more difficult to hijack and any hijackings that do happen quicker to spot.

The first one makes the use of extremely common passwords impossible. "Common passwords are not just 'password' or '123456' (although those are frighteningly common), but also include words or phrases that just happen to be shared by millions of people, like 'ilovecats' or 'gogiants,'" explains Dick Craddock, Program Manager at Microsoft.

The feature will be rolled out soon. It will not stop brute-force "dictionary" attacks from being attempted, but it removes the passwords such attacks try first, which is what makes them succeed.
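The check behind such a feature is simple to describe but easy to get wrong: if only the exact string "password" is banned, users switch to "Password1" or "p@$$w0rd", which every attacker's wordlist already covers. The added example below (my own illustration, not Microsoft's implementation) normalises a proposed password before looking it up, so trivial variations of a blocklisted word are caught too. The blocklist is a constructed handful of entries; a real deployment loads a large list of leaked passwords.

```python
import re

# Constructed sample blocklist; a real deployment loads millions of leaked passwords.
COMMON_PASSWORDS = {
    "password", "123456", "123456789", "12345678", "qwerty",
    "letmein", "ilovecats", "gogiants",
}

# Substitutions that attackers' wordlists already undo ("p@$$w0rd" is still "password").
LEET = str.maketrans("@$0!13457", "asoileast")


def candidates(password: str):
    """Yield progressively normalised forms of the password to look up."""
    base = password.lower()
    yield base                                               # "123456" is caught here
    core = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", base)      # strip surrounding punctuation
    yield core
    yield re.sub(r"\d+$", "", core)                          # "gogiants2011" -> "gogiants"
    deleet = core.translate(LEET)
    yield deleet                                             # "p@$$w0rd" -> "password"
    yield re.sub(r"\d+$", "", deleet)


def is_banned(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True if the password, or a trivial mangling of it, is on the blocklist."""
    return any(c in blocklist for c in candidates(password) if c)


def check_new_password(password: str, min_length: int = 8) -> list:
    """Return the policy violations for a proposed password (empty list means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_banned(password):
        problems.append("a common password or a trivial variation of one")
    return problems


if __name__ == "__main__":
    for pw in ("P@$$w0rd!", "GoGiants2011", "v4Wt-kj9#Lm2", "correct horse battery staple"):
        print(repr(pw), "->", check_new_password(pw) or "accepted")
```

Run the same normalisation on the blocklist itself when loading it, otherwise a list entry like "Password1" would never be matched against the lowercase, digit-stripped candidates.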

The second one has already been released, and allows users to report compromised accounts to Microsoft immediately after receiving a spam or scam email from a contact's email account.

This can be done in two ways. Either you move the email in question to the Junk folder and you get offered the option of reporting the possible hack, or you mark it with the "My friend's being hacked!" option:


The feature also works for compromised Gmail and Yahoo! Mail email accounts, and Microsoft relays the information to Yahoo! and Google. In the few weeks since its release, this option has proved to be very helpful.

"When you report that your friend’s account has been compromised, Hotmail takes that report and combines it with the other information from the compromise detection engine to determine if the account in question has in fact been hijacked," says Craddock. "It turns out that the report that comes from you can be one of the strongest 'signals' to the detection engine, since you may be the first to notice the compromise."

The timing for the rollout of these features could not be better: a recent report says that spammers are gradually shifting distribution from botnets to compromised accounts.

15 July 2011

Google+ related scams move to Facebook

Scammers continue to take advantage of the great interest raised by the introduction of Google+ and have begun tricking Facebook users into giving them access to their accounts via a rogue application.

Users are lured in by updates on their news feeds seemingly posted by their friends, which "like" the "Google+ - Get Invite" Facebook page. Clicking on the link gets them to said page, where the rogue app by the name "Google Plus - Direct Access" is linked.

Clicking on the link initiates the request for permissions from the app:


Some people will become suspicious once they see that the app wants to post on their Wall, access their data at any time and send them emails, but there are obviously still a lot of users who fall for these kinds of scams.

Once permission is given, the victim is urged to "like" the page that propagates the app and is encouraged to send an invite to his friends to visit it, in the hope that they will fall for the scam more easily if a friend of theirs appears to be supporting it.

When all this is done, the user is redirected to the official Google+ homepage. But, if he tries to sign in, he is faced with the notice that the service has currently exceeded capacity.

Researcher Satnam Narang believes that one of the scammers' goals is to build a list of fresh e-mail accounts that may either be sold or used in future scams, but it is also quite likely that the access to victims' accounts will be misused to spread other scams and/or malicious links.

If you have fallen for this scam, be sure to revoke the permissions you gave the rogue app, delete all mentions of it from your account and warn your friends about it. It is also a very good idea to report the scammy page to Facebook by going to the page and selecting the "report page" link.

14 July 2011

Analyzing and dissecting Android applications for security defects and vulnerabilities

In March 2011, 58 malicious applications were found in the Android Market. Before Google could remove the applications from the Android Market they were downloaded to around 260,000 devices. These applications contained Trojans hidden in pirated versions of legitimate applications. The malware DroidDream exploited a bug which was present in Android versions older than 2.2.2.

Android device manufacturers and carriers work in tandem to distribute Android updates, and they did not issue patches for the vulnerability DroidDream exploited, leaving users exposed. Google said the exploit allowed the applications to gather device-specific information, as well as personal information.

The exploit also allowed the applications to download additional code that could be run on the device which allowed attackers to potentially gain access to sensitive information.

This article introduces ScanDroid for Android applications, using Ruby code to show how it works and demonstrate how to implement it. This code is a prototype to highlight the capabilities of using ScanDroid.

For simplicity, we will consider three vulnerability classes for an Android application:
1. Read/write to local storage
2. Access to external URLs
3. Making socket connections

This document explains the following aspects:
  • ScanDroid Overview
  • Using ScanDroid
  • Using ScanDroid library with interactive Ruby (irb).
Download the complete paper here.

13 July 2011

Travelers left 11,000 mobile devices at U.S. airports

Travelers left behind more than 11,000 laptops, tablet PCs, smartphones and USB sticks in airports in the United States during the past year.

Credant was able to gather survey results from a cross-section of some of the busiest airports across the country, including Hartsfield-Jackson Atlanta International (ATL), Dallas/Fort Worth International (DFW), Denver International (DEN), Phoenix Sky Harbor International (PHX) and Las Vegas - McCarran International (LAS).


According to the Federal Aviation Administration, more than 133 million passengers boarded a flight at one of the aforementioned airports in 2010. The vast majority were carrying at least one wireless device, perhaps two or more.

Surprisingly, travelers tend to leave laptops, tablets and smartphones behind at a much higher rate than USB sticks. Credant's research showed that 4,416 laptops (37.5 percent), 4,380 tablets/smartphones (37.2 percent) and 2,952 USB sticks (25.1 percent) were left behind.

While security checkpoints are the most popular locations for devices to be left behind, airports report that food courts, baggage claim areas, restrooms and check-in gates also make the list.

Amusingly, laptops, tablets and USB sticks weren’t the only items travelers leave behind at airports. Other items run the gamut from eyeglasses, hearing aids, dentures and baby strollers, to urns, pets, motors, bowling balls, and even prosthetic legs.

The consequences of leaving behind these devices are difficult to quantify, but people traveling for business or pleasure are likely to access their company's corporate network, favorite website or online merchant, leaving sensitive information on the device. If unauthorized individuals obtain one or more of the devices left behind at an airport, and the device is not encrypted, the consequences could be severe.

“Our survey of five airports in the United States shows that travelers are leaving behind their portable devices at an alarming rate. Extending these results across a larger number of airports would indicate that hundreds of thousands of devices are left behind every year,” said Bob Heard, CEO of CREDANT Technologies. “Unsecured data on lost devices can end up in the wrong hands with potential consequences of fraud and identity theft. To combat this it is critical for all devices accessing corporate networks or carrying sensitive information to use encryption software.”

05 July 2011

Backdoor in the latest version of vsftpd

Chris Evans, the author of vsftpd, announced that the master site for vsftpd was compromised and that the latest version of vsftpd (vsftpd-2.3.4.tar.gz) was backdoored.
The backdoor payload is interesting. In response to a :) smiley face in the FTP username, the daemon spawns a shell listening on TCP port 6200, so anyone who can reach the server afterwards can connect to it. There is no obfuscation. More interestingly, there's no attempt to broadcast any notification of installation of the bad package, so it's unclear how victims would be identified; it is also pretty much guaranteed that any major redistributor would notice the badness.
The official download was promptly moved to Google App Engine.
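Three things an administrator who fetched vsftpd during the affected window would want to check: whether the source tree carries the trigger (two bytes, 0x3a 0x29, compared in the username-handling loop in str.c, calling a function vsf_sysutil_extra() that does not exist in a clean tree), whether anyone has already sent the smiley to the server, and whether the resulting listener on port 6200 is present. The example below is added here and is not Chris Evans' code; the str.c excerpts are constructed samples mirroring the shape of the backdoor, and the vsftpd log lines are constructed in the format produced with log_ftp_protocol enabled (an assumption about the exact layout).

```python
import re
import socket

# Constructed sample mirroring the trigger spliced into str.c of the backdoored
# tarball: ":" followed by ")" anywhere in the username calls vsf_sysutil_extra(),
# which binds /bin/sh to TCP port 6200.
BACKDOORED_STR_C = """\
      else if((p_str->p_buf[i]==0x3a)
      && (p_str->p_buf[i+1]==0x29))
      {
        vsf_sysutil_extra();
      }
"""

# Constructed stand-in for the same loop in a clean tree (shape only).
CLEAN_STR_C = """\
      else if (p_str->p_buf[i] == '\\n')
      {
        break;
      }
"""

TRIGGER_RE = re.compile(r"0x3a\s*\)?\s*&&[^;]{0,60}0x29")


def source_is_backdoored(text: str) -> bool:
    """True if the str.c text carries the smiley comparison or the extra function."""
    return "vsf_sysutil_extra" in text or TRIGGER_RE.search(text) is not None


# Constructed vsftpd log excerpt; format assumed.
SAMPLE_VSFTPD_LOG = """\
Tue Jul  5 10:01:02 2011 [pid 2041] CONNECT: Client "203.0.113.5"
Tue Jul  5 10:01:03 2011 [pid 2041] FTP command: Client "203.0.113.5", "USER anonymous"
Tue Jul  5 10:01:09 2011 [pid 2050] CONNECT: Client "198.51.100.77"
Tue Jul  5 10:01:10 2011 [pid 2050] FTP command: Client "198.51.100.77", "USER lol:)"
"""

USER_RE = re.compile(r'Client "([^"]+)", "USER ([^"]*)"')


def find_trigger_logins(log: str) -> list:
    """Return (client, username) for every USER command containing the ":)" trigger."""
    hits = []
    for line in log.splitlines():
        m = USER_RE.search(line)
        if m and ":)" in m.group(2):
            hits.append((m.group(1), m.group(2)))
    return hits


def shell_port_open(host: str = "127.0.0.1", port: int = 6200, timeout: float = 1.0) -> bool:
    """Live check: does something accept connections on the backdoor's port?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    print("backdoored sample:", source_is_backdoored(BACKDOORED_STR_C))
    print("clean sample:     ", source_is_backdoored(CLEAN_STR_C))
    print("trigger logins:   ", find_trigger_logins(SAMPLE_VSFTPD_LOG))
    print("port 6200 open:   ", shell_port_open())
```

The listener only appears after the trigger has been sent once, so a closed port 6200 proves nothing on its own; the source scan and the log sweep are the checks to run first. The lasting fix is procedural: verify the tarball against the author's published signature or checksum before building, since a backdoor this blatant is only caught by someone who looks.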

04 July 2011

Breached Fox News Politics Twitter account announces Obama's death

A person or a group going by the name TheScriptKiddies managed to hack @foxnewspolitics on Twitter and used it to announce the fake death of President Barack Obama.

Here are the latest @foxnewspolitics tweets:



FoxNews.com gave the following statement about the hack:

FoxNews.com's Twitter feed for political news, FoxNewspolitics, was hacked early Monday morning.

Hackers sent out several malicious and false tweets claiming that President Obama had been assassinated. Those reports are incorrect, of course, and the president is spending the July 4 holiday with his family.

The hacking is being investigated, and FoxNews.com regrets any distress the false tweets may have created.

30 June 2011

Thousands of Tumblr accounts compromised

Tumblr users have been targeted with an aggressive phishing campaign in the last week or so and are still being lured into entering their login credentials for access to adult content.

And it seems that the scheme is working very well - GFI researchers have accessed one of the dropzones for the stolen credentials and have discovered a massive amount of data.

What makes this phishing scheme stand out from others is the fact that the scammers are using the compromised Tumblr accounts to set up more and more phishing pages:


Various domains were also used to perpetuate the scam, including tumblriq(dot)com, tumblrlogin(dot)com and tumblrsecurity(dot)com, all registered in the last few weeks under bogus registrant details.

"The problem has become so pervasive that regular Tumblr users are setting up dedicated anti phishing sites to advise users of the problem," say the researchers.

Also, Tumblr has created an automated reply for people reporting the scheme, in which it advises affected users to reset the password for their account, to remove the fake login template by choosing a new theme and to "unfollow" all the blogs their account is following thanks to the scammers.

"What does somebody want with that many Tumblr logins?" ask the researchers. "We can only guess. The stolen accounts could be used as some form of advert affiliate money making scam, or maybe we could see lots of pages with survey popups pasted over them. There is the very real possibility that the Tumblr accounts are simply a way to test if those users are logging into other services with the same credentials - at that point, everything from email accounts to internet banking sites could be fair game."

29 June 2011

Attack of the computer mouse

This attack method is not new. It was tried and tested with flash drives. Finders keepers?

So the next time one finds a 'branded' computer accessory (e.g. a high-end Razer mouse or solid-state HDDs) lying around which seems too good to be true, it usually is.

========================================================

Security firm Netragard has described an attack during which a modified computer mouse was used to infiltrate a client's corporate network. For this attack, the security experts equipped the mouse with an additional micro-controller with USB support (Teensy Board) to simulate a keyboard, and added a USB flash drive to the setup.

When connected to the PC, the Teensy Board's Atmel controller sent keyboard inputs to the computer and ran software that was stored on the USB flash drive. This allowed Netragard to install the Meterpreter remote control software, which is part of the Metasploit framework. To bypass the target system's McAfee virus scanner, Netragard says it used a previously undisclosed exploit.

The crux of the attack was to find a suitable company employee who would, upon receiving the computer mouse, connect it to a company PC without becoming suspicious. The client who ordered the pen test had excluded social engineering attacks via telephone, social networks and email, but Netragard managed to obtain a list of the company's employees via the Jigsaw service. The security experts selected one of the employees and sent the mouse in its original packaging – camouflaged as a promotional gadget.

Attacks that use specially modified USB devices have been around for a while; USB flash drives that are "accidentally" left lying around are often used in security tests. A current study by the US Department of Homeland Security found that 60 per cent of users will naively connect a USB flash drive to their PC to see what is stored on it.

However, using a computer mouse for such an attack is a new idea. Corporate IT security staff may in future be faced with the problem of having to test peripheral devices before they can allow users to connect them to their PCs. Specially modified Android phones can also present themselves as keyboards, and take control, when they are connected to a PC.

26 June 2011

1st Annual DEFCON Kids Conference

Seems like USA is preparing to groom their next generation of hackers.
I wonder why we didn't have something similar in SG. :(

http://www.defconkids.org/

I hope it'll be interesting.

25 June 2011

Facebook scam baits users with LulzSec suspect photo

Attention to all Facebook users, here's another FB scam bait. Refrain from clicking on the fake links; they don't lead you anywhere.

As the hunt for individuals behind LulzSec is underway, and reports about these worldwide efforts spilled over into the mainstream news, cyber crooks have jumped on the opportunity to misuse the curiosity of the public and have set up a Facebook scam targeting them:


The scam was revealed by Sophos' Graham Cluley when he received a request from a British journalist to share the photo of the recently arrested Essex hacker that is thought to have links with the hacking group.

Cluley said to the journalist that he didn't have the photo in question, but the journalist insisted: "But you do have a photo of the hacker! I've seen it on Facebook! But we want an unblurred version!"

This statement led him to investigate the matter, and he unearthed the above pictured scheme. Sure enough, the link used in the story was one that pointed to Cluley's blog post, but the story didn't include a picture of the suspect.

Following the link to the page in question and to the tab labelled "The Picture", he found out that the scam required the victims to "like" and "share" the page before supposedly being redirected to the unblurred picture. Once they did it, they got redirected to a third-party webpage where they were urged to download a program that installs a series of toolbars on the victims' browser.

He doesn't mention whether the unblurred photo is shown in the end, but he managed to track it down to a Wired article from 2008.

24 June 2011

Chrome extension for identifying insecure code

In a bid to help developers keep their websites clear of security holes, Google has built - and offered for free - a (currently experimental) Chrome extension called DOM Snitch.

The extension intercepts potentially dangerous JavaScript calls. "Once a JavaScript call has been intercepted, DOM Snitch records the document URL and a complete stack trace that will help assess if the intercepted call can lead to cross-site scripting, mixed content, insecure modifications to the same-origin policy for DOM access, or other client-side issues," explains Radoslav Vasilev on Google's Online Security blog.

Sounds like a good tool for all developers, but especially for those who are still unsure of their JavaScript coding capabilities and wish to be sure they are writing secure code.

By using it, not only can developers monitor the DOM modifications as they happen inside the browser, but they can also export the captured modifications in order to show them to and consult with co-workers.

Scaling with Consistency: ISO 27001

Attended a talk today on "Scaling with Consistency: ISO 27001", jointly organised by IT Standards Committee (ITSC) and the Association of Information Security Professionals (AISP).


The guest speaker is Mr Goh Thiam Poh, Operations Director from Equinix Singapore. He shared with us the processes and lessons learnt while pursuing the ISO 27001 certification for Equinix Singapore, and how to manage Information Security consistency and yet be able to scale as the business grows.


Speaker Biography: As Operations Director for Equinix Singapore, Mr Goh Thiam Poh is responsible for the operations performance of the Singapore IBX centres.

Mr Goh has 15 years of management experience in the Telecommunications and Data Centre industry. Prior to joining Equinix, Mr Goh was Director, Hosting Infrastructure Engineering for Singapore Telecommunications Ltd where he led the implementation of the SingTel regional data centres in Singapore, Hong Kong, Taiwan, Japan, South Korea and Australia.

WordPress users endangered by Trojanized plugins

Three popular WordPress plugins have been Trojanized by unknown individuals and made available for download, warned WordPress yesterday.

"Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors," explained Matt Mullenweg. "We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory."

If you use the WordPress platform and have updated one of these plugins in the past two days, you are at risk. You have to upgrade them again - WordPress has pushed out their new, safe versions.

Also, if you have an account on WordPress.org, bbPress.org and/or BuddyPress.org, don't be surprised to find a password reset message the next time you log in to your account.

23 June 2011

Certification authority reports security breach

Following the RSA incident, another certification authority has fallen prey to attackers in need of certificates that would make phishing pages pass browser authentication.


The authority in question is StartSSL, operated by StartCom, and according to the short message posted on their site, the breach occurred on the 15th of June.

"Subscribers and holders of valid certificates are not affected in any form. Visitors to web sites and other parties relying on valid certificates are not affected," it says.

The authority immediately suspended the issuing of new certificates and had not resumed the service at the time of writing.

The Register reports that Eddy Nigg, StartCom's CTO and COO, has confirmed that the attackers were looking to issue certificates for a list of websites that's very similar to those targeted with the Comodo breach (Gmail, Google, Skype, Yahoo and others), but that they failed to do so.

Nigg also pointed out that the attackers did not manage to compromise the authority's private signing key, because it is stored on a computer that isn't connected to the Internet.

Dropbox security glitch allowed anyone to access user accounts

Web-based file hosting service Dropbox has confirmed that a bug introduced by a code push allowed anyone to access any user account by simply typing in a random password for a period of nearly four hours.


The bug was detected accidentally by an anonymous user who sent the following information to security researcher Christopher Soghoian:
Hi Chris,

If you're still involved in the Dropbox investigation, there was an interesting development this afternoon. I found I was able to log into my account using an incorrect password, and on further investigation I found I could log in and access files on any of the three accounts I tested (mine and two friends') using any password.

This is corroborated by the admittedly-thin dropbox tech support thread below.
After receiving permission from the sender, Soghoian published the whole email exchange on Pastebin on Sunday morning.

Once the problem was shared with the Dropbox technical support team, it was fixed in a matter of minutes, but that doesn't change the fact that it shouldn't have happened in the first place.

"A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions," Dropbox' Arash Ferdowsi wrote. "We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner."

A recent update says that they have emailed activity-related details to the owners of the accounts that logged on during the period in question, but there is no news on whether the bug was exploited by unauthorized third parties.
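Dropbox has not said what the code push actually broke, so the following is an added example of my own, not Dropbox's code and not a reconstruction of their bug. It shows the class of mistake that turns "any password" into a valid login (a refactor that still computes the comparison but never uses its result) next to a correct verifier, and the handful of regression checks a deploy gate should run against the login path so that a change like this never reaches production. The PBKDF2 parameters and test password are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the example


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Correct check: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def verify_password_broken(password: str, salt: bytes, digest: bytes) -> bool:
    """Hypothetical regression of the kind a refactor can introduce: the comparison
    is still computed (so a skim of the diff looks fine) but its result is dropped
    and every caller is let through."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    _matches = hmac.compare_digest(candidate, digest)  # result never used
    return True


def login_regression_suite(verify) -> list:
    """Run the checks a deploy gate should insist on; returns the names of failed ones."""
    salt, digest = hash_password("correct horse battery staple")
    checks = {
        "accepts the correct password": verify("correct horse battery staple", salt, digest) is True,
        "rejects a wrong password": verify("incorrect password", salt, digest) is False,
        "rejects an empty password": verify("", salt, digest) is False,
        "rejects the stored digest used as the password": verify(digest.hex(), salt, digest) is False,
    }
    return [name for name, passed in checks.items() if not passed]


if __name__ == "__main__":
    print("fixed  :", login_regression_suite(verify_password) or "all checks pass")
    print("broken :", login_regression_suite(verify_password_broken))
```

The negative checks are the ones that matter: a suite that only asserts "the right password works" would have passed on the broken verifier. Ending every session after the fix, as Dropbox did, is the right call too, since a session minted during the window is indistinguishable from a legitimate one afterwards.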

This is definitely not a good year for Dropbox. According to Wired, Soghoian has recently filed an FTC complaint against the company, claiming that the service misleads its users by saying that no one at the company had access to the encryption keys needed to open the encrypted files uploaded by the users, when in fact some employees do have access to them and can do it.

With this latest glitch, the company could find itself losing its most precious commodity: the trust of its users.

22 June 2011

Android URL Filtering SDK: Secure Web browsing and compliance

Commtouch announced GlobalView URL Filtering for Mobile, which enables real-time protection for mobile device users browsing the Web.


GlobalView URL Filtering is comprised of a Software Development Kit that connects to the cloud-based GlobalView Network. Access to the resources available in the cloud enables the solution to index the sites mobile users actually visit, including dynamic Web 2.0 sites and hundreds of millions of others.

Mobile users benefit from the protection offered by GlobalView URL Filtering without compromising their browsing experience. The Commtouch SDK requires minimal resources, and an adjustable local cache categorizes the vast majority of visited URLs on the device, preventing annoying browser lag.

GlobalView URL Filtering is currently available for operating systems and environments that run a Java Virtual Machine such as Android. Commtouch anticipates adding support for other mobile operating systems such as iOS, QNX and other BlackBerry operating systems, and Windows Phone 7.

Vendors and carriers can leverage GlobalView URL Filtering for Mobile to offer:

Secure web browsing: Mobile users can be protected from phishing sites or sites that download viruses and malicious content.

Regulatory compliance: Organizations can limit their liability, improve productivity and comply with required standards by enforcing Web access policies.

Parental control: Young surfers can be protected from inappropriate Web content such as pornography, gambling, violence and hate sites.

These solutions can be deployed by smartphone, tablet and eBook manufacturers, mobile service providers, as well as Internet security and mobile application developers.

Spam e-books plague Amazon's Kindle store

If you are a regular customer of Amazon's Kindle store, you could already be aware of the fact that spammers are using it to fleece customers out of their hard-earned cash by tricking them into buying bogus e-books.

The scam is made possible by the fact that anyone can publish an e-book on Amazon and offer it for sale. Unfortunately, there is no barrier to publishing as many e-books as one wants, and scammers have jumped at the opportunity.

The scammers can either use an already published e-book, change the title, author and cover and pass it off as a completely different book, or they can use a piece of software that packages public domain content, equips it with a cover and title and submits it for sale.

All in all, the process is very fast and allows scammers to churn out dozens or even more titles a day. Since Amazon doesn't charge for the publishing of e-books or making it available in the store, if the bogus titles are bought even a couple of times, the scammer has earned enough money to justify the time spent on it.

Amazon does try to weed out these books, but a 48-hour approval process obviously allows quite a few of them to slip through unnoticed, mixed with the legitimate titles.

According to Eric Mack, a longer checking process might help with weeding out the offending e-books. Another simple but likely effective solution would be to institute a charge for everyone who wants to publish an e-book on Amazon.

"Charging authors $50, $20 or even just $10 to publish to Amazon would drastically cut back potential profits for spammers, and any author that spent months or years crafting a quality work should have no problem shelling out a small amount to access a global market and ensure that there's fewer titles to weed through," he believes.

21 June 2011

iCloud search ends with fake AV

Following Steve Jobs' announcement of Apple's entry into the cloud business, the term "iCloud" has quickly become a trending topic. And cyber scammers - quick as always - have made it their business to poison Google search results tied to the keyword.

A number of these URLs that come up in search results have been found on MyMobi, a news site that covers news about new gadgets. These pages have been cleaned up in the meantime, but that's no guarantee that the criminals won't manage to compromise them again - or other sites for that matter.

Once users follow the offered link and land on the compromised page, they are immediately redirected to a malicious page where a script tries to download a file named SecurityScanner.exe onto their computers. If they run it, a fake AV by the name of XP Antispyware 2012 gets installed.


"The program contains a registration button. When users click this, the page redirects to a phishing site with a newly created domain that contains the “Choose Plan & Checkout” option to purchase XP Antispyware 2012," explains a Trend Micro researcher. "The FAKEAV malware also blocks Web browsers, Internet Explorer and Google Chrome from surfing the Internet unless users purchase the product."

18 June 2011

LulzSec leaked passwords come from Writerspace

Following LulzSec's sharing of a list of 62,000+ random login credentials, people who have been looking into it say that some of them are likely to come from an online writing community.


As expected, the passwords used most often include "123456", "123456789" and "password". But it is the fact that many users chose passwords tied to books ("bookworm", "reader", "reading", "booklover" and others) that has fueled that belief.

"It all points in a clear direction; and if you’re still doubtful, perhaps the smoking gun is the fact that 30 people have chosen 'writerspace' as their password," says Darien Graham-Smith.

And the theory was confirmed by Writerspace: "Today an anonymous group of hackers known as LulzSec posted a list of 62,000 e-mail addresses and passwords. That list included about 12,000 e-mail addresses and passwords from Writerspace members."

They are contacting the owners of the affected accounts and say that their techs are working to ensure that their server is as secure as possible. They have also offered some good advice on choosing strong passwords, but I'm not so sure they have been storing the users' passwords as they should have - i.e. encrypted. Well, either that, or their encryption method of choice was weak.

16 June 2011

Citigroup data theft the result of a common vulnerability

If the information the NYT has received about the Citigroup breach is correct, and the intrusion was made possible by the exploitation of a vulnerability so frequent and common that it made OWASP's top 10 web application risks list, one wonders how it is possible that the world's largest financial services company hasn't got security experts that would remedy it.

The flaw in question is called insecure direct object reference (IDOR), and it happens when an application exposes a reference to an internal object, such as an account number in a URL, and then serves that object without checking that the logged-in user is actually authorized to see it.

Essentially the process went like this: first, hackers logged into the accountholder website. From there, the attackers used some type of script that allowed them to automatically jump from account to account and harvest any identifiable information merely by changing a portion of the URL. It's not exactly known how the hackers knew to exploit this vulnerability.

A browser and the ability to change the URL string was all that was needed to open hundreds of thousands of accounts to attackers. Oh wonderful.

Once the attackers realized it - I'm guessing one of them probably had an account with Citigroup - it was only a matter of writing a script that would feed random numbers into the URL and every time it successfully accessed an account, the attackers harvested the information contained in it.

If that is true, there is another thing bugging me: why wasn't this "bombarding" of the site with request after request carrying bogus account numbers noticed by anyone? Why wasn't there a mechanism in place that would get triggered by this kind of activity?

But maybe, in this case, they couldn't spot it? Maybe the script was written in such a way that the requests were random and spread over a great period of time? One would presume that the attackers would try to get as much information as possible in a short time before the attack was detected, but you never know.
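To make the two points above concrete, here is an added example (my own illustration, not Citi's code, and no claim about how their site was built) of what the flaw looks like in a request handler and what the missing detection could have been. The first function trusts the account number from the URL, which is the IDOR; the second checks ownership on every lookup and answers "missing" and "not yours" identically, so guessed numbers give nothing away. The detector at the bottom runs over constructed access-log lines (format assumed) and flags a session that walks through more distinct account numbers than any real customer would, with the misses on guessed numbers as a second tell. The account data is constructed.

```python
import re
from collections import defaultdict

# Constructed account store (no real data); sequential numbers are exactly the
# property that makes URL guessing pay off.
ACCOUNTS = {
    10001: {"owner": "alice", "balance": 120.0, "card_last4": "1111"},
    10002: {"owner": "bob",   "balance": 80.0,  "card_last4": "2222"},
    10003: {"owner": "carol", "balance": 5.0,   "card_last4": "3333"},
}


class Forbidden(Exception):
    """Raised for both 'no such account' and 'not your account' so probing can't tell them apart."""


def get_account_vulnerable(session_user: str, account_id: int) -> dict:
    """IDOR: the number from the URL is trusted; any logged-in user reads any account."""
    return ACCOUNTS.get(account_id)


def get_account_fixed(session_user: str, account_id: int) -> dict:
    """Authorization check on every object reference, not just at login."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden()
    return acct


def can_read(session_user: str, account_id: int) -> bool:
    """Convenience wrapper over the fixed handler for tests and demos."""
    try:
        get_account_fixed(session_user, account_id)
        return True
    except Forbidden:
        return False


# Constructed access-log lines; assumed format: time sess=ID user=NAME GET /account/N status
SAMPLE_ACCESS_LOG = """\
2011-06-01T10:00:01 sess=A1 user=alice   GET /account/10001 200
2011-06-01T10:00:05 sess=A1 user=alice   GET /account/10001 200
2011-06-01T10:01:00 sess=X9 user=mallory GET /account/10001 200
2011-06-01T10:01:01 sess=X9 user=mallory GET /account/10002 200
2011-06-01T10:01:02 sess=X9 user=mallory GET /account/10003 200
2011-06-01T10:01:03 sess=X9 user=mallory GET /account/10004 404
2011-06-01T10:01:04 sess=X9 user=mallory GET /account/10005 404
"""
LOG_RE = re.compile(r"sess=(\S+)\s+user=(\S+)\s+GET /account/(\d+)\s+(\d{3})")


def enumeration_suspects(log: str, max_distinct: int = 2) -> dict:
    """Sessions touching more distinct account numbers than a real customer would."""
    seen = defaultdict(set)
    errors = defaultdict(int)
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        sess, _user, acct, status = m.groups()
        seen[sess].add(acct)
        if status != "200":
            errors[sess] += 1          # misses on guessed numbers are the second tell
    return {s: {"distinct_accounts": len(ids), "errors": errors[s]}
            for s, ids in seen.items() if len(ids) > max_distinct}


if __name__ == "__main__":
    print("vulnerable, mallory reads alice:", get_account_vulnerable("mallory", 10001))
    print("fixed, mallory reads alice:     ", can_read("mallory", 10001))
    print("suspects:", enumeration_suspects(SAMPLE_ACCESS_LOG))
```

Keying the detector on the session rather than the source IP matters, because an attacker who spreads requests over many addresses and a long time, as speculated above, still has to present a valid login for each request; a per-account-holder count of distinct account numbers accessed over the whole period is the number that an honest customer can never make large.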

The only thing going for those affected by the Citi hack may be the fact that the attackers do not have expiration dates or security numbers found on the back of the card. This may protect those attacked from serious identity theft, although a lot of other personal information has been disclosed.

All in all, can we now just stop calling it a "sophisticated attack"?

15 June 2011

Encrypted voice calling for Android

Cellcrypt launched Mobile for Android, a version of its encrypted voice calling application that runs on Android devices operating over Wi-Fi, GSM and CDMA wireless networks.


Cellcrypt Mobile provides encrypted voice calling for off-the-shelf cell phones using government-certified security in an easy-to-use downloadable application that makes highly secure calling as easy as making or placing a normal phone call.

It is a software-only solution that uses the IP data channel of cellular (2G, 3G, 4G), Wi-Fi and satellite networks and can be deployed to personnel anywhere in the world in as little as 10 minutes.

Cellcrypt Mobile for Android is available immediately on devices supporting Android 2.3 and is interoperable with Cellcrypt running on other devices such as Nokia and BlackBerry smartphones.

"Cellular voice interception is different from other types of data breach,” said Nigel Stanley, Practice Leader, Security at Bloor Research, “if you lose a laptop, USB stick or disk drive it can be fairly obvious that the data has gone missing. But with voice, a successful interception can leave no physical trace so there is little chance of realizing your data has actually been intercepted resulting in disastrous consequences. If you can compromise a cell phone then you are more or less assured that you can collect the most relevant, current and damaging data possible about a user, their business or their private life. By supporting Android devices, Cellcrypt is providing enhanced security for one of the world’s most popular mobile platforms.”

14 June 2011

Latest Android Malware Takes Flight With Angry Birds

Malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game.

Xuxian Jiang, an assistant professor in computer science at North Carolina State University, last week found 10 applications infected with malware in the Android Market. On June 5, he reported it to Google, which suspended the applications on the same day. Jiang also contacted mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, CA, SmrtGuard, Juniper, Kinetoo, Fortinet, and others.

What is this latest threat?

In a blog post published last week, Jiang explained that this new malware, which his team named "Plankton" (after the pesky Spongebob character?), doesn't attempt to root Android phones. Rather, it was designed to run secretly in the background.

This particular piece of malware was embedded in applications that promised to help users cheat their way through Rovio's popular Angry Birds game (Angry Birds itself was not infected).

What does it do? Once the malware is launched by the user, it loads a background service. That background service scours the device for user data, including the device ID code, and reports it back to a remote server. The server parses the data and then sends a link back to the malware, which downloads an executable and then runs nearly invisibly in the background.

The application then starts collecting more data, such as browser bookmarks, browser history, home page shortcuts, and runtime log information.

Full article here.

13 June 2011

Cyber Attack Compromises 18 Million WordPress Blogs

Bad news for just about every blogger out there. It seems WordPress, an extremely popular suite of tools for powering blogs, has been the victim of a cyber attack. Automattic, the company that owns WordPress, admitted to the attack this morning and noted that it may have left over 18 million blogs vulnerable.

WordPress founder Matt Mullenweg writes “Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.”

Mullenweg continues “We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

Analysts, including Alexia Tsotsis of TechCrunch, have suggested that Mullenweg is downplaying the issue. She indicates that everything from Facebook and Twitter passwords to API keys could have been leaked.

So what does this mean to you? Probably nothing. There is a lot of information out there and the chances of your passwords being nabbed are slim. Still, it is about time you get them changed right? You’ve been using the same two passwords since High School and if you haven’t formed that band by now you probably are never going to. Wait, maybe that’s just me.

12 June 2011

How We’re Getting Creamed

Attended a webcast last week put on by Ed Skoudis of InGuardians and Cisco titled "Thwarted the Targeted Network Attack".

The webcast is archived and I would recommend checking it out.

Ed titled his section Targeted Attacks: How We’re Getting Creamed.

10 June 2011

10 most common iPhone passcodes

The problem of poor passwords is not confined to computer use, a fact discovered by an app developer who added code to capture user passcodes to one of his applications.

"Because Big Brother’s [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes," says Daniel Amitay.

It turns out that of the 204,508 recorded passcodes, 15% were one of the most common ten:


Comparing it to the list of most common internet passwords, one can see the similarities. "Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition," he points out. "5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: 'iloveyou'."

Another pattern that pops out when looking at the list of top 100 most used passcodes is the conspicuous use of numbers that mimic particular decades in the last century - the 1990s and 1980s in particular. Amitay chalks that up to the assumption that most users are between the ages of 11 and 21, as it is very likely that the passcode represents the year of their birth or graduation.

Again, nothing new here - people often use their birth dates (or those of their near and dear) for PINs, passwords and codes, fearing that they would soon forget a random number and choosing one they never could forget.

The conclusion is, once again, that people are predictable and don't think much about security. But the fact that makes Amitay's finding so significant is that if someone steals or finds a lost iPhone, he has a 15% chance of unlocking the device and accessing the data on it before it gets wiped, just by trying the passcodes on the aforementioned top 10 list.
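As an added example (not Amitay's code), the checks below flag the passcode patterns the post names (repetition, lines up or down the keypad, birth or graduation years, words typed on the keys such as LOVE) and compute what fraction of devices a fixed number of guesses opens; the word list, year range and frequency table are constructed.

```python
"""Checks for the predictable 4-digit passcode patterns the post lists
(repetition, lines on the keypad, birth years, words spelled on the keys) plus
the guess-coverage figure behind the "15% with ten tries" claim. Added example,
not Amitay's code; the frequency table at the end is constructed."""
from collections import Counter

KEYPAD = ["123", "456", "789", " 0 "]            # phone keypad rows
KEY_LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
               "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
COMMON_WORDS = ("LOVE", "HATE", "GOLF")          # constructed; 5683 spells LOVE
YEARS = range(1900, 2012)                        # birth/graduation years as of 2011

def keypad_pos(digit):
    row = next(r for r, keys in enumerate(KEYPAD) if digit in keys)
    return row, KEYPAD[row].index(digit)

def is_keypad_line(code):
    """Every step between keys is the same non-zero move (2580, 0852)."""
    pos = [keypad_pos(d) for d in code]
    steps = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pos, pos[1:])}
    return len(steps) == 1 and steps != {(0, 0)}

def is_sequence(code):
    """Digits rise or fall by one each step (1234, 4321)."""
    diffs = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return diffs in ({1}, {-1})

def is_repetition(code):
    """Four identical digits or a repeated pair (1111, 1212)."""
    return len(set(code)) == 1 or code[:2] == code[2:]

def spelled_word(code):
    """A word from COMMON_WORDS that the code types on a phone keypad, or None."""
    for word in COMMON_WORDS:
        if all(ch in KEY_LETTERS.get(d, "") for d, ch in zip(code, word)):
            return word
    return None

def weak_reasons(code):
    """Every pattern from the post that the passcode matches; [] means none."""
    if len(code) != 4 or not code.isdigit():
        raise ValueError("expected a 4-digit passcode")
    checks = [(is_repetition, "repetition"), (is_sequence, "sequence"),
              (is_keypad_line, "keypad line"), (lambda c: int(c) in YEARS, "year")]
    reasons = [label for check, label in checks if check(code)]
    word = spelled_word(code)
    if word:
        reasons.append("spells " + word)
    return reasons

def guess_coverage(counts, guesses):
    """Fraction of devices opened by trying the `guesses` most common codes."""
    top = sum(n for _, n in counts.most_common(guesses))
    return top / sum(counts.values())

# Constructed table: 100 devices, 20 on four popular codes, 80 on distinct ones.
SAMPLE_COUNTS = Counter({"1234": 9, "0000": 6, "2580": 3, "1111": 2})
for i in range(80):
    SAMPLE_COUNTS[f"{7000 + i:04d}"] = 1
```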

01 June 2011

Apple includes malware removal in security update

Apple just released Security Update 2011-003 which can be downloaded and installed via Software Update preferences, or from Apple Downloads.

This is a small update weighing just 2.1 MB and requires Mac OS X 10.6.7 to install.


The OSX.MacDefender.A definition has been added to the malware check within File Quarantine.

The system will check daily for updates to the File Quarantine malware definition list. An opt-out capability is provided via the "Automatically update safe downloads list" checkbox in Security Preferences.

The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed.

It took a while for Apple to react properly to the onslaught of Mac Defender and similar fake AV aimed at Mac users, but they finally did it.

If you'd like more information on how to remove Mac Defender, go here.

Phishing forms on Google Docs

Google Docs is a handy online service for creating various types of documents that are hosted by the company in their cloud and can be made accessible to the greater public.

But, as it turns out, the service is not only handy for regular users, but for phishers as well.

F-Secure has unearthed a number of spreadsheets with form functionality that are apparently designed to act as phishing forms for webmail account upgrades, bug reporting, entering of student data and more.


What makes these spreadsheets particularly dangerous is the fact that they are hosted on spreadsheets.google.com, and that domain has a valid SSL certificate and a prominent padlock icon before the address in the URL bar.

This detail could easily fool inexperienced users into thinking they are safe in sharing their personal and financial information.

While digging around, the researchers have also stumbled upon a Google spreadsheet form that is the request form for a Google Voice account transfer, and they couldn't figure out if it was a phishing form or the real deal.

In the end, Google confirmed the validity of the form, but the researchers can be forgiven for thinking otherwise, since it requested the users' Google Voice number, e-mail address and secret PIN code.

28 May 2011

Apps with dangerous permissions pulled from Chrome Web Store

Do you trust Google to review and ban potentially malicious applications from its online stores?

The Android Market has already been found offering "trojanized" apps, and now the Chrome Web Store has been spotted offering two popular game extensions that request potentially dangerous permissions of users that want to install them.


The apps in question are named Super Mario World and Super Mario 2 and are not made by Nintendo. The fact that they ask questionable permissions of the users was discovered by David Rogers, the blogger behind blog.mobilephonesecurity.org, while he was installing one of them.

"Installation is pretty instantaneous," says Rogers. "As I looked at the screen, I saw the box to the bottom right. 'This extension can access: Your data on all websites, Your bookmarks, Your browsing history'".

He proceeded to uninstall the extension immediately, and searched for an explanation for the unduly broad permissions. The permission to access the user's bookmarks includes the permission to read, change, add to and organize his bookmarks, and the one for accessing the user's browser history is supposedly necessary for the app to be able to open new tabs or windows.

But the worst one is the one that gives access to the user's data on all websites. Not only can the app read every page the user visits (think e-mail, Facebook, online banking), but can also use cookies to request the user's data from various websites - in short, the app can impersonate the user to the website.

Apart from being disappointed that Google has failed to spot the problematic permissions and ban the apps, Rogers really takes issue with the "permissions by default" installation.

"You click one button and it’s there, almost immediately with no prompt. Now, I’m not the greatest fan of prompts, but there are times when prompts are appropriate and install time is actually one of them," he explains. "It gives me the chance to review what I’ve selected and make a decision, especially if I hadn't spotted that information on a busy and cluttered webpage."

While I don't think that Google has made a grave mistake here - it did, after all, show the permissions needed - the problem is that for this system to work as it should, you need careful and judicious users. And let's face it, they don't constitute a majority on the Internet.

Rogers also points out that to the average user, the fact that the Chrome Web Store is operated by Google makes him implicitly trust the downloads from it. In his opinion, this should make Google extremely careful when it comes to evaluating and vetting possibly dangerous apps.

In the end, Google has quietly removed the two apps from the store, but has not commented officially on the action. Let's just hope that they will take Rogers' objections into consideration.
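To make the permission warnings concrete, here is an added example (not Google's or the extensions' code) that parses a Chrome extension manifest, reproduces the install-time warnings Rogers saw, and lists which visited pages the extension's host permissions let it read; the match-pattern handling follows Chrome's scheme://host/path grammar (path only, query ignored), and the two manifests and the visited URLs are constructed stand-ins.

```python
"""Audit of Chrome extension host permissions. Added example, not Google's or
the extensions' code; manifests and URLs below are constructed."""
import json
import re
from urllib.parse import urlsplit

ALL_URLS = "<all_urls>"
PATTERN_RE = re.compile(r"(\*|https?|ftp)://([^/]*)(/.*)")
API_WARNINGS = {"bookmarks": "Your bookmarks",      # install-time warning text
                "tabs": "Your browsing history", "history": "Your browsing history"}

def pattern_matches(pattern, url):
    """Does a host permission / content-script match pattern cover this URL?"""
    if pattern == ALL_URLS:
        return True
    m = PATTERN_RE.fullmatch(pattern)
    if not m:
        raise ValueError("invalid match pattern: " + pattern)
    scheme, host, path = m.groups()
    u = urlsplit(url)
    if u.scheme != scheme and not (scheme == "*" and u.scheme in ("http", "https")):
        return False
    if host.startswith("*."):           # *.example.com also covers example.com
        ok = u.hostname == host[2:] or u.hostname.endswith("." + host[2:])
    else:
        ok = host == "*" or u.hostname == host
    if not ok:
        return False
    path_re = ".*".join(re.escape(part) for part in path.split("*"))
    return re.fullmatch(path_re, u.path or "/") is not None

def reachable_urls(manifest_text, urls):
    """Pages whose content (and session cookies) the extension can touch."""
    m = json.loads(manifest_text)
    pats = [p for p in m.get("permissions", []) if p == ALL_URLS or "://" in p]
    for script in m.get("content_scripts", []):
        pats.extend(script.get("matches", []))
    return [u for u in urls if any(pattern_matches(p, u) for p in pats)]

def install_warnings(manifest_text):
    """Warnings the Web Store shows at install time for this manifest."""
    warnings = set()
    for perm in json.loads(manifest_text).get("permissions", []):
        m = PATTERN_RE.fullmatch(perm)
        if perm == ALL_URLS or (m and m.group(2) == "*"):
            warnings.add("Your data on all websites")
        elif m:
            warnings.add("Your data on " + m.group(2))
        elif perm in API_WARNINGS:
            warnings.add(API_WARNINGS[perm])
    return sorted(warnings)

# Constructed: the permissions Rogers saw, and the least the game would need.
BROAD_MANIFEST = json.dumps({"name": "Super Mario (stand-in)", "version": "1.0",
    "permissions": ["tabs", "bookmarks", "http://*/*", "https://*/*"]})
NARROW_MANIFEST = json.dumps({"name": "Super Mario (stand-in)", "version": "1.1",
    "permissions": ["https://game.example/*"]})   # only the host serving levels
VISITED = ["https://mail.example/inbox", "https://bank.example/accounts",
           "https://game.example/levels/1", "ftp://files.example/pub"]
```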

27 May 2011

Patch for Android authentication flaw only fixes part of the problem

Very recently, researchers uncovered a rather serious security flaw affecting around 99 percent of all Android devices. Issues with the way authentication tokens are stored and transmitted on Android versions older than 2.3.4 (which is the overwhelming majority of users at the moment) made it possible for cybercriminals to intercept those tokens on unsecured wireless connections. By impersonating a familiar hotspot, an attacker merely needs to sit back and wait for unsuspecting Android users to connect and log in to affected services.

Today, however, it was announced that Google was moving quickly to address the flaw, and, since the company is implementing a server-side fix, no action by end users is required. It’s believed that tokens served after the change will be encrypted before being sent to and stored on an Android device. The patch will begin rolling out today and should shore things up with Google Docs and Google Calendar, but it’s not totally eradicating the problem as reported by some outlets.

The Picasa vulnerability is still present in Android 2.3.4 and it remains unpatched for the time being. Google has told ComputerWorld’s JR Raphael that engineers are still investigating that particular issue, but no timetable was given for a possible fix.

12 May 2011

Google Chrome sandbox apparently cracked

French security firm VUPEN has announced that its researchers have managed to manufacture an exploit able to bypass Google Chrome's sandbox, ASLR and DEP.

It is precisely the sandbox feature that made hackers eschew or fail in their attacks directed at Chrome at Pwn2Own time and time again - since, as researcher Charlie Miller pointed out, it has a "sandbox model that's hard to get out of". The feature is also what secured its reputation as the most secure browser around.

VUPEN researchers have also presented a video that shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64), though no details about it can be actually gleaned from it. According to VUPEN, the user only needs to visit a specially crafted web page with the exploit and a number of payloads are automatically executed, which ultimately allows an attacker to execute arbitrary code outside the sandbox at Medium integrity level.

"The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox, it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64)," they simply say, and add that the code and the technical details of the underlying vulnerabilities will not be publicly disclosed, but shared only with their Government customers.

While I understand that various governments will likely pay far more for the details of the vulnerabilities than Google would through its bounty program, the creation of this exploit, the discovery of this 0day vulnerability, and VUPEN's refusal to share it with the public or Google is extremely bad news for Chrome users.

In the end, we can't know which governments have shelled out for the exploit and how they will use it. If VUPEN doesn't change its mind, I'm afraid the only thing left for Google to do is to try to find the hole for themselves and patch it, or hope that a researcher more inclined to share the details with them finds it and notifies them.

Poisoned Google image searches becoming a problem

If you are a regular user of Google's search engine you might have noticed that poisoned search results have practically become a common occurrence.

Google has, of course, noticed this and does its best to mark the offending links as such, but it still has trouble when it comes to cleaning up its image search results.

ISC's Bojan Zdrnja took it upon himself to explain how the attackers actually do it, and shows that it is actually rather simple.

For one, they attack and compromise a great variety of legitimate websites - usually those which use Wordpress, since it often has vulnerabilities that can be easily exploited and the legitimate users are often lax when it comes to updating it.

Then, they introduce PHP scripts in the sites' source code. "These scripts vary from simple to very advanced scripts that can automatically monitor Google trend queries and create artificial web pages containing information that is currently interested. That is actually how they generate new content – if you ever wondered how they had those web sites about Bin Laden up quickly it is because they automatically monitor the latest query trends and generate web pages with artificial content," he explains.

They also harvest other sites for images, and embed them into the site. When the scripts detect Google's crawlers, they deliver to them pages containing the automatically generated content, and the pictures end up in the image search database.

"The exploit happens when a user clicks on the thumbnail," says Zdrnja. "Google now shows a special page that shows the thumbnail in the center of the page, links to the original image (no matter where it is located) on the right and the original web site (the one that contained the image) in the background."

Google displays all of this in an iframe, and the browser automatically sends the request to the compromised page. The PHP script inserted in it checks if the user has come from a Google results page, and if he did, it displays another script - this time it's a JavaScript one - that redirects the browser to another compromised site that serves malware.

Users should be careful about what they click, but sometimes it is hard to detect malicious links. Zdrnja advises the use of browser add-ons such as NoScript for the Firefox browser, but believes that Google could help by not using an iframe to display the results.
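A site owner can test for the cloaking described above by fetching the same page as a crawler, as a visitor arriving from Google, and directly, and comparing where each response actually sends the visitor. The following is an added example (not ISC's code); the three responses it checks are constructed to mirror the behaviour Zdrnja describes, with a `.invalid` placeholder for the redirect host.

```python
"""Differential check for the cloaking Zdrnja describes: the same page is
fetched as a crawler, as a visitor arriving from Google, and directly, and the
three responses are compared. Added example, not ISC's code; responses below
are constructed."""
import re
from urllib.parse import urlsplit

PROFILES = {   # headers a site owner would send for each probe (constructed)
    "crawler": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "from_google": {"User-Agent": "Mozilla/5.0",
                    "Referer": "https://www.google.com/search?q=x"},
    "direct": {"User-Agent": "Mozilla/5.0"},
}
JS_REDIRECT = re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")
META_REFRESH = re.compile(r"""http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I)
IFRAME_SRC = re.compile(r"""<iframe[^>]+src=["']([^"']+)""", re.I)
TITLE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

def destination(status, headers, body):
    """Where the browser ends up: Location header, meta refresh or JS redirect."""
    if 300 <= status < 400 and "Location" in headers:
        return headers["Location"]
    for rx in (META_REFRESH, JS_REDIRECT):
        m = rx.search(body)
        if m:
            return m.group(1)
    return None

def foreign_hosts(page_url, body, dest):
    """Hosts other than the page's own that the response pulls the visitor to."""
    own = urlsplit(page_url).hostname
    targets = IFRAME_SRC.findall(body) + ([dest] if dest else [])
    hosts = {urlsplit(t).hostname for t in targets}
    return sorted(h for h in hosts if h and h != own)

def detect_cloaking(page_url, responses):
    """responses: profile -> (status, headers, body). Returns a list of findings."""
    findings, dests, titles = [], {}, {}
    for profile, (status, headers, body) in responses.items():
        dests[profile] = destination(status, headers, body)
        m = TITLE.search(body)
        titles[profile] = m.group(1).strip() if m else None
        for host in foreign_hosts(page_url, body, dests[profile]):
            findings.append(f"{profile}: visitor is sent to {host}")
    if titles["crawler"] != titles["direct"]:
        findings.append("crawler is served a different page than a direct visitor")
    if dests["from_google"] != dests["direct"]:
        findings.append("redirect depends on a Google referer: "
                        f"{dests['from_google']!r} vs {dests['direct']!r}")
    return findings

PAGE = "http://blog.example/2011/05/post.php"
NORMAL = "<html><title>My holiday photos</title><body>Welcome back</body></html>"
COMPROMISED = {   # constructed responses matching the behaviour in the post
    "crawler": (200, {}, "<html><title>Bin Laden latest</title><body>generated</body></html>"),
    "from_google": (200, {}, "<script>window.location='http://malware-host.invalid/go.php';</script>"),
    "direct": (200, {}, NORMAL),
}
CLEAN = {profile: (200, {}, NORMAL) for profile in PROFILES}
```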