::Trend Micro Threat Resource Center::

22 March 2011

Google blames China for Gmail service disruptions

It seems that the active exploitation of the MHTML vulnerability that Google's Security Team reported on earlier this month is connected to recent attempts by the Chinese government to suppress a budding online protest movement without appearing to do so.


At the time, Google didn't point the finger at the Chinese government, saying only that the attacks against its users appeared to be politically motivated. But Google has now decided to speak up and clear the air regarding the difficulties that Chinese users and advertisers have recently been having with the Gmail service.

"Relating to Google there is no issue on our side. We have checked extensively. This is a government blockage carefully designed to look like the problem is with Gmail," stated Google. China, as usual, did not comment on the accusations.

Security experts seem to agree that the interference is sophisticated, but that it falls short of convincingly passing as a fault in Google's own systems.

Google has not offered many details so far, beyond stating that the problem does not lie on its side. Obviously, the company isn't happy about it, especially since its presence in China has been dogged by a slew of problems, the worst of which were the censoring of its search results and the Aurora attacks.

20 March 2011

RSA hacked, SecurID users possibly affected

In an open letter, Art Coviello, the executive chairman of RSA (the security division of EMC), made public the fact that the company has suffered a breach and data loss following an "extremely sophisticated cyber attack."


Categorizing the attack as an Advanced Persistent Threat (APT) - a term often associated with corporate espionage and state-sponsored attacks - he said that the investigation revealed that the information extracted from the company's systems relates to its SecurID two-factor authentication products, which government agencies, private companies and other large organizations widely use to add an additional layer of security when employees log into corporate networks.

"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," said Coviello. "We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack."

He made sure to point out that customer or employee personally identifiable information has not been compromised, and that they are working with their customers to strengthen the security of their IT systems.

No further details about the incident have been revealed at this time, since the authorities - very likely government security agencies - are also involved in the investigation. The lack of definite information has led to widespread speculation on the Internet.

According to ZDNet, security expert Dan Kaminsky says that it is not impossible that the database linking SecurID serial numbers to seeds (the factory-encoded random key inside each token) has been compromised, which would mean that the attackers would be able to know the code generated by any token at any given time, and even know which organizations are using them.

Until more details are known, he advises administrators to be on the lookout for unusual use of SecurID on external-facing interfaces.

RSA also issued a set of rather broad recommendations for its customers, but offered no specific details about the compromise.

EMC says it doesn't expect to suffer any financial repercussions from the breach, but that seems a little too optimistic, since SecurID currently commands around 70% of the two-factor authentication market and is a major source of revenue for RSA.
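The following is an added example, not RSA's code and not taken from the reporting above. It illustrates two points from this item: Kaminsky's warning that a leaked serial-to-seed database lets an attacker compute any token's current code, and his advice to watch for unusual SecurID use on external-facing interfaces. The SecurID tokencode algorithm is proprietary and not described here, so HMAC-based TOTP (RFC 6238) stands in for it; it shares the property that matters, namely that the code is a pure function of the secret seed and the clock. The serial numbers, seeds, user records, PIN, 60-second step, log format and five-failures-in-ten-minutes threshold are all assumptions constructed for the example.

```python
"""Why a leaked serial->seed database is serious, and what the follow-on
abuse looks like in authentication logs.

Added example, not RSA's code. The SecurID tokencode algorithm is proprietary
and not described on this page; HMAC-based TOTP (RFC 6238) stands in for it
here because it shares the property that matters: the current code is a pure
function of the secret seed and the clock, so whoever holds the seed can
compute it without ever touching the victim's fob."""

import hashlib
import hmac
import re
import struct
from collections import defaultdict
from datetime import datetime, timedelta

STEP_SECONDS = 60  # assumption: one-minute codes, as on a SecurID fob


def tokencode(seed, unix_time, digits=6):
    """RFC 6238 TOTP with RFC 4226 dynamic truncation, 60-second step."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed stand-in for the vendor's serial->seed records (hypothetical
# serial numbers and seeds, not real SecurID data).
SEED_DB = {
    "000123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "000987654321": bytes.fromhex("00112233445566778899aabbccddeeff"),
}
# Constructed stand-in for the customer's user -> (serial, PIN) records.
USERS = {"jdoe": ("000123456789", "1592")}


def attacker_predicts_code(serial, unix_time):
    """With the leaked mapping, the attacker computes the victim's code."""
    return tokencode(SEED_DB[serial], unix_time)


def server_accepts(user, passcode, unix_time):
    """Passcode = PIN followed by tokencode. Once the tokencode half is
    predictable, the PIN is the only secret left, and it is short."""
    serial, pin = USERS[user]
    return passcode == pin + tokencode(SEED_DB[serial], unix_time)


# Constructed gateway log format (not any vendor's real syntax).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\w+)(?: reason=(?P<reason>\S+))?$")


def pin_guessing_suspects(lines, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold failed passcodes inside any `window`: a
    seed-holding attacker still has to guess the PIN online, and that
    shows up as a burst of failures at the external-facing gateway."""
    fails = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and m["result"] == "FAIL":
            fails[m["user"]].append(
                datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    suspects = []
    for user, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            suspects.append(user)
    return sorted(suspects)


# Constructed gateway log lines, not from any real deployment.
SAMPLE_LOG = [
    "2011-03-20T08:00:05Z vpn-gw1 user=jdoe src=198.51.100.23 result=FAIL reason=BAD_PASSCODE",
    "2011-03-20T08:01:10Z vpn-gw1 user=jdoe src=198.51.100.23 result=FAIL reason=BAD_PASSCODE",
    "2011-03-20T08:02:14Z vpn-gw1 user=jdoe src=198.51.100.23 result=FAIL reason=BAD_PASSCODE",
    "2011-03-20T08:03:20Z vpn-gw1 user=jdoe src=198.51.100.23 result=FAIL reason=BAD_PASSCODE",
    "2011-03-20T08:04:31Z vpn-gw1 user=jdoe src=198.51.100.23 result=FAIL reason=BAD_PASSCODE",
    "2011-03-20T08:05:02Z vpn-gw1 user=asmith src=203.0.113.8 result=FAIL reason=BAD_PASSCODE",
    "2011-03-20T08:05:40Z vpn-gw1 user=asmith src=203.0.113.8 result=OK",
]

if __name__ == "__main__":
    now = 1300608000  # 2011-03-20T08:00:00Z, fixed for reproducibility
    serial, pin = USERS["jdoe"]
    code = attacker_predicts_code(serial, now)
    print("attacker-computed tokencode:", code)
    print("accepted with right PIN:", server_accepts("jdoe", pin + code, now))
    print("accepted with wrong PIN:", server_accepts("jdoe", "0000" + code, now))
    print("PIN-guessing suspects:", pin_guessing_suspects(SAMPLE_LOG))
```

The point of the first half is that `attacker_predicts_code` never consults the fob: with the seed database the second factor collapses to the PIN, which is why RSA speaks of reduced effectiveness "as part of a broader attack". The detector in the second half is deliberately crude; in a real deployment you would key it on the gateway's own failure reason codes and tune the threshold to your user population.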

19 March 2011

Japanese tsunami videos lead to malware

A new malware campaign themed on the Japanese disaster is doing the rounds of inboxes.

The e-mails supposedly offer links to videos about "The village that escaped the tsunami", "Struggle for normal life in Japan", "Woman talks about tsunami escape", and "Japan tsunami touches New Zealand".

Also, the e-mails come in different forms - some very amateurish and obviously fake, others disguised as a notification e-mail from Twitter:


"The webpages linked to from the emails contain malicious Javascript and a Java Applet which attempt to exploit the CVE-2010-0840 vulnerability in the Java Runtime Environment," says Graham Cluley, who advises users to get their daily fix of news from Japan from a legitimate news site.

17 March 2011

Twitter gives user always-on HTTPS option

Little by little, Twitter is heading towards a full HTTPS experience for its users by adding a user setting that, when selected, makes all the activities on your Twitter account encrypted by default.

"For some time, users have been able to use Twitter via HTTPS by going to https://twitter.com. We’ve made it simpler for users to do this by adding the option to always use HTTPS," says Twitter's Carolyn Penner.


The box that needs to be checked to make this happen is located in your account's settings.

However, Penner points out that there are still a few instances where this setting will not force HTTPS. "For example, when accessing Twitter from your mobile browser, you need to go to https://mobile.twitter.com to use HTTPS for now," she advises.

"We are working on a solution that will share the 'Always use HTTPS' setting across twitter.com and mobile.twitter.com, so you don’t have to think about which device you’re using when you want to check Twitter. If you use a third-party application, you should check to see if that app offers HTTPS."

13 March 2011

Google Android security tool found repackaged with malware

In what should not be a wholly unexpected turn of events, the Android Market security update - pushed to Android users whose devices were affected by one or more "trojanized" applications found on the official Android Market - has itself been repackaged with a Trojan and is being offered on some third-party Chinese marketplaces.

The application, called "Android Market Security Tool", has been repackaged with suspicious code. According to the analysis by Trend Micro's researchers, this malicious version opens a backdoor through which device information such as the IMEI, the phone number and routine logs is uploaded to a remote URL.

But it doesn't stop there. It can also modify call logs, intercept or monitor messages, download videos, and more, which could also lead to a very high phone bill for the user. One need only look at the permissions the application asks for to see that they can be misused in a myriad of ways:

The permissions requested by the legitimate application do not include receiving and sending text messages, pinpointing the location of the device, or preventing the phone from sleeping.

Also, the legitimate Android Market Security Tool shows its version to be 2.5, while the malicious application says its version is 1.5. So far, this trojanized tool seems to be aimed exclusively at Chinese Android users.

It bears repeating that checking an application's permissions before installing it is a good idea, and if you spot something that strikes you as odd or has great potential for misuse, consider not installing it.

I would say that sticking to the official Android Market is also a smart move - despite what happened last week. The odds of avoiding malicious applications are better, at least.
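As an added example of the permission check recommended above (not Trend Micro's or Google's code), the script below diffs the `<uses-permission>` entries of two AndroidManifest.xml files and flags extras that a security tool has no business requesting. The three differences named in the report map to the real Android permissions SEND_SMS/RECEIVE_SMS, ACCESS_FINE_LOCATION and WAKE_LOCK; the two manifests, the package name and the exact permission lists are constructed stand-ins, and in practice you would extract the manifests from the APKs (for instance with `aapt dump`) rather than embedding them.

```python
"""Diff the permissions requested by two builds of the same app, as in the
case above, where the repackaged "Android Market Security Tool" (reporting
version 1.5) asks for SMS, location and wake-lock permissions that the
legitimate 2.5 build does not.

Added example, not Trend Micro's or Google's code. The two manifests are
constructed stand-ins for illustration; in practice you would extract them
from the APKs (e.g. with aapt) instead of embedding them."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a "security tool" has no business asking for; the three the
# report names map to SEND_SMS/RECEIVE_SMS, ACCESS_FINE_LOCATION and WAKE_LOCK.
HIGH_RISK = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.WAKE_LOCK",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_CONTACTS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def parse_manifest(xml_text):
    """Return (package, versionName, set of requested permission names)."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    return root.get("package"), _attr(root, "versionName"), perms


def compare_manifests(legit_xml, suspect_xml):
    """Report what the suspect build asks for beyond the known-good one."""
    lpkg, lver, lperms = parse_manifest(legit_xml)
    spkg, sver, sperms = parse_manifest(suspect_xml)
    extra = sperms - lperms
    return {
        "same_package": lpkg == spkg,
        "version_mismatch": lver != sver,
        "extra_permissions": sorted(extra),
        "high_risk_extras": sorted(extra & HIGH_RISK),
        "suspicious": bool(extra & HIGH_RISK) or lver != sver,
    }


# Constructed manifests (hypothetical package name and permission lists).
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitytool" android:versionName="2.5">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.securitytool" android:versionName="1.5">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in compare_manifests(LEGIT_MANIFEST, REPACKAGED_MANIFEST).items():
        print("%s: %s" % (key, value))
```

The version check is included because, as noted above, the trojanized build reports 1.5 against the legitimate 2.5; a lower version number on a package claiming to be the same tool is a cheap second signal alongside the permission diff.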

12 March 2011

Japan earthquake search results already poisoned

It didn't take long for malware pushers to take advantage of Internet users' hunger for news and videos from Japan after it was hit by the most powerful earthquake in its recorded history.

According to Trend Micro, a search for the "most recent earthquake in Japan" yields many results that take users to pages pushing fake AV solutions.

As always, users are advised to turn to reputable news sites for up-to-date news. If you feel you must use Google, at least search from http://news.google.com/, since those results are drawn from legitimate news sources.

As a side note, Google has used its search engine's popularity to post a Tsunami Alert on the engine's home page for a number of countries expected to be hit by waves caused by the earthquake.

The company has also launched a version of its Person Finder service for people searching for loved ones and friends in the wake of the earthquake.

11 March 2011

Japan Tsunami Twitter retweet hoax

Hours after the Japan tsunami made international headlines, it seems that retweets of the news got a twist of their own.

The original tweets from @bbcbreaking look like this:

The lesson: verify the authenticity of the information before you retweet it.

10 March 2011

Safari And Internet Explorer, First To Fall In Pwn2Own

The Pwn2Own contest, reported on earlier by SecurityProNews, took place this week, and two web browsers have already fallen.

According to a ComputerWorld report, Apple's Safari fell to a French security company; the hack took only five seconds to carry out.

The team that hacked Safari walked away with a $15,000 cash prize and the MacBook Air on which they performed the hack. What makes the hack impressive is that Apple had just released a security update for the browser that fixed 64 security flaws.

While the Safari hack was done quickly, many have been more impressed by the Internet Explorer exploit. Instead of a company, the IE8 hack was developed by a single person, Stephen Fewer, an independent researcher who caught the eye of Aaron Portnoy of TippingPoint, the group that organizes the Pwn2Own contest.

Fewer had to chain several vulnerabilities to successfully hack IE8 on Windows 7. Here's what Portnoy said of the hack: "The most impressive so far. He used three vulnerabilities to [not only] bypass ASLR and DEP, but also escape Protected Mode. That's something we've not seen at Pwn2Own before."

While Safari and IE8 have been hacked, Chrome remains unscathed. No one has attempted to hack the browser, so its $20,000 prize is safe. That purse was only available to those who hacked the browser on the first day of the contest. If anyone successfully hacks the browser now or later on, they will receive $10,000 from Google and $10,000 more from TippingPoint.

Pwn2Own has two more days to run, which will see hackers make their attempts at Mozilla Firefox and four smartphone operating systems: Apple iOS, Google Android, Microsoft Windows Phone 7, and RIM's BlackBerry.

05 March 2011

iTunes 10.2 fixes multiple security vulnerabilities

iTunes 10.2 comes with several new features, improvements and security fixes.

ImageIO
libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. For Mac OS X v10.5 systems, this is addressed in Security Update 2010-007.

A heap buffer overflow issue existed in ImageIO's handling of JPEG images. Viewing a maliciously crafted JPEG image may lead to an unexpected application termination or arbitrary code execution.

A buffer overflow existed in libTIFF's handling of JPEG encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.

A buffer overflow existed in libTIFF's handling of CCITT Group 4 encoded TIFF images. Viewing a maliciously crafted TIFF image may result in an unexpected application termination or arbitrary code execution.

libxml
A double free issue existed in libxml's handling of XPath expressions. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution.

A memory corruption issue existed in libxml's XPath handling. Processing a maliciously crafted XML file may lead to an unexpected application termination or arbitrary code execution.

WebKit
Multiple memory corruption issues exist in WebKit. A man-in-the-middle attack while browsing the iTunes Store via iTunes may lead to an unexpected application termination or arbitrary code execution.

PDF-Pro multiple vulnerabilities

Several vulnerabilities in PDF-Pro can be exploited by malicious people to compromise a user's system, according to Secunia.


1. The application loads libraries (e.g. dwmapi.dll) in an insecure manner, which can be exploited to load arbitrary libraries by tricking a user into e.g. opening a PDF file located on a remote WebDAV or SMB share.

2. A boundary error in the bundled PDF Reader ActiveX control (ePapyrusReader.ocx) when handling arguments passed to the "open()" method can be exploited to cause a stack-based buffer overflow.

3. Two boundary errors in ePapyrusReader.ocx when handling arguments passed to the "open_stream()" method can be exploited to cause heap-based buffer overflows.

4. A use-after-free error in ePapyrusReader.ocx when handling arguments passed to the "open_stream()" method can be exploited to dereference already freed memory.

5. A use-after-free error in ePapyrusReader.ocx when encountering corrupted arrays in a dictionary can be exploited to dereference already freed memory via a specially crafted PDF file.

6. The unsafe "RemoveFile()" method provided by ePapyrusReader.ocx allows deleting arbitrary files on a user's system.

7. The unsafe "DownloadFTP()" method in combination with the "SetFTPInfo()" method provided by ePapyrusReader.ocx allows downloading arbitrary files to a user's system.

8. The unsafe "UploadFTP" method in combination with the "SetFTPInfo()" method provided by ePapyrusReader.ocx allows retrieving arbitrary files from a user's system.

The vulnerabilities are confirmed in version 4.0.1.758 bundling ePapyrusReader.ocx version 1.6.2.1874. Other versions may also be affected.

Solution: Set the kill-bit for the affected ActiveX control and do not open untrusted PDF files.
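The kill-bit recommended above is a registry setting: a DWORD named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, which stops Internet Explorer from instantiating the control regardless of what the page asks for. The script below is an added example (not Secunia's or the vendor's code) that generates that setting as a .reg file and reads it back to confirm the bit is present. The advisory as quoted does not give the CLSID of ePapyrusReader.ocx, so EXAMPLE_CLSID is a placeholder and must be replaced with the value from the control's registration under HKCR\CLSID; applying the file with `reg import` or Group Policy is left to the administrator, so the example itself runs on any platform.

```python
"""Build and verify an Internet Explorer kill-bit for an ActiveX control,
the mitigation Secunia recommends above.

Added example, not Secunia's or the vendor's code. The advisory as quoted
does not give the CLSID of ePapyrusReader.ocx, so EXAMPLE_CLSID is a
placeholder; read the real one from the control's registration under
HKCR\\CLSID before deploying. Applying the .reg file (reg import / GPO) is
left to the administrator, so this runs anywhere."""

import re

KILLBIT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
               r"\ActiveX Compatibility")
KILL_BIT = 0x00000400  # bit in "Compatibility Flags" that blocks instantiation

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
EXAMPLE_CLSID = "{00000000-0000-0000-0000-000000000000}"  # placeholder only


def is_clsid(value):
    return bool(CLSID_RE.match(value))


def killbit_reg(clsid, existing_flags=0):
    """Return .reg text that sets the kill-bit while keeping any other
    compatibility flags already present on the control."""
    if not is_clsid(clsid):
        raise ValueError("not a CLSID: %r" % (clsid,))
    flags = existing_flags | KILL_BIT
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[%s\\%s]\r\n" % (KILLBIT_KEY, clsid.upper()) +
            '"Compatibility Flags"=dword:%08x\r\n' % flags)


def compatibility_flags(reg_text, clsid):
    """Read 'Compatibility Flags' for `clsid` back out of .reg text, such as
    the output of `reg export`; None if the control has no entry."""
    wanted = ("%s\\%s" % (KILLBIT_KEY, clsid)).lower()
    section = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == wanted:
            m = re.match(r'^"Compatibility Flags"=dword:([0-9a-f]{1,8})$', line, re.I)
            if m:
                return int(m.group(1), 16)
    return None


def killbit_set(reg_text, clsid):
    """True only if the control has an entry and the 0x400 bit is on."""
    flags = compatibility_flags(reg_text, clsid)
    return flags is not None and bool(flags & KILL_BIT)


if __name__ == "__main__":
    reg = killbit_reg(EXAMPLE_CLSID)
    print(reg)
    print("kill-bit present:", killbit_set(reg, EXAMPLE_CLSID))
```

Passing the control's current flags as `existing_flags` matters on hosts where other compatibility bits are already set, since a plain overwrite would silently clear them; exporting the key first and running `compatibility_flags` over the result is the check to do before and after the change.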

04 March 2011

Trojan Hiding In Legitimate Security Software

An interesting tactic for hiding a Trojan has recently been spotted by Symantec researchers.

Instead of writing their own malicious code from scratch, the malware authors have decided to take advantage of code belonging to the Kingsoft WebShield browser protection software (part of the Kingsoft Internet Security suite).

"The interesting part of this package is in its configuration, which allows an opportunity for malicious intent," explains researcher Éamonn Young. "Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package."

And so they did. The new package contains the legitimate software and its supporting components, plus two configuration files that effectively turn it into a Trojan.

Once the apparently legitimate software is installed and running, one of these files changes the home page to one of the designated URLs - which host advertisement link farms - and locks it so that the user can't change it back.

The other one ensures that if the user tries to visit one of a number of popular domains listed in it, he is likewise redirected to one of the aforementioned designated URLs.

The authors of the malware are likely to be Chinese, and so are the targeted users. The misused legitimate software is manufactured by Chinese software developer Kingsoft, and all the websites - the advertisement link farms and the domains from which the user is redirected - cater to Chinese users.

Another interesting thing about this Trojan is that it deletes all Quick Launch icons except the Internet Explorer one, and if there isn't one, it creates it. Since the whole package works as intended only in Internet Explorer, this is a rather (too) obvious way of making sure the user uses only that browser.

Since Kingsoft WebShield works as it usually does, the user might not spot that something is wrong with his computer right away upon installing the tainted package. And even when he finally gets suspicious about the constant redirection, it will take a while before he learns how to uninstall it, since the uninstaller has been omitted.

All in all, the authors of this improvised Trojan have produced an annoying but not very dangerous piece of malware. Unfortunately, it seems to me that it is only a matter of time until someone changes the configuration files again and users are redirected to far more malicious sites.

WordPress Hit By Multigigabit DDoS Attack

WordPress.com has been the target of an extensive DDoS attack, and the millions of blogs it hosts have been temporarily unavailable or have experienced occasional disruptions because of it.

The news comes from Graham Cluley, one of Sophos' security consultants, who got the confirmation directly from Automattic (the company behind WordPress.com).

"Sophos's Naked Security site runs on the VIP version of the WordPress.com platform, and our writers have had some difficulties posting today because of this disruption," he says, and shares the information sent to him:

  • The size of the attack reached multiple Gigabits per second and tens of millions of packets per second
  • Automattic is working with its upstream providers to establish defensive measures
  • The attack impacted all three of their datacenters, in Chicago, San Antonio, and Dallas

"This is the largest and most sustained attack we've seen in our 6 year history. We suspect it may have been politically motivated against one of our non-English blogs but we're still investigating and have no definitive evidence yet," said Matt Mullenweg, WordPress.com and Automattic founder.

03 March 2011

Twitter 11.6 hours survey scam spreading virally

Twitter users should be vigilant following the outbreak of a scam that is spreading links from users' accounts without their knowledge. The scam, which has already caught thousands of Twitter users off guard today, dupes users into clicking on links, believing that it will reveal how many hours they have spent on Twitter.


The offending links are being circulated on Twitter in messages containing the following text:

"I have spent 11.6 hours on Twitter. How much have you? Find out here: [LINK]"

However, if users click on the bit.ly link being used in the message, they are taken to a page which attempts to connect a rogue application called 'Time on Tweeter' with the user's Twitter account.

The application instantly tweets a message from the victim's Twitter feed, claiming that they too have spent 11.6 hours on Twitter, while also directing the victim to a page which presents a revenue-generating survey on behalf of the scammers.

"Affected users need to revoke the rogue application's access to their Twitter account immediately, or it will be able to spew out more links from your Twitter page - which could promote spam sites or link to malicious webpages," advised Graham Cluley, senior technology consultant at Sophos. "Scams like this are very commonly encountered on Facebook, but are more rarely seen on Twitter - meaning that many users will be sitting ducks to this type of attack.

Although Sophos is in contact with bit.ly about closing down the offending link, it's possible that the scammers will use other links and other names for their rogue applications. So be on your guard, and always think twice before allowing a third-party app to have access to your Twitter account."

02 March 2011

The Mother Of All Android Malware Has Arrived

Openness – the very characteristic of Android that makes us love it – is a double-edged sword.

Free Android applications bundled with malware have spilled over into the official Android Market.

According to Symantec, the malware in question can root the phone, harvest data and open backdoors - similar to the recent Geinimi Trojan spotted lurking on third-party Chinese Android app markets.

"The applications in question are popular free apps, bundled with malware, that have then been republished in the official marketplace under different application and publisher names," says researcher Joji Hamada.

Google has jumped into the fray and removed the applications from the market, but according to Symantec's sources, somewhere between 50,000 and 200,000 downloads took place during the four days the apps were available.

This new Trojan has been dubbed Rootcager because of the rageagainstthecage file included in the Android Package containing the affected apps.

Rageagainstthecage is a file that can also be used legitimately to root a phone so that users gain administrative rights, but in this case it is used to let the Trojan do things like take screenshots, harvest IMEI and IMSI numbers and send them to remote sites, and drop a DownloadProvidersManager Android package that goes on to execute further downloads in the background.

For the full list of the potentially affected apps, go here. If you think you may have installed one of them on your device, check your installed apps against the list, or check the "running services" settings on your phone for a DownloadManageService started by an application.

01 March 2011

150,000 Gmail accounts reset and contents deleted

Word about the accidental resetting of Gmail accounts has been spreading on the Internet over the last two days, as users tweeted that their e-mail accounts had been stripped clean of all the e-mails, attachments and chat logs collected in them over the years.

Google itself confirmed the glitch and its results, saying that less than 0.08% of the Gmail user base has been affected. The issue has still not been resolved, and some users still can't access their accounts.

Google confirms that "users may be temporarily unable to sign in while we repair their accounts", but doesn't say if the content will be restored, too.

Users are understandably upset. As the number of affected accounts seems to be around 150,000, I expect Google isn't happy, either.

Was it a glitch, a bug, or human error? The company's team is investigating the issue, but there are still no concrete answers, as they continue to push out uninformative updates on the situation every two hours.