Slashdot Mirror

← Back to Domains

Domain: threatpost.com

Stories and comments across the archive that link to threatpost.com.

Stories · 644

  1. Spammers 'Gearing Up' Botnets For Holiday Rush

    It · Security · · posted by CmdrTaco · from the black-friday-is-gonna-suck dept. · 30 comments
    chicksdaddy writes "Spam — there's less of it, but it's much nastier, according to the latest statistics from Google's Postini e-mail security service. According to a post on Google's Enterprise blog, the viral content of spam e-mail (both malicious links and attachments) was up 111% from the same quarter in 2009, even as spam volume overall dropped 24%. The Summertime malware push may be evidence of a push to pump up bot networks in advance of the busy holiday online shopping season, according to Google researchers."

  2. Adobe Reader X With Sandbox Due In November

    It · Security · · posted by CmdrTaco · from the i-like-the-dump-truck dept. · 110 comments
    Trailrunner7 writes "Adobe will finally release the new version of its Reader software — which will include the much-anticipated Protected Mode security feature — next month. Adobe Reader X will include a number of other new features in addition to the sandbox feature. Adobe officials have been discussing Protected Mode for several months now and said early on that it would be included in the next version of Reader, but had never set a time line for the release of Reader X. Now, the company says the new version will be available in November, although no specific date was announced."

  3. New Site Aims To Be iTunes For Exploits

    It · Bug · · posted by Soulskill · from the bet-they-won't-cost-99-cents dept. · 55 comments
    Trailrunner7 writes "It's been tried before, but NSS Labs founder Rick Moy says his company's new Exploit Hub — a store front for exploit code — can work. In an interview, he explains why the current market for exploits doesn't work for the good guys, and why zero-day exploits don't help anyone. Above-board markets for software vulnerabilities have been around for close to a decade, but previous efforts to market exploits have had mixed results. The business of selling exploits versus vulnerabilities is fraught with danger, and organizations like WabiSabiLabi have operated eBay-style marketplaces for zero-day exploits for years, but haven't seen exploit writers beating a path to their door. The need for an above-board marketplace that can compete with the black market surely exists, but getting it to work is another matter entirely."

  4. US Reigns As Most Bot-Infected Country

    News · Botnet · · posted by samzenpus · from the we're-number-one dept. · 121 comments
    Trailrunner7 writes "The US has by far the highest number of bot-infected computers of any country in the world, with nearly four times as many infected PCs as the country in second place, Brazil, according to a new report by Microsoft. The quarterly report on malicious software and Internet attacks shows that while some of the major botnets have been curtailed in recent months, the networks of infected PCs still represent a huge threat."

  5. Spammers Using Soft Hyphen To Hide Malicious URLs

    It · Security · · posted by timothy · from the conservative-in-what-you-accept dept. · 162 comments
    Trailrunner7 writes with this excerpt from ThreatPost illustrating the ongoing Spy-vs.-Spy battle between spammers and the rest of us: "Spammers have jumped on the little-used soft hyphen (or SHY character) to fool URL filtering devices. According to researchers, spammers are larding up URLs for sites they promote with the soft hyphen character, which many browsers ignore. Spammers aren't shy about jumping humans flexible cognitive abilities to slip past the notice of spam filters (H3rb41 V14gr4, anyone?). ... The latest trend involves the use of an obscure character called the soft hyphen or 'SHY' character to obscure malicious URLs in spam messages. Writing on the Symantec Connect blog, researcher Samir Patil said that the company has seen recent spam messages that insert the HTML symbol for the soft hyphen to obfuscate URLs for Web pages promoted by the spammers."

  6. Stuxnet Worms On

    It · Worms · · posted by CmdrTaco · from the squirmy-squirmy dept. · 141 comments
    Numerous Stuxnet related stories continue to flow through my bin today, so brace yourself: Unsurprisingly, Iran blames Stuxnet on a plot set up by the West, designed to infect its nuclear facilities. A Symantec researcher analyzed the code and put forth attack scenarios. A Threatpost researcher writes about the sophistication of the worm. Finally, Dutch multinationals have revealed that the worm is also attacking them. We may never know what this thing was really all about.

  7. Stuxnet Analysis Backs Iran-Israel Connection

    It · Security · · posted by Soulskill · from the my-god-has-a-bigger-firewall-than-your-god dept. · 307 comments
    Trailrunner7 writes "Liam O'Murchu of Symantec, speaking at the Virus Bulletin Conference, provided the first detailed public analysis of the worm's inner workings to an audience of some of the world's top computer virus experts. O'Murchu described a sophisticated and highly targeted virus and demonstrated a proof of concept exploit that showed how the virus could cause machines using infected PLCs to run out of control. Though most of the conversation about Stuxnet is still based on conjecture, O'Murchu said that Symantec's analysis of Stuxnet's code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. O'Murchu noted that researchers had uncovered the reference to an obscure date in the worm's code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution. Anti-virus experts said O'Murchu's hypothesis about the origins of Stuxnet were plausible, though some continue to wonder how the authors of such a sophisticated piece of malware allowed it to break into the wild and attract attention." Symantec has also issued a lengthy and detailed dossier on Stuxnet (PDF).

  8. Microsoft To Release Emergency Fix For ASP.NET Bug

    It · Microsoft · · posted by Soulskill · from the don't-make-us-do-stuff dept. · 73 comments
    Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."

  9. Microsoft To Release Emergency Fix For ASP.NET Bug

    It · Microsoft · · posted by Soulskill · from the don't-make-us-do-stuff dept. · 73 comments
    Trailrunner7 writes "Microsoft on Tuesday will release an emergency out-of-band patch for the ASP.NET padding oracle attack that was disclosed earlier this month. The patch will only be available on the company's Download Center for the time being, however. The company is taking the step of releasing an emergency fix for the bug because of the seriousness of the vulnerability — which potentially affects millions of Web applications — and the fact that there are attacks ongoing against it already. The patch will fix the flaw in all versions of the .NET framework. Although Microsoft issued guidance about workarounds to defend against attacks on the ASP.NET bug shortly after it was publicly disclosed, the researchers, Juliano Rizzo and Thai Duong, said that the workarounds did not fully protect users against their attack."

  10. Google Warning Gmail Users On Spying From China

    Tech · Google_Fb · · posted by timothy · from the should-that-be-by-or-from dept. · 215 comments
    Trailrunner7 writes "Google is using automated warnings to alert users of its Gmail messaging service about widespread attempts to access personal mail accounts from Internet addresses in China. The warnings may indicate wholesale spying by the Chinese government a year after the Google Aurora attacks, or simply random attacks. Victims include one leading privacy activist. Warnings appeared when users logged onto Gmail, encountering a red banner reading, 'Your account was recently accessed from China,' and providing a list of IP addresses used to access the account. Users were then encouraged to change their password immediately. Based on Twitter posts, there doesn't seem to be any pattern to the accounts that were accessed, though one target is a prominent privacy rights activist in the UK who has spoken out against the Chinese government's censorship of its citizens. A Google spokesman declined to comment on the latest warnings specifically. The company has been issuing similar warnings since March, when it introduced features to identify suspicious account activity."

  11. Twitter Closes Hole After Attack Hits Up To 500K Users

    It · Security · · posted by CmdrTaco · from the hate-when-that-happens dept. · 135 comments
    chicksdaddy writes "Twitter closed an ugly cross site scripting hole in its Web page Tuesday morning, but not until a fast moving attack, including at least two Twitter worms, compromised hundreds of thousands of user accounts. At its height, the attacks were hitting 100 Twitter users each second, putting estimates of the total number of victims at around 500,000 according to researchers at Kaspersky Lab."

  12. Researchers Demo ASP.NET Crypto Attack

    It · Bug · · posted by timothy · from the theoretical-no-more dept. · 98 comments
    Trailrunner7 writes "The crypto attack against ASP.Net Web apps has gotten a lot of attention this week, and with good reason. Microsoft on Friday night issued a security advisory about the bug, warning customers that it poses a clear danger to their sites. Also on Friday, the researchers who found the bug and implemented the attack against it released a slick video demo of the attack, clearly showing the seriousness of the problem and how simple it is to exploit with their POET tool."

  13. Security a Concern As HTML5 Advances

    Developers · Security · · posted by Soulskill · from the new-armor-with-new-holes dept. · 234 comments
    Trailrunner7 writes "Every technology innovation has its coming out party, and Google Inc.'s recent 'dancing balls' logo experiment was widely interpreted as a high-impact debut for HTML5. But web security experts are warning that the sprawling new web standard may favor functionality over security, enabling a new generation of powerful web-based attacks. They agree that there are security enhancements in HTML5, but all expressed the same concern: that the new specification will greatly increase the 'attack surface' of HTML — providing more avenues by which malicious code can be delivered through the web. 'HTML5 has an enormous amount of functionality. The (specification) is just huge,' said Jeremiah Grossman of security firm WhiteHat. The breadth of the new specification gives him concern. 'I know that we're still finding vulnerabilities in HTML4,' Grossman said."

  14. One Million Sites Infected With Malware In Q2

    It · Security · · posted by CmdrTaco · from the show-me-the-pinkee dept. · 42 comments
    Trailrunner7 writes "More than one million Web domains were infected with malicious code in the second quarter of 2010 — around one percent of all active Web domains, according to new data. The number of infected domains was extrapolated from data gained through a sample scan of what Dasient describes as 'millions of Web sites,' as well as from customer deployments. It suggests that compromises of Web sites are on the rise, as attackers look to push out malicious programs through so-called drive by download attacks."

  15. Google Fixes 10 Bugs In Chrome, Pays $4000 Bounty

    Tech · Google_Fb · · posted by samzenpus · from the $400-flaw dept. · 114 comments
    Trailrunner7 writes "It seems Google's bug bounty program is paying some nice dividends, for both sides. Less than two weeks after releasing version 6.0 of its Chrome browser, Google has pushed out another Chrome release, which includes fixes for 10 security bugs, seven of which are rated either critical or high. Google Chrome 6.0.472.59 comes out just 12 days after the last Chrome release, which fixed 14 security bugs. As part of its bug bounty program, Google paid out $4,000 in rewards to researchers who disclosed security flaws in the browser. Most of the security flaws fixed in the new release are in the Windows version of Chrome, but the most serious bug is only in Chrome for Mac."

  16. New Crypto Attack Affects Millions of ASP.NET Apps

    It · Encryption · · posted by CmdrTaco · from the duck-and-cover dept. · 156 comments
    Trailrunner7 writes "A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications."

  17. New Email Worm Squirming Through Windows Users' Inboxes

    It · Communications · · posted by timothy · from the vermicide-delicious dept. · 473 comments
    Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."

  18. The Effect of Snake Oil Security

    Tech · Google_Fb · · posted by timothy · from the homeopathic-snake-oil-is-better dept. · 110 comments
    Trailrunner7 writes "Threatpost has a guest column by Robert Hansen (aka Rsnake) about the long-term effects of snake-oil security products. 'I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers.'"

  19. NSA Director Says the US Must Secure the Internet

    Yro · Government · · posted by Soulskill · from the self-proclaimed-internet-police dept. · 250 comments
    Trailrunner7 writes "The United States has a responsibility to take a leadership role in securing the Internet against both internal and external attackers, a duty that the federal government takes very seriously, the country's top military cybersecurity official said Tuesday. However, Gen. Keith Alexander, director of the National Security Agency and commander of the US Cyber Command, provided virtually nothing in the way of details of how the government intends to accomplish this rather daunting task. 'We made the Internet and it seems to me that we ought to be the first folks to get out there and protect it,' Alexander said. 'The challenge before us is large and daunting. But we have an obligation to meet it head-on.' It's unlikely that any of Alexander's comments Tuesday will do much to quiet the criticisms of the Obama administration's security efforts thus far. Speaking mostly in generalities, Alexander emphasized the administration's commitment to the Comprehensive National Cybersecurity Initiative, a plan developed by the Bush administration and recently partially de-classified by Obama administration officials."

  20. Nasty Data-Stealing Bug Haunts Internet Explorer 8

    Tech · Msie · · posted by Soulskill · from the waiting-for-the-right-tuesday dept. · 151 comments
    Trailrunner7 writes "There's an unpatched vulnerability in Internet Explorer 8 that enables simple data-stealing attacks by Web-based attackers and could lead to an attacker hijacking a user's authenticated session on a third-party site. The flaw, which a researcher said may have been known since 2008, lies in the way IE8 handles CSS. The vulnerability can be exploited through an attack scenario known as cross-domain theft, and researcher Chris Evans originally brought the problem to light in a blog post in December. At the time, all of the major browsers were vulnerable to the attack, but since then, Firefox, Chrome, Safari and Opera all have implemented a simple defense mechanism. The upshot of this is that if a victim has visited a given Web site, authenticated himself to the site, and then visits a site controlled by an attacker, the attacker would have the ability to hijack the user's session and extract supposedly confidential data. This attack works on the latest, fully patched release of IE8."

  21. Google Releases Chrome 6, Pays $4337 In Bounties

    Tech · Google_Fb · · posted by timothy · from the working-in-the-background dept. · 177 comments
    Trailrunner7 writes "Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released two years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for 14 total security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn't qualify for bug bounties were discovered by members of Google's internal security team." (Read on for more, below.) Also on the Chrome front, morsch writes "Chrome 7 for Linux is planned to tie in with the Gnome Keyring and the KDE Wallet to securely store saved browser passwords. Users of the stable version of Google's Webkit-based browser might be surprised to find out that, so far, passwords are stored on the hard disk as clear text. On Windows, Chrome has always used a platform-specific crypto API call for encrypted storage. The corresponding Linux function was never implemented — until now. Unstable versions of Chrome 7 still disable the feature by default; it can be enabled using a parameter."

  22. New QuickTime Flaw Bypasses ASLR, DEP

    Tech · Security · · posted by Soulskill · from the once-more-unto-the-breach dept. · 162 comments
    Trailrunner7 writes "A Spanish security researcher has discovered a new vulnerability in Apple's QuickTime software that can be used to bypass both ASLR and DEP on current versions of Windows and give an attacker control of a remote PC. The flaw apparently results from a parameter from an older version of QuickTime that was left in the code by mistake. It was discovered by Ruben Santamarta of Wintercore, who said the vulnerability can be exploited remotely via a malicious Web site. On a machine running Internet Explorer on Windows 7, Vista or XP with QuickTime 7.x or 6.x installed, the problem can be exploited by using a heap-spraying technique. In his explanation of the details of the vulnerability and the exploit for it, Santamarta said he believes the parameter at the heart of the problem simply was not cleared out of older versions of the QuickTime code. 'The QuickTime plugin is widely installed and exploitable through IE; ASLR and DEP are not effective in this case and we will likely see this in the wild,' said HD Moore, founder of the Metasploit Project."

  23. Researchers Cripple Pushdo Botnet

    Yro · Botnet · · posted by timothy · from the nothing-wrong-with-the-word-cripple dept. · 129 comments
    Trailrunner7 writes with this from ThreatPost: "Researchers have made a huge dent in the Pushdo botnet, virtually crippling the network, by working with hosting providers to take down about two thirds of the command-and-control servers involved in the botnet. Pushdo for years has been one of the major producers of spam and other malicious activity, and researchers have been monitoring the botnet and looking for ways to do some damage to it since at least 2007. Now, researchers at Last Line of Defense, a security intelligence firm, have made some serious progress in crushing the botnet's spam operations. After doing an analysis of Pushdo's command-and-control infrastructure, the researchers identified about 30 servers that were serving as C&C machines for the botnet. Working with the hosting providers who maintained the servers in question, the LLOD researchers were able to get 20 of the C&C servers taken offline, the company said."

  24. Owning Virtual Worlds For Fun and Profit

    It · Security · · posted by samzenpus · from the cash-for-gold dept. · 82 comments
    Trailrunner7 writes "Threatpost has a guest column by security researcher Charlie Miller on the ways in which attackers can easily take advantage of vulnerabilities in virtual worlds and perhaps online games to get control of other players' characters and avatars and even cash out their real-world bank accounts. From the article: 'It turns out that Second Life uses QuickTime Player to process its multimedia. When I started looking into virtual world exploits, with the help of Dino Dai Zovi, there was a stack buffer overflow in QuickTime Player that had been discovered by Krystian Kloskowski but had not yet been patched. In Second Life it is possible to embed images and video onto objects. We embedded a vulnerable file onto a small pink cube and placed it onto a [tract] of land we owned. No matter where the cube was, if a victim walked onto the land and had multimedia enabled (recommended but not required), they would be exploited. The cube could be inside a building, hovering in the air, or even under the ground, and the result was the same.'"

  25. New Firefox iFrame Bug Bypasses URL Protections

    News · Mozilla · · posted by CmdrTaco · from the is-nothing-safe-any-more dept. · 118 comments
    Trailrunner7 writes "There is a newly discovered vulnerability in Mozilla's flagship Firefox browser that could enable an attacker to trick a user into providing his login credentials for a given site by using an obfuscated URL. In most cases, Firefox will display an alert when a URL has been obfuscated, but by using an iFrame, an attacker can evade this layer of protection, possibly leading to a compromise of the user's sensitive information."

  26. New Sandbox Framework For Chromium Released

    Tech · Unix · · posted by Soulskill · from the spicy-security dept. · 109 comments
    Trailrunner7 writes "As applications have become more and more complex in recent years and Web browsers have evolved into operating systems unto themselves, the task of securing desktop environments has become increasingly difficult. And while there's been quite a bit of innovation on Windows security, advances in Unix security have been less common of late. But now, a group of researchers from Google and the University of Cambridge in England have developed a new sandboxing framework called Capsicum, designed specifically to provide better security capabilities on Unix and Unix-derived systems (PDF). Capsicum is the work of four researchers at Cambridge and the framework extends the POSIX API and introduces a number of new Unix primitives that are meant to isolate applications and users and handle rights delegation in a better way. The research, done by Robert N.M. Watson, Ben Laurie, Kris Kennaway and Jonathan Anderson, was supported by Google, and the researchers have added some of the new Capsicum features to a version of Google's Chromium browser in order to demonstrate the functionality."

  27. Two Unpatched Flaws Show Up In Apple iOS

    Apple · Security · · posted by samzenpus · from the rotten-apple dept. · 171 comments
    Trailrunner7 writes "The technique that the Jailbreakme.com Web site is using to bypass the iPhone's security mechanisms and enable users to run unapproved apps on their phones involves exploiting two separate vulnerabilities. One of the vulnerabilities is a memory-corruption flaw that affects the way that Apple's mobile devices, including the iPad and iPod Touch, display PDFs. The second weakness is a problem in the Apple iOS kernel that gives an attacker higher privileges once his code is on a targeted device, enabling him to break out of the iOS sandbox. The combination of the two vulnerabilities — both of which are unpatched at the moment — gives an attacker the ability to run remote code on the device and evade the security protections on the iPhone, iPad or iPod Touch. The technique became public earlier this week when the Jailbreakme.com site began hosting a set of specially crafted PDF files designed to help users jailbreak their Apple devices and load apps other than the ones approved by Apple and offered in its official App Store."

  28. Microsoft To Issue Emergency Fix For Windows .LNK Flaw

    News · Microsoft · · posted by Soulskill · from the tee-plus-two-weeks dept. · 112 comments
    Trailrunner7 writes "Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet malware. The advance notification from Microsoft on Friday said that the company is patching a critical vulnerability that is being actively exploited in the wild and affects all supported Windows platforms. The LNK flaw in the Windows shell was first identified earlier this month when researchers discovered the Stuxnet worm spreading from infected USB drives to PCs. Stuxnet has turned out to be a rather interesting piece of malware as it not only uses the LNK zero day vulnerability to spread, but it had components that were signed using a legitimate digital certificate belonging to Realtek, a Taiwanese hardware manufacturer."

  29. Stuxnet May Represent New Trend In Malware

    It · Security · · posted by Soulskill · from the stux-on-you dept. · 58 comments
    Trailrunner7 writes "As more information continues to come out about the Stuxnet worm and the vulnerabilities that it exploits, it's becoming increasingly clear that this kind of attack may be a preview of the attacks that are likely to become commonplace in the months and years ahead. The most interesting aspect of all of this is the fact that the attackers behind Stuxnet clearly knew about the vulnerability in the Siemens WinCC system before the malware was written. That implies the malware authors had some advance intelligence about the configuration of the Siemens software and knew exactly where there was a weakness."

  30. Microsoft Says No To Paying Bug Bounties

    It · Bug · · posted by timothy · from the like-mel-gibson-in-ransom dept. · 148 comments
    Trailrunner7 writes "In the wake of both Mozilla and Google significantly increasing their bug bounties to the $3,000 range, there have been persistent rumors in the security community that Microsoft soon would follow suit and start paying bounties as well. However, a company official said on Thursday that Microsoft was not interested in paying bounties. 'We value the researcher ecosystem, and show that in a variety of ways, but we don't think paying a per-vuln bounty is the best way. Especially when across the researcher community the motivations aren't always financial. It is well-known that we acknowledge researcher's contributions in our bulletins when a researcher has coordinated the release of vulnerability details with the release of a security update,' Microsoft's Jerry Bryant said."

  31. Microsoft Makes Major Shift In Disclosure Policy

    It · Microsoft · · posted by timothy · from the tread-water-faster dept. · 65 comments
    Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.

  32. Attackers Using Social Networks For Botnet Control

    News · Security · · posted by Soulskill · from the eighteen-script-kiddies-liked-this dept. · 40 comments
    Trailrunner7 writes "Bot herders and the crimeware gangs behind banker Trojans have had a lot of success in the last few years with using bulletproof hosting providers as their main base of operations. But more and more, they're finding that social networks such as Twitter and Facebook are offering even more fertile and convenient grounds for controlling their malicious creations. New research from RSA shows that the gangs behind some of the targeted banker Trojans that are such a huge problem in some countries, especially Brazil and other South American nations, are moving quietly and quickly to using social networks as the command-and-control mechanisms for their malware. The company's anti-fraud researchers recently stumbled upon one such attack in progress and watched as it unfolded."

  33. Microsoft Has No Plans To Patch New Flaw

    It · Security · · posted by timothy · from the who-uses-usb-drives-anyhow dept. · 217 comments
    Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate that belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

  34. Mozilla Bumps Security Bug Bounty To $3,000

    News · Mozilla · · posted by kdawson · from the doing-well-by-doing-good dept. · 73 comments
    Trailrunner7 writes "In an effort to enlist more help finding bugs in its most popular software — Firefox, Thunderbird, and Firefox Mobile — Mozilla is jacking up the bounty it pays to researchers who report security flaws to $3,000. 'For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug. A lot has changed in the 6 years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,' said Lucas Adamski, director of security engineering at Mozilla. In addition to Mozilla, Google also has established a bug bounty program — though at $500 it has been called 'insulting.' None of the larger software vendors such as Microsoft or Oracle have taken that step. Some researchers see that as inevitable, however."

  35. Talk On Chinese Cyber Army Pulled From Black Hat

    Yro · Government · · posted by samzenpus · from the what-cyber-army? dept. · 103 comments
    Trailrunner7 writes "A talk on China's state-sponsored offensive security efforts scheduled for the Black Hat conference in Las Vegas later this month has been pulled after concerns were raised by people within the Chinese and Taiwanese government about the talk's content. The presentation was to be delivered by Wayne Huang, CTO of Armorize, an application security company with R&D operations in Taiwan. The talk was billed as an in-depth, historical look at the offensive capabilities and operations of China's so-called cyber-army."

  36. Spammers Moving To Disposable Domains

    It · Spam · · posted by timothy · from the filling-up-our-landfills dept. · 147 comments
    Trailrunner7 writes "Spammers and the botnet operators they're allied with are continuing to adapt their techniques to evade security technologies, and now are using what amount to disposable domains for their activities. A new report shows that the spammers are buying dozens of domains at a time and moving from one to another as often as several times a day to prevent shutdowns. New research shows that the amount of time that a spammer uses a given domain is basically a day or less. The company looked at 60 days worth of data from their customers and found that more than 70 percent of the domains used by spammers are active for a day or less."

  37. REMnux, the Malware Analysis Linux OS

    Linux · Security · · posted by Soulskill · from the penguins-with-guns dept. · 58 comments
    Trailrunner7 writes "A security expert has released a stripped-down Ubuntu distribution designed specifically for reverse-engineering malware. The OS, called REMnux, includes a slew of popular malware-analysis, network monitoring and memory forensics tools that comprise a very powerful environment for taking apart malicious code. REMnux is the creation of Lenny Zeltser, an expert on malware reverse engineering who teaches a popular course on the topic at SANS conferences. He put the operating system together after years of having students ask him which tools to use and what works best. He originally used Red Hat Linux, but recently decided that Ubuntu was a better fit. REMnux has three separate tools for analyzing Flash-specific malware, including SWFtools, Flasm and Flare, as well as several applications for analyzing malicious PDFs, including Didier Stevens' analysis tools. REMnux also has a number of tools for de-obfuscating JavaScript, including Rhino debugger, a version of Firefox with NoScript, JavaScript Deobfuscator and Firebug installed, and Windows Script Decoder."

  38. Adobe Finally Fixes Remote Launch 0-Day

    It · Security · · posted by kdawson · from the stay-safe-out-there dept. · 82 comments
    Trailrunner7 sends in this excerpt from Threatpost (Adobe announcement here): "Adobe today shipped a critical Reader/Acrobat patch to cover a total of 17 documented vulnerabilities that expose Windows, Mac, and Unix users to malicious hacker attacks. The update, which affects Adobe Reader/Acrobat 9.3.2 and earlier versions, includes a fix for the outstanding PDF '/Launch' functionality social engineering attack vector that was disclosed by researcher Didier Stevens. As previously reported, Didier created a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities. The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file." Relatedly, Brian Krebs blogs about the downsides of Adobe's increasingly Byzantine update process.

  39. Google Has Android Remote App Install Power, Too

    It · Google_Fb · · posted by timothy · from the coming-and-going dept. · 278 comments
    Trailrunner7 writes "The remote-wipe capability that Google recently invoked to remove a harmless application from some Android phones isn't the only remote control feature that the company built into its mobile OS. It turns out that Android also includes a feature that enables Google to remotely install apps on users' phones as well. Jon Oberheide, the security researcher who developed the application that Google remotely removed from Android phones, noticed during his research that the Android OS includes a feature called INSTALL_ASSET that allows Google to remotely install applications on users' phones. 'I don't know what design decision they based that on. Maybe they just figured since they had the removal mechanism, it's easy to have the install mechanism too,' Oberheide said in an interview. 'I don't know if they've used it yet.'"

  40. Firefox 3.6.4 Released With Out-of-Process Plugins

    News · Firefox · · posted by kdawson · from the bye-bye-crash dept. · 261 comments
    DragonHawk writes "Mozilla Firefox 3.6.4 went to general release today. The big new feature in this release is out-of-process plugins (OOPP). This means things like Flash, Java, QuickTime, etc., all run in separate processes, so when Flash decides to crash, it won't take your browser out with it. If Flash starts consuming all the CPU it can find, you can kill it without nuking your browser session. I've been using this feature since it was in the 'nightly build' stage, and it was still more stable than 3.6.3, just because Flash was isolated." And reader Trailrunner7 supplies another compelling reason to download 3.6.4: "Security researcher Michal Zalewski has identified a problem with the way Firefox handles links that are opened in a new browser window or tab, enabling attackers to inject arbitrary code into the new window or tab while still keeping a deceptive URL in the browser's address bar. The vulnerability, which Mozilla has fixed in version 3.6.4, has the effect of tricking users into thinking that they're visiting a legitimate site while instead sending arbitrary attacker-controlled code to their browsers."

  41. Mass SQL Injection Attack Hits Sites Running IIS

    News · Microsoft · · posted by Soulskill · from the oft-repeated-headlines dept. · 288 comments
    Trailrunner7 writes "There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now. The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites."

  42. Botnets Using Ubiquity For Security

    It · Botnet · · posted by kdawson · from the whack-a-c-and-c dept. · 95 comments
    Trailrunner7 sends in this excerpt from Threatpost: "As major botnet operators have moved from top-down C&C infrastructures, like those employed throughout the 1990s and most of the last decade, to more flexible peer-to-peer designs, they also have found it much easier to keep their networks up and running once they're discovered. When an attacker at just one, or at most two, C&C servers was doling out commands to compromised machines, evading detection and keeping the command server online were vitally important. But that's all changed now. With many botnet operators maintaining dozens or sometimes hundreds of C&C servers around the world at any one time, the effect of taking a handful of them offline is negligible, experts say, making takedown operations increasingly complicated and time-consuming. It's security through ubiquity. Security researchers say this change, which has been occurring gradually in the last couple of years, has made life much more difficult for them. ... Researchers in recent months have identified and cleaned hundreds of domains being used by the Gumblar botnet, but that's had little effect on the botnet's overall operation."

  43. CERT Releases Basic Fuzzing Framework

    It · Security · · posted by timothy · from the this-field-cannot-be-left-blank dept. · 51 comments
    infoLaw passes along this excerpt from Threatpost: "Carnegie Mellon University's Computer Emergency Response Team has released a new fuzzing framework to help identify and eliminate security vulnerabilities from software products. The Basic Fuzzing Framework (BFF) is described as a simplified version of automated dumb fuzzing. It includes a Linux virtual machine that has been optimized for fuzz testing and a set of scripts to implement a software test."

  44. Adobe May Change To Monthly Patch Cycle

    It · Security · · posted by timothy · from the are-you-on-the-patch? dept. · 76 comments
    Trailrunner7 writes "Adobe, which has been under fire for the security of its flagship products, Flash and Reader, for some time now, may be on the verge of changing its patching process to push fixes out on a monthly schedule, which would coincide with Microsoft's monthly Patch Tuesday releases. The change would be the second major adjustment to Adobe's patching process in the last year or so. In 2009 the company moved to a scheduled quarterly patch release process in an effort to give its customers a better chance to plan for testing and deployment. That change was generally well-received. Now Adobe may change the schedule again in order to get patches out more quickly. The company is considering releasing its security fixes for Reader on a monthly schedule, the same day that Microsoft releases its patches."

  45. Why Online Privacy Is Broken

    Yro · Privacy · · posted by Soulskill · from the too-many-people-who-don't-care dept. · 220 comments
    Trailrunner7 writes "One of the more trite and oft-repeated maxims in the software industry goes something like this: We're not focusing on security because our customers aren't asking for it. They want features and functionality. When they ask for security, then we'll worry about it. Not only is this philosophy doomed to failure, it's now being repeated in the realm of privacy, with potentially disastrous effects. A quick search of recent news on the privacy front reveals that just about all of it is bad. Facebook is exposing users' live chat sessions and other data to third parties. Google is caught recording not only MAC address and SSID information from public Wi-Fi hotspots, but storing data from the networks as well. But the prevailing attitude among corporate executives in these cases seems to be summed up by Google CEO Eric Schmidt, who famously said this not too long ago: 'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.' If you look beyond the patent absurdity of Schmidt's statement for a minute, you'll find another old maxim hiding underneath: Blame the user. You want privacy? Don't use our search engine/photo software/email application/maps. That's our data now, thank you very much. Oh, you don't want your private chats exposed to the world? Sorry, you never told us that."

  46. How To Go Broke Selling Zero-Day Exploits

    Tech · Security · · posted by Soulskill · from the supply-and-demand dept. · 66 comments
    Trailrunner7 writes "Despite all of the hand-wringing and moral posturing about the public sale of security vulnerabilities, it turns out that not many people are buying or selling vulns, and the ones who are aren't making much money at it. A new survey of security researchers who sell vulnerabilities either publicly or in private, directed sales found that the vast majority of the flaws sell for less than $5,000. Almost none of them sell for much more than $10,000. At those prices, there's little chance that this is going to turn into the chaotic Wild West marketplace that some people predicted. It's a small, mostly controlled market that isn't making anyone rich."

  47. MS To Share Early Flaw Data With Governments

    Yro · Government · · posted by kdawson · from the for-your-eyes-only dept. · 100 comments
    Trailrunner7 writes "Microsoft today announced plans to share pre-patch details on software vulnerabilities with governments around the world under a new program aimed at securing critical infrastructure and government assets from hacker attacks. The program, codenamed Omega, features a 'Defensive Information Sharing Program' that will offer government entities at the national level technical information on vulnerabilities that are being updated in their products." There's a stream the bad guys would dearly love to tap into.

  48. App Store-Aided Mobile Attacks

    Mobile · Cellphones · · posted by kdawson · from the so-simple-a-kiddie-could-do-it dept. · 186 comments
    Trailrunner7 sends along a ThreatPost.com piece that begins "The pace of innovation on mobile phones and other smart wireless devices has accelerated greatly in the last few years. ... But now the attackers are beginning to outstrip the good guys on mobile platforms, developing innovative new attacks and methods for stealing data that rival anything seen on the desktop, experts say. This particular attack vector — introducing malicious or Trojaned applications into mobile app stores — has the potential to become a very serious problem, researchers say. Tyler Shields, a security researcher at Veracode who developed a proof-of-concept spyware application for the BlackBerry earlier this year, said that the way app stores are set up and their relative lack of safeguards makes them soft targets for attackers. ... 'There are extremely technical approaches like the OS attacks, but that stuff is much harder to do,' Shields said. 'From the attacker's standpoint, it's too much effort when you can just drop something into the app store. It comes down to effort versus reward. The spyware Trojan approach will be the future of crime. Why spend time popping boxes when you can get the users to own the boxes themselves? If you couple that with custom Trojans and the research I've done, it's super scary.'"

  49. Microsoft Kills Support For XP SP2

    Tech · Windows · · posted by timothy · from the too-soon? dept. · 315 comments
    Trailrunner7 writes "Microsoft's announcement this week that it is preparing to end support for machines running Windows XP SP2 not only represents a challenge for the thousands of businesses still running SP2, but also is the end of an era for both Microsoft and its customers. It wasn't until 2004 that the final release of XP SP2 hit the streets, but when it did, it represented a huge step forward in security for Windows users. It wasn't necessarily the feature set that mattered as much as the fact that the protections were enabled by default and taken out of the users' hands."

  50. US Needs Secure Coding Office

    News · Security · · posted by CmdrTaco · from the measured-in-klocs dept. · 236 comments
    Trailrunner7 writes "If the United States wants to remain competitive in the global economy and prevent widespread penetrations of its strategic, corporate, and commercial networks, enterprises and government agencies should stop relying on commercial software and go back to writing more of their own custom code. 'If we're going to maintain our place in the world, software is not a strategic problem, it is the strategic problem going forward,' security expert Marcus Ranum said in a speech Tuesday. 'Covert penetration becomes something that you think about on a five, 10, or 20-year scale. Why don't we have a government coding office? We have a government printing office. Why don't we have a strategic software reserve? Our own software is probably a greater threat to us than anything other people can do to us.'"