Sunday 20 May 2012

New P2P Zeus Variant Targets Popular Sites with Bogus Offers

Facebook, Gmail, Yahoo and Hotmail users should beware of rogue rebate offers and new secure payment options aimed at getting them to part with their debit card information.

Earlier this week Amit Klein, CTO of Trusteer, announced the discovery of a peer-to-peer variant of the Zeus platform that leverages trusted relationships and well-known brands to convince users to sign up for convenient services and supposedly better security for debit card transactions. On each site, the attack displays a little differently.

"In the first attack against Facebook, the malware uses a web inject to present the victim with a fraudulent 20% cash back offer by linking their Visa or MasterCard debit card to their Facebook account," Klein wrote in a blog post. "The scam claims that after registering their card information, the victim will earn cash back when they purchase Facebook points. The fake web form prompts the victim to enter their debit card number, expiration date, security code and PIN."

The fraudulent message even includes a footnote explaining the debit card PIN is for verification purposes only and should never be disclosed to anyone, including family and friends.
 
In attacks against Gmail, Hotmail and Yahoo users, the malware offers a new authentication service from Verified by Visa and MasterCard SecureCode supposedly used by 3,000 online stores since January 1, 2012.

Many merchants require a 3D Secure password to complete an online transaction; Klein notes this attack doesn't compromise 3D Secure but instead uses the Visa and MasterCard brands to add credibility.  

The scam that targets Google Mail and Yahoo users claims that by linking their debit card to their web mail accounts all future 3D Secure authentication will be performed through Google Checkout and Yahoo Checkout respectively. It also maintains Hotmail users lacking the 3D Secure code won't be able to use Hotmail to make online purchases. The fraudulent site also claims participation in the program protects against future fraud.

Trusteer officials believe this may be the first time a web injection attack has targeted 3D Secure. A company spokesman said on Wednesday that Trusteer is not sure how many victims may have fallen for the scam, but the numbers could be considerable given the clever social engineering and the popularity of the targeted service providers.

Courtesy by Anne Saita

Friday 18 May 2012

Twitter Implements Do Not Track

Twitter has implemented the Do Not Track header on its site, giving users the option of telling the site that they do not want to be tracked across other sites on the Web. The implementation is being done through the DNT technology in the Firefox browser.

Firefox, like other major browsers, allows users to enable the DNT option, which uses an HTTP header to inform sites that the user does not want them to set cookies that enable persistent tracking across the Web. Sites need to choose to respect that particular header in order to make Do Not Track work on their pages, and that's the change that Twitter has made.

Twitter officials said on Thursday that they had implemented Do Not Track.

"The Federal Trade Commission's CTO, Ed Felten, just mentioned Twitter now supports Do Not Track. We applaud the FTC's leadership on DNT," Twitter said in a statement. 

Tracking of users through the use of special cookies has been a highly controversial practice, and advertisers have clashed with both privacy advocates and government regulators on the use of tracking cookies. The Federal Trade Commission and other organizations have supported the use of Do Not Track as a way to give consumers the ability to opt out of such tracking. Mozilla and Google have implemented it and Microsoft has implemented a similar system in Internet Explorer.

"Industry has made significant progress in implementing Do Not Track. The browser vendors have developed tools that consumers can use to signal that they do not want to be tracked; the DAA has developed its own icon-based tool and has committed to honor the browser tools; and the W3C has made substantial progress in creating an international standard for Do Not Track. However, the work is not done. The Commission will work with these groups to complete implementation of an easy-to-use, persistent, and effective Do Not Track system," the FTC said in a report on privacy in March.

Earlier this year Yahoo said it also would implement DNT on its sites. 

Twitter on Thursday also updated its privacy policy to give users more information on the kind of data it collects and how users can change that.

"When you turn on DNT in your browser, we stop collecting the information that allows us to tailor Twitter based on your recent visits to websites that have integrated our buttons or widgets. Specifically, we remove from your browser the unique cookie that links your browser to visits to websites in the Twitter ecosystem. We then cannot provide tailored suggestions for you," Twitter said in an explanation of the new support for Do Not Track.
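What honoring the header looks like on the server side, as an added example (not Twitter's code): the site checks for `DNT: 1`, and when it is present neither mints a cross-site tracking cookie nor uses the visit for tailoring, and expires any such cookie the browser already holds, which is what the statement above describes. The cookie name `tracking_id` and the request/response shapes are assumptions made for the illustration.

```python
"""Honouring the Do Not Track (DNT) request header on the server side.

Added example, not Twitter's code. The cookie name "tracking_id" and the
request/response shapes are assumptions chosen for the illustration.
"""
import secrets
from typing import Dict, Optional

TRACKING_COOKIE = "tracking_id"  # assumed name of the cross-site tracking cookie


def dnt_enabled(headers: Dict[str, str]) -> bool:
    """Return True when the client sent 'DNT: 1'.

    Header names are case-insensitive (RFC 7230), so normalise before lookup.
    Only the exact value "1" is an opt-out; "0" or an absent header means the
    user expressed no preference.
    """
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def parse_cookie_header(cookie_header: Optional[str]) -> Dict[str, str]:
    """Parse a 'Cookie:' request header into a dict (minimal, for the example)."""
    cookies: Dict[str, str] = {}
    if not cookie_header:
        return cookies
    for part in cookie_header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            cookies[key] = value
    return cookies


def build_response(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide what the site does with the tracking cookie for one request.

    Returns a dict with:
      'set_cookie'  - the Set-Cookie header to emit, or None
      'tracking_id' - the identifier the site may link to this visit, or None
      'tailor'      - whether this visit may feed 'tailored suggestions'
    """
    cookies = parse_cookie_header(headers.get("Cookie"))
    existing = cookies.get(TRACKING_COOKIE)

    if dnt_enabled(headers):
        # Opt-out: drop the identifier that links this browser to visits on
        # third-party pages, and do not use the visit for tailoring.
        expire = None
        if existing is not None:
            # Max-Age=0 tells the browser to delete the cookie immediately.
            expire = f"{TRACKING_COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly"
        return {"set_cookie": expire, "tracking_id": None, "tailor": False}

    # No opt-out: keep the persistent identifier, or mint one on first visit.
    tracking_id = existing or secrets.token_urlsafe(16)
    set_cookie = None
    if existing is None:
        set_cookie = (f"{TRACKING_COOKIE}={tracking_id}; Max-Age=31536000; "
                      "Path=/; Secure; HttpOnly")
    return {"set_cookie": set_cookie, "tracking_id": tracking_id, "tailor": True}


if __name__ == "__main__":
    print(build_response({"DNT": "1", "Cookie": "tracking_id=abc123"}))
    print(build_response({}))
```

The header is only a request; nothing in the browser enforces it, so the check on the server is the whole mechanism. A site that wants to prove it honours DNT can log the decision per request and audit that no `Set-Cookie` for the tracking identifier is ever emitted alongside `DNT: 1`.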
 
Courtesy by Dennis

Saturday 12 May 2012

Microsoft Ships Seven Bulletins Fixing 23 Bugs

Microsoft released seven bulletins fixing 23 vulnerabilities in its Patch Tuesday announcement today. The Redmond, Wash., software giant rated three of the bulletins as ‘critical,’ all of which could lead to remote code execution, and the remaining four as ‘important.’

The first critical bulletin resolves a privately reported bug in Microsoft Office through which an attacker could remotely execute code after the user opens a specially crafted RTF file. Upon successful exploitation, the attacker would possess the same rights as the current user. Users whose accounts have fewer rights would be less affected than those who operate with administrative rights.

The second patch resolves three publicly disclosed bugs and seven privately disclosed ones in Microsoft Office, Microsoft Windows, the Microsoft .NET Framework, and Microsoft Silverlight. These could also lead to remote code execution if an attacker can find a way to trick users into opening a specially crafted document or visiting a webpage that embeds TrueType font files.

This bulletin, MS12-034, also fixes one of the vulnerabilities exploited by the Duqu malware. Microsoft had already patched that bug in other applications, but in the last few months it had discovered that a copy of the code containing the CVE-2011-3402 vulnerability was present elsewhere in Microsoft products as well.
 
"In the time since we shipped MS11-087, we discovered that several Microsoft products contained a copy of win32k.sys’s font parsing code. Unfortunately, each copy of the code also contained the vulnerability addressed by MS11-087. The most troublesome copy was in gdiplus.dll. We know that several third party applications – 3rd party browsers in particular – might use gdiplus.dll to parse and render custom fonts. Microsoft Office’s version of gdiplus, called ogl.dll, also contained a copy of the vulnerable code. Silverlight included a copy of the vulnerable code. And the Windows Journal viewer included a copy of the vulnerable code," Microsoft said in a blog post today. 

"In addition to addressing the vulnerabilities described in the bulletin, this security update also closes the malicious keyboard layout file attack vector. Windows Vista introduced a requirement that all keyboard layout files be loaded from %windir%\system32. MS12-034 ports that change downlevel to Windows XP and Windows Server 2003 as well."

The last critically rated patch fixes two privately reported vulnerabilities in Windows and the .NET Framework. These could allow for remote code execution on client systems where the user views a specially crafted webpage that can run XAML browser applications. Again, users with fewer rights are less impacted.

As for the four important patches remaining, the first resolves six vulnerabilities in Microsoft Office and the second resolves one vulnerability in Microsoft Visio Viewer. All of these, if left unpatched, could lead to remote code execution. The last two important patches address bugs that could lead to elevation of privilege: the first resolves two bugs in TCP/IP and the second resolves a vulnerability in Windows Partition Manager.

Courtesy by Brian

Wednesday 9 May 2012

Consumer Reports: 13 Million Facebook Users Ignore Privacy Settings

A Consumer Reports investigation indicates 13 million U.S. Facebook users are oversharing -- and likely don't know it.

That figure represents 8 percent of Facebook's 150 million U.S. users, but it is part of an upward trend in users failing to protect themselves while on the social network -- putting themselves at risk in the real world. For instance, 4.8 million people potentially tipped off burglars by posting plans that pinpointed where they'd be on certain days. Another 4.7 million "liked" a Facebook page about health conditions or treatments that could be used against them by insurance companies.

But despite users' poor choices, Consumer Reports also blamed Facebook for failing to provide a reader-friendly privacy policy that explains the enormous amounts of data it collects and distributes widely. It also says the company could better manage and package its privacy controls so less savvy users can better control their sensitive data.

"Facebook really is changing the way the world socially communicates and has become a successful service in part by leveraging copious amounts of personal data that can be spread far wider than its users might realize," Consumer Reports Technology Editor Jeff Fox said in a prepared statement. "Our investigation revealed some fascinating, and some disquieting trends – but ones always worth knowing for consumers who wish to keep their personal data under better control."

The investigation involved projections from surveying some 2,000 members of Consumer Reports' interactive consumer online panel, 1,340 of whom were active Facebook users. They were interviewed January 16 to 31, 2012 by the Consumer Reports National Research Center.

It appears one way users protect themselves is to lie. One in four admitted to falsifying information in their profile to mask their true identities. Some do it to hide from employers; others to help prevent identity theft.

But the data points extracted from Consumer Reports' annual "State of the Net" report show people still provide too much information, whether or not they try to conceal their true identities. For instance, 20.4 million include their birth date, including the year, in public profiles. People also should be mindful that employers, college admissions officials, government investigators and, of course, criminals and personal enemies routinely scan Facebook data.

Many Facebook users don't expect the information they post to go beyond their own network of friends, but the report devotes an entire section to how they can lose control of that information, particularly through Facebook apps and games.

"Whenever you run one, it gets your public information, such as your name, gender, and profile photo, as well as your list of friends even if you haven’t made that list public. And if you give the app certain permissions, it can peer deeper into your data and even see information that your friends share with you, unless they have specifically forbidden sharing with apps in their own privacy settings," the report stated.

"The result is that unless you’ve chosen your privacy settings meticulously, a friend who runs an app could grant it access to your information without your knowledge. Given that fact, it’s troubling that our survey found that only 37 percent of Facebook users say they have used the site’s privacy tools to customize how much information apps are allowed to see."

There are signs that Facebook is responding to privacy critics who maintain the company could do more to ensure its 900 million users have more control over their data. For instance, the Tag Suggest feature that uses facial recognition software to scan photos met with strong criticism and was modified to better alert unsuspecting users so they could untag a photo or disable the feature altogether.

But the report also makes it clear users will need to be more proactive about their online privacy by regularly reviewing their Facebook privacy settings and protecting basic information. They also should be sure to limit all past, present and future wall posts to just friends.

Also, Consumer Reports recommends blocking apps and sites that spy on users or allow friends to share another's personal information by using controls that limit the information apps can see. Similarly, you can restrict views of wall posts or items in your profile.

If someone is being stalked, harassed or impersonated, they can deactivate their account, which will make it temporarily inaccessible to everyone but the user. Deleting is another recourse, but one that shuts out everyone -- including the person behind the account.
 
Courtesy by Anne Saita

Sunday 6 May 2012

Hotmail Password Reset Bug Exploited in Wild

UPDATE: Microsoft has issued a permanent fix for a previously undisclosed bug in its MSN Hotmail Web email service that could have allowed remote attackers to reset account passwords.

The flaw in the password reset functionality allowed a remote attacker to reset the Hotmail/MSN password with their own values, according to a notice published by Vulnerability Laboratory senior researcher Benjamin Kunz Mejri. It affected Microsoft’s official MSN Hotmail (Live) service. Remote attackers could use the security hole to bypass the password recovery service and set up a new password, according to the notice.

Hotmail is the world’s largest web-based email service provider, touting some 364 million users. The flaw would also allow an attacker to bypass MSN Hotmail's token-based login protection. According to the Vulnerability Laboratory report, the token protection only checks if input values are empty before blocking or closing the web session. Mejri managed to bypass that feature by entering a string of characters, in this case, ‘+++)-.’
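The defect the report describes, a reset token that is only tested for being non-empty, is easy to show beside the check that should have been there. The following is an added example, not Microsoft's code: the token store, account names and token lifetime are constructed for the illustration. The weak check accepts any non-empty string for any account; the hardened check requires a token that was issued for that account, compares it in constant time, rejects it once it has expired and consumes it on first use.

```python
"""Password-reset token validation: the 'non-empty' check versus a real check.

Added example, not Microsoft's code. The token store, the account names and
the token lifetime are constructed for this illustration.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token

# Constructed in-memory store: account -> (token, expiry). A real service
# would persist a hash of the token rather than the token itself.
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def issue_reset_token(account: str, now: Optional[float] = None) -> str:
    """Mint an unguessable token, bind it to the account and give it a deadline."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[account] = (token, now + TOKEN_TTL_SECONDS)
    return token


def weak_reset_allowed(account: str, token: str) -> bool:
    """Mirrors the flaw in the report: the token is only tested for being empty.

    Any non-empty string, for any account, passes this check.
    """
    return bool(token)


def reset_allowed(account: str, token: str, now: Optional[float] = None) -> bool:
    """Hardened check: the token must have been issued for this account,
    must match exactly and must not have expired.

    hmac.compare_digest keeps the comparison constant-time, and the token is
    consumed on success so it cannot be replayed.
    """
    now = time.time() if now is None else now
    entry = _reset_tokens.get(account)
    if entry is None or not token:
        return False
    expected, expires_at = entry
    if now > expires_at:
        del _reset_tokens[account]  # stale token: discard it
        return False
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    del _reset_tokens[account]  # single use
    return True


if __name__ == "__main__":
    issued = issue_reset_token("alice")
    print("weak check, junk token:", weak_reset_allowed("alice", "junk"))
    print("hardened check, junk token:", reset_allowed("alice", "junk"))
    print("hardened check, real token:", reset_allowed("alice", issued))
    print("hardened check, replayed token:", reset_allowed("alice", issued))
```

The binding to the account is the part that matters most: a token that is merely "valid" but not tied to the account being reset lets whoever holds any token reset any account, which is the class of bug the notice describes.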

“On Friday, we addressed an incident with password reset functionality; there is no action for customers, as they are protected,” a Microsoft spokesperson told Threatpost via email.

According to a report published on WhiteC0de, the exploit was initially discovered by a Saudi Arabian hacker working for Dev-point.com and was leaked to hacker forums, where it spread quickly. Despite the quick action to fix the flaw, WhiteC0de claims it has been widely used to compromise Hotmail accounts. In turn, unauthorized access to those email accounts was leveraged to gain access to social media, financial, and other accounts linked to those addresses.

Friday 4 May 2012

Survey Finds Secure Sites Not So Secure

A new project that was set up to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure.

The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations.

There is quite a bit of alarming data in what the project has gathered, and one of those pieces of information is that more than 148,000 of the sites surveyed are vulnerable to the BEAST attack, which was developed by researchers Juliano Rizzo and Thai Duong and disclosed last year. Their attack uses what's known as a chosen-plaintext attack against the AES implementation in the TLS 1.0 protocol and enables them to use a custom tool they wrote to steal and decrypt supposedly secure HTTPS cookies. The attacker can then hijack the victim's secure SSL session with a site such as an e-commerce site or online banking site.

The BEAST attack is complex, but it's a serious concern and the fact that three quarters of the top sites that the project surveyed are still vulnerable to the attack is troubling. Sites can protect against the attack by implementing mitigations in their TLS 1.0 deployments, including configuring their servers to only use the RC4 cipher during TLS 1.0 or SSL 3.0 sessions.
 
The other major concern in the data compiled by the SSL Pulse survey is that a third of the sites still support SSL 2.0, a protocol that is considered insecure. Experts recommend that sites not use SSL 2.0 at all because of its weaknesses. 

The Trustworthy Internet Movement, formed earlier this year and backed by Qualys CEO Philippe Courtot, boasts a task force that comprises some of the top SSL experts in the industry, including Ivan Ristic of Qualys, Moxie Marlinspike of Whisper Systems and Twitter and Adam Langley of Google. 

Ristic said in a blog post that while the data compiled by the survey is not definitive, it's a good indication of what's happening on the sites secured by SSL.

"Looking at the SSL Labs grades, which are designed to sum up the quality of SSL configuration, we can see that about 50% (99,903 sites) got an A, which is a good result. Previous global SSL Labs surveys reported about 33% well-configured sites, which means that more popular sites are better configured. Unfortunately, many of these A-grade sites (still) support insecure renegotiation (8,522 sites, or 8.5% of the well-configured ones) or are vulnerable to the BEAST attack (72,357 sites, or 72.4% of the well-configured ones). This leaves us with only 19,024 sites (or 9.59% of all sites) that are genuinely secure at this level of analysis."
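The classification behind those figures, and the BEAST and SSL 2.0 checks described earlier in the article, can be written down as a small grading routine. This is an added example, not SSL Labs or SSL Pulse code: the record layout, the sample hosts and their cipher choices are constructed, and the BEAST test encodes the 2012 mitigation the article describes (prefer a stream cipher for SSL 3.0 and TLS 1.0 sessions). One caveat for anyone reading this today: RC4 was itself later shown to be weak and is prohibited for TLS by RFC 7465, so the current fix is to offer TLS 1.1 or later and retire the old protocol versions rather than to prefer RC4.

```python
"""Classifying site SSL configurations the way the SSL Pulse summary does.

Added example, not SSL Labs or SSL Pulse code. The record layout, the sample
sites and their cipher choices are constructed for the illustration. The
BEAST test encodes the mitigation the article describes; RC4 is now
prohibited for TLS (RFC 7465), so a modern deployment should instead drop
SSL 3.0 / TLS 1.0 and offer TLS 1.1 or later.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Ciphers that are not CBC-mode and so are not affected by BEAST.
STREAM_CIPHERS = {"RC4-SHA", "RC4-MD5"}
# Protocol versions in which CBC cipher suites are exposed to BEAST.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}


@dataclass
class SiteConfig:
    host: str
    grade: str                          # SSL Labs letter grade, as reported
    protocols: List[str]                # protocol versions the server accepts
    preferred_cipher: Dict[str, str] = field(default_factory=dict)  # per protocol
    insecure_renegotiation: bool = False


def supports_ssl2(site: SiteConfig) -> bool:
    """SSL 2.0 is broken outright; any server still offering it is flagged."""
    return "SSLv2" in site.protocols


def beast_vulnerable(site: SiteConfig) -> bool:
    """Exposed if an affected protocol is accepted and a CBC suite would be chosen."""
    for proto in site.protocols:
        if proto in BEAST_PROTOCOLS and site.preferred_cipher.get(proto) not in STREAM_CIPHERS:
            return True
    return False


def genuinely_secure(site: SiteConfig) -> bool:
    """The bar used in the quoted summary: A grade, safe renegotiation, no BEAST."""
    return site.grade == "A" and not site.insecure_renegotiation and not beast_vulnerable(site)


def summarise(sites: List[SiteConfig]) -> Dict[str, int]:
    """Counts matching the categories in the SSL Pulse summary."""
    a_sites = [s for s in sites if s.grade == "A"]
    return {
        "total": len(sites),
        "a_grade": len(a_sites),
        "a_grade_insecure_renegotiation": sum(1 for s in a_sites if s.insecure_renegotiation),
        "a_grade_beast": sum(1 for s in a_sites if beast_vulnerable(s)),
        "ssl2": sum(1 for s in sites if supports_ssl2(s)),
        "genuinely_secure": sum(1 for s in sites if genuinely_secure(s)),
    }


# Constructed sample records (hostnames are placeholders, not survey data).
SAMPLE_SITES = [
    SiteConfig("good.example", "A", ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
               {"TLSv1.0": "RC4-SHA", "TLSv1.1": "AES128-SHA", "TLSv1.2": "AES128-SHA256"}),
    SiteConfig("cbc.example", "A", ["TLSv1.0"], {"TLSv1.0": "AES128-SHA"}),
    SiteConfig("reneg.example", "A", ["TLSv1.0"], {"TLSv1.0": "RC4-SHA"},
               insecure_renegotiation=True),
    SiteConfig("legacy.example", "B", ["SSLv2", "SSLv3", "TLSv1.0"],
               {"SSLv3": "RC4-MD5", "TLSv1.0": "RC4-SHA"}),
    SiteConfig("bad.example", "F", ["SSLv3", "TLSv1.0"]),
]

if __name__ == "__main__":
    for name, count in summarise(SAMPLE_SITES).items():
        print(f"{name}: {count}")
```

On the five constructed records only `good.example` clears the bar: `cbc.example` has an A grade but negotiates a CBC suite under TLS 1.0, `reneg.example` still allows insecure renegotiation, and the other two never reach an A. The same three conditions are what separate the 99,903 A-grade sites from the 19,024 "genuinely secure" ones in the quote.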
 
Courtesy by Dennis

Wednesday 2 May 2012

New Flashback Variant Using Twitter as Backup C&C Channel

The latest version of the Flashback malware that's infecting Macs has a new command-and-control infrastructure that uses Twitter as a fallback mechanism in case the normal C&C system isn't available. This is not the first time a botnet has used Twitter for some form of command and control, but it's a good example of the ways in which attackers are always adapting to defenders' actions and changing their tactics.

The most recent version of Flashback, which infects Macs through the exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type of server is used as a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack users' Web search traffic and push it to servers that they control. The second tier of servers is used to send commands to the infected machines to perform specific actions on the Macs.

Analysts at Dr. Web, a Russian security firm, found that when infected Macs connect to the second type of C&C server, if they don't receive a correctly formatted reply, they will then perform a search on Twitter for a specially formatted string.

"If the control server does not return a correct reply, the Trojan uses the current date to generate a string that serves as a hash tag in a search using http://mobile.twitter.com/searches?q=<string>. For example, some Trojan versions generate a string of the "rgdgkpshxeoa" format for the date 04.13.2012 (other bot versions can generate a different string). If the Trojan manages to find a Twitter message containing bumpbegin and endbump tags enclosing a control server address, it will be used as a domain name. Doctor Web began to take over domains of this category on April 13, but on the following day, Saturday, April 14, the Twitter account registered by Doctor Web analysts for this purpose was blocked," the company said in its analysis of the new version.
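The two observable pieces of that fallback, the search URL and the marker-wrapped server name, are enough to build a simple detector. The following is an added example, not Dr. Web's or the malware's code: the proxy log lines and messages are constructed, "rgdgkpshxeoa" is the one date-derived value quoted above and its generation algorithm is not reproduced, and the log format is an assumption. The point is defensive: flag clients that issue the fallback search, and pull the server name out of a message carrying the bumpbegin/endbump markers so it can be blocked or, as Doctor Web did, registered and sinkholed.

```python
"""Spotting the Twitter fallback lookup described in the Dr. Web analysis.

Added example, not Dr. Web's or the malware's code. Log lines and messages
are constructed; "rgdgkpshxeoa" is the value quoted in the analysis and the
string-generation algorithm is not reproduced here.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# The quoted search term is a 12-letter lowercase string; treat that shape as the indicator.
FALLBACK_TERM_RE = re.compile(r"^[a-z]{12}$")
# A control-server name sits between the two markers quoted in the analysis.
CONTROL_SERVER_RE = re.compile(r"bumpbegin([A-Za-z0-9.\-]+?)endbump")


def is_fallback_search(url: str) -> bool:
    """True for http://mobile.twitter.com/searches?q=<12 lowercase letters>."""
    parts = urlsplit(url)
    if parts.hostname != "mobile.twitter.com" or parts.path != "/searches":
        return False
    terms = parse_qs(parts.query).get("q", [])
    return len(terms) == 1 and FALLBACK_TERM_RE.match(terms[0]) is not None


def extract_control_server(message: str) -> Optional[str]:
    """Return the name enclosed by bumpbegin...endbump, lower-cased, or None."""
    m = CONTROL_SERVER_RE.search(message)
    return m.group(1).lower() if m else None


def scan_proxy_log(lines: List[str]) -> List[str]:
    """Client addresses that issued a fallback-style search, in first-seen order.

    Assumed (constructed) log format: '<client-ip> <method> <url> <status>'.
    """
    clients: List[str] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        if is_fallback_search(url) and client not in clients:
            clients.append(client)
    return clients


SAMPLE_LOG = [  # constructed proxy log lines
    "10.0.0.5 GET http://mobile.twitter.com/searches?q=rgdgkpshxeoa 200",
    "10.0.0.7 GET http://mobile.twitter.com/searches?q=macsecurity 200",
    "10.0.0.5 GET http://mobile.twitter.com/searches?q=rgdgkpshxeoa 200",
    "10.0.0.9 GET https://www.example.com/ 200",
]

SAMPLE_MESSAGES = [  # constructed; the server name is a placeholder
    "#rgdgkpshxeoa bumpbeginc2-placeholder.example.netendbump",
    "unrelated post about macs",
]

if __name__ == "__main__":
    print("fallback searches from:", scan_proxy_log(SAMPLE_LOG))
    for msg in SAMPLE_MESSAGES:
        print(repr(msg), "->", extract_control_server(msg))
```

The 12-letter shape is taken from the single example in the quote, so on real traffic it should be one signal among several (the mobile search endpoint itself, the daily cadence, and the presence of the other C&C tiers) rather than a verdict on its own; legitimate twelve-letter searches will match it too.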

Bot herders began using Twitter for C&C several years ago, with varying degrees of success. Twitter security officials were somewhat slow to catch on to that phenomenon, but have been quicker to respond of late. 

Flashback is by no means the first piece of Mac malware, or even the most inventive. But it's turned out to be the most successful of them, having infected several hundred thousand machines over the course of the last six months or so. There are a number of different versions of Flashback circulating but the one that's caused the most trouble is the one that has been exploiting Java vulnerabilities for the last couple of months. That version is being used in drive-by download attacks, which is a classic attack method for Windows vulnerabilities but hasn't been seen quite as much in the Mac world.

Courtesy by Dennis