Soccer fans around the world are eagerly waiting for the 2010 FIFA World Cup to kick off. Soccer's marquee event will virtually transform host nation South Africa into the mecca for the sport's impassioned followers around the world. As with any other major world event or cataclysm, the internet's dark alleys are filled with people ready to prey on the outpouring of human emotion during the World Cup. Some of their nefarious plans are likely already afoot, even though there is a fair bit to go before the event starts.
Symantec recently discovered a “targeted attack” that quite clearly tries to exploit the mounting soccer fever. Thankfully, the attack was thwarted before it could cause any damage. The attackers tried to drop their malicious payload using an email message ostensibly sent by a legitimate African safari organiser, Greenlife. To the untrained eye, the sender had attached a “highly informative World Cup Travel Guide” to the message. In reality the attached file was a modified variant of Greenlife's actual PDF guide: the genuine document had been laced with malicious code that exploits a recently patched vulnerability in Adobe Reader, and was then forwarded as an attachment.
“The patch for this critical rated vulnerability was released by Adobe on February 16, 2010. Since then we have observed a large number of targeted attacks attempting to exploit this vulnerability. Proof-of-Concept exploit code is available on the Internet which is contributing to the large number of observed attacks,” Daren Lewis, a Symantec employee, wrote on the MessageLabs Intelligence blog.
Targeted attacks are precise and low-volume compared with spam: Symantec sees fewer than 100 such attacks a day, against the roughly 500,000 malicious emails it blocks daily. Such attacks usually target organizations, with people at the top of the pecking order more likely to be attacked first, since compromising them gives the attackers access to a large chunk of the organization's sensitive information. In this case, the malicious email was sent to a person identified only as “a user in a major international organisation that brings together governments from all over the world.”
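The attack above hinges on a legitimate-looking PDF that carries active content. A mail gateway or analyst can flag such attachments before they reach a reader by looking for the PDF name objects that enable scripts and automatic actions. The following Python triage routine is an added example, not Symantec's or MessageLabs' code: it counts those markers, undoes the `#xx` hex escapes that PDF names allow (a naive substring search misses `/Java#53cript`), and reports whether the file deserves sandboxed analysis. The sample PDF byte strings are constructed for the demonstration, and the marker list is an assumption, not a complete signature set.

```python
import re

# PDF name objects that enable active content. Constructed mapping of
# name -> why it matters for triage; a plain document scan uses none of them.
ACTIVE_CONTENT_NAMES = {
    b"/JavaScript": "JavaScript action type",
    b"/JS": "JavaScript code or stream",
    b"/OpenAction": "action executed as soon as the document opens",
    b"/AA": "additional action bound to a page or form event",
    b"/Launch": "action that starts an external program",
    b"/EmbeddedFile": "file embedded inside the document",
}


def normalize_names(data: bytes) -> bytes:
    """Undo '#xx' hex escapes inside PDF names so that '/Java#53cript' is
    counted as '/JavaScript'. Escapes elsewhere (e.g. inside strings) are
    expanded too, which is acceptable for a triage heuristic."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_triage(data: bytes) -> dict:
    """Summarise the active-content markers found in a PDF byte string."""
    is_pdf = data.startswith(b"%PDF-")
    body = normalize_names(data)
    findings = {}
    for name, reason in ACTIVE_CONTENT_NAMES.items():
        # A name ends at the next delimiter or whitespace, so '/JS' must
        # not match the start of a longer name such as '/JSX'.
        pattern = re.escape(name) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, body))
        if count:
            findings[name.decode()] = {"count": count, "reason": reason}
    return {
        "is_pdf": is_pdf,
        "findings": findings,
        # Anything that is not a PDF, or that carries active content, goes
        # to a sandbox or an analyst instead of straight to the recipient.
        "needs_review": (not is_pdf) or bool(findings),
    }


# Constructed minimal PDFs for the demonstration (not real attachments).
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"%%EOF\n")

ACTIVE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
              b"%%EOF\n")

# The same action object with hex-escaped names, which a naive search misses.
ESCAPED_PDF = (b"%PDF-1.4\n"
               b"3 0 obj << /S /Java#53cript /#4AS (app.alert('constructed sample')) >> endobj\n"
               b"%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF),
                          ("escaped", ESCAPED_PDF)):
        print(label, pdf_triage(sample))
```

A hit is a reason to detonate the file in a sandbox, not proof of an exploit: legitimate forms use `/JS` and `/AA` too, so the value of the check is in routing, not in a verdict.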
Adobe last week released a security update for a critical vulnerability in Adobe Flash, but according to security researcher Aviv Raff, installing the update could be cause for concern.
"If you did upgrade to the latest version of Flash from the Adobe website, you very likely have Adobe Download Manager installed," Raff points out.
So what's the big deal? Raff says there's an undisclosed flaw in the way Adobe's Download Manager works, which makes it possible for an "attacker [to] force an automatic download and installation of any executable he desires." In other words, those who download the update end up exposing themselves to a zero-day attack, Raff claims.
Adobe is apparently aware of the issue and is reportedly working with Raff to patch it up. The software maker also downplayed the security risk, saying "the user has to accept a number of prompts before being taken through the installation process," which it argues makes it hard for malicious software to be installed without the user's knowledge.
I've been a relatively fortunate mobile phone owner. I've dropped various phones countless times throughout my geek life, including the extended cleaning of my first-ever iPhone by accidentally introducing it to my apartment complex's pool. I've broken countless critical features on my phones as a result of this clumsiness, the smashing of a phone against the car keys in my pocket, and the general wear-and-tear of a semi-busy lifestyle. In college, I had a flip-phone that was anything but, the exterior having been beaten up and bruised enough to transform the phone's external screen into a strobe light of-sorts whenever anyone called. Awesome for parties; useless for caller ID.
I've never lost my phone, though. And every day I board a train to head to work, sit in a taxicab, or go about my business without really paying much attention to where I last put my dialing device, I wonder: Is this it? Will today be the day that some unscrupulous person gets a hold of my iPhone and, by proxy, my entire online life?
In some ways, someone already has.
This isn't some kind of "won't somebody think of the children" scare tactic. It's a simple reality: You're hearing a lot about the wonders of cloud computing at this year's CES. And while that has different applications for the enterprise level than consumer, the practical reality of it for most PC users (and laptop users especially cough-cough-Chrome OS-cough) is that you're taking the data that would otherwise reside on a system within your control and placing it in the hands of another entity.
Cloud applications can be super-useful when you let others run the services that improve your geeky life. Your data, however, is your own--the more consumers coalesce their computing lives into access points, the more this data becomes ripe for abuse... or worse.
There's been a bit of a disagreement in the security community over how serious a recently discovered vulnerability in Microsoft's Internet Information Services (IIS) really is. On one hand, the researcher who discovered the bug labeled it as "highly critical," while at least one other security firm showed far less concern. So what does Microsoft have to say about all this?
"We've completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found there is no vulnerability in IIS," Microsoft wrote in a blog post.
Confused? Microsoft did admit "that there is an inconsistency in IIS 6 only in how it handles semicolons in URLs," but said that in order for an attacker to bypass content filtering software and upload and execute malicious code on an IIS server, the server would have to already be configured to allow both "write" and "execute" privileges on the directory.
"This is not the default configuration for IIS and is contrary to all of our published best practices," Microsoft added. "Quite simply, an IIS server configured in this manner is inherently vulnerable to attack."
Attackers have a new vulnerability to exploit in Microsoft's Internet Information Services (IIS), which would allow them to execute malicious code on machines configured with the webserver software. According to researcher Soroush Dalili, the bug stems from how IIS parses file names with colons or semicolons. By appending benign file extensions to a malicious file, attackers can effectively bypass filters designed to stop dirty code from getting through, The Register reports.
Dalili said the bug affects all versions of IIS, and while he rated it "highly critical," not everyone agrees with his assessment. Secunia classified the bug as "less critical," which is the security firm's second-lowest ranking on a five-tiered scale.
"Impact of this vulnerability is absolutely high as an attacker can bypass file extension protections by using a semicolon after an executable extension such as '.asp,' '.cer,' '.asa,' and so on," Dalili wrote. "Many web applications are vulnerable against file uploading attacks because of this weakness of IIS."
So why did Secunia only rate it as "less critical?" The company didn't say, noting only that it did confirm the bug on a machine running a fully patched version of Windows Server 2003 R2 SP2 with Microsoft IIS version 6.
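The disagreement above is really about where the check happens: an upload filter that looks only at the trailing extension sees `.jpg` on `shell.asp;.jpg`, while IIS 6, which stops reading the name at the semicolon, sees `.asp`. The Python below is an added example, not code from Dalili, Secunia or Microsoft. It models the reported parsing quirk in a deliberately simplified form (an assumption for this example, not a specification of IIS), shows the weak last-extension filter beside an allow-list filter that rejects separators and double extensions outright, and audits a few constructed file names against both. The extension lists are constructed for the demonstration.

```python
import os
import re

# Script extensions that the server hands to a script engine rather than
# serving as static content. Constructed list: the three named in Dalili's
# advisory plus two common ASP.NET ones.
EXECUTABLE_EXTENSIONS = {".asp", ".cer", ".asa", ".aspx", ".asax"}

# What this hypothetical upload handler is willing to store.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".gif", ".pdf", ".txt"}


def server_side_extension(filename: str) -> str:
    """Simplified model of the reported quirk (assumption, not a spec): the
    server treats everything from the first ';' or ':' onward as not part
    of the file name, so the extension it acts on is the one before it."""
    effective_name = re.split(r"[;:]", filename, maxsplit=1)[0]
    return os.path.splitext(effective_name)[1].lower()


def weak_is_allowed(filename: str) -> bool:
    """The filter pattern the bypass defeats: look at the last extension only."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


# One base name, one extension, conservative character set. Semicolons,
# colons, NUL bytes, spaces and double extensions never match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}$")


def hardened_is_allowed(filename: str) -> bool:
    """Allow-list the whole name, not just its tail, so that what the filter
    checks is exactly what the server will see."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(name):
        return False
    ext = os.path.splitext(name)[1].lower()
    return ext in ALLOWED_EXTENSIONS and ext not in EXECUTABLE_EXTENSIONS


def audit(filename: str) -> dict:
    """Compare both filters with what the modelled server would execute."""
    return {
        "weak_filter_accepts": weak_is_allowed(filename),
        "hardened_filter_accepts": hardened_is_allowed(filename),
        "server_would_execute": server_side_extension(filename) in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed file names: one legitimate upload and three bypass attempts.
    for name in ("photo.jpg", "shell.asp;.jpg", "shell.asp:.jpg", "shell.asp.jpg"):
        print(f"{name:16} {audit(name)}")
```

The audit for `shell.asp;.jpg` is the whole argument in one row: the weak filter accepts it, the modelled server would execute it, and the allow-list filter rejects it. Microsoft's point survives the example too: even the weak filter only matters on a directory that grants both write and execute, which the hardened filter does not rely on.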
The other day, Adobe announced it had discovered a vulnerability in its Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild, and assured users the company was investigating the issue. The good news is that Adobe's security team has finished the investigation. And the bad news? You'll have to wait until at least January 12, 2010 -- the targeted ship date -- to receive a patch.
According to Adobe, it considered stopping everything else and working immediately on an out-of-cycle security update with a one-off fix, but because that would still take between two and three weeks, doing so would throw off the timing of its next planned quarterly security update. So instead the fix will be rolled into the code branch for the next quarterly update.
AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality. Unfortunately, AutoRun's ability to provide instant launching for programs has also been widely exploited by malware such as the notorious Conficker/Downadup worm and others. Microsoft changed how AutoRun works in Windows 7 RC, but until now, Windows XP, Windows Vista, and Windows Server 2003 have been wide open to USB-based AutoRun attacks. To find out how Redmond's reining in AutoRun, join us after the jump.
Two security researchers warned on Saturday that if you use cPanel to administer your website, or use certain Linksys or Netgear routers, you're leaving yourself open to web-based attacks that could potentially take control of your systems.
The attacks are based on CSRF, or cross-site request forgery, which can be exploited simply by surfing to the 'wrong' website, say Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org.
"CSRF is bad stuff," Bailey said at the Defcon hacker conference in Las Vegas. "It's a very under-appreciated vulnerability, and it's all over the place. Because it usually gets rated as a pretty minimal issue, it almost never gets fixed, and that means we have these kinds of holes all over."
If the victim visits a malicious website while logged in to cPanel, the attack can trick cPanel into carrying out sensitive commands by making the forged requests appear to come from the victim. And it doesn't look like this will be fixed anytime soon.
"The response I got from cPanel was we can't fix this because it's a feature," Bailey said. "Apparently, they're worried it's going to break integration with third party billing software, so they can't fix this."
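The mechanism behind the cPanel and router findings is the same: the browser attaches the victim's session cookie to a form post no matter which page issued it, so a handler that authorizes on the cookie alone cannot tell a forged request from a real one. The Python below is an added example, not cPanel's code or the researchers' test cases. It contrasts that cookie-only handler with one that additionally requires a per-session anti-CSRF token (an HMAC over the session id under a server-side key) and checks the request's Origin header, and runs both against two constructed requests that carry the same cookie. The host name, session id and request dictionaries are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Server-side key used to mint per-session tokens. Constructed at import
# time here; a real deployment keeps it in configuration across restarts.
CSRF_KEY = secrets.token_bytes(32)


def mint_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session. A page on another site cannot
    read the victim's cookie, so it cannot compute this value."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token) -> bool:
    if not token:
        return False
    return hmac.compare_digest(mint_csrf_token(session_id), token)


def origin_is_trusted(headers: dict, allowed_host: str) -> bool:
    """Independent second check: the browser sets Origin (or Referer) to the
    page that issued the request. Fail closed when neither is present."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlparse(source).hostname == allowed_host


def weak_handle(request: dict) -> tuple:
    """Cookie-only authorization, the pattern CSRF abuses."""
    if not request["cookies"].get("session"):
        return 401, "not logged in"
    return 200, "action performed"


def hardened_handle(request: dict, allowed_host: str) -> tuple:
    """Same action, but only for requests the logged-in user's own page made."""
    session_id = request["cookies"].get("session")
    if not session_id:
        return 401, "not logged in"
    if not origin_is_trusted(request["headers"], allowed_host):
        return 403, "cross-site origin"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid csrf token"
    return 200, "action performed"


PANEL_HOST = "panel.example.com"   # hypothetical control-panel host
SESSION = "sess-4f1c"              # constructed session identifier

# Both requests carry the same cookie; only their origin and token differ.
LEGIT_REQUEST = {
    "cookies": {"session": SESSION},
    "headers": {"Origin": "https://panel.example.com"},
    "form": {"action": "add_user", "csrf_token": mint_csrf_token(SESSION)},
}
FORGED_REQUEST = {
    "cookies": {"session": SESSION},
    "headers": {"Origin": "https://other-site.example.net"},
    "form": {"action": "add_user"},
}

if __name__ == "__main__":
    for label, req in (("legitimate", LEGIT_REQUEST), ("forged", FORGED_REQUEST)):
        print(f"{label:11} weak={weak_handle(req)} "
              f"hardened={hardened_handle(req, PANEL_HOST)}")
```

The token check is the one that breaks third-party integrations of the kind cPanel cites, because an external billing system posting to the panel would have to fetch a token first; the Origin check alone does not, which is why both are worth having as separate layers.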
Last month, a hacker calling himself Hacker Croll infiltrated the email account of an administrator who works for Twitter, gaining access to the employee's Google Apps account, where Twitter shares spreadsheets and documents outlining business ideas and various financial details, said Biz Stone, a Twitter co-founder.
After doing so, the hacker sent all sorts of confidential documents to a pair of news blogs: TechCrunch and Korben. While the breach and subsequent sharing of information might have been embarrassing for Twitter, analysts say the attack highlights the bigger problem of people using the same password for every site they visit.
According to security firm Sophos, 40 percent of Internet users use the same password for every website. And with so many personal details floating around social networking sites, it makes it that much easier for hackers to breach someone's account.
"A lot of the Twitter users are very much living their lives in public," said Chris King, director of product marketing at Palo Alto Networks, which creates firewalls. "If you broadcast all your details about what your dog's name is and what your hometown is, it's not that hard to figure out a password."
This won't come as a surprise to power users, but to avoid being hacked, use strong passwords that combine letters and numbers, change your passwords often, and don't use the same password for every site you visit.
Enter about:config in the browser's location bar
Type jit in the Filter box
If you'd rather not mess around with about:config settings, you can still disable JIT by running Firefox in Safe Mode, which is accessible from the Mozilla Firefox folder.