A new site, FacebookSearch, highlights the privacy risks for users who leave their status updates searchable outside Facebook.

The site lets anyone search status updates for potentially embarrassing keywords such as "pulling a sickie", "idiot boss" or "hungover", all at the click of a link. Users can also create customised searches of viewable status updates, which return the name and profile picture of whoever made them.

FacebookSearch illustrates the privacy risks of making status updates and wall posts viewable in much the same way as the PleaseRobMe site did. PleaseRobMe used location updates from services such as Foursquare (a U.S. location networking site) to show how they could help burglars. The same shortcoming was exploited by a site called Facebook Graph, which also let anyone see updates through a keyword search.

A Facebook spokeswoman explained that: "This is the search feature of the Graph API, documented here (http://developers.facebook.com/docs/api#search)." The ability to search in this way is also available directly from Facebook. "Only posts (status updates, notes) which are Everyone and Page names are available unless you authenticate with an app (e.g. the TweetDeck app is a desktop client you can use to search over your own status updates)," she added.

Facebook has been questioned in recent months about its determination to disable privacy settings so that users' information is shared by default. There are more than 150 privacy options on Facebook, which makes locking down a profile pretty bewildering. Even when you think you've done it, you probably haven't.

There have been EU complaints over Facebook's recent privacy rollback and its moves to share user information with third-party websites. According to Sophos, all this has made "Delete Facebook account" one of the most popular search terms on Google.

So if you're at home reading this while pulling a sickie, update with caution: your boss may well be watching you...

Mozilla has a new service that checks plugins in IE, Chrome, Opera and Safari for any known bugs or vulnerabilities.

A feature rolled out last year to check Firefox for out-of-date plugins has been used as the basis for this one. Coverage for IE extensions is currently limited, but Mozilla plans fuller coverage in the future.

Mozilla's Director of Firefox Development, Johnathan Nightingale, wrote: "We believe that plugin safety is an issue for the web as a whole, so while our initial efforts focused on building a page that would work for Firefox users, the team has since expanded plugin check coverage to work with Safari 4, Chrome 4, and Opera 10.5."

The idea behind the feature is to serve as a gentle reminder to users who are still running out-of-date versions of software that works closely with web browsers, such as Flash and Java. Just a week after its release, more than half of the Firefox installations checked were found to be running vulnerable versions of Adobe's web animation software. That figure has improved, with over 60% of users now running the most up-to-date version of Flash. Older versions of Flash are regularly exploited in drive-by malware attacks, so having so many users still running them is a problem.

Currently the page does seem to struggle on occasion with which Flash version is in fact the latest for a given browser. That's not a great surprise considering how confusing Adobe's patch system is. It is early days, and the kinks will probably be sorted out in the not too distant future. Mozilla's approach is pretty impressive though: they are definitely stepping up to the challenge of lowering the number of users out there running insecure apps.

Researchers say they have discovered a new way to bypass the built-in protection of most popular AV products. The list includes BitDefender, Trend Micro, AVG and McAfee.

Software security researchers at matousec.com carry out the attack by exploiting the driver hooks that the AV buries deep inside the Windows OS. It essentially works by sending a string of benign code that fools the AV into thinking it is safe, then swapping it out for a malicious payload just before it is executed.

This takes some precision timing, but on systems with multicore processors the "argument-switch" attack is fairly reliable, because one thread often can't keep track of other threads running at the same time. As a result, most protection for Windows PCs can be fooled into letting through malicious code that would normally be blocked. All that attackers need is AV software that uses SSDT (System Service Descriptor Table) hooks to modify parts of the OS kernel.
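To make the race concrete, here is an added single-threaded model of a hook guarding one service. It is not matousec's code or any AV vendor's: the policy, the paths, the kernel stand-in and the `swap_to_blocked` callback (which plays the part of the racing thread) are all constructed. The hardened hook shows the fix kernels apply to any caller-supplied argument: read it exactly once and validate and forward that copy.

```python
from typing import Callable, List, Optional

BLOCKED_PREFIX = "C:\\Windows\\"   # constructed policy: the hook must deny file creation here
Kernel = List[str]                  # stand-in for the original service: records requested paths
RaceFn = Optional[Callable[["SyscallArgs"], None]]


class SyscallArgs:
    """User-mode argument block; in the real attack a second thread rewrites it."""
    def __init__(self, path: str) -> None:
        self.path = path


def policy_allows(path: str) -> bool:
    return not path.startswith(BLOCKED_PREFIX)


def hook_vulnerable(kernel: Kernel, args: SyscallArgs, race: RaceFn = None) -> bool:
    """Checks the shared argument, then reads it again when forwarding: a double fetch."""
    if not policy_allows(args.path):      # first fetch sees the benign path
        return False
    if race:
        race(args)                        # the racing thread switches the argument here
    kernel.append(args.path)              # second fetch forwards the switched path
    return True


def hook_hardened(kernel: Kernel, args: SyscallArgs, race: RaceFn = None) -> bool:
    """Fetches once into hook-owned memory, then checks and forwards that copy."""
    snapshot = args.path                  # the only read of the shared argument
    if not policy_allows(snapshot):
        return False
    if race:
        race(args)                        # the switch no longer reaches the snapshot
    kernel.append(snapshot)
    return True


def swap_to_blocked(args: SyscallArgs) -> None:
    """Constructed racing thread: replaces the approved path with a forbidden one."""
    args.path = BLOCKED_PREFIX + "evil.dll"


def bypassed(hook) -> bool:
    """True if a path the policy forbids reached the kernel through `hook`."""
    kernel: Kernel = []
    hook(kernel, SyscallArgs("C:\\Users\\bob\\notes.txt"), swap_to_blocked)
    return any(not policy_allows(p) for p in kernel)
```

`bypassed(hook_vulnerable)` is True and `bypassed(hook_hardened)` is False; the difference is solely the number of times the hook reads memory the caller still controls.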

Matousec researchers wrote: "We have performed tests with [most of] today's Windows desktop security products, the results can be summarized in one sentence: If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, 100% of the tested products were found vulnerable."

Thirty-four products have been listed as vulnerable by the researchers, but the list is limited by the short time available for testing. "Otherwise, the list would be endless," the Matousec researchers say. The technique even works under a limited account.

However, it does have its limitations. The attack requires a large amount of code to be loaded onto the target machine, which means shellcode-based attacks, or ones that rely on speed and stealth, are pretty much impossible in practical terms. The attacker has to be able to run a binary on the machine. It may, though, be possible to hide the attack behind a piece of software such as a vulnerable version of Adobe Reader or the Java VM, and use it to install malware without arousing the suspicion of the user or the AV software.

H D Moore, CSO and Chief Architect of the Metasploit project, has sketched a possible attack: "Realistic scenario: someone uses McAfee or another affected product to secure their desktops. A malware developer abuses this race condition to bypass the system call hooks, allowing the malware to install itself and remove McAfee. In that case, all of the ‘protection’ offered by the product is basically moot."

The technique also makes it possible for a user without administrative rights to kill an installed and running AV program. The full write-up of Matousec's research is available on their site.

A small ISP in America has won a lawsuit filed against a company that sent around 25,000 spam e-mails in 18 months. The Internet Service Provider has been awarded nearly $2.6m in compensation.

Whether Asis Internet Services will ever actually receive any of the compensation is a different matter. But it does show the power of CAN-SPAM, the Controlling the Assault of Non-Solicited Pornography and Marketing Act. The act allows damages of up to $100 per spam e-mail to be awarded, and that figure can be tripled for a number of reasons.

Judge Elizabeth D. Laporte of the US District Court in Northern California passed the judgement against the company Find a Quote. Asis, a four-strong team based in Garberville, CA, said it received 200,00 junk messages a day, which cost it $3,000 a month to process.

Laporte's initial calculation for damages was $865,340, but she tripled that to $2.596m because the spammers, including Edward Heckerson, used scripts to send their messages. Laporte wrote: "Plaintiffs have provided persuasive evidence that Heckerson engaged in conduct that warrants aggravated damages."

The awarded damages may seem like a phenomenal amount, but it's not the largest. Last year Facebook was awarded $711m against Spamford Wallace, and an Arizona ISP won $236m against a mom-and-pop spam shop.

Asis was originally claiming $3m, so the award came up a little short. But no-one from the ISP seems to be grumbling.

Scammers are targeting travellers who were stranded by the volcanic ash last month.

The spam mail invites them to apply for compensation from a "Frank Adam fund" at the Civil Aviation Authority. And guess what: there is no Frank Adam and no fund. There is, however, an advance fee for those who get taken in.

Researchers from Scam Detectives say: "You will either be asked for an ‘administration fee’ to release your payment, or be sent a fake cheque and be asked to send the fee by wire transfer once you've paid the cheque into your account." You can find the full write-up on their site.

There is also a black hole scam out there in the ether. It claims that the Large Hadron Collider boffins are going to create a black hole, but if you fly to the South Pacific you'll be fine, because black holes don't go there. The flight will only cost you $3,000; send your money now to a travel agent in Mumbai... and don't forget to pack your tin hat.

Microsoft is currently investigating a flaw in older versions of SharePoint Server. An independent security researcher discovered the bug, which can easily expose credentials and sensitive data.

The vulnerability has been confirmed in SharePoint 2007 and is likely to be present in earlier versions. The flaw is a cross-site scripting (XSS) bug. High-Tech Bridge has warned that it enables the injection of malicious JavaScript into the application by appending commands to the address of the targeted system.

Their advisory states: "The vulnerability exists due to failure in the ‘/_layouts/help.aspx’ script to properly sanitize user-supplied input in ‘cid0’ variable. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data."

A URL that targets the vulnerability looks something like this: http://host/_layouts/help.aspx?cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X
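As an added example that is not part of the advisory, the following Python scans IIS-style log lines for requests matching this pattern (a control byte or an HTML tag in the decoded `cid0` value of `/_layouts/help.aspx`, including double-encoded forms) and shows the output encoding the script should have applied. The log lines and their field layout are constructed for the example.

```python
import re
from html import escape
from urllib.parse import unquote

# Constructed IIS-style log lines: date time method uri-stem uri-query status.
# Line 2 mirrors the advisory's pattern; line 3 is the same payload double-encoded.
SAMPLE_LOG = """\
2010-04-29 10:01:02 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml&tid=X 200
2010-04-29 10:01:09 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml%00%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&tid=X 200
2010-04-29 10:02:15 GET /_layouts/help.aspx cid0=MS.WSS.manifest.xml%2500%253Cscript%253E&tid=X 200
2010-04-29 10:03:44 GET /default.aspx - 200
"""

# A control byte (the %00 that cuts the expected value short) or the start of a tag.
SUSPICIOUS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]|<\s*/?\s*[a-z]", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (%2500, %253C) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(raw: str) -> dict:
    """Minimal query parser that keeps raw values; '-' is IIS's marker for no query."""
    if raw == "-":
        return {}
    return {k: v for k, _, v in (p.partition("=") for p in raw.split("&"))}


def find_help_aspx_xss(log_text: str) -> list:
    """Return (line_no, decoded cid0) for requests matching the help.aspx pattern."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6 or parts[3].lower() != "/_layouts/help.aspx":
            continue
        cid0 = parse_query(parts[4]).get("cid0")
        if cid0 is None:
            continue
        decoded = fully_decode(cid0)
        if SUSPICIOUS.search(decoded):
            hits.append((n, decoded))
    return hits


def render_cid0_safely(cid0: str) -> str:
    """What the script should do: drop control bytes, then HTML-encode before output."""
    cleaned = re.sub(r"[\x00-\x1f]", "", fully_decode(cid0))
    return escape(cleaned, quote=True)
```

Run against `SAMPLE_LOG`, `find_help_aspx_xss` flags lines 2 and 3 and leaves the legitimate request on line 1 alone; `render_cid0_safely` turns the injected tag into inert `&lt;script&gt;` text.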

Microsoft was informed about the flaw by High-Tech Bridge on the 12th of April, but the public report was only released yesterday. With 17 days' notice it's a bit baffling that the security advisory is still being drafted and not ready to go. XSS bugs are the scourge of the web, and by far the most common. They are often downplayed by software makers and webmasters because the threat each one poses seems minimal, but they are a vulnerability nonetheless, and one that can compromise a heavily fortified defence. Take the breach of the Apache Foundation, for example: no-one saw that coming.

The iPhone Facebook app has also been hit by an XSS flaw. Jon Wedell warned of the bug in his Future Musing blog:

"I’ve removed some of the technical details until Facebook has a chance to address this. Let’s just say you may want to avoid viewing ‘friend’s’ notes using the Facebook iPhone app for now."

Never underestimate the little guys.

A Texas man has pleaded guilty to charges that he trained a botnet on a popular ISP so that he could peddle the malware to other crooks.

David Anthony Edwards of Mesquite, Texas, has admitted that in 2006 he and his alleged accomplice, Thomas James Frederick Smith, flooded ThePlanet.com with data in order to demonstrate the capabilities of the Nettick botnet. The men allegedly told one potential client that they had 22,000 infected machines under their control, and that they would sell them at 15 cents a machine with a minimum order of 5,000. Smith has pleaded not guilty; his trial starts on the 17th of May.

In the plea agreement, Edwards also admitted to hacking servers owned by the web host T35.net. The pair stole password files and made the credentials of thousands of users available online. Edwards signed the document filed in Dallas' US District Court, and added that they went on to deface the website.

The pair also rebuked T35 admins with the words "How are all the users going to be compensated?" according to an indictment.

Edwards, AKA Z00k, admitted to causing damages of between $5,000 and $10,000. He faces up to 5 years in prison and a $250,000 fine, and will also be made to pay compensation to his victims.

The infamous Storm botnet died out 18 months ago, but researchers say it's back!

Storm was said to be responsible for 20% of the world's spam. It began slowing down in Sept 2007 when Microsoft's Malicious Software Removal Tool started targeting it; around 271,732 infected PCs were cleaned up in the first month. A year on, Marshal researchers declared Storm dead.

Security researchers at CA say they've found a new botnet that looks suspiciously like Storm. It is apparently sending out a "massive volume of spam emails to targeted recipients." The command and control servers have been analysed, and the results show that it uses Base64-encoded data to send instructions and templates to infected machines. The machines then send out junk mail about penis pills, dating services and various online pharmacy scams.

Head of CA’s research team, Don DeBolt, said:

“The characteristics and behaviours are very much Storm-related in terms of the command and control and the mechanism that it uses to identify the content of the mail messages and who and how to send them. It’s all utilizing the same tactics and methodologies that the Storm Worm did.”

Storm got its name from the heavy storms that were affecting Europe at the time of its debut in 2007. Its success also paved the way for other junk-mail botnets, such as Srizbi, Rustock and Mega-D, which echoed Storm's tactics. Microsoft was not the only thing that brought Storm down: researchers also found a flaw that let them disrupt its command and control channels. CA has found three strains of the new Storm, and has confirmed that about 25 of the top 41 AV packages will pick it up.

A gang of scammers are trying to trick new iPad owners into installing backdoor malware, according to security firm BitDefender.

The scammers are sending out spam e-mails that claim an update is needed for iTunes in order to gain "best performance, newer features and security". Links in the spam mail take targets to a fake iTunes download page.

The page pushes malware called Backdoor.Bifrose.AADY, which injects itself into the explorer.exe process and steals passwords, serial numbers and other sensitive data. Mac machines are not affected, but a Windows machine with an Apple device attached is.

Apple is estimated to have sold just over 1 million iPads, and buyers are likely to have a fair bit of disposable income to spend on all those apps. That combination makes for some great opportunities for cyber-criminals.

A ravenous data-stealing worm has hit the NHS. But according to the researchers who observed the compromise directly, it's easily detected by off-the-shelf AV.

Symantec researchers have been monitoring the Qakbot worm since May last year. Symantec cracked two of the six servers used to store data stolen from infected machines, and their report was pretty damning for the NHS.

"The logs show that there is a significant Qakbot infection on the National Health Service (NHS) network in the UK. This threat has managed to infect over 1,100 separate computers that are spread across multiple subnets within the NHS. We have attempted to contact the affected parties and have no evidence to show that any customer or patient data has been stolen."

But the fact that Qakbot hasn't yet stolen data doesn't mean the threat isn't there. Researchers saw 4GB of stolen data being siphoned off to the monitored servers, and the actual amount stolen is likely to be at least three times higher.

Qakbot uses vulnerabilities in IE and QuickTime to spread through malicious web pages. It's also self-propagating once inside a network, and "moves slowly and with caution, trying not to bring attention to its presence," according to Symantec's report.

The malware strips a machine's hard drive of search histories, bank and card details, logon details for websites and auto-complete data, then uploads them to one of the six servers.

Symantec researchers wrote: "In a nutshell, if your computer is compromised, every bit of information you type into your browser will be stolen."

Qakbot's main target is home users, but it has found its way onto plenty of corporate and government machines too. Symantec's AV picks it up with ease, so it's assumed that other packages will too.