Microsoft to release an emergency security patch for Internet Explorer zero day flaw

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Microsoft will be releasing an out-of-band patch (on Monday 14 January 2013 in the USA) for the recently-disclosed zero-day hole in Internet Explorer.

? The adjective out-of-band in this context is a bit of a metaphorical stretch, but it's what the industry has settled on. It doesn't mean that the patch will arrive via a different frequency channel, as it might in telecommunications. You can still get the patch using Windows Update. It's just outside the usual schedule of patches issued every month on Patch Tuesday.

Actually, we can't be 100% certain that last December's vulnerability, documented by Microsoft in Security Advisory 2794220, is the one that will be fixed.

All we know from the 1750 words in Microsoft's early announcement boilerplate is that Redmond will be fixing "a security vulnerability in Internet Explorer" that is denoted Critical:

Critical: a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.

Nevertheless, I'll assume that tomorrow's fix will deal with Security Advisory 2794220. And on that basis, I urge you to follow Microsoft's own advice:

Microsoft recommends that customers apply Critical updates immediately.

When the crooks are already all over an exploit, as they are in this case, you should give patching your highest priority, even if you already have tools (such as security software) that does a good job of mopping up the trouble.

As we reported already, several websites have already been disseminating malware using this exploit, triggering it with a mixture of HTML, JavaScript and Flash.

Microsoft already published a temporary FixIt tool to protect against this vulnerability. It also recommended its epically-named Enhanced Mitigation Experience Toolkit (EMET) for an layer of mitigation for this and other vulnerabilities, known and unknown.

? EMET is somewhere between a process-hardening tool and a sandbox, forcing security protections onto programs that don't have them by default, and adding an additional layer of protection to software that includes code in which a security holes have been found.

However, there are reports that variants of this exploit exist that work even if you are using EMET, and even after you have run Microsoft's abovementioned FixIt.

Sadly, too, Metasploit, the vulnerabilities-anyone-can-exploit-for-free product, already has what it calls a browser auto pwn plug-in you can download to exploit this vulnerability yourself.

In short, tomorrow's patch is one to push out and then deal with any fallout, rather than the other way around.

By all means, test, digest and deploy. But make this one of those patches you deal with in hours, or in the worst case, days. Not in weeks, and very definitely not in months.

Note also that the 2794220 vulnerability affects neither IE 9 nor IE 10. If you're already using one of those versions, you're sitting pretty.

Both IE 9 and IE 10 include designed-in improvements intended to boost security, so if you're clinging to older versions for legacy reasons, please give earnest consideration to striking camp and setting up afresh.

For a discussion of priorities when patching, why not listen to this Technow podcast, in which Chet and Duck discuss whether you should you lead, follow, or get out of the way when patches roll around:

(19 July 2012, duration 15'25", size 11MBytes)

Follow @duckblog

Sophos Anti-Virus on all platforms blocks malicious files relating to this vulnerability as follows:

• Exp/20124792-B: Various files associated with the exploit

• Sus/Yoldep-A: Seen in related ("Elderwood Project") attacks

• Troj/SWFExp-BF: Flash component used to trigger exploit

• Sus/DeplyJv-A: JavaScript components from related attacks

View the original article here

Windows tablets - easy, one-stop jailbreak now available for everyone. What should Microsoft do? [POLL]

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Earlier this week, Chester wrote an article about what he referred to as the "jailbreaking" of Windows RT.

That "jailbreak" was a means of liberation that allowed you to run traditional desktop-style applications of your own choice, painstakingly worked out by a smart and well-organised hacker (in the benevolent and complimentary sense of the word) called @clrokr.

? Windows RT, very loosely speaking, is Windows 8 ported to the ARM processor and locked down. You can't alter the bootloader (preventing you switching to, say, Android or Linux) and you can't install anything other than Windows-approved apps from the Windows Store. From a flexibility standpoint, Windows RT is to Windows 8 as iOS is to OS X.

The quotation marks around the word "jailbreak" were Chester's own, as it isn't a method for the fainthearted.

You need to: use the Windows RT remote debugger, assemble some ARM code, patch it into memory, find where KERNEL32 is loaded, and use it to help you find the location of an operating system component you'll need in a moment. (You can't guess where it is because of Address Space Layout Randomisation, or ALSR).

That's just the start of the "jailbreak".

Once you've located the needed system function (NtQuery­System­Information), you use it to locate a second system function (TerminalServer­RequestThread) that includes a call to a third function that is exploitable (NtUser­SetInformation­Thread).

Then you set a breakpoint to grab control just after the vulnerable function call, redirect execution to your previously-entered patch, and finally unset the breakpoint and let the operating system go back on its merry way.

Phew. Now you can draw breath.

All this to adjust a single byte in kernel memory: the place where the operating system remembers how much slack it will cut you in respect of code signing.

The lower the value, the more relaxed the system will be. Drop it to zero and you have effectively made Windows RT as liberal as Windows 8.

Despite the complexity, Chester guessed that "someone [would] create a tool to replicate @clrokr's efforts for those with less knowledge of a debugger."

And that's exactly what happened. A helpful coder called Netham45 has already released his RT Jailbreak tool.

In Netham45's own words, it's an "all-in-one program to jailbreak Windows RT tablets using the method recently released by clrokr."

Grab it today if you have a Windows RT tablet and you want the freedom to run desktop applications. A growing list of ported applications has already sprung up on the XDA website.

You can get software such as the TightVNC server and client (so you can do screen sharing), PuTTY (so you can run SSH and administer your UNIX boxen), various text editors popular with coders, and a Nintendo Gameboy emulator (because you know you want it).

That's good news. Isn't it?

? Netham45's jailbreak won't survive a reboot. The secure bootloader ensures that the code signing level gets set back to 8 after a restart. But Netham45 wants you to know that this is not a tethered jailbreak. That would mean you'd need to connect (tether) your tablet to another device, usually a PC, to reboot it. This jailbreak runs from the tablet itself. Netham45 also reminds you that his tool is not intended to assist with piracy, and, for that matter, doesn't.

One question, of course, is, "What will Microsoft do?"

When Microsoft released the Kinect depth-sensing camera a couple of years ago for its gaming platform, the open source community immediately began to work on open-source drivers for it.

At first, Redmond was apparently unamused, to the point of bringing the cops into it:

Microsoft does not condone the modification of its products. With Kinect, Microsoft built in numerous hardware and software safeguards designed to reduce the chances of product tampering. Microsoft will continue to make advances in these types of safeguards and work closely with law enforcement and product safety groups to keep Kinect tamper-resistant.

Two weeks later, when the open source hackers had not only got the Kinect working for themselves, but already adopted it as a groovy technological darling, Redmond changed its mind just as quickly, with one Microsoft "experience creator" effusive with her praise:

I'm very excited to see that people are so inspired that it was less than a week after the Kinect came out before they had started creating and thinking about what they could do.

The issue of whether Microsoft would take legal action against Kinect hackers went from "working closely with law enforcement" to "absolutely not."

How do you think Microsoft will react this time?

Tell us what you think the Legal Beagles in Redmond ought to do by voting in our poll!

Follow @duckblog

View the original article here

Texas student appeals court order to wear "Mark of the Beast" RFID tracking badge

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

A Texas high school student in the US on Tuesday was ordered to wear an RFID tracking badge that she claims bears the "mark of the beast", but by Friday she had turned the case right back around, asking a federal appeals court to overturn the order to either wear a chip-less badge or change schools.

On Tuesday, a lower federal court had concluded that 15-year-old sophomore Andrea Hernandez's right of religion had not been breached by the mandated tag.

A Texas federal judge found that the school's offer to accommodate her by requiring her to wear a neutered ID badge - one stripped of RFID chip - was ample accommodation for her religious objections.

The judge said on Tuesday that Hernandez had two choices: if she wanted to stay at the John Jay High School, she'd be required to wear the badge.

Otherwise, she could pick up and transfer to a new school by January 18, the end of the semester.

In the appeal [PDF] filed on Friday, Hernandez's attorney said that Andrea objects to participating in the school district's so-called "Student Locator Project" on the basis of the Book of Revelation.

The Book of Revelation states that an individual's acceptance of a certain code identified with his or her person as a sign of submission to government authority is a form of idolatry, or submission to a false god.

The school offered to let her wear a de-chipped badge and thereby keep up the pretense of participating in the project, but that's a moot point, given that the badge itself would then be a "mark of the beast" and a tacit sign of her participation in the program, wrote her lawyer:

"By express support for the Project through wearing its visible symbol on her person, Andrea would be expressing support for a program to which she adamantly objects on the basis of her sincere religious beliefs. This, in her view, would be dishonest."

"To Andrea, this 'accommodation' is similar to allowing a religious adherent who must eat a pork-free diet to have his pork-free diet, but to require him to wear a shirt advocating pork."

A one-year pilot test of the tracking IDs was rolled out in October for two purposes: to keep tabs on students' whereabouts at all times, and to make money.

The new system costs about $500,000, but school administrators have said that they're hoping to increase attendance by tracking the students, which could help them to score up to $1.7 million from the state government.

The school district's budget, like most state-financed schools, is tied to average daily attendance.

Hernandez refused to go along with the program, showing up at the school with her father to protest in the fall.

The school tried to suspend her, but the Rutherford Institute, which advocates for civil liberties, filed a petition on Hernandez's behalf.

In November, a district court judge blocked her suspension.

As Wired has noted in its coverage of Andrea Hernandez's battle, there are multiple chipping programs now in use or proposed in schools throughout the US:

A federally funded preschool in Richmond, California, began embedding RFID chips in students' clothing in 2010.An elementary school outside of Sacramento, California, scrubbed a plan in 2005 amid a parental uproar.A Houston, Texas, school district began using the chips to monitor students on 13 campuses in 2004 for the same reasons the school district in Hernandez's case - the Northside Independent School District - implemented the program.

The first impulse of many who disagree with mandated tracking is to suggest that the badges be spun in a microwave for a bit.

That sounds gratifying, but as I've said in the past, I agree with Andrea Hernandez, her father and her legal advisors, who wouldn't be satisfied with merely nuking the tags and the chips.

Rather, they're fighting the mindset that everyone must be monitored and controlled.

Follow @LisaVaas
Follow @NakedSecurity

RFID image, courtesy of Shutterstock

Tags: Andrea Hernandez, appeal, court order, ID cards, John Jay High School, RFID, RFID chip, Rutherford Institute, school, tagging, Texas

View the original article here

Vulnerability reported in Foxit PDF plugin for Firefox - how to mitigate it

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

When you think of PDF vulnerabilities and exploits, the first word that comes to mind is probably Adobe.

That's because Adobe's PDF reader has long been the most prevalent product in the marketplace, and the most heavily targeted by attackers and researchers.

But there are plenty of challengers in the PDF software market, and it's important to remember that just "being different" is not enough to deliver security on its own.

Also, since Adobe released Reader X, with its security-oriented sandbox, crooks and researchers alike have found Adobe's PDF nut much harder to crack.

You can therefore expect other vendors of PDF software to start feeling some of the heat that would probably have been aimed entirely at Adobe in years gone by.

Here's an example: Italian security researcher Andrea Micalizzi has recently sought, and found, a possibly-exploitable vulnerability in the latest Foxit PDF plugin for Firefox.

Micalizzi hasn't actually produced a proof-of-concept exploit, but I was able to reproduce his result at will.

(I used Firefox 18.0 with Foxit Plugin 2.2.1.530 on Windows XP3.)

The crash, which is a side-effect of a stack overflow, pretty much lets you write to a memory location of your choice. That's not good.

Foxit openly promotes its PDF reader as a secure platform that "insures worry free operation against malicious virus [sic]", which may sound like a bold statement in the face of Micalizzi's bug.

But there is still literal truth in Foxit's claim: the bug is not in the PDF reader itself, but in the npFoxitReaderPlugin.dll file that acts as the glue between the browser and the reader.

? The np at the start of the filename stands for "Netscape Plugin", a plugin architecture that originated in the heady days of Netscape Navigator. Ironically, the first example of such a plugin for Netscape was written at...Adobe Systems.

Intriguingly, you don't actually need to feed Foxit a PDF to provoke the crash. You just have to feed it a malformed link that, when clicked, serves up an HTTP reply that advertises itself as a PDF.

The buffer overflow happens in the code that processes the link, triggering a crash when the link includes an overly-long query string.

If a link contains a question mark [?], the query is the text that follows it. The query component is usually used to identify parameters submitted to a server-side script. Below, for example, the query part is the string download=true:

http://example.org/docs/file.pdf?download=true

Foxit has yet to comment on this issue on its security advisories, though I am sure it will soon do so.

I've seen stories online suggesting that, since there's no patch yet, you might consider switching to a different PDF reader.

But since the bug isn't in the reader itself (and there's no exploit yet, anyway), there's a quicker and simpler mitigation you can use that will let you stick with Foxit.

Just turn off the Firefox plugin.

Go to Tools|Add-ons at the Firefox menu, choose the Plugins tab and click the Disable button against the Foxit Reader Plugin for Mozilla.

PDF files will no longer open directly inside your browser. You'll get an intermediate dialog saying:

You have chosen to open: . . .

You will then need to click the OK button.

This loads the file into a separate Foxit reader process, avoiding the buggy code in the plugin DLL.

As Steve Jobs might have said, not that big of a deal.

Follow @duckblog

View the original article here

Apple and Mozilla - 'Just say no to Java'

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

As if advice from SophosLabs own Fraser Howard and the US Department of Homeland Security are not enough reason to ditch Java, Apple and Mozilla have both decided to join the party.

This afternoon, Friday January 11th here on the North American West coast, Apple released an updated malware definition list for their XProtect pseudo-antivirus protection in OS X Snow Leopard and newer.

Instead of identifying a new virus, this updated definition temporarily disabled the Java Web Start browser plugin that enables Java applications to run inside of Safari/Firefox/Chrome.

While the reports have been stating the issue is with Java 7, there are reports from researchers that Java versions 1.4 and higher are all vulnerable to this flaw.

It appears that Apple has learned an important lesson from this time last year. CVE-2012-0507 was fixed by Oracle in February, but Apple didn't make the patch available until April.

The result? Over 600,000 Macs were infected with malware in the interim.

Mozilla is no slouch when it comes to security and has implemented an almost identical procedure. Mozilla has added all current releases of Java to its add-on blocklist.

In Mozilla's announcement they explain that plugins on the blocklist are forced into utilizing Firefox's Click to Play functionality.

This can be a double-edged sword when it comes to known vulnerable plugins.

The advantage to this approach is that you are prompted every time a website wants to launch a Java applet and you can make an informed decision as to whether you truly need that applet.

The problem is you need to be informed and know enough to choose the right option. Most people are conditioned to click through warning messages and may not get the protect they need against drive-by attacks.

It is good to see everyone agree on the risk this vulnerability poses and getting the word out or actively protecting users against the threat.

Want to understand more about Java? Why Java isn't JavaScript? Listen to this Techknow where Paul Ducklin and I explain what you need to know.

Listen now:

(31 August 2012, duration 16'19", size 11MBytes)

http://twitter.com/chetwisniewski

View the original article here

My Birthday Calendar warning spreads quickly on Facebook, generating panic

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Facebook users are spreading a warning to their friends and family online about a supposedly malicious application called "My birthday calendar".

The warning about the birthday app claims that "just a click makes it starts (sic) sending requests to all your friends/contacts".

However, it appears that the warnings are causing much more traffic and wasting more time than the supposedly aggressive Facebook application.

Here's what a typical warning looks like:

WARNING: URGENT! People are getting inquiries allegedly linked to a program called "my birthday calendar". "My birthday calendar" is a malicious application to retrieve data from all profiles. It's very aggressive, just a click makes it starts sending requests to all your friends/contacts. If a request comes from me just ignore it; NOTE please copy and warn your friends

We haven't seen any evidence that a Facebook application called "My Birthday Calendar" is behaving any differently from the many thousands of other Facebook apps.

So, I think it would be appropriate to classify this chain letter as a hoax warning.

Of course, you should always be careful about which Facebook apps you allow to connect with your account, as they can collect varying levels of information about you. If you aren't comfortable with that, don't install the app.

Furthermore, even if you are careful about what Facebook apps you install - are your friends being just as cautious?

It may surprise you to hear that when other Facebook users choose to install apps they can then share the information they can see about you with those apps.

Visit your Facebook privacy settings and untick those options if you wish to limit what information about you your Facebook friends can share with third-party applications.

Don't forget you should join the Naked Security from Sophos Facebook page, where we not only debunk hoaxes and chain letters, but we also keep you up-to-date on the latest security and privacy issues threatening Facebook users.

http://twitter.com/gcluley

Birthday candles image from Shutterstock.

View the original article here

Neil Tennant of Pet Shop Boys has NOT died in a car crash

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Sigh..

Here we go again.

Facebook and Twitter users of a certain age have got themselves into a dither worrying that Neil Tennant, singer with the Pet Shop Boys, had died in a car crash.

What's that? You didn't see the news on the BBC or CNN?

Maybe that's because Neil Tennant, like other celebrities before him, is the victim of an internet hoax.

Facebook and Twitter users have been duped by a false news story claiming to be from "Global Associated News":

Part of the bogus news story reads:

Neil Tennant Singer of Duo Pet Shop Boys died in a single vehicle crash on Route 80 between Morristown and Roswell. He was pronounced dead at the scene by paramedics responding to the vehicle accident and was identified by photo ID found on his body. Alcohol and drugs do not appear to have been a factor in this accident.

Highway Safety Investigators have told reporters that Neil Tennant Singer of Duo Pet Shop Boys lost control while driving a friend's vehicle on Interstate 80 and rolled the vehicle several times killing him instantly.

Does the story look familiar? It should do to regular readers of Naked Security (and if you're not a regular reader - why not sign-up for our free email newsletter?)

Because in the past we have debunked the very similar deaths of Adam Ant, Jim Carrey, Christian Slater, Vanilla Ice, Tom Cruise and others..

The truth is that somewhat tasteless websites exist which allow anyone to automagically generate a fake news story about a death in a car crash. Simply changing the link changes the name of the victim.

Before you know it, internet users are unwittingly forwarding the message without checking their facts, and the tasteless website is earning itself some cash from all of the new traffic seeing its adverts.

If something like this had really happened, you would be able to read about it on legitimate news websites.

Remember folks: you shouldn't believe everything you read on the internet.

Follow @gcluley

View the original article here

Phishing attack against MSN/Hotmail users - a new year, but old tricks still persist

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

It's a brand new year and you would like to think that computer users are getting smarter about securing their systems, and not falling for the age-old tricks used by cybercriminals.

However, we still see our fair share of elementary unsophisticated attacks designed to steal credentials from the unwary.

Take this example, an email which claims to come from the "Windows Live Team" and warns Hotmail/MSN users that their account is at risk of immediate closure after different computers logged into it, and multiple attempts were made to guess the password:

Part of the email reads:

VERIFY THIS EMAIL ADDRESS TO AVOID IMMEDIATE CLOSURE

We have recently confirmed that different computers have logged onto your Hotmail and Msn account and multiple password errors have been entered. We are hereby suspending your account; as it has been used for fraudulent purposes.. Now we need you to reconfirm your account information to us. Click your reply tab, fill in the columns below and send it back to us or your email account will be suspended permanently.

The email, which has the subject line "CONFIRMATION ALERT RESET (2013)" and comes from an unofficial-looking @msn.com email address, urges the user to reply via email with their full name, username, password, date of birth, and country in order to confirm their identity.

In case that seems a little brusque, the would-be thieves who spammed out this email provided some helpful tips at the end of the email about managing email accounts.

Of course, Microsoft would never ask you to confirm your identity in this fashion - especially not by sending your password in an (unencrypted) email.

But less security-savvy computer users might be duped into believing it is true, and respond with all the information the cybercriminals want, before having a chance to think twice.

It's a highly unsophisticated attack - but if it works against just a small number of people that the spammers send it out to, what does that matter?

Don't be a cybercrime statistic, make sure that you, your friends and your family are wise to such tricks and don't share your login information with anybody.

Follow @gcluley

Hat-tip: Thanks to Naked Security reader Jack for forwarding us this phishing email.

View the original article here

Oracle releases patch for latest Java hole - update now!

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

The big - no, the vast! the enormous! - security news over the weekend has been CVE-2013-0422.

That's the recent Java security hole that lets Java applets in your browser escape from Java's security strictures.

That means a Java applet (which is usually very limited in the sort of changes it can make to your PC) can infect your PC with malware without so much as a pop-up or an are-you-sure.

This vulnerability became a huge problem in short order because it was quickly included in exploit packs such as Cool EK and Nuclear Pack. Exploit packs are pre-packaged crimeware-as-a-service tools you can rent in order to have your malware distributed for you.

So here's some good news: Oracle has been on the ball and has already come out with a patch. Java 7 Update 11 fixes both CVE-2013-0422 and a second vulnerability.

Oracle's offical repository for the latest version is the Java Downloads for All Operating Systems page.

In the database behemoth's own words:

Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 "in the wild," Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

This update also changes the default Java Security Level setting from Medium to High.

As Oracle explains, at the High setting, you are "always prompted before any unsigned Java applet or Java Web Start application is run."

There's not an enormous amount to say about the patch beyond that. Fix early, fix often!

Note that the vulnerabilities Oracle just patched don't apply to standalone Java applications or server-side Java installs. They apply only to applets, which run inside your browser.

Your browser routinely and unavoidably puts you in harm's way, since it inevitably downloads and attempts to parse, process and display, untrusted content.

So, even after updating, I recommend that you turn Java off inside your browser unless you know you need it.

If there are only one or two specific sites for which you need Java, it can be a pain to keep remembering to turn it on, and it's easy to forget to turn it off again afterwards.

In such cases, you may want to consider running two browsers, one with Java enabled and one without.

Of course, if you do this, you need to keep both browsers patched - even (or perhaps especially, since it's the one with Java turned on) the one you only use infrequently.

By the way, if you do turn Java off in your browser, or think you did, it's worth checking.

A handy place to do so is Javatester.org, a web page that attempts to launch a tiny applet to get the answer "from the horse's mouth", as it puts it.

If you have Java turned off, it will confirm this for you.

If you have Java turned on, it will confirmation the precise version number from the Java Runtime Environment (JRE) itself. This means you can be sure you're running the version you expect.

And now? Stop reading, start patching!

Follow @duckblog

View the original article here

Smart octogenarian foils scammer who said he would buy item via PayPal

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Recently an elderly member of my family asked for some help with an online service. Dave (name changed to protect the innocent) is in his eighties and uses his PC for email and browsing but little else.

This is a pretty normal situation for anyone working in IT or even familiar with computers, you quickly become the go-to helper for any and all computer problems.

The request was a simple one: help set up a PayPal account. But there was more below the surface of the apparently simple request.

Dave was helping a friend sell a used household generator. He had found a buyer for the generator and agreed a price. But the buyer wanted to use PayPal for the payment, claiming he'd been scammed using other methods in the past.

Here's the email that the prospective buyer sent Dave:

[Dave], I won't do what you will be requesting for the payment because have been scammed in such a way in 2 months ago but the main problem now is that I can't have a state to state transaction that will not include adequate security level, I can't send any form of cash via western union or Cashier/Certified Check or bank payment for payment to anyone even money order or Debit Card just because have been scammed in such a way in 2 months ago, could you believe the same thing happened to my Cousin in Texas last 3 weeks and is getting too much.Please do think of giving a trial to PayPal to see how it works they are well secured with their services, I assured you will be highly surprised with how everything will work out fine so you can open PayPal account it's free no charges for opening even is very easy to operate well secured.

Expecting your opinion on this. Thanks

Using an online payment system that includes dispute resolution sounds like a reasonable precaution, although a close reading of the PayPal user agreement indicates that their dispute resolution may not cover personal payments.

The language in the email snippet above is similar to that used in various online scams - but Dave doesn't spend all day reading scams on the internet so he took it at face value.

Dave's PayPal account would only be used to receive payment so when setting it up we did not attach a payment method to the account. That way if the account is ever compromised no-one can use it to drain Dave's bank account or make charges to his credit cards.

Once the account was set up Dave contacted the buyer with his PayPal details. That's when things started to look a little fishy.

Within a few minutes Dave received three emails that claimed to be from PayPal. Fortunately, for the purposes of this blog entry, Dave made print-outs of the emails he received (redacted versions of which are reproduced below):

1) Notification that $1,750.00 had been credited to his PayPal account. $1,200 for the generator and $550 for shipping and handling.

2) Notification that a temporary hold has been placed on the payment until a portion of the payment is forwarded to a shipping agent.

3) Instructions for paying the shipping agent.

Dave found this to be confusing but also suspicious and asked me for more advice.

At this point the scam is clear.

Dave is being asked to send $500 by Western Union before the payment for the generator is released to his account. Instead of receiving money he must first make a payment.

This is known as 'advance fee fraud'. The scammer will disappear with Dave's payment and instead of selling a generator he'll be $500 poorer.

There are plenty of clues in these emails to indicate that a scam is in progress, both for the technically proficient user and for the Daves among us.

Let's look at the last of the three emails - the instructions for paying the shipping agent:

From: "service@paypal.intl"

To:

Subject: Payment Assurance: Please Read This And Follow Instructions *** Western Union Scan Receipt Needed For Verification ***

Dear ,

This message is originated from PayPal Company. The payment we received from has been made successfully and the money has been credited into you PayPal account but it will not show in your PayPal account. However, since this money is meant for a purchase or a service that involve a Shipping Company.We have to receive a confirmation that you have sent the pick up agent fee to before the money will be available in your PayPal account for spending. This is due to the large increase in the rate of the online scams recorded few year. We have changed some of our rules and regulation to make sure our clients, are safe from scam, PayPal in conjunction with The FBI and The IFCC has invented certain preventive measure to endure the safety of our customers. As part of our security measures, we regularly screen activity in the our system and discovered that the transaction ID 4WR6072127779652U is legitimate and confirmed. So we will require you to send us the Reference Number as requested and as soon as we have confirmed it,your money will be automatically transfer into your account immediately. Please understand that this is a security measure intended to help protect you and the buyer. We apologize for any inconvenience.

We also want you to understand that we have choose this customer care email address as to monitor the transaction between you and and we want you to know that we have to receive the Western Union Scan Receipt so that we can have your account credited with the fund pending. We want you to know that we have many people on our desk that we attend to and many may not understand the new safety policy that is why we have choose to use email to monitor some transaction... So we will greatly appreciate if you could get back to us here so that we can process and credit your account fully.

Be informed that this transaction is only available and can only be tracked and traced via email,so do reply back to us if you have any question about the transaction and not via phone call.

There is a laundry list of clues here telling us that the email is not
legitimate:

The email addresses in the From: field do not match. Furthermore, the email attempts to explain away the suspiciously non-PayPal-looking email address, but is a little too eager to convince us.There is poor grammar throughout the email. While we might accept this in the earlier personal communications it is unlikely in an official form communication.The email has been sent to confirm that the transaction is legitimate. Most fraud detection systems warn you when fraud is occurring, they don't bother to issue reassurance when nothing is wrong.The payment has been made but will not show in Dave's PayPal account. A perfect way to explain away a payment that never existed.Any further communication must be by email because PayPal's phone support personnel won't understand the anti-fraud program. We can safely assume that's because the anti-fraud program does not actually exist.It is odd that PayPal, a company whose sole purpose is the transfer of funds would require a customer to use Western Union to transfer funds.

The contents of the other two emails also show some suspicious features:

Although a shipping company is named the Western Union payment is to be sent to a private individual at a residential address.The PayPal images that are included to make the email appear legitimate are actually from third party image hosting sites, not from PayPal.

All of these can tip you off that the scheme is a fraud. Dave, however, used the most powerful anti-fraud tool: common sense.

He realized that the agreed price for the used generator plus the supposed shipping fee
was actually more than the cost of a new generator. Why would anyone pay more for an old generator than a new one?

Remember, there are many fraudsters out there but you don't have to be an IT security guru to protect yourself. Just pay attention to what you're doing. If something seems too good to be true or just doesn't make sense then you should keep your money well away from it.

Follow @SophosLabs

Elderly typing fingers image from Shutterstock.

View the original article here

US-wanted "bank hacker" is all smiles as he is arrested at Bangkok airport [VIDEO]

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

An alleged hacker, suspected by the FBI of stealing millions of dollars from online bank accounts, has been arrested by Thai police and paraded in front of the world's media.

24-year-old Hamza Bendelladj, an Algerian national, was detained this weekend at Bangkok's Suvarnnabhumi airport, as he was in transmit from Malaysia to Egypt.

Bendelladj, was brought out handcuffed and beaming broadly in front of TV cameras, seemingly untroubled by the FBI's claims that he hacked into customer accounts at 217 banks and financial companies around the world.

The Bangkok Post reports that a smiling Bendelladj denied claims made by the Thai authorities that he was on the FBI's top-10 most wanted list:

"I'm not in the top 10, maybe just 20th or 50th," the Algerian suspect said with a laugh. "I am not a terrorist."

Here's an NTDTV video report from the press conference:

Two laptops, a tablet computer, a satellite phone and a number of external hard drives were confiscated by police from Bendelladj.

Immigration police chief Pharnu Kerdlarpphon was reported as saying that Bendelladj had claimed he spent his riches living a life of luxury:

"With just one transaction he could earn 10 to 20 million dollars... He's been travelling the world flying first class and living a life of luxury."

Officials in Thailand have said that Bendelladj will be extradited to the United States as soon as possible.

One wonders if he will find that quite so amusing.

Follow @gcluley

View the original article here

Internet Explorer zero-day exploit found on more websites. Fingers point towards Elderwood Project

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Paul Baccas, a researcher at SophosLabs, has uncovered two new sites which have been hit by the recently-discovered Internet Explorer zero-day remote code execution vulnerability.

The attacks bear all the hallmarks of previous infections spread by the so-called Elderwood Project.

First up is a website serving the Uyghur people of East Turkestan:

A folder called "netyanus" had been created on the website, containing the following files:

Helps.htmldeployJava.jsnews.htmlrobots.txttoday.swfxsainfo.jpg

The website has since been cleaned-up of its malware infection, but clearly whoever infected it had an interest in infecting anyone who visited the site.

Sophos products detect the HTML files as Exp/20124792-B.

The file news.html (detected as Exp/20124792-B) decodes the obfuscated zero-day exploit code inside robots.txt, and executes it.

Sophos products detect the SWF file as Troj/SWFExp-BF, the remaining HTML file as Exp/20124792-B, and the obfuscated code hidden inside xsainfo.jpg as the Troj/Agent-ZMC Trojan horse.

As there is currently no proper patch for the Internet Explorer security vulnerability, chances are that a good proportion of people visiting the Uyghur site could have ended up with their computers becoming infected.

If you weren't aware, the Uyghur people of East Turkestan have, like the inhabitants of Tibet, long campaigned for independence from the People's Republic of China and complained about persecution.

At the same time, SophosLabs discovered another infected website - this time, it's the website of an Iranian oil company, based in Tehran.

At the time of writing, the Iranian website is still carrying an infection so we have obscured some of its details in the image above.

On this occasion, the files implanted by hackers code take the following form:

deployJava.jsexploit.htmlnews.htmlrobots.txttoday.swfxsainfo.jpg

Hopefully, if you have been paying attention, some of those filenames will look familiar to you.

You may not be in the habit of visiting websites associated with the Uyghur people, or checking out the websites of Iranian oil firms... but clearly some people and organisations may visit such sites, and could be at risk of having their computers silently infected as a result.

All the same, until a proper patch is pushed out by Microsoft, Internet Explorer users are potentially at risk from attacks which exploit this vulnerability and should take care to ensure that they have layered defences in place to minimise the risk.

Follow @gcluley

Alert image courtesy of Shutterstock.

View the original article here

The TURKTRUST SSL certificate fiasco - what really happened, and what happens next?

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

A few days ago, my colleague Chester wrote an article with the no-punches-pulled headline Turkish Certificate Authority screwup leads to attempted Google impersonation.

Since then, an online discussion and dissection of what happened - or, more accurately, what happened so far as one might tell - has unfolded, and seems to have reached a conclusion - or, more accurately, an acceptable hypothesis.

Let me try to summarise as briefly as I dare.

I'll use some informal terminology, which will probably offend SSL experts everywhere, and which runs the risk of confusing the situation through oversimplification.

But here goes.

A certificate is, well, a plain old SSL certificate. Supersimplified, it's a public key people can use to encrypt traffic to your site, combined with a digital signature that identifies it as yours.

A certificate authority (CA) is a company that adds a digital signature to your certificate, supposedly after verifying in some way that you are who you claim to be.

An intermediate certificate is the SSL instrument that is used by a CA in generating the digital signature on your certificate, so that people can see who vouched for you.

A root certificate is the instrument that is used by a CA at the top level of trust to add a digital signature to the intermediate certificates that are used at the next level of trust down, when your certificate gets signed. That means people can see who vouched for the company that vouched for you.

You aren't expected to verify by hand who vouched for whom in this hierarchy of trust. It all happens automatically when your browser sets up a secure connection.

The CAs at the public root certificate level really are starting points of the tree of trust. Their certificates are pre-loaded in your browser and automatically bestow trust downwards.

So if you have an SSL certificate in the name of EXAMPLE.ORG that is signed by a certificate from, say, GOOD4NE1, and if their certificate is signed by a certificate from, say, TURKTRUST, and if TURKTRUST's certificate is trusted by your customer's browser...

...then your customer's browser (and therefore your customer) automatically trusts your server (and therefore implicitly trusts you).

You vouch for yourself. GOOD4NE1 vouches for you. TURKTRUST vouches for GOOD4NE1. And your browser vendor vouches for TURKTRUST.

What could possibly go wrong?

In the TURKTRUST case, here's what:

1. Back in mid 2011, TURKTRUST introduced a flawed business process which made it possible for the company to generate and ship an intermediate certificate by mistake, when a regular certificate had been requested.

(Hats off to TURKTRUST for publicly documenting in some detail what went wrong.)

2. TURKTRUST made such a blunder, and sent two intermediate certificates to an organisation that had requested two regular certificates. That organisation was EGO, the public transport authority in Ankara, Turkey.

3. EGO realised that one of the certificates was bad, and reported the fact. TURKTRUST revoked it.

The other incorretly-issued intermediate certificate, however, remained valid.

What that meant was that EGO now had the ability, whether it realised it immediately or not, to sign SSL certificates for any domain name it chose, apparently with the imprimatur of TURKTRUST.

And any certificate signed by EGO in this way would uncomplainingly be accepted by almost every browser in the world, because TURKTRUST's root certificate was in every browser's list of presumed-good CAs.

The next chapter in the story, it seems, didn't start until the end of 2012, when EGO decided to implement security scanning of HTTPS traffic out of its network.

It's easy to scan HTTP traffic by using a proxy, but HTTPS traffic is harder to look inside, since the content is supposed to be encrypted end-to-end.

The usual approach is to perform a Man in The Middle (MiTM) attack on your own traffic. The marketing names for this are keybridging or decrypt-recrypt, but it's really just a MiTM.

You split a user's SSL connection into two parts, creating two SSL sessions - one from browser to proxy and the other from proxy to the final destination.

You decrypt inside the proxy, examine the contents, and then re-encrypt for the rest of the journey.

? Keybridging isn't an attack if you do it on your own company's outbound traffic, but you ought to let your users know. It violates the sanctity of the end-to-end encryption you expect in an SSL connection.

The operational pain with keybridging is that your users get a certificate warning every time they make a secure connection to a new site. That's because their SSL connections terminate at your proxy, not at the real sites they intended to visit.

The usual way around this is to create your own private root certificate, upload it to your keybridging proxy, and let the proxy automatically generate, sign and supply placeholder certificates to your own users.

By adding your private root certificate to all the computers inside your network, you suppress the certificate warnings, because your own browsers trust your own proxy as a CA. That means your browsers quietly tolerate the placeholder certificates generated by the proxy.

It's somewhat impure and ugly, but it's practical, and it works.

Things get really troublesome, as you can imagine, when you have a Bring Your Own Device (BYOD) policy, or if you let contractors onto your network, and want (hopefully with both their knowledge and their consent) to scan their SSL traffic along with that of your regular users.

Until they download and install your private root certificate in their browser, thus accepting you as a top-level CA, they'll get certificate warnings.

And so those who don't follow the instructions given by the helpdesk will keep getting certificate warnings, and will keep phoning the helpdesk. Wash, rinse, repeat.

Unless, as luck would have it, you happen to have an intermediate certificate, signed by an already globally-trusted root CA, that you can use for your MiTM.

But that, of course, is never going to happen, not least because any reputable root CA's business processes would prevent it from inadvertently issuing you with an intermediate certificate for that purpose...

...and you can tell where this is going.

On 21 December 2012, EGO turned on SSL keybridging in its web proxy, using the intermediate certificate it had received back in 2011.

The TURKTRUST palaver surfaced, it seems, a few days later, when one of the users on the EGO network, who was using Google's Chrome browser, received a warning about an unexpected certificate claiming to represent a google.com web property.

That's because of a Chrome feature called public key pinning, in which the browser is equipped not only with a list of presumed-good root CAs, but also with a list of known-good Google SSL certificates.

So, even if a presumed-good CA suddenly starts signing certificates claiming to be from *.google.com, the browser will complain.

This helps to protect against the compromise of a root CA, or against deliberately dodgy behaviour by a root CA, or, as in this case, against sloppy business process and buggy behaviour by a root CA.

You'll note that I've said "in this case, against sloppy business process."

Conspiracy theories notwithstanding, I'm inclined to accept that this was a blundering crisis born out of convenience, not an abortive attempt at secret surveillance:

TURKTRUST shouldn't have issued the wrong sort of certificates. TURKTRUST should have been more proactive about tracking down the second certificate once the first was reported.EGO shouldn't have put the wrongly-issued intermediate certificate to the use it did.

What happens next?

According to Google's Ben Laurie, commenting on Chester's earlier article, one part of the answer is Certificate Transparency.

I'll let the proposal summarise for itself:

The goal is to make it impossible (or at least very difficult) for a Certificate Authority to issue a certificate for a domain without it being visible to the owner of that domain. A secondary goal is to protect users as much as possible from mis-issued certificates. It is also intended that the solution should be backwards compatible with existing browsers and other clients.

This is achieved by creating a number of cryptographically assured, publicly auditable, append-only logs of certificates. Every certificate will be accompanied by a signature from one or more logs asserting that the certificate has been included in those logs. Browsers, auditors and monitors will collaborate to ensure that the log is honest. Domain owners and other interested parties will monitor the log for mis-issued certificates.

Briefly put, the idea is to maintain a community-policed list that lets you differentiate between certificates that are supposed to be in circulation, and certificates than have been generated through incompetence or for nefarious purposes.

Of course, certificate transparency will add yet another layer of complexity to an already-complex process, which is a worry.

But it will also inject a layer of enforced honesty, accountability and supervision into the SSL world, which ought to be good for us all.

Follow @duckblog

Update. At 2013-01-08T22:38+11, I corrected a chronlogical error and made some cosmetic changes. I originally wrote that the bad certificates were generated in late 2012. But that was the date at which the remaining bad certificate was first used in EGO's firewall. TURKTRUST's business process wasn't flawed from mid-2011 until late 2012. The problem existed only for a short time in 2011, and the bad certificates were generated back then. More details can be found in Turkish and in English on TURKTRUST's website. Thanks to TURKTRUST for helping me get this right.

View the original article here

Man pretends to be woman on internet, recovers lost phone in double-quick time

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

New York trombonist Nadav Nirenberg is nothing if not a story-teller of the first water.

After leaving his mobile phone in a taxi on the way to a gig on New Year's Eve (Nirenberg claims), he soon noticed that whoever picked it up had logged in a dating site account he no longer uses (Nirenberg assures us), and was looking for love.

In a story that could have come straight out of Leisure Suit Larry in the Land of the Lounge Lizards (and probably would have, if only the world-wide web had existed back in 1987), Nirenberg says that he decided to get even.

So he knocked up a fake female profile in the name of Jennifer Gonzalez, and replied to his imposter to say, "Sure, I'd love to go out with you. Even though you've already told me you're not the bloke whose photo appears in the profile, but rather a friend using someone else's account, yeah, sure, here's my address. Stop on by and we'll hit the town." (Or words to that effect.)

True enough (Nirenberg says), the imposter showed up, dressed for a night out, with a bottle of wine and in a fug of cologne.

Whereupon our cool-thinking brass player snuck up behind our wannabe Leisure Suit Larry with $20 and a hammer in his hand (a strange choice of weapon, but not used threateningly, Nirenberg takes pains to point out) and calmly bought his phone back from Jennifer's now greatly-surprised (and no doubt deeply disappointed) suitor.

In some ways, a happy ending for everyone. Nirenberg got his phone back just in time to land a short-notice gig on New Year's Day, and followed that up with fifteen metaphorical minutes of fame in media outlets around the world. Larry won't be reported to the police (Nirenberg says). Jennifer avoided a dubious night out. All thanks to the magic of online dating.

The only person who didn't get a say in all of this was the girl (as Nirenberg refers to her) whose picture was borrowed for the fake profile.

Once again, truth is stranger than fiction. Unless, of course, there isn't any truth in it at all. In that case, it remains an amusing story.

Except for the bit about appropriating someone else's photo. No matter how harmless that might seem in retrospect, please don't embroil anyone else's identity or personal information in any online trick or trap you might want to spring.

Nirenberg himself expresses surprise at just how quickly his fake persona attracted replies, even posting a screenshot of JennifferInBK's inbox to prove his point.

No matter how harmless this might seem in retrospect, there's nothing that the real Jennifer can now do to disentangle her visage from all that attention. That's hardly fair, is it?

Follow @duckblog

Take the fear out of losing your Android phone with our free Android Security App.

• Automatically scans apps as you install them to block viruses and malware

• Lets you remotely lock or wipe a lost or stolen device

• Warns you about apps that access personal data

• Gives you advice to improve your security settings

View the original article here

Windows RT "jailbroken", shows its Windows 8 roots

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Hey Windows RT, your roots are showing!

Not that it is all that surprising to most people, but the first person to post about jailbreaking a Microsoft Windows RT device says it is a direct port of Windows 8.

Microsoft has gone to some lengths to disguise this fact: no desktop mode applications (except Office, Explorer and IE10), only runs software from the Windows Store and can't install an alternative OS.

The primary difference aside from CPU architecture is that Windows RT has the "minimum signing level" of executable code set to require Microsoft's digital signature.

This ensures no other desktop applications can be loaded and only software approved by Microsoft can execute.

This is the essence of Microsoft's approach to locking down, or jailing, applications. This is hoped to prevent malware from infecting RT devices as well as ensuring Microsoft a tidy profit on application sales.

A security researcher known as @clrokr used their knowledge and access to Windows 8 systems to determine how they might go about changing the minimum code signing level used to implement Microsoft's restrictions.

Being that Windows RT is a direct Windows 8 port made this attack surprisingly easy. Observing memory addresses in Windows 8 and working with a remote debugger they were able to locate the right byte to modify.

While it involves a level of expertise few users possess, I imagine someone will create a tool to replicate @clrokr's efforts for those with less knowledge of a debugger.

The technique @clrokr used can only modify this setting in memory, so it will not survive a reboot. This is similar to jailbreaks on iOS devices known as a "tethered jailbreak".

Jailbreaking your Windows RT device comes with the same caveats as does hacking your Android or iDevice.

While you gain the freedom to run any code you like, you also become responsible for that code and ensuring it isn't doing something you don't want it to.

If jailbreaking Microsoft tablets becomes a popular way to run pirated applications we may begin to see more malicious apps like have been observed on Android.

Let's hope that the goal of unlocking these tablets remains for research and flexibility purposes and we can avoid that unfortunate outcome.

http://twitter.com/chetwisniewski

Open cage image courtesy of Shutterstock.

View the original article here

DHS website falls victim to hacktivist intrusion

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Hacktivist group NullCrew recently announced a succesful intrusion (though intrusionette might be a better word) against a website in the DHS.GOV domain hierarchy.

DHS, of course, is the United States Department of Homeland Security.

The intrusionetted site was studyinthestates.dhs.gov, intended to help foreigners find out if and how they might be able to study at US schools, colleges and universities.

It looks as though the site was vulnerable to what's known as a directory traversal vulnerability.

That's where you construct a URL that persuades the server to navigate to a part of the web server you aren't supposed to be able to access, and to retrieve content from there.

Imagine, for example, that your webserver hosts a file that is available via the URL http://example.org/private.dat, but to logged-in users only.

If the server were to see an unauthorised GET request for /private.dat, you'd expect it to deny the request.

But your server needs to be careful that it doesn't let itself get tricked, for example by a request to retrieve a file such as /subdir/../private.dat instead.

If you start examining the filename from the left, it doesn't look like a file in the root directory, because there's a directory name (/subdir/) first. But the ensuing ../, which denotes "parent directory to the one I am in at the moment", leaps back up one level, thus cancelling out the initial step downwards into subdir.

Filenames with paths that lead upwards in your filing system are always a risk. By climbing upwards, an attacker may be able to wander "up-and-over-and-down" into otherwise-forbidden parts of your web server's directory tree.

In really bad cases, attackers might even be able to hoist themselves out of your web server's directory tree altogether, and into the rest of the filing system.

This might give them access to password and configuration files for the operating system itself, or for other software running on the same server.

Poor handling of upward-leading filenames seems to have been what was wrong on the Study in the States website.

It looks as though a PHP script responsible for a download repository was incautious in its argument handling. A URL of the sort:

http://example.org/known/dir/download.php?file=somename.dat

could be abused with a request like this:

http://example.org/known/dir/download.php?file=../../private.dat

This, it seems, caused the ill-configured download script to navigate upwards in the web server's directory tree, retrieving from the inside a file that would have been blocked if it had been downloaded directly from the outside.

The fault seems to have been patched now, but if NullCrew are to be believed (and let's assume they are), this hole was used to fetch the WordPress configuration file, apparently including the backend database location and password. This configuration file was then published on a publicly-available drop site.

Sadly, if the HTTP headers returned by the Study in the States website are telling the truth, there's still some more patching to be done.

The site reports that it's running Apache 2.2.3 on Red Hat, and PHP 5.3.3. As I write this, those versions should really be PHP 5.3.20 and Apache web server 2.2.23.

Why not use this as a call to action for your own web servers in 2013?

Make sure you're updated with the latest security fixes for all back-end components you use. Attackers read the vulnerability mailing lists, so they already know how to break in to your unpatched servers.Consider running a Web Application Firewall (WAF) to scour inbound web traffic for bogus or risky-looking requests. This helps to shield your web servers from as-yet-unknown attacks.Perform regular penetration tests against your own web properties to make sure that tricks such as directory traversals are blocked and logged.

A quick look at your web server logs will almost certainly reveal a large number of (probably automated) attacks based on weird-looking URLs that the attacker hopes will sneak past your defences.

It's not a matter of if, or even of when, you might get attacked. If you're inviting inbound web requests, you're already under attack!

Follow @duckblog

Running a web server at home?

Why not try out the free Sophos UTM Home Edition?

You get web and email filtering, web application firewall, IPS, VPN and more for up to 50 IP addresses. You can also protect up to 12 Windows PCs on your network with Sophos Anti-Virus!

(Note: registration required.)

View the original article here

John McAfee says he infected laptops with malware, spied and stole passwords from Belize officials

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Twenty years ago, John McAfee ran an anti-virus company.

He's not had anything to do with the company that bears his name (and was subsequently acquired by Intel) since the early 1990s, but that doesn't mean that his involvement with malware has come to an end.

Many people have been following the bizarre story of John McAfee, who has been on the run from the Belize police since mid-November, had his location leaked to the world in a photo's EXIF meta-data, and was hastily deported from his Guatemala hide-out to the United States.

Throughout his escapades, John McAfee has been keeping the internet entertained and informed of his swashbuckling exploits via his blog.

Most recently, John McAfee claims that he gave Belize officials cheap laptops that had been deliberately pre-infected with keylogging spyware.

I purchased 75 cheap laptop computers and, with trusted help, installed invisible keystroke logging software on all of them - the keind that calls home (to me) and disgorges the text files. It also, on command, turns on and off, the microphone and camera - and sends these files on command.

I had the computers re-packaged as if new. I began giving these away as presents to select people - government employees, police officers, Cabinet Minister's assistants, girlfriends of powerful men, boyfriends of powerful women.

I hired four trusted people full time to monitor the text files and provide myself with the subsequent passwords for everyone's email, Facebook, private message boards and other passworded accounts. The keystroke monitoring continued after the password collection, in order to document text input and would later be deleted. So nothing was missed...

67-year-old McAfee goes on to claim that he also hired 23 women and six men as operatives to seduce and spy upon his intended targets.

These men and women were given simple training on how to access and load software on someone's computer while they slept, or ate or made long phone calls etc.

It's dead simple if you're sleeping with someone - "Hey Babe, can I borrow your computer to check my email?" - A little more complex if you're not - but not much.

According to his blog post, the anti-virus veteran ended up living with eight of the female honeytraps, and was nearly killed by one who turned out to be a double agent.

John McAfee's spying didn't stop there, however. According to his blog post he also infiltrated two local phone companies, and paid workers to tap phones and provide lists of who his targets were in contact with.

Is John McAfee telling the truth? Or spinning a fanciful tale for his own entertainment? There is no way, of course, for us to verify John McAfee's colourful story - which goes on to claim that there is an international terrorist conspiracy run from Belize.

But if elements of this story are true (such as the deliberate spreading of keylogging malware and the snooping on sensitive passwords) that is unlikely to be popular with the-powers-that-be in Belize.

Follow @gcluley

View the original article here

"Julian Assange of Wikileaks arrested in London" hoax

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Controversial Wikileaks pinup Julian Assange has been arrested after slipping out of the Ecuadorian embassy in London to seek medical treatment at a nearby clinic.

Or not.

Assange's back-story is familiar by now. Last year, he was on bail in the UK pending extradition to Sweden for arrest on sexual assault charges. But instead of facing the music in Sweden, he popped into the Ecuadorian embassy and asked for asylum. This was granted.

Our self-proclaimed hacktivist was therefore home free, except for the small problem that his new motherland's diplomatic property in London - an apartment in London's upmarket Knightsbridge, across the street from iconic department store Harrods - has no diplomatically-protected access to the outside world.

(Loosely put, Assange would have to exit Ecuador's protection to reach the car park, the nearest point where he could, in theory, get into an embassy vehicle and thus re-enter diplomatic territory. Quite how he would then drive to Ecuador without exiting from the vehicle is left as a thought experiment for the reader.)

Ironically, of course, Assange as good as voluntarily imprisoned himself in an effort to avoid arrest and possible imprisonment. This led to speculation about what might happen if he were to go stir-crazy and require medical attention beyond what the embassy could provide.

Hardly a surprise, then, to see an article pop up on controversial-where-necessary crowd-sourced news site Indymedia UK claiming that Assange had been arrested whilst seeking treatment "at a private medical clinic located just a five minutes [sic] drive from the Ecuadorian embassy."

According to the news piece, allegedly posted by Guardian journalist Conal Urquhart:

Sources close to this reporter have confirmed that WikiLeaks founder and international fugitive Julian Assange has been arrested by Scotland Yard [sic] detectives at a private medical clinic located just a five minutes [sic] drive from the Ecuadorian embassy at Hans Crescent, London. It is believed that Assange had been feeling unwell since before christmas [sic], and after consultation from the in-house doctor he was referred to the specialist clinic. Just before entering the clinic Assange was arrested by undercover Scotland Yard officers who swiftly took him into there [sic] custody. It is beleived [sic] that Assange was then transported to the nearby Chelsea and Westminister [sic] hospital - also in central London. The incident only occured [sic] within the last 45 minutes and details are rapidly unfolding. Even at this early stage it is understood that Assange was being transferred by diplomatic officials from the embassy - and the convey [sic] he was being transported in had diplomatic plates. More information will be made available as it comes in.

Any opinions, publications, comments, information etc [sic] made herein does [sic] not necessarily represent the opinion of this journalist or The Guardian (UK) newspaper.

Conal Urquhart

A brief survey of Mr Urquhart's recent Guardian articles, of course, would quickly reveal several key facts: first, that he knows how and when to use the apostrophe; second, that he is familiar with the difference between adverbs and possessive determiners; third, that he (or at least his subeditor) can spell; fourth, that he can punctuate; fifth, that he understands the rules of number; and sixth, that he is familiar with contemporary English orthography relating to capitalisation.

So whether you're for or against Assange, you can stand down from Wikilert. He's not been arrested. As far as we can tell, he's still learning Spanish in his Knightsbridge flat.

The trolls who posted to Indymedia (which has now relegated the article to "hidden" status for "violating editorial guidelines") have failed.

[How can they have failed when you wrote all this about them? It's enough to make me sic. Ed.]

Follow @duckblog

View the original article here

Zero day vulnerability in Internet Explorer being used in targeted attacks, FixIt now available

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Internet Explorer users beware, there is a new zero day (previously unknown, unpatched vulnerability) attack targeting your browser.

Microsoft has issued an advisory about the flaw and it is being referred to as CVE-2012-4792. Microsoft has also made a temporary FixIt available until it can deliver a formal patch.

The flaw affects users of Internet Explorer 6, 7 and 8, but not 9 or 10 and allows for remote code execution with the privileges of the logged in user.

Another poignant reminder that running your computer as a non-administrative user pays off when new flaws are uncovered.

Non-privileged users will severely limit the damage that can be done using a vulnerability like this one.

The vulnerability was initially
" href="http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html" rel="nofollow">discovered by FireEye on the Council on Foreign Relations website on December 27th, 2012.

SophosLabs has records showing the Council's website infected as far back as December 7th.

We have seen the exploit used on at least five additional websites suggesting the attack is more widespread than originally thought.

The attack appears to be closely related to attacks we reported on last June that were targeting visitors to a major hotel chain.

While the vulnerability being exploited is entirely different, the payload is nearly identical to the hotel attack and others we have associated with the Elderwood Project.

While the attacks appeared to be targeted to a small number of sites, there is no obvious link between the victims.

Some are referring to this as a "watering hole" attack, but the evidence we have doesn't necessarily support that conclusion.

If you use Internet Explorer, be sure you are using at least version 9 to avoid being a victim of these attacks. If you can't upgrade, consider using an alternative browser until an official fix is available.

Microsoft's FixIt is intended as a temporary workaround that could also be considered, but until an official fix is available I recommend avoiding IE 8 and lower.

If further information becomes available, we will publish the latest here on Naked Security.

Sophos Anti-Virus on all platforms blocks this malware as follows:

• Sus/20124792-B: Misc. files specifically associated with this attack
• Sus/Yoldep-A: Encoded payload also seen in other Elderwood Project attacks
• Troj/SWFExp-BF: Adobe Flash component
• Sus/DeplyJv-A: JavaScript components evolved from earlier Elderwood Project attacks

Follow @chetwisniewski

Watering hole photo courtesy of Shutterstock.

View the original article here

Man who hacked Scarlett Johansson's email gets a whopping ten years in prison

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

The crook who cracked into the email of numerous celebrities, including Scarlett Johansson and Mila Kunis, has been sent to prison.

A federal judge in Los Angeles, California, sentenced 36-year-old Christopher Chaney, of Florida, USA, yesterday.

Although Chaney had already pleaded guilty, thus sparing the expense and complexity of a trial, and although the prosecution had apparently asked for a sentence of just under six years, Judge Otero hit Chaney with a mammoth ten year stretch.

One report suggests Chaney drew an over-the-odds sentence because he continued his cracking activities even after he knew he was under investigation and his computer had been seized.

As we wrote earlier this year, Chaney's modus operandi seems to have been to use the 'forgot password' feature on his victim's email accounts.

He'd then use publicly accessible information - the sort of stuff many of us share in bits and pieces on social networking sites - to answer his victims' security questions and finish off the password reset.

Having got hold of the new passwords and illegally accessed the accounts, Chaney would activate the 'forward a copy of incoming mail' option. This means he could continue to harvest his victims' private emails, even if they changed their passwords back.

Chaney stole nude photos, lurid text messages and emails. Many of these were then shared with two online celebrity gossip sites.

Interestingly, although Chaney drew a harsh penalty, we haven't heard of anything happening to the gossip sites that willingly went public with the stolen material.

The story might have been different had the gossip-mag journalists been in Australia.

Sydney-based journalist Ben Grubb, for example, was briefly arrested in Queensland, Australia, in 2011, and had his iPad confiscated, after he published a supposedly private Facebook photograph that he had acquired from a security researcher.

The researcher had apparently got hold of the photo - a privacy-protected picture of a rival's wife - as a "proof of concept" for a conference talk about a security flaw in Facebook's privacy system.

The researcher couldn't resist sharing the photo with Grubb, who couldn't resist publishing it online (albeit blurred).

In the end, Grubb wasn't charged, quickly got his iPad back, and was vindicated - at least in the public's eyes - by strong criticism of his arrest.

But Queensland police obviously felt strongly enough to go after Grubb under a Queensland law dating back to 1889, which dispassionately observes that "a person who receives tainted property, and has reason to believe it is tainted property, commits a crime."

And there are two important lessons in that:

• Don't put tainted property online, especially if it affects the privacy of others.

It's easy to say, "But the information's out there now, so the crime of getting it in the first place is already done."

Have some concern and respect for the privacy of others. The way data breaches seem to be going, you may very well need the same sort of concern and respect in return some time soon.

• Review all your account settings if you think you've been hacked.

After a malware attack, an unexpected password change, or anything else which suggests that someone else has been riffling around in your digital stuff, be sure to check your configuration settings.

Be on the alert for changes which might let the crooks carry on their dirty work even after your initial cleanup.

Crooks can add new accounts to your PC, set email forwarding options (like Chaney did), change firewall settings, install remote access software, and much more. If you are unsure what to look for, ask someone you know and trust for help.

Follow @duckblog

Image of hands courtesy of Shutterstock.

View the original article here