Computer Security and OSA

Bea Kiddo

Crusader
Here's an interesting thing.

Click on the large map and see how accurate it is for you.

:nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous:

Wow. It has an option to hide your IP address through a download. Is that a good idea? Is it safe?

I feel like I've been peeped on. Good thing I'm not doing anything weird... (right now...):omg:
 

Alanzo

Bardo Tulpa
Bea Kiddo said:
:nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous: :nervous:

Wow. It has an option to hide your IP address through a download. Is that a good idea? Is it safe?

I feel like I've been peeped on. Good thing I'm not doing anything weird... (right now...):omg:

I don't know if the download is good or not.
 

programmer_guy

True Ex-Scientologist
First OpenSocial app hacked in 45 minutes
Liam Tung, ZDNet Australia
05 November 2007 05:21 PM


Link to article

The first app launched under Google's OpenSocial API program has been taken down, shortly after it was discovered a hacker could use it to change user profiles.

The application was built by third party developer RockYou to run on Plaxo, a social networking Web site which allows its members to update and synchronise Microsoft Outlook, Mozilla Thunderbird and Mac OS X calendars and address books.

A developer who uses the nickname "harmonyguy" alerted Plaxo's vice president of marketing John McCrea to a vulnerability in the RockYou "emoticon" -- icons that represent a user's emotions -- application that Plaxo allowed on its platform as part of Google's OpenSocial API program.

Changing an emoticon may not be a malicious hack, said "harmonyguy", however, he warned that if Google does not stabilise its platform, more damaging hacks are in store.
 

programmer_guy

True Ex-Scientologist
Sunday November 18, 2007
Re: Personal Threats

http://blogs.pcmag.com/securitywatch/2007/11/re_personal_threats.php

It's not uncommon for spam to include false warnings in order to trick the recipient into falling for a scam or phishing attack or installing malware. Now Symantec is reporting that the threats are getting a little more explicit.

A new campaign they describe comes in the form of an e-mail purportedly from a private investigator who has been paid to investigate you. He or she wants you to know your phones are being monitored and they may say who ordered it in their next e-mail.

And to prove they have compromised your phones, they attach a password-protected .RAR file to the message that supposedly contains a recording of your phone conversations. The message includes the password.

I hope you've guessed by now that the file actually contains malware, Trojan.Peacomm.D in Symantec's lexicon. The password protection is to attempt to defeat malware scanning.
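The lure above pairs an encrypted archive with its password in the message body so that the archive defeats scanning while the victim can still open it. The following is an added Python example for a mail-filtering or triage script, not code from the blog or from Symantec: it walks RAR 4.x block headers to see whether the archive is password protected, looks for a password handed out in the body, and raises the combination. The archive bytes are constructed here (CRCs zeroed, one dummy entry) purely to exercise the check; the regex and scoring are this example's own heuristics.

```python
import re
import struct

# RAR 4.x marker block and the flag bits the check relies on (public RAR 4.x layout).
RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
MHD_PASSWORD = 0x0080   # archive header (0x73) flag: block headers are encrypted
LHD_PASSWORD = 0x0004   # file header (0x74) flag: the file's data is encrypted
LONG_BLOCK = 0x8000     # a 4-byte ADD_SIZE follows the seven common header bytes


def rar4_is_encrypted(data: bytes) -> bool:
    """Walk RAR 4.x block headers and report whether any part is password protected.

    Every block starts with CRC16 (2), type (1), flags (2, LE), header size (2, LE).
    Blocks with LONG_BLOCK set (file headers always do) carry a 4-byte data size
    right after those seven bytes; the data itself follows the header.
    """
    if not data.startswith(RAR4_MARKER):
        return False
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            break  # malformed header; stop instead of looping forever
        if btype == 0x73 and flags & MHD_PASSWORD:
            return True  # encrypted headers: even the file list needs the password
        if btype == 0x74 and flags & LHD_PASSWORD:
            return True
        if flags & LONG_BLOCK and pos + 11 <= len(data):
            pos += struct.unpack_from("<I", data, pos + 7)[0]
        pos += head_size
    return False


# Phrasing a lure uses to hand the recipient the password to its own attachment (heuristic).
PASSWORD_HINT = re.compile(r"\bpass(?:word|code)?\s*(?:is|:)\s*\S+", re.IGNORECASE)


def assess_message(body: str, attachments: dict) -> dict:
    """Score one e-mail: an encrypted archive attached plus its password in the body."""
    encrypted = [name for name, blob in attachments.items() if rar4_is_encrypted(blob)]
    unparsed = [name for name, blob in attachments.items() if blob.startswith(RAR5_MARKER)]
    password_in_body = bool(PASSWORD_HINT.search(body))
    return {
        "encrypted_archives": encrypted,
        "unparsed_rar5_archives": unparsed,  # RAR5 layout is not parsed here; review manually
        "password_in_body": password_in_body,
        "suspicious": bool(encrypted) and password_in_body,
    }


def build_rar4_sample(encrypted: bool) -> bytes:
    """Constructed RAR 4.x archive (CRCs zeroed) holding one 16-byte entry, for testing only."""
    archive_hdr = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    name = b"recording.mp3"
    payload = b"\xaa" * 16
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    # after the common 7 bytes: pack size, unpacked size, host OS, file CRC, time,
    # version, method, name length, attributes (25 bytes), then the name itself
    fixed = struct.pack("<IIBIIBBHI", len(payload), 4096, 2, 0, 0, 29, 0x30, len(name), 0x20)
    file_hdr = struct.pack("<HBHH", 0, 0x74, flags, 7 + len(fixed) + len(name)) + fixed + name
    return RAR4_MARKER + archive_hdr + file_hdr + payload


if __name__ == "__main__":
    lure = ("I have been paid to investigate you. The attached recording proves your "
            "phones are monitored. Password is 7713kq")
    print(assess_message(lure, {"recording.rar": build_rar4_sample(True)}))
```

Encrypted headers (the MHD_PASSWORD case) are the stronger signal, since a scanner cannot even list the contents; a per-file LHD_PASSWORD flag still leaves the file names visible for a filename-based rule.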
 

programmer_guy

True Ex-Scientologist
Handful of bugs squashed in Firefox security fix
By Robert McMillan, IDG News Service
November 26, 2007

Among the fixes Mozilla has released is a patch for the well-known flaw in how Firefox handles .jar files

Link to article

Mozilla has released an update to its Firefox browser, fixing a widely publicized flaw in the open-source software.

The 2.0.0.10 update fixes a handful of memory corruption flaws that crash Firefox and a cross-site request forgery flaw that could give attackers a way to get unauthorized access to certain Web sites.

But the most anticipated bug fix in this release addresses a problem in the way Firefox processes files that are compressed using the .jar (Java Archive) format.

Firefox does not properly check .jar files, giving attackers a way to launch Web-based cross-site-scripting attacks against Firefox users. The bug was first reported in February, but it gained widespread attention in early November when security researchers showed how it could be used in cross-site scripting attacks to run unauthorized code on the victim's PC.

The memory corruption bugs could also have led to more serious problems, Mozilla said in its note on the bugs. "We presume that with enough effort, at least some of these could be exploited to run arbitrary code," the note reads.

This .jar flaw is one of a new category of bugs that have popped up in Firefox and other browsers in recent months. They have to do with the way the browser handles special Web links that are used to launch applications. Known as URI protocol handler vulnerabilities, these bugs can be triggered when software is launched via the browser.

URI protocol handler flaws have been found in Microsoft Internet Explorer, Adobe software, and Google's Picasa software.
 

programmer_guy

True Ex-Scientologist
Monday November 26, 2007
Zero-Day QuickTime Exploit

http://blogs.pcmag.com/securitywatch/2007/11/zeroday_quicktime_exploit.php

A new vulnerability in QuickTime 7.2 and 7.3 leaves users vulnerable to a remote buffer overflow that could compromise the system subject to the privileges of the user running QuickTime. Currently, there is no patch from Apple for this problem.

According to a Symantec analysis of the vulnerability and exploit code that has been publicly-revealed, the exploit works in the stand-alone QuickTime player. With Internet Explorer and Safari, the QuickTime browser plugin does not execute the shellcode in the exploit, but the browser crashes. Firefox is more susceptible; if it is configured as the default handler for multimedia types, the attack can succeed in the browser.

The likely scenarios for attack would be e-mail lures with file attachments likely to launch QuickTime, such as .mov, .qt, .qtl, .gsm, and .3gp. Browser-based lures where a simple page embeds a QuickTime object would be successful against Firefox.

Symantec reports that blocking outbound connections on TCP 554 at the firewall can be effective against the attack.

---------------------------------------------------------------------------------------

My comment:

TCP 554 = TCP port 554; just my little minor correction to the above.
 

programmer_guy

True Ex-Scientologist
Tuesday, November 27, 2007
Malware redirects: The aftermath

http://blogs.pcmag.com/securitywatch/2007/11/more_malware_redirects_in_sear.php

Hi all, Adam Thomas here from the Malware Research Team. I just wanted to post a follow up to our blog post yesterday regarding malware redirects from search engine results.

Sunbelt Software has uncovered tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages.

-------------------------------------------------------------

My comment:

Please click on the link to see the entire article which provides some examples of what these web pages look like.
 

programmer_guy

True Ex-Scientologist
House Votes for No Telco Immunity
By Roy Mark
November 16, 2007


http://www.eweek.com/article2/0,1895,2218334,00.asp

The Senate Judiciary Committee also nixes immunity for carriers that participated in a White House domestic spying program.

Nov. 15 was a bad day for the nation's telephone carriers on Capitol Hill, as two separate congressional votes refused to retroactively grant immunity to the telephone companies that cooperated with the Bush administration's domestic spying program.

In a full U.S. House vote, lawmakers approved the RESTORE Act, a renewal of the FISA (the Foreign Intelligence Surveillance Act). Despite a threat from the White House that it would veto the bill if it didn't provide immunity for the telcos, lawmakers approved the measure 227-189.

In the Senate, the Judiciary Committee approved similar legislation that excludes immunity for the carriers.

"Most significantly, the bill does not provide immunity to telecommunications companies that participated in the president's warrantless surveillance program," Speaker Nancy Pelosi said in a statement. "We cannot even consider providing immunity unless we know exactly what we are providing immunity from. And even then we have to proceed with great caution."

President Bush wants Congress to grant immunity to the carriers that agreed to turn over customer telephone and e-mail records—often without a warrant or subpoena—to the government. The White House launched the warrantless surveillance in the aftermath of the Sept. 11, 2001, terrorist attacks on the United States.

The New York Times first broke the story of the administration's warrantless wiretapping in late 2005, and USA Today later reported that the National Security Agency is using information provided by telephone carriers to mine tens of millions of calling records for data.
 

programmer_guy

True Ex-Scientologist
Canada Fumbles Health Data in Security Breach
By Lisa Vaas
November 26, 2007


http://www.eweek.com/article2/0,1895,2222205,00.asp?kc=EWKNLSTR113007STR5

The data loss includes HIV and hepatitis patient histories for an undetermined number of people.

Canadian health authorities have lost intimate medical data including HIV and hepatitis test results for an undetermined number of citizens in a recent security breach, the government of Newfoundland and Labrador admitted Nov. 26.

According to a media release, on the evening of Nov. 20, a consultant employed by the Provincial Public Health Laboratory was contacted at his home office by an unidentified security researcher. The researcher told the consultant that he was in possession of patient information stored on the consultant's computer. That patient information includes names, MCP (Medical Care Plan) numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.

That information is normally stored on computers within the PHL. In this case, however, a computer was taken home inappropriately, Health Minister Ross Wiseman told news outlets.

"That was an inappropriate use. Obviously, individual computers that are available for work are there for the workplace only," he told CBC News.

The PHL acts as the province's laboratory center for infectious disease surveillance and control, providing lab services to hospitals, clinics and health-related agencies.

The files were accessed through an open Internet connection. Until the forensic investigation has been concluded, there's no way to determine how many patients' data may have been exposed, according to the release.

"This appears to be an isolated situation," Jerome Kennedy, minister of justice and attorney general, was quoted as saying in the release. "The information garnered from our investigation thus far supports this. Because the external computer was not part of the systems and networks of either the laboratory or Eastern Health, which provides IT support to PHL, this breach in no way reflects on the integrity of these systems. We can say unequivocally that all other patient information stored by our government and the regional health authorities was in no way jeopardized by this one situation with one computer external to our networks."
 

barky

Patron with Honors
Wow, lots of good info here. Thanks, PG. :)

My own PC got Virtumonde a couple of weeks ago, despite all my anti-virus, etc. software. Took two days to find it & kill it. But I learned quite a lot in the process (I'm not much of an O/S guy). Root cause was old Java (1.3 instead of 1.6 -- didn't have the auto-update feature for Java turned on). Now I'm a big fan of Spybot, both for ease of use of their products but also for the wealth of information on their forums.

Curious: are OSA's operations in the computing world illegal? Purposely crashing threads, trying to crack IDs of users, etc. Sounds legally dubious at best.
 

programmer_guy

True Ex-Scientologist
barky said:
Wow, lots of good info here. Thanks, PG.

You are welcome. :)


barky said:
My own PC got Virtumonde a couple of weeks ago, despite all my anti-virus, etc. software. Took two days to find it & kill it. But I learned quite a lot in the process (I'm not much of an O/S guy). Root cause was old Java (1.3 instead of 1.6 -- didn't have the auto-update feature for Java turned on). Now I'm a big fan of Spybot, both for ease of use of their products but also for the wealth of information on their forums.

Yeah... it's good to keep stuff up-to-date. I don't like auto-update but I do like to be automatically notified when updates are available.


barky said:
Curious: are OSA's operations in the computing world illegal? Purposely crashing threads, trying to crack IDs of users, etc. Sounds legally dubious at best.

No. I don't think that it is as bad as you are wondering (concerning OSA - unless, you are a really big bad SP on their "radar").


And I am no computer security expert - I just like to report these news items for my cyber friends here. :)
 

programmer_guy

True Ex-Scientologist
Banner ads from major sites
Tuesday, November 13, 2007
by Roger Thomson


http://explabs.blogspot.com/2007/11/banner-ads-from-major-sites.html

Ok, we all know that infective banner ads are not new, but this is more interesting than most because they're currently fairly common from both mlb.com and nhl.com.

These are really hard to track down, because they don't happen every time you visit a site ... it took us hours to get our first capture... but it was both interesting and instructive that when _we_ got a capture, one of our researchers on the other side of the world got one at about the same minute. Now, it was a different fake scanner, and a different path thru the ad network, but it was a startlingly similar style and almost the same time. We don't believe in coincidences.

-----------------------------------------------------

My comment:

Please click and scroll down to the screen replay (with audio commentary as he shows you this.)
 

programmer_guy

True Ex-Scientologist
Click-through cloaking (coming to a hacked site near you)
from Robert Hensing's Blog

Link to article

So yesterday I became aware of a web site that had been compromised and that was employing a concept known as 'click-through cloaking'. The web site in question can be found by going to Google or Live.com and searching for "open voting foundation". The first search result is the site in question. But do NOT click on the search result returned by Google (at least not right now as of .11am on November 8th 2008).

Why is that? If you do - you will be redirected to a bunch of porn and exploit sites via malicious IFRAMEs sent down to your browser by the hacked openvotingfoundation.org web site. If you click through from live.com - you'll get to the actual openvotingfoundation.org web site and nothing bad will happen.

So what's going on here? The openvotingfoundation.org web site was compromised, and the server side pages were modified to inspect the HTTP referrer header of visiting browsers. If the HTTP referrer indicates that the click through to the openvotingfoundation.org web site originated from Google or Yahoo - then the user is whisked away to porn and exploit sites. If the HTTP referrer is blank or is from say live.com - you are allowed to see the web site's content and you're not redirected.

Why would the bad guys do this? To buy time. Think about it - say you arrived at that site via a search engine and you were clueful and you got owned. You're going to give the URL that tried to exploit you to your local IT security geek and he's going to paste it in his browser and visit the site to investigate - and guess what? Nothing will happen to him since he didn't click through to the site from a search engine on 'the list'. So he'll think the problem has been fixed and probably won't report the incident to the people maintaining the site. The bad guys just bought themselves a little more time.
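The investigator's mistake described above is probing the site with a blank referrer only. An added Python example (not code from Robert Hensing's post) for the IT security geek in the story: request the same URL with no Referer and with several search-engine Referer values, reduce each response to its security-relevant features (status, redirect target, third-party iframes, meta refresh), and report any referrer whose response differs from the blank-referrer baseline. The `http_fetch` helper does a live request without following redirects; the `fake_fetch` fixture and its hostnames (`malicious.example`, `exploit.example`) are constructed here to mimic the behaviour the post describes so the check can run offline.

```python
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Referers to probe with. The empty string is what an analyst pasting the URL sends.
PROBE_REFERERS = (
    "",
    "https://www.google.com/search?q=open+voting+foundation",
    "https://search.yahoo.com/search?p=open+voting+foundation",
    "https://www.live.com/results.aspx?q=open+voting+foundation",
)


class _Collector(HTMLParser):
    """Pull iframe targets and meta-refresh redirects out of a response body."""

    def __init__(self):
        super().__init__()
        self.iframe_hosts = set()
        self.meta_refresh = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe" and a.get("src"):
            self.iframe_hosts.add(urlparse(a["src"]).hostname or "")
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = True


def summarize(site_host, status, location, body):
    """Reduce one response to the features that matter for a cloaking comparison."""
    c = _Collector()
    c.feed(body)
    redirect_host = (urlparse(location).hostname or "") if location else ""
    return {
        "status": status,
        "redirect_host": redirect_host,
        "foreign_iframes": sorted(h for h in c.iframe_hosts if h and h != site_host),
        "meta_refresh": c.meta_refresh,
    }


def probe_cloaking(url, fetch, referers=PROBE_REFERERS):
    """fetch(url, referer) -> (status, Location header, body). Compare each referer to the blank one."""
    site_host = urlparse(url).hostname
    results = {ref: summarize(site_host, *fetch(url, ref)) for ref in referers}
    baseline = results[referers[0]]
    divergent = [ref for ref in referers[1:] if results[ref] != baseline]
    return {"cloaked": bool(divergent), "divergent_referers": divergent, "results": results}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx instead of following it to the exploit site


def http_fetch(url, referer, timeout=10):
    """Live fetch for probe_cloaking (not exercised by the constructed sample below)."""
    headers = {"User-Agent": "cloak-probe/0.1"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", ""), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", ""), err.read().decode("utf-8", "replace")


# Constructed responses mimicking the post: search-engine referers get a page with
# third-party iframes, everyone else gets the real page.
CLEAN_PAGE = "<html><body><h1>Open Voting Foundation</h1></body></html>"
CLOAKED_PAGE = ('<html><body><iframe src="http://malicious.example/a" width=0></iframe>'
                '<iframe src="http://exploit.example/b" width=0></iframe></body></html>')


def fake_fetch(url, referer):
    host = urlparse(referer).hostname or ""
    if host.endswith("google.com") or host.endswith("yahoo.com"):
        return 200, "", CLOAKED_PAGE
    return 200, "", CLEAN_PAGE


if __name__ == "__main__":
    print(probe_cloaking("http://www.example.org/", fake_fetch))
```

Run the live probe from a disposable machine with script execution disabled, since a divergent response is by definition the one carrying the hostile content; the comparison itself never renders anything.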
 

programmer_guy

True Ex-Scientologist
Security Suite Smackdown 2008 – Part II
11.06.07

http://www.pcmag.com/article2/0,1759,2212492,00.asp?kc=PCRSS05079TX1K0000992

As always, the reviewlets below are by no means the whole story: Click on the links to read our exhaustive full reviews. Also, please note that a "roundup" is by no means a complete collection of all the security suites. Our Security Suite Smackdown 2008 Part I features reviews of five more suites, and more are coming soon; I'm reviewing them as they trickle onto the market. There'll be at least one more Smackdown this year.

--------------------------------------------------------

My comment:

Click on the link and scroll down to the reviews.
 

programmer_guy

True Ex-Scientologist
Microsoft Report on IE Security Draws Mozilla Rebuttal
By Lisa Vaas
November 30, 2007


http://www.eweek.com/article2/0,1895,2225928,00.asp

Microsoft is patting itself on the back for having had fewer vulnerabilities in IE than have been found in Firefox.

Microsoft has issued a report on Internet Explorer in which it pats itself on the back for having fewer vulnerabilities in its browser than are in the No. 1 competitor, Mozilla's Firefox—a stance that the Mozilla Foundation finds, to put it diplomatically, puzzling.

"It's something you'd expect from maybe an undergrad," he said. "It's very disappointing to see somebody in a senior security position come out and say that because an organization is more transparent about their bugs and fixing them, they're somehow less secure."

-----------------------------------------------------------------------

Please read the entire short article... it exposes yet another instance where Microsoft is not revealing the whole story. This is very typical Microsoft behaviour.
 

programmer_guy

True Ex-Scientologist
Web Hosting Providers Let Security Sag
By Lisa Vaas
December 4, 2007


http://www.eweek.com/article2/0,1895,2227446,00.asp?kc=EWKNLINF120507STR3

Web hosting providers that can't keep DNS servers clean are exposing low-budget government Web sites to malware.

Riddle: What do the city of Plainville, Kan., and the Transportation Authority of Marin County, Calif., have in common?

Answer: a Web hosting provider that can't seem to keep its DNS servers clean.

Both .gov domains in the past few months have seen their sites seeded with redirects to malicious servers in other countries that have pushed pornography, malware, Viagra ads and the like to site visitors.

IPowerWeb/StartLogic hadn't provided input by the time this story posted. Their track records paint a colorful portrait, however: The Better Business Bureau has processed 191 complaints about IPowerWeb in the last three years. StartLogic is not only rated as an "unsatisfactory" business at BBB but also has its own hate site, StartLogicSucks.com, which ranks third in a Google search on "StartLogic."

Because IPowerWeb's servers were vulnerable, criminals were able to register false DNS information, including different site names under the city of Plainville's domain name. Bailey's research turned up other sites with the same problem, also being hosted at IPowerWeb, including at least two other government sites: csm.ca.gov and Bridger-mt.gov.

"Over the last couple of years, this … has become kind of like a criminal enterprise—it's almost aided and abetted by lazy or otherwise unknowing people who are running some of these information security provider shops," said Kettlewell.

ISPs have an imposing amount of infrastructure to secure: Switches, routing, operating systems and DNS servers are the underlying infrastructure, and on top of that comes whatever a customer is hosting. Some ISPs have the staff, training, resources and foresight to configure things correctly. Nazario rattled off a half dozen ISPs that get security done right and deal with problems quickly: Yahoo, AT&T, Amazon, Rackspace and ServerBeach, for example.

For companies that can't afford a larger ISP, Nazario recommends doing due diligence when considering a smaller ISP, including these steps:

* Check the Better Business Bureau listing for any outsourcer. Look for complaints that seem legitimate or recurring.

* Talk to providers you trust, including local ISPs. Ask for the word on the street about a given provider.

* Grill a prospective ISP on security procedures, including if there's a dedicated staff available 24/7 and the process for escalating problems.

* Find out if there's a contact that can be reached right away—without the need to get lost in a phone tree—if either a security researcher or a customer notices something wrong with a site.

* Interview a provider's customers. Ask other customers about specific incidents and if they've been handled to customers' satisfaction.
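The article's technical point is that the hosting provider let outsiders add names under a customer's domain that pointed at servers elsewhere. A site owner who cannot fix the provider can at least notice: the added Python example below (not code from eWeek or from the hosting companies named) reads a plain zone export, compares every owner name against the organisation's own inventory, and flags A/AAAA records outside the organisation's netblocks and CNAMEs that alias into a foreign domain. The zone text, the `city.example` domain, the inventory and the netblock are all constructed for the example; a real run would feed it a zone transfer or the provider's exported records.

```python
import ipaddress


def parse_zone(text):
    """Minimal reader for 'owner [ttl] IN type rdata' lines plus $ORIGIN (not a full zone parser)."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1].rstrip(".")
            continue
        if "IN" not in parts[1:3]:
            continue  # skip multi-line continuations and anything not in the simple form
        i = parts.index("IN")
        owner = parts[0]
        if owner == "@":
            name = origin
        elif owner.endswith("."):
            name = owner.rstrip(".")
        else:
            name = f"{owner}.{origin}"
        records.append((name.lower(), parts[i + 1].upper(), " ".join(parts[i + 2:])))
    return records


def audit_zone(zone_text, inventory, netblocks, org_suffix):
    """Return (name, type, reason) for records the operator did not create or that lead off-site."""
    nets = [ipaddress.ip_network(n) for n in netblocks]
    known = {n.lower() for n in inventory}
    findings = []
    for name, rtype, rdata in parse_zone(zone_text):
        if name not in known:
            findings.append((name, rtype, "owner name not in inventory"))
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata)
            except ValueError:
                findings.append((name, rtype, f"unparseable address {rdata!r}"))
                continue
            if not any(addr in net for net in nets):
                findings.append((name, rtype, f"points outside expected ranges: {addr}"))
        elif rtype == "CNAME" and not rdata.rstrip(".").lower().endswith(org_suffix.lower()):
            findings.append((name, rtype, f"alias leaves the organisation: {rdata}"))
    return findings


# Constructed zone export. The last two records are the kind of entries the article
# describes: names the site owner never created, pointing at someone else's servers.
SAMPLE_ZONE = """\
$ORIGIN city.example.
@            3600 IN SOA   ns1.city.example. hostmaster.city.example. 2007120401 7200 900 1209600 3600
@            3600 IN NS    ns1.city.example.
@            3600 IN A     192.0.2.10
www          3600 IN A     192.0.2.10
mail         3600 IN A     192.0.2.25
pharma-deals  600 IN A     203.0.113.77
video-codec   600 IN CNAME free-scan.malicious.example.
"""
INVENTORY = ["city.example", "www.city.example", "mail.city.example", "ns1.city.example"]
NETBLOCKS = ["192.0.2.0/24"]


def run_sample():
    return audit_zone(SAMPLE_ZONE, INVENTORY, NETBLOCKS, "city.example")


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

Scheduling this against a daily export turns a silent provider-side change into an alert, which is exactly the gap the two municipal sites in the story fell through.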
 

programmer_guy

True Ex-Scientologist
Oak Ridge Speared in Phishing Attack Against National Labs
By Lisa Vaas
December 7, 2007


http://www.eweek.com/article2/0,1895,2230297,00.asp?sp=0&kc=EWKNLSTR121107STR2
Oak Ridge National Laboratory warns of a well-orchestrated phishing attack that may have netted personal information.

Oak Ridge National Laboratory has been bombarded by a coordinated phishing attack aimed at multiple national labs and may have unwittingly handed over to attackers the personal information of anybody who visited the lab over a 14-year span, including Social Security numbers.

On Dec. 3, Laboratory Director Thom Mason sent a letter to staff telling them that ORNL was targeted by "a sophisticated cyber-attack" that appears to be part of a larger coordinated attempt to gain access to computer networks at numerous laboratories and other institutions across the country. Los Alamos was also targeted, according to news accounts.

The first phishing e-mail, and first potential data theft, occurred on Oct. 29.

ORNL, managed for the U.S. Department of Energy by UT-Battelle, works on science and technology involved in energy production and national security. ORNL management does not believe that classified data was stolen in the attack, however.

The attack comprised approximately 1,100 targeted phishing attempts crafted to look like legitimate e-mail. The attackers cooked up seven phishing variations, one of which purportedly advertised a scientific conference, another of which posed as a notification about a complaint on behalf of the Federal Trade Commission.

All of the phishing e-mails instructed lab employees to open an attachment for more information or to click on an embedded link. ORNL's investigators now believe that about 11 staff fell for the come-ons and opened the attachments or clicked on the links. That was enough for the attackers to install keyloggers or other types of malware that gave attackers access to systems and the ability to extract data.

Mason said in his letter that attackers potentially gained access to a nonclassified database containing personal information of visitors to the lab between 1990 and 2004. ORNL's management doesn't believe that the attackers managed to get access to classified data.

The attackers may have gotten access to names and other personal information, however, including Social Security numbers and dates of birth. ORNL isn't aware of any identity theft that has arisen from the security breach at this time, but is advising those persons affected to check their credit reports and put a fraud alert on their credit files. The lab is providing contact information for the three major credit reporting bureaus in an advisory posted on its site.