Security researchers from F-Secure have come across an interesting Android hack tool, identified as HackTool:Android/UsbCleaver.A,
which allows anyone to steal sensitive information from a PC by connecting an
Android phone to it.
The hacker must install an application called USB Cleaver on his/her
Android device. Once executed, the app downloads additional files from a
remote server.
These files are actually various utilities designed to retrieve certain pieces of information from a Windows computer.
When the Android device is connected to the Windows PC, it automatically
starts collecting browser passwords, the Wi-Fi password and network
information.
The app allows the user to select what type of information should be
harvested. The gathered information is copied into a folder from the
Android device’s SD card.
Fortunately, there’s a simple way for users to protect themselves
against such hack tools, because the app relies on an autorun.inf
file to trigger the automatic gathering of information.
Linux 3.10 was released by Linus Torvalds last night, bringing with it a new method of SSD caching and some upgrades to the Radeon graphics driver.
The two most significant changes in Linux 3.10 are the aforementioned
SSD caching "and support for the newer Radeon graphics cores' video
decoder," Leemhuis wrote. "The Radeon driver in the Linux kernel now
offers interfaces for interacting with the Unified Video Decoder on
Radeon HD 4000 and later HD graphics cards. An open source UVD driver
which uses this interface will be included in the next major revision to
Mesa 3D (version 9.2 or 10.0). The
kernel now supports the graphics chip on the recently released Richland
processor family, otherwise known as A4, A6, A8, and A10 series APUs.
Linux can also now address Radeon Hainan GPUs." Other changes allow newer Intel GPUs to be overclocked. Systems with Intel GPUs can also now wake from standby faster.
Over 25,000 companies from all over the world rely on Atlassian’s
solutions, including organizations from the automotive, consulting,
education, engineering, entertainment, government, health and other
industries.
According to the advisory
published by Command Five, Crowd users should update their
installations as soon as possible because an exploit for a vulnerability
discovered in 2012 has become widely available.
The security hole can be leveraged by an attacker to retrieve data and
files from the Crowd server by crafting entity URLs. In addition, the
flaw can be leveraged for denial-of-service (DoS) attacks.
“If a hacker uses the vulnerability to retrieve a file containing
credentials, they can then authenticate with the Crowd server directly,
or use the exploit again to bypass trusted proxy/remote address
validation as described above,” the advisory reads.
“Successful exploitation of this vulnerability can (but does not
necessarily) lead to a hacker taking full control of an organization's
single sign-on service, potentially resulting in a catastrophic security
event. Regardless, successful exploitation is likely to enable high
velocity lateral movement within the targeted organization,” researchers
explain.
However, the patched vulnerability is not the main concern. Command Five
says there is at least one critical vulnerability in Crowd that hasn’t
been patched. The flaw can be exploited by an unauthenticated remote attacker to take full control of any Crowd server they can connect to.
Cyber criminals can compromise application credentials, user credentials,
data storage, configured directories and dependent secure systems.
The messages that make the rounds on Instagram show pictures of fruit.
The pictures are accompanied by a bogus BBC News message which promotes
an “exclusive offer” for a fruit diet.
In some cases, the spammers continue to trick users by claiming that the diet has been recommended by Dr. Oz.
Unfortunately, the Instagram spam run appears to be highly successful. One of the links has been clicked more than 35,000 times already.
“Earlier today a small portion of our users experienced a spam
incident where unwanted photos were posted from their accounts. Our
security and spam team quickly took actions to secure the accounts
involved, and the posted photos are being deleted,” Facebook, which owns
Instagram, has told Gigaom.
Instagram has started resetting the passwords of the impacted users.
Security expert Janne Ahlberg has been closely monitoring
the evolution of the miracle diet spam campaign. Over the weekend, he
reported that spam messages were spotted not only on Twitter, but on
Facebook, Tumblr and Pinterest as well.
According to the Wall Street Journal, Facebook is working on a news service for iPhone users. The business newspaper relies on unnamed sources. The service, called Facebook Reader, would bundle news for both users and publishers. Facebook has reportedly been working on the service for more than a year. Reader would look like Flipboard, the app that collects news based on the user's preferences. The social network refused to comment to the Journal. With Reader, Facebook would like to increase its attractiveness to advertisers in the mobile segment.
According to anonymous sources, Mark Zuckerberg personally oversees the project and, in contrast to the development of other services, has deliberately taken the time to make a full-fledged news service that works as well as possible on both smartphones and tablets. Reader is initially targeted at Apple's iOS as a platform.
According to Reuters,
several pieces of spying software have been identified on several
devices owned by Chen, including an iPhone and an iPad he had received
shortly after his arrival in the US from the wife of activist Bob Fu,
the man who runs the Christian group called ChinaAid.
After fleeing to the US last year in May, Chinese activist Chen Guangcheng
was given a fellowship at the New York University. Now that the period
of his fellowship has come to an end, some interesting aspects of the
story have come to light.
The presence of the spyware has been brought to light by NYU professor
Jerome Cohen and another individual familiar with the incident.
While some say that the devices were plagued with spy software right
from the start, others point the finger at NYU for installing the
applications.
Among the spy applications, technicians found one that secretly turned
the devices into a tracking system, and a password-protected program
that uploaded data to a remote server.
The world has changed, and it is important for us to face certain
realities: there’s a greater reliance on technology, which has led
to significantly fewer face-to-face interactions; even when such interactions occur, they are rarely wholly honest
conversations, and this leaves most of us desperately resorting to
the web to engage in anonymous discussion boards or to create alias
Twitter accounts just to be heard.
The general idea behind unface.me: engage in anonymous and truthful
discourse with people you already know. This is done by connecting your
Facebook account to an unface.me alias (“AlterEgo”) that you create, and
then interacting with other users from your current network of friends
who also have AlterEgos.
How can this be used toward forming better relationships? Well, for
one thing, it will allow users to be completely honest about themselves.
A lot of topics are difficult to talk about (such as one’s mental
health) and have potential professional consequences (not getting hired
because of a history of depression). Unface.me can give people this
medium for expressing their emotions or thoughts honestly, without fear
of people knowing their true identity.
This anonymity also allows
for the changing of personal behaviors and the development of overall
empathy. As people learn sensitive things about their friends, they may
become more socially aware of and self-identifying with the daily
struggles of others, and thereby change their day-to-day behaviors or
interactions with them. So, the result? Closer bonds with those around
us. We don’t have to sacrifice honesty in the age of social media.
If Dan Humphrey was able to pull off complete anonymity for five years
and end up with a closer set of friends, why shouldn’t we?
Facebook just published a data breach notification on its security blog. You might not immediately notice that from the title of the article,
which announces itself as an "Important Message from Facebook's White
Hat Program." The cloud (bad pun intended) is that Facebook's systems made the fault possible in the first place.
What Facebook seems to be admitting to, in Friday's breach notification message, is that it was careless with the aggregated data accumulated from contact list uploads. The problem, says Facebook, lay in its Download Your Information
(DYI) feature, which exists so you can suck down everything you've
previously entrusted to the social networking giant.
DYI improves availability, because it allows you to make your own off-site backup of everything you've stored on Facebook. It improves transparency, because it acts as a record of everything you've uploaded to Facebook over the years. But there was a bug in DYI, of the data leakage/unauthorised disclosure sort.
Apparently, DYI was capable of letting you download more than you'd uploaded in the first place.
Former NSA contractor Edward Snowden revealed on Saturday that the U.S. is tapping into Chinese mobile carriers to access customers’ text messages.
It’s not just a few messages, either. Snowden told the South China Morning Post that millions of Chinese text messages are being harvested by the U.S. “China should set up a national information security review commission as soon as possible,” Snowden told the paper. Chinese mobile users
sent over 900 billion text messages in 2012, according to government
statistics, so if Snowden’s claims are true, the United States’
surveillance isn’t too extensive in the grand scheme of things. (Chinese
officials likely won’t see the situation in that light though.) The reveal will make an already rocky relationship between the U.S.
and China even more tumultuous. President Obama and China’s new
president Xi Jinping have already had several conversations about cybersecurity relations, and both leaders are also kicking off a series of regular talks between the two countries.
These days, fake Antivirus programs that run under Windows look just as
good as real, valid antivirus tools. They'll run a scan for free—a fast
one, since there's no actual scanning going on. However, to remove the
imaginary malware found by the scan, you'll have to pay up. In a recent
blog post, Symantec researcher Joji Hamada reported that this type of
malware has come to Android, and it's even more aggressive than the
typical Windows fake antivirus. Symantec calls the malware sample
featured in this post Android.Fakedefender, because it installs as a
trial version calling itself Android Defender. The typical Windows-based fake antivirus programs attempt to scare
the user into paying for a registered version by displaying frightening
scan results, hence the name scareware.
They work hard to look just like a valid antivirus, to the point that
some even offer tech support. It's not uncommon for victims to express
outrage when a legitimate security product removes the fake one: "Hey,
that's my antivirus! I paid for that!"
Porn Discovered:
In what may be an attempt to
discourage you from seeking help, the fake antivirus reports that it has
detected malware attempting to steal pornographic content from the
phone. How embarrassing! At this point, you can't delete the fake
antivirus and can't launch any other apps. The only way to recover,
short of a hard reset, is to purchase the full version. It's effectively
holding your phone for ransom. Hamada didn't state whether paying the
ransom actually unlocks the phone. F-Secure's Mikko Hypponen has gone on record stating that the biggest threat for Android users is losing your phone,
not malware. Hamada begs to differ, pointing out that malware like this
is really, really hard to remove once it gets a foothold. He advises
running mobile security software to keep threats like this from
installing in the first place.
Malware is a business; people make their living writing and distributing
it. Exploit kits are an effective and streamlined methodology of
distributing malware; they allow the Bad Guys to distribute payloads at a
higher level than we have seen in the past. For this reason we've seen
exploit kits grow in popularity over the last few years.
BlackHole is
the most famous and the most utilized exploit kit these days, but that
doesn’t mean there aren’t others that have the potential to compete with
it. One of them is the Sweet Orange exploit kit, which is presumably
capable of some impressive things.
Developers of Sweet Orange boast that their
creation has a small footprint, a high infection rate, and the ability
to drive 150,000 unique daily visitors to a website.
They claim that around 10% to 25% of those who land on the malicious
website will be infected, meaning that at least 15,000 bots should be
added to the botnet each day.
So far, experts have managed to identify 45 different IP addresses and
367 domains utilized by Sweet Orange, which makes the 150,000 unique
daily visitors forecast sound valid.
The SQL injection vulnerability, present in
all MyBB versions, affected the post editing section. The second flaw
allowed brute-force access because the CAPTCHA system was not effective.
An issue which prevented the editor from working in Firefox 16 and newer versions of the web browser has also been addressed.
Users are advised to immediately update their installations, but not before backing up their forum files and databases.
Those who identify similar vulnerabilities are advised to responsibly
disclose them to the vendor via their contact page or via the Private
Inquiries forum.
Some posts circulating on Facebook claim that the social
media network has partnered up with Walmart and they’re giving away free
$1,000 (764 Euro) gift cards.
“Hey friends, I got a $1000 Gift Card from WALMART
as a Christmas Gift! Get it right away! -> bil.ly,” the malicious
Facebook posts read.
Users who fall for it and click on the link are taken to a website
where they’re presented with instructions on how to provide their authentication tokens.
Then they’re asked to install a bogus Walmart Facebook app and participate in all sorts of surveys.
By doing what the scammers ask of you, you’re actually allowing them to
post on your Facebook timeline. Furthermore, by participating in the
surveys, you’re helping them make a profit.
If you did make the mistake of installing the Facebook application, then
you could be spamming the message to your friends. Clean up your
newsfeed and profile to remove references to the scam (click the “x” in
the top right-hand corner of the post).
We
came across another sample, called Trojan Upclicker, that went one step further:
using a mouse to evade automated analysis.
Per the code in Figure , the
function SetWindowsHookExA is called with 0Eh as a parameter. Per MSDN, the parameter 0Eh is used to hook the mouse. Pointer fn is the pointer to the hooked procedure in the code.
The Trojan analyzed by FireEye, Upclicker, is interesting because the
malicious code is executed only after the user clicks the left mouse
button and releases it.
Upclicker establishes malicious communication only when this particular
action is performed. Since, in sandboxes, there is no
mouse interaction, the malicious behavior of Upclicker remains dormant
in a sandbox
environment. When the code runs, it waits 300,000 milliseconds, or five minutes, before executing the DecryptCode subroutine. It then waits 20 minutes and executes the ModifyRegistry subroutine. After executing the Network_main subroutine, it waits another 20 minutes. Automated threat analysis systems only spend a small amount of time on one file, so they may not detect the code as malware.
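The two evasion behaviours described above (a mouse hook installed with idHook 0Eh and long sleeps that outlast a sandbox's observation window) can be flagged from an API-call trace. The following is an added example written for this page, not FireEye's code; the trace line format, the constructed sample trace and the two-minute sandbox window are assumptions.

```python
"""Flag Upclicker-style sandbox evasion in an API-call trace.

Added example (not FireEye's code). It scans constructed trace lines for
a low-level mouse hook installed via SetWindowsHookExA with idHook 0Eh
(WH_MOUSE_LL = 14) and for Sleep() calls whose total pushes the first
network activity past a sandbox's observation window.
The "api(arg, ...)" trace format is assumed, not any sandbox's real output.
"""
import re

WH_MOUSE_LL = 0x0E                  # 0Eh, the idHook value noted above
SANDBOX_WINDOW_MS = 2 * 60 * 1000   # assumed: the sandbox observes for 2 minutes

# Constructed sample trace mirroring the delays described in the text.
SAMPLE_TRACE = """\
SetWindowsHookExA(14, 0x00401a20, 0x00400000, 0)
Sleep(300000)
DecryptCode()
Sleep(1200000)
ModifyRegistry()
Network_main()
Sleep(1200000)
"""

CALL_RE = re.compile(r"^\s*(\w+)\((.*)\)\s*$")


def parse_trace(text):
    """Return a list of (api, args) tuples; numeric args become ints."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        api, raw = m.group(1), m.group(2)
        args = []
        for tok in filter(None, (t.strip() for t in raw.split(","))):
            try:
                args.append(int(tok, 0))   # decimal or 0x-prefixed hex
            except ValueError:
                args.append(tok)
        calls.append((api, args))
    return calls


def analyse(text, window_ms=SANDBOX_WINDOW_MS):
    """Summarise evasion indicators. Sleep time is summed only up to the
    first Network* call, because that is the activity a sandbox would miss."""
    calls = parse_trace(text)
    mouse_hook = any(api == "SetWindowsHookExA" and args[:1] == [WH_MOUSE_LL]
                     for api, args in calls)
    sleep_before_net = 0
    for api, args in calls:
        if api.startswith("Network"):
            break
        if api == "Sleep" and args and isinstance(args[0], int):
            sleep_before_net += args[0]
    return {
        "mouse_hook": mouse_hook,
        "sleep_before_network_ms": sleep_before_net,
        "outlasts_sandbox": sleep_before_net > window_ms,
        "suspicious": mouse_hook and sleep_before_net > window_ms,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_TRACE))
```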
For a long time, only two families of such malware have been known:
ZeuS-in-the-Mobile (ZitMo) and SpyEye-in-the-Mobile (SpitMo). ZitMo and
SpitMo work together with their Windows ‘brothers’. Actually, without
them, they would look like trivial SMS spy Trojans. It is necessary to
mention that during the last two years such attacks have been observed
only in some European countries like Spain, Italy, Germany, Poland and
few others.
In order to gain access to online banking
accounts, the attackers need to get a hold not only of the victim’s
username and password, but also of the mobile Transaction Authentication
Number (mTAN) that’s used for two-factor authentication.
But when the mobile version of the Carberp Trojan appeared, such attacks
became real in Russia as well. It is no secret that online banking is
becoming more and more popular in Russia, and banks are very active in
promoting online banking with various authorization methods. Carberp for Windows works in a similar way to the ZeuS Trojan. If a
user tries to login into his online banking account using a machine
infected by Carberp, the malware will modify the transaction so that
user credentials are sent to a malicious server rather than a bank
server. In addition to the login and password, cybercriminals still need
mTANs in order to confirm any money transfer operation from a stolen
account. That is why one of the Carberp modifications (we call it
Trojan-Spy.Win32.Carberp.ugu and we've added detection for it on 11th of
December) alters the online banking web page on the fly, inviting the
user to download and install an application which is allegedly necessary
for logging into the system. The user can get this link via SMS
message by entering his phone number or by scanning a QR code.
The CitMo Android Trojan works in almost the same way as ZitMo. It is
able to hide particular SMS messages and resend them to the attacker's
command server. Some versions of ZitMo resend SMS messages to particular
cell phone numbers in addition to various web servers. Known versions
of CitMo and the Windows module of Carberp
(Trojan-Spy.Win32.Carberp.ugu) work only with the remote server
‘bersta***.com’.
The State of California has mistakenly published thousands of Social Security numbers on the Internet. The list includes Medi-Cal providers in 25 California counties,
including Amador, Calaveras, Colusa, Nevada, Placer, Sutter, Tuolumne
and Yuba.
The information, belonging to Medi-Cal providers
working for In-Home Supportive Services, had been posted on the Medi-Cal
website for a period of nine days before someone noticed the error.
Individuals from 25 counties are affected by the breach. Those impacted
will be receiving notification letters and they’re being offered one
year of free credit monitoring services.
Additional measures are being deployed to avoid such incidents from occurring in the future.
The confidential information was available on the state's Medi-Cal
website for anyone to see for a period of nine days, before the mistake
was discovered and the numbers removed. Social Security numbers are a key ingredient for identity theft.
This is the second time in the past 5 months in which
In-Home Supportive Services providers are affected by a data breach.
Last time, a total of 750,000 people were exposed by a breach at the
Department of Social Services.
Internet Explorer can track your mouse anywhere on the screen, even when you aren’t browsing
A new Internet Explorer vulnerability has been discovered that allows an
attacker to track your mouse cursor anywhere on the screen, even if the
browser is minimized. All supported versions of Microsoft’s browser are
reportedly affected: IE6, IE7, IE8, IE9, and IE10.
Internet Explorer can track your mouse movements anywhere on the screen, even if the Internet Explorer window is minimized. The vulnerability is
particularly troubling because it compromises the security of virtual
keyboards and virtual keypads. And Microsoft, which was informed of the massive
potential security hole over two months ago, has no plans to fix it.
Which means that as you explore the web, the web can explore you right
back.
Internet Explorer’s event model
populates the global Event object with some attributes relating to mouse
events, even in situations where it should not. Combined with the
ability to trigger events manually using the fireEvent() method, this
allows JavaScript in any webpage (or in any iframe within any webpage)
to poll for the position of the mouse cursor anywhere on the screen and
at any time—even when the tab containing the page is not active, or when
the Internet Explorer window is unfocused or minimized. The fireEvent()
method also exposes the status of the control, shift and alt keys.
Affected properties of the Event object
are altKey, altLeft, clientX, clientY, ctrlKey, ctrlLeft, offsetX,
offsetY, screenX, screenY, shiftKey, shiftLeft, x and y.
For the data to be useful, the attacker would have to know what website
you are currently using. Given that it’s already being used by
advertisers, however, this can’t be particularly hard to achieve. They
can take note of where they place their malicious ads, and an attacker
would of course know the layout of the malicious page they design, or
the legitimate one they hijack for such a scheme.
Many Joomla and some WordPress sites exploited and hosting IFRAMES pointing to bad places:
Fake antivirus threats display a fraudulent scanning result to intimidate users into “purchasing” the fake antivirus program.
WordPress and Joomla exploits have existed for years, and cybercriminals
have thus been exploiting them for a long time. Yet the situation may
have gotten slightly more serious as of late, as there appears to be a
bulk exploit tool being used in the wild, targeting sites running both
popular content management systems, and having them serve up fake
antivirus malware to visitors.
The biggest pain is around Joomla users, particularly with extensions,
which greatly increase the vulnerability footprint, and the one thing
helping WordPress is the really nice feature of 1-button upgrades (and
upgrades which don't tend to break your website).
The IFRAMES seem to use rapidly changing FQDNs, but
the common element is /nightend.cgi?8. Two of the bad IPs that seem to
be frequent offenders are 78.157.192.72 and 108.174.52.38. Ultimately
it pulls FakeAV software to do its badness.
In other words, if you use WordPress or Joomla, get on the latest
version as soon as possible. It’s unclear how widespread this attack is,
but there is no excuse for using an insecure release of your content
management system.
Make sure all your software is up-to-date and kept that way on a regular basis.
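A site owner checking their own pages for the injected IFRAMEs described above can look for the /nightend.cgi?8 path marker, the two IPs quoted in the post, and the zero-size or hidden styling injected frames usually carry. This is an added example written for this page, not code from the original post; the sample HTML is constructed and the hidden-frame heuristics are assumptions.

```python
"""Scan HTML for injected IFRAMEs matching the campaign described above.

Added example, not the original post's code. It flags <iframe> tags whose
src path contains /nightend.cgi, whose host is one of the two IPs quoted
in the post, or that are sized 1x1 / hidden by style (common traits of
injected frames; that heuristic is an assumption). Sample page constructed.
"""
import re
from urllib.parse import urlparse

PATH_MARKER = "/nightend.cgi"
KNOWN_BAD_HOSTS = {"78.157.192.72", "108.174.52.38"}   # IPs quoted in the post

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample: one legitimate embed, one injected frame before </body>.
SAMPLE_HTML = """\
<html><body>
<h1>Site</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>content</p>
<iframe src="http://78.157.192.72/nightend.cgi?8" width="1" height="1"
 style="visibility:hidden;position:absolute"></iframe>
</body></html>
"""


def iframe_attrs(html):
    """Yield a lower-cased attribute dict for every <iframe> in the document."""
    for m in IFRAME_RE.finditer(html):
        attrs = {}
        for name, dq, sq, bare in ATTR_RE.findall(m.group(1)):
            attrs[name.lower()] = dq or sq or bare
        yield attrs


def _tiny(value):
    """True for a width/height of 0 or 1 (optionally with a px suffix)."""
    v = value.strip().lower().rstrip("px")
    return v.isdigit() and int(v) <= 1


def classify(attrs):
    """Return the reasons a frame looks injected; an empty list means clean."""
    reasons = []
    u = urlparse(attrs.get("src", ""))
    if PATH_MARKER in u.path:
        reasons.append("campaign path marker")
    if u.hostname in KNOWN_BAD_HOSTS:
        reasons.append("known bad host")
    if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
        reasons.append("1x1 frame")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by style")
    return reasons


def find_injected(html):
    """Return (src, reasons) for every suspicious frame in the page."""
    hits = []
    for attrs in iframe_attrs(html):
        reasons = classify(attrs)
        if reasons:
            hits.append((attrs.get("src", ""), reasons))
    return hits


if __name__ == "__main__":
    for src, why in find_injected(SAMPLE_HTML):
        print(src, "->", ", ".join(why))
```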
Another phishing scam that relies on the
old “account update” theme is currently making the rounds, attempting to
trick Gmail users into handing over their usernames and passwords.
Image credits: Hoax Slayer
Users who click on the links contained in the email are taken to a site that almost perfectly replicates the Gmail sign-in page.
Once they provide their usernames and passwords, victims are presented
with a second phishing page on which they’re requested to enter their
phone numbers, which are allegedly needed for verification purposes.
In the final part of the scheme, users are asked to provide an alternate email address.
Cybercriminals are leveraging the fact that it’s not difficult for
internauts to click on a link and log in to their Gmail accounts. This
is why it’s important for users to be suspicious of any notification
that claims to come from Gmail, Facebook or any other popular website.
The message is not from Gmail and the claim that users will lose their
accounts if they do not verify their information is a lie. The email is a
phishing scam designed to steal login information for Gmail and other
webmail accounts as well as trick victims into divulging their phone
numbers to Internet criminals.
Bogus Australian Power & Gas payment receipt emails carry a piece of malware that’s disguised as a harmless-looking PDF file.
Australian users should beware of emails
entitled “Approved Payment Receipt” that purport to come from the “team”
at Australian Power & Gas.
Example :
Subject: Approved Payment Receipt
Australian Power & Gas Payment Receipt
Dear Customer,
We have recently received a credit card payment from you, for
your Australian Power & Gas account. This payment has been
successfully processed and receipt details are shown below in the
attached file.
Transaction Details
Payment Time: Tue, 11 Dec 2012 07:43:54 +0900
Reference One: 2404390362
Reference Two: 01600833
Payment Receipt Number : 3530928186
Note: This payment will appear on your credit card statement with the merchant reference `Australian Power & Gas`.
Kind Regards,
The team at Australian Power & Gas
Australian Power & Gas representatives are aware of this spam campaign and they’ve even issued an alert on Facebook to warn their customers about it.
The .zip file attachment harbours a malicious .exe file. Running the
.exe file can install malware on the user's computer. If you receive one
of these bogus emails, do not open any attachments or click on any
links that it contains.