Scammers seize on tax rebates as phishing lure

Tuesday, September 7, 2010

Fraudsters have wasted no time jumping on news of a tax mix-up in the UK as a hook for scams.

Up to six million people in the UK had paid the wrong amount of tax as a result of HMRC mistakes with employee PAYE codes. Around 4.3 million are due for a refund while 1.4 million face demands to hand over an average of £1,428 each.

GFI Security has already intercepted scam emails informing prospective marks that they ought to apply for a refund by filling in a form on a fraudulent site that poses as an official Treasury site.

"The website asks for a comprehensive chunk of information including full name, address, DOB, phone number and mother's maiden name," explains GFI security researcher Chris Boyd.

A blog post by GFI Security - containing a copy of the scam email and more details on the attempted con - can be found here. The offending website has been pulled offline but the possibility of copycat scams means surfers need to remain vigilant.

The widespread tax refunds represent a rich seam for miscreants to mine. Other possible tricks, judging from past evidence, could include using promises of a tax refund to make it more likely that scam emails with infected attachments will be opened.

Spammers exploit another Facebook flaw

Spammers have taken advantage of a vulnerability in Facebook to spread auto-replicating links, a trick that makes it possible to spread crud without using social engineering.

Simply clicking on any application spam links was enough to "share" the application to the user's wall, net security firm F-Secure explains, adding that the links had stopped working by late on Monday.

While Facebook has contained this threat, others along the same lines are likely to follow, not least because spammers have taken to web 2.0 sites as channels for crud promotion or (increasingly) to distribute survey scams.

For example, comment spam promoting a survey that supposedly offered an iPad as a prize for completion was brazenly posted to a YouTube channel maintained by Sophos earlier this week, as illustrated by a blog post here.

BugTracker.NET "search.aspx" SQL Injection

BugTracker.NET is a web-based bug or issue tracker. BugTracker.NET is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to "Custom Fields" in the "search.aspx" script before using it in an SQL query. BugTracker.NET versions prior to 3.4.4 are affected.

Ref: http://sourceforge.net/projects/btnet/files/btnet_3_4_4_release_notes.txt/view

10.36.32 CVE: Not Available
Platform: Web Application - SQL Injection

BlogMan "id" Parameter SQL Injection

BlogMan is a blogging application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. BlogMan version 0.7.1 is affected.

Ref: http://sourceforge.net/projects/blogman/

10.36.31 CVE: Not Available
Platform: Web Application - SQL Injection

MS probes mystery IE bug

Microsoft is investigating reports of a new bug in Internet Explorer.

Redmond's Security Response Team (MSRT) said on Friday that it was aware of a "publicly disclosed issue involving Internet Explorer", and promised an investigation, without going into details.

Circumstantial evidence suggests Microsoft is referring to a post by security researcher Chris Evans, of Google, to a Full Disclosure mailing list on Friday, hours before MSRT's tweet.

"A nasty vulnerability exists in the latest Internet Explorer 8," Evans wrote. "I have been unsuccessful in persuading the vendor to issue a fix."

"The bug permits for example an arbitrary web site to force the victim to make tweets," he added.

The vulnerability may exist in other versions of IE and appears to be an extension of a cross-browser cross-domain theft first documented by Evans via his scarybeastsecurity blog last December. Evans claims Microsoft has been aware of the bug since 2008, producing a harmless proof-of-concept exploit to illustrate his concerns.

Rik Ferguson, a senior security consultant at Trend Micro, explained that the exploit works by stealing the (supposedly secret) credentials for an already authenticated browser session, for example Twitter. "Those credentials are then abused to send arbitrary forged content," Ferguson writes.

The vulnerability might just as easily be used by other services that use URL shortening, according to Ferguson, who says that Opera, Chrome, Firefox and Safari have all already fixed this vulnerability.

iPad scammers hack Kirstie Allsopp's Twitter

iPad scammers managed to reach a huge potential audience last weekend after they took over a Twitter profile maintained by British TV presenter Kirstie Allsopp.

Allsopp, who fronts Channel 4 property programmes Location, Location and Kirstie's Homemade Home, was tipped off about the hack by her followers after the account spewed a series of out-of-character tweets.

The updates encouraged followers of the account to apply for free iPads, a trick designed to lure victims into completing a worthless survey that also attempts to hoodwink surfers into signing up to a £4.50 a week premium rate phone scam.

Allsopp has recovered the compromised KirstieMAllsopp account, changed her password and purged the offending tweets, but cached copies of the messages are preserved for posterity in a blog post by Sophos here.

It's unclear how Allsopp's account - which boasts 47,000 followers - came to be compromised. Possible mechanisms include phishing, password guessing or malware-based attacks.

The posh presenter is far from the first celebrity or public figure to be pwned by hackers on Twitter. Other victims have included Axl Rose, UK politician Ed Miliband and Britney Spears, whose multiple Twitter hack mishaps have made her something of a poster child for celebrity microblogging insecurity.

Browser security warning lookalike pushes malware

Scareware peddlers have developed a new ruse that relies on mimicking browser warning pages.

The malicious code - dubbed Zeven - auto-detects a user's browser before serving up a warning page that poses as the genuine pages generated by IE, Firefox or Chrome. Prospective marks are warned that their systems are riddled with malware to trick them into running a fake anti-virus software package, called Win7 AV. The warnings are generated from malicious scripts planted on compromised websites.

The social engineering scam hinges on the fact that a user is more likely to trust a warning and security recommendation ostensibly generated by their browser software than a random "your security is at risk" pop-up. The Win 7 AV scareware package at the centre of the scam is served from a site designed to look like the genuine Microsoft Security Essentials website, right down to a link to the Microsoft Malware Protection Centre and a graphic illustrating awards bestowed upon Redmond's freebie security scanner tool.

A Microsoft blog post - featuring screenshots that illustrate how the malware attempts to trick marks into buying worthless insecurity software - explains the threat in greater depth here.

SQL injections dominate malware in 2010

As Gumblar named 'the most significant malware development in years'.

The number of IPS SQL injections increased substantially in the second quarter of 2010 following a downturn.

Cisco's global threat report for the second quarter of 2010 revealed that IPS SQL injection signature firings increased substantially in the period to coincide with outbreaks of SQL injection-compromised websites. It also claimed that Asprox SQL injection attacks made a reappearance in June of 2010, after nearly six months of inactivity.

Mary Landesman, senior security researcher at Cisco, told SC Magazine that this was one of the most interesting findings of the report, as web-based malware has increased and research showed that vulnerabilities in SQL servers were leading to compromised servers.

Landesman said: “SQL reappears in this period, but we can predict with some certainty where the next wave of SQL injections are coming from using our statistics.”

The report also found that 7.4 per cent of all web-based malware encounters in the first quarter of 2010 resulted from search engine queries, while nearly 90 per cent of all Asprox encounters in June of 2010 were the results of links in search engine results pages.

Asked how this figure was determined, and how it was so low considering that a recent report by Barracuda Networks found that 69 per cent of Google links were malicious, with Bing, Twitter and Yahoo not far behind, Landesman explained that the data was collected on actual user clicks and not overall detections.

She said: “This is based on actual users who encountered malware and on actual events, you can do a search and count a theoretical risk. We are reporting on actual events and I see that as a high figure and the only one that tops it is Gumblar.

“You can have a SQL injection which is only one event, yet it could be millions of sites that are affected overall. The 7.4 per cent figure is reflective of a very high number of websites, we see reports from Twitter, Facebook, web browsing and through email, there are different ways of accessing malicious content.”

The Gumblar ‘botnet’ of compromised websites was first detected by ScanSafe, who were acquired by Cisco at the end of 2009, as a collection of websites being used to distribute web-based malware.

Asked if it was still active, Landesman called it "the most significant malware development in years". She said: “We took notice of trusted websites and the themes on the website, and Gumblar took it to a new level with botnets of compromised websites.

“It attacks the site to give it total ownership and can do what the owner wants. The FTP credentials are compromised, malware has got to come from somewhere, one ‘bad’ site hosts the malware and all ‘good’ sites are outfitted with iFrames that are pointing to the ‘bad’ sites and can neuter the attack.

“Now with Gumblar, once you have a backdoor you have a ‘good’ site hosting malware and it puts more onuses on the owner of the ‘good’ site to get it cleaned up and that is a very hard effort.”

Landesman also commented that a number of copycats of Gumblar have appeared, but while the number of websites being copied is becoming smaller, the overall number of attacks is increasing, and continues to rise at a high rate.

See original article on scmagazineus.com

Secure Computing Magazine


Symantec plugs rap comp's security holes

Hack is Wack gets rickrolled.

Symantec has denied the website of its Snoop Dogg affiliated Norton marketing campaign Hack is Wack has been penetrated, despite reports of security holes.

"We have found no evidence to date that any intrusion into the site or other areas of Symantec's network or website have occurred," it said in a statement issued to UK technology publisher, The Register.

The security giant allegedly took five days and criticism from the public to plug security holes in the site.

Shortly after it launched its US Norton web campaign, which encouraged would-be rappers to upload their security inspired rhymes for a chance to meet Snoop Dogg's management, members of the public began testing Symantec's microsite for security flaws.

One of the flaws discovered was a relatively common cross-site scripting vulnerability, which allowed content from a third party site to be served on the vulnerable site.

Similar vulnerabilities were exploited by pranksters targeting Australia's major political parties in 2007.

Symantec's pranksters, however, reportedly used the flaw to "rickroll" the website - linking it to an image of 80s pop star Rick Astley.

Hundreds of iPhone users were rickrolled in 2009 after an Australian prankster replaced their wallpaper images with the pop star.

In the US where customer data breaches carry heavy penalties, Symantec was quick to confirm that no customer data had been compromised.

"Symantec takes the security of our website and microsites very seriously, and we have taken the necessary steps to resolve this issue," it said.

Copyright © iTnews.com.au . All rights reserved.


Symantec finally secures HackIsWack

Monday, September 6, 2010

Symantec has belatedly secured its laughable HackIsWack competition website.

The site - a collaboration between the security software firm and rapper Snoop Dogg - is designed to raise awareness about malware and identity theft by providing a forum for a user-generated cybercrime-themed rap competition. The site had a slow start, and currently boasts an underwhelming 22 videos.

Reg commentards have described the campaign as the most comically inept since the Don't Copy that Floppy anti-piracy screed of the 1990s, an earlier rap music meets security multi-purpose fail.

Even more embarrassingly the security giant went live with a branded site that was riddled with security holes, including a cross-site scripting flaw that amusingly lent itself to a rickrolling attack. In a statement issued over the weekend, Symantec acknowledged the problems, which it said were now resolved.

Symantec was made aware of reported vulnerabilities to the Norton Hack is Wack microsite, and we quickly took the necessary steps to enhance security on the site. We have found no evidence to date that any intrusion into the site or other areas of Symantec's network or website have occurred.

To date, Symantec can confirm that no company or customer data has been compromised or exposed. Symantec takes the security of our website and microsites very seriously, and we have taken the necessary steps to resolve this issue.

The statement fails to explain why Symantec went live with an apparently untested and seriously flawed site, which one wag suggested might have been coded by Snoop Dogg rather than an experienced security-aware web developer.

The rickrolling XSS was only the most publicised of the site's many flaws. Security blogger Mike Bailey did a good job last week in compiling a list of numerous flaws present on the site at the time, which included the caching of potentially sensitive data and upload security problems, among others.

Hack is Wack site is chock full of holes. For example, there's the publicly available, indexed cache directory with all that SQL, JSON and other data. There's the XSS vulns (HTML5 only, though it should be simple enough to rewrite), CSRF holes, and the Flash upload issues in the video upload script (a Joomla module that appears to have been used without any quality control or review despite the fact that it's currently in Alpha).

The original XSS rickrolling exploit has been blocked and, we take on trust but have not confirmed, Symantec has also mopped up the other flaws on the site.

TechCrunch purges Zeus malware attack

TechCrunch Europe has cleaned up its website following the discovery of malicious code that left visiting surfers exposed to infection by a variant of the infamous Zeus banking Trojan.

Malign script on eu.techcrunch.com attempted to serve up a malicious PDF file to readers of the news blog. The problem stemmed from a malicious iFrame in a JavaScript file that was used by the site as part of its WordPress blogging software installation.

TechCrunch responded to reports of the problem by purging the nasty code from its site, as explained in a blog post by Sophos (here) and Trend Micro.

Symantec looks to appliance, cloud-based delivery

New products delivered according to enterprise customer demand.

Security software vendor Symantec has launched its NetBackup product in appliance and cloud flavours in a bid to suit enterprise buying trends.

Acquired as part of the Symantec-Veritas merger in 2005, NetBackup was traditionally offered as a backup and recovery software suite.

But "customers are changing the way they purchase products," Symantec's executive vice president and CTO Mark Bregman told iTnews this week.

Symantec today announced its NetBackup 5000 appliance and NetBackup Cloud Storage service, which were expected to be delivered from "late 2010".

Built in partnership with Chinese hardware vendor Huawei, NetBackup 5000 could be deployed in less than 20 minutes, instead of "hours to days" of testing, implementation and support processes.

The appliance boasted up to 96 TB of global deduplication capacity, a 99 percent reduction in bandwidth consumption, and support and protection for virtual machines.

"Traditionally, we sold software," Bregman said. "The biggest thing that's new [about NetBackup 5000] is that it's an appliance, which makes it easier for a customer to deploy."

The NetBackup Cloud Storage service was similarly tailored towards enterprise buying trends, integrating Symantec software with the Nirvanix Storage Delivery Network.

It offered an "automated and policy-based backup and recovery solution" for businesses that chose to use the cloud either as a new storage tier, or as a secondary off-site location for disaster recovery.

Bregman said Symantec's cloud delivery model had "three legs": services for end-users; technology for cloud providers; and "enabling technologies" that allowed customers to utilise cloud services.

"You're going to see Symantec offer our intellectual property in many different forms," he told iTnews, noting that it had "no plans to move out of the software business".

"I think there will always be a market for software," he said. "One of the things you can be sure of in this industry is that nothing really goes away."

Enterprise Vault 9.0

The vendor also announced the latest version of its Enterprise Vault archiving technology, and Enterprise Vault Discovery Collector that searched both managed and unmanaged data sources.

Enterprise Vault 9.0 extended content source support to Microsoft Exchange Server 2010, Microsoft SharePoint Server 2010 and Domino 8.5.1.

But despite Symantec's cloud vision, it had yet to extend Enterprise Vault support to cloud-based email services such as Google's Gmail.

"While there are many enterprises talking about moving to cloud-based email, not many have actually done so," Bregman said, explaining that uptime and information management were still concerns.

He said enterprises had shifted from an infrastructure-centric model to an information focus, where data loss was a greater risk than server failure.

Symantec now had its sights set on four main areas, he said, identifying these as archiving, data loss prevention, hosted services, and enabling technology.

Of the security risks facing enterprises today, Bregman noted that there was "no perfect security, ultimately because people are involved".

In light of consumerisation and the increasing use of social networking from within the workplace, Bregman encouraged enterprises to focus on educating, rather than blocking, employees from social sites.

"When I started in the workplace, for a vast majority of people, the only time they'd see a computer would be in the workplace," he said.

"Social networking provides a very useful tool," he said, likening today's social media landscape to email in the early 90s.

USB stick with anti-terror training found outside police station

A memory stick containing anti-terror training manuals and other sensitive material was reportedly found on a street outside a Manchester police station.

The Greater Manchester Police-branded stick, which also held personnel files, was found by an unnamed businessman outside a cop shop in Stalybridge, Greater Manchester, the Daily Star on Sunday reports.

The device was branded with the GMP POTU initials of the Greater Manchester Police Public Order Training Unit and contained 2,000 files including some produced by the National Police Improvement Agency about counter-terrorism tactics. Names and ranks of officers were also found on the reportedly unencrypted device after its finder plugged it into his PC.

Superintendent Bryan Lawton, of GMP's Specialist Operations Branch, told the Press Association: "We are aware of an article relating to the finding of a memory stick belonging to GMP by a member of the public.

"We are currently looking into who this device belongs to, what information is contained on it and the circumstances surrounding its loss."

Data security firm Check Point said the incident emphasises the wider problem of poor portable data storage practices among many corporates.

Terry Greer-King, Check Point's UK managing director, said: "This incident shows yet again why data on USB drives must always be encrypted. Guidelines to staff, and security policies don't stop devices being lost or misplaced, and these simple accidents and human errors will turn into real problems if data isn't protected.

"Companies should ensure all data copied to USB sticks and CDs is automatically encrypted, and the use of all non-authorised devices controlled."

Spammers inundate Apple's new social media service Ping

No spam or URL filtering protection evident.

Spammers reacted quickly to Apple's new social media service Ping, with reports of users being bombarded with junk messages.

Ping became available with last week's iTunes 10 update, which also includes fixes for 13 flaws. The new service allows users to create a profile and “follow” friends or artists and share status updates, photos, album reviews and information about music purchases.

Sensing the popularity of the new service, criminals have already pounced. The problem for users is that Apple appears not to have implemented any spam or URL filtering protection in Ping, Chet Wisniewski, senior security adviser at Sophos, told SCMagazineUS.com.

Less than 24 hours after it launched, Ping was inundated by spam. The profiles for U2, Lady Gaga, Justin Bieber and Linkin Park have all been affected by the comment spam.

“Lady Gaga's profile is so clogged with spam that's about all that's in it,” Wisniewski said. “Any time you allow people to post a message, you are going to have spam problems. It's amusing to me that Apple would launch such a major service without considering that.”

Many of the spammed comments seen on Ping attempt to trick users into filling out affiliate marketing surveys with the lure of receiving a free iPhone 4 or other prize for their efforts, he said.

Another problem that could contribute to spam on Ping is the ease of creating a profile, Wisniewski said. The service does not require users to enter a credit card or other identification to participate.

Security experts have for some time warned that spammers aren't just distributing their unwanted messages via email anymore, he added. The comments sections on blogs and forums, as well as Facebook, Twitter and Web 2.0 platforms, are also a haven for spammers.

Apple likely anticipated its new platform would be abused, as it requires users' profile pictures to be approved before they appear, Wisniewski said. Apple is also probably filtering for offensive content, so the company probably has a way to stop the spam.

An Apple spokesperson did not respond to a request for comment.

Despite Ping's security issues, researchers recommend users download the iTunes 10 update, as it also closes 13 security holes in WebKit, an engine that is used to render the iTunes interface.

The vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition, according to an advisory posted by US-CERT.

When users download the update, Ping is not enabled by default.

See original article on scmagazineus.com

Secure Computing Magazine


SQL injections dominate malware in 2010

As Gumblar named 'the most significant malware development in years'.

The number of IPS SQL injection signature firings increased substantially in the second quarter of 2010, following a downturn.

Cisco's global threat report for the second quarter of 2010 revealed that IPS SQL injection signature firings increased substantially in the period to coincide with outbreaks of SQL injection-compromised websites. It also claimed that Asprox SQL injection attacks made a reappearance in June of 2010, after nearly six months of inactivity.

Mary Landesman, senior security researcher at Cisco, told SC Magazine that this was one of the most interesting findings of the report, as web-based malware has increased and research showed that SQL injection vulnerabilities were leading to compromised web servers.

Landesman said: “SQL reappears in this period, but we can predict with some certainty where the next wave of SQL injections are coming from using our statistics.”

The report also found that 7.4 per cent of all web-based malware encounters in the first quarter of 2010 resulted from search engine queries, while nearly 90 per cent of all Asprox encounters in June of 2010 were the results of links in search engine results pages.

Asked how this figure was determined, and how it was so low considering that a recent report by Barracuda Networks found that 69 per cent of Google links were malicious, with Bing, Twitter and Yahoo not far behind, Landesman explained that the data was collected on actual user clicks and not overall detections.

She said: “This is based on actual users who encountered malware and on actual events, you can do a search and count a theoretical risk. We are reporting on actual events and I see that as a high figure and the only one that tops it is Gumblar.

“You can have a SQL injection which is only one event, yet it could be millions of sites that are affected overall. The 7.4 per cent figure is reflective of a very high number of websites, we see reports from Twitter, Facebook, web browsing and through email, there are different ways of accessing malicious content.”

The Gumblar ‘botnet' of compromised websites was first detected by ScanSafe, which was acquired by Cisco at the end of 2009, as a collection of websites being used to distribute web-based malware.

Asked if it was still active, Landesman called it "the most significant malware development in years". She said: “We took notice of trusted websites and the themes on the website, and Gumblar took it to a new level with botnets of compromised websites.

“It attacks the site to give it total ownership and can do what the owner wants. The FTP credentials are compromised, malware has got to come from somewhere, one ‘bad' site hosts the malware and all ‘good' sites are outfitted with iFrames that are pointing to the ‘bad' sites and can neuter the attack.

“Now with Gumblar, once you have a backdoor you have a ‘good' site hosting malware and it puts more onuses on the owner of the ‘good' site to get it cleaned up and that is a very hard effort.”

Landesman also commented that a number of copycats of Gumblar have appeared, but while the number of websites being copied is becoming smaller, the overall number of attacks is increasing, and continues to rise at a high rate.
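The compromise pattern Landesman describes, legitimate pages seeded with iframes that pull content from a 'bad' host, leaves a footprint on the 'good' site that its owner can check for. The following is an added example written for this page, not Cisco's or ScanSafe's code: a small Python scanner that parses a page and flags any iframe that is hidden or 1x1, or whose src points at a host other than the site's own. The sample page, the hostnames in it and the size thresholds are constructed for illustration.

```python
"""Flag hidden or off-site <iframe> tags of the kind planted on compromised
sites (added example; constructed sample input, not real site data)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attr names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _pixels(value):
    """Leading integer of a width/height value ('0', '1px', '300'), else None."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def _is_hidden(attrs):
    """True for display:none / visibility:hidden or a frame of 1x1 or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        size = _pixels(attrs.get(dim))
        if size is not None and size <= 1:
            return True
        css = re.search(dim + r":(\d+)", style)
        if css and int(css.group(1)) <= 1:
            return True
    return False


def find_injected_iframes(html, site_host):
    """Return [{'src': ..., 'reasons': [...]}] for each suspicious iframe.

    site_host is the hostname the page legitimately lives on. Any absolute src
    on another host is reported; subdomains are reported too, so whitelist the
    ones you really use before alerting on this in production.
    """
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != site_host.lower():
            reasons.append("off-site src host " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or 1x1 frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate widget and two planted frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/widgets/calendar" width="300" height="200"></iframe>
<iframe src="http://bad.example.net/in.php" width="0" height="0" style="visibility: hidden"></iframe>
<iframe src="/embed/player" style="width:1px;height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_injected_iframes(SAMPLE_PAGE, "www.example.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it over a crawl of your own site, not someone else's; the third sample frame shows why the off-site test alone is not enough, since a backdoored site in the Gumblar mould serves the malicious frame from a path on the 'good' host itself.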

See original article on scmagazineus.com

Secure Computing Magazine


Google pays $8.5m to settle Buzz privacy invasion suit

Sunday, September 5, 2010

Google has agreed to pay $8.5 million to settle a class action lawsuit claiming it violated the privacy of Gmail users when it released Google Buzz, a Gmail bolt-on that turned the email service into a Tweetbookish social networking tool.

The suit in question consolidates several civil cases filed against the company over Google Buzz, which was rolled out to all Gmail users in February before it had been publicly tested. By default, Buzz automatically exposed users' most frequent Gmail contacts to the public internet. You did have the option of hiding the list from the public view, but many complained that the checkbox that let you do so was less than prominently displayed.

Within days, Google agreed to move the checkbox to a more prominent position, and it rejiggered the way it handles user contacts. But this didn't prevent a spate of lawsuits.

In settling the consolidated case, Google will create an $8.5 million fund that will be used to distribute awards to organizations focused on internet privacy or privacy education. It will also be used to pay the lawyers and the class representatives, i.e. the people who sued.

Clearly, Google is desperate to challenge the Facebooks of the world with a widely used social networking service of its own, which would expand its efforts to collect data on users that can then be used to target ads. But like Orkut before it, Buzz hasn't exactly achieved that goal, judging from anecdotal evidence at least. Google has not said how many people actually use the service.

Nigerian man gets 12 years for $1.3m 419 scam

Saturday, September 4, 2010

A Nigerian man has been sentenced to more than 12 years in US prison for orchestrating an advance payment scam that bilked victims out of more than $1.3m.

Okpako Mike Diamreyan, 31, was ordered to serve 151 months in federal prison and pay a little more than $1m in restitution to the 67 victims he was convicted of scamming between 2004 and 2009. The rare conviction was the result of his relocation to the US in 2008, when he married an American citizen. Rather than capitalizing on the opportunity to start a new life, he used it to ramp up his email-based scheme, a type of fraud often referred to as a 419 scam, after the section of the Nigerian penal code that makes such schemes illegal.

"i want to forget america and come back home . . . once i take like 1m or half m i don forget this place," Diamreyan told an accomplice, according to court records. He routinely referred to his marks as "mugu," which means "fool" in Nigerian pidgin.

According to prosecutors, Diamreyan and his accomplice worked doggedly to dupe their victims, calling one victim more than 1,200 times over a two-year period. He claimed to have various consignments stored in Ghana worth millions and promised his marks a 20-percent commission in exchange for financial help in transferring funds to the US. To back up his claims, he provided fraudulent documents.

Ironically, the Nigerian citizen, who sometimes resided in Ghana, only stepped up the scam once he moved to the US, since many of the victims were more comfortable dealing with a person who was already on American soil, prosecutors said. Many of the marks were conned out of hundreds of thousands of dollars.

The prison sentence was at the low end of the 151 months to 188 months prosecutors had sought. The feds argued that a stiff sentence was necessary because Diamreyan was otherwise likely to return to Nigeria, where he would be free to continue the scam with impunity.

"Therefore, the only way to protect the public from further crimes by the defendant is to incarcerate him for a lengthy period of time," they wrote in a sentencing memorandum.

Prosecutors said the $1.3m loss to victims was a conservative estimate, because it included only those who had direct dealings with Diamreyan. The feds conceded the likelihood of him paying the restitution was slim. The sentencing memo is here.

Spammers latch onto Ping to pump iPhone survey scams

Friday, September 3, 2010

Spammers have been quick off the mark in exploiting Apple's new iTunes social network to punt survey scams.

Ping only launched on Wednesday but is already being deluged with scams and spam messages, some attempting to dupe surfers into wasting their time completing online surveys under the false promise that they stand a chance of receiving a free iPhone in return for their efforts.

The service, built into the latest version of iTunes, gives users the ability to build networks of friends and share musical tastes or make suggestions. It also allows users to post comments, a facility spammers have been quick to latch onto and exploit for their own nefarious purposes.

Survey scams have become endemic on Facebook over recent months. A lack of filtering on Ping means the fraudsters have gained a new forum through which to peddle scams, net security firm Sophos warns.

"Most of the security industry has been pointing out the migration of spam from an email-only venture to blog/forum comments, Facebook, Twitter and other Web 2.0 platforms," writes Chester Wisniewski of Sophos. "But apparently Apple didn't consider this when designing Ping, as the service implements no spam or URL filtering. It is no big shock that less than 24 hours after launch, Ping is drowning in scams and spams."

Oddly, Apple seems to have anticipated a certain degree of mischief, since uploaded profile pictures only appear after approval, a move designed to prevent Ping plumbing the mucky depths of Chatroulette. Apple is also likely to be filtering out other forms of offensive content, and that filtering could be tweaked to block spam, according to Wisniewski. In the meantime, Ping users are advised to be wary, especially of suspiciously generous offers.

More details of the Ping spam attacks, including screenshots, can be found in a write-up here.

Sun Tzu's 13 lessons to combat hackers

AISA national director Keith Price rewrites the art of (cyber) war.

In January, it was discovered that more than 75,000 computer systems in 2500 companies around the world were hacked in one of the largest and most sophisticated attacks by cyber criminals.

And a month later we saw the Australian Parliament website shuttered by hackers protesting the Federal Government's ISP internet filter.

A company's digital presence can be attacked for social and political reasons ("hacktivism"), for extortion, for espionage, or simply as digital graffiti.

To defend ourselves against cyber assaults, we look to military doctrine because much in information security stems from concepts such as need to know, least privilege, defence in depth, diversity of defence, choke point and other war strategies.

When considering the topic I thought of Sun Tzu's Art of War, the 2500-year-old Chinese military treatise. It teaches that success depends on timely information, preparation, organisation, communication, motivation, execution and leadership. General Sun Tzu said wars were won by those who have the greatest competitive advantages and who make the fewest mistakes.

Start your journey through 13 principles from The Art of War applied to cyber warfare by clicking over the page to the first lesson, defending your virtual shop front or dip in at any point using the drop-down index below.

About the writer

Keith Price is the national director of the Australian Information Security Association. He started his career more than 20 years ago and now specialises in ICT risk management, strategy and governance. His experience spans consulting, banking, insurance and utilities in Australia, Britain and the US.


Microsoft freshens retro code lock-down tool

Microsoft has released a new version of a software tool that developers and administrators can use to harden older applications against common vulnerabilities.

Short for Enhanced Mitigation Experience Toolkit, EMET version 2.0 brings several new protections to operating systems and applications such as Windows XP or Internet Explorer 6, which remain widely used even though they are not as secure as more recent releases.

One additional protection is mandatory ASLR, or Address Space Layout Randomization, which forces executables and libraries to load at different memory addresses each time they are loaded, even for modules that were not built to opt in to randomization. Making it hard to predict where code, data and shellcode will end up significantly lessens the severity of attacks that exploit buffer overflows and similar memory-corruption vulnerabilities, since most such exploits depend on a reliable address to jump to.

Version 2 also offers Export Address Table Access Filtering (EAF), which is designed to break shellcode by blocking the reads it makes of the export tables of core system libraries such as kernel32.dll and ntdll.dll in order to look up the addresses of the APIs it needs. The updated program also includes Structured Exception Handler Overwrite Protection (SEHOP), Data Execution Prevention (DEP), Heap Spray Allocation and Null Page Allocation, which were included in Version 1.

Microsoft first rolled out EMET in October.

Microsoft has also refurbished EMET's user interface and offered a 22-page user guide (PDF), as well as this training video. Thursday's announcement is here.

Murdoch Reporters Phone-Hacking Was Endemic, Victimized Hundreds

A phone-hacking scheme involving British royals and reporters working for one of Rupert Murdoch’s tabloid newspapers went far beyond what was previously disclosed and prosecuted, according to The New York Times.

Andy Coulson, currently media advisor to British Prime Minister David Cameron, is accused of having encouraged the hacking during his tenure as editor of Murdoch’s News of the World paper.

According to the N.Y. Times, reporters working under Coulson targeted hundreds of victims — from Princes Harry and William to government and police officials and numerous celebrities, including soccer star David Beckham and his wife.

Most of the victims are only now learning that their phone voicemail accounts may have been accessed by reporters, four years after the investigation first launched. One young woman, who had previously been the victim in a high-profile sexual-assault case when she was 19, only recently received a letter confirming that her phone number was on a list of potential hack targets kept by News of the World employees.

Scotland Yard is being accused of violating the rights of victims by failing to inform them earlier that they were targeted and of purposely narrowing the investigation to a single reporter and private investigator in order to preserve a special information-sharing relationship law enforcement agents had with the tabloid. The investigation focused only on Clive Goodman, a veteran reporter who covered the royal family, and Glenn Mulcaire, a private investigator who worked for the tabloid.

Access to private voicemail messages occurred in two ways. In some cases, victims had simply neglected to change a default password phone carriers established for every new account. Anyone who knew the default four-digit code for a particular carrier — such as 1111 or 4444 — could access the accounts if they knew the victim’s phone number.

Where victims did change the password, the paper’s private investigators found another way to trick phone carriers into revealing the code. The N.Y. Times story does not detail the second method. In the United States, phone hackers have been known to use caller ID spoofing to get into a victim’s voicemail: the hacker calls the target’s mobile number after setting their own caller ID to that same number, and on some wireless carriers the call drops straight into the voicemail retrieval menu with no PIN prompt. The underlying design error is the same in both cases: the carrier treats something the caller controls or can guess (the caller ID field, an unchanged default PIN) as proof of identity.
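The two weaknesses above, a carrier-wide default PIN and caller-ID trust, are easiest to see side by side with the policy that closes them. The following simulation is an added example written for this page, not any carrier's actual logic: a 'weak' voicemail service that reproduces the behaviour the article describes, a hardened one that never treats caller ID as authentication, refuses the default PIN until the owner has set a real one and locks out after repeated failures, and a demo that runs the same two attacks against both. The mailbox numbers (from the UK's reserved drama range), PINs and the three-strike threshold are constructed for illustration.

```python
"""Simulation of the voicemail weaknesses in the article (carrier default PIN,
caller-ID trust) beside a hardened policy. Added example with constructed
numbers and PINs; not any carrier's real logic."""
from dataclasses import dataclass

DEFAULT_PIN = "1111"   # one of the carrier defaults quoted in the article


@dataclass
class Mailbox:
    number: str
    pin: str = DEFAULT_PIN
    pin_changed: bool = False
    failures: int = 0
    locked: bool = False


class WeakVoicemail:
    """A call whose caller ID equals the mailbox number drops straight into the
    retrieval menu, and a never-changed default PIN is accepted from anywhere."""

    def __init__(self, mailboxes):
        self.boxes = {m.number: m for m in mailboxes}

    def retrieve(self, mailbox_number, caller_id, pin=None):
        box = self.boxes[mailbox_number]
        if caller_id == mailbox_number:   # caller ID is attacker-controlled
            return True
        return pin == box.pin             # DEFAULT_PIN still works here


class HardenedVoicemail:
    """Caller ID is never treated as authentication, the default PIN is refused
    until the owner sets a real one, and repeated failures lock the mailbox
    (the threshold is an assumption made for the example)."""

    MAX_FAILURES = 3

    def __init__(self, mailboxes):
        self.boxes = {m.number: m for m in mailboxes}

    def set_pin(self, mailbox_number, current_pin, new_pin):
        """Owner-initiated PIN change; rejects the default and all-same-digit PINs."""
        box = self.boxes[mailbox_number]
        weak = (len(new_pin) < 4 or not new_pin.isdigit()
                or new_pin == DEFAULT_PIN or len(set(new_pin)) == 1)
        if box.locked or current_pin != box.pin or weak:
            return False
        box.pin, box.pin_changed, box.failures = new_pin, True, 0
        return True

    def retrieve(self, mailbox_number, caller_id, pin=None):
        box = self.boxes[mailbox_number]
        if box.locked:
            return False
        # caller_id is deliberately ignored: it is data, not authentication
        if box.pin_changed and pin == box.pin:
            box.failures = 0
            return True
        box.failures += 1
        if box.failures >= self.MAX_FAILURES:
            box.locked = True
        return False


def demo():
    """Run the same two attacks against both systems; returns the outcomes."""
    target = "07700900123"            # constructed number (UK drama range)
    weak = WeakVoicemail([Mailbox(target)])
    hard = HardenedVoicemail([Mailbox(target)])
    hard.set_pin(target, DEFAULT_PIN, "2580")   # owner sets a real PIN
    other = "07700900999"             # the attacker's (or owner's) real line
    return {
        "weak_spoofed_caller_id": weak.retrieve(target, caller_id=target),
        "weak_default_pin": weak.retrieve(target, other, DEFAULT_PIN),
        "hard_spoofed_caller_id": hard.retrieve(target, caller_id=target),
        "hard_default_pin": hard.retrieve(target, other, DEFAULT_PIN),
        "hard_owner_with_pin": hard.retrieve(target, other, "2580"),
    }


if __name__ == "__main__":
    for case, got_in in demo().items():
        print(f"{case:24s} -> {'ACCESS' if got_in else 'denied'}")
```

The lockout is a trade-off: three wrong guesses from anyone denies the owner too, which is why real deployments pair it with an out-of-band reset rather than a helpdesk that can be talked into reading out the PIN, the very channel the article says the investigators exploited.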

Although Coulson has long insisted he knew nothing about the illegal activity, sources who worked at the tabloid told the N.Y. Times Coulson not only knew about it, he actively encouraged it. A dozen former reporters said the hacking was so pervasive at News of the World that everyone knew about it. “The office cat knew,” one longtime reporter said.

It all began to unravel in November 2005, when three aides to the royal family noticed that new voicemail messages received on their mobile phones were appearing in their mailboxes as if they’d already been listened to and saved. Then stories about Prince William began appearing in News of the World that made them think their phone accounts had been compromised.

Scotland Yard’s counterintelligence division, which handles the security of the royal family, launched an investigation, which ultimately focused on Goodman and Mulcaire. For six months, officials tracked the two suspects as they hacked into the voicemail accounts of royal family members and workers in the royal household.

In one message retrieved from Prince Harry’s phone, his brother William teased him about a minor scandal that hit the papers involving Harry and a stripper. Harry’s girlfriend Chelsy was apparently upset over the incident, and William called to tease his brother. News of the World boldly quoted his voice mail message in a story.

When police raided Mulcaire’s home, they found dozens of notebooks and computer files containing 2,978 complete or partial mobile phone numbers of potential victims, 91 mobile phone PIN codes, and 30 tape recordings made by Mulcaire. Mulcaire and Goodman were charged with conspiracy to unlawfully intercept communications, and that’s where the investigation ended. Police never questioned other reporters or editors at News of the World.

In the course of their investigation, Scotland Yard alerted only five other victims — whose names appeared in the indictments against Goodman and Mulcaire — and a handful of other people “with national security concerns: members of the government, the police and the military.”

George Galloway, a member of Parliament, was among those alerted, as were Gordon Taylor, chief executive of the Professional Footballers Association; Simon Hughes, a member of Parliament; supermodel Elle Macpherson; Max Clifford, a top public-relations agent who often fed exclusive gossip to News of the World but had fallen out with the tabloid shortly before his voicemail account was breached; and Sky Andrew, who represented top soccer stars.

Goodman and Mulcaire pleaded guilty to unlawful interception and were sentenced to several months in prison. They also lost their jobs with News of the World, but then sued for wrongful dismissal.

Mulcaire got 80,000 pounds (about $120,000) from the media outlet, and Goodman received an undisclosed amount. Coulson resigned from his management job, but was then hired as head of communications for the Conservative Party.

Then the lawsuits began. Taylor, one of the victims, sued the media outlet and received 700,000 pounds (more than $1 million) in a settlement, including legal expenses.

Clifford, another victim, didn’t have to sue. Instead he reached an agreement with his old media partner: In exchange for receiving 1 million pounds (about $1.5 million), the PR rep would resume feeding exclusive gossip to the paper.

Now five other victims have filed lawsuits against News Group Newspapers, the Murdoch division that oversees News of the World. The suits will likely increase as more people learn they were victims. Another suit is being prepared against Scotland Yard.


Evil Eric Schmidt Debuts in Video Targeting Google Privacy

A creepy caricature of Google CEO Eric Schmidt drives an ice cream truck in this video produced by a consumer group targeting the search giant for its data collection practices.

The video is part of a lobbying effort by Consumer Watchdog to get the government to create a so-called “Do Not Track Me” list “to prevent online companies from gathering our personal information, just as Congress had the Federal Trade Commission create a Do Not Call list to prevent intrusive telemarketers.” The group says it has paid to have a version of the video shown 36 times per day on a jumbotron in Times Square.

It’s not the first anti-Google antic from the group, which is largely funded by legal fees, the Rose Foundation, the Streisand Foundation, the Tides Foundation and others. Last month the group announced it had parked outside lawmakers’ Washington-area residences to determine whether they had unsecured Wi-Fi networks that might have been sniffed by Google as part of the internet giant’s Street View and Google Maps program.

The group did that in an unsuccessful bid to bring attention to the Google Wi-Fi debacle and get the House Energy and Commerce Committee to haul Google executives in for questioning. Once there, the group wanted Google to explain why, for three years, Google was sniffing data from unencrypted Wi-Fi networks in neighborhoods in dozens of countries.

Google, which owns YouTube, has said that the collection was a mistake, but legal.

Consumer Watchdog’s brief video capitalizes on the Wi-Fi issue and Schmidt’s previous statement about privacy: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”


PHP City Portal "login.php" Multiple SQL Injection Issues

PHP City Portal is a PHP-based content management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user supplied data to the "req_username" and "req_password" parameters of the "login.php" script.

Ref: http://www.securityfocus.com/bid/42536/references

10.35.24 - CVE: CVE-2009-4870
Platform: Web Application - SQL Injection
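The advisory names the flaw class but not the code. The following is an added example for this page, a Python/sqlite3 reconstruction of the pattern behind it rather than PHP City Portal's own (PHP) code: a login query that pastes req_username and req_password straight into SQL text, beside the parameterised form that fixes it. The table, the single account and the two payloads are constructed; the payloads are the textbook bypasses for this flaw class, not payloads reported against this product.

```python
"""String-built login query (the flaw class in the advisory) beside the
parameterised fix. Added Python/sqlite3 reconstruction; constructed data."""
import sqlite3


def make_db():
    """In-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, req_username, req_password):
    """Mirrors the flaw: request parameters become part of the SQL statement."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (req_username, req_password))
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, req_username, req_password):
    """Same query, but the values travel as bound parameters, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (req_username, req_password)).fetchone()
    return row is not None


# Textbook authentication-bypass inputs, generic to the flaw class: a comment
# marker that drops the password check, and a tautology that makes the WHERE
# clause always true.
PAYLOADS = {
    "comment_out_password": ("admin' --", "whatever"),
    "tautology": ("x' OR '1'='1", "x' OR '1'='1"),
}


def compare(payload_name):
    """Return (vulnerable_result, fixed_result) for one payload."""
    user, pw = PAYLOADS[payload_name]
    conn = make_db()
    return login_vulnerable(conn, user, pw), login_fixed(conn, user, pw)


if __name__ == "__main__":
    for name in PAYLOADS:
        vuln, fixed = compare(name)
        print(f"{name:22s} vulnerable={str(vuln):5s} fixed={fixed}")
```

In PHP the equivalent fix is a prepared statement through PDO or mysqli with bound parameters; escaping the two parameters by hand is the weaker option because every new query site has to remember to do it.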

iTunes update plugs WebKit flaw

The latest version of iTunes for Windows addresses 13 security vulnerabilities, as well as adding much-publicised social networking functionality.

iTunes 10 for Windows addresses flaws in the media player's embedded WebKit rendering engine that were fixed in Safari late last month, with versions 5.0.1 and 4.1.1 of Apple's browser.

Apple's advisory on the security content of iTunes 10 can be found here.

Symantec Snoop Dogg rap contest site rickrolled

Symantec's attempt to team up with Snoop Dogg on a cybercrime rap contest has descended into farce after it emerged that vulnerabilities in the dedicated contest site allow it to be easily rickrolled.

The HackIsWack.com site was reportedly taken down for maintenance on Tuesday but still harbours cross site scripting security problems, as illustrated here.

Would-be rappers are invited to post a rap on the topic of cybercrime for a chance to win a ticket to a Snoop gig in LA and a laptop running Norton Internet Security 2011. The contest is restricted to US residents and has attracted just seven entries thus far.

The security problems with the site prompted one wag to ask on Twitter: "Did they hire Snoop Dog as just a spokesman or did he also write the code?", a negative remark embarrassingly replayed on the site itself because it carried the contest's #hackiswack tag.

Symantec's aim of raising awareness of cybercrime is laudable, and it also deserves credit for applying a bit of imagination in a bid to get its message out to the widest possible audience. However, its execution has been woeful and has invited ridicule, even before the musical quality of the entrants is considered.

Phone bugging scandal reignited as NotW suspends reporter

New allegations of phone hacking at the News of the World have resulted in the suspension of one of the Sunday paper's reporters, pending legal and disciplinary action over allegations of tapping into the voicemail messages of an unnamed television personality.

A detailed investigation by the New York Times has reignited a controversy News International officials have long sought to quench. Under scrutiny was the extent of illegal interception of public figures' mobile phone voicemail at the paper at the time it was edited by Andy Coulson, now prime minister David Cameron's director of communications.

Coulson edited the tabloid during a time when Clive Goodman, the paper's disgraced royal editor, and private investigator Glenn Mulcaire conspired to intercept voicemail messages of public figures and celebrities in order to extract news leads. The duo were convicted of tapping into the voicemail of members of the royal household and jailed back in 2007.

Coulson resigned editorship of the paper over the scandal, which News International has consistently blamed on a rogue journalist who acted without the knowledge or approval of his bosses.

Last year it emerged that News International had made a series of payouts to public figures including football players' union boss Gordon Taylor. A series of investigative pieces by the Guardian provided evidence that the use of mobile phone hacking tactics was widespread at the paper.

The articles prompted the re-opening of a Press Complaints Commission inquiry and an investigation by the House of Commons select committee.

There is also increasing pressure on the Metropolitan police to either reopen their wider investigation, or at least explain why it was dropped so quickly.

The New York Times cites former editors at the paper who said Coulson attended meetings where phone hacking was openly discussed, reopening allegations that the practice was endemic at the time he edited the paper. The NYT further alleges that police investigators failed to act on evidence that phone hacking was widespread at the paper, instead focusing their investigation on Goodman and Mulcaire. According to the paper it's only now, four years after the police investigated the case, that many of the victims are finally being notified.

Many of the hacks carried out relied simply on knowing a target's mobile phone number and hoping that they had not changed the default PIN code used by carriers, though other more sophisticated techniques were also allegedly used.

The NYT story can be found here (free registration required).

Phone bugging scandal re-ignited as NotW suspends reporter

New allegations of phone hacking at the News of the World have resulted in the suspension of one of the Sunday paper's reporters, pending legal and disciplinary action over allegations of tapping into the voicemail messages of an unnamed television personality.

A detailed investigation by the New York Times has reignited a controversy News International officials have long sought to quench. Under scrutiny was the extent of illegal wiretapping of the mobile phones of public figures at the paper at the time it was edited by Andy Coulson, prime minister David Cameron's director of communications.

Coulson edited the tabloid during a time when Clive Goodman, the papers disgraced royal editor, and private investigator Glenn Mulcaire conspired to intercept voicemail messages of public figures and celebrities in order to extract news leads. The duo were convicted of tapping into the voicemail of members of the royal household and jailed back in 2007. Coulson resigned editorship of the paper over the scandal, which News International has consistently blamed on a rogue journalist who acted without the knowledge or approval of his bosses.

Last year it emerged that News International had made a series of payouts to public figures including football players' union boss Gordon Taylor. A series of investigative pieces by the Guardian provided evidence that the use of mobile phone hacking tactics was widespread at the paper.

The articles prompted the re-opening of a Press Complaints Commission inquiry and an investigation by the House of Commons select committee.

There is also increasing pressure on the Metropolitan police to either reopen their wider investigation, or at least explain why it was dropped so quickly.

The New York Times cites former editors at the paper who said Coulson attended meetings where phone hacking was openly discussed, reopening allegations that the practice was endemic at the time he edited the paper. The NYT further alleges that police investigators failed to act on evidence that phone hacking was widespread at the paper, instead focusing their investigation on Goodman and Mulcaire. According to the paper it's only now, four years after the police investigated the case, that many of the victims are finally being notified.

Many of the hacks carried out relied simply on knowing a target's mobile phone number and hoping that they had not changed the default PIN code used by carriers, though other more sophisticated techniques were also allegedly used.

The NYT story can be found here (free registration required).

Sun Tzu's 13 lessons to combat hackers

AISA national director Keith Price rewrites the art of (cyber) war.

In January, it was discovered that more than 75,000 computer systems in 2500 companies around the world were hacked in one of the largest and most sophisticated attacks by cyber criminals.

And a month later we saw the Australian Parliament website shuttered by hackers protesting the Federal Government's ISP internet filter.

A company's digital presence can be attacked for social and political reasons ("hactivism"), for extortion, espionage and digital graffiti.

To defend ourselves against cyber assaults, we look to military doctrine because much in information security stems from concepts such as need to know, least privilege, defence in depth, diversity of defence, choke point and other war strategies.

When considering the topic I thought of Sun Tzu's Art of War, the 2500-year-old Chinese military treatise. It teaches that success depends on timely information, preparation, organisation, communication, motivation, execution and leadership. General Sun Tzu said wars were won by those who have the greatest competitive advantages and who make the fewest mistakes.

Start your journey through 13 principles from The Art of War applied to cyber warfare by clicking over the page to the first lesson, Defending your virtual shop front or dip in at any point using the drop-down index below.

About the writer

Keith Price is the national director of the Australian information Security Association. He started his career more than 20 years ago and he now specialises in ICT risk management, strategy and governance. His experience spans consulting, banking, insurance and utilities in Australia, Britain and the US.


Evil Eric Schmidt Debuts in Video Targeting Google Privacy

A creepycaricatureof Google CEO Eric Schmidt drives an ice cream truck in this video produced by a consumer group targeting the search giant for its data collection practices.

The video is part of a lobbying effort by Consumer Watchdog to get the government to create a so-called “Do Not Track Me” list “to prevent online companies from gathering our personal information, just as Congress had the Federal Trade Commission create a Do Not Call list to prevent intrusive telemarketers.” The group says they’ve paid to have aversion of the video shown 36 times per day on a jumbotron in Times Square.

It’s not the first anti-Google antic from the group, which is largely funded by legal fees, the Rose Foundation, Streisand Foundation, Tides Foundation and others. Last month the group announced it hadparked outside lawmakers Washington-area residences to determine whether they had unsecured Wi-Fi networks that might have been sniffed by Google as part of the internet giants Street View and Google Maps program.

The group did that in an unsuccessful bid to bring attention to the Google Wi-Fi debacle and get the House Energy and Commerce Committee to haul Google executives in for questioning. Once there, the group wanted Google to explain why, for three years, Google was sniffing data from unencrypted Wi-Fi networks in neighborhoods in dozens of countries.

Google, which owns YouTube, has said that was a mistake, but legal.

Consumer Watchdog’s brief video capitalizes on the Wi-Fi issue and Schmidt’s previous statement about privacy: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”

See Also:

  • Google Wins Viacom Copyright Lawsuit
  • Google Books Fosters Intellectual, Legal Crossroads
  • Former Prosecutor: Google Wi-Fi Snafu ‘Likely’ Illegal
  • Lawyers Claim Google Wi-Fi Sniffing ‘Is Not an Accident’
  • Consumer Group Sniffs Congresswoman’s Open Wi-Fi
  • Privacy in Peril: Lawyers, Nations Clamor for Google Wi-Fi Data
  • Packet-Sniffing Laws Murky as Open Wi-Fi Proliferates

Murdoch Reporters’ Phone Hacking Was Endemic, Victimized Hundreds

A phone hacking scheme involving British royals and reporters working for one of Rupert Murdoch’s tabloid newspapers went far beyond what was previously disclosed and prosecuted, according to the New York Times.

Andy Coulson, who is currently media advisor to British Prime Minister David Cameron, is accused of having encouraged the hacking during his tenure as editor of Murdoch’s News of the World paper.

According to the Times, reporters working under Coulson targeted hundreds of victims — from Princes Harry and William to government and police officials and numerous celebrities, including soccer star David Beckham and his wife.

Most of the victims are only now learning that their phone voicemail accounts may have been accessed by reporters, four years after the investigation first launched. One young woman, who had previously been the victim in a high-profile sexual-assault case when she was 19, only recently received a letter confirming that her phone number was on a list of potential hack targets kept by News of the World employees.

Scotland Yard is being accused of violating the rights of victims by failing to inform them earlier that they were targeted and of purposely narrowing the investigation to a single reporter and private investigator in order to preserve a special information-sharing relationship law enforcement agents had with the tabloid. The investigation focused only on Clive Goodman, a veteran reporter who covered the royal family, and Glenn Mulcaire, a private investigator who worked for the tabloid.

Access to private voicemail messages occurred in two ways. In some cases, victims had simply neglected to change a default password phone carriers established for every new account. Anyone who knew the default four-digit code for a particular carrier — such as 1111 or 4444 — could access the accounts if they knew the victim’s phone number.

Where victims did change the password, the paper’s private investigators found another way to trick phone carriers into revealing the code. The Times story does not detail the second method. In the U.S., phone hackers have been known to use caller I.D. spoofing to access a victim’s voicemail. The hacker calls the target’s cell phone after setting their caller I.D. to the same number, which on some wireless carriers will drop the call right into the voicemail retrieval menu.

Although Coulson has long insisted he knew nothing about the illegal activity, sources who worked at the tabloid told the Times Coulson not only knew about it, he actively encouraged it. A dozen former reporters said the hacking was so pervasive at News of the World that everyone knew about it. “The office cat knew,” one longtime reporter said.

It all began to unravel in November 2005 when three aides to the royal family noticed that new voicemail messages received to their mobile phones were appearing in their mailboxes as if they’d already been listened to and saved. Then stories about Prince William began appearing in News of the World that made them think their phone accounts had been compromised.

Scotland Yard’s counterintelligence division, which handles the security of the royal family, launched an investigation, which ultimately focused on Goodman and Mulcaire. For six months, officials tracked the two suspects as they hacked into the voice mail accounts of royal family members and workers in the royal household.

In one message retrieved from Prince Harry’s phone, his brother William teased him about a minor scandal that hit the papers involving Harry and a stripper. Harry’s girlfriend Chelsy was apparently upset over the incident, and William called to tease his brother. News of the World boldly quoted his voice mail message in a story.

When police raided Mulcaire’s home, they found dozens of notebooks and computer files containing 2,978 complete or partial mobile phone numbers of potential victims, 91 mobile phone PIN codes, and 30 tape recordings made by Mulcaire. Mulcaire and Goodman were charged with conspiracy to unlawfully intercept communications, and that’s where the investigation ended. Police never questioned other reporters or editors at News of the World.

In the course of their investigation, Scotland Yard alerted only five other victims — whose names appeared in the indictments against Goodman and Mulcaire — and a handful of other people “with national-security concerns: members of the government, the police and the military.”

George Galloway, a member of Parliament, was among those alerted, as were Gordon Taylor, chief executive of the Professional Footballers Association; Simon Hughes, a member of Parliament; supermodel Elle Macpherson; Max Clifford, a top public-relations agent who often fed exclusive gossip to News of the World but had fallen out with the tabloid shortly before his voicemail account was breached; and Sky Andrew, who represented top soccer stars.

Goodman and Mulcaire pleaded guilty to unlawful interception and were sentenced to several months in prison. They also lost their jobs with News of the World, but then sued for wrongful dismissal. Mulcaire got 80,000 pounds from the media outlet, and Goodman received an undisclosed amount. Coulson resigned from his management job, but was then hired as head of communications for the Conservative Party.

Then the lawsuits began. Taylor, one of the victims, sued the media outlet and received 700,000 pounds in a settlement, including legal expenses. Clifford, another victim, didn’t have to sue. Instead he reached an agreement with his old media partner — in exchange for receiving one million pounds, the PR rep would resume feeding the paper exclusive gossip.

Now five other victims have filed lawsuits against News Group Newspapers, the Murdoch division that oversees News of the World. The suits will likely increase as more people learn they were victims. Another suit is being prepared against Scotland Yard.

Photo courtesy chrstopher/Flickr

See Also:

  • iPhone Jailbreaking Could Crash Cellphone Towers, Apple Claims
  • International Phone Hacking Ring Busted; Stole $55 Million Worth of Calls
  • Teenage Hacker Is Blind, Brash and in the Crosshairs of the FBI

Microsoft freshens retro code lock-down tool

Microsoft has released a new version of a software tool that developers and administrators can use to harden older applications against common vulnerabilities.

Short for Enhanced Mitigation Experience Toolkit, EMET version 2.0 brings several new protections to operating systems and applications such as Windows XP or Internet Explorer 6, which remain widely used even though they are not as secure as more recent releases.

One additional protection is mandatory ASLR, or Address Space Layout Randomization, which loads executable code in different memory locations each time it is called. Making it hard to predict where shell code will be located significantly lessens the severity of attacks that exploit buffer overflows and similar software vulnerabilities.

Version 2 also offers Export Address Table Access Filtering, which is designed to break shell code by blocking access to the application programming interfaces it needs to be executed. The updated program also includes Structured Exception Handler Overwrite Protection (SEHOP), Data Execution Prevention (DEP), Heap Spray Allocation and Null Page Allocation, which were included in Version 1.

Microsoft first rolled out EMET in October.

Microsoft has also refurbished EMET's user interface and offered a 22-page user guide (PDF), as well as this training video. Thursday's announcement is here.

iTunes update plugs WebKit flaw

Thursday, September 2, 2010

The latest version of iTunes for Windows addresses 13 security vulnerabilities, as well as adding much-publicised social networking functionality.

iTunes 10 for Windows addresses flaws in the media player's WebKit browser that were fixed in Safari late last month with versions 5.0.1 and 4.1.1 of Apple's browser software.

Apple's advisory on the security content of iTunes 10 can be found here.

PHP City Portal "login.php" Multiple SQL Injection Issues

PHP City Portal is a PHP-based content management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user supplied data to the "req_username" and "req_password" parameters of the "login.php" script.

Ref: http://www.securityfocus.com/bid/42536/references

10.35.24 - CVE: CVE-2009-4870
Platform: Web Application - SQL Injection

Symantec and Snoop Dogg launch cybercrime rap contest

Symantec has teamed up with rapper Snoop Dogg to launch a cybercrime rap contest.

Participants are invited to bust some rhymes on the subject of malware, hacking and botnets for the chance to win an all expenses paid trip to LA to attend a Snoop gig and meet his people, if not the rapper himself. Winners get a Toshiba laptop outfitted (inevitably) with Norton Internet Security 2011.

Would-be rappers are invited to submit a two-minute rap video to www.HackIsWack.com before the 30 September deadline. The winner will be selected on the basis of "originality, creativity and message".

In the meantime the contest is being promoted via Facebook and a dedicated Twitter feed already offering nuggets of wisdom such as "dk man, iz it this spiff or iz @RealWizKhalifa from rollin 20's snoop hood lmmfao. #blackandYellow #dj #bbm".

The exercise has the laudable aim of raising awareness about cybercrime but we can't help fearing the musical results are likely to be dire. When corporate giants team with musical stars to appear "down with the kids" the results are seldom edifying.

Unfortunately early entries to the HackIsWack contest, which launched on Monday, fully vindicate these fears.

Cyber-jihadists deface home of teddy bears' picnic

Geographically mixed-up Algerian hackers made themselves look rather silly by defacing the website of an English stately home instead of Belvoir Fortress in Israel, their intended target.

Cyber-jihadis from a previously unknown group called Dz-SeC commandeered the website of Belvoir Castle to post an anti-Zionist rant along with an image of the Algerian national flag.

Belvoir Fortress was a Christian outpost during the Crusades, as explained in an Israeli government run-down on its history here.

Belvoir Castle, a Royalist stronghold during the English Civil War, by contrast, is best known these days as the host of an annual teddy bears picnic.

"We've nothing to do with the Middle-East," a Belvoir Castle spokesman told the Daily Telegraph. "I just help to organise the teddy bears' picnic. It does make more sense that they meant to target the fortress in Israel rather than the castle in Leicestershire."

The defacement has been expunged and the Belvoir Castle website restored to normal operation since the attack.

Feds crack phone clone scam that cost Sprint $15m

Federal prosecutors have uncovered a scam that used tens of thousands of cloned cellphones to defraud Sprint out of $15m in lost long distance revenue.

The operation dates back to at least the latter half of 2009, when cellular customers began complaining that they were billed for international calls they didn't make, according to court documents made public on Wednesday. When Sprint employees looked into the matter, they discovered that many of the calls were made from hundreds of miles away from where the customers lived and within minutes of other calls made from the customers' homes.

Eventually, the Sprint investigators discovered that electronic credentials belonging to tens of thousands of its customers were used to make international calls that would have cost $15m had they been billed at the going rate. What's more, many of the defrauded customers' online accounts were breached so that changes could be made to passwords, international calling features and other settings.

The fraud came to light in a criminal complaint that accused nine Sprint employees of illegally accessing customer accounts more than 16,000 times between January and June of this year. Among the information they took were the MSID, or mobile station ID, and the ESN, or electronic serial number, that are used to uniquely identify each handset on the Sprint network. By plugging the credentials into new cellphones, people were able to make phone calls that were charged to the accounts of the defrauded customers.

The complaint didn't identify the cellular carrier, but Sprint officials confirmed the fraud after its name came up during court hearings on Wednesday.

"Sprint regularly monitors and works aggressively to identify and respond to fraudulent activity," Sprint said in a statement. "The company has been assisting authorities in this case. Should a Sprint customer notice this sort of suspicious activity on their account, we would encourage them to contact our Care representatives for assistance."

Sprint has credited the defrauded customers for the value of the calls, a press release from the US Attorney in the Bronx, New York, said.

Based on the allegations, the employees charged appear to be low-level operatives who used their access to Sprint's customer database to supply the credentials to people higher up in the scam.

One defendant, Tampa, Florida-based Princetta Dorisma, said a co-worker approached her and offered $1,000 in return for information associated with a range of phone numbers, according to the complaint, which was filed in US District Court for the Southern District of New York. Dorisma received two payments of $500 in exchange for sending the customers' names, cell phone numbers and ESNs associated with each number to an email address specified by the co-worker.

The other defendants named in the complaint are Pedro Rodriguez and Johnny Santana, who worked at Sprint stores located in the Bronx; Luis Abad, Mathews Angel, Francis Lopez, and Luis Orriols, who worked at a store in North Bergen, New Jersey; and Lesly Esquea and Jacklin Volny, who also worked at a store in Tampa.

They are each charged with one count of conspiracy to commit wire fraud, access device fraud and aggravated identity theft. If convicted on all counts, they face a maximum of 32 years in prison, in addition to fines.

Data corruption takes ATO website offline

System update gone wrong.

Issues arising from an otherwise normal system update at the Australian Taxation Office (ATO) took its website offline for almost four hours yesterday.

An ATO spokesman said the website became unavailable shortly after 11am. It was restored with limited functionality at 2.45pm.

The spokesman pinned the outage on "data corruption during a normal system update process".

As of 4.30pm, further work was underway to restore full functionality to the site's drop-down menus.

Web information company Alexa found the ATO website to be the 88th most visited site in Australia.

The ATO's outage continued a series of botched IT updates this week that led to Commonwealth Bank ATM and EFTPOS malfunctions and a nine-hour-long online banking outage at Westpac.

Copyright © iTnews.com.au . All rights reserved.


Attorney: Army Disabled Manning’s Weapon Prior to Leaks

A civilian defense attorney hired recently by alleged WikiLeaks leaker Bradley Manning says the Army was so concerned about his client’s mental health prior to the alleged leaks that supervisors removed the bolt from his military weapon, disabling it.

Attorney David Coombs told CNN, however, that other than sending Manning to a chaplain for counseling, the Army did little to address its concerns about him.

“The unit has in fact documented a history, if you will, from as early as December of 2009 to May of 2010 of behavior that they were concerned about,” Coombs said, adding that Manning’s immediate supervisor “did document prolonged periods of disassociated behavior, quite a bit of nonresponsiveness from Pfc. Manning. And, again, that progressed from the very beginning of the deployment and deteriorated somewhat toward the end.”

The Army declined to comment. “This case does have worldwide visibility and [Manning’s] civilian attorney will do the best he can to defend him and that may bring up other issues other than what is currently known,” said Lt. Col. Robert Owen, spokesman for the Army at the U.S. embassy in Iraq. “But the U.S. Army is not going to react to every statement that Manning’s civilian attorney makes.”

Manning, who is being held in solitary confinement at the Navy brig at Quantico, Virginia, has invoked the Fifth Amendment and is refusing to cooperate with investigators. He’s taking medication for depression and insomnia. Coombs told CNN, however, that his client is aware of the public support for him.

“Obviously, being in solitary confinement is very difficult,” Coombs said. “But the individuals at the confinement facility are very professional. They’re doing a very good job. And he’s aware of all the people who are rallying to his support. So his spirits are relatively good. In addition, he is being treated now by a forensic psychiatrist. And he is responding positively to that treatment.”

Manning is due to be examined by a panel of three mental-health experts to determine what problems he’s suffering from now and may have been suffering from at the time of the alleged leaks.

Coombs also said that he has currently seen nothing that indicates “there’s any evidence” tying his client to the leaks. It was unclear in the interview, however, whether he’s yet received discovery material in the case. Coombs did not respond to requests for comment from Threat Level.

Manning, 22, shows in chats he conducted with former hacker Adrian Lamo, who turned him in, that he was deeply troubled and conflicted. He was socially isolated and estranged from family members and described a number of personal issues that were affecting his emotional stability. He also described a growing cynicism about U.S. foreign policy that motivated his alleged leaks to WikiLeaks.

Shortly after the alleged leaks occurred, Manning was demoted after punching a fellow soldier in the face. Manning told Lamo that as a result of the incident he was “forced” to visit behavioral health personnel for an evaluation.

He’d also been admonished in the past for referencing classified facilities in personal videos he posted to YouTube.

Manning was arrested in May after telling Lamo that he was responsible for leaking a classified 2007 video showing an Army Apache helicopter attack in Baghdad, which WikiLeaks published last April. Manning also claimed to have leaked an Army log of half a million military events in Iraq, a separate video of a military attack in Afghanistan in 2009, and 260,000 U.S. State Department diplomatic cables.

Manning was charged last month with leaking the Iraq video, and improperly downloading more than 150,000 State Department cables onto his unclassified personal computer. He’s charged with leaking more than 50 of them. The Pentagon has described Manning as a person of interest in the leaking of the 92,000-entry Afghan war log partially published by WikiLeaks in July.

WikiLeaks has never acknowledged that Manning is a source. Nonetheless the site, as well as a number of other organizations and websites, have been raising funds for Manning’s defense.

Manning isn’t the only one facing legal trouble, however.

Swedish authorities announced on Wednesday that they were re-opening a rape case against WikiLeaks founder Julian Assange. Public Prosecutions Director Marianne Ny said there was “reason to believe a crime has been committed” and that the crime was classified as rape.

She also announced she was re-classifying a second “molestation” case against Assange as one of sexual coercion and sexual molestation.

Assange, who was questioned by investigators on Tuesday, has maintained his innocence.

(Image: Anti-war protesters rally for Bradley Manning in Quantico, Virginia last month. Creative Commons photo courtesy mar is sea Y/Flickr)

See also:

  • Alleged WikiLeaks Leaker Hires Civilian Attorney
  • Mississippi Lawyer Drawn Into WikiLeaks Intrigue
  • Cyberwar Against Wikileaks? Good Luck With That
  • WikiLeaks Suspect’s YouTube Videos Raised ‘Red Flag’ in 2008
  • WikiLeaks Releases Stunning Afghan War Logs - Is Iraq Next?
  • Suspected WikiLeaks Source Described Crisis of Conscience Leading to Leaks
  • U.S. Intelligence Analyst Arrested in WikiLeaks Video Probe

Microsoft releases FixIt for critical flaw in 100 apps

Microsoft has released a software tool that helps system administrators protect PCs against a critical class of vulnerabilities found in more than 100 applications from a variety of software makers.

The FixIt Tool works only on machines that have already installed the workaround Microsoft published last week. The latest point-and-click release is designed to make the previous workaround easier to use and fine-tune a variety of settings that will ensure compatibility with applications such as Outlook 2002, members of the Microsoft Security Response Center said.

The so-called DLL hijacking threat stems from default behavior when Windows tries to load dynamic link library files used by applications that run on top of the operating system. When the current working directory is set to one controlled by the attacker, it's possible to force the OS to execute a malicious file. More than 100 applications made by Microsoft and third-party software makers have been identified as being vulnerable, including Mozilla Firefox and Thunderbird, PowerPoint, Opera and drivers for Nvidia graphics hardware.

Microsoft has yet to confirm which of its applications are vulnerable. A spokeswoman from Mozilla contacted last week didn't have a comment, either.

MSRC's Jonathan Ness and Maarten Van Horenbeeck said that the vulnerability doesn't allow a drive-by attack in which users can get exploited simply by visiting a malicious website. Nonetheless, they said the threat is real, especially for users in settings where Windows file sharing and other advanced networking options are used.

"Unfortunately, based on attack patterns we have seen in recent years, we believe it is no longer safe to browse to a malicious, untrusted WebDAV server in the Internet Zone and double-click on any type of files," they wrote. "We recommend users only double-click on file icons from WebDAV shares known to be trusted, safe, and not under the control of a malicious attacker."
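As an added example (not code from the article, Microsoft or MSRC), the PowerShell below audits and sets the system-wide registry value that Microsoft's DLL search-order workaround introduced; the value name CWDIllegalInDllSearch, its registry location and the meaning of each setting are assumed from Microsoft's published workaround, since the article does not name them.

```powershell
# Added example: audit the CWDIllegalInDllSearch setting that controls whether
# Windows searches the current working directory (CWD) when resolving DLLs.
# Value name, location and meanings are assumed from Microsoft's workaround,
# not from the article. Run in an elevated session to change the setting.

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$RegName  = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchPolicy {
    # Reads the REG_DWORD and reports what it means for DLL hijacking exposure.
    $item = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Configured = $false
            Value      = $null
            Meaning    = 'Value absent: workaround not installed, CWD is still on the DLL search path'
        }
    }
    # Get-ItemProperty returns the DWORD as a signed Int32, so 0xFFFFFFFF reads as -1;
    # reinterpret the raw bytes as an unsigned value before comparing.
    $raw   = [int]$item.$RegName
    $value = [BitConverter]::ToUInt32([BitConverter]::GetBytes($raw), 0)
    $text  = switch ($value) {
        4294967295 { 'CWD removed from the DLL search path entirely (most restrictive)' }
        2          { 'DLL loads from the CWD blocked only when the CWD is a WebDAV folder' }
        1          { 'DLL loads from the CWD blocked when the CWD is remote (WebDAV or UNC share)' }
        0          { 'Default search order: CWD is still searched (workaround present but disabled)' }
        default    { "Unrecognised value $value" }
    }
    [pscustomobject]@{
        Configured = $true
        Value      = ('0x{0:X8}' -f $value)
        Meaning    = $text
    }
}

function Set-CwdDllSearchPolicy {
    # Applies one of the documented hardening levels and returns the new state.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Strict', 'BlockRemote', 'BlockWebDav')]
        [string]$Level
    )
    $value = switch ($Level) {
        # REG_DWORD 0xFFFFFFFF is written in its signed Int32 form (-1) to avoid
        # the provider's Int32 conversion rejecting 4294967295.
        'Strict'      { -1 }
        'BlockRemote' { 1 }
        'BlockWebDav' { 2 }
    }
    New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value $value -Force | Out-Null
    Get-CwdDllSearchPolicy
}

# Report the current state; the WebDAV double-click scenario MSRC describes is
# covered by 'BlockRemote' or 'Strict'.
Get-CwdDllSearchPolicy | Format-List
```

Applying the strict level may break applications that legitimately load DLLs from their working directory, which is why Microsoft's FixIt also exposes the less restrictive levels.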

Vocus acts on DDoS

Deploys Arbor technology in network.

Vocus has taken steps to mitigate future distributed denial of service (DDoS) attacks on its network after coming under attack earlier this year.

The ASX-listed IP transit provider said it had bedded down Arbor's Peakflow SP platform in its network architecture in late July after several months of tests.

The company suffered a DDoS attack in May, months after a DDoS attack on one of its customers also caused flow-on effects on the Vocus network.

Vocus chief technical officer McDonald Richards told iTnews the company had Arbor test gear in its racks when it was hit by the May attack "but the statistics [the gear] was collecting weren't helpful for [mitigating] that attack".

"A number of our customers run hosting businesses," Richards said.

"Unfortunately those particular services tend to attract attention and a fair bit of malicious traffic against them."

He said the company had "no pervasive monitoring" system for traffic that might indicate a DDoS attack prior to it buying Arbor's boxes.

Attacks were manually dealt with, from writing scripts to capture a sample of the increased traffic to "looking in detail at what traffic it was, working out if it was malicious" and working out a way to mitigate it so it didn't impact Vocus customers.

The Arbor system would allow monitoring and mitigation of attacks "in seconds rather than minutes," Richards said.

Arbor said its Peakflow SP platform was "the de facto standard for IP flow-based network security, visibility and analysis".


Police Kill Hostage Taker Who Besieged Discovery Channel

After a daylong standoff, authorities shot and killed an armed man wearing an explosive device who had taken three hostages at the Discovery Channel’s headquarters in Silver Spring, Maryland, just outside the District of Columbia.

Most of the hundreds of employees, including children at an on-site daycare center, had already been evacuated, police said. The station was airing its normal broadcast. The three hostages were safe and out of the building, the police said.

The 43-year-old suspect, James Lee, was killed by a police officer inside the building when he pointed a handgun at one of the hostages, said Montgomery County Police Chief J. Thomas Manger. He said the explosive device “appeared to go off” when the gunman was shot inside the building. Police were combing the building in belief they might find other explosive devices.

“He pulled out the handgun he came in with and pointed it at one of the hostages,” Manger said. “But at that point, our tactical unit moved in. They shot the suspect. The suspect is deceased.”

According to a message on the savetheplanetprotest.com website believed run by Lee, the suspect demanded that the Discovery Channel broadcast its “commitment to save the planet.”

Focus must be given on how people can live WITHOUT giving birth to more filthy human children since those new additions continue pollution and are pollution. A game show format contest would be in order. Perhaps also forums of leading scientists who understand and agree with the Malthus-Darwin science and the problem of human overpopulation. Do both. Do all until something WORKS and the natural world starts improving and human civilization building STOPS and is reversed! MAKE IT INTERESTING SO PEOPLE WATCH AND APPLY SOLUTIONS!!!!

From his website, and his postings on MySpace, Lee appears to be obsessed with the work of American writer Daniel Quinn, author of a trilogy of enviro-philosophy novels. Quinn’s 1992 Ishmael “uses a style of Socratic dialogue to deconstruct the notion that humans are the end product, the pinnacle of biological evolution,” according to Wikipedia. “It posits that human supremacy is a cultural myth, and asserts that modern civilization is enacting that myth.”

Manger, the police chief, said officers were discussing his manifesto with the suspect during the standoff. “He obviously had a number of issues with Discovery,” Manger said.

In a December 2006 post to a MySpace group, Lee described being deeply affected by the trilogy. “I have an idea on how to save the world,” he wrote. “I need people.”

I finished reading the Daniel Quinn books last month. It started off just as a recommendation from a girl who worked at a coffeehouse. After being blown away from his writings, I looked up and saw… nothing. No revolution, no people demanding change, no talk, no news, nothing. There should have been something, right? Nothing.

Then I had an idea of my own. A vision on how the world could be saved. I thought about it and thought about it and it made sense. It was possible. It not unusual but not so common. It was an idea.

So here I am trying to make that idea a reality. Here I am putting my every last cent into that idea. I believe it can be done and I am taking the first few steps to make that idea a reality. So strongly do I believe it can be done that I am putting up all my own personal money, my retirement money.

He did not describe his idea, but Whois records show he registered savetheplanetprotest.com on January 7, 2008. He used the website to promote a sparsely attended February 2008 rally outside the Discovery Channel headquarters, where he demanded the cable channel adapt its programming to broadcast Quinn’s vision for how to save the planet.

During the sixth day of the protest, Lee created a small riot by throwing money in the air in front of the building. The incident was captured in a YouTube video.

Lee was arrested on the scene after the money-throwing. He resurfaced on the internet two weeks later to express disappointment over how the protest had gone.

“Yeah, I guess the world did not get saved that week as I had hoped,” he wrote. “Was that a failure? Probably. Imagine the police holding me for 2 whole weeks!!! They threw me in the nuthouse for 4 days without bond and then continued to hold me for 2 weeks total until they could ‘verify’ my address and threw me in a homeless shelter. It was total bullshit.”

Updated 17:10 EDT

Photo: Myspace


Fake TweetDeck update on Twitter leads to trojan

Updates sent by hacked Twitter accounts.

Attackers have taken to Twitter to spread malware via links pointing to what they claim is an update to the popular microblogging client TweetDeck.

A number of updates were sent from hacked Twitter accounts urging users to download a file called "tweetdeck-08302010-update.exe."

The tweets began with phrases, such as “Hurry up for tweetdeck update!” or “Download TweetDeck udate ASAP!,” and included a URL beginning with http://alturl.com/. 

The links did not lead to a legitimate TweetDeck update, but instead brought users to a trojan, according to a blog post by Graham Cluley, senior security researcher at Sophos.

Some of the malicious tweets referenced the UK's national Bank Holiday, which occurred on Monday. The tweets read, “Critical tweetdeck update Bank Holiday” and “Update TweetDeck! Bank Holiday.”

“TweetDeck itself is a British company and mention of the Bank Holiday might lead one to suspect that the bad guys behind this attack are also based in the UK,” Cluley wrote.

TweetDeck has issued a warning about the fake update and urged users against downloading it. All TweetDeck updates should be downloaded from the company's official website, the company said.

Meanwhile, Twitter said it is resetting the passwords for accounts delivering the bogus tweets.

See original article on scmagazineus.com

Secure Computing Magazine


Hardware hackers defeat quantum crypto

Security researchers using hardware hacking techniques have unearthed generic flaws in supposedly ultra-secure quantum cryptography systems.

The security of quantum cryptography hinges on using the fundamental properties of quantum physics for quantum key exchange. Any attempts to monitor this exchange would inevitably be detected as increased noise on the line and an abandoned data exchange. That principle remains solid and the attack, like others before it, relies on exploiting implementation flaws.

This particular crypto-busting technique, which uses off-the-shelf but expensive hardware, relies on remotely manipulating a photon detector at the receiver's end of a supposedly secure link. Commercial systems from MagiQ Technology's QPN 5505 and ID Quantique Clavis2 systems were demonstrated as potentially vulnerable by a team of computer scientists from Norway and Germany.

Researchers from the Norwegian University of Science and Technology (NTNU), the University of Erlangen-Nürnberg and the Max Planck Institute for the Science of Light in Erlangen are working with manufacturers to develop countermeasures. The loophole - which relies on specially tailored bright illumination - is likely to be common in most QKD systems using avalanche photodiodes to detect single photons, the researchers warn.

"Unlike previously published attempts, this attack is implementable with current off-the-shelf components," explained Dr Vadim Makarov, a researcher in the Quantum Hacking group at NTNU. "Our eavesdropping method worked both against MagiQ Technology's QPN 5505 and ID Quantique Clavis2 systems."

The hack pulled off by the team is complex and might involve an initial outlay of $50,000 or more, potentially within the reach of industrial spies and certainly in the scope of intelligence agencies.

Quantum key distribution systems became commercially available around five or six years ago and are used for the secure exchange of highly sensitive material by banks and governments, so a major up-front investment in equipment and expertise is certainly possible.

The researchers have published their preliminary findings in a letter to the August 29 edition of academic journal Nature Photonics.

An overview of the research, together with pictures of the hacking rig, can be found here.

Survey scammers serve up supposed shelter from survey scams

Cheeky scammers are offering prospective marks an application that supposedly shields them from exposure to survey scams.

Naturally, you first have to fill in a survey to install the script, which is punted through Userscripts(dot)org. Odds are that even after jumping through these hoops users will still be exposed to surveys and, possibly, left at a heightened risk of malware infection.

"'Only install scripts from sources you trust' is on the install box for a reason," security researcher Christopher Boyd, of GFI Security, notes. Boyd's write-up of the scam can be found here.

Survey scams are becoming increasingly common on social networks. Scammers (affiliates) profit from wasting surfers' time with the Web 2.0 equivalent of email spam. Often the spammers attempt to hoodwink users into signing up to premium rate SMS services.

A study by F-Secure, published last week, took advantage of the web analytics tools used by scammers to investigate the response rates of survey scams.

For example, one recent social network spam run, themed around McDonalds, attracted 32,000 clicks and a conversion rate of 40 percent.

F-Secure notes that these sizeable figures are nonetheless lower than those pulled in by earlier scams, because users are getting wise to the ruse. A survey scam that used supposed footage of a teacher beating a disobedient student pulled in 140,000 hits six weeks ago, for example.

"The 32,000 clicks is far less than similar spam from just two months ago when we saw several examples of viral links that yielded hundreds of thousands of clicks," writes Sean Sullivan, a security advisor at F-Secure.

"Returns are diminishing as people are exposed, develop a resistance, and recognise Facebook spam for what it is."

Despite increased user awareness, however, it's unlikely that survey spam scams will disappear anytime soon, F-Secure warns.

"Social networking spammers don't need to dupe very many people in order to be rewarded for their efforts," said Sullivan. "Many of the surveys lead to SMS subscriptions (particularly outside of the USA) and there's good money to be made.

"And because the conversion rates are better than e-mail spam, you can be certain that it won't be going away any time soon."
