THESE PAGES HAVE BEEN DISCONTINUED - FOR ARCHIVAL PURPOSES ONLY

Posted February 26, 2008 by David Hale in Security News
McAfee: Trojan targets Windows Mobile
February 26th, 2008
By Larry Dignan & George Ou

McAfee has unearthed a Windows Mobile PocketPC Trojan that disables security, installs via a memory card, can’t be uninstalled and makes itself your home page. According to McAfee’s Avert Labs blog, the Trojan has been discovered in China. Here’s how it works according to researcher Jimmy Shah:

WinCE/InfoJack sends the infected device’s serial number, operating system and other information to the author of the Trojan. It also leaves the infected mobile device vulnerable by allowing silent installation of malware. The Trojan modifies the infected device’s security setting to allow unsigned applications to be installed without a warning. The Trojan was packed inside a number of legitimate installation files and distributed widely. It has been distributed with Google Maps, applications for stock trading, and a collection of games.

Considering the penetration of mobile devices in Asia this malware could raise quite a ruckus. Shah reckons that WinCE/InfoJack was created by a web site that may have hired a hacker to create the malware and then distribute it. The Trojan installs as an autorun program on the memory card, installs itself when that memory card is inserted and can’t be deleted. It also becomes your home page.

ZDNET Blogs
Posted February 26, 2008 by David Hale in Security News
Agency explores feasibility of virtual worlds as terrorist havens
by Daniel Terdiman
February 26, 2008 12:11 PM PST

Over at Wired today, the eagle-eyed Ryan Singel has a story about a new U.S. government initiative intended to root out terrorists working and playing in virtual worlds. As Singel writes, the so-called Data Mining Report from the Office of the Director of National Intelligence includes information about "Reynard," a "seedling effort to study the emerging phenomenon of social (particularly terrorist) dynamics in virtual worlds and large-scale online games and their implications for the Intelligence Community."

The Data Mining Report continues, suggesting, "The cultural and behavioral norms of virtual worlds and gaming are generally unstudied. Therefore, Reynard will seek to identify the emerging social, behavioral, and cultural norms in virtual worlds and gaming environments. The project would then apply the lessons learned to determine the feasibility of automatically detecting suspicious behavior and actions in the virtual world." This leads me to several thoughts.

First, it is by no means a new theory that terrorists either might someday use, or perhaps already are using, virtual worlds to gather, train, look for love or whatever else might occur to them. Of course, it's only a theory. No one has yet proven anything untoward is happening or will happen. That doesn't mean it can't happen, but to date there's been no proof.

Still, the possibility is certainly there, and it can't hurt to have the government spend a little time and money investigating techniques for rooting out any potential terrorist activity in environments like World of Warcraft, Call of Duty 4, Second Life, or elsewhere. Secondly, I have to quibble with the report's assertion that "the cultural and behavioral norms of virtual worlds and gaming are generally unstudied."

CNET Blogs
Posted February 25, 2008 by David Hale in Security News
Critical Vulnerability Found In VMware’s Desktop Apps
February 25th, 2008
By Larry Dignan & George Ou

Core Security Technologies said Monday that it has discovered a vulnerability in VMware’s desktop virtualization software that allows an attacker to gain complete control of a system and launch executable files on the host operating system. The discovery is notable given that virtualization security is largely uncharted territory.

However, it doesn’t take a rocket scientist to figure out virtualization could be some fertile ground for hackers. Core Security also said that it has released an exploit for the VMware vulnerability to prove it exists. The release of the exploit coincides with VMware’s VMworld Europe show in France. Update: I had wondered about why the exploit was released instead of an advisory being issued.

Here’s what Core Security CTO Ivan Arce had to say: We released a security advisory that includes full technical details and proof of concept code because we believe it to be necessary to help vulnerable users to assess if they are vulnerable or not and to deploy and test their risk mitigation mechanisms. Also, there is a simple workaround to prevent exploitation that is clearly described in our and VMware’s advisory.

Our advisory includes proof-of-concept code (code designed to prove that a vulnerability exists) not a fully functional exploit. Core’s purpose in publishing security advisories is to inform potentially vulnerable organizations of security problems we’ve discovered and to provide guidance on how to address them to minimize their exposure. We’ve been doing that for free, as a way to give back to the IT security community for the past 13 years.


ZDNET Blogs
Posted February 22, 2008 by David Hale in Security News
EU seeks privacy safeguards with RFID tags
By Ryan Paul
February 22, 2008 - 09:31AM CT

The European Commission has published a preliminary draft with recommended guidelines for Radio Frequency Identification (RFID) tagging. The draft addresses privacy and security issues that arise from RFID adoption and attempts to provide guidance for those pursuing practical implementation of RFID technology.

According to the Commission, the function of the draft is to open a dialogue with major stakeholders and to devise best practices. The draft is not intended to serve as a basis for legislation directly, but in some respects it could potentially help RFID adopters comply with existing privacy and data protection laws in the EU. The draft recommends that RFID adopters conduct and make accessible to the public privacy impact assessment studies that evaluate potential security risks and countermeasures.

The draft also encourages EU member states to devise RFID certification programs in collaboration with private industry and suggests that companies developing RFID technologies could provide individual sets of privacy and security guidelines tailored to the specific applications that their products serve. The draft also says that member states could possibly have professional associations and other organizations that are closely tied to RFID technologies draft codes of conduct for RFID usage and submit them to government data protection oversight bodies for evaluation.

When RFID technologies are installed in public places, the draft suggests, implementors should publish information, including the identity of the operator, the purpose of the technologies, what data is being used and stored, and whether or not the data is available to third parties. According to the draft, public notification could potentially be done by posting a sign with the relevant information.

Ars Technica
Posted February 21, 2008 by David Hale in Security News
Russia passes China to become malware leader
by Ina Fried
February 20, 2008 4:51 PM PST

Russia has passed China to become the largest generator of spyware and other malicious code, according to a report set to be released on Friday. Security software maker PC Tools says that Russia now accounts for 27.9 percent of such software, compared with China's 26.5 percent.

The U.S., which had been the second largest producer in prior surveys, is now in third place, accounting for a hair less than 10 percent of malware. Russia is also known as a hotbed for junk e-mail, known as spam. PC Tools said that the death of Russian Business Network, a well-known malicious software distributor, has not slowed that country's production of malicious code.

"The vacuum left by the RBN has been filled by other malware distributors," PC Tools malware analyst Sergei Shevchenko said in a statement. "The bottom line is that there are more viruses and spyware coming out of Russia now than ever before and the complexity of this malware is also increasing."

In fact, he said, the now-defunct organization was easier to track than the smaller outfits that are filling its shoes. "Now we are seeing Russian malware hosting services being advertised for servers in Malaysia, China, Panama, Singapore, Thailand, Turkey and India."

CNET Blogs
Posted February 18, 2008 by David Hale in Security News
Opera screeches at Mozilla over security
By John Leyden
February 18, 2008 16:55 GMT

Opera has taken exception to the manner in which Mozilla handled the disclosure of a security bug that affects both firms' browsers. The moderate severity flaw involving file input controls creates a means to upload arbitrary files, assuming hackers know the full path and name of the file. Mozilla fixed the flaw, along with other more serious bugs, with the release of Firefox 2.0.0.12 on 7 February.

Opera, which is yet to plug the moderate risk flaw, objected to the Mozilla team publishing an advisory on the issue. Claudio Santambrogio, an Opera desktop developer, said the Mozilla team notified it of a security issue only a day before publishing an advisory. This gave the Norwegian software developers insufficient time to make an evaluation. "They did not wait for us to come back with an ETA for a fix: they kept their bug reports containing the details of the exploits closed to the public for a few days, and now opened most of them to everybody," Santambrogio writes.

Santambrogio goes on to attack Mozilla's handling of the issue, arguing that it places Opera users at unnecessary risk. "Opera is as always committed to not only protecting its users, but to making the Web a safe place. We believe in responsible disclosure of vulnerabilities affecting several vendors," Santambrogio adds. Nobody from the Mozilla Corporation was available for comment at the time of going to press.

The Register
Posted February 18, 2008 by David Hale in Technology News, Security News
After stumbling, Facebook finds a working eraser
By Maria Aspan
February 17, 2008 - 8:40 PM PST

Facebook.com, stung last week by the wrath of members who want to sever their relationships, tripped again when it tried to let them do so. But the company said over the weekend that it had fixed the problems, making it possible--and not too difficult--to delete an account from the site entirely.

The problems, which Facebook described as technical, had to do with a form it introduced last week for users who want to obliterate their accounts. Until then, deleting an account was a fairly cumbersome procedure. But as a few departing users found out, Facebook--a social-networking site that lets people create profiles of themselves and identify other people as "friends"--still had a few bugs left.

Some people who used the form discovered that only certain parts of their accounts had disappeared. Katie Geminder, Facebook's director for user experience and design, said internal adjustments to the tool used to delete accounts had created a technical snag that affected "a small percent" of Facebook users. "None of their information was exposed, but the empty account continued to exist even though all of its data had been removed," she said by e-mail.

The bug was fixed within 24 hours, she said. One such partially deleted user was Matt Dauphin, a 22-year-old office manager for an interior design firm in Tempe, Ariz., who tried to delete his account after reading about the new form last week. He received confirmation by e-mail of the deletion from Facebook's technical support team.

CNET News
Posted February 18, 2008 by David Hale in Security News
Exploiting QuickTime flaws in 'Second Life'
by Robert Vamosi
February 16, 2008 6:02 PM PST

Researchers Charlie Miller of Independent Security Evaluators, and Dino Dai Zovi, turned their attention to Second Life during a Saturday morning presentation at ShmooCon, an East Coast computer hacking conference. The researchers didn't exploit a flaw within Linden Labs' Second Life, but within QuickTime. They showed how an attacker could make money stealing from innocent Second Life victims.

Miller and Zovi are both experienced with flaws within Apple products. Miller published the first Apple iPhone flaw shortly after its release. At last year's CanSecWest security conference, Zovi exploited a QuickTime flaw to win a "PWN to Own" hack-a-Mac contest. While Second Life does not install QuickTime, it invites users to install the player if they want to see multimedia files within Second Life.

What Miller and Zovi realized is that while direct communication between an attacker and a victim within Second Life passes through the servers at Linden Labs, multimedia objects are actually stored somewhere else. Hence, an object with a multimedia link could inject malicious code. In this case, researchers exploited a recent flaw within RTSP tunneling.

For their demonstration, they created "the most evil pink box you will ever see." They could have linked their malicious code to attributes of an avatar's hair, clothes, or anything else. They also could have buried the pink box underground or otherwise hidden it, but both researchers admitted they weren't very good players within Second Life.

CNET Blogs
Posted February 15, 2008 by David Hale in Security News
Annual IBM security report paints worrisome picture for 2008
By Joel Hruska
February 14, 2008 - 09:07AM CT

IBM Internet Security System's X-Force has released its annual report (PDF) on malware trends and statistics from last year. 2007 saw some significant changes in malware distribution, and there's reason to think that some of these shifts mark the beginning of new attack patterns rather than small abnormalities. The following are some of the highlights from the report:

* Reported vulnerabilities in 2007 were down five percent compared to 2006, but the number of those vulnerabilities that were classified as severe rose by 28 percent.
* Microsoft, Apple, Oracle, IBM, and Cisco reported the most vulnerabilities, but collectively account for only 13.6 percent of all reported vulnerabilities.
* 90 percent of the 2007 vulnerabilities were exploitable from a remote location, up 1 percent from 2006.
* Most in-the-wild exploits are being generated by web toolkits. Prevalence of these toolkits has risen dramatically since they appeared in 2006.

Comparative vendor vulnerability: X-Force's report reveals several interesting facts regarding the top five vulnerable vendors and how their flaws (and procedures for fixing them) compare to the rest of the software industry. Despite opinions to the contrary, Microsoft products are not dramatically less secure than their counterparts. Microsoft reported 238 vulnerabilities out of the 6,437 X-Force tracked in 2007 (3.7 percent).

Ars Technica
Posted February 13, 2008 by David Hale in Security News, General
Bush to Congress: Pass expanded spy law, already
by Anne Broache
February 13, 2008 - 9:21 AM PST

With Congress seeking more time to finalize a soon-to-expire expansion of the government's electronic spying powers, President Bush on Wednesday issued an ultimatum: No more delays. In a brief morning speech delivered from the Oval Office, the president praised the U.S. Senate's passage on Tuesday of a six-year law that would give the administration more latitude to conduct surveillance without a court order.

The controversial measure would also immunize telephone companies from past and future lawsuits accusing them of illegal cooperation with government spy agencies. The whole package is intended to be a more permanent replacement to the so-called Protect America Act, which is scheduled to expire Saturday.

Complicating the prospects of meeting that deadline, however, is lingering disagreement over that legal immunity for corporations. The House of Representatives opted not to include such a provision in the spy law rewrite it passed last fall, which means the two chambers will have to work out their differences before they can send a final bill to the president. Democratic leaders are now arguing they need more time to do that.

Later on Wednesday, the House plans to vote on a bill that would give the chambers 21 more days to deliberate. But Bush shot down that idea in his speech on Wednesday. He said there's no excuse for the House not to accept the Senate bill, especially since it passed by a vote of 68-29, with members of both parties voting for it (not one Republican voted against that bill).

CNET Blogs
Posted February 13, 2008 by David Hale in Security News, Windows / Microsoft
MS Delivers 11 Patches, 6 Critical; Excel Flaw Left Unpatched
February 12th, 2008
By Larry Dignan & George Ou

Microsoft delivered 11 patches on Tuesday addressing 17 vulnerabilities. Six updates fix critical flaws and five address important vulnerabilities, but an already exploited Excel zero day was left unpatched. Microsoft’s advisory last week noted 12 patches fixing 7 critical vulnerabilities. One critical Windows vulnerability was cut due to quality issues.

A Microsoft spokesman did confirm that this batch of patches didn’t address the Excel flaw that was reported last month. On Jan. 16, the Microsoft Security Response Center confirmed ongoing attacks against Excel. Microsoft at the time recommended that users either run files through a tool that strips out exploit code or block Office 2003 and earlier formats except for those from trusted locations.

Given that Excel resides in every enterprise, leaving the flaw unpatched may raise some hackles. A Microsoft spokesman indicated that the Excel patch wasn’t ready for prime time. Here’s Microsoft’s statement sent to me:

Microsoft is always investigating potential and existing vulnerabilities in an effort to help protect our customers. Creating security updates that effectively fix vulnerabilities is an extensive process involving a series of sequential steps. There are many factors that impact the length of time between the discovery of a vulnerability and the release of a security update, and every vulnerability presents its own unique challenges.....

ZDNET Blogs
Posted February 12, 2008 by David Hale in Security News
Apple issues patches for Leopard and MOAB flaw from 2007
February 11th, 2008
By Larry Dignan & George Ou

Apple on Monday dropped 10 patches addressing eight vulnerabilities in Mac OS X 10.5, also known as Leopard. One patch addresses a Tiger flaw that was described on the Month of Apple Bugs web site almost a year ago. Among the highlights:

Apple issued a patch for an arbitrary code execution flaw that impacts Mac OS X 10.4.11 and its OS X Server counterpart. This directory services issue (CVE-2007-0355) was described on the Month of Apple Bugs web site. Last March Apple fixed a bunch of vulnerabilities that seemed to have vindicated MOAB hackers.

It appears Apple let one vulnerability from that project slip through. Here’s Apple’s description: A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved bounds checking. This has been described on the Month of Apple Bugs web site (MOAB-17-01-2007).

This issue does not affect systems running Mac OS X v10.5 or later. Credit to Kevin Finisterre of Netragard for reporting this issue. Aside from that MOAB flaw in Tiger, the bulk of Apple’s patch haul was designed to plug Leopard.

ZDNET Blogs
Posted February 08, 2008 by David Hale in Security News
Mozilla delivers patches for Firefox; Plugs flat file vulnerability
By Larry Dignan
February 7th, 2008

Mozilla on Friday delivered its Firefox 2.0.0.12 update including patches that fix a Web forgery flaw, browsing history and forward navigation stealing and the directory traversal via chrome, which has been the most visible vulnerability of late. According to the Firefox security advisory, Mozilla filed the following fixes in its flagship browser:

* MFSA 2008-11 Web forgery overwrite with div overlay
* MFSA 2008-10 URL token stealing via stylesheet redirect
* MFSA 2008-09 Mishandling of locally-saved plain text files
* MFSA 2008-08 File action dialog tampering
* MFSA 2008-06 Web browsing history and forward navigation stealing
* MFSA 2008-05 Directory traversal via chrome: URI
* MFSA 2008-04 Stored password corruption
* MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
* MFSA 2008-02 Multiple file input focus stealing vulnerabilities
* MFSA 2008-01 Crashes with evidence of memory corruption (rv:1.8.1.12).

The most notable of the bunch is MFSA 2008-05. This fix covered that vulnerability that allowed an attacker to run off with stored cookies and other data contained in flat files. The vulnerability was discovered by researcher Gerry Eisenhaur. On Jan. 29, Mozilla security chief Window Snyder upgraded the vulnerability and set plans for Firefox 2.0.0.12. On Jan. 22, Snyder confirmed a proof of concept vulnerability discovered by Eisenhaur on Jan. 19.

ZDNET Blogs
Posted February 08, 2008 by David Hale in Security News, Windows / Microsoft
Microsoft previews 12 security bulletins, 7 ‘critical’; Excel fix likely en route
by Larry Dignan
February 7th, 2008

Microsoft on Thursday issued advance notice of 12 security bulletins ahead of its February batch of patches with seven critical flaws affecting Vista, Internet Explorer and Office. The most notable patch will likely cover that Excel zero day vulnerability that surfaced last month.

Since Microsoft confirmed the Excel vulnerability and issued an advisory on Jan. 16 it’s a safe bet that its patches on Feb. 12 will cover it. In its advance notification posting, Microsoft said the seven critical bulletins all cover remote code execution vulnerabilities. These bulletins affect Windows XP and Vista, Office, Internet Explorer and Visual Basic.

Here’s a breakdown by product:
* Microsoft’s critical bulletins address remote code execution flaws in Microsoft Office 2004 for the Mac, Microsoft Office 2000 Service Pack 3, Microsoft Word 2000 Service Pack 3 and Microsoft Office Publisher 2002. An important bulletin was issued for Microsoft Office 2003 Service Pack 2, Microsoft Word 2002 Service Pack 3, Word 2003 Service Pack 2 and Microsoft Office 2004 for the Mac.

* Internet Explorer had a few bulletins rated critical due to remote code execution flaws. Versions affected include: IE 5.01 Service Pack (SP) 4 on Windows 2000 Service Pack 4; IE 6 SP 1 when installed on Windows 2000 SP 4; IE 6 for various flavors of XP; IE 6 for Windows Server 2003 (various flavors); IE 7 for XP, Windows Server 2003 and Vista. In a nutshell, if you have IE you’ll need these upcoming patches......

ZDNET Blogs
Posted February 07, 2008 by David Hale in Security News, Gaming News
US spooks see Sadville as potential terrorist paradise
By Dan Goodin in San Francisco
February 7, 2008 22:26 GMT

US intelligence officials are growing increasingly wary of Second Life and other virtual worlds, which they say could soon become havens for terrorists, money-launderers and criminals engaged in corporate espionage.

The virtual "communities" offer many of the same amenities of the real world, including banks, multiple currencies, shopping malls and private buildings that can only be accessed with a password. At the same time, the companies operating these virtual wastelands typically don't log conversations between users or keep records of which avatars gather in particular locations.

"Unfortunately, what started out as a benign environment where people would congregate to share information or explore fantasy worlds is now offering the opportunity for religious/political extremists to recruit, rehearse, transfer money, and ultimately engage in information warfare or worse with impunity," according to a paper recently prepared by the government's new Intelligence Advanced Research Project Activity.

It was reported here by The Washington Post. The CIA has already set up several virtual islands where training sessions and unclassified meetings are held. But the IARPA paper calls for more involvement, including tests by cyber warfare experts to gauge how virtual worlds could be used against terrorists or enemies.

The Register