
$5,000 will buy you access to another, new critical Java vulnerability (Updated)

An exploit for yet another critical Java software vulnerability began circulating online amid reports that the patch Oracle issued two days ago is incomplete.

"Based on our analysis, we have confirmed that the fix for CVE-2013-0422 is incomplete," Trend Vulnerability Research Manager Pawan Kinger wrote in a blog post. Kinger went on to explain that the vulnerability stemmed from flaws in two parts of the Java code base: one involving the findclass method and the other involving the invokeWithArguments() method. While Sunday's patch fixed the latter issue, the findclass method can still be used to get references to restricted classes, leaving a hole that attackers can exploit.

Java Still Isn’t Safe – Possible New Vulnerability

I was just guessing on Monday when I said that the Java security patch pushed by Oracle on Sunday was “too little too late.” This appears to have been a lucky good guess on my part, as word is out now that the Java browser plugin still isn’t safe.

Oracle’s Quick Java Patch - Too Little Too Late?

Despite Oracle’s assurances that it’s safe for surfers to go back in the water, security experts remain uncertain about the safety of Java. On Information Week, writer Mathew J. Schwartz quotes at least one security expert who gives the security patch a thumbs up... However, Reuters reports that the same security expert still has reservations about Java security due to other unresolved issues:

Critical Java vulnerability made possible by earlier incomplete patch

The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.

According to Gowdiak, the latest vulnerability is a holdover from a bug (referred to here as Issue 32) that Security Explorations researchers reported to Oracle in late August. Oracle released a patch for the issue in October but it was incomplete, he said in an e-mail to Ars that was later published to the Bugtraq mailing list.

Java Security Vulnerability – How To Disable Java In Linux Browsers

When the Homeland Security folks get into the mix and urge all computer users to disable Java in their browsers, you know it’s serious. Indeed, the exploit announced yesterday seems to affect all operating systems, including Linux, and it’s already being exploited. According to Trend Micro the flaw is already being used by blackhat toolkits mainly to distribute ransomware. In a blog posted yesterday, the company advises all users to disable or uninstall Java:

Critical Java zero-day bug is being “massively exploited in the wild” (Updated)

(Dan Goodin, Ars Technica) According to researchers at Alienvault Labs, the exploits work against fully patched installations of Java. Attack files are highly obfuscated and are most likely succeeding by bypassing security checks built in to the program. KrebsOnSecurity said the malware authors say the exploits work against all versions of Java 7.

Dangerous vulnerability in latest Java version

(sno, The H Security/Heise online) The latest Java version, Java 7 Update 10, contains a critical security vulnerability which is reportedly already being used for large-scale cyberattacks. Users who have Java installed on their computers should deactivate the Java plugin in their browsers without delay.

Companies Are Mining Your Facebook, Twitter Info and Selling It

Yesterday, we got a rare look at how information on your public social media profiles—including Twitter, Facebook and LinkedIn—is being harvested and resold by large consumer data companies.

Firefox 16 re-released fixing multiple vulnerabilities

The latest version of Firefox, version 16, has returned to Mozilla's servers with the release of Firefox 16.0.1 after the discovery of vulnerabilities caused the organisation to remove the just-released open source web browser from circulation.

Mozilla Yanks Firefox 16 Over Security Concerns

Mozilla on Wednesday yanked the most recent version of its Firefox browser after discovering a security vulnerability that could provide scammers with access to your browsing history.

How to check if your Android phone is vulnerable to the Remote Wipe Hack and protect against it

Check if your Android device is vulnerable to the USSD attack which can wipe it remotely and read how to protect against it.

Ubuntu has a bigger problem than its Amazon blunder

All searches performed through the Dash are sent to Amazon and Canonical: "This by itself is a problem because nobody intends to search Amazon for sensitive personal information. For instance, someone might search for a file with a Social Security number or with a specific text string that is in no way intended to be read by anyone else. They're ostensibly searching through their own local file system, after all, and the thought that by default that search string will be sent out to not one, but two, third parties is extremely disturbing."

Yet another Java flaw allows “complete” bypass of security sandbox

Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software. The flaw was announced today by Security Explorations, the same team that recently found a security hole in Java SE 7 letting attackers take complete control of PCs. But this latest exploit affects Java SE 5, 6, and 7—the last eight years worth of Java software.

“The impact of this issue is critical—we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6, and 7,” Adam Gowdiak of Security Explorations wrote, claiming the hole puts "one billion users" at risk.

Do Your SSL Certs Meet Microsoft's New Requirements?

Warning from Microsoft to the entire Internet: make sure that your digital certificates are at least 1024 bits. As of Oct. 9, 2012, longer key lengths are mandatory for all digital encryption certificates that touch Windows systems.

GoDaddy goes down, Anonymous claims responsibility

GoDaddy, the domain registrar and Web hosting company, is down, perhaps taking millions of websites down as a result.

Oracle reportedly knew of critical Java bugs under attack for 4 months

Oracle engineers were briefed on critical vulnerabilities in the Java software framework more than four months before the flaws were exploited in malware attacks that take complete control of end-user computers, according to a published report.

PostgreSQL Security Update 2012-08-17 released

The PostgreSQL Global Development Group today released security updates for all active branches of the PostgreSQL database system, including versions 9.1.5, 9.0.9, 8.4.13 and 8.3.20. This update patches security holes associated with libxml2 and libxslt, similar to those affecting other open source projects. All users are urged to update their installations at the first available opportunity.

Meet Linux Viruses

Conventional wisdom holds that Linux viruses do not exist. It may surprise most Linux users to learn that they do. Though not found in the wild, and so few in number compared with those for other operating systems that they can be counted on one hand, they are real. This post introduces some of the better-known Linux viruses detected to date, so that you can weigh the realistic facts and improve your own security.

AMD to add ARM processors to boost chip security

Back in February, AMD raised the possibility that future processors from the company might include ARM cores. The assumption at the time was that these ARM cores would be used for computation. The company has revealed its first plans for chips combining x86 and ARM cores, but it turns out they won't be used for computing at all: the embedded ARM cores will be used to provide security services.

cPanel Exploit Addendum

Last week we wrote about a 0-day exploit in cPanel. Now that all cPanel servers have auto-updated and patched the vulnerability, cPanel has released additional information on the security update. They actually fixed two major security issues. Both were labelled "important", which appears to be one of the highest, if not the highest, severity classifications; that class covers, among other things, remote code execution flaws, which thankfully these two were not.

Google Warns Users They May Become Collateral Damage in Cyber War

Google announced on Tuesday it will begin displaying a warning to users who the internet giant believe are under state-sponsored malware attack. Google has not revealed what criteria or technology will be used to detect the attacks.

cPanel 0-day Exploit

cPanel Inc. has released a notice instructing users to upgrade cPanel, titled "cPanel News: Targeted Security Release 2012-05-31 Announcement". These notices are extremely rare and should be taken very seriously. They gave few details other than to upgrade ASAP, and said they would release more specifics shortly, after everyone has had a chance to upgrade.

Windows 8 warning: Clicking 'preview' may wipe computer hard drive

A new warning for Windows users hoping to get a sneak peek at the Windows 8 operating system: clicking on 'preview' may wipe your computer's hard drive of all information.

Hilarious! - Scott

FBI Issues Warning on Hotel Internet Connections

The FBI today warned travelers there has been an uptick in malicious software infecting laptops and other devices linked to hotel Internet connections.

Privacy concerns over popular ShowIP Firefox add-on

A popular Firefox add-on appears to have started leaking private information about every website that users visit to a third-party server, including sensitive data which could identify individuals or reduce their security.

8 Tips for Choosing Secure and Strong Passwords | Pwgen CLI Tool

Choosing a highly secure password for your email accounts, social networks, wireless networks and any other application or website that requires one has become a challenge. So, when you choose a password, think about the possibility of it being cracked and how long that would take. In this post we look at some tips for choosing passwords that are as secure and strong as possible, and we check out a CLI tool for Linux/Unix that helps you generate a secure password in case you can't come up with one yourself.

He can steal your smart phone’s and tablet’s encryption keys

If you think that the encryption keys that your smart phone or tablet computer uses to protect data you want to keep others from accessing is secure, well … think again. Crypto researchers have demonstrated that those encryption keys can be stolen using techniques that are not that difficult to assemble.

Tips: Easy Way to Encrypt USB Flash Drive on Ubuntu

A USB flash drive is a data storage device consisting of flash memory integrated with a USB interface. USB flash drives are typically removable and rewritable, and physically much smaller than other storage media.

Malicious backdoor in open-source messaging apps not spotted for 3 months

For almost three months, versions of three widely distributed open-source applications from Horde.org contained a backdoor that allowed attackers to remotely execute malicious PHP code on systems that ran the programs.

How TCP Offload Engines scale up the TCP traffic bandwidth by up to 8x on existing Ethernet Networks

  • Intilop Corporation; By Kevin Moore (Posted by intilop on Feb 16, 2012 10:53 PM EST)
  • Story Type: Security Alert

Intilop’s CTO, K. Masood, to present “How TCP Offload Engines scale up the TCP traffic bandwidth by up to 8x on existing Ethernet Networks” at the Ethernet Summit in San Jose, CA, USA.

Crypto shocker: four of every 1,000 public keys provide no security

The finding, reported in a paper (PDF) submitted to a cryptography conference in August, is based on the analysis of some 7.1 million 1024-bit RSA keys published online. By subjecting what's known as the "modulus" of each public key to an algorithm first postulated more than 2,000 years ago by the Greek mathematician Euclid, the researchers looked for underlying factors that were used more than once. Almost 27,000 of the keys they examined were cryptographically worthless because one of the factors used to generate them was used by at least one other key.

Using an Asterisk/FreePBX phone server, and don't have the latest version? It may be vulnerable!!

If you have an Asterisk phone server running on a public IP, using the FreePBX web GUI, and don’t have one of the latest releases, it may be vulnerable. It's very common to have FreePBX on an Internet-routed IP, especially if you have multiple locations using the same FreePBX server. And the scary part is that little documentation exists about this vulnerability, and as of right now it's not listed on CVE Details:

http://www.cvedetails.com/vendor/6470/Freepbx.html

Hacked memo leaked: Apple, Nokia, RIM supply backdoors for gov't intercept?

Previously a group of Indian hackers called The Lords of Dharmaraja had posted documents that were pillaged during the hack of an Indian military network... "The memo suggests that, "in exchange for the Indian market presence" mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as "RINOA") have agreed to provide backdoor access on their devices."

OpenSSL fixes six security holes

OpenSSL has released an alert to warn of at least six security vulnerabilities affecting users of the open source implementation of the SSL and TLS protocols.

Hands-on: hacking WiFi Protected Setup with Reaver

WiFi hacking has long been a favorite pastime of hackers, penetration testers, and people too cheap to pay for their own Internet connection.

Analyzing Carrier IQ Profiles

As we explained in our post on Carrier IQ's architecture, one of the main factors in determining what the Carrier IQ stack does on a particular phone is the "Profile" that is running on that device. Profiles are files that are typically written by Carrier IQ Inc. to the specifications of a phone company or other client, and pushed to the phone by Carrier IQ Inc. using its own command and control infrastructure. To create transparency for the public that has been monitored by the more intrusive variants of this software, we will need a comprehensive library of these Profiles, and to know which ones were pushed to which phones at what times...

CNet's Download.com Caught Adding Malware to Nmap & Other Software

In August 2011, Download.com was taken on a new path by their General Manager and V.P. Sean Murphy. They started wrapping legitimate 3rd party software into their own installer which by default installs a wide variety of adware and other questionable software on users' machines. It also does things like redirect user search queries and change their Internet home page. At first their installer forced people to accept the malware or close the installer (see screen shot of infected VLC installer in this article). Later they added a non-default "decline" button hidden away on the left side of the panel. Also, the initial installer shown in the previous screen shot claimed the software was “SAFE, TRUSTED, AND SPYWARE FREE”. In an unusual show of honesty, they removed that claim from the rogue installer.

Sen. Franken Statement on Responses from Carrier IQ, Wireless Carriers, and Handset Manufacturers

Senator Franken issued this press release making public the responses from carriers (AT&T and Sprint) and manufacturers (Samsung and HTC) regarding the Carrier IQ privacy issue. No response yet from T-Mobile and Motorola.

Debian 5.0 Reaches End-of-Life on February 2012

The Debian security team, through Moritz Muehlenhoff, announced on December 6th that the Debian 5.0 (Lenny) operating system will no longer be supported starting February 6th, 2012.

US senator demands privacy info from software firm

U.S. Senator Al Franken asked software maker Carrier IQ to respond to claims by an independent security researcher that its products collect and transmit potentially sensitive data about millions of mobile phone users.

BUSTED! Secret app on millions of phones logs key taps

In a YouTube video posted on Monday, Trevor Eckhart showed how software from a Silicon Valley company known as Carrier IQ recorded in real time the keys he pressed into a stock EVO handset, which he had reset to factory settings just prior to the demonstration.

WineHQ database compromise - One More Linux Project Fail

Jeremy White, Codeweavers Founder has announced that access to the WineHQ database has been compromised.

Tor and the BEAST SSL attack

Today, Juliano Rizzo and Thai Duong presented a new attack on TLS <= 1.0 at the Ekoparty security conference in Buenos Aires. Let's talk about how it works, and how it relates to the Tor protocol.

Short version: Don't panic. The Tor software itself is just fine, and the free-software browser vendors look like they're responding well and quickly. I'll be talking about why Tor is fine; I'll bet that the TBB folks will have more to say about browsers sometime soon.

There is some discussion of the attack and responses to it out there already, written by seriously smart cryptographers and high-test browser security people. But I haven't seen anything out there yet that tries to explain what's going on for people who don't know TLS internals and CBC basics.

Top Free Android Finance Apps

This article selects high quality Android software that helps investors keep up to date with the latest stock market news, analyse the markets, and identify stock worth purchasing. We also feature the finest personal finance software available for Android devices, as well as apps that help consumers be more savvy when spending money. Being able to keep on top of your personal finances on your Android smartphone or tablet is a real advantage. All of the software featured in this article is available to download without charge, although some of the developers have also released a paid app which offer more functionality and/or the removal of advertising banners.

XSS Injection Vulnerability in WordPress 3.2.1

Bad news for just about every WordPress blogger out there: thousands of WordPress 3.2.1 installations are at risk of being compromised. It has been found that the latest version, 3.2.1, of WordPress, an extremely popular suite of tools for powering blogs, is vulnerable to an XSS injection attack which allows users to inject malicious JavaScript because the comments field is not sanitised. Without discussing at length what this vulnerability could do to your blog, I will jump to how it works and the solution.

Who Do You Trust with SSL?

The SSL system helps to protect secure communications across the Internet. It's also a technology that relies on trust; specifically, the trust of the SSL Certificate Authority (CA), which may not always be trustworthy, according to security researcher Moxie Marlinspike.

Speaking at the Black Hat security conference, Marlinspike detailed issues with the current CA system and proposed a new system to replace it.

The need to replace the CA system according to Marlinspike was highlighted by the recent attack on CA provider Comodo in March. Marlinspike noted that Comodo is the second largest CA in the world and the attack was able to do a lot of damage. Comodo officially blamed Iran for the attack.

Sniffing Passwords Over a Wifi Connection, a Linux How-to

Now here's where some fun stuff starts! I hope many of you have followed my installing Backtrack 5 guide and read up on what ARP is as well as basic Linux commands so you can follow along easily; if not, go read those now!

Researchers discover 'indestructible' botnet

4.5 million computers infected – range of techniques used to remain undetected

Avoiding a Cloud Computing Armageddon

Cloud computing is all the rage today, with everyone from the U.S. Federal government to Apple herding us into a brave new world of remotely hosted data and services. As usual, we're rushing down a road before thinking about where it may lead.

Multiplatform Java botnet spotted in the wild

Cross-platform malware is still a rare occurrence, so when it's detected, it usually attracts more attention than the malware engineered to affect only one particular platform. A recent one, detected by McAfee and "named" IncognitoRAT attacks both Windows and Mac OS users. So, how does it manage to do it?

Big Apple, Big Google, Big Brother

In some ways, all the uproar about Apple saving location data on its iOS device users is old news. Guess what? Big Brother, or Big Google, also collects geo-location information from its mobile, Android-powered devices. It’s like anything else in computing: geo-location can provide great services and resources, but it can also be abused.
