Showing posts with label security. Show all posts

Tuesday, 8 May 2012

Firefox to introduce click-to-play option to protect against dangerous plugins

crackthesecurity | 08:47
Jared Wein of Mozilla blogged last month about a new feature he was developing for Firefox 14 called "click-to-play". The idea is to block the default loading of plugins like Java and Flash when surfing to reduce the memory footprint and provide protection against exploitation of plugin vulnerabilities.

       

If you have ever used NoScript, ScriptNo or Flashblock you will be familiar with this idea. When you load a page like YouTube that has an embedded Flash/PDF/Java object, instead of it instantly loading the video you will see a black box with a logo representing the plugin. When you click on the box it will launch the plugin and the video or other content will be rendered.

Writing in ZDNet's Zero Day blog, Dancho Danchev expressed his opinion yesterday that all Firefox's adoption of this technique will accomplish is slowing down the systematic exploitation of plugins and not really provide meaningful protection.

Sorry Dancho, I don't think I agree with you on this one. While Danchev makes some valid points regarding the continuing prevalence of social engineering to propagate threats, implementing more secure default options is always a good thing.

Many drive-by exploits are invisible to the user and don't involve any social engineering. I would argue that the vast majority of what we see in SophosLabs doesn't involve trickery: users simply visit the wrong blog at the wrong time and malware is installed without them even being aware that the page contains a Java applet or Flash object.

This may lead the attackers to move toward social engineering more frequently, but isn't that a good thing? Make users aware of the content they are running and give them a chance to make a decision? I am sure many users will still make the wrong decision, but I certainly want the opportunity to make the correct decision rather than be instantly exploited.

The best example I can think of was a malicious PDF file that was part of an investigation I was involved with. The victim would receive an email with a plausible looking link. They click on the link and the website they are directed to pauses for a second, then proceeds to load with the promised content.

What happened? Their browser loaded a booby-trapped PDF without the user even knowing that a PDF file had been downloaded. After exploiting them the page simply redirected them to the originally promised content to allay suspicion.

My opinion? Good on ya', Mozilla. Keep making the bad guys' job harder and giving Firefox users better security by default. No single feature wins the war, but every battle counts.


Apple update to OS X Lion exposes encryption passwords

crackthesecurity | 08:43

Apple's had a rough time lately on the security front. Last month it was caught out having delayed the release of a security update for Java, resulting in more than 600,000 Macs being recruited into a botnet. Now a quality assurance mistake can cause OS X users' FileVault encryption passwords to be exposed.

On Friday, David Emery posted to an encryption mailing list disclosing this flaw in the latest OS X Lion security update, 10.7.3, which was released in February.

It appears that a debug option was accidentally left enabled in FileVault, resulting in the user's password being saved in plain text in a log file accessible outside of the encrypted area.
FileVault password in plain text

Anyone with access to the disk can read the file containing the password and use it to log into the encrypted area of the disk, rendering the encryption pointless and permitting access to potentially sensitive documents. This could occur through theft, physical access, or a piece of malware that knows where to look.

To my knowledge, this only applies to users of Snow Leopard who used the FileVault encryption option for their home directories. It does not impact users of FileVault2 who have turned on Apple's full disk encryption, nor does it impact users who did not upgrade from Snow Leopard.

The best course of action is to implement a full disk encryption solution like Sophos SafeGuard for Mac or Apple's included FileVault 2.

FileVault 2 upgrade option

Additionally, vulnerable users who do not encrypt their Time Machine backups risk replicating this log file to their backups, which could mean long-term storage of their unencrypted password.

This proves a very important point when it comes to encryption. While choosing a secure algorithm is important, it's rarely the most important factor. How products store, manage and secure keys and passwords is the most common failure point in assuring data protection.

This incident demonstrates the importance of implementation over technical arguments like key strength and password complexity. That Apple promises AES encryption doesn't mean anything if it chooses to store your password in an accessible log file.
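To make the failure mode concrete, here is an added example in Python. It is not Apple's code and not the FileVault implementation: a hypothetical volume-unlock routine whose leftover debug flag writes the password into its log, the same routine hardened so that debug output never carries the secret (with a redacting filter as a second line of defence), and an audit that scans log text for a known secret so you can confirm a fix actually removed it. All names are hypothetical and SAMPLE_PASSWORD is a constructed value.

```python
"""Added example, not Apple's code: a leftover debug flag that logs the
unlock password, the hardened form, and an audit over the resulting log text.
All names are hypothetical; SAMPLE_PASSWORD is a constructed value."""
import io
import logging
import re
from typing import List

SAMPLE_PASSWORD = "Tr0ub4dor&3"  # constructed sample, not a real credential


class RedactSecrets(logging.Filter):
    """Defence in depth: scrub password=... style values from every record
    before it is written, even if some code path still passes the secret."""

    PATTERN = re.compile(
        r"\b(password|passphrase|secret)=('[^']*'|\"[^\"]*\"|\S+)", re.IGNORECASE
    )

    def filter(self, record: logging.LogRecord) -> bool:
        # Format once, redact, then drop args so the formatter does not re-apply them.
        record.msg = self.PATTERN.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()
        return True


def _make_logger(name: str, stream: io.StringIO, redact: bool) -> logging.Logger:
    """Isolated logger writing to an in-memory stream (stands in for the log file)."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactSecrets())
    logger.addHandler(handler)
    return logger


def unlock_before(password: str, debug: bool, stream: io.StringIO, redact: bool = False) -> None:
    """'Before' form: a debug flag that shipped enabled logs the raw password."""
    log = _make_logger("unlock_before", stream, redact)
    if debug:
        # Defect: the secret itself lands in a file readable outside the volume.
        log.debug("unlock attempt with password=%r", password)
    log.info("volume unlocked")


def unlock_after(password: str, debug: bool, stream: io.StringIO) -> None:
    """Hardened form: debug output describes the event, never the credential."""
    log = _make_logger("unlock_after", stream, redact=True)
    if debug:
        # No password and no hash of it (a hash of a low-entropy password is
        # crackable offline); only a fact that does not help an attacker.
        log.debug("unlock attempt, credential supplied=%s", bool(password))
    log.info("volume unlocked")


def find_secret_in_log(log_text: str, secret: str) -> List[int]:
    """Audit: 1-based line numbers where the secret appears verbatim.
    Run it over the logs and their backups to confirm a fix removed the secret."""
    return [n for n, line in enumerate(log_text.splitlines(), 1) if secret in line]


def demo(secret: str = SAMPLE_PASSWORD) -> dict:
    """Run all three variants with the debug flag on and return their log text."""
    before, filtered, after = io.StringIO(), io.StringIO(), io.StringIO()
    unlock_before(secret, True, before)
    unlock_before(secret, True, filtered, redact=True)
    unlock_after(secret, True, after)
    return {"before": before.getvalue(), "filtered": filtered.getvalue(), "after": after.getvalue()}


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"--- {name} ---\n{text}leaks on lines: {find_secret_in_log(text, SAMPLE_PASSWORD)}")
```

The filter is deliberately a backstop rather than the fix: the real fix is that the hardened routine never hands the credential to the logger at all, because a redaction regex will miss any format it was not written for.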

Let's hope Apple is able to fix this problem quickly. However, the possibility that the plain text password has been backed up and the difficulty of ensuring both copies and the original plain text password are securely erased means retrieval could still be possible even after the fix is applied.

Once Apple users receive and apply the fix, they would be well advised to consider this password compromised, change it and ensure it is not used on any other systems.


ISPA to launch cyber security code in South Africa

crackthesecurity | 08:32
South Africa’s Internet Service Providers’ Association (ISPA) has teamed with Australia’s Internet Industry Association to develop a new voluntary industry code of practice to improve cybersecurity for end users. Known as the ‘icode’, the code will provide a consistent approach for South African ISPs to help inform, educate and protect their customers in relation to cyber security.

"The increasing threat of zombied computers - computers which have been essentially hijacked and are under the control of criminals or other third parties - presents a real risk to users. Identity theft, fraud, and increases in spam are all possible consequences of compromised computers." 

By following the code, ISPs will contribute to reducing the number of compromised computers in South Africa and enhance the overall security of the South African and international Internet.

The security code initiative was welcomed by the banking sector, which is intrinsically affected by malware and security breaches. South African Banking Risk Information Centre (Sabric) CEO Kalyani Pillay says the country's banks constantly review security measures to offer Internet users as safe an online banking experience as possible.

The icode is expected to contain four main elements:
- A notification/management system for compromised computers
- A standardised information resource for end users
- A comprehensive resource for ISPs to access the latest threat information
- A reporting mechanism in cases of extreme threat back to national security agencies to facilitate a national high-level view of attack status.


Sunday, 6 May 2012

John McAfee, antivirus pioneer, arrested by Belize police

crackthesecurity | 00:21
McAfee antivirus founder John McAfee is reportedly taking legal advice after a raid on his Belize home by police resulted in the software entrepreneur's arrest and the death of his pet dog.

The raid in the early morning of 1 May by the country's armed 'Gang Suppression Unit' (GSU) allegedly involved the doors to McAfee's house being smashed down, his property ransacked, and his dog shot.

After searching the house for drugs and firearms and handcuffing him and his 12 employees, the police detained McAfee for a number of hours before releasing him at 2am the following morning.

The police haven't given a reason for the raid but did reportedly find a cache of weapons including 12 gauge shotguns, handguns, rifles with scopes and ammunition. McAfee said he'd presented permits for all but one of the weapons which were for his company's security.

"The entire day was an incredible nightmare. This is clearly a military dictatorship where people are allowed to go and harass citizens based on rumour alone and treat them as if they are guilty before any evidence whatsoever is obtained," McAfee was reported as telling a local TV station after the raid.

McAfee blamed events on his refusal to donate money to "the local political boss" in his locality. No charges have been made.

"I have a fair amount of money and not much to do. So I spend it where I think it will do go. And I don't ever invest in politics. I don't donate to any political party; I don't have any political affiliations," he said.

Although independently wealthy thanks to his past involvement with the company that still bears his name, the entrepreneur claimed to have been hit badly by the financial fallout from the credit crunch of 2008.

In 2009, his New Mexico ranch was put up for sale to the highest bidder, a period during which he was also reported to have sold properties in Colorado and Hawaii.

He was the subject of a contentious Fast Company article in which it was suggested that he might be exaggerating his financial losses in order to avoid the fallout from a civil suit connected to the death of his nephew in a flying accident. McAfee moved to Belize in 2008.

Still remarkably well preserved for his 66 years, McAfee remains better known for his exploits in helping to form the antivirus industry in the late 1980s.

His company, McAfee Associates, was one of a small handful of companies that pioneered protection for PCs against viruses - McAfee is particularly associated with researching the infamous 'Brain' virus of 1986 - a quaint threat by today's standards.

In 1997 the McAfee name disappeared as the company was renamed Network Associates after a merger with Network General. Subsequently relaunched under its original McAfee brand in 2004, the company was finally bought by Intel in 2010 for $7.68 billion.


Friday, 4 May 2012

Android malware spreads via Facebook

crackthesecurity | 02:12
Android malware spread via Facebook
If you're using Facebook on your Android smartphone, you should be just as careful clicking on links as you would (hopefully) be on a desktop computer.
A few days ago I received a Facebook friend request and, as is usual, used my Android smartphone to check out the details of the person before I decided whether I wanted to become "friends" or not.
As the following video demonstrates, a link on the user's Facebook profile redirected my browser to a webpage that downloaded malware automatically onto my Android phone.
The malware package was called any_name.apk, and appears to have been designed to earn money for fraudsters through premium rate phone services.
Anyname malicious file
Alarm bells definitely rang when I noticed the app was using a class name which attempted to associate it with the legitimate Opera browser app:
com.opera.install
An encrypted configuration file inside the package includes the dialling codes for all supported countries (for instance, the UK is in there) and the premium rate number and text of the SMS message which it intends to send.
Although the app makes a pretence of informing you what it plans to do when you first run the program, it is being pushy in the extreme by installing itself without your permission.
What's even more suspicious is that when I revisited the URL on my Android smartphone a few days later, I was redirected to another website which downloaded a different app (allnew.apk) which had the same functionality as the earlier sample, but was non-identical on a binary level.
Clearly someone is busy creating new variants of this malware.
Sophos products detect the malicious app as Andr/Opfake-C.
Note that the malware does not install itself automatically onto the Android smartphone. Instead, what we saw was the malicious APK file downloaded onto the device. There does, of course, remain the risk that a user might be tricked into manually installing the app - perhaps through social engineering.



Monday, 30 April 2012

VMware confirms source code leak

crackthesecurity | 01:49
VMware has confirmed a leak of source code from the ESX hypervisor. The code was posted on Pastebin on April 8 by a hacker calling himself "Hardcore Charlie."

VMware confirmed the theft yesterday, and said there is a "possibility that more files may be posted in the future." The good news is that the code dates from 2003 to 2004. While VMware ESX is still heavily used, VMware is shifting customers to a newer hypervisor called ESXi, which has a smaller attack surface and is designed to be more secure.

"The fact that the source code may have been publicly shared does not necessarily mean that there is any increased risk to VMware customers," the company said. "VMware proactively shares its source code and interfaces with other industry participants to enable the broad virtualization ecosystem today. We take customer security seriously and have engaged internal and external resources, including our VMware Security Response Center, to thoroughly investigate. We will continue to provide updates to the VMware community if and when additional information is available."

The Kaspersky Lab ThreatPost blog somewhat over-dramatically called the incident the "IT equivalent of the Deepwater Horizon oil spill disaster."

This VMware source code reportedly was stolen from Chinese military contractor CEIEC, the China National Electronics Import-Export Corporation. VMware code wasn't the only target. Although the VMware connection wasn’t verified until yesterday, the hacker Hardcore Charlie told Reuters earlier this month that he hacked into CEIEC seeking information on the US military campaign in Afghanistan, and also that he was a friend of Hector Monsegur, the LulzSec leader who was caught by the FBI and pleaded guilty to criminal hacking charges.


Android Network Toolkit (ANTI) Review - Pentest at the push of a button

crackthesecurity | 01:46
Recently the white-hat hacker Itzhak "Zuk" Avraham, founder of zImperium, unveiled his new app at Black Hat / DEF CON 19, introducing a new concept where both home users and local IT can have the same tools to check for their security faults at the push of a button. The new zImperium product, named Android Network Toolkit (or in short, ANTI), allows professional penetration testers, ethical hackers, IT and home users to scan for security issues in their network.

In a few simple clicks ANTI covers the most advanced attack vectors in order to check for vulnerabilities, even those that up until now could only be performed by top-notch penetration testers. This means that while you might think you’re safe because you have a firewall on, with ANTI you can check and prove it (or add it to your penetration testing report if you’re doing this as a job). You can find out whether your desktop is easily hackable in only a few clicks by using the ANTI “Penetrate CSE” button, which performs a MiTM and injects a client-side exploit to check whether you have the latest version of vulnerable software (e.g. outdated Java). You only need to imagine reproducing this using other currently available methods to appreciate why ANTI has gotten so much respect from our community.

“Penetrate CSE” is part of the newly released ANTI3, which covers more vulnerabilities than before. The authors at zImperium will keep improving this product and add even more vulnerabilities in the future.


Upon successful client-side / remote exploitation, the report is updated with the current finding that a specific computer wasn’t patched for a certain vulnerability. Performing MiTM and injecting exploits has never been so easy for the professional penetration tester and is now also available to the home user and to IT staff - you don’t have to be a security guru to run security checks!

ANTI runs on Android version 2.1 and up, and the CSE vector is only one of several capabilities that make this tool very powerful, especially when it runs on your smartphone!



The app is also capable of mapping your network and scanning for vulnerable devices or configuration issues. Intended for everyone from the amateur security enthusiast at home to the professional penetration tester, ANTI provides many other useful features, such as: easy connection to open ports, visual sniffing (URLs and cookies), establishing MiTM attacks (using predefined and user-defined filters), server-side and client-side exploits, a password cracker to determine a password’s safety level, Replace Image as a visual for demos, and denial-of-service attacks. All this is packed into a very user-friendly and intuitive Android app (and a soon-to-be-released iOS app).

Because zImperium chose to distribute ANTI via their website rather than through the market, the APK is installed manually in a few simple steps:
Go to http://www.zImperium.com/anti.html and follow the instructions there. You will receive a download link by email. Open this link from your smartphone and then install the app as instructed. (Make sure that 3rd-party applications are enabled in Settings->Applications->Unknown Sources.)

iOS users can join the list of upcoming (public) BETA testers in the same page, by clicking on the Apple icon.


On each run, ANTI will prompt to map the connected network, and when done, it will suggest scanning it for known vulnerabilities and misconfigurations on the targets found. Once a target vulnerable to remote attacks is found, it will be marked with a red stamp and will appear in the report as a vulnerable device. Displayed in the report is the issue (e.g. MS08-067), how to solve the issue (Windows Update) and how to defend against similar threats in the future (block port 445 on the firewall).


We start by mapping the network - ANTI will scan and detect devices connected to the network. Each device will be displayed with a suitable icon identifying its hardware type and/or the operating system. We can then further scan for vulnerabilities on each of the devices found.


Now that we have our available targets displayed, we can choose any of them to try and penetrate, connect, or sniff network traffic.

The sniffer captures network traffic and displays images, URLs, user/password combinations, and cookies - all this is collected from the target in real time, and displayed in ANTI for viewing and examining. We can click on any of the URLs/cookies to visit the same site our target is visiting.

ANTI also allows us to connect to open ports on the targets, and displays the open ports found in previous scans.

After playing a bit with the app, I feel comfortable enough to try and penetrate one of my computers, running Windows 7 or Mac OS X, that were last updated one month prior to this report. I choose the target and click ‘Penetrate CSE’. This plug-in injects JavaScript code into the target's traffic using MiTM and redirects the traffic to a URL serving a client-side exploit. Once the target is exploited, ANTI reveals several functions that can be executed on the exploited target: send a screenshot of the current desktop, execute a command. The controller functionality is implemented in a very easy-to-use and fun (!) way, allowing both advanced users and home users to understand the risks of the found vulnerability - while zImperium censored any real possibility of causing real damage to the target, they allow basic information gathering and real-life demos such as ejecting the CD-ROM or grabbing a screenshot (for the assessment’s final report).


I decided to try the password-cracker on my router. I then realized (the good old hard way) that I better change my password ASAP since it took ANTI less than 30 seconds to crack! Next I executed the cracker on my target running a SQL server and, lo and behold, ANTI didn’t discover the passwords - due to use of high complexity passwords. These results were enough to get me to (finally!) change my router’s password.

There are additional functionalities built into ANTI, such as a unique and fully functional HTTP server that allows publishing files on your device, as well as uploading files to the device, visual traceroute using Google Maps, and more.


Once we are done testing, the most important ANTI function is the report - everything we have found in the network, vulnerable devices, open ports, and extra information that will later assist when preparing the assessment report - all is summed up in text and emailed. ANTI3 supports multiple networks, so now you can fully use it for your daily penetration tests. And everything is extremely user-friendly!

Download ANTI3 from zImperium website


Free Ray-Bans and TOMS shoes spams hit Facebook

crackthesecurity | 01:43
Have you seen a message on Facebook saying that free pairs of Ray-Bans or TOMS shoes are being given away to users?
Don't believe it.
The messages, which have become widespread, actually point to scams.
Here are some of the messages that are being seen on unsuspecting users' Facebook walls:
Free Ray Bans scam on Facebook
Get a Free Pair of Ray-Bans! (limited time only)!
Current Limited offer
To Celebrate the Summer, We are Giving Away Free Ray-Bans to All Facebook Users!
TOMS shoes scam on Facebook
Get a Free Pair of Toms Shoes! (Limited Time Only)!
Current Limited offer
To Celebrate the Summer, Toms is currently giving away FREE pairs of shows to select facebook users for a limited time!
If you click on the links you will be taken to pages which try to trick you into sharing the link further amongst your Facebook friends. People's excitement over the possibility of a free pair of Ray-Bans sunglasses or a pair of shoes outweighs their common sense it seems.
Before you know it, you're being taken to webpages that ask you to hand over your personal information or take part in an online survey.
The truth is that you're never going to receive that free pair of shoes, or be sporting some Ray-Ban sunglasses. The fraudsters who started spreading the links in the first place earn commission every time they trick someone into completing an online survey.
In some cases they might even ask you to enter your mobile phone number, and then sign you up for an expensive premium rate service.
So be on your guard!
If you were fooled into participating in this scam remove the message from your newsfeed, and delete any messages you may have inadvertently shared with your friends. That way at least you are no longer spreading it with your online chums. You can also report the link as spam - hopefully if enough people do it, Facebook will stop the scams from spreading further.
Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Facebook page, share information on threats and discuss the latest security news.


Tuesday, 24 April 2012

Your photo all over Facebook? Naked? Malware campaign spammed out

crackthesecurity | 01:39
SophosLabs is intercepting a spammed-out malware campaign, pretending to be an email about a revealing photo posted online of the recipient.
The emails, which have a variety of subject lines and message bodies, arrive with an attached ZIP file (IMG0893.zip) which contains a Trojan horse.
Malicious email
Subject lines used in the spammed-out malware campaign include:
  • RE:Check the attachment you have to react somehow to this picture
  • FW:Check the attachment you have to react somehow to this picture
  • RE:You HAVE to check this photo in attachment man
  • RE:They killed your privacy man your photo is all over facebook! NAKED!
  • RE:Why did you put this photo online?
Subject lines used in the spammed-out malware campaign
The message bodies contained inside the email can also vary. Here are some examples:
  • Hi there ,
    I got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.
  • Hi there ,
    I have a question- have you seen this picture of yours in attachment?? Three facebook friends sent it to me today... why did you put it online? wouldn't it harm your job? what if parents see it? you must be way cooler than i thought about you man :)))).
  • Excuse me,
    But i really need to ask you - is it you at this picture in attachment? I can't tell you where I got this picture it doesn't actually matter... The question is is it really you???.
You can imagine how some people would react if they received a message like this in their email. Many might open the attachment out of curiosity (or even with trepidation that a private photo had leaked onto the internet!) and end up having their Windows computer infected as a result.
Sophos products protect users against the threat, detecting it as Troj/Bredo-VV and Mal/BredoZp-B.
The Bredo Trojan is nothing new, and we regularly see variants of it spammed out widely across the internet using a variety of social engineering lures to trick users into opening the dangerous attachment.
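The traits listed above (a forged RE:/FW: subject, photo bait that points the reader at "the attachment", and a ZIP with a camera-style name such as IMG0893.zip) are enough to write a simple triage rule. The following Python is an added example for this post, not Sophos code or the detection the article refers to: the sample messages are constructed from the subject lines and body text quoted above plus two benign controls, and the scoring weights and threshold are this example's own choices.

```python
"""Added example, not Sophos code: a scoring rule for the lure pattern
described in the post. Samples are constructed; weights and threshold are
this example's own choices."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)
    in_reply_to: Optional[str] = None  # Message-ID of the thread parent, if any


FAKE_REPLY = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
LURE_WORDS = re.compile(r"\b(photo|picture|pic|naked|facebook|ex-?gf)\b", re.IGNORECASE)
ATTACH_REF = re.compile(r"\battachment\b", re.IGNORECASE)
CAMERA_ZIP = re.compile(r"^(img|dsc|dcim|photo)[_-]?\d+\.zip$", re.IGNORECASE)
THRESHOLD = 3


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each rule mirrors one trait of the campaign."""
    score, reasons = 0, []
    # A reply/forward prefix with no In-Reply-To header is a forged thread.
    if FAKE_REPLY.search(msg.subject) and msg.in_reply_to is None:
        score += 1
        reasons.append("RE:/FW: prefix without a thread parent")
    text = f"{msg.subject}\n{msg.body}"
    # Bait vocabulary that steers the reader towards opening the attachment.
    if LURE_WORDS.search(text) and ATTACH_REF.search(text):
        score += 1
        reasons.append("photo lure pointing at the attachment")
    zips = [a for a in msg.attachments if a.lower().endswith(".zip")]
    if zips:
        score += 2
        reasons.append("ZIP attachment: " + ", ".join(zips))
        # Cameras produce .jpg files; an IMG0893.zip is a disguise.
        if any(CAMERA_ZIP.match(a) for a in zips):
            score += 1
            reasons.append("camera-style filename on a ZIP")
    return score, reasons


def is_suspicious(msg: Message) -> bool:
    return score_message(msg)[0] >= THRESHOLD


# Constructed samples. The first two reuse lure text quoted in the post.
LURE_NAKED = Message(
    subject="RE:They killed your privacy man your photo is all over facebook! NAKED!",
    body="Hi there ,\nI got to show you this picture in attachment. I can't tell who gave it to me sorry but this chick looks a lot like your ex-gf. But who's that dude??.",
    attachments=["IMG0893.zip"],
)
LURE_CHECK = Message(
    subject="FW:Check the attachment you have to react somehow to this picture",
    body="Excuse me,\nBut i really need to ask you - is it you at this picture in attachment?",
    attachments=["IMG0893.zip"],
)
BENIGN_PHOTO = Message(  # a genuine reply in an existing thread with a plain image
    subject="RE: team photo for the newsletter",
    body="Here is the picture from Friday, attached as requested.",
    attachments=["team_photo.jpg"],
    in_reply_to="<20120424.1@example.invalid>",
)
BENIGN_ZIP = Message(  # a ZIP on its own should not trip the threshold
    subject="Q2 reports",
    body="Reports attached, let me know if anything is missing.",
    attachments=["q2_reports.zip"],
)
SAMPLES = {"lure_naked": LURE_NAKED, "lure_check": LURE_CHECK,
           "benign_photo": BENIGN_PHOTO, "benign_zip": BENIGN_ZIP}


def triage(samples=SAMPLES) -> dict:
    """Score every sample; returns {name: (score, suspicious, reasons)}."""
    out = {}
    for name, msg in samples.items():
        score, reasons = score_message(msg)
        out[name] = (score, score >= THRESHOLD, reasons)
    return out


if __name__ == "__main__":
    for name, (score, flagged, reasons) in triage().items():
        print(f"{name}: score={score} flagged={flagged} {reasons}")
```

The point of the weights is that no single trait decides: a ZIP alone scores 2 and stays under the threshold, while the combination of forged reply, photo bait and a disguised archive name stacks up well past it, which is the shape a mail gateway rule for this campaign wants.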
Keep your wits about you, and your anti-virus up-to-date, and you should have little to fear.