Advertisement
<a href="http://abaca.com/free_trial.html"><img src="/a-ab/missing.gif" /></a>
  • About the Author
  • About this Blog

    • Latest Warnings

    Latest Warnings / Security Tools / Time to Patch57 Comments
    4
    Apr 12

    Urgent Fix for Zero-Day Mac Java Flaw

    Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

    Distribution of 550,000 Flashback-infected Macs. Source: Dr.Web.com

    The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.

    The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most which it said were U.S. based systems (hat tip to Adrian Sanabria). Dr.Web’s post is available in its Google translated version here.

    Continue reading →

    A Little Sunshine / Latest Warnings / The Coming Storm105 Comments
    30
    Mar 12

    MasterCard, VISA Warn of Processor Breach

    VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

    Update, 4:32 p.m. ET: Atlanta-based processor Global Payments just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.

    Original post:

    In separate non-public alerts sent late last week, VISA and MasterCard began warning banks about specific cards that may have been compromised. The card associations stated that the breached credit card processor was compromised between Jan. 21, 2012 and Feb. 25, 2012. The alerts also said that full Track 1 and Track 2 data was taken – meaning that the information could be used to counterfeit new cards.

    Neither VISA nor MasterCard have said which U.S.-based processor was the source of the breach. But affected banks are now starting to analyze transaction data on the compromised cards, in hopes of finding a common point of purchase. Sources at two different major financial institutions said the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area. Continue reading →

    Latest Warnings / Security Tools / Time to Patch44 Comments
    28
    Mar 12

    Critical Security Update for Adobe Flash Player

    Adobe has issued a security update for its Flash Player software that fixes at least two critical vulnerabilities in the widely-used program. At long last, this latest version also includes an auto-updating mechanism designed to streamline the deployment of Flash security fixes across multiple browsers.

    If it seems like you just updated Flash to fix security holes, it’s not your imagination. This is the third security update for Flash in the last six weeks. Flash Player v. 11.2 addresses a couple of flaws  in Adobe Flash Player 11.1.102.63 and earlier versions for Windows, Macintosh, Linux and Solaris, and Adobe Flash Player 11.1.111.7 and earlier versions for Android 3.x and 2.x. Adobe warns that these vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

    My previous posts on Flash updates have been accompanied by lengthy instructions about how to update the program. That’s in part because Adobe has traditionally deployed two separate installers for Windows based systems: One for Flash on Internet Explorer, and another for non-IE browsers. With the release of Flash Player 11.2, Adobe is introducing a new background update mechanism for Windows users that promises to take some of the pain out of updating. Continue reading →

    A Little Sunshine / Latest Warnings / Time to Patch51 Comments
    27
    Mar 12

    New Java Attack Rolled into Exploit Packs

    If your computer is running Java and you have not updated to the latest version, you may be asking for trouble: A powerful exploit that takes advantage of a newly-disclosed security hole in Java has been rolled into automated exploit kits and is rapidly increasing the success rates of these tools in attacking vulnerable Internet users.

    The exploit targets a bug in Java (CVE-20120-0507) that effectively allows the bypassing of Java’s sandbox, a mechanism built into the ubiquitous software that is designed partly to blunt attacks from malicious code. Microsoft’s Malware Protection Center warned last week that new malware samples were surfacing which proved highly effective at exploiting the flaw. Microsoft says the samples it saw loaded the ZeuS Trojan, but thieves can use such attacks to install malware of their choosing.

    According to posts on several underground carding forums, the exploit has now been automatically rolled out to miscreants armed with BlackHole, by far the most widely used exploit pack. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors. Those visiting such sites with outdated browser plugins may have malware silently installed, and Java is almost universally the most successful method of compromise across all exploit kits.

    According to software giant Oracle, Java is deployed across more than 3 billion systems worldwide. But the truth is that many people who have this powerful program installed simply do not need it, or only need it for very specific uses. I’ve repeatedly encouraged readers to uninstall this program, not only because of the constant updating it requires, but also because there seem to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.

    Case in point: On at least two Underweb forums where I regularly lurk, there are discussions among several core members about the sale and availability of an exploit for an as-yet unpatched critical flaw in Java. I have not seen firsthand evidence that proves this 0day exploit exists, but it appears that money is changing hands for said code. Continue reading →

    Latest Warnings / Time to Patch28 Comments
    13
    Mar 12

    RDP Flaws Lead Microsoft’s March Patch Batch

    Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.

    The critical update plugs two security holes in Microsoft’s Remote Desktop Protocol (RDP), a service that is designed to let administrators access Windows systems remotely over a network. The saving grace for these vulnerabilities — which are present in Windows XP, Vista and 7, and Windows Server 2003, and 2008 — is that RDP not enabled by default on standard Windows installations. That means it is far more likely to be a threat to businesses than to consumer systems.

    “It needs to be configured and started by the system’s owner, which then makes the vulnerability accessible; consequently we expect that only a relatively small percentage of machines will have RDP up and running,” said Wolfgang Kandek, chief technology officer for vulnerability management firm Qualys. Continue reading →

    Latest Warnings / Target: Small Businesses / Web Fraud 2.08 Comments
    13
    Mar 12

    Hacked Inboxes Lead to Bank Fraud

    Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.

    Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.

    The attackers then crafted the following email, sending it to personnel at each victim’s respective local WNB bank branch.

    Good Morning,

    Can you please update me with the the available balance in my account and also the information needed to  complete an outgoing wire transfer for me today,i am on my way to my nephew funeral service but i will check my mail often for your response.

    Thanks.

    Wade Kuehler, an executive vice president at WNB, said bank personnel followed up on two of the requests, ignoring the request not to contact the customer via phone. In both cases, the customers were grateful for the contact, saying they had not sent such a request.

    But the thieves struck paydirt with the third attempt, when a sympathetic associate at the bank responded to the message with the requested balance information. The follow-up email from the thieves included instructions to wire money to an account at another bank, and the assistant helpfully processed the transfer.

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch30 Comments
    5
    Mar 12

    Adobe Patches Critical Flash Flaws

    For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The patch addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.

    The fixes being released today address a pair of critical bugs that are present in Adobe Flash Player 11.1.102.62 and earlier versions for Windows, Mac, Linux and Solaris, Flash Player v 11.1.115.6 and earlier versions for Android 4.x, and Flash Player 11.1.111.6 and earlier versions for Android 3.x and 2.x. Adobe says both flaws in today’s release were reported by Google security researchers.

    For Windows, Mac, Linux and Solaris users, the newest version is 11.1.102.63, and is available through the Player Download Center. To find out which version of Flash you have installed, visit this page. Users can grab the latest version from the Adobe Flash Player Download Center, although if you’re not careful to untick the check box next to whatever “optional” goodies Adobe tries to bundle with Flash Player (the most common is McAfee Security Scan Plus) you could end up with more than you wanted.

    Windows users who browse the Web with Internet Explorer and another browser may need to apply the Flash update twice, once using IE and again with the other browser. Chrome normally auto-updates Flash – often hours or days before the fixes are publicly released for download — although for some reason I still had the vulnerable version 11.1.102.62 installed when Adobe’s security advisory was released today. According to the Chrome Releases blog, Google began pushing out an update last night that includes the new Flash version.

    Today’s update comes close on the heels of a critical Flash patch that closed at least seven security holes, including one that was at the time already being exploited to break into vulnerable systems (that one, also, was reported by Google).

    A Little Sunshine / Latest Warnings27 Comments
    22
    Feb 12

    How Not to Buy Tax Software

    Scott Henry scoured the Web for a good deal on buying tax preparation software. His search ended at Blvdsoftware.com, which advertised a great price and an instant download. But when it came time to install the software, Henry began to have misgivings about the purchase, and reached out to KrebsOnSecurity for a gut-check on whether trusting the software with his tax information was a wise move.

    Five days after Henry purchased the product, blvdsoftware.com vanished from the Internet.

    Several red flags should have stopped him from making the purchase. Blvdsoftware.com claimed it had been in business since 2005, but a check of the site’s WHOIS registration records showed it was created in late October 2011. The site said that Blvdsoftware was a company in Beverly Hills, Calif., but the California Secretary of State had no record of the firm, and Google Maps knew nothing of the business at its stated address.

    Henry said that in years past, he’d always bought a CD version of the software. But this year, he opted for digital download.

    “I was going to download from Amazon — they sell a download-only version — and then I saw the cheaper site and went with them,” he said in an email. He installed the program, but said he didn’t enter any of his sensitive data. For one thing, he never received a license key from Blvdsoftware, and the program he installed didn’t request one. Now he’s wondering if the program was — at the very least pirated — and at worst — bundled with software designed to surreptitiously snoop on his computer.

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch16 Comments
    15
    Feb 12

    Flash Player Update Nixes Zero-Day Flaw

    Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.

    In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google –  was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.

    Continue reading →

    Latest Warnings / Security Tools / Time to Patch15 Comments
    15
    Feb 12

    Java Security Update Scrubs 14 Flaws

    Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.

    Java flaws are a favorite target of miscreants and malware because of the program’s power and massive install base: Oracle estimates that Java is installed on more than three billion machines worldwide.

    In an emailed advisory accompanying the new release, Oracle urged users to update without delay. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon a possible.”

    The new versions are Java 6 Update 31, and Java 7 Update 3. To see if you have Java installed and to find out what version you have, visit Java.com and click the “Do I have Java?” link. Existing users should be able to update by visiting the Windows Control Panel and clicking the Java icon, or by searching for “Java” and clicking the “Update Now” button from the Update tab. Continue reading →

    ← Older Entries
    Newer Entries →