Vulnerability in a popular Joomla extension

Number: IRCNE2014092316
Date: 93/06/23

A very serious vulnerability in a popular e-commerce extension for the Joomla content management system allows malicious users to gain super-admin access to sites that use Joomla.
Marc-Alexandre Montpas, a researcher at security firm Sucuri, stated: the VirtueMart extension, which lets users set up online shops on their sites, has been downloaded more than 3.5 million times. With super-admin access, an attacker can gain full access to the site and its database.
The issue was discovered a few weeks ago and fixed in VirtueMart version 2.6.10, released on September 4. VirtueMart's page in the Joomla extensions directory advises that anyone running a version below 2.6.10 should apply the update as soon as possible for security reasons.
Montpas said: the VirtueMart extension uses the 'bind' and 'save' methods of Joomla's JUser class to manage users' account information. We believe the issue lies in the Joomla class, so we cannot disclose further details about it.

Linux servers turned into bots by 'IptabLes' and 'IptabLex' malware

Number: IRCNE2014092308
Date: 2014-09-08

According to “techworld”, a botnet that infects and exploits poorly-maintained Linux servers has been used to launch a spate of large DDoS attacks targeting DNS and other infrastructure, Akamai’s Prolexic division has warned.
Dubbed the 'IptabLes and IptabLex' botnet, the attacks target versions of Apache Struts and Tomcat, as well as some servers running Elasticsearch, that have not been patched against a clutch of vulnerabilities.
Once a server is compromised, the attackers elevate privileges to gain remote control of it, then drop and run the malicious code, which awaits direction from the botnet's command and control.
The bot had been used to launch a number of DDoS attacks during 2014, including a significant one that reached a peak of 119Gbps, on entertainment websites.
Corralling Linux servers for DDoS is a relatively new tactic and this particular campaign appeared to be in its early stages and prone to instability, Akamai said, urging admins to patch and harden vulnerable Linux servers as soon as possible.
"We have traced one of the most significant DDoS attack campaigns of 2014 to infection by IptabLes and IptabLex malware on Linux systems," said Akamai senior vice president and general manager, Security Business, Stuart Scholly.
"This is a significant cybersecurity development because the Linux operating system has not typically been used in DDoS botnets. Linux admins need to know about this threat to take action to protect their servers."

New Phishing Campaign Targets LinkedIn Users

ID: IRCNE2014072266
Date: 2014-07-26

According to “ESecurityPlanet”, Hoax-Slayer is warning of new phishing emails targeting LinkedIn users, which aim to trick recipients into clicking on a link by claiming that their LinkedIn accounts have been blocked due to inactivity.
"To ensure that your online services with LinkedIn will no longer be interrupted / You will be asked to log into your account to confirm this email address," the phishing email states. "Be sure to log in with your current primary email address."
Recipients who click on the link in the email are taken to a fraudulent LinkedIn login page designed to harvest email addresses and passwords.
"Claiming that account details require updating is a favorite scam ruse," Hoax-Slayer notes. "Be wary of any message that makes such a request. If you receive such a message, do not click any links or open any attachments that it contains."
Pentura managing director Steve Smith told Infosecurity that LinkedIn users should always be wary of any unsolicited emails claiming to come from the company. "LinkedIn is obviously a rich source of personal information which can be exploited for further social engineering attacks, which could prove costly both to the individuals and the organizations concerned," he said.

File-encrypting Android ransomware 'Simplocker' targets English-speaking users

Number: IRCNE2014072268
Date: 2014-07-27

According to “computerworld”, a ransomware threat that encrypts files stored on the SD memory cards of Android devices has been updated to target English-speaking users with FBI-themed alerts.
The malware app is called Simplocker and was first identified by security researchers from antivirus vendor ESET in early June. At the time it was the first malicious program for Android devices that used file encryption to extort money from victims.
Simplocker is now being sold on underground forums and actively distributed to users, so it's no longer just a proof of concept, the ESET security researchers said Tuesday in a blog post.
A new variant found recently displays a message to victims in English that masquerades as an alert from the U.S. Federal Bureau of Investigation about illegal pornographic content being found on the device.
In addition to expanding the pool of potential victims by adding English language support, the new Simplocker version also has some other improvements, the ESET researchers said.
The previous list of file types encrypted by the malware included mostly images and documents. The new version also encrypts archive files with the .zip, .7z and .rar extensions.
"Many Android file backup tools (which we strongly recommend, by the way) store the backups as archive files," the ESET researchers said. "In case the user has become infected with Android/Simplocker.I, these backups will be encrypted as well."
So not only will users lose access to their documents and pictures, but they will be unable to restore them from backups stored on the same SD card.
The malware installer masquerades as a Flash video player application and requests to be granted device administrator permissions. This makes the new Simplocker much harder to remove once installed.
ESET has updated its free Simplocker Decryptor tool to add support for files encrypted by the new malware variant.

Attackers can easily create dangerous file-encrypting malware, new threat suggests

Number: IRCNE2014082273
Date: 2014-08-03

According to “computerworld”, a new program that encrypts files to extort money from users highlights that attackers don't need advanced programming skills to create dangerous and effective ransomware threats, especially when strong encryption technology is freely available.
Researchers from antivirus vendor Symantec recently came across a ransomware program, Russian-language for now, whose core component is a simple batch file (a command-line script).
This development choice allows the attacker to easily control and update the malware, said Symantec researcher Kazumasa Itabashi in a blog post Thursday. The batch file downloads a 1024-bit RSA public key from a server and imports it into GnuPG, a free encryption program that also runs from the command line. GnuPG, which is an open-source implementation of the OpenPGP encryption standard, is used to encrypt the victim's files with the downloaded key.
"If the user wants to decrypt the affected files, they need the private key, which the malware author owns," Itabashi said. In public-key cryptography, which OpenPGP is based on, users generate a pair of associated keys, one that is made public and one that is kept private. Content encrypted with a public key can only be decrypted with its corresponding private key. The new ransomware threat that Symantec calls Trojan.Ransomcrypt.L encrypts files with the following extensions: .xls, .xlsx, .doc, .docx, .pdf, .jpg, .cd, .jpeg, .1cd, .rar, .mdb and .zip.
Trojan.Ransomcrypt.L is proof that developing ransomware can be done for little cost and without advanced programming knowledge, which could lead to an increase in the number of such threats in the future.
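As an added illustration, not code from the Symantec post or the article, the following detection heuristic flags the behaviour described above: a script interpreter driving GnuPG to import a key and then encrypt files of the listed types. The process-creation events, the cmd.exe/gpg.exe image names and the recipient addresses are constructed for the example; `--import`, `--encrypt` and `--recipient` are standard GnuPG options.

```python
import re
from dataclasses import dataclass

# File extensions the article lists as targeted by Trojan.Ransomcrypt.L.
TARGET_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".jpg", ".cd",
               ".jpeg", ".1cd", ".rar", ".mdb", ".zip"}

# Constructed sample of process-creation events: (parent image, image, command line).
# Illustrative only; not telemetry from the Symantec report.
SAMPLE_EVENTS = [
    ("cmd.exe", "gpg.exe", r"gpg.exe --import C:\Users\Public\pubkey.asc"),
    ("cmd.exe", "gpg.exe", r"gpg.exe --encrypt --recipient actor@example.invalid C:\Users\bob\Documents\budget.xlsx"),
    ("cmd.exe", "gpg.exe", r"gpg.exe --encrypt --recipient actor@example.invalid C:\Users\bob\Pictures\holiday.jpg"),
    ("cmd.exe", "gpg.exe", r"gpg.exe --encrypt --recipient actor@example.invalid C:\Users\bob\archive.zip"),
    # Benign: a user encrypting a single report from the desktop, not from a script.
    ("explorer.exe", "gpg.exe", r"gpg.exe --encrypt --recipient alice@example.invalid C:\Users\alice\report.pdf"),
]

# Script interpreters a batch-file dropper would run gpg from (assumed list).
SCRIPT_PARENTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Trailing file extension of each whitespace-separated token, e.g. ".xlsx".
EXT_RE = re.compile(r"\.[0-9a-z]{1,4}(?=\s|$)", re.IGNORECASE)

@dataclass
class Finding:
    parent: str
    imports_key: bool
    encrypted_exts: set

    def suspicious(self) -> bool:
        # Key import followed by encryption of two or more targeted file types
        # from the same scripted parent is the pattern the article describes.
        return self.imports_key and len(self.encrypted_exts) >= 2

def analyse(events):
    """Group gpg invocations by scripted parent and record key imports and encrypted file types."""
    findings = {}
    for parent, image, cmdline in events:
        if image.lower() != "gpg.exe" or parent.lower() not in SCRIPT_PARENTS:
            continue
        f = findings.setdefault(parent.lower(), Finding(parent.lower(), False, set()))
        if "--import" in cmdline:
            f.imports_key = True
        if "--encrypt" in cmdline:
            f.encrypted_exts.update(e.lower() for e in EXT_RE.findall(cmdline)
                                    if e.lower() in TARGET_EXTS)
    return findings

def suspicious_parents(events):
    """Return the parent images whose gpg activity matches the heuristic."""
    return sorted(p for p, f in analyse(events).items() if f.suspicious())

if __name__ == "__main__":
    print(suspicious_parents(SAMPLE_EVENTS))  # ['cmd.exe']
```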

Mobile chips face lockdown to prevent hacks

Number: IRCNE2014082287
Date: 2014-08-11

According to “techworld”, chip makers want to make hardware the first layer of defense against data breaches and other attacks on tablets and smartphones.
Mobile devices are becoming increasingly vulnerable, with more personal information, banking data, passwords and contacts residing on devices without any protection, said presenters at the Hot Chips conference in Cupertino, California, on Sunday.
The NSA revelations and a mounting pile of data breaches have reminded hardware makers that well-designed chips for PCs, servers and mobile devices can minimize, if not prevent, attacks, said Leendert van Doorn, corporate fellow at Advanced Micro Devices.
Most attacks today exploit software bugs, but it's possible for hackers to isolate keyboards, voice, sensors and even screens, snoop for information and send data back to rogue servers, said Vikas Chandra, principal engineer at ARM's research and development division.
A well-designed system can provide multiple layers to prevent malicious attacks and injection of rogue code, said Chandra, adding that the hardware, security subsystem and software on mobile hardware need to work together.
Besides ARM, chip makers like Intel and AMD are working to bring more security features so mobile devices are shielded from attacks.
Most mobile device users are not tech savvy, and haven't secured devices with passwords or pins. Few devices have security software to prevent malware, and trojans running on social networking apps could collect personal information and send it back to rogue servers, Chandra said.
ARM is improving its security layer called TrustZone to prevent such attacks, Chandra said. The layer establishes a trusted execution environment in which code can be safely executed without affecting the entire system.
It's also important to make sure servers are ready to deal with different security layers in mobile devices and the new authentication techniques, said Ruby Lee, professor of electrical engineering at Princeton University.
ARM's TrustZone has put the stake in the ground for mobile platform integrity, including how to set up wireless transmissions, authentication techniques and others, Lee said.
A lot of hardware security implementations are around secure execution layers, trusted domains and securing DRAM so private keys and cryptographic data can't be stolen in transit. Intel is bringing the ability to identify rootkits and polymorphic viruses at the hardware layer to its upcoming chips so malicious attacks can be identified before they wreak havoc on a system.
System design is important, and the security features need to be chosen wisely.

Adobe patches Flash and zero-day Acrobat bugs

Number: IRCNE2014082288
Date: 2014-08-12

According to “zdnet”, Adobe has released updates to fix seven vulnerabilities in Flash Player and one vulnerability in Adobe Reader and Acrobat which, the company says, is being exploited in the wild "...in limited, isolated attacks targeting Adobe Reader users on Windows." The OS X versions of Acrobat and Reader are not affected.
Users may update Acrobat and Reader with the Help > Check for Updates menu option. Flash Player users may download the latest version from Adobe's download page. Users of Internet Explorer on Windows 8 and above and of Google Chrome will receive browser updates from those companies with fixed versions of their integrated Flash Player.
The lone vulnerability in Acrobat and Reader for Windows could allow an attacker to circumvent sandbox protection. Users of Adobe Reader 11.x for Windows should update to version 11.0.08. Users of Adobe Reader 10.x for Windows should update to version 10.1.11.
The seven vulnerabilities in Flash affect version 14.0.0.145 and earlier for both Mac and Windows, including the versions integrated into Chrome and IE. The new version will be 14.0.0.176 in most cases. Google Chrome users will get 14.0.0.177 and the NPAPI plugin for Firefox will be version 14.0.0.179.
Flash Player 11.2.202.394 and earlier versions for Linux are vulnerable and users should update to 11.2.202.400.
As is always the case with Flash updates, Adobe AIR and the AIR SDK are also updated.

Cyber attack on automotive-industry companies in Europe

Number: IRCNE2014082299
Date: 93/06/08

Security researchers warn that cybercriminals are using information-stealing malware to target the automotive industry in Europe.
According to a new report published by Symantec researchers, the attack campaign began in early August and initially targeted transport, insurance and leasing businesses for agricultural and commercial vehicles.
In this attack the malware is distributed through widespread spoofed emails that appear to come from the company Technik Automobile and purport to be looking for the previous owners of vehicles. The email carries an attachment named TechnikAutomobileGMBH.pdf.zip, which appears to contain a vehicle list but actually contains an installer for the Carbon Grabber Trojan.
Lionel Payet, a researcher at Symantec, wrote in a blog post: the malicious file decrypts an executable embedded in its own body and injects code into Microsoft Outlook, Internet Explorer, Google Chrome and Mozilla Firefox on the infected computer. The malware hooks browser APIs and steals information before it is encrypted and sent over the network.
Like other man-in-the-browser malware, the Carbon Grabber Trojan can steal login credentials for various web services, including banking websites. It can also steal Microsoft Outlook credentials and use them to send emails on the victim's behalf.
According to the Symantec researchers' observations, the fake emails are sent to customers of the targeted companies.
The automotive industry was the primary target of this Trojan, accounting for about 48 percent of infected customers. However, the malware has also targeted companies in other sectors, such as public services, insurance, charity, energy, research, communications and tourism.

Reveton ransomware upgraded

Number: IRCNE2014082295
Date: 93/05/29

According to findings by security firm Avast, the Reveton ransomware, which deliberately tells users that they have broken the law and must pay a fine, has been upgraded, and its new version includes a powerful password-stealing function.
The malware usually infects computers through drive-by download attacks. After a user's computer has been locked by the malware, the user is told that they must pay several hundred dollars to regain access to it.
Avast analysed a version of the malware that carries a Pony password-stealer module, which can also steal currency stored on the computer, such as bitcoin.
This password stealer can decrypt stored, encrypted passwords for FTP, VPN and email clients, web browsers and instant-messaging programs.
The company wrote in a post on its blog: the version of the Reveton ransomware analysed by Avast also contains a second password stealer from the Papras malware family. This program is not as effective as Pony, but it can disable security software.

Nine Norton products in one service

Number: IRCNE2014082295
Date: 93/5/29

Symantec plans to unify its Norton line of security software, turning nine products into a single online service that can be used on desktop systems and mobile devices.
The product, now available in beta, is simply called Norton Security and will cost $79 per year. It will replace Norton Internet Security, Norton AntiVirus, Norton 360 and other Norton products.
Symantec, one of the world's largest security vendors, has spent more than a year revising and overhauling its security product line.
Over the years Symantec released new products as new threats emerged, but users had difficulty choosing the right product for their situation. With this new move, Symantec has put an end to its users' confusion.
Overall, Symantec has tried to make Norton Security a simple online service, and its user interface has been improved to make the product easier to manage.
Customers can create an online Norton Security account and then download the appropriate product for Windows or Apple OS X systems, or for Android or iOS mobile devices.
There will be a limit on the number of devices on which Norton Security can be used, but that number is not yet known.
Norton Security will include antivirus, anti-spyware and spam-control functions. Symantec will also offer a cloud-based backup feature as an optional extra, though the price of this backup option is not yet known.
Customers on older Norton versions will not be forced to abandon their products, although Symantec recommends that they move to the new product.
Norton Security is expected to launch in Europe in early October and then in Asia-Pacific.