New malware roosting place: Inside your SD Card?

ID: IRCNE2014012055
Date: 2014-01-01

According to "cnet", security researchers have found a way to hack SD Cards, the most common form of flash-memory card used to store data in mobile phones and digital cameras, and run software on them that intercepts data.
Andrew "bunnie" Huang and Sean "xobs" Cross disclosed the approach Sunday in a blog post and talk at the Chaos Computer Congress (30C3). With the attack, a person could run malicious software on the memory card itself. That's because the cards have tiny built-in computers called microcontrollers that are used to oversee the details of data storage.
The result is a "perfect setup for a man-in-the-middle attack," Huang said in a video of the talk.
In a man-in-the-middle attack, someone intercepts data that's being transferred from one location to another, potentially scrutinizing or modifying it. Huang and Cross believe their attack could be used to secretly copy data, to modify sensitive data such as encryption keys, or to subvert authentication processes.
The approach works in principle not just with SD Cards, where the researchers demonstrated their approach, but also with other flash-memory devices such as SSDs (solid-state drives) used in place of traditional hard drives in personal computers and eMMC (Embedded Multimedia Controller) storage used in mobile phones.
The specific vulnerability Huang and Cross describe doesn't apply to all flash-memory devices because it's dependent on the specific microcontroller used. However, they believe the approach is generally effective since all flash devices rely on such controllers to figure out how to work around bad memory cells in flash-memory systems.

Cyber criminals offer malware for Nginx, Apache Web servers

ID: IRCNE2013122054
Date: 2013-12-30

According to "computerworld", a new malware program that functions as a module for the Apache and Nginx Web servers is being sold on cybercrime forums, researchers from security firm IntelCrawler report.
The malware is called Effusion and according to the sales pitch seen by IntelCrawler, a start-up firm based in Los Angeles that specializes in cybercrime intelligence, it can inject code in real time into websites hosted on the compromised Web servers. By injecting content into a website, attackers can redirect visitors to exploits or launch social engineering attacks.
The Effusion module works with Nginx from version 0.7 up to the latest stable version, 1.4.4, and with Apache running on 32- and 64-bit versions of Linux and FreeBSD.
The malware can inject rogue code into static content of certain MIME types, including JavaScript and HTML. Attackers can push configuration updates and control code modifications remotely.
The malware can check whether it has root access, something that could allow the attackers greater control over the underlying system. It can also delete the injected content when suspicious processes are detected in order to hide itself, Andrey Komarov, IntelCrawler's CEO, said via email.
While this is not the first malware to function as an Apache module, it is one of the very few so far to also target Nginx, a high-performance Web server that has grown considerably in popularity in recent years.

Researchers report security flaw in Samsung's Galaxy S4

ID: IRCNE2013122053
Date: 2013-12-25

According to "cnet", researchers have identified a vulnerability in Samsung's Galaxy S4 smartphone that allegedly allows a hacker to easily intercept secure data.
CNET did not immediately hear back from Samsung with a response to the reported flaw, but the company has told The Wall Street Journal and other news outlets that it's looking into the issues and thus far doesn't believe the problem is as serious as the researchers present in their findings.
The report comes not only as many Galaxy S4 phones sit wrapped up under a Christmas tree, but also as Samsung pitches its new Knox security platform, used in the device, to federal agencies like the Department of Defense.
The Knox software offers high-level encryption, a VPN feature, and a way to separate personal data from work data. It also enables IT administrators to manage a mobile device through specific policies and Samsung hopes it will appeal to security-sensitive clients as a replacement for BlackBerry devices.
The alleged vulnerability was discovered earlier this month by researchers at Ben-Gurion University's Cyber Security Labs. Specifically, they say that while Knox is the most advanced security-driven infrastructure for mobile phones, the alleged flaw enables malicious software to track e-mails and record data communications. The flaw was uncovered by Ph.D. student Mordechai Guri during an unrelated research task.
"Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands," he said. "We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately."

Security flaw identified in Samsung Galaxy S4

ID: IRCNE2013122053
Date: 4/10/92

Security researchers have identified a vulnerability in the Samsung Galaxy S4 smartphone that allows hackers to easily intercept secure data.
According to published reports, Samsung is investigating the issue and believes the problem is not as serious as the researchers have presented in their report.
The problem exists not only in the Samsung Galaxy but in Samsung devices that use the Knox security platform. This software provides high-level encryption, a VPN feature, and a way to separate personal data from work data. It also enables IT administrators to manage a mobile device through specific policies.
The vulnerability was discovered in early December by researchers at Ben-Gurion University's cyber security lab. The researchers stated that although Knox is used as an advanced security infrastructure for mobile phones, malicious software can exploit the discovered flaw to intercept e-mails and record data communications.
Knox is used by many organizations and government departments, and this weakness must be fixed immediately, before it is exploited by malicious actors.

Apple Issues First OS X Mavericks Update

ID: IRCNE2013122052
Date: 2013-12-20

According to “EWeek”, Apple released today its first milestone update for the OS X 10.9 Mavericks desktop operating system. Mavericks, Apple's latest OS X release, first became generally available Oct. 22. The new OS X 10.9.1 release includes both stability and security updates.
On the security front, the OS X 10.9.1 update is narrowly focused on Apple's Safari Web browser. OS X 10.9 originally shipped with Safari 7.0, which is now being updated to a patched Safari 7.0.1 release. In total, the Safari 7.0.1 update includes nine security updates for vulnerabilities found within Safari and its core WebKit rendering engine.
Apple patched the CVE-2013-5227 information leakage vulnerability in Safari 7.0.1.
"Safari may have autofilled user names and passwords into a subframe from a different domain than the main frame," Apple warns in its advisory. "This issue was addressed through improved origin tracking."
The WebKit rendering engine received eight security updates for memory corruption-related issues. Apple's advisory notes that it addressed the WebKit memory corruption issues through improved memory handling.
Three of the WebKit memory flaws were reported to Apple via the Google Chrome Security Team. Until recently, Google's Chrome browser shared the same WebKit technology that is used by Apple. Google announced in April its intention to move to its own rendering engine, known as Blink.

Bogus antivirus program uses a dozen stolen signing certificates

ID: IRCNE2013122051
Date: 2013-12-20

According to “ComputerWorldUK”, a fake antivirus program in circulation uses at least a dozen stolen digital code-signing certificates, indicating cybercriminals are increasingly breaching the networks of software developers, Microsoft wrote on Sunday.
The application, branded as "Antivirus Security Pro," was first detected in 2009 and has gone by a handful of other names over the years, according to a Microsoft advisory, which calls it by a single name, "Win32/Winwebsec."
Digital certificates, issued by Certification Authorities (CAs), are used by developers to "sign" software programs; the signature can be cryptographically checked to verify that a program hasn't been tampered with and originates from the developer who claims to have written it.
If a hacker obtains the authentication credentials to use a certificate, they can sign their own programs, which makes it appear the applications come from a legitimate developer.
The samples of Antivirus Security Pro collected by Microsoft used stolen certificates issued "by a number of different CAs to software developers in various locations around the world," the company wrote.
The certificates were issued to developers in the Netherlands, U.S., Russia, Germany, Canada and the U.K. by CAs such as VeriSign, Comodo, Thawte and DigiCert, according to a chart.
Using stolen certificates is not a new tactic, but it is usually considered difficult to accomplish, since hackers have to breach either an organisation that holds a certificate or an entity that issues certificates.
One of the certificates was issued just three days before Microsoft picked up samples of Antivirus Security Pro using it, indicating "that the malware's distributors are regularly stealing new certificates, rather than using certificates from an older stockpile."
Microsoft noticed another fake antivirus program, which is called "Win32/FakePav," is also rotating stolen certificates.
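Two observations in the report are directly usable as triage heuristics: a signed sample whose certificate was issued only days before the sample was first seen points to a freshly stolen certificate, and a family seen under several distinct certificates is rotating them. The following is an added example, not code from the Microsoft advisory or from ComputerWorldUK; the sample records, hashes, serial numbers and dates are constructed for illustration, and the thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SignedSample:
    """One signed sample and the code-signing certificate it carried."""
    sha256: str        # placeholder hash, constructed for this example
    family: str        # detection name, e.g. Win32/Winwebsec
    issuer_ca: str     # CA that issued the code-signing certificate
    cert_serial: str   # placeholder certificate serial, constructed
    not_before: date   # X.509 notBefore of the signing certificate
    first_seen: date   # date the signed sample was first collected


# Constructed records; none of these are from the advisory. Sample 5 reuses
# sample 4's certificate, and the last entry is a benign control case.
SAMPLES = [
    SignedSample("11" * 32, "Win32/Winwebsec", "VeriSign", "0a01", date(2013, 11, 1), date(2013, 11, 4)),
    SignedSample("22" * 32, "Win32/Winwebsec", "Comodo", "0b02", date(2013, 10, 10), date(2013, 11, 20)),
    SignedSample("33" * 32, "Win32/Winwebsec", "Thawte", "0c03", date(2013, 12, 1), date(2013, 12, 2)),
    SignedSample("44" * 32, "Win32/FakePav", "DigiCert", "0d04", date(2013, 11, 25), date(2013, 11, 30)),
    SignedSample("55" * 32, "Win32/FakePav", "DigiCert", "0d04", date(2013, 11, 25), date(2013, 12, 8)),
    SignedSample("66" * 32, "ExampleUpdater", "VeriSign", "0e05", date(2012, 3, 1), date(2013, 12, 1)),
]


def cert_age_at_first_seen(sample):
    """Days between certificate issuance and the sample's first sighting."""
    return (sample.first_seen - sample.not_before).days


def freshly_issued(samples, max_age_days=7):
    """Samples signed with a certificate issued at most max_age_days before
    they were first seen: the 'three days' pattern described in the report."""
    return [s for s in samples if 0 <= cert_age_at_first_seen(s) <= max_age_days]


def distinct_certs_per_family(samples):
    """Count distinct (issuer, serial) pairs observed per malware family."""
    seen = {}
    for s in samples:
        seen.setdefault(s.family, set()).add((s.issuer_ca, s.cert_serial))
    return {family: len(certs) for family, certs in seen.items()}


def rotating_families(samples, min_certs=2):
    """Families seen under at least min_certs different certificates."""
    return sorted(f for f, n in distinct_certs_per_family(samples).items() if n >= min_certs)


if __name__ == "__main__":
    for s in freshly_issued(SAMPLES):
        print(f"fresh certificate: {s.family} {s.issuer_ca} serial={s.cert_serial} "
              f"age={cert_age_at_first_seen(s)}d")
    print("rotating families:", rotating_families(SAMPLES))
```

In practice the `not_before` and serial fields come from the Authenticode signer certificate of each sample and `first_seen` from the collection pipeline; a hit on either heuristic is a reason to report the certificate to its CA for revocation rather than to trust the signature.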

MacBook Webcams can be used to covertly spy on people

ID: IRCNE2013122050
Date: 2013-12-20

According to “CNet”, imagine going about your daily life and then one day receiving photos of yourself taken inside your home. Sound spooky? Well, this really happened to a woman, according to the Washington Post. How did this happen?
Apparently, there's a way for hackers to spy on people via their iSight Webcams in older Apple MacBooks. Typically, when the camera is on a little light is also set off. But, in a newly discovered workaround, this light can be deactivated -- meaning unsuspecting victims have no clue they're being watched.
The Washington Post revealed this new research by Johns Hopkins computer scientist Stephen Checkoway, which shows how people can be spied on with MacBooks and iMacs released before 2008. Using proof-of-concept software, called Remote Administration Tool or RAT, Checkoway was able to reprogram the iSight camera's microcontroller chip so that the light doesn't turn on.
While it could be feasible to do this trick on newer Apple computers or laptops by other brands, it hasn't yet been proven possible.
This is not the first time someone has been remotely spied on with a Webcam, but it is the first known time that it's been done without the warning light being triggered.

Adobe warns of license key email scam

Number: IRCNE2013122049
Date: 2013/12/20

According to “zdnet”, Adobe is reporting that "...a phishing campaign is underway involving malicious email purporting to deliver license keys for a variety of Adobe offerings."
Based on other reports, such as this one from MX Lab and this one from Cisco Security Intelligence Operations, the emails are not actually a phishing attack, but contain a ZIP file attachment which itself contains a malicious .exe file.
The file names are License_Key_OR4924.zip and License_Key_Document_Adobe_Systems_____.exe.
The email body, as reported by Cisco, is:
Subject: Download your adobe software
Message Body:
Hello.
Thank you for buying Digital Publishing Suite, Professional Edition Digital Publishing Suite software.
Your Adobe License key is in attached document below.
Adobe Systems Incorporated.
The MX Lab report shows that there are many variations on the email body. They say the EXE file is 209KB.
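The file names above show the two tricks a mail gateway should catch: an executable hidden inside a ZIP attachment, and a run of underscores before the extension so that ".exe" is pushed out of view in a narrow file list. The following added example (not code from Adobe, MX Lab or Cisco) builds a constructed message in the shape of the reported one with Python's standard library, then inspects its attachments; the message addresses and the executable bytes are constructed, and the extension list and padding rule are assumptions.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute directly from a double-click (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Three or more underscores/spaces immediately before the extension.
PADDED_NAME = re.compile(r"[_ ]{3,}\.[A-Za-z0-9]+$")


def suspicious_member(name):
    """Return the reasons a file name looks dangerous; an empty list means none."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[1] if "." in lower else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if PADDED_NAME.search(name):
        reasons.append("padding before extension")
    if lower.count(".") >= 2 and ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension")
    return reasons


def inspect_zip_bytes(data):
    """List (member name, reasons) for every suspicious member of a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = suspicious_member(info.filename)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def inspect_message(raw):
    """Parse a raw RFC 5322 message and inspect its attachments, looking inside ZIPs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if name.lower().endswith(".zip") and payload and zipfile.is_zipfile(io.BytesIO(payload)):
            findings.extend(inspect_zip_bytes(payload))
        elif suspicious_member(name):
            findings.append((name, suspicious_member(name)))
    return findings


def build_sample_message():
    """Constructed message in the shape of the reported lure (addresses are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE header followed by padding; not a real program.
        zf.writestr("License_Key_Document_Adobe_Systems_____.exe", b"MZ" + b"\0" * 30)
    msg = EmailMessage()
    msg["Subject"] = "Download your adobe software"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Hello.\nYour Adobe License key is in attached document below.\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="License_Key_OR4924.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in inspect_message(build_sample_message()):
        print(f"{name}: {', '.join(reasons)}")
```

Feed `inspect_message` the raw bytes of a quarantined message to reproduce the check; a non-empty result is enough to hold the message, since a legitimate license delivery has no reason to ship an executable.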

New DDoS malware targets Linux and Windows systems

Number: IRCNE2013122048
Date: 2013/12/20

According to “techworld”, attackers are compromising Linux and Windows systems to install a new malware program designed for launching distributed denial-of-service (DDoS) attacks, according to researchers from the Polish Computer Emergency Response Team (CERT Polska).
The malware was found by the Polish CERT at the beginning of December and the Linux version is being deployed following successful dictionary-based password guessing attacks against the SSH (Secure Shell) service. This means only systems that allow remote SSH access from the Internet and have accounts with weak passwords are at risk of being compromised by attackers distributing this malware.
"We were able to obtain a 32-bit, statically linked, ELF file," the Polish CERT researchers said Monday in a blog post. The executable runs in daemon mode and connects to a command-and-control (C&C) server using a hard-coded IP (Internet Protocol) address and port, they said.
When first run, the malware sends operating system information -- the output of the uname command -- back to the C&C server and waits for instructions.
"From the analysis we were able to determine that there are four types of attack possible, each of them a DDoS attack on the defined target," the researchers said. "One of the possibilities is the DNS Amplification attack, in which a request, containing 256 random or previously defined queries, is sent to a DNS server. There are also other, unimplemented functions, which probably are meant to utilize the HTTP protocol in order to perform a DDoS attack."
While executing an attack, the malware provides information back to the C&C server about the running task, the CPU speed, system load and network connection speed.
A variant of the DDoS malware also exists for Windows systems where it is installed as "C:\Program Files\DbProtectSupport\svchost.exe" and is set up to run as a service on system start-up.
Unlike the Linux version, the Windows variant connects to the C&C server using a domain name, not an IP address, and communicates on a different port, according to the Polish CERT analysis. However, the same C&C server was used by both the Linux and Windows variants, leading the Polish CERT researchers to conclude that they were created by the same group.
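Because the Linux variant is installed only after a successful SSH dictionary attack, the compromise leaves a distinctive trail in the authentication log: a burst of failed password attempts from one source, across several account names, followed by an accepted password from the same source. The following is an added example, not code from CERT Polska or techworld; the log excerpt is constructed (host name, PIDs and documentation-range IP addresses are placeholders) and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Matches the password-authentication line shapes sshd writes to the auth log.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed auth.log excerpt: six guesses then a hit from 203.0.113.5, one
# typo from 198.51.100.9, and a key-based login that the regex deliberately skips.
SAMPLE_AUTH_LOG = """\
Dec  2 03:14:01 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec  2 03:14:02 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Dec  2 03:14:03 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Dec  2 03:14:04 web01 sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 40152 ssh2
Dec  2 03:14:05 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 40160 ssh2
Dec  2 03:14:06 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 40171 ssh2
Dec  2 03:14:07 web01 sshd[2213]: Accepted password for root from 203.0.113.5 port 40180 ssh2
Dec  2 03:20:11 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Dec  2 03:20:19 web01 sshd[2302]: Accepted password for alice from 198.51.100.9 port 51002 ssh2
Dec  2 04:00:00 web01 sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 52000 ssh2
""".splitlines()


def parse_sshd_lines(lines):
    """Return a dict per password-auth line; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = SSHD_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_password_guessing(lines, failure_threshold=5):
    """Flag sources with >= failure_threshold failed passwords. A subsequent
    accepted password from the same source is reported as critical, since that
    is the moment the account (and host) should be treated as compromised."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    findings = {}
    for ev in parse_sshd_lines(lines):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            users_tried[src].add(ev["user"])
        elif failures[src] >= failure_threshold:
            findings[src] = {
                "severity": "critical",
                "account": ev["user"],
                "failures_before_success": failures[src],
                "users_tried": sorted(users_tried[src]),
            }
    for src, n in failures.items():
        if n >= failure_threshold and src not in findings:
            findings[src] = {
                "severity": "warning",
                "account": None,
                "failures_before_success": n,
                "users_tried": sorted(users_tried[src]),
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_guessing(SAMPLE_AUTH_LOG).items():
        print(src, finding)
```

A critical finding for a host is the cue to look for the statically linked ELF daemon and its outbound connection to a hard-coded IP and port described above; the warning tier is the signal to move the exposed service to key-only authentication before the guessing succeeds.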

Cryptolocker ransom Trojan infected 250,000 PCs, Dell SecureWorks estimates

Number: IRCNE2013122047
Date: 2013/12/20

According to “techworld”, the feared Cryptolocker ransom Trojan has infected at least a quarter of a million PCs worldwide, a success rate probably generating somewhere in the low millions of dollars in ransom payments, a new analysis by Dell SecureWorks has estimated.
Offering some of the first data, Dell SecureWorks recorded 31,866 infected PCs contacting sinkholed command and control servers between 22 October and 1 November alone, over 22,000 of which were in the US with around 1,700 in the UK.
Carrying out the same exercise between 9 and 16 December, the number of infected PCs had fallen to only 6,459, a fall attributed mainly to a lower level of activity by the botnets pushing the malware.
From these numbers, the firm calculated that in the first 100 days of its activity from mid-September, Cryptolocker managed to infect between 200,000 and 250,000 PCs globally, disproportionately in English-speaking countries.
Many of the victims of Cryptolocker’s shakedown have been small businesses rather than consumers; from its first appearance the malware targeted SMEs using subject lines such as ‘consumer complaint’ to engineer employees into opening attachments, the firm said.
