Nexus phones vulnerable to SMS attacks


ID: IRCNE2013112027
Date: 09/09/92 (Solar Hijri)

According to researchers, Google's new Nexus smartphones are vulnerable to an attack in which an attacker can reboot the phone or cut its network connection by sending a large number of a specific kind of SMS message.
A system administrator at a Dutch IT services company discovered that the vulnerability can be exploited when an attacker sends around 30 special messages, known as Flash SMS (messages that are displayed on the phone's screen as soon as they arrive), to a Nexus 4, Nexus 5 or Galaxy Nexus. If these messages are not dismissed immediately, they leave the phone open to attack.
One problem for Nexus users is that the phone makes no sound when a Flash SMS is received, so an attacker can send a large number of these messages before the user notices that any have arrived.
This large number of SMS messages can cause various problems, including a reboot of the phone. In that case, if a PIN is required to unlock the SIM card, the phone will not reconnect to the network after rebooting. Another problem that can occur is that the messaging app crashes, although the system restarts it automatically.
According to the researchers, the issue appears to affect only Nexus smartphones running the Ice Cream Sandwich version of Android.


Exploitation of an unpatched flaw in Windows XP and Server 2003


ID: IRCNE2013112026
Date: 09/09/92 (Solar Hijri)

Attackers are exploiting a new, unpatched vulnerability in Windows XP and Server 2003 to execute arbitrary code with the highest level of privilege. The vulnerability is located in NDProxy.sys.
In a security advisory published on Wednesday, Microsoft said that an attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode. The attacker could then install arbitrary programs; view, change or delete data; and create a new account with full administrative rights.
This flaw is not a remote code execution vulnerability but an EoP (elevation of privilege) vulnerability.
According to Microsoft, the vulnerability is currently being used in limited, targeted attacks, and Windows versions newer than Windows XP and Server 2003 are not affected.
Microsoft has provided a temporary workaround that involves disabling NDProxy.sys, but this causes certain services that depend on TAPI, such as Remote Access Service, dial-up networking and virtual private networking, to stop working.
Attackers exploiting this vulnerability target computers running Adobe Reader on Windows XP Service Pack 3, but users of the latest versions of Adobe Reader are safe.
According to FireEye researchers, if the exploit succeeds, an executable file is copied into the Windows temporary directory and executed.


'Neverquest' trojan threatens online banking users


ID: IRCNE2013112030
Date: 2013-11-30

According to "computerworld", a new Trojan program that targets users of online financial services has the potential to spread very quickly over the next few months, security researchers warn.
Neverquest has most of the features found in other financial malware. It can modify the content of websites opened inside Internet Explorer or Firefox and inject rogue forms into them, it can steal the username and passwords entered by victims on those websites and allow attackers to control infected computers remotely using VNC (Virtual Network Computing).
Its default configuration defines 28 targeted websites that belong to large international banks as well as popular online payment services. However, in addition to these predefined sites, the malware identifies Web pages visited by victims that contain certain keywords such as balance, checking account and account summary, and sends their content back to the attackers.
This helps attackers identify new financial websites to target and build scripts for the malware to interact with them.
Once attackers have the information they need to access a user's account on a website, they use a proxy server to connect to the user's computer via VNC and access the account directly. This can bypass certain account protection mechanisms enforced by websites because unauthorized actions like transferring money are done through the victim's browser.
The methods used to distribute Neverquest are similar to those used to distribute the Bredolab botnet client, which became one of the most widespread malware families on the Internet in 2010.
Neverquest steals log-in credentials from FTP (File Transfer Protocol) client applications installed on infected computers. Attackers then use these FTP credentials to infect websites with the Neutrino exploit pack, which then exploits vulnerabilities in browser plug-ins to install the Neverquest malware on the computers of users visiting those sites.
The Trojan program also steals SMTP (Simple Mail Transfer Protocol) and POP (Post Office Protocol) credentials from email clients and sends them back to attackers so they can be used to send spam emails with malicious attachments. "These emails are typically designed to look like official notifications from a variety of services," Golovanov said.
"We can expect to see mass Neverquest attacks towards the end of the year, which could ultimately lead to more users becoming the victims of online cash theft," Golovanov said.


'Blackshades' malware still being sold, Symantec says


ID: IRCNE2013112029
Date: 2013-11-30

According to "computerworld", cybercriminals are increasingly using the "Blackshades" malware program whose source code was leaked three years ago, according to an analysis by Symantec.
Blackshades, which Symantec identifies as "W32.Shadesrat," has been infecting more Microsoft Windows computers and is being controlled by hundreds of command-and-control servers worldwide, which deliver instructions and receive information, wrote Santiago Cortes, a security response engineer at Symantec, in a blog post.
Blackshades is a remote access tool (RAT) that collects usernames and passwords for email and Web services, instant messaging applications, FTP clients and more. It has been sold on underground forums since at least 2010.
It's common for hackers to use remote access tools, which can be used to upload other malware to a computer or manipulate files. To evade antivirus software, the programs are frequently modified.


This new worm targets Linux PCs and embedded devices


ID: IRCNE2013112028
Date: 2013-11-30

According to "computerworld", a new worm is targeting x86 computers running Linux and PHP, and variants may also pose a threat to devices such as home routers and set-top boxes based on other chip architectures.
According to security researchers from Symantec, the malware spreads by exploiting a vulnerability in php-cgi, a component that allows PHP to run in the Common Gateway Interface (CGI) configuration. The vulnerability is tracked as CVE-2012-1823 and was patched in PHP 5.4.3 and PHP 5.3.13 in May 2012.
The new worm, which was named Linux.Darlloz, is based on proof-of-concept code released in late October, the Symantec researchers said Wednesday in a blog post.
"Upon execution, the worm generates IP [Internet Protocol] addresses randomly, accesses a specific path on the machine with well-known ID and passwords, and sends HTTP POST requests, which exploit the vulnerability," the Symantec researchers explained. "If the target is unpatched, it downloads the worm from a malicious server and starts searching for its next target."
To protect their devices from the worm, users are advised to verify that those devices run the latest available firmware version, update the firmware if needed, set strong administration passwords and block HTTP POST requests to /cgi-bin/php, /cgi-bin/php5, /cgi-bin/php-cgi, /cgi-bin/php.cgi and /cgi-bin/php4, either at the gateway firewall or on each individual device if possible, the Symantec researchers said.
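Symantec's advice above is to block HTTP POST requests to the five php-cgi paths; the same rule can be turned into a detection over existing web server logs to see whether a device has already been probed. The following is an added example written for this article, not Symantec's or the worm's code: it parses combined-format access log lines, flags POSTs whose path (query string stripped) is one of the listed paths, and tallies them per source address. The log lines and IP addresses are constructed samples.

```python
import re
from collections import Counter

# The paths Symantec advised blocking POST requests to (taken from the article).
BLOCKED_CGI_PATHS = (
    "/cgi-bin/php",
    "/cgi-bin/php5",
    "/cgi-bin/php-cgi",
    "/cgi-bin/php.cgi",
    "/cgi-bin/php4",
)

# Apache/nginx "combined" access log format (the constructed samples below use it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Key the rule on the path only: the query string varies per request and is
    # irrelevant to the block rule in the article.
    event["path"] = event["target"].split("?", 1)[0]
    return event


def is_php_cgi_post(event):
    """True when the request is a POST to one of the php-cgi paths
    (exact match, or the path used as a prefix with extra PATH_INFO after it)."""
    if event["method"] != "POST":
        return False
    return any(event["path"] == p or event["path"].startswith(p + "/")
               for p in BLOCKED_CGI_PATHS)


def scan(lines):
    """Return (flagged events, Counter of flagged POSTs per source IP)."""
    hits = []
    per_ip = Counter()
    for line in lines:
        event = parse_line(line)
        if event and is_php_cgi_post(event):
            hits.append(event)
            per_ip[event["ip"]] += 1
    return hits, per_ip


# Constructed sample log: one scanner (203.0.113.7) probing three of the paths,
# a GET to a php-cgi path (not matched, the rule is POST-only) and ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Nov/2013:10:12:01 +0000] "POST /cgi-bin/php?page=1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [30/Nov/2013:10:12:03 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [30/Nov/2013:10:12:05 +0000] "POST /cgi-bin/php5 HTTP/1.1" 404 162',
    '192.0.2.9 - - [30/Nov/2013:10:12:07 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 200 100',
    '203.0.113.7 - - [30/Nov/2013:10:12:09 +0000] "POST /cgi-bin/php.cgi HTTP/1.1" 200 512',
    '198.51.100.4 - - [30/Nov/2013:10:12:11 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    flagged, counts = scan(SAMPLE_LOG)
    for ev in flagged:
        print(f"{ev['ip']} POST {ev['path']} -> {ev['status']}")
    print(dict(counts))
```

A 200 response to such a POST on an unpatched device deserves more attention than a 404, since the worm only downloads its payload when the exploit request succeeds; the per-IP tally also gives the addresses to feed into the gateway firewall rule the article recommends.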


Google Nexus phones reportedly susceptible to SMS attacks


ID: IRCNE2013112027
Date: 2013-11-30

According to "CNet", Google's latest Nexus smartphones are vulnerable to an attack in which someone could force the phones to reboot or lose their network connection by sending them a large number of a certain kind of SMS message.
Bogdan Alecu, a system administrator at Dutch IT services company Levi9, reportedly found that the vulnerability can occur when an attacker sends around 30 so-called Flash SMS messages -- messages that appear immediately on the phone's screen upon arrival -- to the Galaxy Nexus, the Nexus 4, or the Nexus 5. If the messages aren't promptly dismissed, it opens the phones up for attack. Alecu plans to present his findings Friday at the DefCamp security conference in Bucharest, Romania.
One of the problems that Nexus users face is that they won't be automatically alerted with an audio tone when a Flash SMS message is received, which could allow an attacker to send a lot of them quickly before they're noticed or dismissed, PC World reports.
According to Alecu, the SMS overload can result in several issues, including the phone rebooting, which is the most likely outcome. In that case, if a PIN is required to unlock the SIM card, the phone won't connect to the network after rebooting. Another problem that can occur is that the messaging app crashes, but the system then automatically restarts it.
Alecu told PC World that while the issue appears to affect the latest Nexus smartphones running Android versions Ice Cream Sandwich through KitKat, it hasn't worked on other phones he's tested.


Attackers exploit unpatched flaw to hit Windows XP, Server 2003


ID: IRCNE2013112026
Date: 2013-11-30

According to "computerworld", attackers are exploiting a new and unpatched vulnerability in Windows XP and Windows Server 2003 that allows them to execute code with higher privileges than they have access to. The vulnerability is located in NDProxy.sys.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," Microsoft said in a security advisory published Wednesday. "An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights."
This is an elevation-of-privilege (EoP) vulnerability, not a remote code execution one, which means that attackers need to already have access to a low-privileged account on the targeted system in order to exploit it.
According to Microsoft, this vulnerability is already being exploited in "limited, targeted attacks," but doesn't affect Windows versions newer than Windows XP and Windows Server 2003.
The company provided a temporary workaround that involves disabling NDProxy.sys, but this will cause certain services which depend on TAPI, like Remote Access Service (RAS), dial-up networking and virtual private networking (VPN), to no longer work.
The exploit targets computers running Adobe Reader on Windows XP with Service Pack 3, but users who have the latest versions of Adobe Reader installed should be protected, the FireEye researchers said.
According to the FireEye researchers, if the exploit is successful, an executable file is dropped in the Windows temporary directory and is executed.


Brute-force attack against GitHub


ID: IRCNE2013112025
Date: 02/09/92 (Solar Hijri)

GitHub, one of the most popular source code repository services, has recently been the target of brute-force attacks in which some user accounts were compromised.
Shawn Davenport, a GitHub security engineer, wrote in a blog post: we sent messages to those whose accounts were attacked to inform them of the incident. Their passwords were reset, and their personal access tokens, OAuth authorizations and SSH keys were all revoked.
Users are advised to review their account's Security History page for possible changes and to enable two-factor authentication.
Davenport said that GitHub stores passwords securely using the bcrypt function and uses a mechanism to block password-guessing attacks. Nevertheless, in the recent attack 40,000 unique IP addresses were used to guess weak passwords or passwords reused across multiple sites.
It is possible that the attackers targeted GitHub using usernames and passwords leaked from other websites.
The exact number of GitHub accounts whose passwords had to be reset has not been disclosed. GitHub plans to implement further restrictions and will not allow users to use weak, common passwords. Currently, GitHub's login page requires passwords to be at least 7 characters long and to contain at least one uppercase letter or one digit.


GitHub bans weak passwords after brute-force attacks


ID: IRCNE2013112025
Date: 2013-11-23

According to "computerworld", popular source code repository service GitHub has recently been hit by a brute-force password-guessing attack that successfully compromised some accounts.
"We sent an email to users with compromised accounts letting them know what to do," GitHub security engineer Shawn Davenport said in a blog post. "Their passwords have been reset and personal access tokens, OAuth authorizations, and SSH keys have all been revoked."
Users were advised to review their account's Security History page for recent changes made to their repositories or failed log-in attempts and to enable two-factor authentication.
GitHub stores passwords securely using the bcrypt function and uses an aggressive rate limit for log-in attempts specifically to block password-guessing attacks, Davenport said. However, in this recent incident almost 40,000 unique Internet Protocol addresses "were used to slowly brute force weak passwords or passwords used on multiple sites."
This suggests that attackers might have taken lists of usernames and passwords leaked from other websites and used a botnet to try them out on GitHub.
The exact number of GitHub accounts that had their passwords reset was not disclosed and GitHub did not immediately respond to an inquiry seeking clarification.
GitHub plans to implement additional rate-limiting measures and will no longer allow users to log in with "commonly-used weak passwords," Davenport said.
GitHub's sign-up page says passwords need to be at least seven characters long and have at least one lowercase letter and one numeral. Trying some weak passwords that meet those criteria, like q1w2e3r4, password1 and iloveyou2, results in a message saying those passwords are "commonly guessed by hackers."
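The campaign Davenport describes (here and in the Persian item above) is a distributed, low-and-slow credential attack: with roughly 40,000 source addresses, each one can stay well under a per-IP login rate limit, which is why GitHub's existing limit did not stop it. The following added example, which is not GitHub's code, contrasts a classic per-IP failure counter with two detectors that aggregate across sources: the number of distinct failing IPs inside a sliding window, and the number of distinct IPs that failed against each account. The event format, thresholds, account names and IP addresses are constructed assumptions for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def parse_event(line):
    """Constructed event format: '<ISO timestamp> <ip> <username> FAIL|OK'."""
    ts, ip, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "user": user, "ok": result == "OK"}


def per_ip_offenders(events, window=timedelta(minutes=10), limit=10):
    """Classic per-IP rate limit: IPs with more than `limit` failed logins in any
    `window`. A two-pointer sweep over each IP's time-sorted failures."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not ev["ok"]:
            by_ip[ev["ip"]].append(ev["ts"])
    offenders = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                offenders.add(ip)
                break
    return offenders


def distributed_offense(events, window=timedelta(minutes=10), ip_limit=25, per_account_limit=3):
    """Low-and-slow detector. Counts distinct failing source IPs in a sliding
    window (a botnet shows up as many sources with few attempts each) and, per
    account, how many distinct IPs failed against it over the whole input."""
    fails = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    ip_counts = Counter()   # failing IPs currently inside the window
    peak_ips = 0
    start = 0
    for ev in fails:
        ip_counts[ev["ip"]] += 1
        while ev["ts"] - fails[start]["ts"] > window:
            old = fails[start]["ip"]
            ip_counts[old] -= 1
            if ip_counts[old] == 0:
                del ip_counts[old]
            start += 1
        peak_ips = max(peak_ips, len(ip_counts))
    per_account = defaultdict(set)
    for ev in fails:
        per_account[ev["user"]].add(ev["ip"])
    targeted = sorted(u for u, ips in per_account.items() if len(ips) >= per_account_limit)
    return {"peak_distinct_ips": peak_ips,
            "campaign": peak_ips > ip_limit,
            "targeted_accounts": targeted}


def build_sample_events():
    """Constructed sample: 40 source IPs, each making two guesses against one of
    ten accounts, spread over ten minutes, plus one real user (carol) who
    mistypes her password once and then logs in from the same address."""
    base = datetime(2013, 11, 19, 10, 0, 0)
    lines = []
    for i in range(40):
        ip = f"198.51.100.{i + 1}"
        user = f"user{i % 10}"
        for k in range(2):
            t = base + timedelta(seconds=15 * i + 5 * k)
            lines.append(f"{t.isoformat()} {ip} {user} FAIL")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 203.0.113.9 carol FAIL")
    lines.append(f"{(base + timedelta(minutes=3, seconds=20)).isoformat()} 203.0.113.9 carol OK")
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-IP limit fires on:", per_ip_offenders(sample) or "nothing")
    print("distributed view:", distributed_offense(sample))
```

On the sample the per-IP rule fires on nothing, because no address exceeds two failures, while the distributed view reports 41 distinct failing sources in one window and flags all ten attacked accounts; carol's single slip is not flagged. The aggregate signal is what justifies the additional measures the article mentions, such as tighter rate limits and rejecting commonly guessed passwords, rather than per-address blocking alone.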


Google rewards for discoverers of Android vulnerabilities


ID: IRCNE2013112024
Date: 29/08/92 (Solar Hijri)

Google has expanded its program of rewarding the discoverers of security flaws to cover Android vulnerabilities as well.
The program started with Chrome and was extended to Google Web sites and other open-source software projects. Under the program, people who discover security holes receive rewards from Google. The rewards are usually a few hundred dollars, but certain specific attacks can earn rewards of $50,000.
A member of Google's security team wrote on the company's blog that the program has now been extended to Android as well. According to him, the program also covers three well-known web server packages: Apache httpd, Nginx and Lighttpd.
