ID: IRCNE2013051857
Date: 2013-05-25

According to “ComputerWorld”, Microsoft brushed off a dubious hacker's claim on Thursday that he stole 47 million account credentials for Microsoft's Xbox Live gaming service.
The hacker, who goes by the Twitter handle "@Reckz0r," wrote on Pastebin that Microsoft stored the login credentials in plain text. The data included email addresses and passwords, he added.
The alleged breach comes just days after Microsoft unveiled the Xbox One, the latest iteration of the gaming system.
"Xbox Live has not been hacked," the company said in a statement. "Microsoft can confirm that there has been no breach to the security of our Xbox Live service."
In a lengthy note on Pastebin, drenched in profanity, Reckz0r wrote "Microsoft is a pest to humanity." He included a link to a 6GB file of the credentials and posted hundreds more in plain text, some of which he wrote dated to around 2009. The newer accounts were contained in the 6GB file, he wrote.
Reckz0r has a track record of posting old data. Last June, he posted a link on Pastebin to a data dump, writing on Twitter that he had "penetrated over 79 large banks" and obtained 50GB of data on MasterCard and Visa cardholders.
A payment card industry source said at the time the data appeared to be old. One person whose data was released told that the information attached to his name was years out of date.

ID: IRCNE2013051856
Date: 2013-05-25

According to “ComputerWorld”, security researchers have identified multiple samples of the recently discovered "KitM" spyware for Mac OS X, including one dating back to December 2012 and targeting German-speaking users.
KitM (Kumar in the Mac), also known as HackBack, is a backdoor-type program that takes unauthorized screen shots and uploads them to a remote command-and-control (C&C) server. It also opens a reverse shell that allows attackers to execute commands on the infected computers.
The malware was initially discovered last week on the Mac laptop of an Angolan activist at the Oslo Freedom Forum, a human rights conference in Norway, by security researcher and privacy activist Jacob Appelbaum.
The most interesting aspect of KitM is that it was signed with a valid Apple Developer ID, a code-signing certificate, issued by Apple to someone named "Rajinder Kumar." Applications signed with a valid Apple Developer ID bypass the Gatekeeper security feature in Mac OS X Mountain Lion, which verifies the origin of files to determine whether they pose any risks to the system.
The first two KitM samples found last week connected back to C&C servers hosted in the Netherlands and Romania. Researchers from security vendor Norman Shark linked the domain names of those servers to the attack infrastructure of a large cyberespionage campaign of Indian-origin dubbed "Operation Hangover."
On Wednesday, F-Secure researchers obtained more KitM variants from a Germany-based investigator. These samples were used in targeted attacks between December and February and were distributed via spear-phishing emails carrying .zip archives, the F-Secure researchers said in a blog post.
Some of the malicious attachments were called Christmas_Card.app.zip, Content_for_Article.app.zip, Interview_Venue_and_Questions.zip, Content_of_article_for_[NAME REMOVED].app.zip and Lebenslauf_fur_Praktitkum.zip.
The KitM installers contained in the .zip archives are Mach-O executables, but have icons corresponding to image and video files, Adobe PDF documents and Microsoft Word documents. This is a trick frequently seen with Windows malware distributed via email.
The newly discovered KitM variants are all signed with the same Rajinder Kumar certificate. Apple revoked this Developer ID last week, after the first samples were discovered, but this won't immediately help existing victims.
"Gatekeeper uses the File Quarantine system, which holds the file in quarantine until it is first executed," Botezatu said Thursday via email. "If it passes Gatekeeper on first run, it will continue to run and never be queried by Gatekeeper again. So, malware samples that have been ran once while the developer ID used for signing them was valid will continue to run on the machines."
Apple could use another malware protection feature called XProtect to blacklist the known KitM binary files. However, other versions that haven't been discovered yet might exist.
In order to prevent the execution of any digitally signed malware file on their computers, Mac users could modify the Gatekeeper security settings to only allow applications downloaded from the Mac App Store to be installed, security researchers from F-Secure said.

ID: IRCNE2013051855
Date: 2013-05-25

According to "computerworld", Google today upgraded Chrome to version 27, touting it as 5% faster as it patched 13 vulnerabilities.
The speed improvement was meager, according to Google, which cited a 5% speed increase overall, with even smaller boosts for tasks like printing.
Chrome 27 also patched 13 vulnerabilities, 10 of them labeled "high," the company's second-most-serious threat rating, two as "medium," and one as "low." The majority were "use-after-free" flaws -- a type of memory allocation vulnerability -- discovered by the Google-built AddressSanitizer fuzzing tool, which the company's security team has used to sniff out bugs in other browsers, including Apple's Safari and Mozilla's Firefox.
Chrome 27 also featured a non-security update of Adobe Flash, which Google bundles with its browser. The Flash fix addressed a problem maintaining connections with audio streams that affected only Macs.
Users can download Chrome 27 from Google's website. Active users can simply let the automatic updater retrieve the new edition.

شماره: IRCNE2013051854
تاريخ:01/03/92

محققان امنيتي آسيب پذيري هاي جدي را در موتورهاي چندين بازي محبوب كشف كرده اند كه مي تواند توسط هكرها مورد سوء استفاده قرار بگيرد تا كنترل سرورهاي آنلاين آن ها را در اختيار بگيرند و به كامپيوترهاي بازيكنان دسترسي يابند.
محققا امنيتي Luigi Auriemma و Donato Ferrante از شركت مشاوره امنيت ReVuln دو آسيب پذيري تخريب حافظه و سرريز بافر را در "CryEngine 3"، "Unreal Engine 3"، "Hydrogen Engine" و "id Tech 4" كشف كردند. اين موتورهاي بازي در بازي هاي ويدئويي مانند "Quake 4"، "Crysis 2"، "Homefront"، "Brink"، "Monday Night Combat"، "Enemy Territory: Quake Wars"، "Sanctum"، "Breach" و "Nexuiz" استفاده مي شوند.
آسيب پذيري هاي كشف شده توسط اين دو محقق مي تواند از طريق ارسال بسته هاي داده دستكاري شده خرابكار براي سرورها و كلاينت هاي بازي منجر به راه اندازي حملات اجراي كد از راه دور و انكار سرويس شوند. به عنوان مثال مهاجمي مي تواند يك سرور جعلي را براي يكي از بازي هاي آلوده تنظيم نمايد و سپس با استفاده از آسيب پذيري اجراي كد از راه دور مي تواند كنترل كامپيوتر كاربراني كه به اين سرور متصل مي شوند را در اختيار بگيرد. هم چنين سرورها مي توانند از طريق ارسال بسته هاي مخرب از يك كلاينت مورد سوء استفاده قرار گيرند. اگر مهاجم بخواهد تعداد بيشتري از بازيكنان را مورد هدف قرار دهد مي تواند فهرستي از تمامي سرورهاي بازي موجود را بدست آورد و با استفاده از آسيب پذيري انكار سرويس در بازي آن ها اخلال ايجاد كند.
اين دو محقق معتقدند كه آسيب پذيري در اين بازي ها مي تواند در حملات هدفمند عليه سازمان ها و يا افراد خاص مورد سوء استفاده قرار گيرد.

شماره: IRCNE2013051853
تاريخ: 01/03/91

به گزارش مايكروسافت، نويسندگان بدافزار گروگان‌گير Reventon توانسته‌اند ماژول جديدي را به اين بدافزار اضافه كنند كه در شرايطي كه قرباني حاضر به پرداخت پول نيست، از تاكتيك ثبت ضربات صفحه كليد به عنوان يك تاكتيك پشتيبان استفاده نمايد.
اين بدافزار كه با استفاده از كيت بدافزاري Blackhole منتشر مي‌شود، كار خود را با يك قفل صفحه نمايش شروع مي‌كند و به بهانه‌اي جعلي كه معمولاً جريمه پليس براي يك جرم كامپيوتري خيالي است، درخواست پول مي‌نمايد.
اما Reventon در پس‌زمينه يك برنامه سرقت كلمه عبور را دانلود مي‌كند كه سيستم را به دنبال گستره متنوعي از كلمات عبور لاگين‌ها از جمله FTP، بازي‌ها، ايميل، پيام‌هاي فوري و هر كلمه عبوري كه با استفاده از مرورگر ذخيره شده باشد زير و رو مي‌كند.
اما نكته اينجاست كه حتي اگر كاربر راهي براي رهايي از دست گروگان‌گير و عدم پرداخت پول پيدا كند، باز هم جزء پنهان به كار خود ادامه داده و كلمات عبور را سرقت مي‌نمايد و بخش ثبت كننده ضربات صفحه كليد نيز به كار خود ادامه مي‌دهد.
چيزي كه تحقيق مايكروسافت نشان مي‌دهد اين است كه اين نوع خاص Blackhole در ژانويه 2013 تأثيرگذاري قابل توجهي داشته است. اين كيت در همين زمان با استفاده از آسيب‌پذيري جاواي CVE-2013-0422 توانست به صدها هزار كامپيوتر ضربه وارد كند.

ID: IRCNE2013051854
Date: 2013-05-22

According to "computerworld", security researchers found serious vulnerabilities in the engines of several popular first-person shooter video games that could allow attackers to compromise their online servers and the computers of players accessing them.
Security researchers Luigi Auriemma and Donato Ferrante from Malta-based security consultancy firm ReVuln found memory corruption and buffer-overflow issues in "CryEngine 3," "Unreal Engine 3," "Hydrogen Engine" and "id Tech 4." These are game engines that are used in video games like "Quake 4," "Crysis 2," "Homefront," "Brink," "Monday Night Combat," "Enemy Territory: Quake Wars", "Sanctum", "Breach," "Nexuiz" and many others.
The vulnerabilities found by the two researchers can be used to launch remote code execution or denial-of-service attacks against game clients and servers by sending maliciously crafted data packets to them.
An attacker could, for example, set up a rogue server for one of the affected games and list it on a master server -- a database of available game servers that gets queried by clients. This would allow him to compromise the computers of any players that join his rogue server by exploiting one of the remote code execution vulnerabilities present in the game engine.
Servers can also be compromised or crashed by sending them malicious packets from a client. If an attacker wants to disrupt a larger community of players, he can obtain a list of available game servers from a master server and crash them at regular intervals by exploiting one of the denial-of-service flaws.
Game vulnerabilities could also be used to compromise the computers of specific individuals or organizations in targeted attacks, the two researchers said.

ID: IRCNE2013051853
Date: 2013-05-22

The developers of the Reveton ransom malware could have added a new module that uses keylogging as a backup tactic in case the victim refuses to pay up, Microsoft has found.
Distributed using the Blackhole Exploit Kit, the malware starts out by throwing up a localised lock screen demanding money on bogus pretences, usually a standard police fine warning for a non-existent computer offence.
In the background, however, Reveton downloads a separate password-stealing component stitched in from an older piece of malware, which scours the system for a wide range of logins; FTP, gaming, email, IM, storage and any passwords stored using the browser are all targeted.
It’s a not a hugely unexpected development but it has one important implication; even if the user finds a way of de-installing the ransom segment of the malware that might not stop the keylogger, which will continue to work.
The innovation could be part opportunistic and part reaction to the increasing success of counter-measures against ransom malware as security vendors finally offer better protection and recovery.
What Microsoft’s research does reveal is that this particular variant of Blackhole was proving hugely effective in January 2013, around the time it started hitting the CVE-2013-0422 Java vulnerability, infecting hundreds of thousands of PCs.

شماره: IRCNE2013051849
تاريخ: 28/02/91

مهاجمان قادر هستند از قفل صفحه نمايش گوشي هوشمند گلكسي نوت II سامسونگ عبور كنند. اين نقص امنيتي به مهاجم اجازه مي‌دهد كه PIN code، كلمات عبور طولاني و حتي ويژگي بازگشايي قفل از طريق بررسي چهره را دور بزند.
هنوز مشخص نيست كه اين نقص امنيتي به اين دستگاه سامسونگ، پلتفورم اندرويد و يا هردو مربوط است. اما به هر حال ممكن است اين نقص محدود به نوت II سامسونگ يا اندرويد 4.1.2 نباشد و كاربران و مديران IT بايد دستگاه‌هاي خود را تست نمايند.
مهاجم مي‌تواند از طريق صفحه نمايش قفل شده، دكمه تماس‌هاي اضطراري را فشار دهد. سپس با فشرده نگاه داشتن دكمه home، صفحه home قفل نشده براي مدت كوتاهي نمايش داده مي‌شود. اين براي مشاهده چيزهايي كه بر روي صفحه home قرار دارند كافي است.
تغيير نرم‌افزار قفل صفحه نمايش نيز درصورتي‌كه همچنان دسترسي به شماره‌گير اضطراري را داشته باشد تأثيري در حل اين مشكل ندارد.
چند هفته پيش نقص امنيتي مشابهي در قفل صفحه نمايش آيفون اپل كه iOS 6.1 را اجراي مي‌كند نيز كشف شده بود. اما برخلاف اپل، هنوز ترميمي براي مشكل گلكسي نوت II عرضه نشده است.

شماره: IRCNE2013051848
تاريخ: 28/02/91

محققان Malwarebytes فريب جديدي را كشف كرده‌اند كه از طريق سرويس پيام فوري مايكروسافت يعني اسكايپ در حال گسترش است.
اين حمله فريبكارانه به‌صورت پيامي از طرف يك كاربر اسكايپ ظاهر مي‌شود كه ادعا مي‌كند كه كاربر قادر است با كليك كردن بر روي لينك موجود در پيغام، نرم‌افزار خود را به اسكايپ Premium ارتقاء دهد.
البته اين فريب اقدام به سرقت اطلاعات حساب كاربر كرده و سپس يك تروجان بانكي شناخته شده را به سيستم وي وارد مي‌كند.
اگرچه اسكايپ و ساير سرويس‌هاي پيام فوري مدت‌ها است كه ابزار مطلوبي براي مجرمان سايبري محسوب مي‌شوند، ولي يك تحليل‌گر بدافزار در Malwarebytes عقيده دارد كه اين حمله خاص غيرمعمول است، چراكه اعتبار قرباني را پيش از ادامه كار بررسي مي‌كند.
وي توضيح داده است كه درصورتي‌كه جزئيات لاگين جعلي يا غلط وارد كنيد، اين بدافزار به كار خود ادامه نمي‌دهد. فقط درصورتي‌كه جزئيات حساب كاربري به‌صورت صحيح وارد شود، صفحه‌اي مشابه صفحه رسمي دانلود اسكايپ به وي نمايش داده مي‌شود كه سعي خواهد كرد يك فايل اجرايي به نام SkypePremiumSetup يا چيزي مشابه آن را نصب نمايد.
يك صفحه popup نمايش داده شده و ادعا مي‌كند كه بسته premium كاربر فعال شده است. اما در حقيقت كامپيوتر قرباني با يك تروجان كه قادر است اطلاعات مالي و بانكي وي را سرقت نمايد آلوده شده است.
علاوه بر اين، اكنون حساب اسكايپ قرباني براي انتشار اين فريب مورد سوء استفاده قرار مي‌گيرد و پيغامي مشابه قبلي براي ليست تماس وي ارسال مي‌شود.

 شماره: IRCNE2013051847
تاريخ: 28/02/91

موزيلا اقدام به عرضه هشت راهنمايي امنيتي همراه با فايرفاكس 21 كرده است. سه مورد از راهنمايي‌هاي امنيتي مزبور حياتي بوده و متعلق به آسيب‌پذيري‌هاي مرتبط با حافظه هستند.
برخي از اين نقايص امنيتي توسط محققان امنيتي گوگل و با استفاده از ابزار متن‌باز Address Sanitizer گزارش شده‌اند.
موزيلا در راهنمايي امنيتي خود نوشت كه يكي از محققان امنيتي گروه امنيتي Google Chrome با استفاده از ابزار Address Sanitizer يك مجموعه از مشكلات استفاده پس از آزادسازي، خواندن خارج از كرانه و نوشتن نامعتبر را كشف كرده است كه در رده‌هاي امنيتي متوسط تا حياتي قرار گرفته‌اند. برخي از اين مشكلات به‌طور بالقوه قابل سوء استفاده هستند و اجازه اجراي كد از راه دور را به مهاجمين مي‌دهند.