ID: IRCNE2012111668
Date: 2012-11-06

According to “CNet”, Facebook disabled a loophole that might have allowed some accounts to be accessed without a password.
The vulnerability, which was posted to Hacker News on Friday, could potentially have allowed an unauthorized user to access another person's Facebook account.
The flaw centered on e-mails sent out by the social network which contained links that, once clicked, would log a user straight into a Facebook account without the need for any secondary authentication, such as entering a password. The e-mails could be discovered through a simple Google search query, with 1.3 million accounts potentially open to the flaw, according to Hacker News.
As well as bringing up the links that could expose Facebook accounts to unauthorized logins, the search query also showed the e-mail addresses associated with accounts.
The search query that found the links -- which were only temporary and set to expire once the intended user clicked on them -- has since been disabled by Google and no longer displays any results.
Facebook engineer Matt Jones said on Hacker News that Facebook does not share the links. "We only send these URLs to the e-mail address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account."
"For a search engine to come across these links, the content of the e-mails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out -- or people whose e-mail addresses go to email lists with online archives)," he added.
Most of the links in the search results would already have expired, and Facebook has since disabled the feature for the time being, the engineer said.
"Regardless, due to some of these links being disclosed, we've turned the feature off until we can better ensure its security for users whose e-mail contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow."

ID: IRCNE2012111667
Date: 2012-11-06

According to "computerworld", a researcher at North Carolina State University has uncovered a vulnerability that could be exploited to send deceptive text messages from some Android devices, as part of a phishing scheme.
Particularly worrisome is the fact that the vulnerability doesn't need any elevated app permissions in order to function, said NCSU computer science professor Xuxian Jiang.
"The vulnerability allows a running [untrusted] app on the phone to fake an incoming SMS text message with arbitrary content, including the text message itself as well as the 'sending' phone number, which can be your friend in the contact list or simply your trusted banks," Jiang said in an email to Network World.
The flaw is apparently present in the Android Open-Source Project, and some versions of the software ranging from 1.6 (Donut) to 4.1 (Jelly Bean) are vulnerable. Jiang said that his team has been able to exploit it on the Samsung's Galaxy Nexus, Nexus S and Galaxy S III, HTC's One X and Inspire, and the Xiaomi MI-One.
Jiang praised Google for reacting quickly, confirming the presence of the vulnerability within two days of receiving the team's report. In the email, he expressed hope that a rapid patch would be forthcoming.
Jiang did not provide full technical details of the flaw, citing responsible disclosure issues, although he did describe the vulnerability as difficult to detect but easy to exploit, once found.

شماره: IRCNE2012111666
تاريخ: 15/08/91

شركت فرانسوي Vupen كه تخصص ويژه‌اي در كشف آسيب‌پذيري‌هاي موجود در نرم‌افزارهاي مشهور از شركت‌هايي مانند مايكروسافت، ادوب، اپل و اوراكل دارد، در پيغامي در توئيتر يك آسيب‌پذيري جديد در ويندوز 8 را به فروش گذاشته است.
اين شركت آسيب‌پذيري‌ها را به دولت‌ها و شركت‌ها مي‌فروشد، ولي جزئيات را با توليد كنندگان نرم‌افزار تحت تأثير به اشتراك نمي‌گذارد. به عقيده اين شركت، اين اطلاعات به سازمان‌ها كمك مي‌كند كه از خود در برابر هكرها محافظت نمايند.
Vupen مشكلي را جايي در سيستم عامل جديد مايكروسافت يعني ويندوز 8 و مرورگر IE 10 كشف كرده است. اين نقص امنيتي به‌طور عمومي افشا نشده و اصلاح نيز نشده است.
اين كشف Vupen يكي از نخستين مسائل امنيتي ويندوز 8 (كه تنها چند روز از عرضه آن مي‌گذرد) و IE 10 است.
پيغام Vupen در توئيتر نشان مي‌دهد كه اين آسيب‌پذيري به هكر اجازه مي‌دهد كه تكنولوژي‌هاي امنيتي موجود در ويندوز 8 از جمله ASLR و DEP را دور بزند. اين شركت همچنين خاطر نشان كرده است كه اين آسيب‌پذيري با مشكلي در برنامه فلش مرتبط نيست.

شماره: IRCNE2012111665
تاريخ: 15/08/91

بر اساس تحقيقاتي كه اخيرا به انجام رسيده است، يك چهارم بيش از 400 هزار برنامه اندرويد بررسي شده در فروشگاه Google Play، داراي خطرهاي امنيتي براي كاربران دستگاه‌هاي موبايل هستند.
شركت امنيتي Bit9 اين برنامه‌هاي اندرويد را تحت عنوان برنامه‌هاي «سوال برانگيز» يا برنامه‌هاي مشكوك رده‌بندي كرده است، چرا كه مي‌توانند پس از دريافت مجوز از كاربر، به اطلاعات شخصي وي دسترسي پيدا كرده و به جمع‌آوري داده‌هاي GPS، تماس‌هاي تلفني يا شماره‌هاي تلفن و اطلاعات ديگري بپردازند. به گفته يك مدير Bit9، كاربر مجبور است براي اينكه اين برنامه‌ها كار كنند، به آنها مجوز دسترسي به داده‌هاي خود را بدهد. به طور خاص بازي‌ها، برنامه‌هاي سرگرمي و وال‌پيپرها، برنامه‌هايي هستند كه به نظر مي‌رسد قصد جمع‌آوري داده‌ها را دارند، اگرچه كاركرد آنها ارتباط چنداني با اين داده‌ها ندارد.
Bit9 تأكيد مي‌كند كه اين بدان معنا نيست كه اين برنامه‌ها بدافزار هستند، ولي مي‌توانند درصورت سوء استفاده، خرابي قابل توجهي به بار آورند.
گفته مي‌شود كه حدود 600 هزار برنامه در Google Play وجود دارد و Bit9 در حال تهيه يك پايگاه داده «اعتبار» از اين برنامه‌هاي اندرويد است. اين شركت قصد دارد همين كار را در مورد ساير فروشگاه‌هاي برنامه‌ها از جمله فروشگاه‌هاي اپل و آمازون نيز انجام دهد تا بتواند برنامه‌هاي امنيتي موبايل را به شكلي توليد نمايد كه از كاربران بر اساس نمره خطر برنامه‌ها محافظت نمايند.
روش‌هاي مبتني بر اعتبار براي محافظت از كاربران وب بسيار معمول هستند، و اكنون همين كار در مورد كاربران موبايل صورت مي‌گيرد.
Bit9 اين برنامه‌هاي «سوال برانگيز» يا «مشكوك» كشف شده در Google Play را به شكل زير دسته‌بندي كرده است:

• 42% به داده‌هاي موقعيت GPS دسترسي پيدا مي‌كنند و اين برنامه‌ها شامل wallpaper ها، بازي‌ها و برنامه‌هاي سودمند مي‌گردند.
• 31% به تماس‌هاي تلفني يا شماره‌هاي تلفن دسترسي پيدا مي‌كنند.
• 26% به داده‌هاي شخصي مانند ليست‌هاي تماس و ايميل دسترسي پيدا مي‌كنند.
• 9% از مجوزهايي استفاده مي‌كنند كه مي‌توانند براي كاربر هزينه مالي در پي داشته باشند.

Bit9 در اين گزارش، روش خود را براي جستجو در Google Play براي جمع‌آوري اطلاعات در مورد 412 هزار برنامه موبايل شرح داده است.
به گفته Bit9، از ميان 412222 برنامه اندرويد بررسي شده در Google Play، بيش از 290 هزار برنامه حداقل به يك مجوز با خطر بالا، 86 هزار برنامه به 5 مجوز يا بيشتر و 8 هزار برنامه به 10 مجوز يا بيشتر دسترسي پيدا مي‌كنند.

شماره: IRCNE2012111664
تاريخ:15/08/91

بسياري از سرورهاي وب آپاچي از جمله آن هايي كه ميزبان برخي وب سايت هاي محبوب مي باشند، اطلاعاتي درباره ساختار داخلي سايت هايي كه ميزباني مي كنند، آدرس هاي IP بازديدكنندگان، منابعي كه كاربر به آن ها دسترسي دارد و ساير جزئيات حساس بالقوه را افشاء مي كنند زيرا صفحات وضعيت آن ها محافظت نمي شوند.
ماژول mod_status آپاچي يك صفحه "server status" را توليد مي كند كه حاوي اطلاعاتي درباره CPU سرور و بار حافظه و هم چنين جزئياتي درباره درخواست هاي كاربران شامل مسيرهاي فايل هاي داخلي و آدرس هاي IP مي باشد.
Daniel Cid، مدير شركت امنيتي Sucuri گفت: از آن جايي كه اين صفحات مي توانند منابع ارزشمندي براي مديران سرور باشند، افشاي اطلاعات آن مي تواند به هكرها كمك كند تا براي حملات خود بهتر برنامه ريزي نمايند.
محققان Sucuri آزمايشي را انجام دادند كه بيش از 10 ميليون وب سايت را در بر مي گرفت و دريافتند كه 100 وب سايت، صفحات وضعيت سرور را افشاء كرده اند. فهرست وب سايت هاي آلوده شده شامل php.net، metacafe.com، disney.go.com، staples.com، nba.com، cisco.com، ford.com، apache.org و وب سايت هاي ديگر مي باشد. پس از گزارش Sucuri برخي از آن ها اين مشكل را برطرف كردند اما برخي ديگر هنوز اين مشكل را برطرف نكردند.
در نگاه اول، راه حل ساده به نظر مي رسد: به منظور محدود كردن دسترسي به مسير /server-status، دستورالعمل هاي كنترل دسترسي را به فايل پيكربندي سرور اضافه كرده و تنها به آدرس هاي IP اجازه دسترسي داده كه نياز به دسترسي به اين صفحات را دارند. با اين حال مديران سرور بايد پيكربندي كل زيرساخت وب را در نظر بگيرند زيرا ممكن است در برخي از موارد دستورالعمل هاي كنترل دسترسي آپاچي سهوا ناديده گرفته شوند.
شركت هاي بزرگ بايد سرورهاي ذخيره سازي وب را راه اندازي نمايند. هرچند در اينگونه مواقع اگر قوانين كنترل دسترسي آپاچي براي /server-status به كل IP هاي شبكه داخلي اجازه دسترسي دهد، همان مشكل اتفاق خواهد افتاد.

شماره: IRCNE2012111663
تاريخ:15/08/91

برخي از مرورگرهاي وب با استفاده از پسوندهاي به اصطلاح مخرب مورد سوء استفاده قرار مي گيرند. هكرها با استفاده از اين پسوندهاي مخرب مي توانند نشست هاي كاربر را ارتباط ربايي نمايند، فايل هايي را آپلود يا دانلود نمايند و محيط هاي دستگاه هاي جديد تلفن همراه را هك نمايند.
هفته گذشته Zoltan Balazs، مشاور امنيت فناوري اطلاعات در Deloitte مجارستان در كنفرانس Hacker Halted در ميامي درباره موضوعي با عنوان "zombie browsers" سخنراني كرد. او گفت: تا يك سال پيش تنها 10 مورد از پسوندهاي مخرب مرورگر شناسايي شده بودند اما امسال و در حال حاضر 49 مورد از اين پسوندهاي مخرب وجود دارند. او اشاره كرد كه اين پسوندها به سرعت در حال افزايش هستند و توليدكنندگان آنتي ويروس را مقصر دانست. او گفت: هيچ يك از توليد كنندگان آنتي ويروس اين پسوندها را شناسايي نكرده اند و از اين شركت ها درخواست كرد كه براي شناسايي پسوندهاي مخرب بيشتر تلاش كنند.
در اين كنفرانس Balazs توضيح داد كه اين پسوندهاي مخرب چگونه در مرورگرهاي كروم، سافاري و فايرفاكس توسط هكرها ايجاد مي شود. او گفت: هكرها سعي مي كنند تا اين پسوندها را از طريق حملات drive-by downloads مبتني بر وب يا ضميمه هاي آلوده به مرورگرهاي كاربر اضافه نمايند. در نتيجه مي توانند اطلاعات سيستم ها را سرقت نمايند.
Balazs اظهار داشت: تنظيم كردن كنترل ها در برنامه هاي كاربردي مي تواند موثر باشد، به علاوه در كروم اين امكان وجود دارد كه بتوان پسوندهايي كه كاربر استفاده مي كند را كنترل نمود.

ID: IRCNE2012111666
Date: 2012-11-05

"Our first 0day for Win8+IE10 with HiASLR/AntiROP/DEP & Prot Mode sandbox bypass (Flash not needed)." that is part of a recent message on Twitter from Vupen, a French company that specialises in finding vulnerabilities in widely used software from companies such as Microsoft, Adobe, Apple and Oracle.
According to “TechWorld”, Vupen occupies a gray area of computer security research, selling vulnerabilities to vetted parties in governments and companies but not sharing the details with affected software vendors. The company advocates that its information helps organisations defend themselves from hackers, and in some cases, play offense as well.
Vupen has found a problem somewhere in Microsoft's new Windows 8 operating system and its Internet Explorer 10 browser. The flaw has not been publicly disclosed or fixed by the company yet.
Vupen's finding is one of the first issues for Windows 8, released last week, and Internet Explorer 10, although vulnerabilities have since been found in other third-party software that runs on the Windows 8.
Vupen's Twitter message, written on Wednesday, implies the vulnerability would allow a hacker to bypass security technologies contained within Windows 8, including high-entropy Address Space Layout Randomisation (ASLR), anti-Return Oriented Programming and DEP (data execution prevention) measures. The company also indicates it is not dependent on a problem with Adobe System's Flash multimedia program.

ID: IRCNE2012111665
Date: 2012-11-05

According to “TechWorld”, one-quarter of more than 400,000 Android apps examined in the Google Play store pose security risks to mobile-device users, according to new research.
Security vendor Bit9 categorised these Android apps as "questionable" or "suspicious" because they could gain access to personal information to collect GPS data, phone calls or phone numbers and much more after the user granted "permission" to the app. "You have to say 'yes' to the application or it won't run," pointed out Harry Sverdlove, Bit9 CTO. Games, entertainment and wallpaper apps especially seem to want to grab data, even though their functions would seem to have little direct use for it.
Bit9 notes this doesn't mean these apps are malware, but they could do damage if compromised because the user has granted so much permission.
There are said to be about 600,000 apps in Google Play, and Sverdlove says Bit9 is now compiling a "reputation" database of Android apps. The firm is also going to move on to other app stores, including those from Apple and Amazon, in order to create mobile security products that can protect users based on risk-scoring of apps.
Reputation-based approaches have become commonly used throughout the security industry for protecting Web users, for example, against malware-infested sites, and now there's interest in applying similar ideas to analyzing risk associated with mobile apps.
Broken down, Bit9 categorised these "questionable" and "suspicious" apps it found in Google Play this way:

• 42 percent access GPS location data, and these include wallpapers, games and utilities
• 31 percent access phone calls or phone numbers
• 26 percent access personal data, such as contacts and email
• 9 percent use permissions that can cost the user money

In its report, Bit9 describes its methodology as crawling Google Play to collect detailed information about 412,000 mobile apps.
Of the 412,222 Android apps evaluated from Google Play, Bit9 says more than 290,000 of them access at least one high-risk permission, 86,000 access five or more and 8,000 apps access 10 or more permissions "flagged as potentially dangerous."

ID: IRCNE2012111664
Date: 2012-11-05

According to "techworld", many Apache web servers, including those hosting some popular websites, expose information about the internal structure of the sites they host, the IP (Internet Protocol) addresses of their visitors, the resources users access and other potentially sensitive details because their status pages are left unprotected.
The Apache mod_status module generates a "server status" page that contains information about the server's CPU and memory load, as well as details about active user requests, including paths to various internal files and IP addresses.
While this page can be a valuable resource for server administrators, the information it exposes can help hackers better plan their attacks, said Daniel Cid, chief technology officer of web security firm Sucuri.
Sucuri researchers ran a test that involved crawling over 10 million websites and found hundreds of them that expose their server status pages to the whole world. The list of affected websites includes php.net, metacafe.com, disney.go.com, staples.com, nba.com, cisco.com, ford.com, apache.org and many others. Some of them have fixed the problem since Sucuri's report, but many haven't.
At first glance, the solution is simple: add access control directives in the server configuration file in order to restrict access to the /server-status path and only allow access to IP addresses that need to have access to the page.
However, server administrators need to consider the configuration of their whole web infrastructure, because there are some scenarios in which the Apache access control directives could be inadvertently bypassed.
Larger companies might run dedicated web caching servers. However, even in those cases, if the Apache access control rules for /server-status allow access to the whole IP range of the internal network, which includes the caching servers, the same problem would occur.
"You'd have to take extra steps to ensure you didn't expose this," Povey said. "Server-status et al [other server info pages like the one generated by mod_info] is something that is easy to overlook."

ID: IRCNE2012111663
Date: 2012-11-05

According to "computerworld", some Web browsers can be tricked into using so-called malicious extensions that can give hackers the ability to hijack the user's session, spy on webcams, upload and download files, and in the newer mobile-device area, hack into Google Android phones.
Zoltan Balazs, IT security consultant at Deloitte Hungary, spoke about the topic he calls "zombie browsers" during this week's Hacker Halted Conference in Miami. He said up until a year ago, only 10 of these browser malicious extensions were known to exist, but this year has seen 49 new ones already. "It's skyrocketing," Balazs noted, and he faulted the antivirus vendors for allegedly not addressing the issue at all.
"Even after two years, none of the antivirus vendors detect these," he said, saying he's issuing a plea for them "to try harder on detecting malicious extensions."
In his talk, Balazs explained how malicious extensions in Firefox, Chrome and Safari have been created by attackers that try to get them added to the user's browser through Web-based drive-by downloads or infected attachments. The result might be giving the attacker a way to steal data or spy on you, he said.
In terms of advice to companies concerned their user base might fall victim to this, he said setting controls on applications can help, plus in Chrome it's possible to control the extensions the user can use.