IRCNE2011051098
3 May 2011

IDG News Service - The widely publicized hack of Sony's computer networks is worse than previously thought, also affecting 24.6 million Sony Online Entertainment network accounts.
Sony -- which has kept its Sony PlayStation Network offline for nearly two weeks as it investigates a computer intrusion -- took a second gaming network offline on Monday, saying it too appears to have been hacked. It said banking and credit card information belonging to more than 23,000 customers outside the U.S. may have been compromised.
The Sony Online Entertainment network, used for massively multiplayer online games like EverQuest, Star Wars Galaxies and Matrix Online, has been suspended temporarily, Sony said Monday. Add this to the 77 million accounts that may have been compromised last week, and Sony is responsible for one of the largest recorded data breaches.
The entertainment network is separate from the PlayStation Network but both hacks have similar traits, said Mai Hora, a spokeswoman for Sony Computer Entertainment in Tokyo.
In both cases, the stolen data includes customer names, e-mail addresses and hashed versions of their account passwords. That data could be used to spam customers or trick them with phishing e-mails.
Note: Credit card information at PlayStation Network was encrypted.

IRCNE2011051097
3 May 2011

The announcement late Sunday of the death of al-Qaeda leader Osama bin Laden will undoubtedly be one of the most significant news events this year, so malware makers and scammers have quickly latched onto the news that U.S. military forces killed Osama Bin Laden, security researchers said today.
Cybercrooks can trick the search-ranking algorithms of popular search engines by feeding them fake pages to make their sites seem legitimate, increasing the chances that Internet users searching for news land on a site dispensing malware, warned Paul Ducklin, head of technology at IT security firm Sophos, in a post on the company's web site.
Antivirus vendors have spotted multiple threats based on the news, including links that lead to fake security software -- dubbed "rogueware" -- attack code masquerading as plug-ins that users must supposedly download to view video, and attempts to harvest personal information.
Twitter reported that its site carried more than 4,000 messages per second at the beginning and end of Obama's speech. The death of bin Laden, Abottabad, and Navy Seal, the special operations force that killed bin Laden, were among the top topics being discussed on Twitter a couple of hours after Obama's announcement.
Google Trends also reported that "osama bin laden dead" was the hottest search on May 1 in the U.S., followed by some other search items that are related to the death of bin Laden:

• Osama Bin Laden Dead
• Osama Bin Laden Dead 2011
• Osama Bin Laden Dead or Alive
• Islamabad
• Al Qaeda
• Navy Seals
• Obama Address

April 29, 2011
IRCNE2011051095

Computerworld reports that Mozilla on Thursday patched Firefox 4 for the first time, fixing eight flaws, including a major programming oversight that left the browser as vulnerable to attack on Windows 7 as on the 10-year-old Windows XP.
The company also plugged 15 holes in the still-supported Firefox 3.6, and issued its last security update for Firefox 3, which debuted in mid-2008.
Mozilla patched a total of 20 bugs in all versions of Firefox, 17 of them rated "critical," the company's top-most threat warning in its four-step scoring system.
Firefox 4.0.1, the first update to that browser since its March 22 launch, fixed seven critical flaws and one rated "low."
The most important of the bugs was a programming lapse that left Firefox 4 open to less-sophisticated attacks.
"The WebGLES libraries in the Windows version of Firefox were compiled without ASLR protection," stated the advisory labeled MSFA 2011-17. "An attacker who found an exploitable memory corruption flaw could then use these libraries to bypass ASLR on Windows Vista and Windows 7, making the flaw as exploitable on those platforms as it would be on Windows XP or other platforms."
The WebGLES graphics libraries support WebGL, an open-source extension to JavaScript that lets developers render interactive 3-D graphics content.
WebGL is supported in shipping versions of Firefox and Google's Chrome, in a preview build of Opera Software's Opera, and will be backed by Safari in its next upgrade.
The Khronos Group, an industry consortium whose members include Mozilla, Google, Opera and Apple, released the final specification of WebGL 1.0 just last month.
ASLR, or address space layout randomization, is one of the security underpinnings of Windows Vista and Windows 7. It's designed to make it more difficult for attackers to locate addressable memory space that can be used to execute exploits.
"The WebGLES libraries could potentially be used to bypass a security feature of recent Windows versions," Mozilla acknowledged. "WebGL was introduced in Firefox 4; older versions are not affected by these issues."
Mozilla also upgraded older editions of Firefox to 3.6.17 and 3.5.19, noting that the latter was the last security update for the aged browser.
"This is the last planned security and stability release for Firefox 3.5," said Christian Legnitto, who overseas Firefox releases. "All users are encouraged to upgrade to Firefox 4."

شماره: IRCNE2011051095
تاريخ: 12/2/90

موزيلا اولين اصلاحيه خود براي فايرفاكس 4 را منتشر ساخت كه در آن هشت نقص امنيتي اصلاح شده است. از جمله اين نقصها مي توان به يك نقص امنيتي اساسي برنامه نويسي اشاره كرد كه كاربران ويندوز 7 را آنچنان در معرض خطر قرار مي دهد گويي از يك ويندوز XP ده ساله استفاده مي كنند!
اين شركت همچنين 15 آسيب پذيري امنيتي در فايرفاكس 3.6 را برطرف كرده است و آخرين اصلاحيه امنيتي فايرفاكس 3.5 را نيز ارائه كرده است. نسخه 3.5.19 آخرين نسخه اين مرورگر قديمي خواهد بود و موزيلا از اين پس از آن پشتيباني نخواهد كرد.
موزيلا به طور كلي 20 نقص امنيتي را در همه نسخه هاي فايرفاكس برطرف كرده است كه 17 عدد از آنها " بسيار خطرناك" ارزيابي شده اند.
فايرفاكس 4.0.1 اولين به روزرساني اين نسخه از زمان انتشار آن در 22 مارس است كه در آن 7 نقص امنيتي بسيار خطرناك و يك نقص امنيتي با خطر پايين اصلاح شده است.

2011-04-27
IRCNE201104003

ComputerWorld reports that It's been six days and the PlayStation Network is still offline, and now Sony has acknowledged that the problem involved a security breach.
The online multiplayer gaming site, along with Qriocity, Sony's cloud music subscription service, went down last Wednesday and may not be back for another week.
After the outage, Sony told users their sites had been hacked, prompting PlayStation engineers to take them offline to investigate.
Today, the company posted information online admitting that the hack had breached users' account information, including name, address, birth date, purchase history and online ID.
Patrick Seybold, a senior director at Sony, also noted in the blog post that there's no evidence users' credit card information was stolen. However, he added that "out of an abundance of caution," Sony is advising users that their credit card number and expiration date may have been obtained.
"We have discovered that between April 17 and April 19, 2011, certain PlayStation Network and Qriocity service user account information was compromised in connection with an illegal and unauthorized intrusion into our network," the company wrote. "We thank you for your patience as we complete our investigation of this incident, and we regret any inconvenience. Our teams are working around the clock on this, and services will be restored as soon as possible."

شماره: IRCNE2011041094
تاريخ: 07/2/90

شش روز گذشته است و شبكه بازي هاي آنلاين Play Station همچنان آفلاين است و حال سوني تأييد كرده است كه اين مشكل مربوط به نشت داده ها است. اين وب سايت چهارشنبه هفته گذشته از كار افتاده است و ممكن است همچنان براي يك هفته ديگر نيز خارج از دسترس باشد.
امروز سوني اعلام كرد كه حمله مذكور منجر به نشت اطلاعات شده و برخي از اطلاعات كاربران همچون اطلاعات حساب كاربري شامل نام، آدرس، تاريخ تولد، تاريخچه فروش ها و آي دي آنلاين در دست هكرها قرار گرفته است.
يكي از مديران سوني گفته است كه شواهدي مبني بر به سرقت رفتن اطلاعات كارت اعتباري كاربران موجود نيست، اما سوني به صورت غير رسمي از همه كاربران سايت بازي هاي آنلاين play station مي‌خواهد تا احتياطات لازم در اين زمينه را انجام دهند.
طبق گفته هاي سوني بين 17 و 19 آوريل 2011 يك نفوذ غيرقانوني به اين سايت صورت گرفته است و برخي اطلاعات خاص كاربران مورد سرقت واقع شده است.
شركت سوني از كاربران به خاطر صبري كه دارند تشكر كرده و از آنها خواسته است تا به كارشناسان سوني وقت بيشتري براي تكميل تحقيقات دهند.

April 27 2011
IRCNE2011051096

Computerworld reports that Google today patched 27 vulnerabilities in Chrome as it boosted the "stable" build of the browser to version 11 on Windows, Mac and Linux.
The company paid out a record $16,500 in bounties to researchers who reported a majority of the bugs, beating the previous biggest payday by several hundred dollars.
Wednesday's 27-patch update fixed 18 vulnerabilities rated "high," the second-most-severe ranking in Google's scoring; six labeled "medium"; and three pegged as "low."
None of the vulnerabilities was ranked "critical," the category reserved for bugs that may let an attacker escape Chrome's anti-exploit "sandbox." Google has patched three critical bugs so far this year.
Five of the vulnerabilities were identified as "stale pointer" bugs, a term that describes flaws in an application's -- in this case, Chrome's -- memory allocation code. Google has patched numerous stale pointer bugs in the last four months.
Other flaws fixed today could be used by attackers to spoof the contents of the address bar -- a bug that typically gets the attention of phishers and identity thieves -- or to compromise the browser with malicious SVG files.
As is its practice, Google locked its bug tracking database to bar outsiders from viewing the technical details of the just-patched vulnerabilities. The company blocks public access to flaws for weeks or even months to give users time to update.
Today's bounties totaled $16,500, handed out to 11 researchers for finding and reporting 17 of the patched vulnerabilities. Frequent contributor Sergey Glazunov took home $4,000, as did another researcher identified only as "kuzzcc."
So far this year, Google has spent more than $77,000 on bug bounties.
Of the five major browser makers, only Google and Mozilla -- the developer of Firefox -- pay bounties to independent security researchers.
Alongside the security update, Google also moved Chrome's stable channel -- the browser comes in three editions, stable, beta and dev -- to version 11. The upgrade to Chrome 11 came six weeks after Google last refreshed the stable channel to version 10.
Since last summer, Google has been releasing new versions of Chrome approximately every six weeks. Mozilla recently decided to ape that pace. Starting with Firefox 5, now set to ship June 21, it will theoretically put out a new edition at six-to-eight-week intervals.
While Google listed more than 3,700 changes in Chrome 11, the only one it highlighted was the speech input feature.
"Speech input through HTML is one of many new Web technologies in the browser that help make innovative and useful Web applications like Google Translate's speech feature possible," said software engineer Josh Estelle in a Wednesday blog post.
From within Chrome, users can speak into their computer's microphone to translate text into another language through Google Translate.
The combination of Chrome and Google Translate isn't flawless. In several quick tests by Computerworld, the browser and service transcribed most phrases accurately, but in one instance heard "Good morning, sister ship" when the line was actually "Good morning, Mr. Smith."
Chrome 11 can be downloaded for Windows, Mac OS X and Linux from Google's Web site. Users already running the browser will be updated automatically.

شماره: IRCNE2011041093
كشف مشكلات امنيتي در جاوا چيزي است كه اوراكل به شكل روتين و از طريق به روز رساني­هاي امنيتي منظم با آن درگير است. اما مشكلات امنيتي Java.com مساله ديگري است.
محققان امنيتي گروه YGN Ethical Hacker اين هفته در گزارشي عمومي اظهار داشته اند كه Java.com در معرض خطر يك آسيب پذيري تغيير مسير URL دلخواه قرار دارد. YGN اين گزارش را بر روي ليست ايميل عمومي امنيتي Full-Disclosure قرار داده است. اين گروه همچنين براي تاييد ادعاي خود، يك لينك به دموي اثبات اين آسيب پذيري ارائه كرده اند.
به گزارش YGN، اين گروه روز نوزدهم آوريل در مورد اين آسيب پذيري به اوراكل اطلاع رساني كرده است و در روز بيست و سوم آوريل نيز اوراكل در پاسخي ضمن تشكر بابت اين اطلاع رساني، اظهار داشته است كه اين آسيب پذيري را ترميم كرده است.
اوراكل تا اين زمان در اين باره اظهار نظري نكرده است.

شماره: IRCNE2011041092

كمتر از يك هفته پس از تاييد يك نقص امنيتي در Skype براي Android كه باعث نشت اطلاعات كاربران مي­شود، يك به روز رساني فوري براي ترميم اين مشكل عرضه شد.
Skype به مشتريان خود اطلاع داده است كه يك نسخه جديد از Skype براي Android در فروشگاه Android قرار گرفته است كه شامل اصلاحيه اي براي اين آسيب پذيري مي­باشد. اين شركت از كاربران خود خواسته است كه در اولين فرصت ممكن به نسخه 1.0.0.983 به روز رساني نموده و از اطلاعات خود محافظت نمايند. Skype مجوزهاي پايگاه­هاي داده را تغيير داده و به اين ترتيب مشكل را حل كرده است.
اين نقص امنيتي اجازه مي­دهد كه نام كاربري، آدرس ايميل، ليست تماس و لاگ­هاي چت كاربر در معرض افشا قرار گيرند.

مطالب مرتبط:
كاربران Android در معرض خطر آسيب پذيري Skype

شماره: IRCNE2011041091
تاريخ: 28/1/90

شركت سوني پس از 2 روز سكوت بعد، بر رويوبلاگ خود نوشت باوجود تائيد خبر هك شدن، انگشت اتهام خود را به سوي هيچ گروه هكرينگرفت و به طور كلي تنها از يك "نفوذ خارجي" صحبت كرد.
شبكه بازيهاي آنلاين "پلي استيشن" كه حدود 70 ميليون كاربر دارد، توسط گروهي از هكرها مورد حمله قرار گرفته است. عده اي اين هك را كار گروهي به نام هكرهاي بي نام مي دانند. اما اين گروه هر گونه دخالتي در حملات مذكور را رد كرده و گفته است: "اين اولين بار است كه ما دخالتي نداشته ايم."
سوني اطلاعاتي را در مورد اينكه چه زماني اين شبكه به حالت عادي باز مي گردد، در اختيار نگذاشته و اعلام كرده است بدترين خسارتي كه به كاربران رسيده اينست كه از بازيهاي آنلاين محروم شده اند.