May 11, 2008
Andre Yee
Andre Yee's Security Insider
An open dialogue about security and compliance for the enterprise.


April 08, 2008
Beware the Tax Scamming Emails

It's tax season, and if that's not enough to get you down, here's something to get your attention. A slew of scam emails are circulating, purporting to be from the IRS. These emails are targeted at companies and ask for additional tax-related information.

This warning comes to us from Sunbelt Software, whose CFO received one of the scam emails. The emails are realistic, carrying a certain believability. A screensaver file disguised as a tax refund PDF (tax_refund_scr) is attached to the email. When the user opens it, a PDF appears to open, but unbeknownst to the user malware is also installed that steals financial and confidential data.

Check it out here at the Sunbelt Software Blog.
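The lure described above works because a Windows screensaver (.scr) is a PE executable that Windows happily runs when double-clicked, while the name suggests a harmless PDF. The following is an added example, not code from the original post or from Sunbelt Software, of the kind of attachment screening a mail gateway or helpdesk script can do: it compares a file's claimed extension against its leading "magic" bytes and flags executable or double extensions. The sample attachments and the extension list are constructed for the example.

```python
"""Attachment screening: flag files whose name or content suggests a
disguised executable, as in the tax-refund screensaver lure above.
Added example; the sample files below are constructed, not real malware."""
from __future__ import annotations

# Extensions Windows runs as a program on double-click (assumption: a
# representative list, not an exhaustive one).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# Extensions people expect to be plain documents.
DOCUMENT_EXTS = {"pdf", "doc", "xls", "txt"}

# Leading bytes that identify the real content type, checked in order.
MAGIC = [
    (b"MZ", "pe"),          # Windows PE header: .exe, .scr and .dll all start this way
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]


def sniff_type(data: bytes) -> str:
    """Return the content type implied by the first bytes, or 'unknown'."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def extensions(filename: str) -> list[str]:
    """All dot-separated extensions after the base name, lower-cased."""
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    return base.split(".")[1:]


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings: list[str] = []
    exts = extensions(filename)
    final = exts[-1] if exts else ""
    kind = sniff_type(data)

    if final in EXECUTABLE_EXTS:
        findings.append(f"runs as a program on Windows (.{final})")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"document-style double extension (.{exts[-2]}.{final})")
    if kind == "pe" and final not in EXECUTABLE_EXTS:
        findings.append("PE executable header (MZ) under a non-executable extension")
    if final == "pdf" and kind != "pdf":
        findings.append(f"claims .pdf but content sniffed as {kind}")
    return findings


# Constructed sample attachments: name -> first bytes of the file.
SAMPLES = {
    "tax_refund.pdf.scr": b"MZ\x90\x00\x03\x00" + b"\x00" * 58,   # screensaver posing as a PDF
    "refund_notice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",         # a genuine-looking PDF
    "statement.pdf": b"MZ\x90\x00" + b"\x00" * 60,                # executable renamed to .pdf
    "notes.txt": b"meeting moved to 3pm\n",                       # harmless text
}


def screen_all(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Screen every sample and return only those with findings."""
    return {name: f for name, data in samples.items() if (f := assess_attachment(name, data))}


if __name__ == "__main__":
    for name, findings in screen_all(SAMPLES).items():
        print(name)
        for f in findings:
            print("   -", f)
```

Screening on content rather than on the displayed name matters because Windows hides known extensions by default, so "tax_refund.pdf.scr" shows up as "tax_refund.pdf"; a gateway that only blocks by extension also misses an executable renamed outright to .pdf, which the MZ check catches.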


Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

November 09, 2007
Electronic Jihad?

Apparently, two weeks ago Al Qaeda called for an "Electronic Jihad" to commence on Nov 11.

In a special Internet announcement in Arabic, picked up by DEBKAfile's counter-terror sources, Osama bin Laden's followers announced Monday, Oct. 29, the launching of Electronic Jihad. On Sunday, Nov. 11, al Qaeda's electronic experts will start attacking Western, Jewish, Israeli, Muslim apostate and Shiite Web sites. On Day One, they will test their skills against 15 targeted sites and expand the operation from day to day thereafter until hundreds of thousands of Islamist hackers are in action against untold numbers of anti-Muslim sites.

Can you say - "bring it on"? Nah... I don't know if this is legit but either way, I don't anticipate it'll actually register with anyone.

If you're interested, read the entire Debka.com report here.

(HT: Bruce Schneier)

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

October 24, 2007
Adobe Fixes Vulnerability But Problems Persist in the Wild

On Monday, Adobe released a patch for a vulnerability in its Adobe Reader software (v 8.1 or earlier, v. 7.0.9 or earlier) exposed by U.K.-based researcher Petko Petkov. The vulnerability allows malicious PDF files to take over Windows machines, disable security controls and download additional malware.

Although the patch was issued on Monday, problems persist in the wild, since many users don't remember to update their Adobe Reader software regularly (guilty as charged!). Symantec has identified the threat as Trojan.Pidief.A. The rogue PDF document is attached to spammed e-mail and arrives with a filename such as YOUR_BILL.pdf or INVOICE.pdf, said Symantec.

Here are a few suggestions from Symantec to protect yourself:

- Apply the Adobe-issued patches.
- Block the delivery of PDF files in email.
- Issue an advisory to employees to avoid reading or executing PDF files from unknown or untrusted sources.
- Block access to the network and IP address involved in this attack.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

July 25, 2007
Is the iPhone Secure Enough For You?

Peter Schooff beat me to this post but... hey, it's summer and I'm moving slow.

Independent Security Evaluators, a security consulting group headed up by security expert Avi Rubin, reported on a number of iPhone vulnerabilities. Exploiting the more serious of these may result in the following:

- Placed phone calls redirected to phone numbers designated by the attacker.
- A continuous loop of call attempts, where turning off the phone is the only recourse.
- Tracking of personal info, including calls placed by the user.
- Preventing the phone from dialing out.

You can read the full report here.

The commercials say "it's not just a version of the Internet...it's the Internet". Well, now we know it comes with vulnerabilities as well...just like the Internet experience we know and love.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

May 01, 2007
Google Sponsored Links - Open Door to Malware Site?

The Exploit Prevention Lab blog reports on how hackers are using Google sponsored links to infect machines with a variant of the MDAC exploit. Here's how it works -

Popular Google searches like "Better Business Bureau" will turn up a rogue link leading to a malicious site. In the case of the "Better Business Bureau" search, the query actually turned up the rogue link as the #1 sponsored site. However, before taking you to the BBB site, it actually sends you to smarttrack.org, which sounds innocuous enough...except that it's not.

Smarttrack.org uses a variant of the MDAC exploit to install a backdoor and a post-logger on your system. The post-logger targets the websites of top banks around the world with a phishing attack to entice online banking customers to unintentionally reveal vital information. What makes this both a clever and insidious use of Google links is that most browsers do not show a preview address for Google sponsored links (the way they do for most other links), so the detour through smarttrack.org is invisible before you click.

And one other thing - Google suspended the accounts of the malicious sponsored links. Thought I should mention that. If you want to read the latest on this, here is a report with Google's response to this.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

February 02, 2007
Attack on SuperBowl Site

Just in time for SuperBowl Sunday, Websense reports that the website of Dolphin Stadium, the site of the SuperBowl, has been infected with trojan malware. Visitors to the site will inadvertently trigger the execution of malicious JavaScript, which downloads a keylogger onto compromised Windows machines.

Obviously, attackers are taking advantage of the high degree of traffic generated by Superbowl interest. Until further notice, it's probably advisable to avoid the site.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

January 11, 2007
Adobe's Flaw Exposed

A number of security experts have recently reported on a major flaw in the Web browser plug-in for Adobe's Acrobat Reader program. The problem was first discovered by researchers Stefano Di Paola and Giorgio Fedon, who presented a paper on security issues related to Web 2.0 technologies such as AJAX (Asynchronous JavaScript and XML).

The issue centers around how the Adobe Reader browser plugin can be made to execute JavaScript code on the client side. This code can then be the trigger for any number of malicious activities. A well-written, detailed explanation plus code is available here at GnuCitizen.

The use of JavaScript in cross-site scripting is raising numerous headaches for security managers, especially with phishing attempts. By taking advantage of cross-site scripting vulnerabilities, an attacker may launch malicious code referencing a URL that points to a carefully constructed phishing Web page. So, for instance, when you're downloading a PDF report at your online broker's webpage, the attacker could launch a script that throws up what looks like an official, legitimate request to validate your account number and password. That, my friends, is what makes this so scary. The self-righteous among us may have sneered in disdain at friends and family who fall for unsophisticated phishing attempts. But this ability to perform highly contextualized phishing will fool any of us.

While you ponder the possibility of that exposure, make sure you do this: download Acrobat 8.0, which fixes the vulnerability.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

January 06, 2007
Internet Explorer Unsafe for Most of 2006?

The Washington Post's Brian Krebs makes the claim that for 284 days in 2006 there were IE-related exploits "in the wild" for which no patches were available:

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users"

Does this surprise you? It shouldn't...and it's not all Microsoft's fault either. It's the very nature of the world we live in today where vulnerabilities are discovered and exploits are released weekly. Microsoft just happens to have more software deployed than any other vendor so they're exposed a little more.

A couple of other points -

First, the situation in reality is worse than the 284 days of exposure because most organizations cannot or will not keep up with patching. When you consider databases, application server software and ERP systems on top of the Microsoft OS desktop software, we are reaching a point where patching as a proactive solution to security exploits is hitting a critical juncture. The rate of known vulnerabilities and exploits is reaching a level where, to keep up, a security manager would have to patch almost every day.

Second, since patching is not a seamless exercise in the life of an enterprise IT organization, most companies patch at fixed intervals, sometimes monthly or even less often. Mucho exposure. If you ever wonder why you need an IPS system, this "patch gap" window is exactly why. You need to be protected until you get your systems patched...and by then the patch gap window has moved on to the next vulnerability.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

December 05, 2006
MySpace Worm on the Loose

In the past, we've discussed how better Windows security, coupled with the emergence of Web 2.0 applications, will lead hackers to new targets. All the major online entities from Google to eBay have been exploited in some form or other over the past 18 months. Now MySpace has been hit with a worm that uses QuickTime to infect and proliferate.

The exploit takes advantage of a vulnerability in MySpace and QuickTime's support for JavaScript. Upon playing the malicious video, the unsuspecting MySpace user will find the links on his/her profile altered and replaced with links to phishing Web sites. As others visit the infected profile, their profiles are changed in turn, the malicious video is embedded there as well, and the problem proliferates. The goal of this attack is to drive more visits to these MySpace phishing sites, where users are tricked into entering their passwords. Should a user succumb, one outcome is that the MySpace account will be used to send pornographic spam.

This won't abate; expect more of the same as hackers broaden their scope from Windows and focus on the new crop of Web 2.0 platforms.

For anyone interested, technical details on the attack are available here.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

October 10, 2006
Google Blog Hacked.

Apparently, this past weekend someone hacked into the Google Blog and posted a fake message about the discontinuation of the AdWords click-to-call test. No particular harm done, but it highlights how, as online services like blogs, wikis, online auctions, etc. become more prominent, attacks will quickly follow.

Take heed Google, eBay, Yahoo...hackers are getting bored with Microsoft and coming your way.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

September 27, 2006
Microsoft Gets Fix Out Ahead of Patch Tuesday

A vulnerability associated with the Vector Markup Language (VML) was first discovered around September 19th. It was first noticed when shady pornography websites were found using it to load large amounts of adware onto visitors' machines. Read CNet's article, "Porn Sites exploit new IE flaw". The specifics of the vulnerability concern vgx.dll, a component of the VML subsystem.

Since then, Microsoft has apparently seen enough to warrant breaking its usual practice of pushing out fixes only on its monthly Patch Tuesday. It released a new fix together with the following comment in its security bulletin MS06-055:
"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
We recommend that customers apply the update immediately."

Microsoft doesn't often break its cycle of monthly Patch Tuesdays but it did this time...perhaps in part due to third party pressure. A number of other groups supplied "unofficial" fixes over a week ago that perhaps forced Microsoft to act. In any case, it was the right thing to do.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)

July 24, 2006
Another Kind of Security Issue for MySpace

MySpace.com, the popular social networking site for teens, has been under the spotlight for its lack of security controls and safety measures to protect teens against predatory adults who might be seeking an easy target...and it has been taking steps to address that:

http://news.com.com/MySpace+reaching+out+to+parents/2009-1041_3-6059679.html

But now comes a warning of a security problem of a different kind, as reported by Brian Krebs on his Washington Post blog: adware is being served up to unsuspecting visitors to MySpace sites.
http://blog.washingtonpost.com/securityfix/2006/07/myspace_ad_served_adware_to_mo.html

That's no isolated incident, either. The prior week, another adware issue with MySpace was reported. Apparently, a developer from Zango, an adware company, had set up fake MySpace profiles to push adware to visitors and presumably ring up adware revenue for them.
http://www.techweb.com/wire/security/190301926

Zango insists that the employee in question acted independently and without its consent, but nonetheless it highlights how MySpace is becoming a target for increasing adware abuse and other security attacks.

Granted, compared to safety policies for the MySpace teen community, adware may seem like just a mild annoyance. However, it's a sign of the kind of IT security risks these unregulated sites pose to unsuspecting visitors, and corporate security managers should take note: your employees surfing sites like MySpace can punch a hole in your enterprise security policies. Today it's mostly adware. The real problem is...you just never know what might be served up next.

Posted by andreyee in Alerts/Warnings | Permalink | Comments (0) | TrackBacks (0)
