Archive for the ‘Alerts!!!’ Category

Critical Adobe Flash Player Update Nixes 25 Flaws

October 8, 2012

Adobe has issued an update for its Flash Player software that fixes at least 25 separate security vulnerabilities in the widely-installed program. The company also pushed out a security patch for its Adobe AIR software.

The chart below shows the newest patch version numbers released today. Updates are available for Windows, Mac, Linux and Android systems. Windows and Mac users can grab the latest updates from the Flash Player Download Center, but be on the lookout for bloatware toolbar add-ons that come pre-checked (like McAfee VirusScan). Other OS users should consult the Adobe security bulletin. Internet Explorer 10 users on Windows 8 can grab the update via Windows Update or from Microsoft’s site.

Note that Windows users who browse the Web with Internet Explorer and another browser will need to apply the Flash update twice, once using IE and again with the other browser.

Most users can find out what version of Flash they have installed by visiting this link. Google released an update to Chrome today (22.0.1229.92) that addresses these vulnerabilities on Windows, Mac and Linux; to find out what version of Chrome you have and if updates are available, click the icon with three lines to the right of the browser address bar and select “About Google Chrome.”

Adobe spokeswoman Wiebke Lips said the company was not aware of any exploits in the wild for any of the issues patched in this release. Nevertheless, if you have Flash on your system (and most readers will) it’s a good idea to take care of this update soon.


Microsoft patches IE zero-day and Flash flaws in IE 10

September 21, 2012

Microsoft has delivered on its promise and has issued a security update for Internet Explorer to address the zero-day memory-corruption vulnerability in versions 9 and earlier that is currently being exploited in attacks.

The update also takes care of four privately disclosed vulnerabilities that are currently not being exploited.

In addition to this, Microsoft has also released an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8 and Windows Server 2012, in order to close two vulnerabilities that could allow remote code execution.

One of them – CVE-2012-1535 – is currently exploited by the Elderwood gang – a hacker group whose activities have been recently exposed by Symantec researchers.

“We recognize there has been some discussion about our update process as it relates to Adobe Flash Player. Microsoft is committed to taking the appropriate actions to help protect our customers and we are working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process,” commented Yunsun Wee, director of Microsoft Trustworthy Computing.

He also announced that with respect to Adobe Flash Player in Internet Explorer 10, users can expect regular updates on a quarterly basis, and additional unscheduled updates if the threat landscape requires it.

“Internet Explorer zero-days have been very rare in recent months. The last IE zero-day was in December of 2010 and it was patched in the February, 2011 patch Tuesday. The good news is that zero days are becoming far less frequent across all Microsoft products,” Andrew Storms, director of security operations for nCircle, commented for Help Net Security.

“Microsoft’s ability to go from advisory to patch release so quickly demonstrates their commitment to providing customers with a secure computing environment. Earlier this year, Microsoft stated that they had enough resources to deliver an IE patch every month if necessary. Those additional resources certainly helped them deliver this patch in record time.”

Users who have not enabled automatic updating are advised to manually check for updates and download and install both of today’s updates as soon as possible.

Security Fix for Critical Java Flaw Released

August 30, 2012

Oracle has issued an urgent update to close a dangerous security hole in its Java software that attackers have been using to deploy malicious software. The patch comes amid revelations that Oracle was notified in April about this vulnerability and a number of other potentially unpatched Java flaws.

The patch fixes a critical flaw in the latest version of Java 7 that is now being widely exploited. Users with vulnerable versions of Java installed can have malware silently planted on their systems just by browsing to a hacked or malicious Web site.

The update brings Java 7 to Update 7, and appears to fix the flaw being exploited and several other security holes. Oracle also released a security update for systems running Java 6, which brings that version to Java 6 Update 35.

Today’s patches are emergency, out-of-schedule updates for Oracle, which previously was not planning to release security updates for Java until October. Although it may appear that Oracle responded swiftly to the discovery of extremely dangerous flaws in its software, Security Explorations — a research firm from Poland — says it alerted Oracle about this vulnerability and 30 others back in April. It’s not yet clear how many of those vulnerabilities were patched in this release.

“We … expected that the most serious of them would be fixed by June 2012 Java CPU,” Security Explorations CEO and founder Adam Gowdiak told The Register’s Neil McAllister. “But it didn’t happen and Oracle left many issues unpatched with plans to address them in the next Java [updates].”

If you don’t need Java, uninstall it from your system. This program is extremely buggy, and Oracle tends to take its time with security updates, behaving as if it didn’t have hundreds of millions of individual users. If you decide later that you do need Java, you can always reinstall the program. If you still want to keep Java, but only need it for specific Web sites, you can still dramatically reduce the risk from Java attacks just by disabling the plugin in your Web browser. In this case, I would suggest updating to the latest version and then adopting a two-browser approach. If you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

For browser-specific instructions on disabling Java, click here. If you’re not sure whether your system has Java installed or which version your computer may have, visit and click the “Do I have Java?” link.

Windows users can grab the update by visiting the Windows Control Panel and clicking the Java icon (or searching for “Java”). From there, select the Update tab and the Update Now button. Note that the updater may auto-select a toolbar like the “Ask Toolbar;” if you don’t want that as well, de-select it before proceeding. Mac and Linux users can get Java 7 Update 7 from this link.

If you plan to keep Java on your system, update it now. The exploit being used in the wild now has been shown to work against Windows, Mac and Linux systems running Java 7 Update versions 1 through 6.

How to Unplug Java from the Browser

August 29, 2012

Below are instructions for unplugging Java from whatever Web browser you may use to surf the Web. These instructions were originally posted as a how-to in response to the constant news of Java exploits.

For Windows users:

Mozilla Firefox: From the main menu select Add-ons, and then disable any plugins with the word “Java” in them. Restart the browser.

Google Chrome: Click the wrench icon in the upper right corner of the browser window, then select Settings. In the search results box to the right in the next screen, type “Java”. A box labeled “Content settings” should be highlighted. Click that, and then scroll down to the Plug-ins section. Click the “Disable individual plug-ins” link, find Java in the list, and click the disable link next to it.

Internet Explorer:

Apparently, getting Java unplugged from Internet Explorer is not straightforward. The U.S. Computer Emergency Readiness Team (US-CERT) lists the following steps, which may or may not completely remove Java from IE:

In the Windows Control panel, open the Java item. Select the “Java” tab and click the “View” button. Uncheck “enabled” for any JRE version listed. Note that this method may not work on Vista or newer systems. As an alternative, you may use one of the following techniques:

Click the start key and type “regedit” in the search box. Double-click the regedit program file when it appears.

– Change the HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0, where <version> is any version of Java on your system (10.6.2, for example).

If you are running a 32-bit version of Java on a 64-bit platform, you should set the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in\<version>\UseJava2IExplorer registry value to 0.

– Run javacpl.exe as administrator, click the “Advanced” tab, select “Microsoft Internet Explorer” in the “Default Java for browsers” section, and press the space bar to uncheck it. This will properly set the above registry value, despite the option being greyed out.

US-CERT has some additional suggestions for removing Java from IE if the above steps do not do the trick. See their advisory for more details.
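The registry steps above have to be repeated for every Java version installed, and for both the native and the Wow6432Node keys on 64-bit Windows. The following PowerShell script is an added example (not from the original post, nor from US-CERT or Oracle) that walks both plug-in keys, reports the current UseJava2IExplorer state for each version, and, only when run with -Apply from an elevated prompt, sets the value to 0. It assumes the value is stored as a DWORD, which is the type the manual steps leave behind.

```powershell
# Added example: audit, and optionally disable, the Java plug-in for Internet
# Explorer by setting UseJava2IExplorer to 0 for every installed Java version.
# Without -Apply the script only reports; with -Apply it needs an elevated prompt.
param([switch]$Apply)

# Both key roots from the text above; the second covers 32-bit Java on 64-bit Windows.
$pluginRoots = @(
    'HKLM:\SOFTWARE\JavaSoft\Java Plug-in',
    'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Plug-in'
)

foreach ($root in $pluginRoots) {
    if (-not (Test-Path -Path $root)) {
        Write-Output "$root : not present"
        continue
    }

    # Each subkey name is one installed Java version (e.g. 10.6.2 in the text above).
    foreach ($versionKey in Get-ChildItem -Path $root) {
        $props   = Get-ItemProperty -Path $versionKey.PSPath
        $current = $props.UseJava2IExplorer

        $state = if ($null -eq $current) { 'value missing' }
                 elseif ($current -eq 0) { 'disabled in IE' }
                 else                    { 'ENABLED in IE' }
        Write-Output ("{0} [{1}] : {2}" -f $root, $versionKey.PSChildName, $state)

        if ($Apply -and $current -ne 0) {
            # DWORD 0 tells the Java plug-in not to load inside Internet Explorer
            # (assumed value type; the manual steps above produce the same setting).
            Set-ItemProperty -Path $versionKey.PSPath -Name 'UseJava2IExplorer' -Value 0 -Type DWord
            Write-Output ("{0} [{1}] : set UseJava2IExplorer to 0" -f $root, $versionKey.PSChildName)
        }
    }
}
```

Run it once without -Apply to see which Java versions still have the plug-in enabled for IE, then again with -Apply to disable them all; re-run afterwards (or check with javacpl.exe as described above) to confirm every version reports “disabled in IE”.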

For Mac users:

Safari: Click Preferences, and then the Security tab (uncheck “Enable Java”).

Google Chrome: Open Preferences, and then type “Java” in the search box. Scroll down to the Plug-ins section, and click the link that says “Disable individual plug-ins.” If you have Java installed, you should see a “disable” link underneath its listing.

Firefox: Click Tools, Add-ons, and disable the Java plugin(s).

Critical Java 0-day flaw exploited in the wild

August 27, 2012

Researchers from security firm FireEye have discovered targeted attacks exploiting a zero-day Java vulnerability to deliver the Poison Ivy RAT onto the unsuspecting victims’ machines.

The vulnerability allows computers to be infected by simply visiting a specially crafted web page, and the malware served in the current attacks contacts a C&C server in Singapore.

The attacks are limited, but it’s only a matter of time until other cyber criminals create their own pages exploiting the flaw.

In the meantime, a module that takes advantage of it has already been added to the Metasploit Framework, and it works against a fully patched Windows 7 SP1 with Java 7 Update 6, Mozilla Firefox on Ubuntu Linux 10.04, Internet Explorer / Mozilla Firefox / Chrome on Windows XP, Internet Explorer / Mozilla Firefox on Windows Vista and Windows 7, and Safari on OS X 10.7.4.

Researchers from heise Security have also created a PoC page using information that is publicly available.

Oracle is yet to comment on the news, and to say whether it will break its scheduled quarterly patch cycle to issue a patch for the flaw.

In the meantime, users are advised either to disable or remove Java for the time being – or for good.

If you’re a Windows user and you have decided to disable Java, go to your Control Panel, select “Java”, and once the “Java Runtime Environment Settings” dialog box appears, select “Java” once again and uncheck the “Enabled” check box. Needless to say, if in the future you need to use Java again, go through the same steps and check the aforementioned check box.

To completely remove Java from your system, go to the Control Panel > Programs > Programs and Features, find Java, select it and press the “Uninstall” button.

New Adobe Flash Player Update Fixes 6 Flaws

August 21, 2012

For the second time in a week, Adobe has shipped a critical security update for its Flash Player software. This patch, part of a planned release, closes at least six security holes in the widely-used browser plugin, and comes just one week after the company rushed out a fix for a flaw that attackers were already exploiting in the wild.

Updates are available for Windows, Mac, Linux and Android platforms. Windows and Mac users will need to update to v. 11.4.402.265 (Linux and Android users should see the advisory for their version numbers). The Flash Player installed with Google Chrome should automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player v. for Windows and Linux, and Flash Player v. 11.4.402.265 for Macintosh. When I composed this post, however, the installation of Chrome on my Mac had not yet updated to the new version Google began pushing out today (a restart of the browser fixed that).

To find out what version of Flash is on your system, browse to this link. The latest version is available at this link, which should auto-detect the version of Flash your browser and operating system needs. Windows users take note: Unless you also want McAfee Security Scan Plus bundled with your Flash update, make sure to uncheck that box before clicking “download now.”

Adobe also has released an update that addresses these vulnerabilities in Adobe AIR. Windows and Mac users will want to update to Adobe AIR. Windows users should be able to tell if they have this program installed and its version number from the Add/Remove Programs section of the Windows Control Panel. Determining the presence of AIR and its version number gets a bit more complicated for Mac users.

Good info on protecting your assets!!!

August 3, 2012

Uptick in Cyber Attacks on Small Businesses

by Brian Krebs

New data suggests that cyber attacks aimed at small businesses have doubled over the past six months, a finding that dovetails with my own reporting on companies that are suffering six-figure losses from sophisticated cyber heists.

According to Symantec, attacks against small businesses rose markedly in the first six months of 2012 compared to the latter half of 2011. In its June intelligence report, the security firm found that 36 percent of all targeted attacks (58 per day) during the last six months were directed at businesses with 250 or fewer employees. That figure was 18 percent at the end of Dec. 2011.

“There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones,” said Paul Wood, a security intelligence manager at Symantec. “It almost seems attackers are diverting their resources directly from the one group to the other.”

I’m seeing the same uptick, and have been hearing from more small business victims than at any time before — often several times per week.

In the second week of July, for example, I spoke with three different small companies that had just been hit by cyberheists (one of the victims asked not to be named, and the other didn’t want their case publicized). On July 10, crooks who’d broken into the computers of a fuel supplier in southern Georgia attempted to transfer $1.67 million out of the company’s accounts. When that failed, they put through a fraudulent payroll batch totaling $317,000, which the victim’s bank allowed.

The bank, First National Bank of Coffee County, managed to claw back an unusually large amount — approximately $260,000. The fuel company hired an outside forensics firm to investigate, and found that the trouble started on July 9, when the firm’s controller clicked a link embedded in an image in an email designed to look as though it was sent by the U.S. Postal Service and alerting the recipient about a wayward parcel. The link in the image loaded content from a site hosting the BlackHole exploit kit, which downloaded the ZeuS Trojan to the controller’s PC.

Interestingly, the fuel company and its bank said one of the money mules that the attackers recruited to help launder the stolen funds turned out to be an employee of Wells Fargo from Alabama. Many money mules are simply not the brightest bulbs, and it is usually difficult to prove that they weren’t scammed as well (because more often than not, the mules end up losing money). But one would think people who work for banks should be at least be aware of these schemes, and held to a higher standard. What’s more, if this mule wasn’t complicit then he probably suspected something wasn’t right, because he had the funds sent to an account he controlled at a local credit union in Birmingham — rather than an account at Wells Fargo.

By the way, this is the second time I’ve encountered a money mule working at a major bank. Last year, I tracked down a woman at PNC Bank in Maryland who was hired by a mule recruitment gang and later helped move nearly $4,500 from a victim business in North Carolina to cybercriminals in Ukraine. She claimed she did not understand what she had done until I contacted her.

Another small business hit during the week of July 9 was Hastings, Neb. based Consolidated Concrete, which lost more than $100,000 in a similar cyber robbery. The company learned it was being robbed when one of the money mules contacted them after receiving a large transfer from Consolidated’s accounts.

“We got a heads up from a guy saying that we’d put money into his account,” said Don Phillips, the controller for the concrete company. “He said he knew something was wrong, Googled us and gave us a call.”

The experience of both the fuel company and Consolidated Concrete is fairly typical, unfortunately. Both companies managed their money online at small, local banks whose principal method for securing commercial accounts is to require a username and password. This is in direct violation of the guidelines issued by regulators at the Federal Financial Institutions Examination Council (FFIEC) last year.

That guidance, issued a year ago and effective as of January 2012, calls for “layered security programs, including methods for detecting transaction anomalies, dual transaction authorization through different access devices, and the use of out-of-band verification for transactions.”

What sort of dual transaction authorization was First National Bank of Coffee County using? Would you believe just a username and password? How about Consolidated’s banks? According to Phillips: A cookie placed on the customer’s computer, and a fax or phone call. The cookie protection fails when — as in the case with Consolidated and every other cyber robbery I’ve written about — the attackers have remote control over the victim’s PC; the bad guys can simply tunnel their connection through the victim’s PC.

“The machine itself has to have a cookie on it to be able to proceed, and usually we get a verification — we usually will ask for some sort of verification, either by fax or phone — of any large transfers,” Phillips said. “We usually set up any [payroll batches] on a PC, print it out, and then fax them a sheet that they verify and fax back to us. But I guess that didn’t happen here.”

The message I have been trying to drive home for small business owners is twofold: By all means, shop around if you can and find a bank that offers and advocates additional layers of security. But the best way to avoid a cyberheist is to not have your computer systems infected in the first place. The trouble is, it’s becoming increasingly difficult to tell when a system is or is not infected. That’s why I advocate the use of a Live CD approach for online banking: That way, even if the underlying hard drive is infected with a remote-access, password stealing Trojan like ZeuS, your online banking session is protected.

Email-Based Malware Attacks

June 22, 2012

Nearly every time I write about a small- to mid-sized business that has lost hundreds of thousands of dollars after falling victim to a malicious software attack, readers want to know how the perpetrators broke through the victim organization’s defenses, and which type of malware paved the way. Normally, victim companies don’t know or disclose that information, so to get a better idea, I’ve put together a profile of the top email-based malware attacks for each day over the past month.

Top malware email attacks in past 30 days. Source: UAB

This data draws from daily reports compiled by the computer forensics and security management students at the University of Alabama at Birmingham. The UAB reports track the top email-based threats from each day, and include information about the spoofed brand or lure, the method of delivering the malware, and links to, which show the percentage of antivirus products that detected the malware as hostile.

As the chart above indicates, attackers are switching the lure or spoofed brand quite often, but popular choices include Amazon.com, the Better Business Bureau, DHL, Facebook, LinkedIn, PayPal, Twitter and Verizon Wireless.

Also noticeable is the lack of antivirus detection on most of these password stealing and remote control Trojans. The average detection rate for these samples was 24.47 percent, while the median detection rate was just 19 percent. This means that if you click a malicious link or open an attachment in one of these emails, there is less than a one-in-five chance your antivirus software will detect it as bad.

According to UAB, about two-thirds of the top email-based malware attacks in the past month have used exploit kits, and most frequently that kit was BlackHole. Exploit kits are made to be sewn into the fabric of hacked or malicious sites, so that visiting Web browsers are checked for close to a dozen outdated plugins; any insecure plugins found can be used to silently install malicious software on the vulnerable machine.

It’s not hard to see why so many small to mid-sized organizations get hit with these attacks. When the malware slips past their antivirus, it is often just a question of whether the organization has someone or something in place that is vigilant about applying security updates for things like Flash, Java, Adobe Reader and a host of other programs that hook into the browser.

This is why I continuously implore small business owners to bank online using only a dedicated system that is carefully maintained and not used for anything other than transacting with the bank’s Web site. For those who don’t have a spare computer handy, a Live CD version of Linux may be the best way to go.

If anyone wants to view the spreadsheet above in a downloadable format, here is a PDF version of it.

Beware of fake Facebook account cancellation emails

May 23, 2012

Fake account cancellation emails are targeting Facebook users and trying to get them infected with information-stealing malware, warns Sophos.

The email looks pretty legitimate at first glance:

While both embedded links point to a Facebook page, it is that of a third-party application running on the Facebook platform.

Users who follow them land there, but are immediately asked to allow a Java applet whose digital signature could not be verified. And even if they answer “No”, the window with the request continues to pop up and pester them.

If they finally agree and run the applet, another window pops up requiring them to download a supposed Adobe Flash update, which is actually the SpyEye Trojan in disguise.

“The social engineering being used by the tricksters behind this malware attack is pretty cunning,” Sophos points out. “They know that people value their Facebook accounts highly, and many would be upset to lose access to them and the digital connections they have built up with friends and family.”

Beware of telephone scammers calling on behalf of Google

May 15, 2012

A new phone scam is underway in which people receive phone calls from callers who state that they are calling on behalf of Google. These callers claim that they received your name and number from the Google Database and that Google has detected that your computer is infected or has a problem. They further claim that they work for Gooseberry Tech, which has a partnership with Google to offer a free remote troubleshooting evaluation of your computer. If you agree to this evaluation, they will have you download TeamViewer and will then use it to take remote control of your computer. They will then proceed to poke around your computer, look at Event Viewer, and check your programs. While doing this they will point out “serious” and “alarming” problems on your computer. When they are done scaring you, they go in for the kill by trying to sell you a one-time fix for $100, or a maintenance contract for $199.

This is not the first time phone scammers have pretended to be from large companies offering free troubleshooting services. In the past, phone scammers called people and stated that they were from Microsoft, which had detected that their computer had a problem. They would then offer to remotely fix the computer for a fee. Eventually Microsoft caught wind of this scam and warned about these scammers on their Windows blog.