Spyware, viruses, & security forum: NEWS - June 15, 2012

"Claim total security for phone, text, email, and more"

Phil Zimmermann and some of the original PGP team have joined up with former US Navy SEALs to build an encrypted communications platform that should be proof against any surveillance.

The company, called Silent Circle, will launch later this year, when $20 a month will buy you encrypted email, text messages, phone calls, and videoconferencing in a package that looks to be strong enough to have the NSA seriously worried. Zimmermann says that surveillance by the state and others has increased vastly over the last few years, and privacy improvement are again needed.

"At the very least I want people, as part of their right in a free society to be able to communicate securely," he said in a promotional video (below). "I should be able to whisper in your ear, even if your ear is a thousand miles away."

The Silent Circle package comes with downloadable applications for smartphones and computers that allows secure communication with other users. A member of the team told El Reg that the encryption architecture was "very, very good," with some of the code coming as a result of seven years of research by team members.

Continued : http://www.theregister.co.uk/2012/06/14/pgp_seal_encrypted_communications/

Also: Phil Zimmermann Returns With Silent Circle Voice and Data Privacy

If the scary email or app notification-and subsequent webpage-is to be believed, you have only a few days to verify your Facebook account or you'll be out of luck. But don't worry, a few days later you will magically get a few more days to verify, and so the scam goes. A Twitter follower with the handle of @chasapple sent us a tip on a app message they received, here's a screenshot of what happens if you clicked the link: [Screenshot]

Notice how target-word-rich this example is, there is scary sounding language about the SOPA ACT (and a few misspelled words and syntax errors, a tip the author probably doesn't speak English as a first language). the call to action is in RED, apparently for added effect. The second thing to note is that the website is definitely NOT facebook.com, but some other domain name, which clearly wouldn't be a host of an official notification with the ability to suspend your account.

Notice also that the Firefox NoScript add-on which I have enabled on my system caught 13 different scripts trying to execute when they page loaded. Along with a mix of ad revenue sites, there were various other scripts as well. Also, both buttons would lead a user to the same link, and potentially set them up for a host of ensuing nastiness no matter which one was chosen.

Continued : http://blog.eset.com/2012/06/14/your-facebook-account-will-be-terminated-again

.. campaign

From the ESET Threat Blog:

News of SMS (text) phishing scams are nothing new to readers of this blog. ESET researcher Cameron Camp recently wrote an article explaining how they work and how to avoid them here on ESET's Threat Blog: SMSmishing (SMS Text Phishing) - how to spot and avoid scams, And just before Valentine's Day, my colleague Stephen Cobb performed a two-part investigation into a Victoria's Secret gift card scam delivered via email.

A Global Enterprise

The scamming continues unabated, and this time electronics retailing giant Best Buy is the target: Within a period of about three hours, both a coworker and myself received identical messages inviting us to visit what appears at a cursory glance to be a Best Buy's web site, but instead belongs to a domain registered through Internet.BS, a shadowy domain registrar registered to do business in the Bahamas, and perhaps best known for its curious relationship to online pharmacies and use of anonymous payment systems favored by Russian cybercriminals. The web site itself is located at a French hosting provider.

Anatomy of a scam: SMS scammer's payoff

So, what is the scam here? Visiting the web site and entering the code takes you to a web site which asks you to enter your email address in a prominently displayed, larger form in the center of the page.

Continued: http://blog.eset.com/2012/06/14/smsmishing-unabated-best-buy-targeted-by-fake-gift-card-campaign

In a move that will patch several loopholes with its iPhone, the newest iteration of Apple's mobile operation system, iOS 6, will come with heightened security, it was revealed at the company's Worldwide Developers Conference (WWDC) this week.

Releasing this fall but currently available in beta, iOS 6 will now request users' explicit permission before allowing third-party applications access to certain information. This includes the phone's contacts list, calendars, reminders and photo library.

The following text can be found in iOS 6's release notes, according to Macrumors.com:

For contact, calendar, and reminder data, your app needs to be prepared to be denied access to these items and to adjust its behavior accordingly. If the user has not yet been prompted to allow access, the returned structure is valid but contains no records. If the user has denied access, the app receives a NULL value or no data. If the user grants permission to the app, the system subsequently notifies the app that it needs to reload or revert the data.

The change comes after several apps on the iPhone were criticized earlier this year for not transferring users' personal data securely.

It was discovered in February that Path, a social network app that allows friends to share photos and messages was uploading its users' address book to a server without their prior authorization. Path eventually rectified the situation by releasing a new version of the app that allowed users to opt in or out of sharing their contacts.

Continued : http://threatpost.com/en_us/blogs/tightened-security-regulated-app-permissions-store-ios-6-061512

The latest release of the Flash Player plugin, version 11.3, is causing frequent crashes in Firefox 13 on Windows. The problem seems to be related to the recently introduced Protection Mode, which is supposed to make the plugin run in a sandbox to isolate it from the rest of the system. The number of users experiencing this problem is now so large that Mozilla and Adobe are both offering differing solutions for a fix.

Many of the crashes appear to be the result of interactions between Flash Player and other plugins, particularly plugins which offer the ability to record Flash video streams. Mozilla specifically mentions a Firefox extension called RealPlayer Browser Record and recommends deactivating this plugin. The Firefox developers have also added this plugin to its blacklist which comprises add-ons known to be insecure or unstable. Firefox automatically disables extensions on this list, but allows users to reactivate them manually.

A further option for remedying the problem is to deactivate Protected Mode. Under Windows 7 or Vista, this requires the addition of the line ProtectedMode=0 to the configuration file mms.cfg. Since Protected Mode is not used under Windows XP, this step is not necessary on that platform. In 64-bit editions of Windows 7 and Vista, mms.cfg is located in <%windir%\syswow64\macromed\flash>; in 32-bit versions the file is located in <%windir%\system32\macromed\flash>. Administrator privileges are required to modify these files. Detailed instructions can be found in Adobe's Protected Mode FAQ.

Continued : http://www.h-online.com/security/news/item/Firefox-13-tripped-up-by-Flash-patch-1619399.html

Additional Information: Flash Player Update Causing Firefox Crashes - For Some

They are just saying the problem with Flash 11.3 in Firefox 13 appears to be worse where Firefox has certain plugins/add-ons, like the RealPlayer Browser Record add-on.

If you are still having problems then do you wish to revert back to an earlier version of Flash?

If so, visit the page below for guidance how to downgrade from Flash 11.3 to Flash 10.3 or 11.2;
http://support.mozilla.org/en-US/kb/flash-113-crashes

I hope that helps.

Mark

From SANS ISC:

We got a lot of responses to yesterday's "fake Verizon" e-mail. This brings (again) up the topic of authenticating e-mail messages. If you are reading this post, you probably already realize that the "From" header, like anything else transmitted in a default email, doesn't do a thing to authenticate an e-mail message. There are a number of technologies that can be deployed to help this.

1 - SMTP over SSL

There are a number of methods to run SMTP and other mail related protocols over SSL (pop, imap...) . SMTP in particular frequently uses the "STARTTLS" protocol which can start an SSL connection "on the fly" if both servers support it. SSL however only protects the connection. The receiving mail server can verify the identity of the sending mail server, and the connection can be encrypted. In most implementations I have seen, the certificate is not verified, and the SSL connection is optional, which significantly reduces the value of this technique, in particular between mail servers. For mail clients sending e-mail to trusted mail servers, SMTPS can be a meaningful control if for example a VPN isn't available. But the main issue is that e-mail is forwarded from server to server, and the sender or recipient have no control if the path the email took was secure.

2 - DKIM

DomainKeys Identified Mail (DKIM) [1] is mostly an anti-spam feature. It will authenticate if a mail server is authorized to send e-mail on a particular domain's behalf. At this point, some major e-mail providers like Yahoo will implement DKIM. However, aside from its limited scope, DKIM suffers from a number of implementation issues. First of all, it is typically not a default component of mail servers, but has to be added on via a patch or additional software packages. Secondly, once implemented, e-mail for a particular domain has to be sent via authorized mail servers. A users working from home may no longer use his or her ISP's mail server, but has to send e-mail via the corporate mail server. In most cases, this is a good thing, but it can be difficult to implement. The neat part about DKIM is that keys are distributed via DNS, and that validation is done on the server without user involvement. Of course, the use of DNS also requires a secure DNS infrastructure.

Continued : https://isc.sans.edu/diary.html?storyid=13486