Spyware, viruses, & security forum: NEWS - August 27, 2012

Online file-backup and storage service Dropbox has begun offering a two-step authentication feature to help users beef up the security of their accounts. The promised change comes less than a month after the compromise of a Dropbox employee's account exposed many Dropbox user email addresses.

Dropbox users can take advantage of the new security measure by logging in at this link, and then clicking the "Security" tab. Under account sign in, click the link next to "Two-step verification." You'll have the option of getting security code sent to your mobile device, or using one of several mobile apps that leverage the Time-based One-Time Password algorithm. [Screenshot]

If you're already familiar with the Google Authenticator app for Gmail's two-step verification process (available for Android/iPhone/BlackBerry) this is a no-brainer: When prompted, open the app and create a new token, then use the app to scan the bar code on your computer screen. Enter the key generated by the app into your account settings on the site, and you're done. Other supported apps include Amazon AWS MFA (Android) and Authenticator (Windows Phone 7).

Continued : https://krebsonsecurity.com/2012/08/dropbox-now-offers-two-step-authentication/

Related:
Dropbox two-factor authentication available to early adopters
Dropbox Upgrades Security With Two-factor Authentication

Attackers have seized upon a previously unknown security hole in Oracle's ubiquitous Java software to break into vulnerable systems. So far, the attacks exploiting this weakness have been targeted and not widespread, but it appears that the exploit code is now public and is being folded into more widely-available attack tools such as Metasploit and exploit kits like BlackHole.

News of the vulnerability surfaced late last week in a somewhat sparse blog post by FireEye, which said the exploit seemed to work against the latest version of Java 7, which is version 1.7, Update 6. This morning, researchers Andre' M. DiMino & Mila Parkour published additional details on the targeted attacks seen so far, confirming that the zero-day affects Java 7 Update 0 through 6, but does not appear to impact Java 6 and below.

Initial reports indicated that the exploit code worked against all versions of Internet Explorer, Firefox and Opera, but did not work against Google Chrome. But according to Rapid 7, there is a Metasploit module in development that successfully deploys this exploit against Chrome (on at least Windows XP).

Also, there are indications that this exploit will soon be rolled into the BlackHole exploit kit. Contacted via instant message, the curator of the widely-used commercial attack tool confirmed that the now-public exploit code worked nicely, and said he planned to incorporate it into BlackHole as early as today. "The price of such an exploit if it were sold privately would be about $100,000," wrote Paunch, the nickname used by the BlackHole author.

Continued : http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/

Also:
Warning on critical Java hole
Java zero day vulnerability actively used in targeted attacks

Saudi Arabia-based Aramco was attacked earlier this month by malware that targeted some 30,000 workstations. According to the state-owned group which controls all of Saudi Arabia's oil production, things have been cleaned up in short time, and oil production itself was not impacted.

The early August attack gained traction because the malware itself appeared to be created solely for this campaign. It has a Hollywood quality as well, given that 30,000 systems at the world's largest oil production company were hit in a single sweep. Adding to that were the threats made by a group calling themselves the Cutting Sword of Justice warned that they would attack again on Saturday.

If they did launch a second attack, it failed. Most security pundits however are leaning towards the fact that the warning was an empty threat, and subsequent messages (each one unsigned) discussing the attack were simply glory hounds seeking their time in the spotlight. Despite the FUD associated with the story however, Aramco was attacked, and it took them two weeks to clean their network. The initial message on their Web site remains, despite a statement given to the media over the weekend.

Continued : http://www.securityweek.com/saudi-oil-giant-aramco-says-things-are-fine-after-cyber-attack

Related:
World's largest oil producer falls victim to 30K workstation attack
Saudi Aramco Restores Internal Network After Malware Attack

These days, every user is mobile. Laptops, smartphones, tablets, and constant connectivity have unshackled all of us from our desks. And thanks to the ready availability of apps and cloud services that blur the line between consumer and business tools, we're also unshackled from controls over company data. Many IT departments are having a hard time keeping up--mainly because they've failed to adapt as quickly as their users to the new reality.

Most companies have some form of mobile security policy in place. Sixty-two percent of respondents to InformationWeek's 2012 Mobile Security Survey have policies that lets employees use personal mobile devices for work. However, many of these policies are far from fully fleshed out. And often businesses lack the means to monitor mobile use of data across all devices and applications, which limits IT's ability to enforce those policies.

To enable users to get the most out of their mobile technology and protect them in the process, companies must consider several factors, including device selection, data security, device management, net- work security support for mobile devices, and application controls. We spoke with a number of experts on these matters concerning the challenges involved and to get tips on how to develop a solid mobile security program.

Continued : http://www.darkreading.com/security/perimeter-security/240006133/10-tips-for-protecting-mobile-users.html

In compliance with its policies, the Zero Day Initiative (ZDI) has now released five security holes that HP has had more than six months to fix. All of the zero-day holes affect products in HP's enterprise and networking divisions:

• HP LeftHand Virtual SAN
• HP Operations Agent for NonStop
• HP Intelligent Management Center
• HP iNode Management Center
• HP Diagnostics Server

In all five products, remote attackers can exploit programming flaws to inject and execute arbitrary code via specially crafted requests - sometimes even at SYSTEM user level. This is considered the highest threat level. In all five cases, the ZDI informed the company of the problems at the end of 2011. Yet HP failed to release patches for any of these critical security holes - hence the name zero-day, or 0day: customers have no advance notice to prepare for potential attacks that exploit these holes. Also, HP has not yet responded to requests for comment from heise Security, The H's associates in Germany.

Continued : http://www.h-online.com/security/news/item/Five-0days-HP-in-the-security-dock-1676337.html

Federal Courts Order Seizure of Three Website Domains Involved in Distributing Pirated Android Cell Phone Apps

Seizure orders have been executed against three website domain names engaged in the illegal distribution of copies of copyrighted Android cell phone apps, Assistant Attorney General Lanny A. Breuer of the Department of Justice's Criminal Division, U.S. Attorney Sally Quillian Yates of the Northern District of Georgia, and Special Agent in Charge Brian D. Lamkin of the FBI's Atlanta Field Office announced today.

The department said that this is the first time website domains involving cell phone app marketplaces have been seized.

The seizures are the result of a comprehensive enforcement action taken to prevent the infringement of copyrighted mobile device apps. The operation was coordinated with international law enforcement, including Dutch and French law enforcement officials.

The three seized domain names—applanet.net, appbucket.net, and snappzmarket.com—are in the custody of the federal government. Visitors to the sites will now find a seizure banner that notifies them that the domain name has been seized by federal authorities and educates them that willful copyright infringement is a federal crime.

"Cracking down on piracy of copyrighted works—including popular apps—is a top priority of the Criminal Division," said Assistant Attorney General Breuer.

Continued : http://www.infosecisland.com/blogview/22283-Three-Domains-Seized-for-Distributing-Pirated-Android-Apps.html

Source: http://www.fbi.gov/atlanta/press-releases/2012/federal-courts-order-seizure-of-three-website-domains-involved-in-distributing-pirated-android-cell-phone-apps