Spyware, viruses, & security forum: NEWS - December 28, 2012

.. WordPress Sites

From Bitdefender's "HOTforSecurity" Blog:

A severe bug that allows access to users' password hashes has been discovered in a third-party plugin for the highly popular WordPress content management system. The flaw resides in the W3 Total Cache plugin, an extension that helps high-traffic increase their performance by caching static pages, among others.

According to SecLists poster Jason Donenfield, the W3 Total Cache folder allows directory listings in its default configuration. This allows anyone to take a peek at the the contents of the /wp-content/w3tc folder and look for anything they may find interesting - in this case, cache files that hold usernames and their corresponding hashed passwords.

"Even with directory listings off, cache files are by default publicly downloadable, and the key values / file names of the database cache items are easily predictable. Again, it seems odd that 'deny from all' isn't added to the .htaccess file. Maybe it's documented somewhere that you should secure your directories, or maybe it isn't; I'm not sure," wrote Donenfield.

Continued : http://www.hotforsecurity.com/blog/caching-plugin-poses-serious-security-threat-for-large-wordpress-sites-4920.html

Also:
WordPress W3 Total Cache Misconfiguration Leaves Some Blogs Vulnerable
New WordPress vuln emerges

... User and Post It on the Timeline

XYSEC Labs security researchers Subho Halder and Aditya Gupta have identified a Cross Site Request Forgery (CSRF) vulnerability in Facebook.

To demonstrate how an attacker could exploit this security hole, the experts made a proof-of-concept video. They showed that a cybercriminal could record a video of the targeted user via his/her own webcam and seamlessly post in on their Facebook timeline.

"This is an classic example of a Cross Site Request Forgery(CSRF/XSRF), a kind of security attacks in which the actual source from which the request is being made, is not being properly verified. So, in our case, Facebook wasn't able to judge whether an attacker is making the request of posting the video as a status, or it was Facebook itself," Gupta told Softpedia.

He explained that for this type of attack to work, the victims need to be logged in to their accounts.

Posting a video recorded with the user's webcam is just one example, which requires some degree of interaction from the victim, but the CSRF vulnerability could be leveraged in other ways as well.

"There could be other attack vectors as well using this vulnerability, in which a video (from other source, not the webcam) could be posted to his timeline, without any kind of user interaction," the expert noted.

Continued: http://news.softpedia.com/news/Flaw-in-Facebook-Allowed-Attackers-to-Record-Video-of-User-and-Post-It-on-the-Timeline-Video-317462.shtml

.. Servers

From TrendLabs Security Intelligence Blog:

Malware like BKDR_JAVAWAR.JG prove that web servers are viable targets by cybercriminals as they store crucial data and can easily be used to infect other systems once unwitting users visit those affected websites.

We recently spotted a Java Server page that performs backdoor routines and gains control over vulnerable server. Trend Micro detects this as BKDR_JAVAWAR.JG. This malware may arrive as either a file downloaded from certain malicious sites or as a file dropped by other malware.

For this attack to be successful, the targeted system must be a Java Servlet container (such as Apache Tomcat) or a Java-based HTTP server. Another possible attack scenario is when an attacker checks for websites powered by Apache Tomcat then attempts to access the Tomcat Web Application Manager.

Using a password cracking tool, cybercriminals are able to login and gain manager/administrative rights allowing the deployment of Web application archive (WAR) files packaged with the backdoor to the server. The backdoor will be automatically added in the accessible Java Server pages. To execute its routine, the attacker can access the Java Server page using the following:

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-disguised-as-java-server-page-targets-web-hosting-servers/

New law enforcement and marketing tools and technologies keep privacy advocates on their toes

Verizon's attempt -- unsuccessful so far -- to secure a patent for a so-called 'snooping technology,' which in this case would let television advertisers target individual viewers based on what they're doing or saying in front of their sets, capped another challenging year for privacy advocates.

Verizon's snooping technology and TV ads

The Verizon technology, which includes a sensor/camera housed in a set-top box, would determine the activities of individual viewers -- eating, playing, cuddling, laughing, singing, fighting or gesturing -- and then trigger personal advertisements based on the activities.

Overall, the technology would serve targeted ads based on what the user is doing, who the user is, his or her surroundings, and any other suitable personal information, according to Verizon.

The U.S. Patent Office delivered a non-final" rejection of Verizon's application in November.

But analysts say that because engineers are already working on such technology, it's a cinch that some kind of similar technology will be included in TV set-top boxes in the not too distant future.

Continued : http://www.networkworld.com/news/2012/122812-drones-phones-and-other-2012-265403.html