Spyware, viruses, & security forum: NEWS - January 28, 2013

The title of this blog is far from unique. Tracking security flaws in Java is like counting grains of sand on a beach.

As I write this on January 27, 2013, the flaw in question is new. It is known by its creator, Adam Gowdiak of Security Explorations, simply as Issue 53.

Before going into detail, let's first put things in perspective.

The last Java flaw garnered a ton of attention, with a typical headline reporting that the Department of Homeland Security told everyone to disable Java. It's not clear why that flaw garnered so much attention. The New York Times reported it as a "rare" warning, but that news was not fit to print. The warning was routine.

In the middle of the last scare, Art Manion and Will Dormann of CERT wrote

"We've been telling people to disable Java for years. In fact, the first version of the Securing Your Web Browser document from 2006 provided clear recommendations for disabling Java in web browsers."

Oracle released a new edition of Java (Version 7 Update 11) to fix that problem, very quickly (perhaps an example of what bad publicity can do). But since that fix was issued on January 13th, the bad news for Java has continued to trickle out.

MORE BAD NEWS

Continued: http://blogs.computerworld.com/malware-and-vulnerabilities/21693/yet-another-java-security-flaw-discovered-number-53

* * * * * * * * * * * * * * * * * *

Java's new "very high" security mode can't protect you from malware

"Fix that was supposed to make malware attacks harder can be easily circumvented"

Security researchers have uncovered a newly discovered bug in Oracle's Java framework that allows attackers to bypass important security protections designed to prevent malware attacks.

The security improvements were introduced in Java 7 Update 10, and they came after a spate of in-the-wild attacks exploited fully patched versions of Java. Those allowed crooks to surreptitiously install malware on the computers of unsuspecting people using Java browser plugins. By default, the change required end users to manually allow the execution of Java code not digitally signed by a trusted authority. Users also had the ability to prevent any unsigned Java applet from running at all. Some security experts praised Oracle for adding the feature because it promised to drastically reduce the success of attacks that exploit security bugs in Java.

"Unfortunately, the above is only a theory," security researcher Adam Gowdiak wrote on Sunday, referring to the way the protections are supposed to block untrusted code from running on end-user computers. "In practice, it is possible to execute an unsigned (and malicious!) Java code without a prompt corresponding to security settings configured in Java Control Panel."

Continued : http://arstechnica.com/security/2013/01/javas-new-very-high-security-mode-cant-protect-you-from-malware/

Most malware is severely crippled if it can't contact the C&C servers from which it receives its instructions and updates, so malware authors are constantly coming up with new ways to thwart firewalls, intrusion prevention systems and local gateways blocking such communication.

The latest innovation in this particular "field" has been spotted by Symantec researcher Takashi Katsuki, who recently discovered a Trojan that uses Sender Policy Framework (SPF) to keep the connection between malware and C&C servers alive and well.

Ironically, the SPF is an email validation system designed to spot email spoofing and, therefore, spam.

"SPF consists of a domain name server (DNS) request and response. If a sender's DNS server is set up to use SPF, the DNS response contains the SPF in a text (TXT) record," explains Katsuki.

Continued : http://www.net-security.org/malware_news.php?id=2387

Related:
Browser-hijacking malware talks to attackers using SPF email validation protocol
Cybercriminals Use Anti-Spam System for Communication Between Malware and Server

From the Symantec Security Response Blog:

As we predicted toward the end of last year, we are once again seeing an upswing in ransomware activity in 2013. The ransomware extortion scam has been in existence now for a number of years but its popularity among cybercriminals has grown over the last two years and it continues to indiscriminately plague computer users in greater numbers. Symantec has tracked this growing menace in various blogs, a whitepaper, and a video.

In the last week Symantec has observed a new spike in ransomware activity being seen worldwide. While several variants of the ransomware threat are responsible for the overall spike, the main ransomware variant being observed is Trojan.Ransomlock.Y. This variant is being distributed through pornographic websites leading to the Impact Exploit kit. Symantec has the following Intrusion Prevention Signatures (IPS) in place for the Impact Exploit kit and is observing a similar telemetry spike around detections of this exploit kit:

• Web Attack: Impact Exploit Kit Website
• Web Attack: Impact Exploit Kit Website 2
• Web Attack: Impact Exploit Kit Website 3

[Screenshot: Trojan.Ransomlock.Y]

Continued: http://www.symantec.com/connect/blogs/upswing-ransomware-activity

... for Reforms

In honor of Data Privacy Day, Google this morning offered some more insight into how it handles government requests for your data, and pushed Congress to update an outdated law that covers how the feds can access your information.

Google said it scrutinizes every request carefully to make sure it's in line with its policies. "For us to consider complying, it generally must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law," the search giant said in a blog post.

The info comes several days after Google released an update to its Transparency Report, which included a breakdown, for the first time, of how U.S. government officials requested data from Google about its users: subpoena, search warrants, or court orders.

Overall, user data requests have jumped more than 70 percent since 2009, Google said last week. In total, Google received 21,389 requests for information about 33,634 users in the last six months of 2012, most of which - 68 percent - were subpoenas.

Continued : http://www.pcmag.com/article2/0,2817,2414766,00.asp

... revocation

Apple has released version 6.1 of its iOS operating system that is the brains of millions of iPhones, iPads and iPod Touch devices.

I would consider this to be a critical update, as many of the fixes can be used to remotely compromise your shiny iDevices.

iOS 6.1 is available for users of the iPhone 3GS and later, iPad 2 and later and iPod Touch 4th generation and later. Apparently Apple's advice to users of it's older hardware is "buy new ones".

The vast majority of the flaws were in WebKit, the rendering engine used by Safari to display web content. This isn't surprising as it is a very complicated component.

It is also a very dangerous component to leave vulnerable as it can be attacked by any web page controlled by someone with malicious intent. I would make these updates a priority.

Some of these fixes have been known for some time. A bug in handling Japanese Unicode characters dates back to 2011 and could lead to a cross-site scripting attack.

You could even characterize this update as long awaited as it finally addresses the bad certificates released by TURKTRUST and discovered this past Christmas.

Continued : http://nakedsecurity.sophos.com/2013/01/28/apple-updates-ios-fixing-27-vulnerabilities-and-turktrust-revocation/

The US Department of Defense is to increase the size of its cybersecurity forces fivefold over the next few years, boosting the department's Cyber Command personnel from 900 to 4,900. Anonymous US officials said the expansion had been approved by the Pentagon at the end of last year, according to a report in the Washington Post.

Those officials noted that attacks, such as the one which wiped data from 30,000 computers at a Saudi Arabian state oil company last summer, had highlighted the gravity of the threat for the Pentagon.

The plan will involve the creation of three forces under Cyber Command. A "national mission force" will focus on US infrastructure, power grids and plants, a "combat mission force" will help commanders plan and execute offensive operations outside the US and "cyber protection forces" will shore up the Defense Department's own network defenses. The plan appears to go further than the cyber strategy plan presented in July 2011.

http://www.h-online.com/security/news/item/US-military-to-massively-increases-cyber-security-personnel-1792415.html

Related:
Pentagon to boost cybersecurity force numbers: report
Pentagon Plans Massive Increase in Cybersecurity Teams
U.S. DoD's cybersecurity force to increase fivefold

"Facebook Graph Search is made out of people. They're making our food out of people.
You've gotta tell them. You've gotta tell them! It's people!"