guardiantech + security   91

A Tale of Two Pwnies (Part 1) >> Google Chromium Blog
Just over two months ago, Chrome sponsored the Pwnium (http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html) browser hacking competition. We had two fantastic submissions (http://chrome.blogspot.com/2012/03/pwnium-great-exploits-fast-patches.html), and successfully blocked both exploits within 24 hours of their unveiling. Today, we'd like to offer an inside look into the exploit submitted by Pinkie Pie (http://arstechnica.com/business/2012/03/googles-chrome-browser-on-friday/).


Four bugs chained together to achieve root. There's an upcoming post about the other hack, which involved 10 chained bugs. The chaining makes it more like an accumulator bet at the races: much harder to achieve anything, because every bug in the chain has to come good, not just one.
browser  bug  chrome  hacking  security 
2 hours ago by guardiantech
Smartphone hijacking vulnerability affects AT&T, 47 other carriers >> Ars Technica
Ironically, the vulnerability is introduced by a class of firewalls cellular carriers use. While intended to make the networks safer, these firewall middleboxes allow hackers to infer TCP sequence numbers of data packets appended to each data packet, a disclosure that can be used to tamper with internet connections.


Complex, and presently theoretical… apart from the test that the researchers carried out using some smartphones, in which they spoofed a variety of sites, including banks. (Thanks @rquick for the link.)
ip  malware  security  hacks 
8 days ago by guardiantech
[Honeypot Alert] (UPDATE) Active Exploit Attempts for PHP-CGI Vuln >> SpiderLabs Anterior
As you may have heard, some security researchers recently released information outlining (http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/) a long-standing vulnerability within the PHP-CGI code. The short of it is that remote attackers may be able to pass command line arguments in a query_string that will be passed directly to the PHP-CGI program.


First, disable CGI if you use PHP.
malware  security 
19 days ago by guardiantech
Apple offers iOS 5.1.1 update, fixes some serious vulnerabilities >> Naked Security
Fixes cross-site scripting, URL spoofing and remote code execution bugs - all severe. But Graham Cluley has harder words for Apple:
Do you work for Apple? If so, please suggest - to the highest authority in the company you dare to email directly - that your employer tweaks its update publishing system. Make sure that [security article] HT1222 is updated at the same time as any security-related product update is published, not hours or days later. This will have a positive outcome: your users will apply security fixes more promptly.


No signs yet of Apple putting security visibility further up the priority list. It should.
apple  ios  security  malware 
21 days ago by guardiantech
The anatomy of Flashfake. Part 1 >> Securelist
How all those Macs got infected:
The partner program was based on script redirects from huge numbers of legitimate websites all over the world. Around the end of February/early March 2012, tens of thousands of sites powered by WordPress were compromised. How this happened is unclear. The main theories are that bloggers were using vulnerable versions of WordPress or they had installed the ToolsPack plugin. Websense put the number of affected sites at 30,000, while other companies say the figure could be as high as 100,000. Approximately 85% of the compromised blogs are located in the US.

Code was injected into the main pages when the blogs were hacked. As a result, when any of the compromised sites were visited, a partner program TDS was contacted. Depending on the operating system and browser version, the browser then performed a hidden redirect to sites in the rr.nu domain zone that had the appropriate set of exploits installed on them to carry out an infection.
malware  mac  security  charlesarthur 
5 weeks ago by guardiantech
New version of Sabpab Mac Trojan emerges, spread via Word documents >> Naked Security
Oh joy: A new version of the Mac OS X Sabpab Trojan horse has come to light, and rather than relying upon a Java vulnerability - it appears to be exploiting malformed Word documents instead.

Disabled Java.. Flash.. Word.. web..
mac  malware  security 
6 weeks ago by guardiantech
Boeing to jump into the mobile phone business >> National Defense Magazine blog
Competitors offering similar secure, encrypted devices are charging $15,000 to $20,000 per device and are using proprietary software and hardware, Palma said.

“We are going to drive down towards a lower price point, but … not mass-market price point,” he said referring to iPhones, BlackBerries and other consumer market smartphones.

“We believe that there is significant interest in the defense side as well as the intelligence side and in the commercial world as well,” Palma said.


YANF - Yet Another Android Fork. (Thanks @rquick for the link.)
android  security  boeing 
6 weeks ago by guardiantech
The myth of the security-smug Mac user >> Securosis Blog
Rich Mogull:
This is anecdotal, and I don’t have survey numbers to back it up, but I’ve been probably the most prominent writer on Mac security for the past 5 years, and talk to a ton of people in person and over email. Nearly universally Mac users are and have been, concerned about security and malware.

So where does this myth come from? I think it’s 3 sources.


Read the three sources before you comment.
apple  malware  security 
7 weeks ago by guardiantech
Shopping for Zero-Days: a price list for hackers' secret software exploits >> Forbes
So:
any hacker who happens to know one Bangkok-based security researcher who goes by the handle “the Grugq”–or someone like him–has a third option: arrange a deal through the pseudonymous exploit broker to hand the exploit information over to a government agency, don’t ask too many questions, and get paid a quarter of a million dollars–minus the Grugq’s 15% commission.


Cheapest exploits? Adobe Reader. Priciest? iOS.
hacking  malware  security 
8 weeks ago by guardiantech
MasterCard, VISA Warn of Processor Breach >> Krebs on Security
VISA and MasterCard are alerting banks across the country about a recent major breach at a U.S.-based credit card processor. Sources in the financial sector are calling the breach “massive,” and say it may involve more than 10 million compromised card numbers.

Update, 4:32 p.m. ET: Atlanta-based processor Global Payments just confirmed that they discovered a breach in early March 2012. See their full statement and several other updates at the end of this story.


Depressing, really. Banks have started looking for where the common point of use of breached cards might be. First result: parking garages around New York City.
malware  security  banking  fraud 
8 weeks ago by guardiantech
Gang members sentenced over Apple and Amazon fraud >> ZDNet UK
Three people have been sentenced for participating in a massive online music fraud, in which the gang uploaded music to iTunes and Amazon before using compromised cards to buy it back in large volumes.

At Southwark Crown Court on Thursday, James Batchelor was jailed for two years, Siobhan Clarke was given an eight-month suspended sentence and 150 hours' unpaid work, and Colton Johnson was ordered to undertake 80 hours' unpaid work. The sentencings were the last to take place in connection with the fraud, which has already seen 11 other people convicted and sentenced.

The fraud cost Apple and Amazon somewhere in the region of £1m, the Met said. The members of the gang were originally arrested in 2009 following a joint operation between the Met's Police Central e-Crime Unit (PCeU) and the New York Police Department.


Thousands of compromised US and UK credit cards were used for the fake purchases. Stupidly, they picked too few albums - they'd have been major recording artists to get that volume of purchases.
music  security  fraud 
8 weeks ago by guardiantech
“Zero-day” exploit sales should be key point in cybersecurity debate >> Electronic Frontier Foundation
France-based VUPEN is one of the highest-profile firms trafficking in zero-day exploits. Earlier this month at the CanSecWest information security conference, VUPEN declined to participate in the Google-sponsored Pwnium hacking competition, where security researchers were awarded up to $60,000 if they could defeat the Chrome browser’s security and then explain to Google how they did it. Instead, VUPEN—sitting feet away from Google engineers running the competition—successfully compromised Chrome, but then refused to disclose their method to Google to help fix the flaw and make the browser safer for users.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”


In effect such companies are modern-day arms dealers: you have to hope they stay onside and don't do anything stupid.
security  malware  google 
8 weeks ago by guardiantech
Think twice before installing Chrome extensions >> Securelist
With Brazil loving Chrome, the bad guys are creating extensions which take over your Facebook profile.
You’re probably asking yourself how the bad guys are turning this malicious scheme into money. Well, it’s easy: they have total control of the victim’s profile, so they created a service to sell “Likes” on Facebook, especially focused for companies that want to promote their profiles, gaining more fans and visibility: 1000 likes earn R$ 50.00 (around U$ 27.00)

Of course, to sell the “Likes” they use the profile of the victims.

Be careful when using Facebook. And think twice before installing a Google Chrome extension.


(Thanks @pauljreynolds for the link.)
security  chrome  browser  google  brazil  facebook 
9 weeks ago by guardiantech
40% of US government Web sites fail security test >> Network World
Approximately 40% of federal government agencies are out of compliance with a regulation that requires them to deploy an extra layer of authentication on their Web sites to prevent hackers from hijacking Web traffic and redirecting it to bogus sites.

It's been more than two years since federal agencies were required to support DNS Security Extensions (DNSSEC) on their Web sites. However, two recent studies indicate that around 40% of federal Web sites have not yet deployed this Internet security standard.


Faintly depressing.
security  government  hacking 
10 weeks ago by guardiantech
Apple unveils iOS 5.1 with over 80 security fixes >> Infosecurity
Jailbreakers, bad news:
Apple has unveiled iOS 5.1, the latest version of its mobile operating system, with fixes for over 80 vulnerabilities.

Most of the plugged vulnerabilities involve the WebKit framework used to render web pages in Safari and other applications. Apple warned that visiting a malicious website could lead to a “cross-site scripting attack”, an “unexpected application termination”, or “arbitrary code execution”, according to a security advisory (http://support.apple.com/kb/HT5192).

A number of screen lock bypass issues were fixed, including a race condition issue in the handling of slide to dial gestures.

However jailbreakers said they'd figured how to get around it within a few hours. (Thanks @rquick for the link.)
apple  security  malware 
11 weeks ago by guardiantech
CanSecWest Day 2 – Smartphones, mobile security, iOS 5 and NFC >> Naked Security
Chester Wisniewski on the latest, which includes trying to hack "unrootable" Android phones, hacking iPhones, NFC risks and some more - notably what percentage of iPhones have been found to be jailbroken. Which is fascinating.
security  malware 
11 weeks ago by guardiantech
Warning: 200,000 US-based WordPress web pages compromised by hijack injection attack >> DaniWeb
Security researchers are warning that some 30,000 WordPress websites, 85% of them based in the US, have been compromised by a mass-injection hijack attack which sees visitors to any of more than 200,000 individual pages redirected to a Trojan infected rogue AV scam.


Look for code linking to a script from rr.nu.
wordpress  security  malware 
11 weeks ago by guardiantech
Et tu, Google? Android apps can also secretly copy photos >> NYTimes.com
As Bits reported earlier this week, developers who make applications for Apple iOS devices have access to a person’s entire photo library, as long as that person allows the app to use location data.

It turns out that Google, maker of the Android mobile operating system, takes it one step further. Android apps do not need permission to access a user’s photos, and as long as an app has the right to access the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is not clear whether any apps that are available for Android devices are actually doing this.


The proof-of-concept was done by Lookout Software, which specialises in spotting malware on mobiles. Google, in response, said it would consider changing its approach; "A Google spokesman said that the lack of restrictions on photo access was a design choice related to the way early Android phones stored data."
android  privacy  security 
12 weeks ago by guardiantech
Apple loophole gives developers access to photos >> NYTimes.com
Developers of applications for Apple’s mobile devices, and Apple itself, came under scrutiny this month after reports that some apps were taking people’s address book information without their knowledge.

As it turns out, address books are not the only things up for grabs. Photos are also vulnerable. After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.


Are we tired of this yet?
apple  ios  photography  security  privacy  charlesarthur 
february 2012 by guardiantech
Google offers $1 million reward to hackers who exploit Chrome
Hey, Anonymous!
Google has pledged cash prizes totaling $1 million to people who successfully hack its Chrome browser at next week's CanSecWest security conference.

Google will reward winning contestants with prizes of $60,000, $40,000, and $20,000 depending on the severity of the exploits they demonstrate on Windows 7 machines running the browser. Members of the company's security team announced the Pwnium contest on their blog on Monday (http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html). There is no splitting of winnings, and prizes will be awarded on a first-come-first-served basis until the $1 million threshold is reached.
browser  google  security  chrome 
february 2012 by guardiantech
Android Takes IPhone Battle to Office >> Bloomberg
Among a number of initiatives to bring Android phones into the enterprise:
Vodafone Group Plc, the world’s largest mobile operator, plans to use the Cebit technology trade show in Hanover next month to demonstrate its device-management suite as well as a SIM-card software that authenticates a phone’s user and encrypts data and messages, said Jan Geldmacher, who heads the carrier’s German enterprise unit. The encryption works better on Android devices than on iOS because Apple doesn’t let developers fine-tune the operating system for maximum security, he said.

“The security is a bit reduced if the manufacturer doesn’t let us access the system,” he said in an interview. “When I advise a customer and he wants to use an encryption mechanism from our Secure SIM card, and he asks me which phone he’d recommend, I’d say take an Android device.”


Wonder if Apple will respond to this in its next version of iOS. (Thanks @modelportfolio2003 for the link.)
smartphones  apple  security  android 
february 2012 by guardiantech
Flashback Mac Trojan Horse infections increasing with new variant >> The Mac Security Blog
Intego:
We recently reported about a new variant of the Flashback Trojan horse (http://blog.intego.com/new-flashback-trojan-horse-variant-uses-novel-delivery-method-to-infect-macs/) which is using novel techniques to infect Macs. Since then, we have discovered a number of samples of this latest variant, Flashback.G, and have seen evidence that many Mac users have been infected by this malware.


What's not explained is what "many" is (even compared to Intego's client base) or what this novel infection method is. Flashback is a password-stealing program. Presently easy to detect:
• open Terminal.app
• type cd /Users/Shared
• type ls -l
• look for any file ending ".so". If you're infected, you've then got a problem. (Thanks @rquick for the link.)
mac  malware  osx  security 
february 2012 by guardiantech
About Gatekeeper >> Panic Blog
Why the new Gatekeeper feature on the new version of the Mac operating system matters to all users.
Mac  osx  gatekeeper  security  joshhalliday 
february 2012 by guardiantech
Thousands of public encryption keys found to offer no security >> V3.co.uk
The flaw came to light by analysing more than seven million public keys which are used to secure online transactions, email messages and other web services.
The researchers discovered that a flaw in the process for generating random prime numbers – a critical component of the public key encryption – resulted in thousands of public keys sharing common prime numbers.

"What surprised us most is that many thousands of 1024-bit RSA moduli, including thousands that are contained in still valid X.509 certificates, offer no security at all," the research paper states.


Well, not exactly <em>no</em> security. Just rather less than immense security.
security  crypto 
february 2012 by guardiantech
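As an added illustration (not from the V3 article or from the research paper it reports on), the Python below shows why a shared prime is fatal: the GCD of two moduli that share a factor hands over that factor instantly, and the private exponent follows from it. The six-digit primes, the public exponent 65537 and the plaintext are constructed for the example; real keys use 512-bit primes, but the arithmetic is identical. The pairwise loop is fine for a handful of keys; scanning millions, as the researchers did, calls for a product-tree batch GCD, which this example does not implement.

```python
from math import gcd
from itertools import combinations

# Constructed sample primes (six digits, far smaller than real 512-bit RSA
# primes) so the example runs instantly. Keys 0 and 1 were "generated" by a
# faulty RNG and share P_SHARED; key 2 is healthy.
P_SHARED = 1000003
Q1, Q2 = 1000033, 1000037
R, S = 1000039, 1000081
E = 65537  # common public exponent

MODULI = [P_SHARED * Q1, P_SHARED * Q2, R * S]


def find_shared_factors(moduli):
    """Pairwise GCD of every pair of moduli.

    A result strictly between 1 and n is a prime factor of both moduli,
    so both keys are broken at once. Returns {(i, j): shared_prime}.
    """
    found = {}
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        g = gcd(n_i, n_j)
        if 1 < g < n_i:
            found[(i, j)] = g
    return found


def recover_private_key(n, p, e=E):
    """Given one prime factor p of n, derive the private exponent d."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def rsa_encrypt(m, n, e=E):
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    return pow(c, d, n)


def demo():
    """Find shared factors, rebuild each broken key, and prove it decrypts."""
    shared = find_shared_factors(MODULI)
    recovered = {}
    message = 123456789  # constructed plaintext, smaller than every modulus
    for (i, j), p in shared.items():
        for k in (i, j):
            d = recover_private_key(MODULI[k], p)
            c = rsa_encrypt(message, MODULI[k])
            recovered[k] = rsa_decrypt(c, MODULI[k], d) == message
    return shared, recovered


if __name__ == "__main__":
    shared, recovered = demo()
    print("shared factors:", shared)
    print("keys fully recovered:", recovered)
```

Only the pair (0, 1) turns up a common factor; the healthy key 2 shares nothing with either and stays secure, which is the point of the "no security at all" wording for the affected moduli specifically.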
The Perpetual, Invisible Window Into Your Gmail Inbox >> Andy Baio at Wired
Andy Baio:
since Gmail added OAuth support in March 2010, an increasing number of startups are asking for a perpetual, silent window into your inbox.

I’m concerned OAuth, while hugely convenient for both developers and users, may be paving the way for an inevitable privacy meltdown.


Will make you think twice about giving your approval to apps you haven't researched.
google  privacy  security 
february 2012 by guardiantech
Stealing Your Address Book >> Dustin Curtis
So iOS basically lets apps upload your address book:
I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millions of records. One company's database has Mark Zuckerberg's cell phone number, Larry Ellison's home phone number and Bill Gates' cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.


Those are some databases, though. Off Steve Jobs's iPhone?
apple  charlesarthur  ios  data  security 
february 2012 by guardiantech
HTC admits some phones leak Wi-Fi details >> The Next Web
Complicated: you'd need an HTC handset connected to the Wi-Fi network. And then:
The issue would require the user to install an application that had been specifically designed to harvest details or was uploaded to the Android Market with the specific aim of collecting information. The impact may have been small in the fact that such an app will not see the reach as a more popular app but the security risk does exist.


Minimal but possible risk. Affects the Desire HD, Droid Incredible and more.
If you own one of the affected handsets, you may have already received the fix. If you do not, keep checking the HTC Support site for more information.
htc  android  security 
february 2012 by guardiantech
Love online: 100,000 Grindr users exposed in hack attack >> Sydney Morning Herald
This is big.
The hacker discovered a way to log in as another user, impersonate that user, chat and send photos on their behalf.

The vulnerabilities are also present in Blendr, the straight version of the app, according to a security expert who said both apps had "no real security" and were "poorly designed".
grindr  blendr  apps  security  hack  joshhalliday 
january 2012 by guardiantech
Report: Analysis of the Stratfor Password List >> Tech Herald
"Just before the holiday weekend, as their final act of defiance in 2011, AntiSec supporters published nearly a million records taken during the Christmas Eve attack on Strategic Forecasting Inc. The Tech Herald has examined the list of 860,160 password hashes that were leaked, and the results of our tests were both expected and pitiful.
"We’re sorry to report that the state of password management and creation is still living in the Dark Ages."

This story never changes. Why are we surprised any more? Are we surprised any more? The more worrying aspect is "password recycling" where people use the same password in multiple places.
security  passwords 
january 2012 by guardiantech
Verified by Visa? >> CounterMeasures
Rik Ferguson: "What would a criminal do if they had access to your card details but not your password? Of course, there’s that handy “I forgot my password” link. Let’s see how well protected that is.

"The first step in the password reset procedure is to enter your card number, obviously to ensure you are resetting the password for the correct account. Once that number is entered the system now requires some corroborating data to be sure that you are the legitimate account holder, let’s have a look at that “Identification” phase."

What you then discover will make you despair of the design of card security systems.
charlesarthur  visa  security 
december 2011 by guardiantech
Not even making it to the airtight hatchway: Execution even before you get there >> MSDN Blogs
"Today's dubious security vulnerability comes from somebody who reported that the LoadKeyboardLayout function had a security vulnerability which could lead to arbitrary code execution. This is a serious issue, but reading the report made us wonder if something was missing."

What was missing was a security vulnerability. Collateral damage of the ease of vulnerability reporting.
malware  security 
december 2011 by guardiantech
Scheme/Host/Port: Timing Attacks on CSS Shaders >> Adam Barth
"CSS Shaders is a new feature folks from Adobe, Apple, and Opera have proposed to the W3C CSS-SVG Effects Task Force.  Rather than being limited to pre-canned effects, such as gradients and drop shadows, CSS Shaders would let web developers apply arbitrary OpenGL shaders to their content.  That makes for some really impressive demos.  Unfortunately, CSS Shaders has a security problem."

The explanation of how the security problem arises is very complicated, but essentially it means your information could be leaked.
css3  malware  security 
december 2011 by guardiantech
Patch Tuesday analysis for December 2011 >> Naked Security
"As always on the second Tuesday of the month Microsoft and Adobe release their monthly security bulletins.

"This month Microsoft has released 13 bulletins, although they had originally announced there would be 14 this month. In the final stages of QA, Microsoft discovered an application incompatibility with a major software vendor."

It's very hard to grasp just how complex the process of introducing, checking and verifying patches is - but it's probably one of the hardest tasks Microsoft has. And it's almost perpetual - the Sisyphean rock of software.
microsoft  adobe  security  from delicious
december 2011 by guardiantech
Digital certificate authority suspends operations following breach >> The Register
"Websites belonging to a Netherlands-based issuer of digital certificates were unavailable following reports hackers penetrated their security and accessed databases that should have been off limits.

"Dutch telecommunications giant KPN issued a statement (translation here) that said it temporarily shut the website of its Gemnet subsidiary while it investigated the hack. A second website belonging to a KPN subsidiary that issues digital certificates to the Dutch government was also taken down."

While everyone is looking at issues such as CarrierIQ, the whole web of trust in certificates is rotting away.
charlesarthur  security  digitalcertificates  from delicious
december 2011 by guardiantech
Real security in Mac OS X requires Apple-signed certificates >> Wil Shipley
"The problem Mac developers are facing is that the two that Apple is enforcing on the Mac App Store (Sandboxing and Code Auditing) are implemented currently to be actively bad for developers and not particularly good for users. And the method that would provide the most benefit for developers and users (Certification) isn’t enforced broadly enough to be useful."
charlesarthur  apple  security  from delicious
november 2011 by guardiantech
Apple fixes iPad 2 Smart Cover passcode security flaw with iOS 5.0.1 >> 9to5Mac
"Now, with the release of iOS 5.0.1 beta, we’ve discovered that one of the new security fixes is a fix for this Smart Cover bug. It appears that Apple has fixed the issue by not allowing the iPad 2 to go to sleep by way of the Smart Cover closing while on the power off menu. iOS 5.0.1 should make its way onto everyone’s iOS 5 devices in a few weeks."

So it goes.
charlesarthur  security  from delicious
november 2011 by guardiantech
Problem in Wordpress; bigger problem, doing something about it… >> Kevin Townsend
The Timthumb vulnerability is still around, despite having been reported way back in August.
wordpress  vulnerability  security  from delicious
october 2011 by guardiantech
Dolphin HD browser snared in security breach >> CNET News
Declan McCullagh: "MoboTap, a Pasadena, Calif.-based mobile developer, told CNET today that Dolphin HD for Android transmitted the Web addresses back to the company's servers but that they were not stored. The addresses were used to determine whether to format Web pages in 'Webzine' format, MoboTap said.

"The privacy and security implications arise when a user connects to a secure Web site (usually shown by "https://" and a closed lock icon). The second, surreptitious connection to MoboTap is unencrypted, allowing an eavesdropper on a Wi-Fi network to learn what's happening."

Could allow session hijacking. Theoretically.
charlesarthur  android  security  from delicious
october 2011 by guardiantech
This is how Windows get infected with malware >> CSIS
"When a Microsoft Windows machine gets infected by viruses/malware it does so mainly because users forget to update the Java JRE, Adobe Reader/Acrobat and Adobe Flash."
windows  security  malware  joshhalliday  from delicious
october 2011 by guardiantech
Internet security: Frayed ends >> The Economist
"When a browser and a server launch a secure connection, they first have to decide which protocol versions they know, and settle on the most recent one known to both. Opera works with TLS 1.2, as does Internet Explorer 8 using Windows 7. Apparently, though, Apple's Safari, Mozilla's Firefox, and Google's Chrome do not, nor do many popular mobile browsers. This means that anyone using them might be vulnerable to a TLS 1.0 attack.

"The attack, dubbed Browser Exploit Against SSL/TLS, or BEAST, lets a malicious party on a subverted network pass along scripting code that runs in a victim's browser when pages are requested."

Security isn't having a very good year.
charlesarthur  ssl  security  from delicious
september 2011 by guardiantech
European Group finds HTML5 security gaps >> Computerworld
"The European Union's computer security agency warned that the draft HTML5 standard may neglect important security issues. The European Network and Information Security Agency (ENISA) on Aug. 1 released a 61-page document that cited 51 security problems in the draft HTML5 specifications.

"It's the first time anyone has looked at those specifications from a security point of view," said Giles Hogben, program manager for secure services at ENISA. Some of the security issues can be fixed by tweaking the specifications, while others are risks that browser users should be warned about, Hogben said.

(Thanks @rquick for the link.)
charlesarthur  security  from delicious
september 2011 by guardiantech
Gang used 3D printers for ATM skimmers >> Krebs on Security
"The skimmer components typically include a card skimmer that fits over the card acceptance slot and steals the data stored on the card’s magnetic stripe, and a pinhole camera built into a false panel that thieves can fit above or beside the PIN pad. If these components don’t match just-so, they’re more likely to be discovered and removed by customers or bank personnel, leaving the thieves without their stolen card data.
"Enter the 3D printer. This fascinating technology, explained succinctly in the video below from 3D printing company i.materialise, takes two dimensional computer images and builds them into three dimensional models by laying down successive layers of powder that are heated, shaped and hardened."

This has the potential to turn into something bad. Well, it already has.
security  malware  from delicious
september 2011 by guardiantech
Cracking OS X Lion passwords >> Defence in Depth
"Due to Lion's relatively short time on the market, I am yet to find any of the major crackers supporting OS X Lion hashes (SHA512 + 4-byte salt). To simplify the cracking of these hashes I have created a simple python script which can be downloaded here.
"Now, if the password is not found by the dictionary file you're out of luck, right? Well, no! Why crack hashes when you can just change the password directly! It appears Directory Services in Lion no longer requires authentication when requesting a password change for the current user."

Note that it's the logged-in user. Not clear what happens if that user then logs out. (Also, you'd need to be accessing a machine where multiple users are logged in. Does that happen a lot?)
charlesarthur  apple  security  from delicious
september 2011 by guardiantech
Beware of Macs in enterprise, security consultants say >> The Register
From early in August, but still relevant: "'With a large enterprise, you have to assume that people are going to get tricked into installing malware,' iSec CTO Alex Stamos told The Reg. 'You can't assume that you'll never have malware somewhere in a network. You have to focus on parts where a bad guy goes from owning Bob the HR employee to become Sally the domain admin.'
"At the heart of the Mac server's insecurity is a proprietary authentication scheme known as DHX that's trivial to override. While Mac servers can use the much more secure Kerberos algorithm for authenticating Macs on local networks, Stamos and fellow iSec researchers Paul Youn, Tom Daniels, Aaron Grattafiori, and William "BJ" Orvis found it was trivial to force OS X server to resort back to Apple's insecure protocol."

They also did a proof of concept. OSX Server is the weakest link. Then again, a similar flaw in Windows is what led to Google getting hacked in China in 2009.
charlesarthur  apple  security  from delicious
august 2011 by guardiantech
HTTP Strict Transport Security >> The Chromium Projects
"One of the several new features in Chrome is the addition of HTTP Strict Transport Security. HSTS allows a site to request that it always be contacted over HTTPS. HSTS is supported in Google Chrome, Firefox 4, and the popular NoScript Firefox extension.
"The issue that HSTS addresses is that users tend to type http:// at best, and omit the scheme entirely most of the time. In the latter case, browsers will insert http:// for them.
"However, HTTP is insecure. An attacker can grab that connection, manipulate it and only the most eagle eyed users might notice that it redirected to https://www.bank0famerica.com or some such. From then on, the user is under the control of the attacker, who can intercept passwords etc at will."

Chrome is adding a preloaded list of sites that must always be reached over HTTPS, which closes the gap on a user's very first visit, before any HSTS header has been seen. The other major browsers should do this too.
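The behaviour described above, as an added example (not Chromium's code): a small Python model of a browser's HSTS store. It parses the Strict-Transport-Security header, ignores headers that arrive over plain HTTP (which an on-path attacker could otherwise forge or clear), expires entries, honours includeSubDomains, seeds the store from a preload list, and rewrites http:// URLs to https:// for known hosts. The host names and the preload entry are made up for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Hypothetical preload entry standing in for the list Chrome ships: host -> includeSubDomains
PRELOADED = {"preloaded.example": True}


class HstsStore:
    """Minimal model of a browser's HSTS cache: hosts that must only be reached over HTTPS."""

    def __init__(self, preload=None):
        # host -> (expires_at, include_subdomains); preloaded entries never expire
        self._entries = {}
        for host, subs in (preload or {}).items():
            self._entries[host.lower()] = (float("inf"), subs)

    @staticmethod
    def parse_header(value):
        """Parse a Strict-Transport-Security value into (max_age, include_subdomains),
        or None if the header is unusable (max-age is mandatory)."""
        max_age, include_subs = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return None
            elif name == "includesubdomains":
                include_subs = True
        if max_age is None or max_age < 0:
            return None
        return max_age, include_subs

    def observe(self, host, header_value, over_tls, now=None):
        """Record an HSTS header seen in a response. Headers received over plain HTTP
        are ignored: otherwise an attacker on the path could set or clear policy."""
        if not over_tls:
            return False
        parsed = self.parse_header(header_value)
        if parsed is None:
            return False
        max_age, include_subs = parsed
        now = time.time() if now is None else now
        host = host.lower()
        if max_age == 0:
            self._entries.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self._entries[host] = (now + max_age, include_subs)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subs = entry
            if expires_at <= now:
                continue
            if i == 0 or include_subs:
                return True
        return False

    def upgrade(self, url, now=None):
        """Rewrite an http:// URL to https:// for a known host; other URLs pass through."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname, now):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += ":%d" % parts.port  # an explicit port 80 becomes the https default
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore(preload=PRELOADED)
    store.observe("bank.example", "max-age=31536000; includeSubDomains", over_tls=True)
    print(store.upgrade("http://online.bank.example/login"))
    print(store.upgrade("http://www.preloaded.example/"))
```

A real browser also refuses to let the user click through certificate errors on an HSTS host; that part is left out here, as the point is the upgrade decision.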
charlesarthur  google  security  from delicious
august 2011 by guardiantech
Hybrid Hydras and Green Stealing Machines >> Krebs on Security
"The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines."
charlesarthur  malware  security  from delicious
august 2011 by guardiantech
Google: Most Vulnerabilities Only Exploited For a Short Time >> threatpost
Google has been looking at malware attacks, with a big report: "The report looks at a number of evasion and defensive techniques employed by attackers and malware distributors and concluded that not only are the bad guys quite skilled at adapting to new behaviors by users and browsers, they're also doing some of their own innovation. One of the more interesting findings in the report is that socially engineered malware--the kind that uses various tricks to goad users into visiting a site or downloading a file--make up barely 2% of all malware observed by Google. The volume of socially engineered malware has been rising steadily during the course of the last few years, but Google's engineers said it's still a tiny piece of the overall picture."
google  malware  security  from delicious
august 2011 by guardiantech
Beware of Juice-Jacking >> Krebs on Security
Free phone charging? Think again. "Brian Markus, president of Aires Security, said he and fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk to educate attendees about the potential perils of juicing up at random power stations. Markus explains the motivation behind the experiment:<br />
"'We’d been talking about how dangerous these charging stations could be. Most smartphones are configured to just connect and dump off data,' Markus said. 'Anyone who had an inclination to could put a system inside of one of these kiosks that when someone connects their phone can suck down all of the photos and data, or write malware to the device.'"
charlesarthur  malware  security  from delicious
august 2011 by guardiantech
Android could allow mobile ad or phishing pop-ups >> CNET News
"Researchers have discovered what they say is a design flaw in Android that could be used by criminals to steal data via phishing or by advertisers to bring annoying pop-up ads to phones."
android  security  mobileOS  joshhalliday  from delicious
august 2011 by guardiantech
How Secure Is My Password?
Simple, really: it tells you how long it would take an average desktop machine to crack your password, and whether yours is one of the most popular passwords (in which case, change it). It takes no usernames or emails, so it's safe enough to try (if you're cautious, test a password of the same shape rather than your real one).
charlesarthur  security  internet  from delicious
august 2011 by guardiantech
Zero-day vulnerability in many Wordpress themes >> Mark Maunder
"The Exec summary: An image resizing utility called timthumb.php is widely used by many WordPress themes. Google shows over 39 million results for the script name. If your WordPress theme is bundled with an unmodified timthumb.php as many commercial and free themes are, then you should immediately either remove it or edit it and set the $allowedSites array to be empty."
charlesarthur  security  wordpress  from delicious
august 2011 by guardiantech
When Hacks Attack: The Computer Security Textbook Plagiarism Epidemic >> Fast Company
"A crusader from Attrition.org has found that an alarmingly high number of books written by computer security experts are nearly 100% copied from other sources. What does that say about the industry?"<br />
<br />
Er... that its exponents may have learnt their craft by copying others? (We got the link from <a href="http://twitter.com/kevinmitnick">Kevin Mitnick</a>, by the way.)
charlesarthur  security  from delicious
july 2011 by guardiantech
Unpatched iPhones/iPads secure connections not so secure >> Naked Security
"Oddly the flaw in iOS was a widespread flaw in WebKit and Microsoft's CryptoAPI nine years ago. It allows any valid certificate purchased from a Certificate Authority to sign any other certificate, which the client device will then consider valid.<br />
"This allows anyone who can capture traffic from your iPhone, iPad or iPod Touch with man-in-the-middle techniques to intercept and read any and all encrypted SSL traffic silently and without notification to the user.<br />
"This patch should be applied immediately if you log in to any service on your device, especially things like your bank or PayPal. Users are particularly vulnerable to this attack if they frequently use public/open WiFi.<br />
"The really bad news? If you are using an iPod Touch generation one or two, or an iPhone older than the 3GS, you will be perpetually vulnerable. Owners of these devices should not use them for any purpose for which security or privacy is required."
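To make the flaw concrete, an added example (not from Naked Security, Apple, or any real validator): a toy certificate chain validator in Python. Certificates are dicts and signatures are simulated with HMAC-SHA256 so the block runs with the standard library alone; the names, key ids and the "basicConstraints"-style CA flag are constructed for the example. The vulnerable mode skips the check that every issuing certificate is marked as a CA, so an ordinary end-entity certificate bought from a real CA can "issue" a certificate for any other name; the corrected mode rejects that chain.

```python
import hashlib
import hmac
import json

# Toy key material: a deterministic per-key secret stands in for the private/public pair,
# and HMAC-SHA256 stands in for an RSA/ECDSA signature. The verifier looks secrets up by
# key id the way a real one looks up the issuer's public key.
KEYS = {}


def make_key(key_id):
    KEYS[key_id] = hashlib.sha256(b"toy-private-key:" + key_id.encode()).digest()
    return key_id


def _tbs_bytes(tbs):
    return json.dumps(tbs, sort_keys=True).encode()


def issue(subject, key_id, issuer_cert, issuer_key_id, is_ca):
    """Issue a certificate for `subject` signed with the issuer's key.
    `is_ca` mirrors the X.509 basicConstraints CA flag."""
    tbs = {
        "subject": subject,
        "issuer": issuer_cert["tbs"]["subject"] if issuer_cert else subject,
        "key_id": key_id,
        "is_ca": is_ca,
    }
    sig = hmac.new(KEYS[issuer_key_id], _tbs_bytes(tbs), hashlib.sha256).digest()
    return {"tbs": tbs, "sig": sig}


def self_signed_root(subject, key_id):
    return issue(subject, key_id, None, key_id, is_ca=True)


def signature_ok(cert, issuer_cert):
    expected = hmac.new(KEYS[issuer_cert["tbs"]["key_id"]], _tbs_bytes(cert["tbs"]),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert["sig"])


def validate_chain(chain, trust_anchors, hostname, check_ca_flag=True):
    """chain is leaf-first; the last element must chain to one of trust_anchors.
    Returns (ok, reason). check_ca_flag=False reproduces the flaw described above."""
    if chain[0]["tbs"]["subject"] != hostname:
        return False, "name mismatch"
    anchors = {c["tbs"]["subject"]: c for c in trust_anchors}
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            issuer = chain[i + 1]
        else:
            issuer = anchors.get(cert["tbs"]["issuer"])
            if issuer is None:
                return False, "issuer not trusted"
        if issuer["tbs"]["subject"] != cert["tbs"]["issuer"]:
            return False, "issuer name mismatch"
        if not signature_ok(cert, issuer):
            return False, "bad signature"
        # The missing check: only certificates marked as CAs may sign other certificates.
        if check_ca_flag and not issuer["tbs"]["is_ca"]:
            return False, "issuer is not a CA"
    return True, "ok"


def build_scenario():
    """Constructed PKI: one root, the bank's real cert, an attacker's cheap but valid
    end-entity cert, and a bank.example cert the attacker signs with his own key."""
    root_key = make_key("root")
    root = self_signed_root("Example Root CA", root_key)
    bank = issue("bank.example", make_key("bank"), root, root_key, is_ca=False)
    attacker_key = make_key("attacker")
    attacker = issue("attacker.example", attacker_key, root, root_key, is_ca=False)
    forged = issue("bank.example", make_key("forged"), attacker, attacker_key, is_ca=False)
    return root, bank, attacker, forged


if __name__ == "__main__":
    root, bank, attacker, forged = build_scenario()
    print("unpatched client:", validate_chain([forged, attacker], [root], "bank.example", check_ca_flag=False))
    print("patched client:  ", validate_chain([forged, attacker], [root], "bank.example"))
```

The forged chain passes name checks and every signature check; only the CA flag on the intermediate separates it from a legitimate one, which is why the bug gives a silent man-in-the-middle rather than a certificate warning.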
charlesarthur  apple  malware  security  from delicious
july 2011 by guardiantech
Spam & Fake AV: Like Ham & Eggs >> Krebs on Security
Brian Krebs, reliable as ever: "An explosion of online fraud tools and services online makes it easier than ever for novices to get started in computer crime. At the same time, a growing body of evidence suggests that much of the world’s cybercrime activity may be the work of a core group of miscreants who’ve been at it for many years."
charlesarthur  malware  security  from delicious
july 2011 by guardiantech
Kit steals Mac login passwords through FireWire port >> The Register
Clever, exploiting the direct memory access that FireWire gives a connected device. But: "Mac users who want to foreclose the threat from forensic software can change the default setting of their accounts so they no longer log in automatically at startup. Mac antivirus provider Intego has step-by-step instructions for doing this here. Requiring a password when unlocking or waking a Mac prevents OS X from storing the login password in the machine's memory. The other way to prevent such attacks is to turn off Macs when they're not being used, rather than locking them or putting them into sleep mode."<br />
<br />
You are warned.
apple  security  from delicious
july 2011 by guardiantech
Amy Winehouse death video scams appear on Facebook >> Naked Security
Before you wonder, yes, they had similar ones about the Oslo killings. No event is too awful for a scammer to exploit.
charlesarthur  security  facebook  from delicious
july 2011 by guardiantech
Where Have All the Spambots Gone? >> Krebs on Security
Mostly offline as owners have been jailed or gone into hiding. Spam volumes have fallen by 90% over the past year. But there's a new rootkit around, called TDL-4, infecting millions of machines: "Getting infected with TDL-4 may not be such a raw deal if your computer is already heavily infected with other malware: According to Kaspersky, the bot will remove threats like the ZeuS Trojan and 20 other malicious bot programs from host PCs. “TDSS scans the registry, searches for specific file names, blacklists the addresses of the command and control centers of other botnets and prevents victim machines from contacting them,” wrote Kaspersky analysts Sergey Golovanov and Igor Soumenkov."<br />
<br />
Makes it sound like a boon.
charlesarthur  security  spam  virus  from delicious
july 2011 by guardiantech
Yet another "People plug in strange USB sticks" story >> Bruce Schneier
Commenting on the Bloomberg story (the next link down) about how people plug malware-infected USB sticks into computers: "People get USB sticks all the time. The problem isn't that people are idiots, that they should know that a USB stick found on the street is automatically bad and a USB stick given away at a trade show is automatically good. The problem is that the OS trusts random USB sticks. The problem is that the OS will automatically run a program that can install malware from a USB stick. The problem is that it isn't safe to plug a USB stick into a computer.<br />
<br />
"Quit blaming the victim. They're just trying to get by."
charlesarthur  security  from delicious
june 2011 by guardiantech
Human errors fuel hacking as test shows nothing stops idiocy >> Bloomberg
"The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.<br />
"Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60% plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90% were installed."
charlesarthur  security  hacking  from delicious
june 2011 by guardiantech
Finding RSA keys in long bit strings (PDF) >> Johns Hopkins University
Summary: "In this paper we consider the problem of efficiently locating cryptographic keys hidden in gigabytes of data, such as the complete file system of a typical PC. We describe efficient algebraic attacks which can locate secret RSA keys in long bit strings, and more general statistical attacks which can find arbitrary cryptographic keys embedded in large programs.<br />
"These techniques can be used to apply lunchtime attacks on signature keys used by financial institutes, or to defeat authenticode type mechanisms in software packages."<br />
<br />
Scared yet? Worse: it's from 1998. One co-author is Adi Shamir, the S in RSA.
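An added example of both attack families the abstract describes, in Python; it is not the paper's code. The "file system" is a constructed byte buffer of low-entropy filler with a 32-byte random key and one 32-bit RSA prime hidden in it (tiny primes, so the block runs instantly; real keys are 1024 bits and up, but the scan is the same). The statistical search slides a window and flags stretches whose Shannon entropy is far above the surrounding data; the algebraic search uses the fact that, given the public modulus n, any window whose value divides n must be one of the private primes.

```python
import math
import random


def shannon_entropy(window):
    """Bits of entropy per byte of a byte string (0.0 for constant data, at most 8.0)."""
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    n = len(window)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(buf, window=32, threshold=4.0):
    """Statistical attack: slide a window over buf and merge overlapping stretches whose
    entropy exceeds threshold. Random key material stands out against code and text,
    which sit well below 4 bits per byte; only a few windows of real key reach above it."""
    regions = []
    for start in range(len(buf) - window + 1):
        if shannon_entropy(buf[start:start + window]) > threshold:
            end = start + window
            if regions and start <= regions[-1][1]:
                regions[-1][1] = end  # extend the current region
            else:
                regions.append([start, end])
    return [tuple(r) for r in regions]


def find_rsa_factors(buf, n, width):
    """Algebraic attack: the public modulus n is known (it is in the certificate), so any
    width-byte window that divides n is a prime factor, i.e. the private key. A real
    scanner would also try little-endian and several widths."""
    hits = []
    for start in range(len(buf) - width + 1):
        w = int.from_bytes(buf[start:start + width], "big")
        if 1 < w < n and n % w == 0:
            hits.append((start, w))
    return hits


P = 4294967291  # 2**32 - 5, prime; stands in for a real 512-bit-plus factor
Q = 4294967311  # 2**32 + 15, prime
N = P * Q       # the public modulus


def build_sample_image():
    """Constructed 'disk image': repetitive low-entropy filler with a 32-byte random
    symmetric key and the RSA prime P buried in it. Returns (buf, key_off, prime_off)."""
    rng = random.Random(20110601)  # fixed seed so the example is reproducible
    filler = b"\x00" * 6 + b"DATA"
    key = bytes(rng.getrandbits(8) for _ in range(32))
    before_key, between, after = filler * 30, filler * 20, filler * 10
    buf = before_key + key + between + P.to_bytes(4, "big") + after
    return buf, len(before_key), len(before_key) + len(key) + len(between)


if __name__ == "__main__":
    buf, key_off, prime_off = build_sample_image()
    print("high-entropy regions:", high_entropy_regions(buf), "(key planted at", key_off, ")")
    print("windows dividing N:  ", find_rsa_factors(buf, N, 4), "(P planted at", prime_off, ")")
```

The entropy scan is why keys stored in plain memory or on disk are found in seconds regardless of file format; the divisor test is exact rather than heuristic, which is what makes the paper's "lunchtime attack" on a signing key practical once the public half is known.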
charlesarthur  security  from delicious
june 2011 by guardiantech
TDL4 – Top Bot >> Securelist
So far, it has infected 4.5m PCs: "The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today. TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.<br />
"Its creator calls this program TDL. Since it first appeared in 2008, malware writers have been perfecting their creation little by little. By 2010, the latest version was TDL-3, which was discussed in depth in an article published in August 2010.<br />
"The creators of TDSS did not sell their program until the end of 2010. In December, when analyzing a TDSS sample, we discovered something odd: a TDL-3 encrypted disk contained modules of another malicious program, SHIZ."<br />
<br />
Bad news all round.
charlesarthur  security  botnet  analysis  from delicious
june 2011 by guardiantech
Thousands of Tumblr logins stolen in phishing attack >> GFI Sunbelt Security Blog
"It's a simple enough attack, luring Tumblr users with the promise of "hidden" pornographic content that requires entering login credentials to view. 'This page contains adult content. Please revalidate your credentials.'"<br />
<br />
The old ones are the best.
charlesarthur  security  phishing  tumblr  from delicious
june 2011 by guardiantech
Groupon India publishes 300,000 user passwords >> The Register
"Groupon subsidiary Sosasta.com accidentally published a database containing the email addresses and clear-text passwords of 300,000 users and the cache was indexed by Google."<br />
<br />
Oops.
security  from delicious
june 2011 by guardiantech
Massive profits fuelling rogue antivirus market >> Brian Krebs's Security Fix
"TrafficConverter.biz was dismantled on Nov. 29, 2008, most likely because the same domain was referenced deep inside the guts of the Conficker worm, a family of malware that is estimated to have infected at least 10 million Microsoft Windows systems.<br />
"Prior to the site's demise, security researchers managed to snag a copy of the database for the TrafficConverter affiliate program. While that data set is incomplete, the information available on the top-earning affiliates helps explain why so many consumers are reporting infections from rogue anti-virus products: Successful affiliates are making money hand over fist with these programs."
charlesarthur  security  antivirus  scam  from delicious
june 2011 by guardiantech
Most Common iPhone Passcodes >> Daniel Amitay
You can tell there isn't a large UK sample because "1966" isn't there.
charlesarthur  iphone  security  from delicious
june 2011 by guardiantech
Why we secretly love LulzSec >> Risky Business
"It might be surprising to external observers, but security professionals are also secretly getting a kick out of watching these guys go nuts.<br />
"I wrote my first article on information security around May 2001. It was about the Sadmind worm and it ran on the letters page of the IT section of The Age newspaper in Melbourne.<br />
"No one who mattered listened. Executives think it's FUD. They honestly think that if they keep paying their annual AV subscriptions they'll be shielded by Mr. Norton's magic cloak.<br />
"Security types like LulzSec because they're proving what a mess we're in. They're pointing at the elephant in the room and saying 'LOOK AT THE GIGANTIC FUCKING ELEPHANT IN THE ROOM ZOMG WHY CAN'T YOU SEE IT??? ITS TRUNK IS IN YR COFFEE FFS!!!'"
charlesarthur  security  internet  lulzsec  hacking  from delicious
june 2011 by guardiantech
A brief Sony password analysis >> Troy Hunt
"We end up with 93% of accounts being between 6 and 10 characters long which is pretty predictable. Bang on 50% of these are less than eight characters. It’s interesting that seven character long passwords are a bit of an outlier – odd number discrimination, perhaps?<br />
"I ended up grouping the instances of 20 or more characters together – there are literally only a small handful of them. In fact there’s really only a handful from the teens onwards so what we’d consider is a relatively secure length really just doesn’t feature."<br />
<br />
Interesting analysis; only 1% of the passwords contain a non-alphanumeric character. But of course even the 20-character passwords are useless now, as they were stored in cleartext.
charlesarthur  security  passwords  from delicious
june 2011 by guardiantech
Malware episode puts Mac users on notice >> Seattle Times
"If you're reading this column, you are likely sophisticated enough to not fall for such nonsense, starting with clicking in the link on the Web page. You might have already turned off the Safari Open Safe Files option, or use a browser like Firefox or Chrome that requires additional steps to install this malware.<br />
"But how many of your friends, relatives, and colleagues are going to be this credulous? And Mac Defender is just the first effort to make any impact. Don't be fooled by the fact that in this release you have to enter a credit-card number to be scammed. Future Mac malware will be just like that under Windows, with the potential to install all manner of viruses, like keystroke loggers, spam email programs, and the like."<br />
<br />
Very good, well-argued piece with an unavoidable conclusion.
charlesarthur  mac  security  malware  from delicious
june 2011 by guardiantech
This Guy Has My MacBook >> Tumblr
"On March 21, 2011, my MacBook was stolen from my apartment in Oakland, CA. I reported the crime to the police and even told them where it was, but they couldn't help me due to lack of resources. Meanwhile, I'm using the awesome app, Hidden, to capture these photos of this guy who has my MacBook."<br />
<br />
He doesn't any more, though, because the Oakland Police Department picked him (and the computer) up. Have you got any tracking software installed?
apple  security  twitter  from delicious
june 2011 by guardiantech
See the invisible web of cookies and trackers >> Ghostery
Neat browser plugin for IE, Firefox, Chrome, Safari that shows you what web beacons etc there are on a page.
charlesarthur  security  internet  from delicious
may 2011 by guardiantech
How to avoid or remove Mac Defender malware >> Apple
"In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants. The update will also help protect users by providing an explicit warning if they download this malware.  <br />
"In the meantime, the Resolution section below provides step-by-step instructions on how to avoid or manually remove this malware."<br />
<br />
Going to be interesting to see how much this malware mutates, if at all.
charlesarthur  apple  security  malware  from delicious
may 2011 by guardiantech
Ars Technica Investigates the State of Malware on the Mac >> Daring Fireball
Ars Technica: "Internally, Apple’s [IT] department mandates the use of Norton Antivirus on company machines.”<br />
John Gruber: "This may be true for any Apple-owned machines running Windows, but it is not true for machines running any version of Mac OS X. I asked several Apple engineers whether any antivirus software was mandated or even recommended for Mac OS X, internally. All said no. Said one, 'You couldn’t get me to install Norton on OS X if you slipped me the date rape drug.'"
charlesarthur  apple  security  malware  osx  from delicious
may 2011 by guardiantech
Security researcher slams Microsoft over IE9 malware blocking stats >> Computerworld
"[Security researcher] Wisniewski also pointed out flaws in IE9's download blocking, using Microsoft's own statistics to back up his case.<br />
"[Microsoft's] Haber said that 90% of all downloads do not trigger a warning by IE9, but of the 1-in-10 downloads that do display an alert, the 'false positive' rate -- meaning that the warning was incorrectly flagging a legitimate file -- was between 30% and 75%.<br />
"'If that's true, will you continue to pay attention to the warning when it really matters?' Wisniewski asked. 'People may get sick of it, just like they did with [User Account Control] warning in Vista.'"
microsoft  malware  security  from delicious
may 2011 by guardiantech
From 2009: why Apple will have a Mac App Store >> Ian Betteridge
As he put it, months ahead of its announcement by Apple, because it would be more convenient, and more secure.
charlesarthur  apple  security  from delicious
may 2011 by guardiantech
Mac Defender fake antivirus program targets Mac users >> Intego
Seems to have spread rather more quickly than they expected. What's not clear is where any details entered into the program are sent - which would be the quick way to track down those behind it.
charlesarthur  security  apple  malware  from delicious
may 2011 by guardiantech
An AppleCare support rep talks: Mac malware is "getting worse" >> ZDNet
To be precise, Mac *scareware* is worrying a lot of people, and based on this conversation, people at Apple support centres feel obliged to help out. <br />
<br />
It's malware in the sense that it's malicious, but it's classic social engineering, not the exploitation of a vulnerability. <br />
<br />
The irony is that all the noise about "Macs are vulnerable, they need antivirus" and the fact that antivirus companies have been offering products has created the market for this scareware. Security exploits that don't require user interaction aren't showing up, though.<br />
<br />
So the final irony is that people who believe there's no malware for Macs won't be taken in by this. Those who think it's inevitable... will.
apple  security  software  from delicious
may 2011 by guardiantech