« Archives in October, 2010


A lot of talk has come out about the new Firefox extension called Firesheep. Firesheep was released at Toorcon on Oct. 24, 2010 to demonstrate the serious problem with the way websites, such as Facebook and Twitter, handle authenticated session management.

When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests.

It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie (and the user) vulnerable. HTTP session hijacking (sometimes called “sidejacking”) is when an attacker gets a hold of a user’s cookie, allowing them to do anything the user can do on a particular website. On an open wireless network, cookies are basically shouted through the air, making these attacks extremely easy.

Firesheep is free, open source, and is available now for Mac OS X and Windows. Linux support is on the way.

Adobe: Flash, Reader hole used in PDF attacks

A new critical vulnerability in Flash and Adobe Reader and Acrobat 9.x is being exploited to attack computers running the popular PDF viewer software, Adobe warned today.

Adobe is not currently aware of attacks targeting Flash Player, the company said in a blog post.

The bug is in Flash Player and earlier versions for Windows, Mac, Linux, and Solaris, and Flash Player and earlier for Android. It also is in the authplay.dll component in Reader 9.4 and earlier 9.x versions for Windows, Mac, and Unix, and Acrobat 9.4 and earlier 9.x versions for Windows and Mac. The component renders Flash content in the PDF viewer.

Adobe Reader and Acrobat 8.x and Reader for Android are not impacted by the flaw, the company said.

Read more…

FBI Warns Of 'Corporate Account Takeover' Scams

Cybercriminals are targeting the financial accounts of small and midsize businesses (SMBs), fraudulently transferring money directly from their accounts, the FBI warned Wednesday.

Just SMBs?

In a fraud alert issued Wednesday, the FBI said “corporate account takeover” attacks use malware to steal passwords and other credentials from senior executives at SMBs and then use those credentials to empty the companies’ coffers.

“Corporate account takeover” attacks? Just when we were getting use to phishing, spear phishing, and whaling. I’ve just been attacked by a CAT.

This isn’t exactly fresh news other than a new term coined for this type of criminal activity. However, while I’m making light of the subject it does have serious consequences to businesses of all sizes. No matter what your defensive posture is, user awareness is important.

Read more…
FBI Report

What Adobe's New PDF Sandbox Really Means For Attackers

Adobe Reader X’s ‘Protected Mode’ will make PDF attacks tougher to execute, but it can’t stop every threat.

Sandboxing basically quarantines any operations to a confined, restricted space so that if a PDF were infected with malware, the malicious code couldn’t spread outside that file and into the system itself or to other files. The new feature is part of Adobe’s security strategy of hardening its code against attacks, says Brad Arkin, senior director of product security and privacy for Adobe.

With the Reader sandbox making it tougher for bad guys to send their payloads via a PDF, they could move to Java plug-ins or other increasingly popular targets, experts say.

Read more…

Hacker 'spotlight' will shine on Reader X's sandbox

Adobe’s chief security executive said that there will be a bull’s-eye on Reader X when the new version ships next month.

Adobe Reader X, slated for release in the next 30 days, will feature Protected Mode, a “sandbox” technology that isolates processes, preventing or at least hindering malware from escaping an application to wreak havoc on the computer.

Security researchers and experts have long called for Adobe to add sandboxing to Reader because of its many vulnerabilities, which have made it a popular route to PC infection. They’re getting what they asked for in November.

Read more…

IDA Pro 6.0 released

While I’m talking about new tool releases. In case you missed it Hex-Rays has released version 6.0 of their famous IDA Pro disassembler. The most significant new feature is undoubtedly full support for Linux and Mac OS X in both the graphical disassembler and the decompiler. Prior to this release, Linux and Mac users had been limited to the disassembler / debugger which was operated by a rather crude text interface and a keyboard layout that differed from that used in the Windows version. The new interface for Linux and Mac OS X utilises Qt and is broadly based on the classic Windows GUI. This will allow many IDA Pro users to dispense with using a Windows VM.


EDB (Evan’s Debugger) is a Qt4 based binary mode debugger with the goal of having usability on par with OllyDbg. It uses a plugin architecture, so adding new features can be done with ease. The current release is for Linux, but future releases will target more platforms.

Evan has just released version 0.9.16. I have to say that this debugger is quite nice if you love OllyDbg.

The latest release can be found here.

Facebook games maker sued in privacy flap

A developer of some of Facebook’s most popular games has been hit by a federal lawsuit alleging it shared millions of Facebook user IDs with advertisers and data brokers.

The lawsuit alleges that Zynga, maker of six of the top 10 Facebook games, collected and shared the IDs of 218 million users, in violation of federal law and terms of service. It seeks unspecified monetary damages and an injunction preventing the alleged practice from continuing. The suit was filed in US District Court in San Francisco on behalf of Nancy Graf of St. Paul, Minnesota. It seeks class action status so other Facebook users may also be represented.

The action follows an investigation by The Wall Street Journal that found that a large number of Facebook apps, including all of the top 10, transmitted the unique user IDs of those who ran them to outside companies. Zynga – maker of games such as Farmville, Mafia Wars, and Cafe World – was found to be “transmitting personal information about a user’s friends to outside companies,” the paper reported.

Read more…

FAKEAV Update: Java Vulnerabilities and Improved Fake Alerts

Follow this link to TrendLabs write up of the Java vulnerabilities used to spread FAKEAV.

Hackers subvert Firefox security warnings to sling scareware

Hackers have subverted warnings generated by Firefox about dangerous sites to punt fake anti-virus portals.

Surfers straying onto a web page offering the “Security Tool” rogue anti-virus are offered a warning page that convincingly mimics the genuine Firefox block page. The site offers supposed updates for Mozilla’s technology that are actually scareware packages.

Read more…