The latest ‘Ouch’ (PDF file) helps you determine whether you’ve been hacked, and if you have, what to do about it.
The PushDo trojan has been around for a while, but recent variants are making it more difficult for security researchers.
PushDo infects vulnerable computers when users visit an infected web site (drive-by download). Once installed on a computer, PushDo sends out phishing email purporting to be from banking institutions, tricking other users into clicking links within the email and infecting their computers with other malware.
What makes the new versions of PushDo different is that they hide communication with the botnet’s controlling servers amongst a flurry of traffic to other, unrelated servers. This makes the process of finding the controlling servers much more difficult and time-consuming.
Update 2012Sep22: A Security Advisory published yesterday by Microsoft announced the availability of a patch for Flash in Internet Explorer 10. A related post on the Microsoft Security Response Center blog explains how security updates for Flash in Internet Explorer will be handled in the future. Anyone using Internet Explorer 10 or Windows 8 should install the Flash update as soon as possible.
Update 2012Sep11: Given the negative reaction to Microsoft’s previous announcement that recent Flash vulnerabilities would not be fixed in Internet Explorer 10 until after Windows 8 is released, today’s announcement is perhaps not much of a surprise. Microsoft is now saying that the Flash holes in IE10 will be plugged much sooner than originally announced. However, there will still be an easily-exploited delay between the launch of Windows 8 and the point at which all Windows 8 systems are patched.
Recently, Google switched to an integrated version of Flash in the Chrome web browser. They did this to simplify the update process: Chrome users no longer have to worry about keeping their browser’s Flash plugin up to date.
Microsoft has apparently done something similar with Internet Explorer 10, which is included with Windows 8. Unfortunately, the recent Flash vulnerabilities were not addressed in Internet Explorer 10 when Windows 8 was finalized recently. This means Windows 8 has at least two very serious security holes in its integrated web browser, out of the box.
Microsoft says that the Flash vulnerabilities in Windows 8’s IE10 will be fixed during the regular patch cycle, but it’s not known exactly when the updates will appear.
Nefarious hackers are no doubt preparing for a surge of new Windows 8 systems to appear on the Internet, all with these rather large holes, ready to exploit.
If you are using Windows 8 or plan to start using it soon, your options are:
- Stop using Internet Explorer. This isn’t really a viable option, since the browser is integrated into the O/S.
- Disable Flash in Internet Explorer 10, assuming this is even possible.
- Avoid all Flash content while using Internet Explorer 10. This is increasingly difficult to accomplish, given the prevalence of Flash content on the web.
‘Phishing’ is the term used to describe email sent with the intention of tricking the recipient into divulging personal (often financial) information to the perpetrator.
A recent ISC Diary post provides some examples of recent phishing email received by ISC handler Johannes Ullrich. The associated analysis is helpful for learning how to distinguish legitimate from phishing email.
ISC is the Internet Storm Center, which “provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The site and associated services provide a wealth of information regarding Internet security.
Researchers have already found a vulnerability in Java 7 Update 7, which was only released yesterday. So far all we know is that a report, along with code demonstrating the security hole, has been submitted to Oracle, Java’s developer.
Details on the new Java hole show that it could be used to take over a vulnerable computer. So, once again, users are being urged to disable Java, especially in web browser software.
Your move, Oracle.
UPDATE 2012Sep01: SANS reports that a new email phishing attack exploiting this new Java hole is showing up in the wild. The email appears to be from Microsoft, and is patterned on a recent, legitimate Microsoft email message. The mail contains a URL that – once clicked – sends web browsers to a site that has been infected with the published Java exploit code. Advice to users is the same as usual: be very careful about clicking on any link you don’t know for sure is safe, and consider disabling Java in your web browser.
CERT confirms that the new patch does indeed resolve the problem. All Java users – and that’s you, unless you’re absolutely certain Java is disabled – should apply this update as soon as possible. This affects Windows, Linux and MacOS users.
This is a welcome reaction from Oracle. Until this patch was released, it was assumed that the hole would not be fixed until the next regular patch cycle in October 2012.
Visitors to my home who want to use our wireless network are often stupefied by the 63-character, hexadecimal WPA2 passcode. In spite of the legitimate security concerns that went into my choice of such a long code, this always embarrasses me. Of course, being embarrassed easily is all part of growing up and being British. (That’s a Monty Python reference in case you didn’t get it.)
So I’m happy to report yet another analysis of wireless passcode security and the relative ease of cracking them.
The upshot is that no passcode is uncrackable. Your only hope is to make your passcode so long and complex that it can’t be cracked in a reasonable timeframe. Using all of the maximum 63 characters is strongly recommended.
So, laugh all you want, and groan as you struggle to enter that monstrosity, but I’m not going to simplify it just for convenience.
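To put numbers on the “long and complex” advice above, here is an added example (not code from the original post) that generates a maximum-length WPA2 passphrase from the system CSPRNG and estimates how long exhausting its keyspace would take at an assumed guess rate. The guess rates used are illustrative assumptions, not measurements of any particular cracking rig.

```python
"""WPA2 passphrase generation and keyspace sizing.

Facts relied on: a WPA2 passphrase is 8 to 63 printable ASCII characters
and is stretched by PBKDF2 into a 256-bit pairwise master key, so the
usable entropy is min(passphrase entropy, 256 bits).
"""
import math
import secrets
import string

HEX_ALPHABET = "0123456789abcdef"                       # 16 symbols, 4 bits each
PRINTABLE_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94
SECONDS_PER_YEAR = 365.25 * 86400
PMK_BITS = 256


def generate_passphrase(length=63, alphabet=HEX_ALPHABET):
    """Return a uniformly random passphrase within WPA2's length limits."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random string, capped at the PMK size."""
    return min(length * math.log2(alphabet_size), PMK_BITS)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every key at the given rate (expected time is half this)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed rates for illustration only.
    for label, length, alphabet, rate in [
        ("8-digit PIN-style", 8, string.digits, 1e5),
        ("63 hex chars", 63, HEX_ALPHABET, 1e9),
        ("63 printable chars", 63, PRINTABLE_ALPHABET, 1e9),
    ]:
        bits = entropy_bits(length, len(alphabet))
        print(f"{label:20} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, rate):.3g} years at {rate:.0e}/s")
    print("sample:", generate_passphrase())
```

Sixty-three hex characters give 252 bits, just under the 256-bit cap; 63 characters drawn from the full printable set already exceed it, so beyond that point extra length buys nothing and the limit is the key-derivation output, not the passphrase.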
UPDATE: Oracle releases a fix ahead of schedule.
A recently-discovered security flaw in Java is going to make web browsing more dangerous than usual over the coming weeks.
The new vulnerability has already been exploited to develop a working attack that can affect Windows, Linux and MacOS computers to varying degrees. The exploit code is available as part of the controversial Metasploit and Blackhole hacking toolkits. That means we can expect real, web-based attacks to start appearing almost immediately.
Anyone wanting to compromise vulnerable systems need only place the attack code on a web site and wait for those systems to visit the site. In this case, vulnerable systems include just about any Windows or Linux system running a web browser with Java enabled.
Java is typically installed both as a stand-alone runtime environment and as a plugin for web browsers. Both environments are vulnerable to this attack. Java is widely used for a variety of applications, including open source tools like Freemind and Eclipse. Some web sites use Java to provide functionality beyond what’s normally possible with web browsers.
Unfortunately, unless Java’s developer decides to issue an out-of-cycle patch for this vulnerability, it won’t be fixed until the next update cycle, which is scheduled for October 2012.
Standalone, locally-hosted Java applications you’re already using should be safe. Until the vulnerability is patched, we don’t recommend new installations of any Java-based software.
If you don’t use Java, or can live without it until a fix is made available, you can disable it completely in your operating system. However, this is overkill.
Attacks exploiting this vulnerability are much more likely to appear on compromised and nefarious web sites. Navigating your web browser to such a site will almost certainly infect your computer with some kind of malware. Savvy web users already know that care should be exercised when web browsing at any time, but until this security hole is fixed, blindly clicking on web links and browsing to unknown web sites is going to be like playing Russian Roulette. Because of this, many security experts are recommending disabling Java in web browsers, until the flaw is patched.
Here are some more technical details from CERT.
Apparently some Google employees decided to test Adobe Reader after they found several security-related bugs in the PDF reader code used in Google Chrome. They found sixty issues that cause crashes, about forty of which could provide attack vectors.
Bugs, crashes and security issues in Adobe software are nothing new. But given the frequency and number of updates for Reader, one might assume that Adobe had a handle on these issues. The ongoing crashing problems with Flash on Windows 7 indicate otherwise, as does this new revelation from Google.
Blizzard, the company that brought you the Diablo series, as well as World of Warcraft, runs a service called Battle.net. The service ostensibly helps online gamers find servers running their favourite Blizzard games. In fact the service is not much more than DRM: technology used by Blizzard to prevent people from playing their games. And prevent them it does. While Blizzard only really wants to prevent people with ‘pirated’ copies of games from playing, server outages and other technical glitches have caused problems for paying customers since the service began. Even people who purchased Diablo III with no intention of playing online must use Battle.net for the single player game, so they are affected by service outages.
Yesterday, Blizzard added insult to injury when they announced that Battle.net had been hacked. According to Blizzard, no financial (credit card) data was stolen, and although passwords may have been taken, those passwords were encrypted. Still, they are recommending that all Battle.net users change their password as soon as possible.
SANS has a breakdown of the implications to users.
When Blizzard announced that Diablo III would require use of the Battle.net service, even for single player games, I decided to protest by not buying the game, despite having enjoyed the previous two games immensely. That’s starting to look like a wise choice.