CERTStation Week In Review Transcript: week 5, 2010
Spam email purporting to be a critical update for Microsoft Outlook and Outlook Express contains a link to download a malicious program that can steal personal information from a user's computer, including login credentials and credit card information. The message appears to come from the Microsoft Support department and contains instructions to install a new update for Microsoft Outlook / Outlook Express. The email carries a 12 kB ZIP archive; the extracted file is 24 kB. Also recently, phishing emails have been circulating that appear to come from Microsoft and ask recipients to reconfigure their Outlook account by clicking on a link to a website where they are asked to fill in their account information, including their mail server address. It is generally advised not to install software, updates or patches for Microsoft software or the operating system that are distributed by email. Microsoft only offers updates and patches through the official Windows Update channel on the Windows system itself.
Cisco's Unified MeetingPlace voice, video and web conferencing solution contains several holes that allow attackers to compromise vulnerable systems. In a current advisory, the vendor describes an SQL injection hole which can be exploited to manipulate or read database contents. The Cisco Unified MeetingPlace conferencing solution provides functionality that allows organizations to host integrated voice, video, and web conferencing. The solution is deployed on-network and integrated directly into an organization's private voice/data networks and enterprise applications. Cisco Unified MeetingPlace servers can be deployed so that the server is accessible from the Internet, allowing external parties to participate in meetings. Specially crafted URLs can apparently be used to set up new user accounts without requiring the attacker to sign in beforehand. Other flaws in the authentication protocol allow attackers to manipulate transmitted packets to read user names and passwords or even obtain admin privileges. Versions 5, 6 and 7 of Cisco Unified MeetingPlace are affected, although not all of the vulnerabilities are present in every version. The vendor has released updates to fix the problems – but only for registered customers.
Google has launched an experimental program to encourage external security researchers to find and report vulnerabilities in its browser. Borrowing from the Mozilla Foundation's 2004 Security Bug Bounty Program, $500 will be awarded for each bug found. In special cases, a committee will decide whether to increase the amount to a maximum of $1,337; however, this reward is reserved for vulnerabilities that are particularly critical, or for particularly smart reports on vulnerabilities and their exploitation. The "experimental new incentive," which Google announced Thursday, is for external researchers only. It addresses a key complaint among many researchers that the security of far too many applications is built on the backs of people who receive no compensation for the countless hours they spend discovering and reporting critical vulnerabilities. Google is hoping that this will improve the security of its browser and therefore security for its users. Any bug found can be reported via the bug tracking system. Further information and a list of Q&As can be found in Google's blog entry announcing the program.
Apple's iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they're protected by the SSL, or secure sockets layer, protocol, a security researcher said. The iPhone is obviously a consumer market product which was later enhanced to become an enterprise device. Unfortunately, it seems Apple messed up their corporate-oriented functionality, ending up with something that proves to be hard to integrate into a public-key infrastructure in any secure way. The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using an SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author's rogue update.mobilconfig file was accepted and executed. It is relatively easy to obtain a signature certificate from many CAs without any sort of verification. A demo signature certificate can be obtained from VeriSign without need for anything other than a valid e-mail address (throwaway addresses work, too) for sixty days, free of charge and without providing any credit card details.
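
As an added illustration (not code from the blog post or from Apple), the following Python contrasts the check the transcript describes, accepting any certificate that chains to a trusted CA, with one that also requires a valid window, the expected key usage and a pin on the genuine signer's public key; the certificate records, trust store and key bytes are constructed stand-ins for real X.509 parsing.

```python
# Added example: why "signed by a trusted CA" is not enough to trust a signed
# configuration profile. Certificates are modelled as small constructed records.
import hashlib
from dataclasses import dataclass, field

TRUSTED_CAS = {"Example Trusted Root CA"}   # constructed trust store


@dataclass
class Cert:
    subject_o: str      # Organization in the Subject DN (chosen by the applicant)
    issuer: str         # CA that signed this certificate
    spki: bytes         # SubjectPublicKeyInfo bytes (constructed stand-in)
    not_before: int
    not_after: int
    eku: set = field(default_factory=set)


def spki_pin(cert):
    """Out-of-band pin: a hash of the signer's public key, not its display name."""
    return hashlib.sha256(cert.spki).hexdigest()


def weak_check(cert, now):
    """The flawed policy from the article: any certificate chaining to a trusted
    CA is accepted, no matter who the subject actually is."""
    return cert.issuer in TRUSTED_CAS


def hardened_check(cert, now, expected_pin):
    """Chain validity is necessary but not sufficient: also require validity
    window, the expected usage, and that the key matches the pinned signer."""
    if cert.issuer not in TRUSTED_CAS:
        return False, "untrusted issuer"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity window"
    if "codeSigning" not in cert.eku:
        return False, "missing code-signing EKU"
    if spki_pin(cert) != expected_pin:
        return False, "signer key does not match pinned key"
    return True, "ok"


# Constructed certificates: the genuine profile signer, and a rogue one whose
# Subject merely claims to be "Apple Computer", as in the blog post's demo.
GENUINE = Cert("Expected Profile Signer", "Example Trusted Root CA", b"genuine-key", 100, 200, {"codeSigning"})
ROGUE = Cert("Apple Computer", "Example Trusted Root CA", b"throwaway-key", 100, 200, {"codeSigning"})
PINNED = spki_pin(GENUINE)
```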
The Pushdo botnet recently made changes to its code to cause infected nodes to create junk SSL connections to approximately 315 different websites. The attacked sites include government sites such as the FCC, the NIH, the FBI and the CIA, not to mention smaller targets like the Australian embassy in Berlin. There are also prominent commercial sites from Microsoft, Office Depot, Mozy, GotoMeeting and Red Hat Magazine. Pushdo has been sending junk SSL connections to the affected sites. The bot clients send a little junk data to the sites, then they disconnect. Researchers still seem to be unclear on what the point of it all is. "Hundreds of thousands" of IP addresses are involved in the attack, and yet it doesn't quite look like a DDoS, nor is it succeeding as one. It's not clear why Pushdo has unleashed this torrent. Infected PCs appear to initiate the SSL connections, send a bit of junk, disconnect and then repeat the cycle. They don't request any resources from the website or do anything else.
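
An added detection example, not part of the transcript: a small Python heuristic that flags the connect, send a little junk, disconnect pattern described above when run over connection-log lines. The log format, hostnames and addresses are constructed for the example and do not correspond to any real product's schema.

```python
# Added example: flag destinations hit by many distinct sources that each open
# short sessions, send only a few bytes, get nothing back and close again.
# Constructed line format: "ts src_ip dst_host client_bytes server_bytes duration_ms"
from collections import defaultdict

SAMPLE_LOG = """\
1265000001 198.51.100.10 www.example.gov 37 0 120
1265000002 198.51.100.11 www.example.gov 41 0 95
1265000003 198.51.100.12 www.example.gov 33 0 110
1265000004 198.51.100.10 www.example.gov 39 0 101
1265000005 198.51.100.13 www.example.gov 35 0 98
1265000006 198.51.100.11 www.example.gov 40 0 130
1265000007 203.0.113.5 shop.example.com 612 48211 1450
1265000008 203.0.113.6 shop.example.com 580 39900 1200
"""


def parse(line):
    ts, src, dst, cbytes, sbytes, dur = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "client_bytes": int(cbytes),
            "server_bytes": int(sbytes), "duration_ms": int(dur)}


def is_junk_session(rec, max_client_bytes=64, max_duration_ms=500):
    """Tiny client payload, no server data, quick close: the junk-SSL cycle."""
    return (rec["client_bytes"] <= max_client_bytes
            and rec["server_bytes"] == 0
            and rec["duration_ms"] <= max_duration_ms)


def detect_junk_ssl_flood(lines, min_sources=3, min_junk_ratio=0.8):
    """Return {dst: stats} for destinations where most sessions are junk and
    they come from many distinct sources; 'repeaters' counts sources that
    repeated the cycle, as the transcript says infected PCs do."""
    per_dst = defaultdict(lambda: {"junk": 0, "total": 0, "srcs": defaultdict(int)})
    for line in (l for l in lines if l.strip()):
        rec = parse(line)
        d = per_dst[rec["dst"]]
        d["total"] += 1
        if is_junk_session(rec):
            d["junk"] += 1
            d["srcs"][rec["src"]] += 1
    flagged = {}
    for dst, d in per_dst.items():
        sources = len(d["srcs"])
        if sources >= min_sources and d["junk"] / d["total"] >= min_junk_ratio:
            flagged[dst] = {"junk": d["junk"], "total": d["total"], "sources": sources,
                            "repeaters": sum(1 for c in d["srcs"].values() if c > 1)}
    return flagged
```

Thresholds are deliberately loose for the sample; on real flow data they need tuning against the site's normal short-session baseline (health checks, TLS probes) before the heuristic is used for alerting.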
If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard? In the meantime, this is your host Jay Johnson wishing you a safe and secure week.