Monday, September 26, 2011

Facebook's ticker privacy scare, and what you should do about it

Privacy
Amongst the recent changes to appear on Facebook is a "ticker" (a rolling, real-time list of what your friends are doing).
Not everyone has received it yet, because it's on a staggered rollout, but millions have already seen it.
You'll find it on the right hand side of your Facebook page, in the collapsible chat bar.
It's smashing if you want to keep fully up-to-date with your friends' activity, but there is a problem with it.
[Image: Facebook Ticker]
The ticker makes it very simple for you to eavesdrop when one of your Facebook friends says something to someone you've never heard of - and even see what the stranger originally wrote too.
[Image: Ticker eavesdropping]
Testing shows that your privacy settings are working the same as they did before, provided you used them in the first place.
The appalling enforced eavesdropping in the ticker (your friend said something to someone you've never heard of) is the result of the lax or non-existent settings of your friends, so here's the deal:

What happens is this:
1. You have "friends of friends" or "public" as the privacy setting for your posts.
2. One of your Facebook friends comments on your post, or clicks "Like".
3. As well as all the people commenting on the thread seeing what has been posted (this much is normal), Facebook also tells all *their* friends what was said.
4. Your friend's settings *cannot* stop this from happening; in this instance it is *your* settings that protect your friends' privacy.
[Image: Facebook privacy inline control]
The ticker has just made it much easier to eavesdrop on what were probably intended to be more private conversations.

So, do this - and make your friends do it too:
* Stop using the "Friends of friends" setting. This is what is broadcasting so widely.
* If you use the "Public" setting, explain that you are doing so. Then people can decide if they want *all* of their friends to be informed of their comments.
* "Limit" all previous posts you have made via the privacy settings (unless you had "friends only" or specific lists already) - this will change everything to "friends" only and will stop people you deleted but did not block, people who sent you friend requests that you ignored, and friends of friends from seeing your activity (yes they can, if you are not on "Friends" or lists).
* Use lists to decide who you want to see things (use the privacy controls in the top right of your posts).

* Encourage your friends to restrict their setting to "friends" or custom lists too. This is the important bit.
* Inform strangers or the connecting friend when strangers show up in your feed. It is their settings that made them show up. This will illustrate to them why they also need to change their settings.

It is not just your settings that control what goes in your Facebook newsfeed and appears on your friends' tickers. Anyone's posts which have privacy set to more than "Friends" will go to all the friends of all the commenters. This is a fact! We've tested it!
[Image: Custom privacy on Facebook]
Still baffled?  Don't worry.  The problem is complicated to explain, but the solution is simple.  If you want to stop strangers from seeing everything you do, you and your friends need to change your privacy settings to "Friends" or custom lists.  That's it.
The hard part is getting your friends to do it.

If you find your friends aren't understanding the issue, forget about explaining the details and "copy and paste" this to your status:

"If you don't want your actions broadcast to everyone via the ticker/News Feed please set your privacy to "Friends" and ask your friends to do the same.  Pass it on."

What *not* to tell your Facebook friends
Now, there is also a piece of advice being circulated which reads like this:
"Please do me a favor and move your mouse over my name here, wait for the box to load and then move your mouse over the "Subscribe" link. Then uncheck the "Comments and Likes". I would really rather that my comments on friends and families posts not be made public, thank You! Then re-post this if you don't want your every single move posted on the right side in the "Ticker Box" for everyone to see!"
[Image: Scroll over my name]
This appears to be the most commonly suggested solution on Facebook, and it's rubbish! It still doesn't stop *your* posts being broadcast. It's an illusion. This option stops you seeing when other people have broadcast a message to a wide audience. It does *not* stop your actions being broadcast by your friends!

You have to do this for every single one of your friends. Time consuming *and* it does not solve the problem - it just stops you from seeing it.
Please don't spread this advice, as it is confusing people and stopping the real problem from being fixed.
How to tell if a post will broadcast to all your friends:
Under each post (on the right) there is an icon which will tell you who it was shared with:
Public
The globe icon means that the post is going to be public.
That means that if you comment, your friends will be shown the comment immediately, and everyone on Facebook (except those people you have specifically blocked) can see it.
Friends
The icon showing two heads means that the post is shared with friends only.
It should be safe to comment, with no threat of exposure to strangers via the ticker/news feed.

Custom or Friends of Friends
A gear icon can actually mean one of two things - either Custom or Friends of Friends. You will have to hover your mouse over the icon to see which.
Custom means that the post will be safe to comment on with no leakage to strangers via the ticker/news feed.
Friends of Friends, however, can be considered unsafe - as all your friends and all of their friends will be shown the comment immediately via the ticker/news feed.

You can check your own posts easily that way if you want to make sure that your settings are right.
And don't forget - next time you leave a comment on someone else's Facebook post, don't say something that you may later regret.
If you're on Facebook, consider joining the Sophos Facebook page, where you can keep up-to-date on the latest rogue applications, scams and malware attacks threatening Facebook users.

USA Today's Twitter account falls foul of hackers

USA Today is the latest high profile Twitter account to have fallen victim to a group of hackers.
A group calling themselves the Script Kiddies have claimed responsibility for the hack, which involved posting a series of messages to the official USA Today Twitter account, including:
"Fox News, Wal-mart, Unilevel, Pfizer, NBC and now USA Today. who's next? Vote now! [LINK]"
and
"Please like The Script Kiddies on Facebook! You could choose our next target!"
Fortunately, USA Today was able to regain control of the account (with some assistance from Twitter) before any serious harm could be caused. The newspaper tweeted an apology to its followers:
[Image: USA Today apologised for the hack]
The Script Kiddies group has previously claimed responsibility for hacking into the NBC News Twitter account to post fake news reports of a terrorist attack involving planes in New York, defacing Pfizer's Facebook page and breaking into the Fox News Politics Twitter account to post a bogus announcement about the death of Barack Obama.
It's unclear how the USA Today Twitter account was compromised, but there was speculation that the hack by the same group against NBC News's Twitter account was assisted by a spyware Trojan horse.
The Script Kiddies might believe that their hacks against media organisations are just childish pranks, but it's unlikely that the authorities find them amusing. The more social media accounts that they target, the more the computer crime police will be keen to bring them to justice.
As always, we recommend that social networking users ensure that they keep their security software up-to-date, choose hard-to-crack passwords and do not use the same password in more than one place.

Saturday, September 24, 2011

Has CERN found an exploitable vulnerability in physics?

Researchers at the European Organization for Nuclear Research, better known as CERN, claim to have exported subatomic particles from Switzerland to Italy at greater than the speed of light!
You read that correctly. Greater than the speed of light - something which even science fiction fans accept isn't really supposed to happen.
Reports say that CERN boosted streams of neutrinos to a whopping 300,006 kilometres per second on their journey from Geneva, Switzerland, to a laboratory over 700km away in Gran Sasso, Italy.

But received wisdom - and the so-called Standard Model of physics - says that the neutrinos ought to have topped out at just 299,792 kilometres per second, the speed of light. Suddenly, the laws of physics seem to have an exploitable vulnerability.
The results now need checking out, a project which researchers worldwide will doubtless be keen to take on.
Unless and until the findings are disproved, however, we can all hope that this means that the speed of light will no longer be the limiting factor in the speeds at which we can send data across the internet.
And then, who knows?
Perhaps we will be able to replace our fibre optic cables with neutrino-based transmission systems, and gain an unexpected 0.07% improvement in performance?
Just imagine how much more YouTube video we'd be able to pack into our busy lives!

Mac OS X Trojan hides behind malicious PDF disguise

A fascinating new example of Mac malware has been discovered that appears to be adopting an old Windows-style disguise to fool users into running it.
Despite the numerous times that cybercriminals have created boobytrapped PDF files that exploit vulnerabilities to infect unsuspecting users, many people still think that PDF files are somehow magically safer to open than conventional programs.
The OSX/Revir-B Trojan plays on this by posing as a PDF file.
When the malicious Macintosh application file is run it tries to drop a PDF embedded inside it onto the user's hard drive. The Chinese language PDF file displayed is about a controversial topic, "Do the Diaoyu Islands belong to Japan?"
The Diaoyu Islands (known as the Senkaku islands in Japan) are the subject of a long-running dispute between the two countries, with both claiming sovereignty.
Because the document is opened, users may believe that they have opened a harmless PDF rather than run a program.
[Image: Malicious PDF]
When we tested the malware inside our labs, we couldn't manage to get it to execute as the author probably intended - however, strings embedded deep inside its code make it clear that it was written with malicious intent.
[Image: Malware code]
The malware attempts to install a backdoor Trojan horse (detected by Sophos as OSX/Imuler-A) which would give malicious hackers remote access to your Apple Mac computer.
As our friends at F-Secure point out, we have seen plenty of Windows malware in the past which has pretended to be a PDF rather than an EXE - sometimes using techniques such as the double-extension trick (for instance, filename.PDF.EXE).
It's quite possible that this is evidence that Mac malware authors are attempting something similar, moving on from the fake anti-virus alerts that blighted many Mac users earlier this year.
Customers of Sophos, including users of Sophos's free anti-virus for Mac, are protected against the malware.

Homeless hacker 'Commander X' pleads not guilty

The FBI believes that the homeless man they arrested on Thursday was "Commander X", a member of the People's Liberation Front (PLF) associated with Anonymous hacktivism.
47-year-old Christopher Doyon has entered a not guilty plea to charges of "conspiracy to cause intentional damage to a protected computer, causing intentional damage to a protected computer, and aiding and abetting".
According to an indictment filed against Christopher Doyon and another man, Joshua John Covelli, the charges specifically relate to a denial-of-service attack against the servers of Santa Cruz County in December 2010, after the city put in place a law prohibiting camping inside the city.
[Image: Indictment against Christopher Doyon and Joshua John Covelli]
The indictment gives Doyon the aliases "PLF", "Commander Adama" (clearly a Battlestar Galactica fan) and "Commander X". Covelli meanwhile is alleged to use the pseudonyms "Absolem" and "Toxic". 26-year-old Covelli was previously named in connection with internet attacks on PayPal.
Someone calling themselves "Commander X" gave an interview to CBS News earlier this year, claiming responsibility for denial-of-service attacks by Anonymous.
According to a CBS News report, "Commander X" told its reporter that he had no fear about being caught:
"We're not going to turn ourselves in. They can come and get us is what I say. Bring it on. Until then, we run... We will remain free and at liberty and at large for as long as we can, and when the time comes that each and every one of us eventually will be brought to justice, we will hold our head high in any court of law and we will defend our actions."
Doyon is scheduled to appear on September 29th for a bail hearing.

Secure web browsing cracked by BEAST

A pair of researchers have unveiled a serious new attack on web browser security.
The researchers used this week's Ekoparty security conference in Buenos Aires to unveil a new tool that attacks TLS and SSL, the cryptographic protocols used to establish secure web connections.
The ability to crack encrypted web traffic removes the safety net that protects you when you're doing sensitive online tasks like banking or using credit cards.
The tool, known as BEAST (Browser Exploit Against SSL/TLS), compromises TLS by exploiting a vulnerability that has been known about for years but which has been treated as a theoretical problem until now.
However, although researchers Thai Duong and Juliano Rizzo have significantly raised the stakes, it's probably too early to start hoarding tins of beans and donning our tin foil hats.
Right now the attack can take up to half an hour to execute. Although the researchers have hinted that this can be significantly reduced, the fact is that if you have the malicious nature, time and access required to execute this attack then there are probably easier ways to exercise your criminal ambitions.
Even when governments attack weapons manufacturers, they don't need to get any more high-tech than basic con tricks like spear-phishing.
The danger of BEASTly attacks against TLS has moved a little closer but we probably have enough time to react before it becomes practical.
A good start would be for browser and server vendors to pull their collective fingers out and start supporting versions 1.1 and 1.2 of TLS. Both of them have specific defences against this kind of attack but unfortunately support for them is poor.
Duong and Rizzo tipped off the major browser vendors about their findings months ago but so far the only response appears to have come from the folks at Chrome. A fix for the attack is currently under test in the development version of their browser.
If you run a web server and you're concerned, you may want to consider switching it to prefer the rc4-sha cipher. It's widely supported and isn't vulnerable to this kind of attack.
Although the BEAST attack is targeted at browsers there are plenty of other applications that rely on TLS, not least mail servers. Although BEAST isn't targeted at them I'm sure it will have raised eyebrows and their vendors will be taking a keen interest. Keep an eye out for updates and advisories.
If you want to know more about how the attack actually works then I recommend you take a look at nickm's excellent and accessible write-up over at the Tor project.
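The advice above boils down to two checks a server operator can make: does the server negotiate TLS 1.1 or 1.2 at all, and when an older client forces TLS 1.0, does it end up on a CBC suite (the only combination BEAST applies to)? The script below is an added example written for this page, not a tool from the post, from Sophos or from the BEAST researchers. It pins a Python `ssl` client to one protocol version at a time and records what the server negotiates. The cipher-name classification (`AEAD_MARKERS`, the RC4 bucket, everything else treated as CBC) is an assumption of this example based on OpenSSL suite naming, and `example.invalid` is a placeholder host, not a real target.

```python
import socket
import ssl
import sys

# Heuristic classification by OpenSSL cipher-suite name (an assumption of this example,
# not a list from the post). BEAST concerns CBC suites under TLS 1.0 / SSL 3.0, which
# chain the previous record's last ciphertext block as the next record's IV.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def classify_cipher(cipher_name, protocol):
    """Return 'aead', 'stream' or 'cbc' for a negotiated suite."""
    if protocol == "TLSv1.3":
        return "aead"                 # every TLS 1.3 suite is AEAD
    if "RC4" in cipher_name:
        return "stream"               # the post's suggested rc4-sha lands here
    if any(marker in cipher_name for marker in AEAD_MARKERS):
        return "aead"
    return "cbc"                      # e.g. AES128-SHA, DES-CBC3-SHA


def beast_exposed(protocol, cipher_name):
    """True when the connection would use CBC under a protocol without per-record IVs."""
    return protocol in ("SSLv3", "TLSv1") and classify_cipher(cipher_name, protocol) == "cbc"


def probe_tls_version(host, port, version):
    """Handshake pinned to one TLS version; returns (protocol, cipher_name) or None."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # surveying protocol support, not certificate trust
        ctx.minimum_version = version
        ctx.maximum_version = version
        if version <= ssl.TLSVersion.TLSv1_1:
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        # Handshake refused, network error, or this Python build lacks the version.
        return None


def survey(host, port=443):
    """Try TLS 1.0 through 1.3 in turn and report what the server negotiates."""
    report = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        report[version.name] = probe_tls_version(host, port, version)
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"   # placeholder host
    for name, result in survey(target).items():
        if result is None:
            print(f"{name}: not negotiated")
        else:
            proto, suite = result
            flag = "  <- BEAST-class exposure" if beast_exposed(proto, suite) else ""
            print(f"{name}: {proto} {suite} ({classify_cipher(suite, proto)}){flag}")
```

Run it as `python survey.py your.server.example` against a host you administer. A server that negotiates TLS 1.1 or 1.2 is following the post's first recommendation; a TLS 1.0 row flagged as exposed is the case the cipher-preference advice is about. The "stream" bucket exists only because the post names rc4-sha; RC4 was itself prohibited for TLS by RFC 7465 in 2015, so on a current server the right answer to an exposed row is to disable TLS 1.0 rather than to prefer RC4.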

NASA looks to lasers to speed data

WASHINGTON, (UPI) -- NASA says it's looking at lasers to speed up the transmission of high-resolution images from distant spacecraft like those now on Mars.
It currently takes 90 minutes to transmit images to Earth from the planet by radio, but NASA said research could dramatically reduce that time to just minutes, and a new optical communications system it plans to demonstrate in 2016 will lead the way.
Such a system could even allow the streaming of high-definition video from distances beyond the moon, a release by the agency said Thursday.
"We want to take NASA's communications capabilities to the next level," said Dave Israel, who is leading a research team that includes NASA's Jet Propulsion Laboratory in Pasadena, Calif., and the Massachusetts Institute of Technology.
Current communication technology will not keep pace with the projected data needs of advanced instruments and future human exploration, Israel said.
"Just as the home Internet user hit the wall with dial-up, NASA is approaching the limit of what its existing communications network can handle," he said.
The solution, NASA said, is to augment its legacy radio-based network with laser-based optical systems that could increase data rates by anywhere from 10 to 100 times.
"This transition will take several years to complete, but the eventual payback will be very large increases in the amount of data we can transmit, both downlink and uplink, especially to distant destinations in the solar system and beyond," James Reuther of NASA's Office of the Chief Technologist said.

NASA Satellite Hits Earth, Space Agency Confirms

WASHINGTON — NASA's dead 6-ton satellite plunged to Earth early Saturday, but more than eight hours later, U.S. space officials didn't know just where it hit. They thought the fiery fall was largely over water and the debris probably hurt no one.
The bus-sized satellite first penetrated Earth's atmosphere somewhere over the Pacific Ocean, according to NASA and the U.S. Air Force's Joint Space Operations Center. But that doesn't necessarily mean it all fell into the sea.
NASA's earlier calculations had predicted that the 20-year-old former climate research satellite would fall over a 500-mile swath and could include land.
Because the plummet began over the ocean and given the lack of any reports of people being hit, that "gives us a good feeling that no one was hurt," but officials didn't know for certain, NASA spokesman Steve Cole told The Associated Press.
The two government agencies said the 35-foot satellite fell sometime between 11:23 p.m. EDT Friday and 1:09 a.m. EDT Saturday, but with no precise time or location.
There was rampant speculation on the Internet and Twitter, much of it focusing on unconfirmed reports and even video of debris over Alberta, Canada.
Cole said that was possible because the last track for the satellite included Canada, starting north of Seattle and then in a large arc north then south. From there, the track continued through the Atlantic south toward Africa, but it was unlikely the satellite got that far if it started falling over the Pacific.
Cole said NASA was hoping for more details from the Air Force, which was responsible for tracking debris.
But given where the satellite may have fallen, officials may never quite know precisely.
"Most space debris is in the ocean. It'll be hard to confirm," Cole said.
Some 26 pieces of the satellite representing 1,200 pounds of heavy metal had been expected to rain down somewhere. The biggest surviving chunk should be no more than 300 pounds.
The Upper Atmosphere Research Satellite is the biggest NASA spacecraft to crash back to Earth, uncontrolled, since the post-Apollo 75-ton Skylab space station and the more than 10-ton Pegasus 2 satellite, both in 1979.
Russia's 135-ton Mir space station slammed through the atmosphere in 2001, but it was a controlled dive into the Pacific.
Before UARS fell, no one had ever been hit by falling space junk and NASA expected that not to change.
NASA put the chances that somebody somewhere on Earth would get hurt at 1-in-3,200. But any one person's odds of being struck were estimated at 1-in-22 trillion, given there are 7 billion people on the planet.
The satellite ran out of fuel and died in 2005. UARS was built and launched before NASA and other nations started new programs that prevent this type of uncontrolled satellite crash.
___
Online:
NASA: http://www.nasa.gov/mission_pages/uars/index.html

NASA Says Satellite Fell to Earth Over Pacific Ocean

NASA's dead six-ton satellite fell to Earth early Saturday morning, starting its fiery death plunge somewhere over the vast Pacific Ocean.
Details were still sketchy, but the U.S. Air Force's Joint Space Operations Center and NASA say that the bus-sized satellite first penetrated Earth's atmosphere somewhere over the Pacific Ocean. That doesn't necessarily mean it all fell into the sea -- although most of it is believed to have burned up.

There are a myriad of unconfirmed reports, including video that purportedly shows the satellite breaking up over Canada. There were also unconfirmed reports of debris seen from Florida. However, Cecilie Korst of the Aerospace Corporation said Oregon was likely the last place in the U.S. that the satellite was visible.
NASA's calculations had predicted that the former climate research satellite would fall over a 500-mile swath.
The two government agencies say the 35-foot satellite fell sometime between 11:23 p.m. EDT and 1:09 a.m. EDT. NASA said it didn't know the precise time or location yet.
Some 26 pieces of the satellite -- representing 1,200 pounds of heavy metal -- were expected to rain down somewhere. The biggest surviving chunk should be no more than 300 pounds.
The Upper Atmosphere Research Satellite, or UARS, will be the biggest NASA spacecraft to crash back to Earth, uncontrolled, since the post-Apollo 75-ton Skylab space station and the more than 10-ton Pegasus 2 satellite, both in 1979.
Russia's 135-ton Mir space station slammed through the atmosphere in 2001, but it was a controlled dive into the Pacific.
Earthlings can take comfort in the fact that no one has ever been hurt by falling space junk -- to anyone's knowledge -- and there has been no serious property damage. NASA put the chances that somebody somewhere on Earth would get hurt at 1-in-3,200. But any one person's odds of being struck were estimated at 1-in-22 trillion, given there are 7 billion people on the planet.
"Keep in mind that we have bits of debris re-entering the atmosphere every single day," said NASA orbital debris scientist Mark Matney in brief remarks broadcast on NASA TV.
In any case, finders definitely aren't keepers.
Any surviving wreckage belongs to NASA, and it is against the law to keep or sell even the smallest piece. There are no toxic chemicals on board, but sharp edges could be dangerous, so the space agency is warning the public to keep hands off and call police.
The $740 million UARS was launched in 1991 from space shuttle Discovery to study the atmosphere and the ozone layer. At the time, the rules weren't as firm for safe satellite disposal; now a spacecraft must be built to burn up upon re-entry or have a motor to propel it into a much higher, long-term orbit.
NASA shut UARS down in 2005 after lowering its orbit to hurry its end. A potential satellite-retrieval mission was ruled out following the 2003 shuttle Columbia disaster, and NASA did not want the satellite hanging around orbit posing a debris hazard.
Space junk is a growing problem in low-Earth orbit. More than 20,000 pieces of debris, at least 4 inches in diameter, are being tracked on a daily basis. These objects pose a serious threat to the International Space Station.

Wednesday, September 21, 2011

End of the road for DigiNotar as bankruptcy declared

DigiNotar, the Dutch certificate authority which hackers compromised and used to generate hundreds of bogus web security certificates, has filed for bankruptcy.
The announcement that DigiNotar has filed for voluntary bankruptcy was made today by its US parent company VASCO Data Security International.
And, quite frankly, there aren't many who will be mourning its loss.
[Image: VASCO announcement of DigiNotar bankruptcy filing]
VASCO's CEO, T. Kendall Hunt, seemed keen to disassociate the parent firm from the security problems seen at its subsidiary:
"We would like to remind our customers and investors that the incident at DigiNotar has no impact on VASCO's core authentication technology. The technological infrastructures of VASCO and DigiNotar remain completely separated, meaning that there is no risk for infection of VASCO's strong authentication business."
Cliff Bown, Vasco's chief financial officer, said the losses associated with DigiNotar "were expected to be significant."
It's unlikely that many people are going to shed many tears over the demise of DigiNotar. The firm lost all trust when it was discovered that it had known that it had suffered a security breach weeks before coming clean about the problem.
But it does serve as a chilling reminder of just how fatal a hack can be for an organisation, especially if the way your corporation decides to respond to it is woefully insufficient.
The fraudulent certificates were issued in the name of major web properties such as Facebook, Twitter, Microsoft and Google, and even in the name of intelligence agencies such as the Mossad and the CIA.
For more background on the DigiNotar security scandal, take the time to listen to a recent Sophos podcast on the issue, featuring Sophos experts Chester Wisniewski and Mike Wood:
You can also download the podcast directly in MP3 format: Sophos Security Chet Chat 72

China denies hacking high-tech weapon maker

When news of a hack against Japan's biggest weapons maker, Mitsubishi Heavy Industries, broke earlier this week an obvious question was - who might be responsible?
In all, more than 80 computers and servers at the firm - which manufactures everything from warships to space rockets - were infected by malware at a variety of sites. According to some local newspaper reports, a Chinese language script was found in one of the attacks which left computers at a submarine manufacturing plant and a missile manufacturing facility compromised.
The Guardian reports that the claims of Chinese involvement were firmly denied by a spokesman from China's foreign ministry:
"The Chinese government has consistently opposed hacking activities. The law strictly prohibits this. China is one of the main victims of hacking... criticising China as being the source of the hacking attacks is not only baseless, it is also not beneficial for promoting international co-operation for internet security."
Defence officials in Tokyo are reported to be fuming that they learnt about the attacks against Mitsubishi Heavy via local media reports more than a month after they took place, rather than directly from the firm itself.
Of course, as we all know, China is routinely blamed for cyberattacks and accused of using the internet to spy on other countries. Just as routinely, China denies its involvement.
Most famously, in January 2010 Google blamed China for an attack (dubbed "Operation Aurora") after discovering that someone in the country had tried to hack into the Gmail accounts of human rights activists.
In other incidents, accusations of China-backed hacking have come from a variety of directions including India, Belgium, the Dalai Lama, the British Secret Service, the US Defense Secretary and the Australian Prime Minister.
The truth is, however, that proving the origin of a hack attack is complicated by the fact that cybercriminals can use compromised PCs owned by innocent people to act as a go-between when trying to break into someone's computer. In other words - yes, a Chinese computer might have tried to connect to yours, but it may be under the control of someone in, say, Great Britain.
We'd be naive to think that the Chinese (and just about every other country around the world) isn't using the internet for its political, commercial and military advantage, but we should be very cautious about making assumptions without having all the proof in front of us.
So far there are no reports of classified information having been exposed by the hack attack at Mitsubishi Heavy Industries.

Tuesday, September 20, 2011

Hackers attack high-tech military contractor, break into submarine manufacturing plant

Mitsubishi Heavy Industries, Japan's biggest defense contractor, has revealed that it suffered a hacker attack in August that caused some of its networks to be infected by malware.
The firm - which is involved in a wide range of activities including space rockets, the production of jet fighters, shipbuilding, and running nuclear power plants - said that 45 network servers and 38 PCs became infected with malware at ten facilities across Japan.
The infected sites included its submarine manufacturing plant in Kobe and the Nagoya Guidance & Propulsion System Works, which makes engine parts for missiles.
The Japanese newspaper Yomiuri claimed that at least eight different pieces of malware, including some which stole data, were discovered at Mitsubishi sites.
A Mitsubishi spokesperson, however, was quoted as saying that "there is no possibility of any leakage of defense-related information at this point."
The company first noticed the attack on August 11th, and expects to have the results of an investigation into the security breach by the end of September.
If Mitsubishi Heavy Industries was targeted by hackers, the obvious question to ask is who was behind the attack and what was the motive?
Earlier this year we saw a series of cyber attacks against US military contractors, including Lockheed Martin, L-3 Communications and Northrop Grumman, and US Deputy Defense Secretary William Lynn publicly claimed that a foreign intelligence agency was behind a hack attack that stole classified information about a top secret weapons system.
Whoever it was who attacked Mitsubishi Heavy Industries, and whatever their motive, it's clear that all organisations need to take computer security seriously.
Cybercriminals, whether state-sponsored or not, are interested in stealing sensitive information which could have more than a financial value. You would be foolish to ignore such a threat, and must ensure that your organisation has strong defences in place to reduce the risks.

Troj/PHPShll-B: Malware injects itself into WordPress installations

On Friday, a colleague in our IT department asked about a Mal/Badsrc-C malware detection that Sophos products had found on a friend's website.
When I initially downloaded the website it looked clean. However, the automated systems inside SophosLabs were detecting the webpage as being infected with Mal/Badsrc-C.
So, I investigated a little more deeply - repeating the download after setting the User-Agent in my browser to pretend to be Internet Explorer.
This time I saw:
>>> Virus 'Mal/Badsrc-C' found in file index.html
Clearly, the malware on the website was planted in such a way that it would only manifest itself if it believed that the computer visiting the webpage was running Internet Explorer.
When you look at the last line of the index.html file you can see the appended malicious script tag:
[Image: Appended malicious script tag]
As my colleague knew the affected website's owner, I was able to gain a complete copy of the site which was running an installation of the popular WordPress blogging platform.
Looking at the WordPress configuration file (wp-config.php) I saw a suspicious piece of code prepended:


When this code is run it decodes to some suspicious code:
stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 7")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 8")||stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ return base64_decode("PHNjcmlwdCBzcm...
The above code snippet means that malicious code will only be served if the User-Agent is Internet Explorer. The geekier amongst you will recognise the base64 string as being the beginning of:
<script src
Sophos now detects and disinfects this modified code as Troj/PHPShll-B.
So, what's happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.
What isn't clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.
If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it's possible that your password details may have been stolen - or if you use the same passwords elsewhere on the internet - change them immediately.
Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.
Finally, always ensure that your website software is up-to-date and fully patched.
This hack appears to be widespread and website owners need to be vigilant.
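An added audit script (not from the article, Sophos or WordPress) that looks for the two signs described above in a WordPress tree: a stristr() test of HTTP_USER_AGENT for MSIE, and a base64_decode() whose payload decodes to a script tag. The file contents and the base64 payload are constructed placeholders, not the real malware.

```python
"""Audit WordPress PHP files for the user-agent-cloaked injection described above."""
import base64
import re
from pathlib import Path

# Signs of the injection: a test on HTTP_USER_AGENT for MSIE, and a base64 payload.
UA_CHECK = re.compile(
    r'stristr\s*\(\s*\$_SERVER\s*\[\s*["\']HTTP_USER_AGENT["\']\s*\]\s*,\s*["\']MSIE', re.I)
B64_CALL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]{16,})["\']\s*\)')
# Content a decoded payload should never contain in a configuration file.
SUSPICIOUS_DECODED = re.compile(r'<script|<iframe|eval\s*\(', re.I)


def decode_b64(blob: str) -> str:
    """Decode base64 leniently (pads missing '=' chars); returns '' if undecodable."""
    padded = blob + "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(padded, validate=False).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_php(source: str) -> dict:
    """Return findings for one PHP file's contents."""
    findings = {"ua_cloaking": bool(UA_CHECK.search(source)), "payloads": []}
    for match in B64_CALL.finditer(source):
        decoded = decode_b64(match.group(1))
        if SUSPICIOUS_DECODED.search(decoded):
            findings["payloads"].append(decoded[:60])   # keep a short preview
    return findings


def is_infected(source: str) -> bool:
    """True if either sign of the injection is present."""
    found = scan_php(source)
    return found["ua_cloaking"] or bool(found["payloads"])


def scan_tree(root: str) -> list:
    """Walk a WordPress install and return PHP files that look infected."""
    return [str(p) for p in Path(root).rglob("*.php")
            if is_infected(p.read_text(errors="ignore"))]


# Constructed sample: the prepended block mimics the article's description; the
# base64 is a harmless placeholder script tag, not the payload from the real site.
SAMPLE_PAYLOAD = base64.b64encode(
    b'<script src="http://example.invalid/x.js"></script>').decode()
INFECTED_CONFIG = (
    '<?php if(stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 6")||'
    'stristr($_SERVER["HTTP_USER_AGENT"],"MSIE 9")){ echo base64_decode("'
    + SAMPLE_PAYLOAD + '"); }\n'
    "define('DB_NAME', 'wordpress');\n"
)
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\ndefine('DB_USER', 'wp');\n"

if __name__ == "__main__":
    for name, src in (("infected", INFECTED_CONFIG), ("clean", CLEAN_CONFIG)):
        print(name, scan_php(src))
```

Run scan_tree() against a copy of the site, as the article suggests, rather than the live install, and compare the hits with a known-good WordPress release.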

Automated Skype calls spread fake anti-virus warning [VIDEO]

As more and more people become acquainted with the tricks used by internet scammers and cybercriminals, the crooks are pressed to find new social engineering tricks in the hope of fooling the unwary.
One of the schemes we have heard of involves unsolicited calls via Skype, where an automated message (what I like to call a "Digital Dorothy") warns you in a semi-robotic voice that your computer's security is not up-to-date.
A Naked Security reader has pointed us to the following YouTube video, showing just such a scam call caught on camera. Fortunately, in this case, the recipient of the bogus call about his computer's security was wise to the scam and knew not to act upon it.
Warning: Some of the language used in this video is a little fruity.
In case you couldn't make it out on the video's soundtrack, here's what the automated call was saying:
"Attention: this is an automated computer system alert. Your computer protection service is not active. To activate computer protection, and repair your computer, go to [LINK]"
If you weren't aware of fake anti-virus (also known as scareware) scams like this you might well be worried enough to visit the website referred to in the message, where it will pretend to scan your computer's security.
Computer protection not active
Surprise, surprise: the website claims that you are not properly protected, and it urges you to install its software (a steal at $19.95).
Computer protection not active
I'm not sure I would want to trust any product which uses Skype spam techniques to advertise itself, and presented itself in such an underhand manner.
They seem to be keen for you to hand over your contact details (including your email address). For test purposes, I entered an email address - but haven't received a communication yet. One thing is for sure - I am not going to trust whatever they say in that email.
Computer protection not active. Now they want your contact details
Of course, if you don't want to receive unsolicited Skype calls the best thing to do is change your privacy settings so only users listed in your contacts list are allowed to get in touch with you.
Skype privacy settings
If you want to find out more about fake anti-virus or scareware attacks download the technical paper from SophosLabs: "What is Fake AV?" [PDF]

Flaw in OS X Lion allows unauthorized password changes

Lion cub attacking lion courtesy of fortherock's Flickr photostream
A researcher at the Defense in Depth blog has discovered a flaw in Apple's recently released operating system, OS X 10.7 (Lion), which allows passwords to be changed without knowledge of the logged in user's password.
The flaw appears related to Apple's move towards a local directory service which has permissions set in an insecure manner.
An attacker who has access to a logged in Mac (locally, or over VNC/RDC, SSH, etc.) is able to change the currently logged in user's password without knowing the existing password, as would normally be required:

testmac:~ TestUser$ dscl localhost -passwd /Search/Users/TestUser
New Password:

Historically (in Snow Leopard) you would have needed to enter your existing password first to verify that you in fact are the account holder:

testmac:~ TestUser$ passwd
Changing password for TestUser.
Old Password: -OldPass-
New Password: -NewPass-
Retype New Password: -NewPass-

Not only can a logged in user change their password without knowledge of the existing password, but you can read any other user's password hash and attempt to brute force it.
Defense in Depth showed how you can parse the hash from openly readable directory information and recover both the hash and the salt used to encrypt the password.
This is another great reason to be sure you have secured your Mac properly until Apple makes a fix available. Taking the following steps will help ensure you are protected:
  1. Use a secure password to prevent brute force attacks against your account using stolen hashes.
  2. Enable the screensaver and set it to prompt you for your password.
  3. Disable automatic logon.
  4. Never leave your Mac logged in and unattended. Use a "Hot Corner" or the Keychain lock to lock your screen.
Keychain preferences
The Keychain preferences window on OS X 10.7 offers a status bar icon for locking.
For more tips on securing your Mac check out our three part series on top tips for Mac OS X security.
This is particularly dangerous if you are using Apple's new FileVault 2 disk encryption. If your Mac were left unlocked and someone changed your password you would no longer be able to boot your computer and potentially would lose access to all of your data.
Cnet had reported that you can also change other users' passwords, but I was unable to replicate their findings.
Hopefully Apple will release an update soon; I was able to confirm with testers of OS X 10.7.2 that the flaw still exists in test builds.

Microsoft reissues update for Win XP/2003 for DigiNotar certificate revocation

Microsoft Update on Windows XP
Microsoft had to reissue an update for users of Windows XP and Windows 2003 today related to the compromise of certificate authority DigiNotar.
It was not related to further hacking, though; it appears to have been a quality assurance SNAFU at the software giant.
Microsoft has updated the known issues in security advisory 2607712 to refer to an updated advisory 2616766.
KB article 2616766 points out that the update shipped last week to remove the known compromised certificates from the trusted certificate list omitted the certificates known to have been in use in the wild.
Somehow Microsoft's Patch Tuesday update only removed additional certificates issued to DigiNotar by GTE and Entrust, but did not remove the original root certificates used to intercept communications in Iran.
Users of Windows XP and 2003 with automatic updating enabled will receive the updated patch automatically, but administrators who manually deploy patches using WSUS may be required to push update 2616676 a second time.
Even worse, the update requires users of XP and 2003 to reboot after applying the fixed update. Users of Windows 7, Vista, 2008 and 2008 R2 are unaffected.

Google Wallet - why you shouldn't throw away your wallet just yet

Android Google Wallet
Google has announced, to some fanfare, what it hopes will be a revolution in the way we pay for things: Google Wallet.
Google Wallet is a smartphone app (currently only available for the Nexus S 4G Android phone) that aims to replace your credit cards.
It works like this. You go to a store (let's imagine it's a coffee shop), the barista hands you your steaming skinny caramel macchiato and a toasted onion bagel with low fat cream cheese and bacon, and rather than give them your credit card or reach into your pocket for some coins, you..
* take out your smartphone
* unlock it
* run the Google Wallet app
* enter the PIN for your Google Wallet app
* swipe your smartphone against the coffee shop's pay point.
How convenient!
The Google Wallet app uses NFC (near-field communications) technology in your smartphone to wirelessly debit the credit card you have linked with the application.
Here's a video that Google has produced describing Google Wallet.
Human nature being what it is, some people will be nervous of adopting this kind of technology to pay for goods. Just remember how long it took for some people to switch to using credit cards.
The PIN
It looks like Google recognises that some people will be fearful, and is keen for potential users to know that the Google Wallet app is protected by a four digit PIN.
Entering a PIN on Google Wallet
Unless the PIN is entered, the NFC antenna is switched off - meaning that you can't make any purchases. Similarly, when the phone's screen is switched off, the NFC antenna is disabled.
The Google Wallet app insists that you re-enter your PIN every five minutes by default - something that I suspect many users will find irritating, and will change to a longer time period for more convenience and less security.
Another concern I have, though, is whether users will choose sensible PINs to protect their Google Wallet.
When you're waiting to slurp your steaming skinny caramel macchiato and munch on your toasted onion bagel with low fat cream cheese and bacon, will you be entering a PIN code that is convenient or one that is more secure?
Research published earlier this year revealed the top 10 passcodes that iPhone owners use to protect their devices, and we have to assume that Google Wallet users will be just as laissez-faire when choosing a PIN.
Top 10 most commonly used PIN codes
We already know that 67% of consumers don't have any form of password on their mobile phones.
It's hard to imagine that all users are going to choose a PIN code for their Google Wallet which is hard to crack, let alone one that is different from the PIN they should be using to protect the rest of their smartphone.
So, if you lose your smartphone and have not chosen a sensible PIN code both for the device and a different one for your Google Wallet then there may be opportunities for criminals to take advantage.
Don't throw away your wallet just yet
I don't want to rain on the parade entirely, however. It's not Google's fault that people might choose dumb obvious PINs or use the same PIN code for their digital wallet as for the device itself (although Google might do some work to reduce the likelihood of those happening, or give an option for longer pass codes).
Wallet
We may be a long way off throwing away our physical wallets entirely - as folks still like to carry around their receipts, driving licence, business cards and some old fashioned bank notes - but we will see mobile devices being used more and more for commerce.
It's going to take some years for merchants to invest in the hardware to provide support for Google Wallet, and some may prefer to wait and see how the market plays out and if a rival option becomes more popular.
Always have a backup
I have one piece of advice though, which will probably hold true for many years to come. Think about this. What happens when your smartphone runs out of juice?
You won't be able to open your Google Wallet app to pay for the late night train ride home if the battery is flat. Then you'll be rueing not having a real credit card in your pocket or a couple of notes hidden in the sole of your shoes.

Vorce – Instant language translation app for iPhone

Vorce [voh-krey], an instant language translation app, allows users to communicate instantly with anybody from anywhere. It translates your voice into other languages instantly and magically speaks what you've said in the selected language when you flip the phone horizontally. The language options include English (US/GB/AU), Spanish, French, Italian, German, Japanese and Chinese.
Features of Vorce translation app for iPhone
  • In Person Speech-to-Speech Conversation Translation via accelerometer/orientation activation.
  • Simply shake the device to edit the translation, and it will be uploaded to the server.
  • You can purchase additional translation credits in-app, in addition to initial free credits.
  • Option to share the app via Facebook, Twitter, SMS, and Email.
Here is a short demo of the app
The app has also won Best Mobile App and Audience Choice Award at TechCrunch Disrupt event. Download Vorce translation app for iPhone (iOS 4.0 or later) from the Apple iTunes Store (select countries only) for free.

5 new userland exploits found, untethered iPhone 5 jailbreak imminent

Hacker pOsixninja from the Chronic Dev Team has announced the discovery of 5 new bootrom userland exploits which will be used to develop a jailbreak for Apple A5 based devices. The A5 chip is being currently used in the iPad and is expected to be the chip powering the next generation iPhone.

The 5 exploits discovered are userland (i.e. software-level) exploits and can be patched by Apple. What is more exciting is that pOsixninja believes it will be the most amazing jailbreak so far, making its way to all exploitable firmwares. The team expects the next generation iPhone to also sport the same chip, which would enable the team to develop an untethered jailbreak for it. With the number of jailbreak-only features that Apple has been adding to iOS, the importance of jailbreaking has certainly gone down. Are you excited by the prospect of an untethered jailbreak on your next iPhone?

Google Voice Actions for Android now supports British English, French, Italian, German and Spanish

Google Voice Actions, which lets you control your Android phone or tablet with voice commands, now supports additional languages: British English, French, Italian, German and Spanish. This lets users in the UK, France, Italy, Germany and Spain call contacts, send texts, browse the web and do much more using voice commands in their own language.
You can just tap the microphone button on the Google search box, or tap and hold the mic button in the app, to speak a voice command that performs the desired action. Some of the commands include:
  • send text to [contact] [message]
  • call [business]
  • call [contact]
  • go to [website]
  • navigate to [location/business name]
  • directions to [location/business name]
  • map of [location]

Sunday, September 18, 2011

The 10 Worst Computer Viruses in History

  • INTRO
laptop computer virus
Credit: Dreamstime
The worst computer virus is the one that happens to infect your own personal computer. Unfortunately, millions of us have had this misfortune, and then spent hours — sometimes days — cleaning, restoring and recovering from a computer virus.
Today, many pieces of malware are designed to attack specific targets, such as the Stuxnet worm (designed to knock out Iran's nuclear centrifuges) or the Zeus and SpyEye Trojans (designed to steal from victims' bank accounts).
But back in the day — say, before 2005 — viruses were all about how much damage could be done by trashing hard drives, corrupting files, bringing corporations to their knees and slowing down the Internet itself.
It was an atmosphere that turned computer security into a big business and created some of the most notorious viruses of all time.
Here are the dirtiest of the bunch, our terrible 10 worst viruses in history.


  • 10
Stoned

Before there was the World Wide Web, the first computer viruses spread via floppy disks. One of the earliest was the 1987 boot-sector virus Stoned, which taunted infected users with the on-screen message, "Your computer is now stoned."
Several variants of the virus were written by copycats, ushering in the practice of hackers updating existing virus code to create more infections.


  • 9

Jerusalem
Toward the end of 1987, the Jerusalem virus began spreading. The virus was much more destructive than the Stoned virus, infecting both .exe and .com files (different kinds of applications).
Because it launched only on every Friday the 13th, Jerusalem's spread was more slow-moving than Stoned's, but Jerusalem destroyed tens of thousands of users' programs along the way.


  • 8

morris worm floppy disk museum of science boston
The source code for the Morris worm at the Boston Museum of Science. Credit: Shannon Bullard, GoBostonCard.com
The Morris Worm
November 1988 saw what is widely regarded as the first worm — a self-contained program that spreads without human intervention — to infect public networks. At the time, it was estimated to have infected about 10 percent of all computers connected to the nascent Internet.
Its creator, Cornell University graduate student Robert Tappan Morris, whose father was a famous computer scientist, became the first person convicted under the Computer Fraud and Abuse Act.


  • 7

The Concept Virus
The '90s saw the development of a raft of new bugs, including so-called polymorphic viruses that could change their appearance with each new infection, making it difficult for anti-virus software to detect their presence.
In 1995, the Concept virus broke new ground by being the first to infect Microsoft Word documents. Unaware users sharing documents via email helped make it one of the fastest spreading viruses of its time.


  • 6
Melissa
Before the decade was out, one of the worst viruses of all-time appeared. Reputed to be named for a Florida stripper, Melissa showed up in mid-1999 and was one of the first viruses designed to spread from computer to computer without relying on action on the user's part.
For every PC it infected via email, it attempted to infect another 50 using the victim's Microsoft Outlook address book. The subsequent volume of Internet traffic forced companies such as Intel and Microsoft to temporarily shut down their own mail servers.

  • 5
The Love Bug
Social engineering — tricking a person to open a file or reveal information — came into its own in May 2000 with the ILOVEYOU virus.
Like Melissa, it also used email and appeared to come from someone known to the recipient. But in reality, the attached script deleted multimedia and personal files, changed the Internet Explorer start page and unleashed a torrent of junk mail.
The Love Bug is still considered to be one of the most destructive viruses ever. It infected more than 50 million computers in just nine days, and caused several military sites to shut down their networks until the virus could be purged.


  • 4
anna kournikova uso bagram air force base afghanistan
Anna Kournikova at Bagram Air Force Base in Afghanistan in Dec. 2009. Credit: Senior Airman Felicia Juenke, U.S. Air Force
The Anna Kournikova Virus
You didn't have to be a tennis fan in February 2001 to fall victim to this virus. Inaugurating what has since become a commonplace tactic, the Kournikova virus enticed email recipients to open an attached picture of the statuesque tennis star.
There was in fact no image behind the message — just an obsessed young programmer from the Netherlands, who quickly turned himself in to authorities.


  • 3
code red mountain dew
Credit: Like the Grand Canyon/Wikipedia
Code Red
In 2001, anti-virus researchers were frustrated by a new worm dubbed Code Red, after the hyper-caffeinated flavor of Mountain Dew soda its finders were drinking when they discovered it.
Code Red attacked Microsoft servers and during the summer of 2001 infected more than 350,000 computers. It proved tricky to eradicate because it was able to re-infect cleaned systems, causing overload and denial-of-service problems for sites around the world.



  • 2

Nimda
Using a tripartite attack, Nimda ("admin" spelled backwards) was not only a virus (an alteration to a benign program or file) but also a worm and a Trojan horse (a standalone program that pretends to be benign).
Nimda's variety of attack methods enabled it to spread faster than any previous malware, spanning the globe in less than an hour. (It appeared on Sept. 18, 2001, leading to media speculation of an Al Qaeda connection.) Although estimates vary, it is reported to have caused billions of dollars worth of damage.


  • 1
Netsky and Sasser
By 2004, virus writers were rapidly exploiting and building on each other's code, so much so that they were beginning to interfere with one another. So the Netsky and Sasser worms took the extraordinary step of attempting to clean out other worms on a victim's PC before installing themselves.
Sasser drew attention because it knocked out the satellite communications system for the French news agency Agence France-Presse and caused problems with Delta Air Lines systems, causing some flight cancellations. Eventually, both viruses were traced to a teenage computer science student in Germany.

The worst DDoS attacks coming soon...

QR code security risks in the car park

QR code
QR codes are a highly convenient way to link a physical object to a URL. Point your phone's camera at the 2D barcode and you're instantly taken to a website.
That's something which can have security consequences, as mobile guru Terence Eden explains.
Recently, Islington Council in London has partnered with Verrus to bring mobile phone payments to car parking.
It's a really simple way to improve paying for parking - but it does leave open some fairly serious security risks.

Initial impressions

Islington Parking QR Code
The QR codes being used by Islington Council are fairly clearly displayed on the side of the parking meters - but there is no printed call to action.
Which raises the question - what does scanning the code do?
From a practical point of view, would anyone scanning the code know that it allowed them to pay with their phone?
From a security point of view, does the QR code belong to the parking company? Could someone malicious have stuck this code onto the machine?
Unfortunately, there is a problem with the QR code that rang instant alarm bells in my mind.
I spotted instantly that it isn't using an HTTPS URL:
http://m.paybyphone.co.uk/?utm_source=islington&utm_medium=qrcode&utm_campaign=mweb
For a site which asks for a password - and later for credit card details - that seems like a worrying oversight, and isn't going to instill confidence.
In fairness, the site does automatically redirect to the SSL version - but why leave that out of the QR code?
After scanning the code with their mobile phone, this is what the first time user sees:
Parking mobile website visited via QR code
One thing to note is that most mobile phones won't display the full URL, unless they are in landscape mode.
The URL on display could easily be:
https://m.paybyphone.evilsite.xxx/

Registering

If you've never used the system before, you need to register on this screen:
Enter your credit card details
It is, in my opinion, a very poor idea to require someone to type their credit card number into a phone.
  • What if there's a gang of vicious hoodies waiting to snatch credit cards from unsuspecting users as they get them out on the street?
  • Is this really a legitimate site? There is no way of knowing, and the switch in branding between "paybyphone" and "PayByPhone" just makes things more confusing and suspicious.

Attack Vectors

The main way of attacking a QR code is to change it. In this case, all it would take would be a large sticker placed on the car parking notice to successfully redirect the user.
In the most mundane case, an attacker could ask the user to visit a malicious website which collects their login details - or worse, their credit card number.
However, a QR code can also be used to point to a premium rate phone number or premium rate SMS. Both could look "legitimate" when placed near a parking meter. A simple and effective way to deprive a victim of their money.

Solutions

QR code hijacking is very rare - but here are a few practical tips for securing a QR code payment service.
  1. Include signage telling the user what the code does. Otherwise the user has no way of knowing if the code should point to a URL, phone number, or SMS.
  2. Print the URL near to the code. This way if the code is hijacked and pointed to http://evilsite.xxx/ the user can see they're not visiting the correct site.
  3. Include https in the URL. Get users used to checking for https before they interact with you.
  4. If possible, use a short domain. Not only will it reduce the size of the QR code, it will give your users confidence if they can see the full domain in their phone's URL bar.
  5. Don't ask a user to get their credit card out on a busy street. Use a mobile payment solution which charges to the user's phone bill or deducts it from their credit.
QR codes provide a brand new way for people to interact with your service. Make sure that what you offer them is simple, satisfying, and secure.
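An added example (not from the article, Islington Council, PayByPhone or Verrus) of vetting a scanned QR payload against the tips above: it classifies the payload as a URL, phone number or SMS, requires https, rejects user-info tricks, and checks that the host's registrable domain is the one printed beside the code rather than a look-alike such as m.paybyphone.evilsite.xxx. The expected domain, the suffix table and the sample payloads are constructed assumptions.

```python
"""Vet a QR code payload before a user acts on it (added example)."""
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "paybyphone.co.uk"   # assumption: the domain printed beside the code
# Two-label public suffixes relevant to this example; a real deployment would use the
# full Public Suffix List instead of this constructed table.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. paybyphone.co.uk or evilsite.xxx."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def vet_qr_payload(payload: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Classify a QR payload and list every reason a user should not trust it."""
    result = {"kind": "unknown", "safe": False, "warnings": []}
    text = payload.strip()
    if text.lower().startswith(("tel:", "sms:", "smsto:")):
        # A payment sign should open the printed URL, never dial or text a number:
        # a premium-rate number is the cheapest way to take money from the victim.
        result["kind"] = "phone"
        result["warnings"].append("payload dials or texts a number instead of opening the printed URL")
        return result
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        result["warnings"].append("not a web URL")
        return result
    result["kind"] = "url"
    if parts.scheme != "https":
        result["warnings"].append("URL is not https")
    if parts.username or parts.password:
        # https://m.paybyphone.co.uk@evilsite.xxx/ shows the expected name but goes elsewhere
        result["warnings"].append("URL carries user info, a classic way to fake a hostname")
    if registered_domain(parts.hostname) != expected_domain.lower():
        result["warnings"].append(f"host {parts.hostname} is not under {expected_domain}")
    result["safe"] = not result["warnings"]
    return result


# Constructed samples: the first is the URL encoded in the Islington code as quoted in
# the article; the others are hypothetical replacements a rogue sticker could carry.
SAMPLES = [
    "http://m.paybyphone.co.uk/?utm_source=islington&utm_medium=qrcode&utm_campaign=mweb",
    "https://m.paybyphone.co.uk/",
    "https://m.paybyphone.evilsite.xxx/",
    "https://m.paybyphone.co.uk@evilsite.xxx/",
    "tel:+449000000000",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", vet_qr_payload(sample))
```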

Disclaimer: The author currently works for InMobi, who have a mobile payments product called SmartPay. There are several other cross-network payment solutions, including Boku or Google Checkout.