Friday 24 September 2010

» Twitter 'onMouseOver' security flaw widely exploited

The Twitter website is being widely exploited by users who have stumbled across a flaw which allows messages to pop-up and third-party websites to open in your browser just by moving your mouse over a link. In a worrying development, messages are also spreading virally exploiting the cross-site-scripting (XSS) vulnerability without the consent of users.
Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister.
Sarah Brown's Twitter page
It appears that in Sarah Brown's case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That's obviously bad news for her followers - over one million of them.
Japanese porn website
To Mrs Brown's credit, she has posted a warning on her Twitter page:
don't touch the earlier tweet - this twitter feed has something very odd going on ! Sarah
Here's an example of a Twitter profile which is using the exploit to pop-up a message.

Twitter security flaw popping up a message box

It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed.
Here's a quick YouTube video I made demonstrating the exploit live on Twitter:
(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)
Hopefully Twitter will shut down this loophole as soon as possible - disallowing users to post the onMouseOver JavaScript code, and protecting users whose browsing may be at risk.
Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of colour (known as "rainbow tweets"). Because these messages can hide their true content they might prove too hard for some users to resist clicking on them.
Rainbow Tweet exploiting security flaw
Right now you might be safer using a third-party Twitter client rather than the Twitter.com website.
Update Twitter says that it is aware of the problem, and hopes to roll out a patch soon.
Response from Twitter
Update 2 Twitter has posted a blog entry going into some detail of what happened, and how it says it has now fixed the problem.
Which means that - if you like - you should be safe to follow me on Twitter at @gcluley to keep up-to-speed on the latest security threats. :) Take care folks.

Email this story to a friend   Reddit   Technorati   Slashdot   NewsVine   MySpace   Google   Live   Mixx   del.icio.us   StumbleUpon  

The Malware, the SMS, and the Money

A threat we call Trojan:MSIL/Fakeinstaller.A has been making the rounds lately. It is a slight deviation from the family of malware threats known as Trojan:Win32/Ransom.
The malware is similar to Trojan:Win32/Ransom, which seizes control of the computer by locking the user's screen and then demanding a passcode from the user. The user receives the passcode only after sending an SMS to a premium number.
This particular sample of Trojan:MSIL/Fakeinstaller.A (SHA1: 5a888391750c0efefe9dfc7dd63ed5b78f603ef9) is not as aggressive, but nonetheless racketeers by ripping some freely distributable application from the Internet and then using that to gain profit.
The malware arrives supposedly as an installer for a program. But when users actually try to install the program, they are prompted to send an SMS to a premium number, from which a reply is sent back with a code to unlock and install the application. While the application doesn’t lock up your desktop, unsuspecting users may still get charged to send the SMS to a premium account.
Fake installer for uTorrent
Fake installer for DivX
Contrary to Trojan:Win32/Ransom, which is mostly targeted towards Russian users, Trojan:MSIL/Fakeinstaller.A seems to have been purposely made for users residing in other countries in Europe.

Tuesday 21 September 2010

BMW introducing iPad docks for back seats, iPhone 4 integration

Filed under: , , , ,
BMW ConnectedDrive
BMW ConnectedDrive - Click above for high-res image gallery

Good news, Apple fans. BMW has turned up the level of smart phone integration in its vehicles in a big way. The company will be showing off its new ConnectedDrive system at the 2010 Paris Motor Show. The swank tech not only boasts Bluetooth wizardry and a text-to-speech function that will allow drivers to access text messages, memos, emails and the like from their Blackberry, it will also work with Apple iOS4. That means that the system clicks with the latest iPhone.

But wait, there's more.

The German manufacturer is also introducing something it calls iPod Out that's designed to make the most of using Apple music players in the vehicle. There's even a handy docking system for the iPad in the back seats. What's more, BMW will offer a mobile hotspot system with ConnectedDrive so that passengers can surf the web without burning up their data plans. Welcome to the brave new world. Thanks for the tip, Chris!



[Source: BMW]
BMW introducing iPad docks for back seats, iPhone 4 integration originally appeared on Autoblog on Mon, 20 Sep 2010 11:28:00 EST. Please see our terms for use of feeds.
Permalink | Email this | Comments

Phishing Proliferating via Facebook Chat

Recently, while chatting with someone on Facebook, one of my friends surprised me when she sent me this:
Facebook chat messages
Out of curiosity and suspicion, I visited the link. This eventually led me to the following site, which was hosted at http://{BLOCKED}atingchatnetwork.com/facebook/index.php.
Click for larger view
Users who input their Facebook credentials here would be surrendering their credentials to phishers. Phishing attacks such as this that use Facebook applications are not entirely new but having it spread via Facebook’s own chat feature makes it a more significant threat. The appearance of these messages coming from a user’s friends may lead to more people clicking these links.
The Facebook application used in this attack has already been removed. The underlying phishing page has also been blocked by the Trend Micro™ Smart Protection Network™.
Post from: TrendLabs | Malware Blog - by Trend Micro

Phishing Proliferating via Facebook Chat

Friday 10 September 2010

'Here You Have' Malware Preys on the Incompetent



  • 09.09.2010
This afternoon at least one story began swirling about a new threat provisionally called "here you have". It's thus named because this malware arrives in an e-mail with "here you have" in the subject.
ABC News reported that NASA, Comcast, and ABC's parent Disney were hit hard, among others. The McAfee Labs Blog referred to it as a virus, a Trojan, and a worm. The term "worm" refers to a malicious program that can spread to other computers without any human interaction, so that last point had me worried.
As it turns out, this threat isn't a worm. It can't attack your computer by itself. In fact, it can't do anything at all unless some goofball clicks the wrong link (though once that happens it can infect connected computers and USB drives). Really, it's barely more than a social engineering attack. The fact that it managed to spread widely through various multinational businesses doesn't say a lot for the security savvy of the workers.
People! DO NOT click links in e-mail messages from unknown people. DO NOT even click links in e-mail messages from your friend, since the real source of the message might be a virus. DO keep your computer protected with an antivirus or a security suite. That way if you click the wrong link in a fit of weakness you'll still be protected from whatever new threat replaces "here you have".
Originally posted to the PCMag.com security blog, Security Watch.

Wednesday 8 September 2010

Orange and T-Mobile merge networks

Mobile phone The deal will initially only apply to text messages and voice calls
Customers of Orange and T-Mobile will soon be able to hop between the two mobile networks.
The deal is one of the first practical benefits from the recent merger of the two firms, which have 30 million customers combined.
The network sharing deal is limited to 2G signals, meaning that customers will see little benefit when using the mobile web.
Analysts said that T-Mobile had the most to gain from the merger.
"Outside of the South-East [of England] there has been a constant perception that T-Mobile is an underperforming network," said Shaun Collins of research firm CCS Insight.

Related stories

"This literally takes it away overnight."
Network evolution He said that network coverage was becoming a "key battleground" between the major UK networks.
"The network coverage advantages of the merger [between Orange and T-Mobile] were always the most important part of it," he said.
Customers of the two firms will have to sign up for the free "roaming" service, which goes live on 5 October.
Once registered, their phone will automatically hop between the networks when it loses signal. The underlying system is similar to that used when a phone "roams" on a different network abroad.
Next year Everything Everywhere - the company that runs Orange and T-Mobile in the UK - said that phones would automatically switch to whichever of the two networks has the strongest signal mid-call.
It said it also plans to roll it out to 3G services.
When it does, Orange customers will be able to use a 3G network owned and operated by Mobile Broadband Network Limited (MBNL), a joint venture company owned by Three and T-Mobile.
Orange joined MBNL on the 16 August.
"Everything Everywhere will be adding Orange sites to the network it shares with Three in the course of time, and Three customers will get access to a significant proportion of those as they are added," said a spokesperson for Everything Everywhere.
Three customers are already able to use the Orange network for 2G calls and texts.
Further down the line, Everything Everywhere aims to start building a next-generation LTE (long-term evolution) mobile network, to cope with the surge in demand for data and the mobile web.
LTE offers faster speeds than current 3G networks and is able to handle more traffic.
The UK government plans to hold an auction of spectrum for next generation services in 2011.

More on This Story

PlayStation 3 update targets hardware hacks

PS Jailbreak Sales of the dongle are now illegal in Australia
Sony has closed a loophole that allowed users to run software that enables pirated games to be played on the PS3 console.
The update blocks the PSJailbreak and PSGroove applications.
Mathieu Hervais, one of the developers behind PSGroove, told BBC News that it was "safer not to update" if users wished to continue using the hacks.
Sony won a court order in early September banning the distribution of the PSJailbreak dongle.
The update is the latest step in Sony's ongoing battle against the commercial dongle - PS Jailbreak - that allows users to play pirated software. It also targets open source code, known as PSGroove, which allows homemade games to be played on the console.

Related stories

While the PSGroove software was not originally intended to allow the playing of pirated games, as PSJailbreak does, it has already been modified by other hackers to permit the practice.
Mixed response It is the continuation of a cat-and-mouse game between hackers and the electronics giant, which started when PSJailbreak first appeared for sale on website.
The USB dongle was the first hardware hack of Sony's secure games console.
Sony has since obtained a court injunction preventing the distribution of the PSJailbreak dongle in Australia.
The firm has also filed a US lawsuit against Zoomba, a firm that runs a site selling the device. Distributors in the Netherlands have also told the BBC that they have received court documents banning the sale of the dongles.
However, Sony has now decided to tackle the problem head-on by releasing a software update for the consoles that block the hacks.
The new patch received a mixed reception from the gaming community, with some users praising Sony for its prompt action, while others were more critical.
"Every time there is an update, it's a security patch I don't care about," wrote one.
"Give me something that will keep me occupied like more visuals on the music player, a way to delete trophies for a game I don't have anymore, backward compatibility for PS2 games, better video chat.
"You guys don't take to many suggestions from your players. If you listen, I mean really listen, to the ideas you will be top," they added.
Mr Hervais told BBC News that it did yet know how Sony fixed the security flaw.
Sony declined to comment on the specifics of the update, but a spokesman told BBC News: "Since this is an overall security related issue, we will not be providing further commentary to this case.
"But as we always have, we will continue to take necessary actions to both hardware and software to protect the intellectual content provided on the PlayStation 3."

Saturday 4 September 2010

PS3 hack ban upheld by court as free version released

PlayStation 3 A similar lawsuit has now been filed also in the US
Sony's battle to block the distribution of a hack for its PlayStation 3 (PS3) has been won in an Australian court but lost on the internet.
The court ruled on Friday that a ban on distribution of the PSJailbreak "dongle", first issued on 27 August, would be made permanent.
However, on Thursday the software code behind a similar hack was released free on the internet as PSGroove.
The hacks allow homemade games to be played on the console.
While the PSGroove software was specifically designed not to allow the playing of pirated games, as PSJailbreak does, it has already been modified by other hackers to permit the practice.
Also on Friday, it emerged that Sony had filed a US lawsuit against Zoomba, the firm that runs shopPSjailbreak.com, a site selling the device.
The lawsuits specifically name the PSJailbreak device - software loaded onto a USB data stick - but reports have surfaced that the device has been replicated and could soon be widely available through other vendors.

Related stories

The Australia ban prevents resellers OzModChips, ModSupplier and Quantronics from importing or distributing the device in Australia, and names the supplier as Chinese firm China Sun Trading Limited.
The court order demands that the distributors hand over any stocks of the dongles, China Sun Trading to send any ordered dongles to the court, and calls for as-yet undetermined damages to be paid to Sony.
OzModChips posted an apologetic message to its Twitter account on Friday, saying "Sorry 4 the lack of updates, its been a long day. Bassically the injunction still stands but its not 100% over yet. Not allowed to say more."
The BBC has learned that distributors in the Netherlands have received substantially similar court documents banning the sale of the dongles.
Choice and innovation However, the court's action was pre-empted when another group of hackers decided to develop and release PSGroove, the code behind the hack, on the internet.
Mathieu Hervais told BBC News he was one of about 20 hackers involved in PSGroove's development.
"We want people to run the software they like on the system they paid for without it having to be licensed by Sony," he said.
"We released it on the internet because we believe in openness, choice and innovation from everyone.
"We understand (games console makers') point of view as well when it comes to protecting their income or business models, we just believe compromises could be made to keep everyone happy."
Sony declined to comment on the court cases or the release of the open-source code.