Date: 07 December 2012
Greetings,
First up this week - Check Point recently revealed details of how the Eurograbber attack stole thirty-six million euros from over 30,000 customers and over 30 banks in Italy, Spain, Germany, and Holland earlier this year. This attack used a modified version of the Zeus trojan which targeted both victims' PCs as well as their Blackberry and Android mobile devices, taking advantage of the SMS messages used by their banks as part of their authentication process. With both victims' PCs and mobile devices compromised, the criminals were able to hijack banking transaction sessions including the SMS messages sent from the banks to the victims containing their TAN or 'transaction authentication number'. For more details check out the article over at Help Net Security.
Earlier this week Twitter corrected an SMS spoofing vulnerability, also shared by Facebook, which was disclosed by security researcher Jonathan Rudenberg in mid-August. However, it appears that the vulnerability in Twitter has existed as far back as 2007, and the issue was raised back in March 2009 by Heise Security! The vulnerability arose because SMS posting did not require any kind of authentication, which meant that someone could spoof tweets through an SMS gateway just by knowing another Twitter user's phone number. It is believed that Facebook has also corrected the issue.
According to Blue Coat security researcher Adnan Shukor, the widely deployed Blackhole exploit kit has a hard time infecting users of Google Chrome. When Blackhole detects Internet Explorer or Firefox in a browser's user agent string, it simply executes its normal payload and attempts to exploit a multitude of Adobe Reader, Java or IE vulnerabilities. If the kit detects Chrome as the user agent, it instead redirects to a fake Chrome update installer page that the user needs to agree to download and install. Shukor believes that this is due to Chrome rendering PDF files with a non-Adobe reader, and to the fact that Chrome requires permission from the user before executing Java applets.
Researchers from F-Secure recently discovered Mac malware targeting Tibetan supporters being served up by a compromised website connected to the Dalai Lama. This malware, known as Dockster, exploits the exact same Java vulnerability (CVE-2012-0507) used by the Flashback trojan earlier this year. Users running the current version of OS X are not vulnerable, nor are those who have disabled the Java browser plug-in. Additionally, the compromised site is also serving up a Windows-based trojan which also leverages a vulnerability in Java allowing remote code execution.
Last week we pointed readers towards a blog AusCERT has published in response to the Australian Defence Signals Directorate's updated "35 Strategies to Mitigate Targeted Cyber Intrusions". The blog provides some advice on how to apply appropriate security controls from a non-technical perspective. In addition to this blog, AusCERT has also published a paper which gives readers some practical suggestions for the implementation of the top four of these 35 strategies including how to gain buy-in with key decision makers. Highly recommended reading!
This week's top four bulletins (in no particular order):
1) ESB-2012.1132 - [Win][UNIX/Linux] BIND: Denial of service - Remote/unauthenticated
First up is a critical vulnerability in ISC's BIND, which can allow for a remote unauthenticated denial of service. This particular vulnerability only affects installations of BIND which are configured to use DNS64, and ISC has stated that the vulnerability can be exploited without extensive effort.
2) ASB-2012.0170 - [VMware ESX][Appliance] McAfee Email Gateway: Cross-site scripting - Remote with user interaction
McAfee this week released a bulletin detailing two vulnerabilities in its McAfee Email Gateway product (aka MEG). The more serious of the two could allow for webmail users to be affected by cross-site scripting, while the other vulnerability could allow existing users of the Secure Web Mail Client to cause a denial of service.
3) ESB-2012.1126 - [Win][UNIX/Linux][Debian] apache2: Multiple vulnerabilities
Up next are two vulnerabilities in Apache HTTPD Server. The first could cause a remote denial of service. The second, known as the "CRIME" attack, could allow a man-in-the-middle attack when SSL/TLS data compression is used on an HTTPS connection to a web browser.
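As an added illustration for this bulletin (not taken from the AusCERT bulletin or the Apache project), here is an Apache httpd SSL virtual host fragment showing the weak setting beside the corrected one. It assumes an httpd build that recognises the SSLCompression directive, and the host name and certificate paths are hypothetical.

```apacheconf
# Weak: TLS-level compression left enabled on an HTTPS virtual host.
# With compression on, a man-in-the-middle who can observe the encrypted
# record lengths can mount the CRIME attack described above.
<VirtualHost *:443>
    ServerName www.example.com            # hypothetical host name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem    # placeholder path
    SSLCertificateKeyFile /etc/ssl/private/example.key  # placeholder path
    SSLCompression on
</VirtualHost>

# Corrected: TLS compression disabled, so record sizes no longer depend on
# how well attacker-controlled data compresses alongside secrets such as
# session cookies. Apply this to every SSL-enabled virtual host.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.pem
    SSLCertificateKeyFile /etc/ssl/private/example.key
    SSLCompression off
</VirtualHost>
```

Run `apachectl configtest` after the change: httpd builds that predate the directive reject it as an unknown option, which tells you the server needs updating before compression can be switched off this way.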
4) ASB-2012.0166 - [Win][Linux][OSX] Google Chrome: Multiple vulnerabilities
This week's obligatory web browser bulletin mention goes out to Google Chrome for the second week in a row, because we all want to patch/update our web browsers on a weekly basis!
Lastly, a quick reminder that the Call for Presentations and Tutorials for the AusCERT2013 Conference is currently open and the deadline for submissions is 31st January 2013. AusCERT welcomes original contributions for presentations and tutorials not previously published under a range of broad categories. For more information please go to: http://conference.auscert.org.au/conf2013/CFP.html
Have a great weekend!
Jonathan