Wireshark 1.0.8 Released

May 25, 2009 – 6:52 AM

Version 1.0.8 of the Wireshark network protocol analyser has fixed a few bugs, including one that affects the processing of the PCNFSD protocol. Crafted packets can crash the PCNFSD dissector, and the developers classify this as a security vulnerability. A PCNFS server is included in Microsoft Windows Services for UNIX, for example.

The new version also eliminates bugs in Lua integration and in the SCCP and NDMP dissectors. Though these can also cause a crash in certain cases, they don’t affect security. Protocol support for ASN.1, DICOM, RTCP, SSL and STANAG has also been updated.

Source:
http://www.h-online.com/security/Security-update-for-Wireshark--/news/113364

Websites keeping deleted photos

May 22, 2009 – 7:31 AM

User photographs can still be found on many social networking sites even after people have deleted them, Cambridge University researchers have said.

They put photos on 16 popular websites – noting the web addresses where the images were stored – and deleted them.

The team said it was able to find them on seven sites – including Facebook – using the direct addresses, even after the photos appeared to have gone.

Facebook says deleted photos are removed from its servers “immediately”.

The Cambridge University researchers said special photo-sharing sites, such as Flickr and Google’s Picasa, did better and Microsoft’s Windows Live Spaces removed the photos instantly.

Source:
http://news.bbc.co.uk/2/hi/uk_news/8060407.stm

Twitter users warned of new phishing scam

May 21, 2009 – 6:28 PM

Security experts are warning Twitter users of a new phishing scam that could lead to their accounts being compromised.

The typo-squatting site, which was discovered by Rik Ferguson, senior security advisor at Trend Micro, has been set up by phishers to look like Twitter, although the URL uses only two ‘t’s and replaces the ‘w’ with ‘vv’ (www.tvviter.com) to make it appear authentic.

“Please don’t visit this site,” wrote Ferguson on Trend Micro’s official blog. “It has been designed to harvest credentials, and is currently directing users (through intermediate fake personal web sites and using URL shortening services) to sites hosting euphemistically titled ‘Adult Dating Services’ by automatically adding followers to the compromised accounts.”

Those who are conned into handing over their account details will find new account followers who post links in their profiles redirecting users to adult dating sites.

“These sites make the scammers money in the process through a pay-per-click affiliate scheme,” said Ferguson. “The URLs concerned are under ongoing analysis for malicious content. Please do not feel tempted to visit them, even out of curiosity.”

Source:
http://www.vnunet.com/vnunet/news/2242712/twitter-phishing-scam-uncovered
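
The lookalike trick described above (a 'vv' standing in for 'w', plus a dropped 't') can be caught by collapsing confusable character sequences and then measuring edit distance to the real brand name. The following is an added example, not code from the article or from Trend Micro; the brand list, the confusable table and the distance threshold are assumptions chosen for illustration.

```python
# Added example: flag lookalike domains such as the "tvviter" case above.
# PROTECTED and CONFUSABLES are assumptions chosen for illustration.
PROTECTED = ["twitter"]
# Visual substitutions (constructed list, not exhaustive).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def registrable_label(host):
    """Return the label left of the TLD, e.g. 'www.tvviter.com' -> 'tvviter'.
    Simplification: assumes a single-label TLD (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label):
    """Collapse visually confusable sequences to the character they imitate."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, max_distance=1):
    """Return (verdict, brand); verdict is 'exact', 'lookalike' or 'unrelated'."""
    label = registrable_label(host)
    for brand in PROTECTED:
        if label == brand:
            return ("exact", brand)
        if edit_distance(skeleton(label), brand) <= max_distance:
            return ("lookalike", brand)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample hostnames; only www.tvviter.com comes from the article.
    for h in ["twitter.com", "www.tvviter.com", "tvvitter.com", "example.org"]:
        print(h, classify(h))
```

A check like this fits in a mail gateway or proxy log review, where hostnames classified as 'lookalike' are held for inspection rather than followed.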

Enterprise Wi-Fi Gets a Security Boost

May 19, 2009 – 2:22 PM

The Wi-Fi Alliance has expanded its WPA2 certification program to include a tool for secure handoffs between Wi-Fi and 3G networks, as well as an authentication system that uses multiple secured tunnels.

WPA2 (Wi-Fi Protected Access 2) is the most advanced security standard for Wi-Fi. The WPA2 certification program already included five other EAP (extensible authentication protocol) methods. The Wi-Fi Alliance tests routers, access points and client devices for interoperability using certain protocols and certifies them with its logo.

The newly added protocols, EAP-AKA (Authentication and Key Agreement) and EAP-FAST (Flexible Authentication via Secure Tunneling), are designed to better secure enterprise Wi-Fi LANs.

EAP-AKA was developed by the 3GPP (Third-Generation Partnership Project), the main standards body for 3G networks, and has been in use for a few years on both UMTS (Universal Mobile Telecommunications System) and CDMA2000 (Code-Division Multiple Access) networks. It allows for the handoff of calls between cellular and Wi-Fi networks using a single user identifier. As more mobile phones are equipped with Wi-Fi and more laptops and netbooks gain cellular data capability, having a standard way to shift calls from paid carrier networks to free Wi-Fi could be valuable, especially in enterprises that have rolled out Wi-Fi across their offices.

Cisco Systems created EAP-FAST several years ago as a replacement for its LEAP (Lightweight EAP), which was found to be vulnerable to certain types of attacks. Those included “dictionary” attacks, so-called because they generate a series of likely guesses at the network’s decryption key or passphrase. EAP-FAST is now an open international standard.

Source:
http://www.pcworld.com/article/165173/wifi_wpa2.html?tk=rss_news

Gumblar Malware Exploit Circulating

May 18, 2009 – 9:34 PM

US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials, but sites may also be compromised through poor configuration settings, vulnerable web applications, etc. The second stage of this exploit occurs when users visit a website compromised by Gumblar. Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware. This malware may be used by attackers to monitor network traffic and obtain sensitive information, including FTP and login credentials, that can be used to conduct further exploits. Additionally, this malware may also redirect Google search results for the infected user.

US-CERT encourages users and administrators to apply software updates in a timely manner and use up-to-date antivirus software to help mitigate the risks.

Source:
http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating