Asus warns of a virus infection in shipping Eee Boxes

The Japanese division of Taiwanese computer and component manufacturer Asus is warning customers that shipping versions of its Eee Box B202 desktop computer are infected with a virus. According to Asus, the virus is located on the D drive in a file called recycled.exe. When the user opens the D drive, the virus is triggered and immediately starts copying itself onto the C drive and any connected USB media.

Why the virus is there, though, and how it got onto the disks, Asus is not saying. Nor will it comment if infected machines are shipping outside of Japan, although The Register has found a different infection on a UK unit.

Apart from its apologies, Asus is offering its customers assistance with the problem.

Source:
http://www.heise-online.co.uk/news/Asus-warns-of-a-virus-infection-in-shipping-Eee-Boxes–/111691

Posted in Hardware, Internet, Privacy, Security | No Comments

Anatomy of a SQL Injection Attack

While there are a number of security risks in the world of electronic commerce, SQL injection is one of the most common Web site attack techniques used to steal customer data such as credit card numbers, hold customer data hostage by encrypting it or destroy data outright.

Where a Web server only understands and speaks the HTTP protocol, a database’s native tongue is Structured Query Language (SQL), which is essentially a set of command statements that instruct a database to execute specific actions. Every database server has a similar series of commands to query its tables, narrow down results to a few specific entries, and combine information from one table to another.

Here is an example SQL query:

SELECT — FROM users WHERE Email = ‘” + Email + “‘ AND Password = ‘” + Password + “‘;

The WHERE specifies a condition, that an e-mail address and password combination match data present in the “users” table. When this command is given to the database server, it returns true if a match is found and a false if there is no match.

When clients send data on the Web, they use URLs and forms to assemble the database query statements. The following URL represents an example login page for a Web application:

GET /shopping_cart/[email protected]&Password=$ecret123 HTTP/1.1

This URL shows that the destination application is a Microsoft ASP page and it is accepting two parameters, one called “Email” and the other called “Password.” If the user credentials are correct then the result of this query will provide response data that represents a successful authentication and will be used to allow the client to proceed to the corresponding Web page.

Source:
http://www.pcworld.com/article/152054/sql_injection_attack.html?tk=rss_news

Posted in Internet, Linux, Privacy, Security, Windows | No Comments

Firefox Extension Blocks Dangerous Web Attack

A popular free security tool for the Firefox browser has been upgraded to block one of the most dangerous and troubling security problems facing the Web today.

NoScript is a small application that integrates into Firefox. It blocks scripts in programming languages such as JavaScript and Java from executing on untrusted Web pages. The scripts could be used to launch an attack on a PC.

The latest release of NoScript, version 1.8.2.1, will stop so-called “clickjacking,” where a person browsing the Web clicks on a malicious, invisible link without realizing it, said Giorgio Maone, an Italian security researcher who wrote and maintains the program.

Clickjacking has been known for several years but is drawing attention again after two security researchers, Robert Hansen and Jeremiah Grossman, warned last month of new scenarios that could compromise a person’s privacy or even worse, steal money from a bank account.

Unfortunately, clickjacking is possible due to a fundamental design feature in HTML that allows Web sites to embed content from other Web pages, Maone said. Nearly all Web browsers are vulnerable to a clickjacking attack.

Source:
http://www.pcworld.com/article/152025/firefox_addon_protects.html?tk=rss_news

Posted in Internet, Linux, Privacy, Security, Windows | No Comments

Fake SSL Certificates Seen Again

Online banks use cryptographic protocols to secure the exchange of information on the Web, and hackers do not hesitate to adapt to this technology too. A new case of fake SSL (Secure Sockets Layer) certificates appeared again, following phishing threats we’ve seen last April and May.

This time, the website of Open Banks Enterprises was faked by malware authors using Rock Phish Kit.  Like similar phishing or malware cases, this spoofed site asks customers to download a new security certificate. The site even displays options for Windows users and Mac users, but users are led to .EXE files, which perform malicious routines on systems, compromising their security instead of securing online transactions like security certificates are supposed to do.

Source:
http://blog.trendmicro.com/fake-ssl-certificates-seen-again/

Posted in Internet, Privacy, Security | No Comments

Net game turns PC into undercover surveillance zombie

Underscoring the severity of a new class of vulnerability known as clickjacking, a blogger has created a proof-of-concept game that uses a PC’s video cam and microphone to secretly spy on the player.

The demo, which is available here, appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe’s Flash technology to record the player using the PC’s video camera and microphone.

The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he’s clicking on a link that leads to Google – when in fact it takes him to a money transfer page, a banner ad that’s part of a click-fraud scheme, or any other destination the attacker chooses.

It plagues every major browser, Adobe Flash, and many other browsing technologies, according to Jeremiah Grossman and Robert “RSnake” Hansen, the researchers who first sounded the clickjacking alarm. The pair was scheduled to detail the threat two weeks ago at at OWASP’s AppSec 2008 Conference in New York, but canceled the talk at the request of Adobe.

The unnamed blogger behind the game said his proof of concept used Flash, but the writer went on to say that the same thing could have been achieved using Java, SilverLight, or Dynamic Hyper Text Markup Language.

Source:
http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/

Posted in Internet, Linux, Privacy, Security, Windows | No Comments