Firefox 26 blocks Java plugins by default

December 11, 2013 – 5:02 AM

Mozilla released Firefox 26 which includes five critical, three high, three moderate, and three low security updates.

All Java plugins now default to ‘click to play’, which is a welcome security addition.

Benjamin Smedberg, Engineering Manager, Stability and Plugins at Mozilla commented: “When Mozilla conducted a user research study on the prototype implementation of click-to-play plugins earlier this year, we discovered that many users did not understand what a plugin was. Participants were confused or annoyed by the experience, especially having to enable plugins on the same site repeatedly. We redesigned the click-to-play feature to focus on enabling plugins per-site, rather than enabling individual plugin instances on the page.”

The password manager now supports script-generated password fields, and updates can now be performed by Windows users without write permissions to the Firefox install directory (requires the Mozilla Maintenance Service).

Source:
http://www.net-security.org/secworld.php?id=16088

Have I been pwned?

December 6, 2013 – 4:53 PM

A very useful site was just created to check if any of your online accounts have been compromised (yet):

http://www.haveibeenpwned.com/

It’s trustworthy…I know the guy who runs it and it will be updated with all the major data breaches going forward.

New type of audio malware transmits through speakers and microphones

December 3, 2013 – 5:54 PM

A few weeks ago, security researcher Dragos Ruiu publicly claimed that computers in his lab were being infected by some sort of stealthy over-the-air transmission method that relied on ordinary speakers and microphones to transmit the malware payload from system to system. Ruiu nicknamed this bug “badBIOS,” and research into its existence (or lack thereof) continues. Multiple security researchers have lined up on both sides of the issue.

Now, however, there’s proof that at least one key aspect of badBIOS’ supposed design isn’t science fiction. Researchers have published a paper on how malware can be designed to cross the air gap by transmitting information through speakers and recording it via microphone. An air gap is a measure that boosts the security of a system by physically isolating it from other, less secure networks. Rather than relying on TCP/IP, the research team used a network stack originally developed for underwater communication.

The signal was propagated using a software-defined modem based on the GNU Radio project. They also tested with a mini-modem, but found the software-defined modem had better range characteristics. Over line of sight the link worked at distances of up to 19.7 m, and the researchers were able to ping back and forth between systems over it.
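The acoustic link described above, as an added example that is not code from the article or from the researchers: a binary frequency-shift-keying software modem simulated in pure Python, with speaker, air and microphone replaced by an attenuate-plus-Gaussian-noise channel so it runs offline. The sample rate, baud rate, the near-ultrasonic tone frequencies and the one-byte preamble/length framing are all my assumptions, not values from the page.

```python
# Added example, not code from the page or the Fraunhofer researchers: a binary
# frequency-shift-keying (FSK) software modem simulated in pure Python.
# Assumed parameters (not from the page): 48 kHz sample rate, 100 baud,
# near-ultrasonic tones at 18.5 kHz (bit 0) and 19.5 kHz (bit 1).
import math
import random

FS = 48_000                # sample rate in Hz (assumed)
BAUD = 100                 # bits per second (assumed; slow, which buys range)
F0, F1 = 18_500, 19_500    # tone frequencies for bit 0 / bit 1 (assumed)
SPB = FS // BAUD           # samples per bit: 480, so both tones sit on exact DFT bins
PREAMBLE = 0xAA            # 10101010: lets the receiver sanity-check bit alignment


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def modulate(data: bytes) -> list:
    """Turn bytes into PCM samples: one tone per bit, phase carried across bits
    so the waveform has no clicks at bit boundaries."""
    samples, phase = [], 0.0
    for bit in _bits(data):
        step = 2 * math.pi * (F1 if bit else F0) / FS
        for _ in range(SPB):
            samples.append(math.sin(phase))
            phase = (phase + step) % (2 * math.pi)
    return samples


def goertzel_power(window, freq: float) -> float:
    """Power |X[k]|^2 of the DFT bin nearest freq (Goertzel algorithm). Cheaper
    than a full FFT when only two bins are needed, hence its use in FSK receivers."""
    n = len(window)
    k = round(n * freq / FS)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in window:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples) -> bytes:
    """Decide each bit by comparing energy at F1 against F0, then pack the bits
    into bytes (MSB first). Assumes the receiver is bit-aligned with the sender."""
    bits = []
    for i in range(len(samples) // SPB):
        window = samples[i * SPB:(i + 1) * SPB]
        bits.append(1 if goertzel_power(window, F1) > goertzel_power(window, F0) else 0)
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def acoustic_channel(samples, gain=0.2, noise_std=0.3, seed=1):
    """Stand-in for speaker -> air -> microphone: attenuate and add Gaussian
    noise. With these defaults the per-sample SNR is below 0 dB; the 480-sample
    integration inside the Goertzel filter is what recovers the bits."""
    rng = random.Random(seed)
    return [gain * s + rng.gauss(0.0, noise_std) for s in samples]


def encode_frame(payload: bytes) -> list:
    """Frame = preamble byte, length byte, payload (max 255 bytes)."""
    if len(payload) > 255:
        raise ValueError("payload too long for a one-byte length field")
    return modulate(bytes([PREAMBLE, len(payload)]) + payload)


def decode_frame(samples):
    """Inverse of encode_frame; returns the payload, or None if the preamble is
    wrong or the frame is truncated."""
    raw = demodulate(samples)
    if len(raw) < 2 or raw[0] != PREAMBLE:
        return None
    length = raw[1]
    if len(raw) < 2 + length:
        return None
    return raw[2:2 + length]


if __name__ == "__main__":
    # One "ping" across the simulated air gap and the "pong" back.
    for msg in (b"ping", b"pong"):
        print(msg, "->", decode_frame(acoustic_channel(encode_frame(msg))))
```

Feeding `modulate()`'s output to a sound card and `demodulate()` a microphone capture is the part this simulation leaves out; the point it does show is that a two-tone receiver integrating over a whole bit period pulls a signal out from well below the per-sample noise floor, which is why a slow covert link across a room is plausible.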

Source:
http://www.extremetech.com/computing/171949-new-type-of-audio-malware-transmits-through-speakers-and-microphones

Virus can attack ‘any bank anywhere’

November 29, 2013 – 7:10 AM

Kaspersky Lab has recorded several thousand attempts to infect computers used for online banking with a malicious programme that its creators claim can attack “any bank in any country”.

The Neverquest Trojan banker supports just about every possible trick used to bypass online banking security systems: web injection, remote system access, social engineering, and so on. In light of the Trojan’s self-replication capabilities, a sharp rise in the number of attacks involving Neverquest can be expected, resulting in financial losses for users all over the world.

The weeks prior to the Christmas and New Year holidays are traditionally a period of high malicious user activity. As early as November there have been instances where posts were made in hacker forums about buying and selling databases to access bank accounts and other documents used to open and manage the accounts to which stolen funds are sent.

Neverquest appeared on the market even earlier – an advert looking for a partner to work with the Trojan on the servers of a group of cybercriminals, with their support, was posted in July of this year.

Sergey Golovanov, Principal Security Researcher, Kaspersky Lab, commented: “After wrapping up several criminal cases associated with the creation and proliferation of malware used to steal bank website data, a few ‘holes’ appeared on the black market. New malicious users are trying to fill these with new technologies and ideas.”

Source:
http://www.iol.co.za/scitech/technology/security/virus-can-attack-any-bank-anywhere-1.1613989

JPEG Files Used For Targeted Attack Malware

November 29, 2013 – 7:04 AM

We recently came across some malware of the SOGOMOT and MIRYAGO families that update themselves in an unusual way: they download JPEG files that contain encrypted configuration files and binaries. We believe that this activity has been ongoing since at least the middle of 2010. A notable detail is that these malware families hide their configuration files inside the JPEGs. The JPEGs are hosted on sites in the Asia-Pacific region, and we believe these malware families are used in targeted attacks in that region as well.

Analysis of the JPEG updates

While the contents of the JPEG file are encrypted, we were able to decrypt and analyze the contents of these files. We can divide these into three groups:

  • configuration file (Type A)
  • configuration file (Type B)
  • binary content (either DLL or EXE files)

The first kind of configuration file (Type A) is similar to what we’ve seen with other malware. It contains information that allows the malware to process commands from an attacker, change settings or modules, and update itself. Among these settings are URLs where other malicious JPEG files are hosted. In addition, these files indicate that the attacker may have already compromised the targeted organization(s), as some of the information pertains to specific machines or individuals within them.
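One triage check a practitioner would want for the JPEG-based update channel described above, added here as an example that is neither Trend Micro’s tooling nor a reconstruction of the SOGOMOT/MIRYAGO format (the page does not say how the encrypted data is stored inside the image): walk the JPEG marker structure properly, locate the End-Of-Image marker and report any bytes appended after it along with their Shannon entropy. “Payload after EOI” is an assumption about one common hiding spot, and the sample files are constructed inline.

```python
# Added example (not Trend Micro's code and not the SOGOMOT/MIRYAGO format, which
# the page does not describe): walk the JPEG marker structure, find End-Of-Image
# (EOI) and report anything appended after it together with its Shannon entropy.
# Assumption: the encrypted config rides after EOI, one common hiding spot;
# image decoders ignore trailing bytes, so such a file still displays normally.
import math
import random

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0..RST7 carry no length field


def find_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if data is not a JPEG
    or the marker chain is broken. Handles byte stuffing (FF 00), restart
    markers and multi-scan (progressive) files."""
    if data[:2] != bytes([0xFF, SOI]):
        return -1
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            if not in_scan:
                return -1              # header must be a chain of marker segments
            pos += 1                   # entropy-coded byte
            continue
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
        elif marker == 0x00:           # stuffed 0xFF inside scan data
            if not in_scan:
                return -1
            pos += 2
        elif marker in STANDALONE:
            pos += 2
        elif marker == EOI:
            return pos + 2
        else:                          # segment with a 16-bit big-endian length
            if pos + 4 > len(data):
                return -1
            seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seglen < 2:
                return -1
            pos += 2 + seglen
            in_scan = marker == SOS    # entropy-coded data follows an SOS segment
    return -1


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: approaches 8.0 for large encrypted or compressed blobs,
    0.0 for a constant run. Bounded by log2(len(buf)) for short inputs."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def trailing_payload(data: bytes):
    """Return (offset, trailing_bytes, entropy) for data after EOI, or None
    if the file ends at EOI or is not a parseable JPEG."""
    end = find_eoi(data)
    if end < 0 or end >= len(data):
        return None
    tail = data[end:]
    return end, tail, shannon_entropy(tail)


# Constructed sample inputs (not real captures): a minimal JPEG skeleton with
# byte stuffing and a restart marker in the scan, then the same file with 64
# pseudo-random bytes appended to stand in for an encrypted configuration.
_SKELETON = (
    bytes([0xFF, SOI])
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                               # scan data
    + bytes([0xFF, EOI])
)
_rng = random.Random(2013)
CLEAN_JPEG = _SKELETON
STEGO_JPEG = _SKELETON + bytes(_rng.getrandbits(8) for _ in range(64))


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("suspicious", STEGO_JPEG)):
        hit = trailing_payload(blob)
        if hit is None:
            print(f"{name}: nothing after EOI")
        else:
            off, tail, ent = hit
            print(f"{name}: {len(tail)} bytes after EOI at offset {off}, "
                  f"entropy {ent:.2f} bits/byte")
```

Parsing the marker chain rather than searching for the first `FF D9` matters because that byte pair can legitimately occur inside scan data only as part of a stuffed or restart sequence, which the walker skips; a high-entropy tail behind a valid image is worth pulling for analysis, but thumbnails and vendor trailers also live there, so treat the check as a lead, not a verdict.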

Source:
http://blog.trendmicro.com/trendlabs-security-intelligence/jpeg-files-used-for-targeted-attack-malware/