Monday, 23 May 2011

Google rolls out silent fix for Android security vulnerability

Google rolls out silent fix for Android security vulnerability: "

AndroidsThere's good news for any owners of Android devices worried about the recently announced security vulnerability that could allow allow unauthorised parties to snoop on your Google Calendar and Contacts information.


Google has already started rolling out a fix!


The issue had already been fixed in Android 2.3.4 (codenamed Gingerbread), but as we mentioned earlier this week over 99% of Android users are running earlier versions of the operating system.


Google has started to implement a server-side patch that addresses the issue for all versions of the Android OS. The great news is that it doesn't require a software update on the Android devices themselves - meaning the fix is automatic and worldwide. Effectively this is a silent fix.


The fix addresses a vulnerability with the use of authTokens for Google's Calendar and Contacts apps discovered by researchers at Germany's University of Ulm, but a similar issue with Picasa is still being investigated. If not fixed, the problems could mean that a hacker could snoop on your activity when you use an unencrypted WiFi hotspot and steal personal information.


Google reckons the work will be complete, and all devices secured from this vulnerability, within the week by forcing its servers to use an encrypted HTTPS connection when Android phones try to sync with them.


Here's what a Google spokesperson had to say:


'Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.'


So, it's a very good thing that this problem is being fixed. Of course, concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates.





"

" The Roving Giraffe News Report " provided by Ace News

Microsoft study asserts social engineering more common than exploitation

Microsoft study asserts social engineering more common than exploitation: "

OK buttonEarlier this week Microsoft posted a blog entry showing statistics from their SmartScreen technology built into Internet Explorer (IE) 7, 8 and 9.


Their conclusions? One in every 14 downloads is malicious (of the malicious files that Microsoft is aware of) and this represents between two and five million malware attacks per day against IE users. Microsoft uses this to assert that users are falling prey to malicious downloads far more often than drive-by exploits.


While these statistics are fascinating, and very useful for those of us without the ability to collect this type of information, Microsoft is comparing apples to. . . nothing.


SmartScreen itself is unable to prevent exploits from convincing Adobe Reader, iTunes, Real Player, Adobe Flash, Java and other technologies from downloading malicious content, and Microsoft hasn't presented any data on how often exploits are actually being used.


The purpose of their post is to point out the success of Microsoft's reputation filtering they added in IE 9. While it is an interesting step forward, Microsoft's own statistics raise more questions than they answer.


Microsoft states that 90% of downloads do not trigger a warning, which implies that 1 in every 10 times I try to grab something I get a scary warning message. When I receive this scary warning message, there is a 30% to 75% chance that it is a false positive.


This reminds me of an article I wrote for Virus Bulletin last year about browser SSL certificate warnings. Considering the scary warning messages that browsers display to users and the frequency with which they are confronted with these warnings, we end up training our users to simply click through.


Users think, 'If this were truly dangerous, it would have simply been blocked, right?' Microsoft's statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.


Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?


Later in their post they claim that a typical user is presented this warning only two times per year. If that is true, that means users are only downloading 20 files per year and won't see this too often. I don't know anyone who only downloads 20 files per year.


These numbers just don't really add up.


Microsoft also points out that applications triggering the warning are not Authenticode signed most of the time. While the concept of digital signatures representing trustworthiness is at the heart of many security solutions, its implementation is often flawed.


As we saw with the Stuxnet worm last year, legitimate signing certificates that were 'trusted' were stolen and used by malware authors to increase their chances of bypassing security technologies.


I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems. When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock.


Earlier this month we saw a large number of Apple Mac users falling victim to a fake anti-virus attack that required them to type their administrative password. Clearly users will jump through hoops when presented with the opportunity if they are being tricked into doing something they think they want to do.


As security experts we need to make safety online as black and white as possible. While SmartScreen is doing a great job at stopping known badware, I'm not convinced that reputation technologies that require users to make technological decisions are the right answer to the problem.





"

" The Roving Giraffe News Report " provided by Ace News

Hottest & Funniest Golf Course Video scam spreads virally on Facebook - beware!

Hottest & Funniest Golf Course Video scam spreads virally on Facebook - beware!: "

Yet another scam is spreading virally across Facebook, posing as a video in a scheme to make money for the confidence tricksters behind it.


The messages show what appears to be a thumbnail of a video showing a man standing closely behind a scantily clad woman to give her golfing advice.


The Hottest & Funniest Golf Course Video - LOL. Watch the Hottest & Funniest Golf Course Video Don\



The Hottest & Funniest Golf Course Video - LOL

[LINK]

Watch the Hottest & Funniest Golf Course Video Don\


Another version of the scam uses football rather than golf as the lure:


The Most Funniest & Hottest Footbal Video - Must Watch!


The Most Funniest & Hottest Footbal Video - Must Watch!

[LINK]

Watch the Funniest & Hottest Footbal Video - Must Watch!


The links in the messages we have seen so far have pointed to a webpage at blogspot.com, although this could - of course - be changed by the scammers in future variations.


If you make the mistake of clicking on the link in the hope that you might see a funny saucy video you will find that you have fallen straight into the scammers' trap - as your Facebook page has been updated to say that you also 'Like' the page, thus sharing it virally with all of your friends.


You will also be encouraged to complete an online survey for 'verification' purposes, which in reality only earns commission for the bad guys who kicked off the money-making scheme in the first place.


The Hottest & Funniest Golf Course Video survey


Unfortunately, when I tested the scam I found no evidence that Facebook's newly introduced security measures to intercept scams and warn of dangerous links had been effective.


How to clean-up the scam from your Facebook page


If you have been unfortunate enough to have been hit by this scam, here's how you clean-up.


Move your mouse above the offending entry on your Facebook page and you should see an 'X' appear in the top right hand corner of the post. You should now be able to mark the post as spam (which will remove it from your page).


Remove the post by marking it as spam


Unfortunately, this hasn't also removed the page from the list of pages you like, so you will need to edit your profile to manually remove it. You should find it listed under 'Activities and Interests'.


Unlike the offending webpage


Be sure to remove any other pages you don't recognise in that list also.


If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.


Hat-tip: Thanks to Naked Security reader Lars for first alerting us to this attack.





"

" The Roving Giraffe News Report " provided by Ace News

Converting currency on Google can lead to malware attack

Converting currency on Google can lead to malware attack: "

Euro and dollarOne of the guys at the North American branch of SophosLabs recently stumbled across some Euros following an overseas trip, and wondered how much they were worth in dollars.


So he did what any of us would probably do. He Googled it.



215 euro to usd


Google very cleverly and kindly tells you what it believes the conversion rate to be, but you're also given a number of search results:


Euro to USD currency conversion search results


It's that final search result which is of interest to us. A quick search finds a number of other webpages which don't just use keywords related to currency conversion, but also other terms - 'dirty sexist jokes', for instance.


Euro to USD currency conversion search results


What is occurring here is SEO poisoning, where bad guys create poisoned webpages related to certain search terms in the hope that you will come across them and infect your computer.


The good news is that Sophos can offer a layered defence against this attack.


The initial webpage is blocked by Sophos as Mal/SEORed-A. It acts effectively as the doorway to the rest of the attack.


The site delivering the actual malicious payload is also blocked, and Sophos detects the exploit itself as Troj/ExpJS-BP.


Finally, the Java class files pushed by the exploit code are detected as Mal/JavaDldr-B.


Neat!


We see online criminals poisoning search engine results using blackhat SEO techniques a lot.


Fraser and Onur in our labs have written an excellent technical paper (PDF) which discusses the problem, and lifts the lid on how the bad guys are using automated kits to do their dirty work for them.


SEO poisoning technical paper



It's a great read. Check it out now.





"

" The Roving Giraffe News Report " provided by Ace News