Security

Julianne Hough leaked photos published after phone hack

Published: September 1, 2011 Reading Time: 2 min

SophosLabs: Julianne Hough is famous in the United States not just for being an actress and country music singer, and dating “American Idol” host Ryan Seacrest, but also for having won ABC’s “Dancing with the Stars” TV show twice. So, hardly the kind of woman who you would think would need to resort to a cheap publicity stunt to raise her profile. But no doubt there are skeptics who are right now wondering if the news that her mobile phone was “hacked” and one hundred of her private photographs published on the net is nothing more than a way of gaining attention. ...

kernel.org compromised

Published: August 31, 2011 Reading Time: 3 min

Read it yourself…

---------- Forwarded message ----------
From: J.H.
Date: 2011/8/29
Subject: [kernel.org users] [KORG] Master back-end break-in
To: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Afternoon Everyone,

As you can guess from the subject line, I've not had what many would consider a "good" day. Earlier today discovered a trojan existing on HPA's personal colo machine, as well as hera. Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this.

As it stands right now, HPA is working on cleaning his box, and I'm working on hera (odin1 and zeus1 are out of rotation still for other reasons), mainly so that if one of us finds something of interest, we can deal with it and compare notes on the other box.

Points of interest:

- Break-in seems to have initially occurred no later than August 12th
- Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live. These have been uninstalled and removed, all processes were killed and known good copies were reinstalled. That said all users may wish to consider taking this opportunity to change their passwords and update ssh keys (particularly if you had an ssh private key on hera). This seems to have occurred on or around August 19th.
- A trojan startup file was added to rc3.d
- User interactions were logged, as well as some exploit code. We have retained this for now.
- Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If you see this, and you don't have Xnest installed, please investigate.
- It *appears* that 3.1-rc2 might have blocked the exploit injector, we don't know if this is intentional or a side effect of another bugfix or change.
- System is being verified from backups, signatures, etc. As of right now things look correct, however we may take the system down soon to do a full reinstall and for more invasive checking.
- As a precaution a number of packages have been removed from the system, if something was removed that you were using please let us know so we can put it back.
- At this time we do not know the vector that was used to get into the systems, but the attackers had gained root access level privileges.

That's what we know right now, some of the recent instabilities may have been caused by these intrusions, and we are looking into everything. If you are on the box, keep an eye out, and if you see something please let us know immediately. Beyond that, verify your git trees and make sure things are correct.

- John 'Warthog9' Hawley
Chief Kernel.org Administrator
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk5a5U0ACgkQ/E3kyWU9dif+1ACfYPlgq/keFrFO77AmQVduKGwx
TAcAnRAu6nHt74+5aC+fPeb8aT0hcy2K
=Semd
-----END PGP SIGNATURE-----

An update on attempted man-in-the-middle attacks

Published: August 31, 2011 Reading Time: 1 min

Google: Today we received reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). Google Chrome users were protected from this attack because Chrome was able to detect the fraudulent certificate. ...

Panda Cloud Antivirus makes firewall social

Published: August 31, 2011 Reading Time: 2 min

BetaNews.com: Panda Security has released Panda Cloud Antivirus 1.9.1 Beta, a preview of its forthcoming 2.0 release. The beta sees Panda’s lightweight free cloud-based antivirus tool add firewall protection for the first time. The new firewall is community based, which means it’s capable of detecting known processes and setting appropriate levels of protection for them without bothering the end user with a pop-up alert. The new firewall is visible from a new tab on the Panda Cloud Antivirus interface. ...

Firefox, Thunderbird and SeaMonkey blacklist bad DigiNotar SSL certificates

Published: August 31, 2011 Reading Time: 2 min

Mozilla Security Blog: Mozilla just released an update to Firefox for Desktop, Thunderbird and SeaMonkey. Updates are now available for:

- Firefox for Windows, Mac and Linux (final release)
- Firefox for Windows, Mac and Linux (3.6.21 final release)
- Firefox Aurora for Windows, Mac and Linux
- Firefox Nightly for Windows, Mac and Linux
- SeaMonkey (2.3.2)
- Thunderbird (6.0.1)

We strongly recommend that all users upgrade to these releases. If you already have Firefox, you will receive an automated update notification within 24 to 48 hours. Users can also manually check for updates if they do not want to wait for the automatic update. ...

Hacker steals user data from Nokia developer forum

Published: August 29, 2011 Reading Time: 1 min

H-Online: A vulnerability in its forum software has been exploited by a hacker to compromise mobile phone maker Nokia’s developer forum. The attacker used SQL injection to access the forum database at developer.nokia.com and, according to Nokia, obtained email addresses of registered users. Where configured to be publicly available, the table also includes details such as the user’s date of birth, web site URL and Skype, ICQ or other IM username; this is reported to be the case for around 7 per cent of users. The database did not contain passwords or credit card information. The issue does not, according to Nokia, affect any other Nokia accounts. ...

Screenshots of Chinese hacking tool

Published: August 29, 2011 Reading Time: 2 min

Schneier on Security: It’s hard to know how serious this really is: The screenshots appear as B-roll footage in the documentary for six seconds, between 11:04 and 11:10 minutes, showing custom built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. As of Aug. 22 at 1:30pm EDT, in addition to Youtube, the whole documentary is available on the CCTV website. ...

New worm targeting weak passwords on Remote Desktop connections (port 3389)

Published: August 29, 2011 Reading Time: 2 min

Microsoft Malware Protection Center: We’ve had reports of a new worm in the wild that generates increased RDP traffic for our users on port 3389. Although the overall numbers of computers reporting detections are low in comparison to more established malware families, the traffic it generates is noticeable. The worm is detected as Worm:Win32/Morto.A and you can see a detailed description of it at http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A. Morto attempts to compromise Remote Desktop connections in order to penetrate remote systems, by exploiting weak administrator passwords. Once a new system is compromised, it connects to a remote server in order to download additional information and update its components. It also terminates processes for locally running security applications in order to ensure its activity continues uninterrupted. Affected users should note that a reboot may be required in order to complete the cleaning process. ...

Facebook Makes a Move Toward Security

Published: August 25, 2011 Reading Time: 1 min

Sunbelt: Facebook recently published a guide for its users on how to secure their online accounts from anything that threatens one’s Facebook security. Among those covered are Wall, Chat, and Comment spams, weak passwords, fake applications, and account hacking. Personally, I’m quite happy that Facebook is actually doing something that concerns user security, despite it being quite late come to think about it. Still, better to have something than nothing. ...

phpMyAdmin updates close XSS hole

Published: August 25, 2011 Reading Time: 1 min

H-Online: The phpMyAdmin developers have announced the release of versions 3.4.4 and 3.3.10.4 of their open source database administration tool. According to the security advisory, these maintenance and security updates close a hole (CVE-2011-3181) in the Tracking feature that leads to multiple cross-site scripting (XSS) vulnerabilities. The exploit was discovered by Norman Hippert and is caused due to improper sanitisation when input is passed to the table, column and index names. For an attack to be successful, an attacker must be logged in via phpMyAdmin. Versions 3.3.0 to 3.4.3.2 are affected and the developers consider the problem to be serious. Updating to phpMyAdmin 3.3.10.4 or 3.4.4 fixes the problem. Alternatively, users can apply the provided patches. ...
