Sophos iPhone app – free download now available
June 14, 2010 by admin
Filed under Security News
Sophos has launched its first application for the Apple iPhone – designed to give you a better view of the security threats that are out there, with live hourly updates direct from SophosLabs.
The app, which also runs on the iPod Touch and the iPad, allows you to access Sophos information when you’re on the move or away from your desk, and includes the following supa-dupa features:
Threat Spotlight Experts from our labs detail some of the most interesting threats that they have analysed in the last week, explaining who is at risk, details of the attack and how to avoid becoming a victim.
Latest threats A dynamic list of the latest top ten threats analysed by the experts in SophosLabs, providing detailed information on their prevalence and a helpful link to further details on the Sophos website.
Stats Sexy graphs to bamboozle your boss with – showing in technicolour pie charts the latest stats for top email attachment malware attacks, spam and web-based threats.
Maps Now this is funky. Your iPhone will show you a world map, allowing you to view not just the latest email, spam and web attacks – but where they have been spotted around the world. You can even zoom in on particular countries, and view the subject lines of spams being sent around the globe.
Info Links to our blogs, our latest threat report, and loads of other good stuff.
So, what are you waiting for? Grab it from the Apple App Store now, or search for “Sophos” in the iTunes App Store.
We’re very interested in getting feedback as to what you think of this Sophos app. So please do leave us a rating and a review on iTunes, as it will help us decide if we should develop it further.
Also, if you have the time, why not quickly fill in the following survey to tell us what you’d like to see next from the Sophos Security Threat Monitor app?
Critical patches: Update your Adobe Flash player now
June 11, 2010 by admin
Filed under Security News
Adobe has issued a security bulletin detailing critical vulnerabilities that have been discovered in the current versions of Adobe Flash Player for Windows, Macintosh, Solaris and Linux.
An update issued by Adobe claims to resolve 32 vulnerabilities in Flash Player – which if left unpatched could leave open a door for hackers to infect innocent users’ computers. Some of the security holes are already being exploited by malicious hackers.
Adobe is recommending that users upgrade to Adobe Flash Player 10.1.53.64.
If you’re not sure which version of the Adobe Flash Player you have installed, visit theAbout Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.
Adobe further recommends that users of Adobe AIR version 1.5.3.9130 and earlier versions update to Adobe AIR 2.02.12610.
It is becoming more and more common for cybercriminals to exploit vulnerabilities in Adobe’s software – so it would be a very good idea for everyone to update vulnerable computers as soon as possible.
Bad tidings as Greeting_Card.zip spam spreads malware
June 2, 2010 by admin
Filed under Security News
SophosLabs are intercepting a major new malicious spam campaign which is disguising itself as a greeting card from “someone who cares about you”.
The messages, which have been sent to email addresses around the globe, typically read similar to the following:
Good afternoon,
You have just received a postcard Greeting from someone who cares about you..Please find zip file with your Greeting Card attached to this mail!
Thank you for using www.Greetings.com services !!!
Please take this opportunity to let your friends hear about us by sending them a postcard from our collection !
The messages come complete with an attached ZIP file (Greeting_Card.zip) which contains a malicious payload, designed to infect Windows computers.
Embarrassing privacy flaw found on Facebook
May 19, 2010 by admin
Filed under Security News
A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.
M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.
IDG security reporter Robert McMillan has explained the problem well:
The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.
This is called a CSRF (Cross-site request forgery attack), which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.
The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.
M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.
However, IDG has reported that the security hole is still present.
Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.
If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links..
By Graham Cluley, Sophos
Transport website leaking private information of 168,000 passengers
May 19, 2010 by admin
Filed under Security News
A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.
A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.
However, as magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access how to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.
The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.
Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.
(EPD is the Electronische Patientdossier.. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands).
There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.
Webwereld contacted the authorities, and the website is currently “temporarily unavailable”:
I guess we should all breath a sigh of relief that, in this instance, the hack appears to have orchestrated with the interests of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some smart part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.
By Graham Cluley, Sophos
The Facebook Friend Suggestions security scare
May 14, 2010 by admin
Filed under Security News
Warnings are being posted all across Facebook suggesting that users who have received multiple friend suggestions are really infected with a computer virus.
A typical version of the warning reads as follows:
VIRUS WARNING: ANYONE WHO HAS GOTTEN A TON OF FRIEND SUGGESTIONS BE CAREFUL! IT IS A VIRUS! IF YOU ACCEPT THEM THEN YOUR ACCOUNT WILL SEND OUT ABOUT 85 TO SOMEONE ELSE!!! WARN YOUR FRIENDS NOW! This is a new virus that is sending requests to spread. DO NOT ACCEPT FRIEND SUGGESTIONS AT THE MOMENT!
The reality, however, is somewhat different. Most importantly, the behaviour and sightings of more than the usual number of Friend Suggestions are not a sign of a computer virus infection.
Instead, it appears that Friend Suggestions on Facebook now go to both parties, rather than just the one you specifically suggests takes up your suggestion of a new online connection.
So, imagine you are Tom, and you think that your friend Dick should become Facebook friends with Harry. You visit Dick’s Facebook profile, scroll down to where it says “Suggest friends for Dick” and choose Harry’s name.
Your suggestion that Dick should become friends with Harry doesn’t just go to Dick, but it will also now go to Harry as well. Presumably Facebook has made this change in order to encourage more users to interconnect.
But there’s more.
As Facebook reveals on its help pages about Friend Suggestions, Facebook can alsosuggest possible friends for you to connect with.
It does this by automatically examining “the networks that you are a part of, mutual friends, work and education information, contacts imported using the Friend Finder, and many other factors.”
Aside from the mysteriously ambiguous “many other factors”, the thing I find concerning there is the reference to Friend Finder.
What Facebook means is that they can suggest friends based upon email addresses that you may have imported into Facebook from your email account address book, perhaps when you first set up your account.
What many people may not realise is that even if you didn’t add everyone you imported from your address book as a Facebook friend, Facebook can still use those contacts imported from Outlook, Gmail, Hotmail, Yahoo, etc, in order to make future recommendations.
Therefore, Facebook may also see your email address in other people’s contact lists, and determine relationships based upon that.
If this bothers you (and I can perfectly understand why it would), then Facebook says you can tell it to remove the contacts from its suggestions system. Of course, it might have been better if you hadn’t offered up your address book to Facebook in the first place..
Facebook also says that you can change your privacy settings to prevent your profile from being visible to everyone as a potential friend suggestion.
More information about Facebook’s Friend Suggestions system can be read online here.
No doubt most of the souls forwarding and reposting this latest Facebook security scare to their profiles are oblivious to all these fine details, however, and are still believing that a virus is behind the suggestion messages that they are viewing.
Of course, it should still go without saying, that whether you receive a friend request or a friend suggestion, you should exercise caution about who you befriend on a social network – as it could be a cybercriminal rather than a long lost chum who is trying to access your profile.
Oh, and don’t forget. If you’re on Facebook you might want to become a Fan of Sophos on Facebook to ensure you are kept up-to-date with the latest security news.
By Graham Cluley, Sophos
KHOBE ‘vulnerability’: is this game over for security software?
May 11, 2010 by admin
Filed under Security News
The last couple of days there have been a lot of headlines in the security press about a report by a firm called Matousec, which claimed that “today’s most popular security solutions simply do not work.”
The attack method, dubbed KHOBE and described by Matousec researchers as an “8.0 earthquake for desktop security software”, describes a potential bypass in the way some parts of some anti-malware products operate on some versions of Microsoft Windows.
The dramatic headlines might make you think that this is TEOTWAWKI*, but the truth is somewhat different.
Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.
In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.
So, before you hide yourself in the basement and prepare for nuclear winter, make sure you read this excellent piece by Paul Ducklin, which examines and discusses the KHOBE claims in greater detail.
TEOTWAWKI: The End Of The World As We Know It
By Graham Cluley, Sophos
Danger! Fake $50 iTunes certificate carries malware
May 10, 2010 by admin
Filed under Security News
Amid all the usual attacks posing as delivery notices from DHL and FedEx this morning, I spotted some malware that had been spammed out posing as an Apple iTunes certificate for $50.
The emails read as follows:
Subject: Thank you for buying iTunes Gift Certificate!
From: "iTunes Online Store" <software@itunes.com>
Attached file: iTunes_certificate_997.zipHello!
You have received an iTunes Gift Certificate in the amount of $50.00
You can find your certificate code in attachment below.Then you need to open iTunes. Once you verify your account, $50.00 will be credited to your account, so you can start buying music, games, video right away.
iTunes Store.
Running the attached malware can infect Windows computers. Clearly the hackers are hoping that in your excitement about receiving a $50 iTunes gift certificate that you will throw caution to the wind and open the attachment.
Sophos detects the malware, contained inside a ZIP file, as Troj/BredoZp-AM andMal/FakeAV-BW.
By Graham Cluley, Sophos
‘More followers’ spam hits Twitter accounts
May 10, 2010 by admin
Filed under Security News
Thousands of Twitter users are finding that their accounts have been compromised, and are posting messages advertising a website which claims to help users attract more followers.
A typical message reads:
CHECK out this site, im a member of it, It gets you more followers: http://tinyurl.com/[removed]
Clicking on one of these links takes you to the Twtfaster website, which asks you to enter your Twitter username and password.
Of course, regular readers of the Clu-blog know that it’s never a good idea to hand over your login credentials to a third party, and that’s the case with this site too. Curiously, when I entered bogus information on the above screen it didn’t display an error message – suggesting that it might be created simply to scoop up users’ login details. Hmm.. that smells worryingly like a phishing attack to me.
Further investigation finds some small print on the Twtfaster website that suggests that they plan to use your account to advertise their service – but I wonder how many people would read that before eagerly signing up for more followers?
One piece of good news is that TinyURL appears to be currently blocking links used in the campaign, but of course that’s not going to stop the people behind this latest outbreak from using alternative URL shortening services.
So, if you’ve found out that your Twitter account has been sending messages advertising how to get more followers, I would recommend that you change your password immediately. And next time a third-party website asks you to hand over your username and password for Twitter, steer well clear.
It is possible that the accounts that are spamming out the adverts for Twtfaster have not signed-up for the site themselves, but have been compromised in some other way. Even so, that’s still a good reason to change your Twitter password. If you need help choosing a memorable, hard-to-crack password you should watch the video I made on the subject.
As I’ve discussed before, you should always exercise extreme caution before signing-up for a service which offers to increase your Twitter following.
Unfortunately, as the popularity of Twitter grows and the desire for more followers deepens we can expect more and more users to fall for scams like this.
Surveillance firm sells Apple iPad spyware
May 10, 2010 by admin
Filed under Security News
Could someone be spying on the emails you send and the websites you visit on your iPad?
For many the thought that someone could be reading every email you send, secretly logging every call that you make on your mobile phone, or silently tracking your location via GPS would be the stuff of nightmares.
And yet software exists (and is sold completely legitimately online) that does exactly this for those who wish to spy on their workers, or on members of their family.
And now a firm which in the past has made surveillance software to monitor the usage of iPhones, BlackBerrys, and Android , Windows Mobile and Symbian smartphones has announced a version of its snooping software to spy on iPads.
For just $99.97 a year, Mobile Spy customers can access a website that allows them to view a list of every website visited on an iPad, every contact added to the address book, and every email sent and received.
The way that vendors get away with this is by explaining that it is almost certainly an offence to install software onto a phone or computer that monitors or spies upon the owner unless you have authorisation to install it.
So, for instance, it would be okay to spy on your employees phone, computer or iPad activity if they had agreed to such surveillance in their contract. And it would be okay to snoop upon your kids because.. well, they’re your kids, and how likely are they to take you to court?
Such software exists in the “grey” area between legitimate and illegitimate software, typically promoted as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, or to assist companies in enforcing acceptable use policies, rather than more traditional identity theft – but it’s clear that it can be used for a criminal purposes too.
Fortunately, Mobile Spy’s spyware for iPads only works on jailbroken devices. In other words, not only does whoever want to spy on you need access to your iPad to install the software, your iPad also needs to have been tinkered with to allow you to run software that hasn’t been given the stamp of approval by Apple.
Late last year we saw malware which targeted users of jailbroken iPhones. My expectation is that if enough iPad owners jailbreak their gizmos too that some of the hackers at least won’t be far behind.
Hat-tip: Krebs on Security
By Graham Cluley, Sophos
