Google invites attacks on Chrome

Google has launched an experimental programme to encourage external security researchers to find and report vulnerabilities in its browser. Borrowing from the Mozilla Foundation’s 2004 Security Bug Bounty Program, $500 will be awarded for each bug found. In special cases, a committee will decide whether to increase the amount to a maximum of $1,337 – however, this higher reward is reserved for vulnerabilities which are particularly critical, or for particularly smart reports on vulnerabilities and their exploitation.

According to Google, it doesn’t matter whether the vulnerability is in the open source Chromium version or the binary Chrome version. The two differ only marginally anyway – Chrome additionally contains GoogleUpdater and sends an RLZ parameter which is forwarded to Google when a search term is entered in the Chrome address bar. The company will not be offering rewards for reports of bugs in third-party plug-ins.

Continued here: http://www.h-online.com/security/news/item/Google-invites-attacks-on-Chrome-918266.html

Details in The Chromium Blog: Encouraging More Chromium Security Research

More concerns raised about suitability of the Apple iPad, as Norton say that it will not be able to run its phishing protection engine

The announcement of the launch of the Apple iPad has led to concerns being raised not only about the security implications, but also the extra strain put on mobile operators. […]

Mike Romo, senior product manager at Symantec who works on Norton products for the Mac, said that from a security point of view, developers are still beholden to Apple.

He said: "The iPad now runs mobile versions of their popular iWork suite, which opens the door for downloading and sharing important business files. This does push security more into the fore than years past, as users will be open to non-Apple approved bits coming into their device (other than media files).

"Symantec will endeavour to provide the relevant products, but right now we are hampered by the limitations, such as they are, of the current mobile OS in iPad, iPod touch and iPhone, primarily because we cannot run processes in the background. For example, if you are checking your email, we cannot scan an attachment for viruses because our scanning engine cannot run while the mail program is running.

"Similarly, we cannot run our phishing protection engine (which scans pages while they load for threats as opposed to just checking to see if the site is listed as a phishing site) because the Safari browser is running. Of course, that is just one aspect (an important aspect to be sure) of what we do; there are other more assistive solutions that we are investigating, but from a classical security perspective (Symantec protecting you from malicious threats entering your system), we need a bit more flexibility in the OS. Happily, the rumour mill is already back in action, with hopes that iPhone OS 4.0 will actually allow background apps, but we’ll have to wait for that to happen later this year, if at all."

Francisco Martin Abreu, president and CEO of Optenet, claimed that as mobile operators compete to add the latest devices to satisfy customers’ desire to stay connected anytime and anywhere, those that cannot offer sophisticated and built-in security for their customers will be the ones who find it hard to survive.

http://www.scmagazineuk.com/more-concerns-raised-about-suitability-of-the-apple-ipad-as-norton-say-that-it-will-not-be-able-to-run-its-phishing-protection-engine/article/162625/

Black Hat DC: Researchers To Release Web Development Platform Hacking Tool

Tool tests for newly discovered class of vulnerabilities in popular Apache, Sun, Microsoft Web development platforms

A technique used in Web application development platforms that provides a constant look-and-feel across multiple Web pages can potentially expose sensitive user data, such as credit-card numbers, according to researchers, who at next week’s Black Hat DC will demonstrate a new class of vulnerabilities in Apache MyFaces, Sun Mojarra, and Microsoft ASP.NET. They will also release a tool that tests for the flaws.

The so-called "view state" technique in both the MyFaces and Mojarra frameworks can be exploited such that an attacker can view user data — think username, password, and credit-card number — that’s temporarily stored on the server during a session. View state is basically a method for tracking changes to visual components on a Web page that lets the Web server update a Web page without moving from that page.

"This is a fairly complicated vulnerability," says David Byrne, senior security consultant with Trustwave’s SpiderLabs. "View state is something most people have heard of, but they aren’t familiar with its inner workings. The tool we’re going to release will help reveal those inner workings."

http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml?articleID=222600302

Antivir 2010 is a new fake security application

Antivir 2010 takes its name from the real AntiVir antivirus by Avira. Antivir 2010 detects fake infections on a clean system to scare users. It also installs a BHO (Browser Helper Object) to display error messages in Internet Explorer.

http://siri-urz.blogspot.com/2010/01/antivir-2010.html

Antivir 2010 is yet another rogue security application. This rogue replaces the Antivir rogue security application.

Both Antivir 2010 and Antivir are rogue security applications, not to be confused with the legitimate security application Avira AntiVir Personal.

http://bharath-m-narayan.blogspot.com/2010/01/antivir-2010.html

Antivir 2010 removal instructions: http://www.bleepingcomputer.com/virus-removal/remove-antivir

SOHU Digital Channel Web Site Compromised with Xunlei Thunder DapPlayer Exploit

Websense Security Labs ThreatSeeker Network discovered that the SOHU Digital Channel Web site was compromised with a Xunlei Thunder DapPlayer Exploit that can lead to downloading and executing an Autorun worm that steals users’ online game account information.

SOHU is one of the biggest portals in China, with Alexa rank 43. It offers mainly advertising, search engines, and online multi-player gaming. Xunlei is one of the most popular download managers and BitTorrent clients, and it also offers free media for download. Its main site also has a relatively high Alexa rank of 126.

According to Secunia, the vulnerability is caused by a boundary error in the DPClient.Vod.1 ActiveX control (DapPlayer_Now.dll) when it is handling arguments passed to the "DownURL2()" method. This can be exploited to cause a buffer overflow by passing an overly long argument to the affected method. Successful exploitation allows execution of arbitrary code.

Details with screenshots at http://securitylabs.websense.com/content/Blogs/3539.aspx

China Internet users use VPN servers to cross firewall

Paid virtual private networks (VPNs) are quietly catching on in China as a way to access forbidden websites, analysts say, while authorities are leaving them alone until they become more popular.

VPNs designed for secure Internet use in offices have spread over the past half year among expatriates and tech-savvy Chinese since the popular social networking website Facebook was blocked.

Twitter and YouTube are also blocked in China, which uses a filtering "firewall" to block Internet users from overseas website content that challenges the Communist Party.

The rise of VPNs comes as China defends its curbs on the Internet after the world’s biggest search engine provider, Google Inc., threatened to shut down its Chinese Google.cn site over censorship and a severe hacking attack.

"So long as the VPN is outside of mainland China, it should not be a problem," said Danny Levinson, publisher of ChinaTechNews.com. "We use our own VPN and it works fine."

http://www.reuters.com/article/idUSTOE60P0A120100128?type=marketsNews

Hackers Kick Off Tax Season With Oklahoma Web Site Attack

You might not be preparing your taxes yet, but hackers are thinking ahead with new tax-time scams. The Oklahoma Tax Commission was victimized by an attack that defaced the organization’s Web site and downloaded malware onto visitors’ computers, security researchers say.

Visitors to the Oklahoma Tax Commission Web site were told they needed to accept an Adobe license agreement and then download software. While the prompt appears "normal," researchers said that the application contained malicious code designed to infect users if they click "Accept." Once a PC was infected, the hackers were able to take control of it and gain access to the victim’s personal information stored on the system.

Researchers at AVG Technologies, who discovered the attack Thursday, said that the hackers were capitalizing on the uptick of visitors to tax sites at the beginning of tax season.

"With tax time upon us, this is a timely hack of a site that’s getting above normal traffic," said Roger Thompson, AVG chief technology researcher, in an AVG blog post, adding "These things happen to lots of people, but it’s a bit unfortunate to happen to any tax site at this time of year."

Thompson said that the site’s IT personnel will remove the malicious code and restore the hacked Oklahoma tax site quickly. But how the hackers were able to infiltrate the site still remains to be determined, he said, noting that the Oklahoma Tax site hackers seemed to be able to manipulate the site with relative ease.

http://www.crn.com/security/222600345;jsessionid=405W4XZU0ZZB3QE1GHPSKH4ATMY32JVN?cid=ChannelWebBreakingNews

Details with screenshots at http://thompson.blog.avg.com/2010/01/ok-so-that-sucks-a-bit-especially-given-the-time-of-year.html

Report: Flawed Apps Increasingly Under the DDoS Gun

A report shows an upward trend where attack tools exploit layer 7 to maximize the impact of DDoS assaults.

A report from the CYBER SECURITY Forum Initiative (CSFI) offers further evidence that botnet herders are getting a bigger bang out of distributed denial-of-service (DDoS) attacks by targeting security holes at layer 7, more commonly known as the application layer.

A paper on the findings, L7DA (Layer 7 DOS Attack) Report v1.0, was passed along to CSOonline by Paul de Souza, a Chicago-based security analyst and founder of CSFI, a group of IT security practitioners who volunteer their guidance and support to companies that have suffered cyber attacks.

The findings stem from an investigation conducted by 11 volunteers from the IT security community. According to the paper, CWFI/CSFI was contacted by a company that claimed to be experiencing a new layer 7 DDoS. CSOonline.com has left out the specific names of companies and agencies involved as much of the information is confidential.

"The attack has been found in the wild and [was] possibly created by Chinese hackers," the paper states. "It is said to have been deployed to Chinese-owned botnets at this time. According to our source, this new L7DA targets IIS and Apache servers."

http://www.networkworld.com/news/2010/012710-report-flawed-apps-increasingly-under.html
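The report itself is not reproduced here, so as an added example (not from the CSFI paper or CSOonline), the detector below shows the defender's side of a layer 7 flood against an Apache or IIS web server: because such requests complete the TCP handshake and are well-formed HTTP, packet-level counters stay quiet, and the usable signal is the request rate per client against a single URL. It parses combined-format access log lines; the log lines, IP addresses, window size and threshold are all constructed for this illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, Iterable, Optional, Tuple

# Combined-format access log line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Tuple[str, int, str]]:
    """Return (client_ip, epoch_seconds, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp()), m["path"]


def flag_sources(lines: Iterable[str], window_s: int = 10,
                 max_hits: int = 20) -> Dict[str, Tuple[str, int]]:
    """Flag client IPs that request one path more than max_hits times in a window_s-second bucket."""
    buckets = defaultdict(Counter)  # (ip, path) -> {bucket index: hits}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the detector
        ip, epoch, path = rec
        buckets[(ip, path)][epoch // window_s] += 1
    flagged = {}
    for (ip, path), hits in buckets.items():
        peak = max(hits.values())
        if peak > max_hits:
            flagged[ip] = (path, peak)  # worst bucket seen for this source and path
    return flagged


def _line(ip: str, second: int, path: str) -> str:
    return (f'{ip} - - [28/Jan/2010:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')


# Constructed sample log: one source sends 40 requests for a search page within 8 seconds,
# another browses normally (one request every 12 seconds).
SAMPLE_LOG = [_line("203.0.113.7", i // 5, "/search?q=report") for i in range(40)]
SAMPLE_LOG += [_line("198.51.100.4", s, "/index.html") for s in (0, 12, 24, 36, 48)]

if __name__ == "__main__":
    for ip, (path, peak) in flag_sources(SAMPLE_LOG).items():
        print(f"{ip} -> {peak} hits in one 10 s window on {path}")
```

Fixed buckets can split a burst across two windows, so a production rule would also compare against the path's normal rate and the cost of serving it, since layer 7 tools aim at the most expensive pages rather than the most requests.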

IPad? That’s So 2002, Fujitsu Says

It’s sleek. It’s mobile. It has a touchscreen.

It’s Fujitsu’s iPad from 2002.

Sold mainly in the United States, the multifunctional device from the Tokyo technology company helps shop clerks verify prices, check real-time inventory data and close sales on the go.

Fujitsu, which applied for an iPad trademark in 2003, is claiming first dibs, setting up a fight with Apple over the name of the new tablet device that Apple plans to sell starting in March.

“It’s our understanding that the name is ours,” Masahiro Yamane, director of Fujitsu’s public relations division, said Thursday. He said Fujitsu was aware of Apple’s plans to sell the iPad tablet and that the company was consulting lawyers over next steps.

http://www.nytimes.com/2010/01/29/technology/companies/29name.html via Slashdot: Fujitsu Readies Lawsuit Over "iPad" Name