Sunday, June 28, 2009

Joomla! Security / Vulnerability Scanner

Detect vulnerabilities on target Joomla! website...

I stumbled across another handy scanner from the yegh community: a regularly updated tool that checks a target Joomla! site for file inclusion, SQL injection and command execution vulnerabilities. It is a useful utility for checking your own site after building it on the Joomla! platform. As with any vulnerability scanner, run it only against sites you own or are authorised to test, and treat its findings as leads to verify by hand rather than confirmed holes.

If you are not aware - Joomla is an award-winning content management system (CMS), which enables you to build Web sites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla the most popular Web site software available. Best of all, Joomla is an open source solution that is freely available to everyone.

You can download it from here.

Microsoft to release free anti-virus

Microsoft Security Essentials - New free antivirus software

Microsoft Security Essentials, the replacement for Windows Live OneCare, the for-a-fee security package that Microsoft is ditching on June 30, will be available for download at approximately noon, Eastern time. The free download will be posted on a new Microsoft site dedicated to Security Essentials (the page will go live Tuesday).

Microsoft has pitched the software as a basic antivirus, antispyware product that consumes less memory and disk space than commercial security suites like those from vendors such as Symantec and McAfee, and so is suitable for even low-powered PCs such as netbooks.

Microsoft has already repeatedly shown a particular incompetence when it comes to identifying and preventing malware, and I personally think this will be a new challenge from Microsoft in this domain.

Microsoft has had bad luck in the past when it has limited the number of downloads for previews of its software. Last January, the company had to restart the launch of Windows 7 Beta after its servers were overwhelmed because users, who had been told Microsoft would cap the downloads, rushed to grab a copy.

In May, when Microsoft offered Windows 7 Release Candidate (RC), it made it clear to users that it wouldn't restrict the number of copies downloaded from its site.

Thursday, June 25, 2009

Adobe Shockwave critical update

Critical Adobe Shockwave flaw affects millions

Adobe's Shockwave Player contains a critical vulnerability that could be exploited by a remote attacker to take complete control of Windows computers, according to a warning from Adobe.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

"This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here."

This issue is remotely exploitable: a user only has to open a web page carrying malicious Shockwave content. Note that the advisory does not simply say "update": it prescribes uninstalling the old version, rebooting, and then installing 11.5.0.600, so check the installed version afterwards rather than assuming an in-place upgrade took.


Wednesday, June 24, 2009

Australia's first voiceprint recognition telephone banking

NAB tests voiceprint recognition

NAB is the first local institution to give customers an opportunity to enrol in a voiceprint recognition system, dispensing with the need to remember PINs and passwords or provide personal information when calling the bank. Customers enrolled in National Australia Bank's new voice biometrics system for phone banking may be able to use the same system to authenticate their internet banking activities.

NAB direct channels speech program manager Sam Jackel said voiceprints could be used as a second-factor authentication method for internet banking transactions, which at present are independently verified by an SMS message sent to the customer's mobile phone. Users have to open the message to retrieve a single-use passcode and enter it into the onscreen session, he said.

Staff tested the voice registration and identity verification system for several weeks and it was being offered initially to customers who had difficulties with the automated check and required personal attention.

After callers have registered their unique voiceprint, they simply recite their individual account number at the beginning of each call and the system will verify their identity before the call centre agent picks up the call. Customer identification and verification used to take two to three minutes a call, but now this has been cut to about 20-30 seconds.

NAB is using Salmat VeCommerce's VeSecure voice biometric technology, which sits on top of VeConnect, a speech recognition system installed earlier this year to allow automatic routing of phone calls to the right service area and to support the launch of a single number, 136 NAB, to manage all NAB customer inquiries.

Sunday, June 21, 2009

Scam Alert: False Friends on Facebook

Beware two-faced friends on Facebook

Hackers are joining your friends on popular social networking sites in a new form of identity theft. They typically trick you into downloading programs that record keystrokes and sit back and wait for you to key in passwords and email address. Then they log on as you and wreak havoc on your social networking life and, possibly, your financial life.

They also use video links, fake antivirus offers and other ruses to get at you. Independent research shows that the fallout from the Great Recession includes a rise in all kinds of cyber crime.

To avoid problems on social networks and online in general, an AARP Scam Alert advises:

• Don't click on links in email -- even friends' email -- without checking them out with a phone call or otherwise off line.

• Update software direct from the maker's website, not through a provided link.

• Make your social networking account private, open only to friends.

• Regularly scan your computer for viruses and update your operating system as soon as updates are available. The updates often include added protection against current virus attacks.

• Always be suspicious of anyone asking for money or offering to give you large sums of money over the Internet.

Thursday, June 18, 2009

Microsoft Office 2003 is still widely used, like Windows XP

Stick with standard Office file formats

You can minimize file-compatibility issues by standardizing on the most common file formats. By default, OpenOffice.org saves files in Open Document Format (ODF). Microsoft's by-the-book support for ODF, unfortunately, breaks some spreadsheet files, according to a recent ZDNet blog post.

OpenOffice reads and writes Office 2007's default .docx and .xlsx XML file formats. But the older .doc and .xls formats are still the ones most often used. I suggest that you make the classic Office formats your defaults in OpenOffice. To set .doc as the document default, for example, open any OpenOffice program and do the following:

Step 1. Choose Tools, Options;
Step 2. Select General under Load/Save;
Step 3. Click Text Document under Document type in the Default file format and ODF settings section;
Step 4. Choose Microsoft Word 97/2000/XP in the Always save as drop-down menu and click OK.

To make .xls the default worksheet format, open the same dialog box and follow the same steps, with the following differences:

Step 1. Choose Spreadsheet under Document type in the Default file format and ODF settings section;
Step 2. Choose Microsoft Excel 97/2000/XP in the Always save as drop-down list and click OK.

If you are using Microsoft Office 2007 and send documents to people still on Office 2003, they will often complain that they cannot open the file. Here is the interim fix until Office 2007 and its formats are widely deployed and accepted.

Open Word 2007, click the Office button and then select Word Options.

Under the "Save" section, select "Word 97 - 2003 Document" from the "Save files in this format" drop-down.

Repeat the same steps in Excel 2007 (choosing "Excel 97-2003 Workbook"). Once Office 2007 is widely accepted, repeat the same steps and select the .docx format as your default save format.

Wednesday, June 10, 2009

Web Trackers Systematically Compromise Users' Privacy

Website monitoring practices take advantage of many loopholes in privacy regulations

A University of California, Berkeley study found that Web users may be tracked by dozens of sources on a visit to a single site. Within a single month, the researchers found 100 monitoring agents on the site blogspot.com. Although many of the trackers used on blogging sites are low-level monitors used by bloggers to see who is reading their posts, major companies also are tracking a significant amount of Web traffic, according to the report.

The researchers found five trackers operated by Google, including Analytics, DoubleClick, AdSense, FriendConnect, and Widgets. "Among the top 100 Websites this project focused on, Google Analytics appeared on 81 of them," according to the report. When combined with the other trackers it operates, Google can track 47 of the top 50 Web sites, and 92 of the top 100 Web sites. The researchers note that even if Web users know that their online activities are being tracked, they have no way of knowing how that data is being used. The report says that 36 percent of the Web sites in the study openly acknowledge the presence of third-party tracking, but each of the sites also state that the data-collection practices of the third parties are outside the coverage of the site's privacy policy. "Based on our experience, it appears that users have no practical way of knowing with whom their data will be shared," the researchers report.
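The study counted trackers by hand; a practitioner usually wants the same count for their own pages. The following is an added example, not code from the Berkeley study or the original post: it takes the HTML of a page and lists every host that the browser will contact for scripts, images and frames, splitting first-party from third-party. Each third-party host in that list receives the visitor's IP address, the referring URL and any cookies it has already set, which is exactly the position a tracker needs. The sample HTML and the `.example` hosts in it are constructed for the demo.

```javascript
// Added example: enumerate third-party hosts a page embeds (potential trackers).
// Uses only Node's built-in WHATWG URL parser; no network access.

const SAMPLE_PAGE_URL = 'https://blog.example/post/1';

// Constructed page: first-party assets plus the kinds of third-party tags the
// study counted (analytics script, ad network, 1x1 tracking pixel, social widget).
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="//ad.doubleclick.net/adj/site;sz=300x250"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://stats.tracker.example/pixel.gif?id=123" width="1" height="1">
<iframe src="https://widgets.social.example/like?u=blog.example"></iframe>
</body></html>`;

// Elements whose src attribute makes the browser issue a request that carries
// the page's referrer and the target host's cookies.
const SRC_TAGS = /<(script|img|iframe|embed)\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;

// Resolve an attribute value against the page URL: relative paths stay
// first-party, protocol-relative "//host/..." links inherit the page scheme.
function resolve(src, pageUrl) {
  try { return new URL(src, pageUrl); } catch (e) { return null; }
}

// Returns { firstParty: [paths...], thirdParty: { hostname: requestCount } }.
function findThirdPartyHosts(html, pageUrl) {
  const page = new URL(pageUrl);
  const result = { firstParty: [], thirdParty: {} };
  let m;
  while ((m = SRC_TAGS.exec(html)) !== null) {
    const u = resolve(m[2], pageUrl);
    if (!u) continue;
    if (u.hostname === page.hostname) {
      result.firstParty.push(u.pathname);
    } else {
      result.thirdParty[u.hostname] = (result.thirdParty[u.hostname] || 0) + 1;
    }
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findThirdPartyHosts(SAMPLE_HTML, SAMPLE_PAGE_URL));
}
```

Running it on the sample page reports two first-party assets and four third-party hosts. A real page also loads trackers indirectly (a script that injects further scripts), which a static scan of the HTML cannot see; for that you have to record the requests a real browser makes.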

The researchers note that many large companies have hundreds or even thousands of affiliates, sometimes in completely different industries, and occasionally in foreign countries. Please refer here to read this interesting research and report on DarkReading.

Sunday, June 7, 2009

Classic Fraud: 6 Scams That Don't Go Away

From Check Fraud to Phishing, All the Old Tricks are Back with a Vengeance

Bank fraud has evolved over the last several years, but some classic variations keep financial institutions busy.

Here are six old fraud tricks that are back with new twists to bedevil fraud departments and information security professionals.

Check Fraud

Last week, New York indicted 18 people in a massive check counterfeiting ring that cashed more than $1 million worth of checks at major New York City banks. This case causes even the best fraud departments in financial institutions to check their own programs and safeguards.

Attempted check fraud at U.S. banks totaled $12.2 billion in 2006, according to the latest biennial survey conducted by the American Bankers Association (ABA). Bank prevention systems caught 92 percent or $11.2 billion of check fraud attempts.

Precautions: Employee training is still one of the most effective security measures against check fraud. Other prevention systems include signature verification, screening of new accounts, "positive pay" systems (a computerized check number matching program between banks and corporate customers), special check stock (water marks, micro-printing and/or holograms) and "touch signature" fingerprint programs for cashing non-customers' checks.

Elderly and Immigrant Identity Fraud

Financial institutions' mortgage and loan officers need to pay attention to this kind of fraud. While not new, elderly and immigrant fraud is regaining popularity, especially in the age of identity theft. This is currently happening in some reverse mortgage situations. Similarly, some immigrants who rent properties are discovering that their identities have been used on fabricated loan transactions.

A simple inquiry about a loan product that leverages investment or rental properties can be enough to obtain information for use on fabricated loan transactions. As foreclosure scams also continue to proliferate, loan officers need to keep track of those homeowners, making sure they don't fall prey to these scavengers.

ATM Fraud/Skimming

This type of fraud made it into President Barack Obama's speech announcing his cybersecurity initiative, when he said "thieves used stolen credit card information to steal millions of dollars from 130 ATM machines in 49 cities around the world -- and they did it in just 30 minutes." The big question is: Can it happen at your institution?

Phishing

Phishing continues to change and grow, and so does crimeware (the term now used for what used to be called malware). Phishing is becoming more technical, for example using advanced obfuscation to defeat anti-spam filters, while crimeware is relying ever more on social engineering. Trojan horses commonly use clever social engineering to improve their success rates. The bad guys have been devastatingly effective at tricking end users into installing malware and divulging personal information, but their methods for monetizing that data have been fairly crude. This is starting to change, however, and brokerage accounts are an area of particular concern.
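One concrete form of the obfuscation mentioned above is the link itself: phishing mail hides the real destination behind a username in the authority part, a numeric host written in hex or as a single number, and percent-encoded path segments. The following is an added example, not code from the original article: it normalizes a link the way a browser will and flags those tricks. It relies on the WHATWG URL parser built into Node (and browsers), which already decodes hex, octal and single-number IPv4 hosts; the `bank.example` brand and the sample links are constructed for the demo.

```javascript
// Added example: reveal the host a phishing link really points at.

const TRUSTED_BRANDS = ['bank.example']; // constructed: the brand being spoofed

// Returns { host, path, warnings } for a parseable link, or { error }.
function inspectLink(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return { error: 'unparseable: ' + raw }; }
  const warnings = [];

  // "http://www.bank.example@evil-host/": everything before "@" is a username;
  // the browser connects to what follows it.
  if (u.username || u.password) warnings.push('credentials-in-authority');

  // Hex ("0x0a.0x00.0x00.0x01"), octal and dword ("167772161") hosts are
  // normalized to dotted decimal by the parser; bare IP hosts are a red flag.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname)) warnings.push('ip-literal-host');

  // "%6c%6f%67%69%6e" is "login"; naive keyword filters miss the encoded form.
  let path = u.pathname;
  try { path = decodeURIComponent(u.pathname); } catch (e) { /* keep raw */ }
  if (path !== u.pathname) warnings.push('percent-encoded-path');

  // The spoofed brand appearing anywhere except as the real host (or a
  // subdomain of it) is the classic lookalike: bank.example.evil.example.
  for (const brand of TRUSTED_BRANDS) {
    const hostOk = u.hostname === brand || u.hostname.endsWith('.' + brand);
    if (!hostOk && raw.includes(brand)) warnings.push('brand-outside-host:' + brand);
  }
  return { host: u.hostname, path, warnings };
}

// Constructed samples: one legitimate link, three obfuscated ones.
const SAMPLE_LINKS = [
  'https://online.bank.example/login',
  'http://www.bank.example@0x0a.0x00.0x00.0x01/%6c%6f%67%69%6e',
  'http://167772161/',
  'http://bank.example.evil.example/secure',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const link of SAMPLE_LINKS) console.log(link, '=>', inspectLink(link));
}
```

The point of letting the URL parser do the normalization is that the filter then sees the same host the victim's browser will connect to, rather than whatever the mail displayed.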

Vishing

The increased number of "vishing" (phone-based phishing) scams hitting different regions is cause for alarm. In the last week, five different regions of the US were hit by phishers using phone calls to solicit information about the victim's credit union or bank account:

•New England Federal Credit Union in Williston, VT reported that a vishing scam hit residents, and the Heritage Family Credit Union in Rutland, VT also reported a similar scam.

•Customers of the Forward Financial Credit Union in Niagara, WI and the River Valley Bank in Iron Mountain, MI received calls last week from fraudsters asking for account information.

•Asheville Savings Bank, Asheville, NC was alerted last week by its customers that a vishing scam targeting area residents was trying to get debit card numbers.

•The final vishing scam of last week targeted all 22,000 residents of Guilford, CT. The calls started coming on May 24. In the Guilford case, the automated call was a female voice claiming to be from Guilford Savings Bank. It prompted those on the other end of the line to enter their bank card number and PIN, along with the card's expiration date.

Insider Threat

The threat of a trusted employee or vendor taking sensitive information is not new, but the ways that insiders are getting to the juicy data or dollars is changing. Collusion is the new way insiders are getting sensitive data.

To put it into context: of the people who stole information with the intent to sell it, more than half were recruited to do so by parties outside the organization, and when insider fraud occurred, half of the cases involved a second insider.


Wednesday, June 3, 2009

Criminals are looking for ways to turn browser vulnerabilities into money.

Security vs. Usability

Usability and security have long been at odds with each other in software design, and the web browser is no exception. When browsing the Web or downloading files, the user constantly has to decide whether to trust a site or the content served from it. Browser approaches to this have evolved over time: browsers used to give a mild warning if you accessed a site with an invalid HTTPS certificate; now most browsers block sites with invalid certificates and make the user figure out how to unblock them.

Similar approaches are taken with file downloads. Internet Explorer tends to ask the user several times before opening a downloaded file, especially if the file is not signed. Prompting the user about actions that are legitimate most of the time creates prompt fatigue, which makes the user careless, and leaves the designer walking a tightrope between a "reasonable but not excessive" security posture and a package that is either too open to be safe or too closed to be useful. Most browsers today have moved from the "make the user choose" model to the "block and require an explicit override" model.

In some cases the security of the browser has had a major impact on Web site design and usability. Browsers present a clear target for identity theft malware, since a lot of personal information flows through the browser at one time or another. This type of malware uses various techniques to steal users' credentials. One of these techniques is form grabbing - basically hooking the browser's internal code for sending form data to capture login information before it is encrypted by the SSL layer.

Another technique is to log keyboard strokes to steal credentials when the user is typing information into a browser. These techniques have spawned various attempts by Web site designers to provide more advanced authentication with a hardware token and use of various click-based keyboards to avoid key loggers.

Another usability feature of the Web browser that has been attacked by malware is auto-complete. Auto-complete saves form data in what is meant to be a safe location and offers the user what he typed before into a similar form. Several malware families, such as Goldun/Trojan Hearse, exploited this very effectively: the malware cracked the browser's encrypted auto-complete store and sent its contents to a central server without even having to wait for the user to log in to the site.

Given all the vulnerabilities out there and the willingness of attackers to exploit them, you might think users would be clamoring for more security from their browsers. Some of them do, as long as it doesn't prevent any of the features they want from working.

There are a number of documents available that list steps one can take to lock down a Web browser. For example, one of those steps often is something like "Disable JavaScript." But few people actually ever do that - at least not permanently, because using a browser with JavaScript turned off is annoying, and in many cases prevents you from visiting sites you have legitimate reasons to visit.

"Attack and defense strategies are evolving, as are the use and threat models. As always, anybody can break into anything if they have sufficient skills, motivation and opportunity. The job of browser developers, network administrators, and browser users is to modulate those three quantities to minimize the number of successful attacks."

Tuesday, June 2, 2009

Decoding the Internet's Raw Data

Government data sets available for citizens to use...

The massive amounts of data available on the Internet potentially have infinite uses. For example, advertisers want to mine photos and status updates on social networks to better sell products, while scientists are tracking weather patterns using decades of climate records. Now, U.S. White House officials want to make government data available to the public so citizens can monitor government actions.

The problem is determining how to organize and display such a massive amount of data without having to sift through volumes of spreadsheets. Participants at the recent symposium at the University of Maryland's Human-Computer Interaction Lab focused on solving this problem. "We're trying to understand data and make sense of it visually, but there's no way of evaluating how effective these visuals really are for people," says PricewaterhouseCoopers research manager Mave Houston. Analysts from the U.S. Department of Defense, SAIC, and Lockheed Martin expressed their frustrations with available information visualization tools, which are too complex for novice users, frequently do not work well with user-generated content, and have difficulty handling large amounts of data.

The Human-Computer Interaction Lab is working on ways of linking information, creating user-friendly technology devices, and improving how people interact with the Web. "Our belief is that technology is not just useful as toys or for business," says lab founder Ben Shneiderman. "We're talking about using these technologies for national priorities."

Refer here to read full details about the news.