Timthumb WordPress Hack

Many of the themes used with WordPress sites (the content management system in use on this web site) have used a popular image re-sizing script called Timthumb (http://www.binarymoon.co.uk/projects/timthumb/).

This script is used by hundreds of thousands of sites and is quite popular in the WordPress theming community. It was discovered last month that a vulnerability existed within certain versions of the script (http://code.google.com/p/timthumb/issues/detail?id=212). If you are using a WordPress theme with your mobile WordPress web site then it is highly likely that the Timthumb WordPress Hack can be exploited on your site (depending on when you last updated your theme). The author of the Timthumb script has provided a fix that you should apply to your site now.

Timthumb WordPress Hack

It’s Not Personal

Most site hacks are the work of black hat SEO scam artists trying to increase their own site ranking for whatever purposes. It’s not personal, so don’t panic if you find you have been hacked. Don’t take it personally; they are not out to get you in particular.

Sites being hacked have always been a problem; if yours has never been hacked, consider yourself lucky. You have to do your best to make sure this kind of thing doesn’t happen, but it still can.

Android SpyEye Spitmo Discovered

It was going to happen sooner or later…

Trusteer reports that an Android variant of Spitmo (SpyEye for mobile) has been discovered.

DroidOS/Spitmo

(more…)

New Android Riskware

We have just encountered a number of Android riskware applications that target subscribers in the China region.

The suspect applications cover a variety of topics, including horoscopes, farm and pet games/info and the Chinese calendar, to name a few. Below is a screenshot of the permissions requested by one of these applications:

riskware_android_mobiletx_a_permissions (67k image)

(more…)

Are You Monitoring Your Business’s Google Place?

Running a small business can be a difficult job (particularly in today’s economic climate). Competition can be very cut-throat … and dirty tricks are sometimes played by the unethical.

For example: In 2003, Saad Echouafni, owner of Orbit Communications (a satellite television reseller), paid for an Ohio botmaster (Richard Roby) to DDoS the websites of two competitors. In 2005, Roby, the botmaster, was convicted of computer crimes in US federal court. Investigation into Roby’s crimes revealed a link to Echouafni and a co-conspirator (Paul Ashley) who also pleaded guilty to related crimes in 2005. Echouafni paid bail and fled US jurisdiction.

Reportedly, at the height of the DDoS attacks, Rapid Satellite and WeaKnees were offline for two weeks. It’s quite an interesting tale and you can read more here: Feds bust DDoS ‘Mafia’, by Kevin Poulsen.

Wow, a DDoS Mafia, circa 2003. But what’s the situation in 2011? (more…)

Diginotar Hacked by Black.Spook and Iranian Hackers

Diginotar is a Dutch Certificate Authority. They sell SSL certificates.

Diginotar

Somehow, somebody managed to get a rogue SSL certificate from them on July 10th, 2011. This certificate was issued for the domain name *.google.com.

What can you do with such a certificate? Well, you can impersonate Google — assuming you can first reroute Internet traffic for google.com to you. This is something that can be done by a government or by a rogue ISP. Such a reroute would only affect users within that country or under that ISP.

But why would anybody want to intercept Google? Well, this is not really about the search engine at www.google.com. This is about the Gmail servers at mail.google.com and Google Docs at docs.google.com and maybe Google+ at plus.google.com.

We saw a similar attack in May (via Certificate reseller instantssl.it in Italy). That case was tied to Iran. So is this one. It’s likely the Government of Iran is using these techniques to monitor local dissidents.

Iran does not have its own Certificate Authority. If they did, they could just issue rogue certificates themselves. But since they don’t, they need such certificates from a widely trusted CA. Such as Diginotar.

(more…)

Facebook to Prevent 3rd-party Apps From Seeing Your Information Via Your Friends

On Tuesday of this week, Facebook announced significant changes to their profile controls and sharing options. The rollout of these changes begins today, August 25th. You’ll find an excellent summary of the changes by Jason over on our Safe and Savvy blog.

Meanwhile, we’ve been busy digging into the details and reading between the lines.

And there are lots of details to consider:

Dig Into the Details (more…)

Windows XP

Let’s compare the major computer operating systems at the moment. We have Windows XP, Windows Vista and Windows 7. We have various Linux distributions. And we have Mac OS X.

Of these, obviously Windows XP has the weakest security, by far. And Windows XP has the biggest market share, too. Globally, close to half of all computers still run XP. And today, Windows XP is ten years old. Ten years is an eternity in this business. So it’s no wonder XP’s security architecture is not up to date.

As a result, attackers right now would be stupid* to spend their time and money targeting any other operating system. That makes no sense as long as they have this huge, easy, low-hanging fruit. Obviously XP is going away.

And Why Would this Bother Mobile Phone Users?

Ever plugged your phone into your computer to do a file sync, an update or to transfer files? How about hooking your phone up to your home’s XP Wi-Fi network? Think about it.

As we can see from this chart, Windows 7 will pass XP in the near future and will become the most common operating system.

Operating system market shares

And when XP’s market share drops low enough, attackers need to start looking around. Some will focus on Windows 7. Others will look at OS X, Android, iOS and so on. The attackers have never had it so good. The easiest target is also the most common target. This can’t change quickly enough.

Do a good deed today. Uninstall an installation of XP.

Mobile malware to steal photos from your phone

A good deal of this year’s mobile malware was developed in China. And Chinese mobile malware tends to include stuff such as backdoors, password stealers and spy tools.

Knowing that Chinese malware likes to spy, we’ve been keeping an eye out for various functions, such as photo scraping. Stealing photos from a phone could be used for harassment and blackmailing.

We didn’t have to look for long. A member of our Threat Response team just found something interesting in a Symbian malware sample.

Mobile malware to steal photos from your phone

Here are our analyst’s notes:

The code of Trojan:SymbOS/Spinilog.A (md5: b346043b4efb1e9834a87dce44d6d433) includes a class named CMyCameraEngine which inherits and implements the Symbian class MCameraObserver. This enables the trojan to receive control when an image has been captured with the camera. Spinilog.A then encodes the raw bitmap to a JPG, which it saves to the phone’s memory. This feature seems to still be unused and possibly incomplete as the constructor of the CMyCameraEngine class is not called in the code. Other data stolen by the trojan is more traditional such as the content and details of SMS and e-mail messages, phone call details and calendar and contact information.

So while this particular backdoor won’t yet steal your photos, it’s clear which direction we’re headed.

Anonymous Ops Britain and BART

Here’s a new maxim for politicians, policy makers and public administrators: curtail, censor or otherwise limit communications technology in the real-world — expect online reprisals.

Hacker collective Anonymous released a “press release” on Saturday announcing OpBritain, a reaction to UK Prime Minister David Cameron’s suggestions that social media should be restricted in a time of crisis.

And while Anonymous states that actions by rioters were “violent”, they have no love for police authority, and so the enemy of my enemy is my friend. Besides promising online hacks, Anonymous has called for peaceful real-world protests on October 15th.

(more…)

Can Germany’s data protection laws forestall facial recognition?

Facial recognition technology is a hot topic and this recently caught my attention: German authorities have suggested that Facebook’s “facial recognition” feature is illegal. From Deutsche Welle:

Hamburg’s data protection official Johannes Caspar claims that the software violates both German and European Union data protection laws and that Facebook users don’t know how to delete the data that Facebook is gathering. “If the data were to get into the wrong hands, then someone with a picture taken on a mobile phone could use biometrics to compare the pictures and make an identification,” Caspar told the Hamburger Abendblatt. “The right to anonymity is in danger.”

The legal keyword appears to be “biometrics”.

According to Caspar:

“A normal user doesn’t know how to delete the biometric data. And besides, we have demanded that biometric data be stored with the subject’s express consent.”

Another keyword appears to be “stored” (though… Deutsche Welle’s article also states that no data can be “collected” without consent). Collected or stored biometric data, which is it?

Is on the fly facial recognition analysis legal if the data isn’t retained or stored after it’s used?

In any case, having several self-tagged Wall photos, I decided to test the feature with my own personal Facebook account. (Existing tagged photos are a prerequisite, even if the user hasn’t opted out. No tagged photos, no biometric data will exist.)

Sean Sullivan

First, I re-enabled my “Suggest photos of me to friends” option in Facebook’s privacy settings.

And then I uploaded a photo:

Faces

While Facebook’s photo upload service “detected” two faces, neither of them was “recognized” and no tag suggestions were offered. So it would appear that there’s no hidden biometric “faceprint” of me in Facebook’s databases. Either none was collected between the time when the feature was introduced and I opted out, or else they deleted what was stored after I disabled the feature.

I ask myself, is Facebook’s biometric data really such a big deal?

Google Images recently released reverse image search. That feature is much more likely to be used in future photo comparisons than any Facebook data that falls “into the wrong hands”. If you have an iPhone/Android device, try Google Goggles and then imagine the Google+ possibilities.

Then there’s current camera technology to consider. My Canon S90 does a very decent job of detecting faces on its own. If a face is detected, the photo’s EXIF metadata includes “SceneCaptureType – Portrait” and the faces are tagged.

[Screenshot: Canon S90 Portrait, with two faces tagged]

And that’s just a start. Some vendors, such as Samsung, have “Smart Face Recognition”, as demonstrated in this video from April 2009. It’s not a far leap at all before our cameras are detecting, recognizing, and tagging faces in our photos at the moment they’re taken. And that includes camera phones: Apple reportedly plans to include facial recognition features in iOS 5.

Mr. Caspar may indeed have legitimate concerns regarding Facebook’s current biometric practices. But what happens if (when) it’s no longer a matter of analysis? If consumers upload photos that contain facial tags, can Facebook then make the suggestion?

It should be noted that Facebook currently strips EXIF metadata from uploaded images. (Kudos.)
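The camera tagging above and the stripping Facebook does both live in the JPEG’s APP1 “Exif” segment. The following is an added example, not code from the post or from Facebook: a minimal pure-Python JPEG segment walker that reports whether an Exif segment is present and removes it while leaving every other segment and the image data untouched. The sample JPEG is constructed inline (a synthetic file, not a real camera capture).

```python
import struct

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: 0xFF, marker, 2-byte length (incl. itself), payload."""
    return struct.pack(">BBH", 0xFF, marker, len(payload) + 2) + payload

# Constructed sample: SOI, APP1 with an Exif header and an empty TIFF IFD,
# a COM segment, a one-component SOS header, two bytes of scan data, EOI.
EXIF_PAYLOAD = b"Exif\x00\x00" + b"MM\x00\x2a\x00\x00\x00\x08" + b"\x00\x00" + b"\x00\x00\x00\x00"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE1, EXIF_PAYLOAD)
    + _segment(0xFE, b"camera comment")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)

def strip_exif(data: bytes) -> tuple[bytes, bool]:
    """Return (cleaned_jpeg, had_exif).

    Walks the marker segments before Start-Of-Scan and drops every APP1
    segment whose payload begins with "Exif\\0\\0"; all other segments and
    the entropy-coded scan data (from SOS to the end) are copied verbatim.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    pos, had_exif = 2, False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"corrupt marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):           # SOS or EOI: no more metadata segments
            out += data[pos:]
            return bytes(out), had_exif
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + length]
        if marker == 0xE1 and segment[4:10] == b"Exif\x00\x00":
            had_exif = True                  # drop the Exif block entirely
        else:
            out += segment
        pos += 2 + length
    raise ValueError("truncated JPEG (no SOS/EOI found)")

if __name__ == "__main__":
    cleaned, had = strip_exif(SAMPLE_JPEG)
    print(f"exif present: {had}, {len(SAMPLE_JPEG)} -> {len(cleaned)} bytes")
```

Running the cleaner a second time over its own output is a useful self-check: it must return the same bytes and report that no Exif was found.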

Germany (and the EU) has excellent data protection laws. But the law itself cannot hope to forestall the issue of facial recognition forever. The technology exists and policy makers need to address the issue and seek solutions as if biometric data is already freely available.

Because even if legitimate companies can be successfully regulated from storing this type of data, criminals won’t be so restrained. Computing power is cheap, and getting cheaper. The worst case scenario could be unregulated black market search engines offering facial recognition as a service.

It wouldn’t be the first time such a business model developed.

Be seeing you,
Sean

See also:

Kashmir Hill: If Everyone’s A Celebrity In The Internet Age, Shouldn’t We Expect To Be Recognized By Face?
Alessandro Acquisti: Faces Of Facebook – Or, How The Largest Real ID Database In The World Came To Be

On 10/08/11 At 07:40 PM
