Pwn2Own: Google offers $1M in Chrome exploit rewards

Google is to offer up to a million dollars in rewards for Chrome exploits at the CanSecWest conference. Previously, Google sponsored the Pwn2Own competition held at CanSecWest, but this year it has decided to reward exploits directly.

“We discovered that contestants are permitted to enter Pwn2Own without having to reveal full exploits (or even all of the bugs used!) to vendors” says Google in a blog post. In previous years, full details have been handed over, but the revised rules make it “an explicit non-requirement in this year’s contest” – a change that Google calls “worrisome”. The organizers revised the rules to make the contest “more fair” and “more of a competition”.

Google says it is proud of its track record in previous contests: Chrome has never been exploited at Pwn2Own, though Google has patched bugs discovered during the competition. The company says that not receiving exploit information makes it harder to improve the browser’s security, and its own reward scheme is designed to give participants an incentive to fully disclose their exploits.

For a “Full Chrome exploit”, which uses only Chrome bugs and persists in a Windows 7 local user’s account, Google will pay $60,000. A “Partial Chrome exploit”, where one Chrome bug is combined with bugs elsewhere, will pay $40,000, while a “Consolation reward”, for exploits that use bugs in Flash, Windows or some other component not specific to Chrome, will pay $20,000. Google will pay these rewards, up to a total of a million dollars, on a first-come-first-served basis for exploits that come with a complete set of reliable, fully functional bugs present in the latest versions, i.e. “genuinely 0-day”. Reward winners will also receive a Chromebook.

The CanSecWest rewards are separate from Google’s Chromium Vulnerability Rewards Program which has, to date, paid around $300,000 to flaw finders.

Source: H-Security

Oops! Selena and Bieber’s hidden camera bedroom video Facebook scam

Oops indeed. At least if you were one of the Facebook users who believed that a hidden camera video had leaked onto the net of Justin Bieber sharing some intimate moments with his girlfriend Selena Gomez.

Of course, Bieber’s typical fans – or those who would delight in his public humiliation by hungry paparazzi – are probably unlikely to think twice about clicking on a link shared with them by their Facebook friends, claiming to link to a sex video.

selena-bieber-scam-1

00ps!!! There was a hidden camera in Selena & bieber's bedroom
[LINK]
WOW HaHa it's really so funny ~ Don't Miss it!

If you made the mistake of clicking on the link, you would be taken to a third-party website which urges you to share the video further, amongst your Facebook friends.

selena-bieber-scam-2

And if you made the mistake of sharing you’ll then be presented with an all-too-familiar online survey. This is how the scammers make money, tricking you into driving traffic to online surveys that earn them commission. Using sex videos is not a new technique, and Justin Bieber has had his name used in vain by the scammers on several occasions.

If you were fooled into participating in this scam remove the message from your newsfeed, and delete any messages you may have inadvertently shared with your friends. That way at least you are no longer spreading it with your online chums. You can also report the link as spam – hopefully if enough people do it, Facebook will begin to stop the scam from spreading.

If you use Facebook and want to receive early warnings about the latest attacks, you should join the Omid’s TechBlog Facebook page.

Beatles for Sale? It’s spam of the day

I’ve owned up to some of the great loves of my life in the past.

For instance, I’m a music lover and I’m very partial to board games (even during a denial-of-service attack).

Today I can also share that I like The Beatles. In particular, anything from “Rubber Soul” and later when the “Yeah yeah yeah” turned into something rather more “Yeah man. Dig it”.

I’ve simply never come across a more talented combination of musicianship and songwriting abilities – for me, you can kick The Stones, The Who, Cream and.. yes.. even MeatLoaf to the kerb, as Lennon, McCartney, Harrison and Starr are the guv’nors.

So, perhaps I was the right person to receive the following spam message about a box set of remastered Beatles CDs and mini-documentaries.

beatles-email

If you click further on the email, which has clearly been written with a Spanish-speaking audience in mind, you discover – ¡Ay, caramba! – that whoever is touting this “box set” has actually shoved every Beatles track onto one DVD.

They’ve even gone to the effort of adding a mini-documentary for each official album from “Please Please Me” to “Abbey Road”.

beatles-web

It’s beginning to sound suspiciously like these tracks and the video content might be somewhat similar to what Apple announced for its iTunes store to great fanfare late last year.

In short, if you purchase goods like this advertised to you via spam – you’re not only encouraging the spammers to flood your inbox some more, but you’re also preventing Messrs McCartney and Starr, and the families of Lennon and Harrison from receiving their rightful earnings for their musical genius.

If you like music, buy it through official channels – and support the artists who created it. Don’t feed the spammers.

Source: SophosLabs

Nothing lasts forever, but still I miss you

Finally, the first level of my German class at Goethe-Institut has finished (read here about when it began) and I’m so sad. I will miss all my great classmates and our teacher; we have been a great group, really a perfect group together, and it was not easy to say goodbye.

I passed the A1.1 level with a “satisfactory” score (Evaluation). Yeah, I know I could do better, but… I will try to practise at home too for the next level.

In my life I’ve been in many different groups of people: family, friends, school, co-workers at IRIB, businessmen at work, etc., but I’ve never been as happy as I’ve been among this group of good folks in my class. They have been very nice people, with no trouble between us; we really matched together, old and young classmates alike, and I was the youngest one there! ;)

Our teacher may not have been the most experienced teacher at the institute (she was good at her job anyway, at least for me), but she is a very good person with a very good personality and excellent behaviour towards us. Never angry, never silly, never boring, never ignoring anyone, never mocking anyone and never stopped smiling; the kind of teacher we were better off having at school than not. When she was in class no one noticed the time, and the 90 minutes of class flew by in a moment.

You may say I can still keep in touch with them, but after the class there is less reason for us to contact each other or get together. During the course we were together three times a week, but now? Will our teacher join us too? I don’t think so! So we are almost done.

I wish all of you my classmates and my dear teacher best of best in your life.

-Omid

Google Drive Will Support Third Party Apps

Google Operating System Blog: Back in November 2010, a comment in the Google Docs source code revealed some new features that would be available: third-party apps, Cloud Print integration and sync.

It turns out that the upcoming Google Drive release will add support for third-party apps, and Google will also include an SDK for developers. This way, you’ll be able to open files stored in Google Drive using non-Google apps. The Google Docs source code mentions “SDK” several times in connection with Google Drive and the “open with” feature.

drive-sdk-1

drive-sdk-2

There’s also an interesting message that suggests Google Drive will integrate even more with Gmail: “Say goodbye [to] email attachments and hello to real time collaboration. Drag anything shared with you to My Drive for easy access.”

In a recent article, the Wall Street Journal reported that GDrive “is expected to launch in the coming weeks or months and will be free for most consumers and businesses. Google will charge a fee to those who want to store a large amount of files.”

Most likely, Google Drive is an important upgrade to Google Docs that will detach the online storage service from the Google Docs apps and make it more useful by offering more free storage, syncing apps and integration with web apps developed by other companies.

Twilight author’s official website attacked

Sunbelt: Twilight fans who normally frequent the official website of Stephenie Meyer, infamous writer of the said book and saga, may have found their systems captured by a “being” that is neither a blood-sucker nor a giant, feral dog. It might be something supernatural, but not in the security world: zombies.

Our friends at avast! unearthed an attack on the author’s website not so long ago: www.stepheniemeyer.com had been hosting Crimepack, an exploit kit that takes advantage of known vulnerabilities in various web browsers and the Windows OS to install malware. Brian Krebs of KrebsOnSecurity.com took a closer look at this particular exploit pack back in 2010, and it is indeed a nasty one. Not only is it capable of targeting holes in software installed on your system, it also “lets customers [buyers of this Crimepack exploit kit] test various Web reputation services to discover whether any include their exploit sites.” Computers successfully exploited by the Crimepack exploit kit are eventually turned into zombies, which online criminals use for malicious tasks such as spamming and launching denial of service (DoS) attacks.

www.stepheniemeyer.com is now free of malicious code.

Once again, we implore our readers to make it a point to regularly update their operating system and security software.

Stay safe!

YouPorn passwords available for download, thousands of users exposed [Updated]

SophosLabs: Want a free password for one of the world’s most popular adult websites?

YouPorn, one of the world’s most popular porn video websites and one of the top 100 websites of any kind in the world, appears to have been caught with its pants down, after a list of many of its users’ email addresses, passwords and dates of birth was left exposed on a public-facing server.

According to security blogger Anders Nilsson, the credentials of well over a million YouPorn users were publicly accessible.

Unlike the recent Brazzers porn site hack, however, sloppy practices are being blamed for the YouPorn incident, with debug data about users seemingly being stored in a public fashion since 2007.

youporn-user-data

Hackers have been sifting through the information, and in some cases republishing it elsewhere online. So even though YouPorn appears to have now shut down the offending server – its users remain exposed.

youporn-passwords

This is one of those cases where it’s not just bad to have your password exposed – it’s actually potentially worse to have your email address connected with this breach too.

You can imagine how employers and marital partners may be less than impressed to find you are registered for a website like YouPorn. And their discovery of your porn penchant is only a search and a click away.

But more than the embarrassment factor, there’s also a security issue here. We know that many internet users adopt the same password for multiple sites.

So, if your YouPorn password is now known, hackers might try that same password against your email account, your PayPal account, your Amazon account and many other online resources.

If you are still using the same password on multiple sites, please change your dirty habit now.
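The defensive counterpart of that password-reuse warning, as an added example that is not part of the original post: a site that stores salted PBKDF2 hashes can take a leaked `email:password` list, look each email up among its own users and re-derive the leaked plaintext with that user’s own salt. A match means the user reused the leaked password and should be forced to reset it, without the site ever reversing a stored hash. The user table, the leaked dump and the `email:password` line format are all constructed assumptions for this example.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor for the example; production systems should use a
# higher count (or a memory-hard KDF), but the comparison logic is the same.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash, as a site would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(email: str, password: str) -> dict:
    """Build one user record with a fresh random salt (constructed data)."""
    salt = os.urandom(16)
    return {"email": email.lower(), "salt": salt, "hash": hash_password(password, salt)}


# Our own (constructed) user table, keyed by lower-cased email.
OUR_USERS = {
    u["email"]: u
    for u in (
        make_user("alice@example.com", "correct horse battery staple"),  # reused below
        make_user("bob@example.com", "a different password entirely"),  # not reused
        make_user("dave@example.com", "p@ss:with:colons"),              # reused, contains ':'
    )
}

# A constructed leak in the "email:password" form such dumps usually take.
# Mixed case, a malformed line and an unknown user are included on purpose.
LEAKED_DUMP = """\
Alice@Example.com:correct horse battery staple
bob@example.com:bobs leaked password
carol@example.com:not one of our users
this line has no separator
dave@example.com:p@ss:with:colons
"""


def parse_dump(text: str):
    """Yield (email, password) pairs; split on the first ':' only, skip junk."""
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if email:
            yield email, password


def find_reused_passwords(users: dict, dump_text: str) -> list:
    """Return emails of our users whose stored hash matches their leaked password.

    Each leaked plaintext is re-hashed with that user's own salt, so the
    leaked list never needs to be stored and no stored hash is reversed.
    """
    reused = set()
    for email, leaked_pw in parse_dump(dump_text):
        user = users.get(email)
        if user is None:
            continue  # the leaked account is not one of ours
        candidate = hash_password(leaked_pw, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            reused.add(email)
    return sorted(reused)


if __name__ == "__main__":
    for email in find_reused_passwords(OUR_USERS, LEAKED_DUMP):
        print(f"force password reset: {email}")
```

The constant-time comparison is not strictly needed for an offline batch job, but using `hmac.compare_digest` everywhere hashes are compared keeps the same helper safe if it is later reused on a login path.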

But it’s unlikely that the victims of this data breach will be finding things so amusing.

At the time of writing, there is no mention of the apparent data loss on YouPorn’s official blog (no, we’re not linking to it) or Twitter account.

Update: YouPorn has attempted to clarify the situation, explaining that only YouPorn chat users have been affected by the incident. The chat feature is run by an undisclosed company that is not directly associated with YouPorn. YouPorn has since removed the chat feature from its web site.

Fake AICPA Mail Serves Blackholes and Rootkits

Sunbelt: Be wary of emails claiming to be from the AICPA. As per their alert here, these are not real, and any mention of “unlawful tax return fraud” is just bait to convince the end user to open a malicious attachment (in this case a .doc file, although there are rogue PDF files in circulation too).

aicpaexploitmails

As with many of the malicious spam campaigns doing the rounds at the moment, this one uses the Blackhole exploit kit to serve up Zbot from multiple compromised domains. Worse, a Sakura kit (typical example here) will download Sirefef/ZeroAccess, which, as we’ve seen elsewhere, is not a good thing to have on your system.

One of the more unpleasant spam campaigns we’ve seen recently.

Maslenitsa Has Begun, And So Has the Spam!

Symantec Connect: Maslenitsa (Масленица) is a religious holiday celebrated in Russia and Ukraine during the last week before Lent, i.e. the seventh week before Pascha (Easter). The festival is also known as Pancake Week or Butter Week. During this week people enjoy the social activities that are forbidden during the prayerful Lenten season, such as partying and dancing. This year Maslenitsa will be celebrated from February 20 to February 26.

We are observing Maslenitsa spam targeting Russian and Ukrainian users that offers attractive tour packages. As in other Russian spam messages, such as online marketing promotions, the spammers provide a phone number to book the carnival package.

Below is a sample of a tour package spam:

mail1

Translation:

mail2

Our readers are encouraged not to fall for such cheap package offers and to stay safe from online scams.

Happy Maslenitsa to you all!

Ex-girlfriend sex videos, browser plugins and Facebook survey scams

SophosLabs: Scammers are up to their old tricks on Facebook, tricking users into visiting revenue-generating survey scam websites by appearing to offer sex videos.

Using a thumbnail which suggests a link to a sex video, messages posted on compromised Facebook users’ walls attempt to lure their unsuspecting Facebook friends into clicking to see more.

And if the use of a saucy snapshot of a naked man and woman in an intimate pose wasn’t enough, the messages also include a variety of names (obscured in the images below) – presumably these are the names of the afflicted users’ Facebook friends.

omg-girlfriend

[Video] WOW.. watch what Happened to his Ex Girlfriend!!
[LINK]
Omg. I cant believe this actually happened to his Ex-Girlfreind!

Another version reads:

OMG. watch what happened to his Ex-Girlfriend!
[LINK]
[Video] Wow. I cant believe this actually happened to his Ex-Girlfreind!

If you are fooled into clicking on the link, however, you are taken to a third-party webpage which claims that you will only be able to view the sex video once you have installed a DivX plugin.

omg-install

Hopefully regular readers of Naked Security would know better than to click on the link to install the plugin, but if you did, it would attempt to install a script into your browser.

divx0

divx1

This script then takes your browser to an all-too-familiar survey webpage, and the more people who complete the survey, the more commission the scammers make. Presumably they hope that by now their victims have put so much effort into trying to view the video that they are unlikely to give up.

If you use Facebook and want to receive early warnings about the latest attacks, you should join the Omid’s TechBlog Facebook page.