The Intel Security Advanced Threat Research Team has discovered a critical signature forgery vulnerability in the Mozilla Network Security Services (NSS) crypto library that could allow malicious parties to set up fraudulent sites masquerading as legitimate businesses and other organizations.
The Mozilla NSS library, commonly utilized in the Firefox web browser, can also be found in Thunderbird, Seamonkey, and other Mozilla products. Dubbed “BERserk”, this vulnerability allows for attackers to forge RSA signatures, thereby allowing for the bypass of authentication to websites utilizing SSL/TLS. Given that certificates can be forged for any domain, this issue raises serious concerns around integrity and confidentiality as we traverse what we perceive to be secure websites.
What users can do immediately
Individual Firefox browser users can take immediate action by updating their browsers with the latest patches from Mozilla.
Google has also released updates for Google Chrome and ChromeOS, as these products also utilize the vulnerable library.
Ensuring that privacy and integrity be maintained is core to what we do at Intel Security. As this issue unfolds we will continue to provide updates on effective countermeasures and proper mitigation strategies.
Symantec is overhauling its Norton security software, going from nine products to just one as the company turns its attention to smartphones and connected devices.
The new product, called Norton Security, doubles down on the company’s renewed focus on subscription models. In its most recent quarter, when Symantec reported a $236 million profit on a 2% gain in revenue to $1.74 billion, the company said it planned to optimize the Norton business while streamlining product support.
Norton Security, which goes on sale Sept. 23 and costs $80 a year, will combine all of the antivirus, spyware, spam-monitoring and other features scattered across various versions of Norton AntiVirus, Norton Internet Security and Norton 360. It most closely resembles the Norton 360 Multi-Device offering that previously had cost $100 a year but is now $70.
The new product can be used across a family’s Windows and Mac computers, as well as their smartphones running iOS and Android. It includes other services, such as a password keeper, and offers cloud-backup storage starting at an additional $10 a year for 25 gigabytes.
The one-size-fits-all approach to PCs makes sense for Symantec at a time when security concerns are broadening beyond the traditional battlegrounds to smartphones, tablets and other connected devices, Fran Rosch, Symantec’s executive vice president in charge of the Norton business, said in a briefing with The Wall Street Journal.
People who want a premium version of Norton Security and Antivirus on an Android phone today have a choice: pay $30 for an in-app purchase, or buy the larger subscription and log in as a premium user. (People using iOS can’t buy the premium version through the app.)
The free version of the Android app scans downloads for malware, while the full version includes antitheft controls, backup, call blocking and an app monitor that looks for suspicious or “unnecessary” activity, such as personal data getting uploaded to the cloud.
While Symantec is putting all of its Norton products under one PC roof, it will continue to have separate smartphone apps that perform specific tasks.
Norton apps are available for iOS, but Mr. Rosch said Symantec isn’t focusing on iPhones and iPads. The way Apple controls its mobile OS and app distribution makes the platform less of a security challenge, he said. There is more opportunity on Android, which is considered a more “open” OS.
Perhaps the best news for consumers: As part of the transition, Symantec is easing back on preinstalled promotional software that many PC buyers have come to label “junkware.” Mr. Rosch says the placement isn’t worth the cost. To make the same profit as it does on one direct-subscription sale, he said, Symantec needs to convert about five of the trial software users. The company declined to say how much it pays to place trial versions of its software on PCs.
That doesn’t mean Symantec is walking away from its core PC audience. It is working on a touch-friendly Windows 8 app, which could give Norton more visibility in Microsoft’s Windows App Store. Thirty percent of Norton’s users are running the software on Windows 8—but only in the classic desktop version, not the touch-friendly version, the company said.
The other area Symantec is turning its attention to is the “Internet of Things,” Mr. Rosch said. Symantec is working with manufacturers to lock down the connected devices they build. Tiny gadgets built for specific purposes usually don’t have the horsepower or battery juice to scan for viruses, Mr. Rosch said, but Symantec has software that can help “white list” appropriate programs to safeguard them from malware.
Symantec isn’t completely ruling out an Internet of Things product of its own in the future, Mr. Rosch said. It already prototyped a “home security system” device—complete with a camera—but isn’t ready to release it at this time.
So many Facebook scams in 2014 have been a little worrying even though at first they all seem innocent enough, but these are social scams to lure users in to gain money or access to computers.
One particular Facebook scam this year was the “Robin Williams goodbye video”, which was apparently made before his death. This fake BBC News video is a scam and no such video exists.
The “Robin Williams goodbye video” started to circulate on Facebook and asks users to share the video before they can watch it, DO NOT click on it. There is no video so no point on sharing it, Symantec explains in detail that when Facebook users click on the video it asks them to either fill out a survey or install an application. When the survey is complete the scammers gain money for each one completed.
Do not open any app offering to change your Facebook’s color because it is a scam. The Facebook color blue may be getting a little boring for some and may like a change; this is where a new web app could come in handy.
If you come across the “Facebook color changer” or “Facebook Colour Changer” DO NOT open this at all, it will hijack peoples Facebook accounts. It has already been reported it has accessed over 10,000 FB accounts so far; this is malicious software done in two steps. The first step process is when users click to allow the app access to the users Facebook profile, the second step is where the first step has been declined and asks the user to download anti-virus software.
If anyone has followed the tutorial video on how to use the “Facebook colour changer” it is advised to change passwords immediately, you should also remove the app from your profile from the Facebook app settings.
Another Facebook scam will trick users and then access accounts, in a nutshell you basically hack yourself. It cleverly lures Facebook victims into believing they can access anyone’s account using three simple steps. The scam starts of by asking users to open Facebook in a web browser then visit the person they wish to hack, with a few simple steps such as right-clicking anywhere on the page after doing the above and then via the pop-up menu select “Inspect Element”. Once this has been done it will open an HTML editor, it is within this editor users are instructed to copy-paste a string of code provided – The code does not work, never has and never will.
Whilst on the subject of Facebook scams we recommend you keeping an eye on these ones, anything to do with these please do not click on them. 1) A Facebook app that allows you to see total profile views and visitors, 2) There is another scam titled ‘Rihanna sex tape with her boyfriend’, 3) Free-T-shirts when you Check my status update (Just another scam), 4) You can check if a friend has deleted you.
The above are only a few Facebook scams, there are thousands but these are more recent. Do NOT click on anything you are not sure about, especially when it says share this video to view it (Unless it is a trusted website).
A couple days ago, NBC News ran a report pegged to the Sochi Olympics about Russian hacking. In it, correspondent Richard Engel uses a “brand new” smartphone to test out the Russian internet while hanging out in a Moscow cafe. “Almost immediately,” he says in the segment, “we were hacked.” Naturally, as the security consultant NBC hired for the segment explained today, it’s not true.
It was the perfect amalgamation of Russian stereotypes and fears: The subtext is that low-grade security infrastructure, built probably by the same bribe-laden goons that put two toilets together in Sochi, has been completely overrun by evil Russian hackers all to prey on the poor visitors to the backwards country.
“Malicious software hijacked our phone before we even finished our coffee, stealing my information and giving hackers the ability to record my phone calls,” says Engel in the segment, incredulous. The implied follow-up to the report is obvious: Not only is Russia so inept that it hosted the Winter Olympics at a beach, you can’t even walk into the country without getting spied on!
The irresistible mix of the “Russia is sketchy” storyline with Sochi and the specter of Cold War-era spycraft (how about those hotel shower cameras?) sent the report bounding around the internet. “Report: Nearly all visitors to Sochi Winter Olympics will be hacked,” reads a perfectly representative headline, while NBC’s own post about it says Sochi is “‘open hunting season for hackers.”
Nevermind the fact that Engel was actually in Moscow, which is about a 1,000 mile drive from the shores of Sochi. And ignore the fact that malware was only downloaded to Engel’s devices after deliberately clicking on the same kind of malware-laden crap everyone in the world knows to avoid. It was too good a story to pass up.
But a story it was. Things started to unravel last night when a post on the Errata Security blog claimed that the story was “100% fraudulent.” Instead, argues the writer Robert Graham, the story was simply a reminder not to click on clearly hostile websites, like the fake Olympic sites Engel visited. “Absolutely 0% of the story was about turning on a computer and connecting to a Sochi network,” he writes. “100% of the story was about visiting websites remotely.”
Today, Wilhoit explained that every attack involved a user interaction, could have happened anywhere, and happened on brand new devices without OS updates. Rather than a story about visitors being immediately hacked upon visiting Sochi, the story was about using internet best practices and not opening suspicious emails—which is hardly groundbreaking.
How did it happen? Wilhoit lays it out clearly (emphasis mine): “While all three devices looked like they had been compromised with no user interactions that was just not the case. Incorrect impressions may have been formed due to the editing process; no zero-days were used and all infections required plenty of risky behavior to succeed.”
Wilhoit’s white paper has in-depth explanations of the hacks observed on the test equipment—a Galaxy S4, Lenovo ThinkPad, and MacBook Air—but again, the caveat is clear. “As in most malware attacks, user activity of one form or another is required for an infection to affect devices,” he wrote. “The case studies presented in this paper do not differ in that the user has to do something because no compromise automatically occurs.”
So while Engel’s report wasn’t 100 percent false—the tested equipment was indeed compromised—the malware attacks were absolutely not immediate, and were absolutely not endemic to Sochi. Such infections could have happened to anyone in the world, and could have come from anywhere in the world, because they involved fooling around on compromised sites on the open web.
How does a tale about internet best practices—a legitimately good thing to remind people of—turn into a Sochi hacking story based in Moscow? After Graham’s report dropped, NBC told Business Insider that nothing was fraudulent about the report, and that it was clear that it happened in Moscow and that it was designed to model what an average user would do. It’s as yet not clear how NBC will respond to Wilhoit’s report; I’m waiting on a response to an email inquiry, and will update when possible.
However, it does seem pretty apparent that NBC dressed up a hacking story—which I can say from experience are not easy to tell in video form, especially to a broad audience—by pegging it to Sochi. Teaching travelers about internet security is a smart, valuable service. But by focusing so heavily on the Sochi angle, and suggesting that hacks are immediate—an assertion that, beyond the control of NBC, was also amplified and distorted in the media echo chamber—the report ended up missing the mark.
REDMOND, WASHINGTON (The Borowitz Report)—Bill Gates’s first day at work in the newly created role of technology adviser got off to a rocky start yesterday as the Microsoft founder struggled for hours to install the Windows 8.1 upgrade.
The installation hit a snag early on, sources said, when Mr. Gates repeatedly received an error message informing him that his PC ran into a problem that it could not handle and needed to restart.
After failing to install the upgrade by lunchtime, Mr. Gates summoned the new Microsoft C.E.O. Satya Nadella, who attempted to help him with the installation, but with no success.
While the two men worked behind closed doors, one source described the situation as “tense.”
“Bill is usually a pretty calm guy, so it was weird to hear some of that language coming out of his mouth,” the source said.
A Microsoft spokesman said only that Mr. Gates’s first day in his new job had been “a learning experience” and that, for the immediate future, he would go back to running Windows 7.
The Federal Bureau of Investigation is willing to pay top dollar for the malicious, infectious software the rest of us pay to keep out of our computers, according to the Federal Business Opportunities website.
A Monday price quote request by the Investigative Analysis Unit of the agency’s Operational Technology Division is asking computer security developers and retailers to help the agency build a library of malware for an undisclosed reason, letting the companies name their price.
“The IAU has a team of highly trained technical analysts, specialists and engineers providing on-scene technical support, employing innovative, custom developed analytical methods and tools to analyze collected data,” the request reads. “Critical to the success of the IAU is the collection of malware from multiple industry, law enforcement and research sources.”
The agency’s minimum specifications for malware to purchase include 35 gigabytes of shareable malware per day, updated every 24 hours, across a wide range of file types.
“The collection of this malware allows the IAU to provide actionable intelligence to the investigator in both criminal and intelligence matters,” the request states, describing the acquisition of malware as ”critical to the success of the IAU’s mission to obtain global awareness of malware threat.”
The request also indicates the FBI will test any such malware before purchase, and that it will notify vendors when and where to send the software, after which the test products will be deleted due to “the nature of the solicitation.”
Initial descriptions and quotes for malware packages are due on Feb. 14.
Watch the official Lyric Video for “Never Enough” from “Colours In The Dark”:
It all starts with a mystic woman dressed in black, slowly striding through long corridors: Tarja. Cut. Then, a painter, a dancer and an oboe player are shown in a dusty, old factory. All caged in their dull habits, their daily tasks, repeating their monotone movements over and over again — all victims of their rituals.
Tarja is coming to their rescue. With a hint of a smile and powerful colours, she is able to free them and brings out the best in each of them. It all could have ended here, wasn’t it for the dark, suspicious figures. They have been following Tarja the whole time, watching her every move and then, chase her, try to get her down. Will they succeed or will Tarja win the epic final battle?
Answers to this question can be found in the official video for Tarja’s first single “Victim Of Ritual” from her forthcoming album “Colours In The Dark”. Shot in Berlin by Florian Kaltenbach for Hunger Film, the video resembles a short film with its running time of 6 minutes.
“Victim Of Ritual” will be released as download, CD single and 7″ vinyl on July 12th, 2013 via earMUSIC. Both physical releases will surely become rare collector’s items, being made available in strictly limited quantities. The 4-songs digipak CD-single is limited to 3.000 copies worldwide, whereas the 2-track 7″ vinyl is limited to only 1.500 units worldwide.
Tarja’s forthcoming new album “Colours In The Dark” will be released on August 30th, 2013 via earMUSIC. Mixed by Tim Palmer (Pearl Jam, U2) in Austin, Texas, the album is definitely going to be one of the brightest moments for rock in 2013.
Tarja will perform the songs from “Colours In The Road Tour” starting with her forthcoming tour.
Colours In The Road Tour 2013
17.10. Olomouc – Hala University Palackeho (CZ)
19.10. Berlin — Huxley’s (GER)
20.10. Wieze — Metal Female Voices Festival (BE)
22.10. Hamburg — Docks (GER)
23.10. Dortmund — FZW (GER)
25.10. Karlsruhe — Festhalle Durlach (GER)
26.10. Munich — Backstage (GER)
27.10. Vienna — Arena (AT)
29.10. Pratteln — Z7 Konzertfabrik (CH)
30.10. Nuremberg — Löwensaal (GER)
01.11. Leipzig — Haus Auensee (GER)
02.11. Cologne — Gloria (GER)
Colours In The Road Tour 2014
09.11. Klub Studio — Kraków (PL)
10.11. Łódź — Klub Wytwórnia (PL)
12.11. Mega Club — Katowice (PL)
13.11. Palladium — Warsaw (PL)
Since yesterday, some Avira Internet Security users have only been able to use their web browsers if they first disable Avira Web Protection. According to Avira, some customers are getting a “data structure error” that requires a complete uninstall and fresh installation of the program.
However, users in the Avira forum are saying that reinstalling does not solve all their problems: activating IPv6 support and the Drive-by protection causes new browsing issues – this appears to be a Java-related problem, particularly if the latest version, Java 7, is installed. Disabling browser protection is the only way to get around the problem. Chrome, Opera, Firefox and the Thunderbird email client are all affected. Avira has acknowledged that there is an issue with Avira Web Protection and the recently released Chrome version 28; the problem is currently being investigated.
The cause of the problem is not known, but may have been the result of a regular signature update. The recently announced forced upgrade of 2010 and 2012 versions to the 2013 version seems to be unrelated.
Rich Notifications are another new Chrome feature. Chrome already supported basic notifications, but with the new notifications users can be shown, and can interact with, tips and information outside of the browser. For example, a pop-up window in the Windows task bar can inform users when a new email arrives. Notifications can contain pictures, buttons and URLs as well as text. The notifications are handled by a notification center outside the browser, which not only allows the information to be displayed without a running browser but also serves as somewhere a user can consult to see what notifications they have missed.
Rich Notifications replace HTML-based notifications in the Chrome extensions: HTML-based notifications are no longer supported in version 28. Comprehensive instructions for developers are available. At the moment, Rich Notifications only work in Chrome OS and Windows – support for Mac OS X and Linux is said to be coming.
Version 28 also closes various security holes including a richly rewarded use-after-free issue with network sockets and a well-rewarded fix to a HTTP/SSL man-in-the-middle attack. Other rewarded bugs included two use-after-free issues in input handling and resource loading, plus an out-of-bounds read in SVG, all found by Chrome bounty regular miaubiz, a screen data leak through GL textures with Windows and NVIDIA cards, and a lack of entropy in renderers.
The updated browser is available to download for Windows, Linux and Mac OS X or, for existing users, will arrive automatically. Chrome has also seen its Flash player updated to version 11.8.800.97 as noted in Adobe’s patch day.