Thursday, May 31, 2012

Google's reCAPTCHA briefly cracked

H-Online: Hackers developed a script which was able to crack Google's reCAPTCHA system with a success rate of better than 99 per cent. They presented the results of their research at the LayerOne security conference in Los Angeles last weekend; however, their demonstration was somewhat frustrated as, just an hour before the presentation, Google made improvements to its CAPTCHA system.

Of the various CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems, Google's reCAPTCHA is considered to be one of the most reliable for differentiating man from machine. By requiring users to enter visually distorted alphanumeric sequences, web service providers can, for example, ensure that their registration forms are not flooded by spam bots. Rather than trying to analyze these distorted characters, the script, code-named "Stiltwalker", analyzed the audio version of the CAPTCHAs, which Google provides for individuals who are visually impaired.

Stiltwalker makes use of various techniques, including machine learning, but it also exploits the fact that the computer voice has a very limited vocabulary. While text CAPTCHAs are highly complex, relying on a large pool of words in a variety of fonts, Google's audio CAPTCHAs use just 58 different English words.

Slightly frustrated, Defcon Group 949 presented their research results just as Google had fixed the problem

To make automated analysis more difficult, Google adds a background murmur which computers usually have a hard time filtering out. The hackers discovered that the background was composed of a limited number of recordings of radio programmes. The changes that Google made to reCAPTCHA shortly before the presentation render Stiltwalker impotent, but the three-man team of hackers did not let that affect the entertainment value of their presentation.

Tuesday, May 29, 2012

AVAST software blocked its services for embargoed countries

Petr Chocholous, responding to Iranian users who had contacted avast to say they were unable to open the website or update their antivirus, said:

AVAST Software a.s. is currently blocking access to port 80 (that effectively means websites and updates of avast! software) of its servers from the following countries: Iran, Sudan, Cuba, Syria, North Korea and Burma/Myanmar. AVAST Software a.s. [and its subsidiaries/sister companies] must not provide any services in these countries because of policies and regulations that are applicable to AVAST Software a.s.

The blog and forum are available because we hope they count as an information source/personal communication service and are therefore excluded from these regulations.

We are sorry for any caused inconvenience.

http://forum.avast.com/index.php?topic=98853.msg789135#msg789135

Monday, May 28, 2012

Text message provider to pay out for Android malware

H-Online: UK regulator PhonepayPlus (formerly known as ICSTIS) has imposed a fine of £50,000 on a payment provider used for an Android malware-based fraud and forced it to reimburse customers' losses. Last December, unknown perpetrators posted fake versions of popular applications on Google's Play store (formerly the Android Market) which sent out expensive premium rate text messages.

According to Android virus experts Lookout, the applications in question were based on the RuFraud malware and were customized to disguise themselves as 30-plus titles such as Angry Birds, Assassins Creed and Cut the Rope. These apps were downloaded an estimated 14,000 times, and sent out three premium rate text messages, costing £5 each, every time the user tried to open the app. Total losses to customers in the UK were estimated at £27,850.

PhonepayPlus was able to intervene before the money was transferred from payment services company A1 Agregator Limited to the perpetrators of the fraud. The UK registered limited company will now be required to return the money to affected smartphone users, including those who have not made a complaint, and pay a fine of £50,000.

Flame worm - Iran claims to discover new Stuxnet-like malware

Naked Security wrote:

The Iranian Computer Emergency Response Team (MAHER) claims to have discovered a new targeted malware attack against the country, which has been dubbed Flame (also known as Flamer or Skywiper).

In a statement, researchers say that they believe the malware is "a close relation" to Stuxnet, and claim that Flame is not detected by any of 43 anti-virus products it tested against, but that detection was issued to select Iranian organizations and companies at the beginning of May.

MAHER also says that it has produced a removal tool for the malware. Whether this is built into the recently announced "Iran's self-built anti-virus" is unclear.

Continue Reading: http://nakedsecurity.sophos.com/2012/05/28/flamer-iran-malware/

Update:

Now there are more resources about this:

Sunday, May 27, 2012

Facebook and Opera: Facebook Browser Is Imminent

Mashable: Are you ready for a Facebook browser that integrates the social networking behemoth into your online life more than ever? That’s exactly what could be on the way soon, according to one report.

A Friday Pocket-lint report cites a “trusted source” that Facebook wants to buy Opera Software — manufacturers of the Opera web browser, which claims more than 200 million users worldwide. The Facebook browser would include default menu bar plugins, further permeating Facebook into users’ general web experience, according to the report.

A Facebook spokesperson declined Mashable‘s request for comment.

A custom browser would be a significant step toward Facebook becoming your web, as opposed to just an Internet site you visit and service you use. Opera’s mobile browser has received strong reviews online, meaning a functional Facebook browser using it could be even more powerful. Facebook has struggled to penetrate mobile use as deeply as many think it should be able to — and will need to in order to sustain long-term growth.

A Facebook browser would also bolster the newly public company’s competition with Google. Google Chrome recently became the web’s most-used browser, but Facebook’s gigantic user base of more than 900 million people would present a potential serious threat down the line. It would be interesting to see Facebook try to battle Google for browser dominance as Google+ struggles to play catchup in social networking.

We’ll see if the Opera rumors are true, but if Pocket-lint‘s “man in the know” is even remotely hooked in, it’s not hard to imagine the arrival of a Facebook browser being only a matter of time.

How could a Facebook browser help the company take over the web — or can it? Share your perspective in the comments.

Source: Mashable

Friday, May 25, 2012

A technical analysis of Adobe Flash Player CVE-2012-0779 Vulnerability

Microsoft Malware Protection Center wrote:

Recently, we've seen a few attacks in the wild targeting a patched Adobe Flash Player vulnerability. The vulnerability related to this malware was addressed with a recent patch released by Adobe on May 4th. On the Windows platform, Flash Player 11.2.202.233 and earlier is vulnerable. If you're using a vulnerable version, you need to update your Flash Player now to be protected against these attacks. We had a chance to analyze how the malware (sha1: e32d0545f85ef13ca0d8e24b76a447558614716c) works and here are the interesting details we found during the investigation.

Continue Reading at: http://blogs.technet.com/b/mmpc/archive/2012/05/24/a-technical-analysis-of-adobe-flash-player-cve-2012-0779-vulnerability.aspx

Yahoo released private certificate with new extension

H-Online: Yahoo! introduced a new "browser", Axis, last night, both as a standalone application for iPhone and iPad and as a browser extension on Chrome, Firefox, Internet Explorer and Safari. Axis is meant to offer faster, smarter searching using Yahoo's services. Within hours of the launch, hacker and blogger Nik Cubrilovic posted on his blog that the Chrome extension came with a worrying extra, a Yahoo private certificate file which was used to sign the extension package and prove the package's authenticity to the Google browser.

With the private key in the wild it would be possible to create and sign an extension which appeared to be from Yahoo!; Cubrilovic demonstrated this by creating "yahoo-spoof", a lightly modified version of the extension, signed with the private certificate. According to Cubrilovic, there was no password associated with the certificate, which allowed this signing to take place, and the build script was also included in the extension.

It would have been possible, if DNS was appropriately compromised, to have updated a legitimate Axis extension with a correctly signed but malicious version. Given how new Axis is, this would have been unlikely, but leaving a private certificate in the distributed extension does raise questions over how thorough and secure Yahoo's release process is. A member of the Axis team, Ethan Batraski, commented on various sites that Yahoo! had pulled down the Chrome extension and blacklisted the exposed certificate. The company has since released an updated version of the Chrome extension signed with a new private certificate.
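The release-process gap described above is the kind of thing a pre-publish check catches: scan the packaged extension for PEM private-key blocks, key files and build scripts before it is shipped. The following is an added example, not Yahoo's or Cubrilovic's code; it assumes the extension is available as a plain zip payload (the part of a .crx after its header) and uses a constructed sample package with a placeholder key body.

```python
import io
import re
import zipfile

# A PEM private key block in any packaged file is a release blocker.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Key-material file extensions and build scripts have no business in a shipped package.
SUSPICIOUS_NAMES = re.compile(r"(\.pem|\.p12|\.pfx|\.key)$|(^|/)(build\.sh|Makefile)$", re.I)


def scan_extension_package(data: bytes) -> list:
    """Return (filename, reason) findings for a zipped extension package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if SUSPICIOUS_NAMES.search(name):
                findings.append((name, "suspicious filename"))
            # Content check catches keys hidden under innocuous names too.
            if PRIVATE_KEY_RE.search(zf.read(name)):
                findings.append((name, "PEM private key block"))
    return findings


def build_sample_package() -> bytes:
    """Constructed sample: a package that mistakenly bundles its signing key and build script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example-ext", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        # Placeholder body, not real key material.
        zf.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
        zf.writestr("build.sh", "#!/bin/sh\n# build steps omitted in this sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_extension_package(build_sample_package()):
        print(f"BLOCK RELEASE: {name}: {reason}")
```

Wiring this into the packaging step so a non-empty findings list fails the build would have stopped the leak before the package reached the store.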

Google releases security update for Chrome 19

H-Online: Google has announced an update to the stable version of Chrome, which brings the browser version to 19.0.1084.52 on Windows, Mac OS X and Linux. The update is a pure security update that does not include any new features – it closes nine vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating of "High" and fixes two problems labelled "Critical" as well as two "Medium" level issues.

Many of the vulnerabilities are due to bugs in Chrome's memory handling, such as out-of-bounds reads and use-after-free conditions, and Google points out that several of them were detected with their AddressSanitizer tool. Other bugs were fixed in Chrome's PDF handling code and its V8 JavaScript rendering engine.

Further details about the security vulnerabilities have not yet been released; this is to give the updates time to roll out to all affected users. Google did announce that it has paid out its signature amount of $1337 to a researcher who reported one of the critical vulnerabilities. Three $1000 bounties and one of $500 were also paid to three other individuals as part of Google's bounty program for Chrome security vulnerabilities. The company has recently published a detailed account of exactly how these types of vulnerabilities are discovered and how they reward the researchers who report security issues in a responsible manner.

Wednesday, May 23, 2012

Windows XP in update loop

H-Online: Users of Windows XP are reporting more problems with recent automatic updates. Three security updates for .NET Framework 2.0 and 3.5 are at the center of the problem, labeled as patches KB2518664, KB2572073 and KB2633880 in Windows XP's automatic update feature.

On affected systems, the installation of these patches proceeds without error but after a short time, the update service says it would like to install them again and will keep reinstalling the patches if allowed. Microsoft's general advice in this situation is to reset Windows Update components, though it has yet to offer any specific advice. It is interesting to note that the three patches in question were not released on Microsoft's official patch day.

Hackers use fake Facebook cancellation emails to deploy malware

H-Online: A new type of phishing strategy, which aims to trick unsuspecting users into installing a trojan by pretending to be an account cancellation request from Facebook, has been discovered by Sophos. The email messages link to a third party application on the site that will install a Java applet and then prompt the user to update their Flash player, but will actually deliver the trojan malware.

The email messages that are sent out claim to be from Facebook and state: "We are sending you this email to inform you that we have received an account cancellation request from you." However, Facebook never sends such account cancellation confirmation messages via email. Users who want to cancel their Facebook account can do so by visiting facebook.com/deactivate.php to deactivate their account; they may later delete it after a cool down period has passed.

The malware preys on the fact that many users value their Facebook account highly and do not want it to be deleted. If they follow the link, they get prompted to install a Java applet. If they choose not to do so, the application will keep nagging until the user agrees to the applet being installed. Next, the user will see a message that they need to update Flash Player – this will actually install a trojan onto the system which allows the hackers to take over the machine and integrate it into a botnet. According to Sophos, the most commonly installed trojans are SpyEye-B and Agent-WHZ.