Friday, November 18, 2011

Keep your Facebook friends close and your antivirus closer

Microsoft Malware Protection Center: Facebook malware attacks are not new. Scams spreading via status updates have been around for a long time, but in recent weeks one threat has been getting creative in terms of social engineering. Backdoor:Win32/Caphaw.A can intercept URL requests in both Firefox and Internet Explorer and it has been observed to post very personable updates on friends' walls in Facebook, gaining access if the user is logged in.


The message links to a video posted on a Youtube-like website, which suggests that the user update the browser with a bogus ActiveX object. The malware's authors also went one step further in making sure the video landing page looks as legitimate as possible:



This download is actually Backdoor:Win32/Caphaw.A, a sophisticated firewall-bypassing backdoor armed with almost everything. It installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project. We received a report that a user found this on his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.

The backdoor "calls home" to domains such as commonworld[removed].cc or web[removed]es.cc to get the data that it posts on the friends' Facebook walls. Its main module, in the meantime, is hosted on [removed]youtube.com.



The good thing to do when spotting such fishy wall posts is to warn your friends whose accounts have been compromised. You can mark the message as spam to help prevent others from downloading the backdoor; Facebook is quite diligent about filtering these posts once they have been reported.

The presence of this threat on your computer threatens your whole online identity, so we recommend that you change the passwords to all of your sensitive accounts – email, online shopping, and online banking, for example. And while you're at it, remind your affected friends to change their Facebook passwords, too.

Finally, scan your machine with an up-to-date antivirus solution to remove this malware from your computer.
Here are some SHA1s of files detected by our products as Backdoor:Win32/Caphaw.A:
  • c10ad13419ea44ba85cd8e83e2cd7ac8313e91de
  • 54d9f40156cc4a2561252f8ad30b4afdcc5e93b4
  • ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55
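As an added example (not part of the MMPC post), a small Python scanner that hashes every file under a directory and reports any whose SHA1 matches the indicators listed above; the demo function builds a constructed temporary directory and adds the hash of its own dummy file to the indicator set so the run produces a hit offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA1s listed in the MMPC post for Backdoor:Win32/Caphaw.A
CAPHAW_SHA1S = {
    "c10ad13419ea44ba85cd8e83e2cd7ac8313e91de",
    "54d9f40156cc4a2561252f8ad30b4afdcc5e93b4",
    "ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, indicators=CAPHAW_SHA1S):
    """Walk root and return {path: sha1} for every file whose SHA1 is in indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or locked file: skip it rather than abort the scan
            if digest in indicators:
                hits[path] = digest
    return hits


def demo():
    """Constructed sample: one benign file and one dummy file whose hash is added as an indicator."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"harmless text")
        suspect = Path(tmp) / "sub" / "update.exe"
        suspect.parent.mkdir()
        suspect.write_bytes(b"constructed sample, not real malware")
        # The dummy file's own hash stands in for a real Caphaw sample (assumption for the demo).
        indicators = CAPHAW_SHA1S | {sha1_of_file(suspect)}
        hits = scan_tree(tmp, indicators)
        return {os.path.relpath(p, tmp): d for p, d in hits.items()}


if __name__ == "__main__":
    print(demo())
```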

Thursday, November 17, 2011

Stop Censorship: Help us stop the Internet Blacklist Legislation


Protect the Internet

Help us stop the Internet Blacklist Legislation

Mozilla: On November 16th, Congress holds hearings on the first American Internet censorship system. This bill can pass. If it does, the Internet and free speech will never be the same.
Join us to stop this bill.

  • Why?

    A few infringing links are enough to justify censoring an entire site, blocking good content along with the bad.
  • How?

    The US will be able to block a site’s web traffic, ad traffic and search traffic using the same website censorship methods used by China, Iran and Syria.
  • Who's at risk?

    Your favorite websites both inside and outside the US could be blocked based on an infringement claim.
  • Could this pass?

    Yes. The Stop Online Piracy Act and the PROTECT IP Act have widespread support in Congress and are expected to pass.

Friday, November 04, 2011

Persistent XSS Vulnerability in White House Website

The Hacker News: Alexander Fuchs, a German security researcher, discovered a persistent XSS vulnerability in the official website of the White House.

"The petition system is vulnerable. Every petition I start or join will execute my code. I could join all petitions and my code will be executed on all users who visit the petition system," he said.
Read full story in German: http://www.1337core.de/2011/die-whitehouse-gov-lol-petition/


The XSS Demo is here: https://wwws.whitehouse.gov/petitions/!/petition/security/WxgwM7DS
Advisory: http://vulnerability-lab.com/get_content.php?id=308
What is XSS? http://en.wikipedia.org/wiki/Cross-site_scripting

Forward button to become optional in Firefox

mozillalinks.org: Do you need the forward button? Most likely yes, but it is rarely used compared to the back button, which is the single most used widget in any browser user interface. So it doesn’t make sense to keep it present at all times, stealing focus from its helpful neighbor.

To address this, current Firefox nightlies feature the forward button as optional. If there is nowhere to go further, the button is hidden instead of just disabled as shown in the screenshot below.



Since it is only in nightlies at this time, Firefox 10 (expected for early 2012) is the earliest we will see this change in a final Firefox release.

If you want this behavior and to remove some clutter today, add these lines to your userChrome.css file located in your profile folder*:

/* Conditionally hide the Forward button */
#forward-button[disabled="true"] { display: none; }

Note that the back button won’t integrate with the location bar as in the nightlies.

* To open your profile folder, go to about:support and push the Open Containing Folder button. If userChrome.css is not present, just copy or rename userChrome-example.css and add the lines below.

Thursday, November 03, 2011

Internet Explorer’s Share of Web Traffic Drops Below 50%


Mashable: Internet Explorer can no longer claim more than half of the web’s traffic, as of October, ending more than a decade of the default Microsoft browser’s reign.

Safari’s hold on 62.17% of mobile traffic has reduced IE’s overall share of web browsing, despite still claiming 52.63% of desktop traffic, according to Netmarketshare.com.

The Microsoft browser’s diminishing share (49.6%) reflects its near absence from the realms of mobile and tablet, which now make up 6% of web traffic. However, chances are, you gave up on IE long enough ago that this milestone makes you more curious as to who actually still uses the browser.

As of October, Firefox is the second most popular web browser, accounting for 21.20% of traffic, followed by Google Chrome and Safari, which account for 16.60% and 8.72% respectively.

Chrome, which recently celebrated its third birthday, experienced the most expansion in October, increasing its share of the desktop market 1.42%.

Safari, the default browser in Apple’s iPhone and iPad, continues to increase its dominance over the mobile web, gaining 6.58% of the market. Safari’s share is increasing faster than the iPhone’s, probably due to how much mobile traffic is now driven by iPads.

Google Releases Official Google+ Notification Extension For Chrome

gHacks.net: If you are a heavy user of Google’s Google+ social networking product you are probably keeping the site running in a tab all the time to never miss new messages. But even if you do, you need to switch back to the tab regularly to see if there are any new notifications on Google+.

Notifier extensions make sure that users stay informed even if they close the Google+ browser window. Up until now Chrome users could make use of third party notifiers which, while working perfectly, were not official, which may have kept some users from installing and using those extensions.

Google yesterday released the official Google+ notification extension for the Google Chrome browser.
Google+ Notifications works in principle just like any other notification extension. A new message count is displayed as an icon in the Chrome address bar upon installation. The count goes up for new unread messages and down once those messages get read by the user.

The button of the notification extension turns red whenever updates are waiting for the user. A click on the button displays all recent messages and updates on Google+. This feature is a copy of the Google Toolbar button that offers the exact same functionality.


Notifications include updates on who added you on Google+ and who added a comment or +1 to one of your posts or a post you commented on.

A click on an update leads directly to the Google+ website where it can be read in full. The notifications window also links directly to the Google+ user profile and offers to load the “all notifications” page on the website as well.

Heavy Google+ users on Chrome may find the new official Google+ Notifications extension by Google quite handy. Users can install the extension directly on the Google Chrome Web Store page.

Duqu exploits previously unknown vulnerability in Windows kernel

The H-Online Security: Microsoft has confirmed a report from Budapest-based Laboratory of Cryptography and System Security (CrySyS), which claimed that the Duqu bot spreads by exploiting a zero day vulnerability in the Windows kernel. How it spreads had previously been unknown. CrySyS discovered the Windows vulnerability whilst analysing the installer. The bot, which anti-virus software firm Symantec believes is related to Stuxnet, infects target systems using a specially crafted Word file which injects the malware into the system using a kernel exploit. Microsoft is already working on a patch.

Symantec says that in at least one case, attackers have already taught Duqu to spread via network shares. This allowed the bot to spread through the company network and even infect systems with no direct internet access. The latter were then supplied with instructions from the command and control server by bots which did have internet access.

Until now, Duqu has reportedly only been used for targeted attacks. The installer examined by Symantec was set to be active during an eight-day window in August, only. Symantec has already identified possible infections at six companies operating in France, The Netherlands, Switzerland, the Ukraine, India, Iran, Sudan and Vietnam. Other security companies claim to have discovered infections in the UK, Austria and Indonesia. To date, Duqu has not been identified at German companies. The German Federal Office for Information Security (BSI) has specifically asked businesses to inform it of any cases of infection.

One area in which Duqu has been deployed is to carry out espionage against manufacturers of industrial control systems. This suggests that the attackers may be using the stolen information to plan new attacks on industrial control systems, such as those used in power plants. Stuxnet was initially deployed to sabotage Iran's nuclear programme. Stuxnet also exploited previously unknown vulnerabilities in Windows.

In the meantime, security specialists from Dell's SecureWorks Counter Threat Unit (CTU) have expressed doubt as to whether Duqu is really related to Stuxnet. They report that although both pieces of malware utilise broadly similar rootkit techniques, such as a kernel driver which first decrypts an encrypted DLL and then injects it into other processes, these techniques are now standard practice and are used by many pieces of malware unrelated to Stuxnet. Duqu's payload, according to Dell, bears no relation to Stuxnet's and does not suggest a relationship between the two.

Facebook Scam: Girl killed herself on Halloween

SophosLabs: Scammers have put a new spin on an old Facebook scam, claiming that a girl killed herself on Halloween after her father posted a message on her wall.

Facebook users are sharing messages with their friends, claiming to link to the salacious content.

Girl-Killed-Herself-on-Halloween-After-Dad-Posted-This-on-Her-Wall
[LINK]
This is unbelievable.. shocking..
The messages are currently spreading very quickly on Facebook, as - at the moment at least - Facebook's built-in security systems are not blocking them.

We've seen similar scams in the past, of course, including some which claimed that the girl killed herself on Christmas Eve rather than at Halloween.

Of course, the story is purely designed to lure you into clicking on the link. So what do you see if you do click on the link?


You are taken to a third-party webpage where you are told that in order to view the shocking message left by the father on his late daughter's Facebook wall, you will have to "Share" and "Recommend" the link with your friends.

Woah!! Would you really share and recommend a link before you've actually found out what the content is?

Sadly, lots of Facebook users are so curious that they will do exactly that - helping the message spread for scammers.

And why do the scammers want the message to spread?

Because it drives traffic to online surveys like this, which earn the scammers affiliate commission:


If you were fooled into participating in this scam, remove the message from your newsfeed, and delete any messages you may have inadvertently shared with your friends. That way at least you are no longer spreading it with your online chums.

Make sure that you keep informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Omid's Blog page on Facebook, where people regularly share information on threats and discuss the latest security news.