QuickTime for Windows Update Plugs Security Holes

http://support.apple.com/kb/HT5261

"Version 7.7.2 of QuickTime for Windows has been released to address
a total of 17 security vulnerabilities in the media player. According
to Apple, these include integer, stack and buffer overflows, as well
as memory corruption issues, all of which could be exploited by
an attacker to crash the application or execute arbitrary code on a
victim's system. For an attack to be successful, a user must first
open a malicious Web site or a specially crafted file.

The company notes that, on Mac OS X, many of the holes have already
been fixed in Mac OS X 10.7.3 and 10.7.4 Lion, and Security Updates
2012-001 and 2012-002 for Mac OS X 10.6.8 Snow Leopard systems. A
majority of these vulnerabilities were discovered by members of
TippingPoint's Zero Day Initiative (ZDI). QuickTime 7.7.2 for Windows
is available for Windows 7, Vista and XP SP2 or later" [1].

[1] QuickTime for Windows Update Plugs Security Holes
http://www.h-online.com/security/news/item/QuickTime-for-Windows-update-plugs-security-holes-1576777.html

Police Trojan Crosses the Atlantic, Now Targets USA and Canada
http://blog.trendmicro.com/police-trojan-crosses-the-atlantic-now-targets-usa-and-canada/

A ransomware application that locks computers and asks their owners
to pay fines for allegedly violating several laws through their
online activity is targeting U.S. and Canadian users, Trend Micro
experts report. The "Police Trojan" has been targeting European users
for about a year. In the latest batch of C&C servers analyzed, not
only has the list of countries increased but also their targets are
now more specific. For instance, UKash vouchers are not available in
the U.S., thus the U.S. fake police notification that spoofs the
Computer Crime & Intellectual Property Section of the U.S. Department
of Justice only mentions PaySafeCard as the accepted payment method.

The criminals also took the time to add plenty of logos of local
supermarkets and chain stores where the cash vouchers are available.

The Trend Micro researchers have found clues that suggest a link
between this trojan and Gamarue, a piece of information-stealing
malware distributed through drive-by download attacks launched from
infected Web sites and spam emails. There are also signs that the C&C
software used to manage the computers infected with the Police Trojan
is being resold, which means that multiple cybercrime gangs might be
spreading this ransomware.

Find out if your Mac is infected with Flashback

http://gizmodo.com/5899352/mac-flashback-trojan-find-out-if-youre-one-of-the-600000-infected

Critical - Security Update Available for Adobe Flash Player

https://www.adobe.com/support/security/bulletins/apsb12-07.html

Adobe released a new version of Flash Player, 11.2, fixing critical
security issues that could cause a crash and potentially allow an
attacker to take control of the affected system. This latest version
also includes an auto-updating mechanism designed to streamline the
deployment of Flash security fixes across multiple browsers.

See also:
Critical Security Update for Adobe Flash Player
http://krebsonsecurity.com/2012/03/critical-security-update-for-adobe-flash-player-2/

LinkedIn is a Hacker's Dream Tool
http://money.cnn.com/2012/03/12/technology/linkedin-hackers/index.htm

This article discusses a hot topic at RSA's security conference last
month, citing one case study in which "self-described 'hacker for
hire' Ryan O'Horo demonstrated how he used LinkedIn to get inside a
client's corporate network....O'Horo created a fake account on
LinkedIn, posing as a company employee. He stocked the profile with
realistic details - a plausible job history and skill set - plus a
few credibility-establishing flourishes like a membership in a local
hockey league. From his dummy account, O'Horo sent out 300 connection
requests to current company employees. Sixty-six were accepted.
Next, O'Horo requested access to a private LinkedIn discussion forum
the company's employees had created. The group's moderators granted
his request without ever checking a company directory to confirm his
identity. 'Now I had an audience of 1,000 company employees,' O'Horo
said. 'I posted a link to the group wall that purported to be a beta
test sign-up page for a new project. In two days, I got 87 hits - 40%
from inside the corporate network.'"

Attempts to Spread Mobile Malware in Tweets

http://www.symantec.com/connect/blogs/attempts-spread-mobile-malware-tweets   

Symantec reports that tweeting is proving a popular method to direct users to the
Android.Opfake malware. This post "describes a series of Russian and
English-language tweets discussing software, mobile devices and dieting
topics containing links to sites distributing the Opfake malware. One Twitter
campaign identified by researchers sent over 130,000 malicious tweets from
100 accounts. Several of the Twitter accounts have since been suspended and
Symantec said it is working with Twitter to disable accounts that are sending
out malicious links" [1].

[1] Cybercriminals Peddling Android Malware Through Twitter
http://threatpost.com/en_us/blogs/cybercriminals-peddling-android-malware-through-twitter-031212

Flashback Mac Trojan Horse Infections Increasing with New Variant

http://blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/

This Intego article is a follow-up to a post two weeks ago [1] regarding
a new variant of the Flashback trojan. Intego stated yesterday that they have discovered
a number of samples of this latest variant, Flashback.G, and have seen evidence that
many Mac users have been infected by this malware. The article includes details of
the behavior of the variant, notably that the trojan installs itself in an invisible file in
the /Users/Shared folder. Intego provides examples of forum logs from users having
trouble with certain applications crashing. In each case, a file in /Users/Shared is present. [1]

New Flashback Trojan Variant Uses New Delivery Method to Infect Macs  

http://blog.intego.com/new-flashback-trojan-horse-variant-uses-novel-delivery-method-to-infect-macs/

Intego reported a new method the Flashback trojan is using to infect Macs. The malware first tries to
install itself using one of two Java vulnerabilities. Since this latest variant is able to install itself on a
Mac with much more limited user intervention, there is no longer an installer or a request for a password.
If these vulnerabilities are not available, it falls back to social engineering: the
applet displays a self-signed certificate, claiming to be issued by Apple. Most users won't understand
what this means, and click on Continue to allow the installation. "Found in the wild, this new variant
installs an executable file in the /tmp directory, applies executable permissions with the chmod command,
then launches the executable with the nohup command. The Flashback backdoor is then active with no
indication to users that anything has happened."

RealPlayer 15.02.71 Released to Address Critical Security Vulnerabilities

http://service.real.com/realplayer/security/02062012_player/en/

"RealNetworks has released an update to RealPlayer to close a number
of holes in its media player application. Version 15.02.71 of
RealPlayer addresses a total of seven remote code execution
vulnerabilities, rated as highly critical by Secunia, which could be
exploited by an attacker to compromise a victim's system.

Versions 11.0 to 11.1, 14.0.0 to 14.0.7 and 15.0.0 to 15.0.1.13, as
well as RealPlayer SP 1.0 to 1.1.5 are affected. The company advises
all users to upgrade to the current version" [1].

[1] RealPlayer Update Closes Critical Holes
http://www.h-online.com/security/news/item/RealPlayer-update-closes-critical-holes-1429639.html

HTC Android phones can leak Wi-Fi passwords

Exposed 802.1X credentials can be picked off by rogue applications
By Tim Greene, Network World
February 01, 2012 02:34 PM ET

A group of HTC Android phones is susceptible to an exploit that can steal Wi-Fi credentials and passwords and send them to attackers. The exploit relies on attackers creating rogue applications to take advantage of vulnerabilities in the Android build HTC uses on some of its phones, according to a post by the United States Computer Emergency Readiness Team (US-CERT).
Users with affected phones should go to HTC's support site for software updates, US-CERT says.


The affected Android builds expose 802.1X passwords to applications on the phones that have permission to access the Wi-Fi state of the phone. The flaw doesn't allow access to the 802.1X settings themselves, but it does allow viewing Wi-Fi credentials, according to a description of the flaw at the My War With Entropy blog by Bret Jordan.
So an application could gain access to stored SSIDs of Wi-Fi networks, user names and passwords. If the application also has Internet-access privileges, it could send the stolen credentials along to attackers.
If the stolen credentials are for corporate networks, they could be used to target data on those business networks, Jordan writes.

According to US-CERT, affected phones are:
• Desire HD (both "ace" and "spade" board revisions) - Versions FRG83D, GRI40
• Glacier - Version FRG83
• Droid Incredible - Version FRF91
• Thunderbolt 4G - Version FRG83D
• Sensation Z710e - Version GRI40
• Sensation 4G - Version GRI40
• Desire S - Version GRI40
• EVO 3D - Version GRI40
• EVO 4G - Version GRI40

HTC and Google were told about the flaw last September and have been working to fix the problem and arrange for public disclosure. Jordan describes the companies as responsive and good to work with.

Univ. of Hawaii Settles with 98,000 over Five Breaches

http://www.scmagazine.com/univ-of-hawaii-settles-with-98000-over-five-breaches/article/225158/

The University of Hawaii (UH) has settled a class-action data breach
lawsuit brought by nearly 100,000 students, faculty, alumni and
staff, according to the plaintiffs' lawyers. The suit relates to five
breaches in all, including one involving the inadvertent posting
online of personal information by a faculty member who accidentally
uploaded sensitive files to an unencrypted Web server. Details
included names, Social Security numbers, addresses, birth dates, and
educational data. In another incident, hackers gained access to a UH
at Manoa parking office computer server that contained the personal
data of 53,000 individuals, including 40,870 Social Security numbers
and 200 credit card numbers.
UH agreed to provide two years of credit and fraud protection
services as part of the agreement.

Victoria University's Hard Drives Found with Thieves' Note

http://www.cbc.ca/news/canada/british-columbia/story/2012/01/26/bc-uvic-data-theft.html

Earlier this month "computer devices" and a safe were stolen during a
weekend break-in at the University of Victoria. On Tuesday, a postal
worker found the hard drives and other computer devices in a green
garbage bag stuffed in a mailbox in a nearby suburb along with a note
from the thieves claiming that no information was "copied,
distributed or exploited."

Police aren't buying the apology and say that most of the information
on the hard drives was wiped clean. Also, the most important hard
drive that contained most of the personal information was not
recovered. The hardware contained unencrypted banking information and
social insurance numbers of up to 13,000 current and former
University of Victoria employees, and the police believe at least two
cases of bank fraud may have been linked to the theft.  

Multiple Vulnerabilities in Oracle JRE Java Platform

http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html

Multiple vulnerabilities have been discovered in the Oracle Java
(formerly known as Sun Java) Runtime Environment (JRE) that can be
exploited if a user visits or is redirected to a specifically crafted
Web page or opens a specially crafted file.

The most notable issue fixed in this release was the vulnerability
affecting the establishment of TLS/SSL connections [1]. The previous
release of Oracle Java JRE introduced a bug that prevented the proper
establishment of TLS/SSL connections when certain parameters were used.

This resulted in applications hanging due to Java incorrectly
throwing an IndexOutOfBoundsException or sending an unexpected extra
TLS/SSL packet in communications between server and client.

These vulnerabilities affect Oracle Java JRE 1.6.0_29, Oracle Java
JRE 1.5.0_32, and Oracle Java JRE 1.4.2_35. Users should update to
the latest version: 1.6.0_30. Please note that this update is not
part of the Oracle Quarterly Critical Patch Update. The last quarter
update was in October 2011. The next update is scheduled for January
10, 2012.

[1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725

See also for specific details of the other flaws fixed in this update:
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6761678
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6670868
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7041800
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6682380

New Java Attack Rolled Into Exploit Kits (Make sure you run your Java Updates!)

http://krebsonsecurity.com/2011/11/new-java-attack-rolled-into-exploit-kits/

"A new exploit that takes advantage of a recently-patched critical
security flaw in Java is making the rounds in the criminal
underground. The exploit, which appears to work against all but the
latest versions of Java, is being slowly folded into automated attack
tools. The exploit attacks a vulnerability that exists in Oracle Java
SE JDK and JRE 7 and 6 Update 27 and earlier. If you are using Java 6
Update 29, or Java 7 Update 1, then you have the latest version that
is patched against this and 19 other security threats."

Automated Skype Calls Spread Fake Anti-Virus Warning

http://nakedsecurity.sophos.com/2011/09/19/automated-skype-calls-spread-fake-anti-virus-warning-video/

Sophos reported a new scheme targeting Skype users, who receive
unsolicited calls where an automated message warns that the
computer's security is not up-to-date. Clicking the link provided
directs the user to a Web site that offers its "Computer Protection
Service" for only $19.95 and attempts to obtain the user's contact
information. In addition to including a video showing the scam caught
on camera, this article reminds Skype users to protect themselves by
changing privacy settings so only users listed in one's contacts list
can initiate a call.

Facebook privacy: Uncovering 5 important settings

Facebook Pwn tool takes profile info, helps social engineers

A group of security researchers based in Egypt has created a tool that will make social engineering easier because it automates the collection of hidden Facebook profile data that is otherwise only accessible to friends in a user's network.

New Malware Continues to Steal TRU Credentials

During a recent evaluation of the FireEye 4000 intrusion detection/prevention system it was clearly shown that new forms of malware continue to infect TRU systems and export data. These types of malware are primarily designed to steal login credentials. TRU is currently in the process of evaluating IDS solutions and Trusteer Rapport as possible means of defeating these threats. Remember to always be cautious about the sites you visit and the emails you respond to.

Credential theft at TRU

Another Rash of "Who is Stalking Your Profile" Scams on Facebook

http://nakedsecurity.sophos.com/2011/07/22/facebook-profile-stalkers-exposed-no-its-a-rogue-application-spreading-virally/

Social Networking Scams:

'Enable Dislike Button' scam spreading on Facebook
http://www.zdnet.com/blog/security/enable-dislike-button-scam-spreading-on-facebook/8655

"Why are you tagged in this video?" Facebook Scam
http://nakedsecurity.sophos.com/2011/05/16/why-are-you-tagged-in-this-video-its-a-viral-facebook-scam/

"Visit the New Facebook" Scam
http://nakedsecurity.sophos.com/2011/05/16/visit-new-facebook-hacker-warning-spreads-like-wildfire-on-social-network/

The top 50 passwords you should never use