SSCC 58 – Coreflood, DSLReports, Sony, Stars and Ars Technica

Sophos Security Chet Chat logoPaul Ducklin joined me from Sydney this week as we both returned home from a long and rewarding trip to InfoSec Europe.

While the news has been dominated by the recent attack on Sony Computer Entertainment, we started off talking about the actions the US government took against the Coreflood botnet. The news was largely positive, but it does allow broadened powers for the police that include actions some feel could further harm the victims.

When the topic of DSLReports, Sony and other data leakage incidents came up, our conclusions were ultimately in alignment. While these incidents are important and may draw our attention to the problem, these losses are only a small part of what Paul likes to call the “death of a million cuts.”

On the topic of the supposed “Stars” virus, which Iran claims is a second stage Stuxnet virus, the conclusion was the same. Even if this “Stars” virus is real, and is a concern for Iran, in the meantime the rest of us are being hit with a barrage of cyber-crap that is having real impact on our lives.

No story is complete without some comment on Facebook and Chet Chat 58 is no exception. Aside from the usual list of attacks and scams, it appears that their DMCA takedown process and other pieces of their self-defense mechanisms are easily manipulated. Ars Technica’s Facebook page was arbitrarily deleted this week based on a DMCA claim that no one has yet been able to explain.

If you prefer a news summary for the week in text format, visit the Sophos Security News and Trends for the latest selected hot topics or subscribe to our weekly newsletter, Sophos eNews.

(28 April 2011, duration 18:37 minutes, size 12.6MBytes)

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 58.

Facebook comment-jacking? OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

Justin Bieber scam on FacebookIt’s starting to seem like Facebook can’t win against those who wish to use their service to scam, spam and simply cause trouble. Over the last day or so, a new type of attack has been spreading using the phrase “OMG! I Can’t believe JUSTIN Bieber did THIS to a girl”.

It leads to a page asking you to verify a simple math problem to “prevent bots from slowing down the site”. In actuality, it is another clickjack-type scheme in which you are asked to type the answer into a box.

Comment-jack security check

It doesn’t matter what you type, because it’s a social engineering trick. What you are actually typing is a comment that is used to share the link with your friends on Facebook. You can see the tooltip that says “Add a Comment” in the screenshot.

This bypasses Facebook’s recent attempt at detecting likejacking fraud. Links you comment on are not using the same mechanisms that Facebook is monitoring when you click “Like”.

Many moons ago, the first Facebook attacks started with illegitimate applications asking for permission to access your wall and spread their messages by spamming your friends through wall posts. While this worked well, it was a bit easy for Facebook to track down and remove the bogus apps.

Early in 2010 we saw the first attempts at likejacking. This technique involves layering one image over the top of a Like button and tricking the victim into clicking something that appears to play a video or a continue button, when in fact they are clicking the Like button hidden underneath.

Facebook Bieber scam wall post

More recently we have seen the attackers trying lots of new techniques. In the past few months we have seen them tagging people in photos they are not in to get you to click, inviting people to fake events and even making you an administrator of a Facebook page that isn’t yours.

While protecting yourself may not be as simple as not clicking anything that says “OMG!” that isn’t a bad start. Be skeptical, understand that messages from your friends may not in fact have been sent to you willingly, and if you are really tempted to click, take a short timeout to conduct a Google/Bing search.

As of the time of this writing some of the YouTube videos this scam leads to have been removed by YouTube. However, one video that is still working has over 525,000,000 views since February and thousands of comments in the last 24 hours — in other words, since this Facebook scam has been making the rounds.

To stay up to date on the latest threats, follow us on Facebook. For advice on how to configure your profile to protect your privacy check out our recommendations for Facebook settings.

Firefox 4 gets its first security update

Yesterday, five weeks after shipping Firefox 4, the Mozilla project published the new browser’s first-ever security update. The Firefox version number bumps up to 4.0.1.

The update fixes 50-odd bugs in total, amusingly including three fixes listed as specific to OS/2. Ironically, the latest official release of the OS/2 port of Firefox, dubbed Warpzilla, hasn’t yet reached version 4 – it’s still back at version 3.6.8.

The release notes for Firefox 4.0.1 are hard to find from the main page. (Browsing to doesn’t help, as this just redirects to the Mozilla page.) But if you know where to look, you’ll find that two critical security advisories are fixed in the 4.0.1 release.

MFSA2011-12 deals with memory corruption bugs in the browser engine itself; Mozilla experts officially opined that “with enough effort at least some of these could be exploited to run arbitrary code”. MFSA2011-17 deals with “two crashes that could potentially be exploited to run malicious code” in a graphics library called WebGLES, used by Firefox.

Because the 4.0.1 update addresses vulnerabilities that are considered remotely exploitable, we advise you to apply this update without delay.

The previous version, Firefox 3.6, also gets an update, moving to 3.6.17. This update also squashes some critical bugs, including the MFSA2011-12 memory corruption vulnerability affecting Firefox 4.

Two other critical vulnerabilities which don’t affect version 4 are fixed.

MFSA2011-13 deals with various “dangling pointer” bugs (a dangling pointer is a programming mistake in which a memory reference remains in use after the memory it points to has been returned to the operating system for re-use). MFSA2011-15 deals with a privilege escalation bug in the Java Embedding Plugin.

The MFSA2011-15 vulnerability is specific to the Mac OS X version of Firefox. Apple users who imagine themselves invulnerable simply by virtue of their choice of operating system, please take note!

There’s an update to Mozilla’s Thunderbird email client as well. Thunderbird moves to version 3.1.10.

Somewhat confusingly, the Thunderbird release notes don’t list any critical vulnerabilities fixed in this version, but the MFSA2011-12 advisory specifically states that the bugs it covers are “fixed in Thunderbird 3.0.10”.

If you’re a Thunderbird user, we advise you, too, to update as soon as you can.

#SecChat: A Live Twitter Chat

On Tuesday, April 26, Symantec hosted a live Twitter chat centered around our latest Internet Security Threat Report and the changing threat landscape. We’d like to extend a big thank you to those who participated and joined the conversation.

 Using the #SecChat hash tag in Twitter, we were able to guide a lively discussion around what’s top of mind with regard to the current security threat landscape for those of you in the security industry.

One aspect of the discussion focused on end-user security education and its importance, while others questioned whether dollars spent toward user education made any difference at all. We certainly heard all sides to the story. If there is anything people agree on it’s that the “user is like water, following the path of least resistance to their end goal,” in the words of one tweeter.

Those in support of end-user security education felt that, if it is done well, user education can make a measurable difference in an organization’s overall security posture. “We throw a ton of money at tools to try to solve what is basically user education issues,” said one tweeter. Another felt “employee education is often done really poorly and could be solved if you put $100,000 into security education.” Another tweeted and said “I’d be thrilled if we could teach users not to click on attachments.”

Others felt a hybrid approach is needed with a combination of education and security technologies. “If education is done well it can help. We still need to improve technology: people aren't perfect.”

On the other side of the aisle, we heard several say security education just doesn’t work, and it’s not nearly as fun. “It’s just really sexy to unbox a new IPS, it’s not as sexy to buy some pizzas and talk to your users about staying safe,” said one user. Another tweeted, “when was the last time you saw a security awareness video/program that didn't make you cringe?” This group favored technology over education. “I think the money should be put into active protection, not security awareness training.” Another tweeted, “weirdly, risk assessment done before and after employee education often yield no changes.” Another felt that “an employer not only needs incentive to educate, but likely wants measurable ROI too; two hurdles not always easy to overcome.”

As you can see, it was a great discussion!  As a company, we spend a lot of time and resources talking with customers and industry influencers to help us provide the solutions that meet real-life needs. We value these interactions and hope those who attended also took something meaningful from the conversation.

We plan to do more of these in the future, and we welcome additional participation. You can participate in the ongoing industry discussion by following the #SecChat hash tag on Twitter.