Pondus
1581
Botnets on discount!
Creating a botnet has become insanely easy and cheap
http://blog.gdatasoftware.com/blog/article/botnets-on-discount.html
system
1582
New malicious email attachments come with accusations, threats
The latest social engineering trick to get victims to open malicious email attachments accuses them of being spammers and threatens to sue them if they don't stop. It's all in an attempt to get targets to open up the zip attachment by telling them it contains evidence of their spamming. Actually it's an .exe file that infects the machine but displays like a document.
The emails are dressed up to look like they come from real businesses that are upset because the recipient has been spamming them. “The emails even formally claims that legal action will be taken because of the spam you have sent,” says the blog.
http://www.networkworld.com/news/2011/092111-malware-251104.html
Asyn
1583
system
1584
I’m pretty sure nobody here would fall for it but I got an email purporting to be from Google about upgrading my gmail. The message was the following:
Dear Gmail Account User,
A DGTFX virus has been detected in your folders
Your email account has to be upgraded to our new
Secured DGTFX anti-virus 2011 version to prevent
damages to our email log and your important
files.
Click your reply tab, Fill the columns below and
send back or your email account will be terminated
immediately to avoid spread of the virus.
USER ID:
PASSWORD:
PHONE NUMBER:
DATE OF BIRTH:
Gmail Technical Team
Note that your password will be encrypted with
1024-bit RSA keys for your password safety to
avoid any unauthorized user.
It said it was from upgrade @gmail.com but a thorough inspection of the header revealed that it actually came from somebody in Romania since it had a .ro at the end of the address.
Asyn
1585
Asyn
1587
polonus
1588
Asyn
1589
Yes but sadly only for W7.
Chrome and Firefox use the Network Security Services (NSS), which only support TLS 1.0. Windows Vista, XP, 2000 and Server 2003 as well as Server 2008 are also incapable of using TLS 1.1 by default.
Asyn
1590
Dwarden
1591
i checked the manual edit, i must say it dont work because i can’t do it myself due to 'line max character limit)
if i just copy the actual line and change the order, i’m missing approx 50 characters over 1024
jeez who in these days have character limit …
Asyn
1592
system
1593
system
1594
Mozilla discussion here (about Java)
https://bugzilla.mozilla.org/show_bug.cgi?id=689661
I recommend that we blocklist all versions of the Java Plugin.
As far as I understand the situation, If all of these apply:
(1) The attacker can control the user’s network connection, and
(2) The attacker can perform DNS rebinding or similar
(3) The user loads any non-HTTPS page, or the user loads an HTTPS page controlled by the attacker
(4) The Java plugin is enabled
then, the attacker will be able to steal the user’s existing session cookies for any website, including any HTTPS website that the user visits, even when the cookies are marked Secure and HttpOnly. So, for example, the attacker would be able to steal the uesr’s Google mail cookie, Paypal cookie, bugzilla.mozilla.org cookie, mail.mozilla.com cookie, etc., allowing the attacker to log in as the user.
My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.
DavidR
1595
Seems lunacy, for firefox to drop JAVA (when many may not have it anyway) when essentially the vulnerability is in the SSL/TLS version used by the browser for secure communication. The vulnerable versions being SSL V3.0 and TLS 1.0. Surely they should be working towards firefox using TLS 1.1 and 1.2 of TLS that aren’t susceptible.
I also thought it was a specially crafted javascript and not JAVA that did the decryption, which is immaterial if version 1.1 and 1.2 of TLS aren’t susceptible, gear firefox up to use those versions.
Asyn
1596
For their chosen-plaintext attack on the Cipher-Block Chaining (CBC) mode that tends to be used with TLS, Rizzo and Duong have to bypass the browser's Same Origin Policy (SOP) so that they can communicate with servers outside of, for instance, the Java applet's domain.
Although the purpose of SOPs is to prevent exactly that, a previously undisclosed bug in Java appears to enable attackers to do so regardless. In the Firefox developers’ opinion, the onus is therefore on Oracle to solve the Java problem first. However, Oracle has so far failed to respond, which has prompted the developers to consider releasing an update that disables all Java plug-ins for security reasons.
http://www.h-online.com/security/news/item/Mozilla-considers-disabling-Java-in-Firefox-1351590.html
system
1597
David, I already disabled TLS 1.0 in the past once in Firefox >>> end result? … most secure sites don’t use TLS 1.1 and later, you get an error message and the sites won’t open.
DavidR
1598
Yes sites have to play their part too and update vulnerable SSL/TLS versions. Problem being the chicken and the egg, if browsers don’t give the option/work with the later TLS versions, then sites won’t bother either.
Disabling TLS 1.0 in firefox is a bit of a waste of time right now, as it would then fall back to SSL 3.0 which is also vulnerable. FF7 and below only have SSL3 and TLS 1.0 as the encryption protocol options.
system
1599
nope not here ;D that’s why I tried it a while ago, as I’m using FIPS settings as a basis in FF. SSL3 is disabled (not just from the advanced settings it’s not enough). So when I disabled TLS 1.0, I made the mistake to believe that 1.1 and later were present in FF, well they’re not. But they’re available in Windows for IE (TLS 1.1 and later). That’s were you can actually experiment and see that no site supports that, see screen shot with default settings.
DavidR
1600
Which is why I’m saying Mozilla needs to concentrate some effort in firefox having TLS 1.1 and 1.2 as options. Then at least when sites start to catch up their users have it as an option.
So it could at least be a selection preference TLS 1.2, drop to 1.1 and then to 1.0 if the site doesn’t have the higher level TLS support. Then if the user so chooses they can uncheck TLS 1.0 so they at least know that the site has a security weakness and choose if they want to enable 1.0 for that instance.
The problem is when they have no option at all when both versions in firefox are vulnerable.
However, all that said, I think that this really has had more headline grabbing attention when this isn’t going to be a very common occurrence. Plus no mention of what the users own security applications can do to block the specially crafter script to do the decryption. Not to mention the time it takes.
