Internet Providers Launching Copyright Alert System Today to Warn Customers About Downloading Content

Five of the United States’ largest Internet service providers are launching today what they call a new system that will “educate” customers about downloading copyrighted content by issuing warnings instead of lawsuits. The program, called the Copyright Alert System, is a creation of the Internet providers and the trade associations representing the film and music industries, and is designed to reduce the amount of content obtained via file-sharing services such as BitTorrent.

Comcast, Verizon, AT&T, Cablevision, and Time Warner are all participating in the program, meaning that the so-called “six strikes” system will apply to most U.S. households with a broadband Internet connection. The trade groups involved include the Recording Industry Association of America and the Motion Picture Association of America, along with their member corporations.

Under the system’s rules, customers found to have downloaded copyrighted content without paying will be issued a series of warnings, along with an increasing chance that their Internet service will be throttled. Customers who receive those warnings may also find themselves suddenly redirected to a website scolding them for their downloads.

Users who receive these warnings may also find themselves blocked from certain “frequently visited” websites, according to documents about the plan obtained last year by Torrent Freak, a website that reports on news about file-sharing. The Copyright Alert System was originally supposed to launch last November, but was delayed until today.

The documents also state that content owners and ISPs could pursue legal action after the fifth warning, though for the most part, the Copyright Alert System is designed to be an extrajudicial program set up by Internet and entertainment companies.

Warnings, the system’s website advises, are issued when content owners identify which Internet Protocol addresses are sharing copyrighted material and turn those addresses over to the service providers, who in turn identify the associated customer. The warnings can be challenged via the American Arbitration Association, which charges a filing fee.

Security Updates and Important Information

Mandiant Releases Report On Chinese “APT1” Group

Incident response company Mandiant released on Tuesday a groundbreaking report citing highly detailed evidence for its claim that the Chinese government, through Unit 61398 of the People’s Liberation Army, has been conducting systematic attacks on American interests, as well as those of other English-speaking nations around the globe, over the past 6 years. The report, which included domain names, IP addresses, SSL certificates, and MD5 sums of malicious binaries, has already caused a major political stir: the Obama administration is set to impose trade penalties for cybertheft, while the Chinese government denies any involvement.

Reference: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf

Schneider Electric IGSS Buffer Overflow

Independent researcher Aaron Portnoy recently discovered a set of vulnerabilities in the widely used Schneider Electric IGSS protocol, which could be remotely exploited for full administrative privileges on target systems. The vendor has since issued a patch, and users of these systems are strongly encouraged to both apply the patch and to ensure that all electrical infrastructure is appropriately firewalled from the Internet.

PDF 0-day Being Exploited In The Wild

Adobe confirmed last week that a pair of new exploits targeting Acrobat Reader were being used in the wild; as of the time of writing, no patches had yet been released. The exploits were particularly nefarious in that they used a brand-new ROP-based technique to escape Reader’s sandbox, which Adobe designed to mitigate the impact of exactly this kind of vulnerability. Users are urged to be extremely cautious when opening PDF documents from any source.

USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Detailed analysis for MS12-081:
http://blog.ptsecurity.com/2013/02/surprise-for-network-resources-from.html

TeamViewer authentication protocol:
http://blog.accuvantlabs.com/blog/bthomas/teamviewer-authentication-protocol

iOS 6.1 hack allows lock screen bypass:
http://thehackernews.com/2013/02/ios-61-hack-allows-iphone-lock-screen.html

FROST: Forensic Recovery of Scrambled Telephones:
https://www1.informatik.uni-erlangen.de/frost

Cyber attacks against Uighur Mac OS X users intensify:
https://www.securelist.com/en/blog/208194116/Cyber_Attacks_Against_Uyghur_Mac_OS_X_Users_Intensify

Practical identification of SQL injection vulnerabilities:
https://www.us-cert.gov/reading_room/Practical-SQLi-Identification.pdf

Targeted ‘phone ring flooding’ as a service going mainstream:
http://blog.webroot.com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/

DDoS attack on bank hid $900,000 cyberheist:
http://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/

iOS 6.1 hack lets users see your phone app, place calls

Some sleight of hand will allow iOS 6.1 hackers to access your phone application, listen to your voice mails, and place calls.

A YouTube video showing users how to “bypass iPhone 5 passcode” on Apple’s latest iOS releases, including iOS 6.1, has been published. The person who uploaded the video shows how anyone can access the phone application on a passcode-protected iPhone.

In order to achieve the hack, users must come close to turning off the iPhone, place an emergency call, and keep their finger on the power button. We were able to re-create the hack with ease, and the YouTube user who uploaded the video provided step-by-step directions.

“For prank[ing] your friends, for a magic show. Use it as you want, at your own risk, but…please…do not use this trick to do evil,” “videosdebarraquito” posted on the YouTube page.

Apple said it is at work on a fix to the issue, but that it will require a software update.

Remote Controlled: Mobile Backdoor Spotted

Reports of a smartphone botnet with over a million bots confirm how varied mobile threats have become. The fact that this malware can avoid detection and lead to further infections makes the discovery more troubling.

Access Through Fake Apps

Malware such as ANDROIDOS_KSAPP.A came from a third-party app store, repackaged as gaming apps. Once installed, these malicious apps download and analyze a script from remote sites. The script contains commands that a remote attacker can execute on the affected device. The malicious apps can also expose devices to further infection via notifications and pop-up windows that prompt you to install other, possibly malicious, files.

More Sophisticated Malware

What makes this particular malware notable is its ability to analyze the downloaded script and equip itself with new ones. It can update its script to avoid antimalware detection, which makes it more sophisticated than typical Android malware with backdoor capabilities.

These refined routines follow a mobile trend we saw last year. Starting from social engineering baits, cybercriminals have since added newer attack methods. The discovery of the reported malware indicates that cybercriminals are continuously creating more complex malware to prey on mobile users like you.

Protecting Your Devices

Protect your mobile devices by scrutinizing each app before you download and install them. Cybercriminals often spoof popular apps to trick you into downloading malware. Reading app descriptions and reviews can help you sift legitimate from suspicious apps.

Installing a security app, if available, adds another layer of protection to your mobile device. Android devices have a good selection of security apps. iDevices have fewer options due to Apple’s reluctance to allow third-party developers to offer solutions. We believe this will change this year. The threats are growing and manufacturers need partners to ensure security. As Windows phones gain market share, solutions will be available for them as well.

Security Update Bulletin – Information on latest threats

Here’s a quick round-up of information we think you should know about:

  • New Ransomware and Phishing Variants Detected (January 31, 2013) Ransomware known as Police Virus carries more strength than previous versions of the malware, as it actually has the capacity to encrypt all data on infected machines. This variant disables regedit, task manager, and msconfig to further confound users. The malware tells users that because of a criminal offense, they must pay money or their computers will be encrypted. It spreads through malicious links, infected files, or drive-by downloads.
  • There has also been a surge in phishing emails that appear to come from FedEx. The messages tell recipients that because FedEx was unable to deliver a package, they must click a provided link to print a receipt to bring to their local FedEx office to retrieve the package. The link instead leads to a malicious site that infects their computers with a Trojan horse program. FedEx has posted a statement online warning of the scam and reminding people that the company “does not send unsolicited emails to customers requesting information regarding packages, invoices, account numbers, passwords, or personal information.”
  • A new nasty turn in the psychology the criminals are using in this campaign in Germany is to accuse the victim of having a system containing pictures of child pornography and then subsequently displaying such material on the victim’s computer.
  • Mozilla says it will automatically disable all Firefox plug-ins with the exception of the most current version of Adobe Flash. Mozilla says the decision was prompted by security and stability concerns, particularly the risk of drive-by attacks. Blocked plug-ins will include up-to-date versions of Silverlight and Java. Currently, Firefox turns on click-to-play only for those plug-ins that are deemed unsafe or seriously out-of-date. Chrome and Opera offer click-to-play, but users must enable the feature themselves. [We think this is a gutsy move by Mozilla, hopefully the user base will not rebel. Users need some help with the silliness of allow-everything by default: Average people are their own system administrators and the complexity of updating even legitimate third-party apps (insecure by negligence, not malice) is ridiculous.]
  • PayPal has fixed a SQL injection vulnerability in its e-commerce website application that could have been exploited to compromise company databases and steal sensitive information. PayPal awarded a US $3,000 bounty to the organization that discovered the flaw and alerted the company to its existence in August 2012. (January 30, 2013)
  • Universal Plug-and-Play Security Vulnerabilities Prompt Recommendation to Disable the Technology (January 29, 2013) Researchers have found three sets of vulnerabilities in the universal plug-and-play (UPnP) component that allows devices to detect and communicate with each other over networks. The flaws could be exploited to steal passwords and documents and to hijack webcams, printers, and other Internet-connected devices. The US Department of Homeland Security’s (DHS) US-CERT has issued an advisory on the matter. UPnP is most commonly used in SOHO configurations. While it may be used internally by enterprises, it is rarely exposed to the Internet by enterprises. This feature is a hole in firewalls and has been associated with vulnerabilities for a long time. While the vulnerability is pervasive, the threat and risk have been low.
  • More Headaches for Java (January 30, 31, & February 1, 2013) Apple has blocked Java completely in OS X 10.6 and above. Other companies are taking steps to protect their users from Java as well; virtually all plug-ins will be blocked in Firefox (see above). Oracle admits that there are serious problems with Java, but says that those problems lie with the Java browser plug-ins and that server-side, desktop, and embedded Java are not vulnerable to the same attacks.

Finally, some good news:

The FBI has arrested a California man in connection with numerous instances of cyberextortion in which he threatened to post compromising pictures of women whose social networking accounts he had hijacked. Investigators believe that Karen “Gary” Kazaryan had more than 350 victims between 2009 and 2011. A recently unsealed indictment charges Kazaryan with 15 counts of computer intrusion and 15 counts of aggravated identity theft.