Vulnerabilities


Qchex’s Fraud-Enabling Biz Gets FTC Smackdown

The Federal Trade Commission has charged those behind the shady online
check service Qchex with contempt, and wants daily fines imposed on
them until they give up the ghost. The group has launched a new site—a
Qchex clone—with the same questionable policies that made Qchex a
“dinner bell for fraudsters.” This has left the FTC fuming, and it
wants the site’s operators to quit helping criminals rip people off—now. Read the full article. [Ars Technica] Read the FTC complaint. 

Tips for Diminishing Botnet Attacks

Online,
the biggest battle these days is against botnets: networks of infected
computers which hackers can use — unbeknownst to the machine’s owner
— for online crimes including sending out spam or launching a denial
of service attack. The black-hat techniques
employed to snare users into a botnet web have evolved to a level that
makes them often undetectable by even the most sophisticated security
products. Combine that with a lack of user knowledge, and the threat of
infection becomes very high. Read the full article. [CSOonline.com]

Microsoft Finds Security Flaw in Google Chrome Frame

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections.


Under Fedora 12, users are able to install software from repositories without being prompted for root password. The undocumented change in Fedora 12 has caused consternation amongst Fedora users. The change is part of PolicyKit’s policy for desktop users and was made to make the system easier for desktop users. Read the full article. [The H Security] 

If the multibillion-dollar e-mail security industry has been built to
prevent information from seeping out through personal communication,
how is social networking in the workplace still going unchecked? After
all, consumer social apps such as Facebook and Twitter provide the same
information-leakage threat as unsecured, personal e-mail–possibly
more, thanks to the viral impact of broadcasting news tidbits to one’s
network of friends in real-time. Read the full article. [Forbes]

Hackers could one day turn
ordinary smart phones into “rogue” devices to attack major wireless
networks, Research In Motion’s security chief warned. Scott Totzke, RIM’s vice-president of BlackBerry security, said
hackers could use smart phones to target wireless carriers using a
technique similar to one used in assaults that slowed Internet traffic
in the United States and South Korea in July. Read the full article. [The Globe and Mail]

Authorities in the U.K. have arrested two people in connection with using a notorious Trojan in a scheme to steal online banking information. The man and the woman, both 20, were arrested by the Metropolitan Police Service in Manchester, according to police. The duo is accused of using the Zeus Trojan, also known as Zbot, in a plot to steal information. It is believed the Trojan was configured to record victim’s online bank account information and passwords, as well as credit card numbers and other information. Read the full article. [eWEEK]

An email which purports to
relate to a recent Apple retail transaction and asks for details of any
recent orders is out there. The email also carries a stuffed file.
This contains an ‘exe’ file which will only launch on a Windows machine. The email reads: “We recorded a payment request from ‘Apple Inc.’ to
enable the charge of $7,548.45 on your account.” Read the full article. [9to5Mac]

Mozilla will add a new lockdown feature to
Firefox 3.6 that will prevent developers from sneaking add-ons into the
program, the company said. The new feature, which Mozilla dubbed “component directory
lockdown,” will bar access to Firefox’s “components” directory, where
most of the browser’s own code is stored. The company has billed the
move as a way to boost the stability of its browser. Read the full article. [Computerworld]

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.