SECURITY WARNINGS & Notices - Please post them here

[CharleyO]

***

6.46 million LinkedIn passwords leaked online

More than 6.4 million LinkedIn passwords have leaked to the Web after an apparent hack. Though some login details are encrypted, all users are advised to change their passwords.
A user on a Russian forum has claimed to have downloaded 6.46 million user hashed passwords from LinkedIn.

It looks as though some of the weaker passwords — around 300,000 of them — may have been cracked already. Other users have been seen reaching out to fellow hackers in an apparent bid to seek help in cracking the encryption.

Finnish security firm CERT-FI is warning that the hackers may have access to user email addresses also, though they appear encrypted and unreadable.

http://www.zdnet.com/blog/btl/646-million-linkedin-passwords-leaked-online/79290


***

[CharleyO]

***

The world's worst password requirements list

The Attorney General of Texas Child Support website has the worst set of password requirements I've ever seen.

Here's another bad password policy, courtesy of TechRepublic:

... here's ING's 4-digit PIN login:

 This one from the US Citizenship and Immigration Services site is very similar to the Texas one.

Is there a consultant somewhere telling state and federal governments how not to do passwords?

Please click the below the link to see explanations of the above statements.

http://kottke.org/12/06/the-worlds-worst-password-requirements-list


***

[CharleyO]

***

Facebook Security Team Warns Users About DNSChanger Malware

The security team at the world’s most populace social network over in Palo Alto, Calif., finally addressed the thorny issue of the DNSChanger malware to its users in a blog post on the Facebook Security page yesterday.

To the uninitiated, DNSChanger started popping up in security headlines earlier this year when it was targeted as part of an international botnet-takedown campaign dubbed "Operation Ghost Click." It has since proven itself to be a tenacious adversary with some in the industry believing that it may be impossible to completely scrub the Internet of DNSChanger.

... Facebook’s security team warns that users infected by DNSChanger will be shown ... warning message (which looks ominously similar to any number of Facebook scams) ...

Facebook notes that any individuals (not just those on Facebook) that fail to remove DNSChanger by the July 9th deadline may lose access to the Internet altogether.

You can find instructions on how to remove DNSChanger on the DCWG website ... http://www.dcwg.org/

http://threatpost.com/en_us/blogs/facebook-security-team-warns-users-about-dnschanger-malware-060512


***

[CharleyO]

***

Microsoft Patches Digital Certificate Issue Exploited by Flame

The minds behind the Flame attacks signed components of the malware with an unauthorized digital certificate to make it appear as though the code had been legitimately signed by Microsoft.

Microsoft issued an update June 3 to address a certificate issue exploited in the Flame malware attacks.

Flame, which was publicized by security researchers last week, is a cyber-espionage toolkit that incorporates a wide range of functionality, including intercepting Web traffic, recording audio and taking screenshots.

According to Microsoft, components of Flame were signed with an unauthorized digital certificate that chained up to a Microsoft sub-certification authority issued under the Microsoft Root Authority. This happened via the Terminal Server Licensing Service, which Microsoft operates to issue certificates to customers for "ancillary PKI- [public-key infrastructure-] based functions" in their enterprise.

By signing malware with fake certificates, attackers can trick browsers and applications into trusting malicious content, enabling activities such as phishing and man-in-the-middle attacks.

http://www.eweek.com/c/a/Security/Microsoft-Patches-Digital-Certificate-Flaw-Exploited-by-Flame-237271/?kc=EWKNLEDP06062012B


***

[Asyn]

6.46 million LinkedIn passwords leaked online

http://www.h-online.com/security/news/item/LinkedIn-passwords-in-circulation-Update-1612022.html
http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/
http://www.h-online.com/security/features/Comment-LinkedIn-and-its-password-problems-1612877.html

[AdrianH]

***

Microsoft Patches Digital Certificate Issue Exploited by Flame

The minds behind the Flame attacks signed components of the malware with an unauthorized digital certificate to make it appear as though the code had been legitimately signed by Microsoft.

Microsoft issued an update June 3 to address a certificate issue exploited in the Flame malware attacks.

Flame, which was publicized by security researchers last week, is a cyber-espionage toolkit that incorporates a wide range of functionality, including intercepting Web traffic, recording audio and taking screenshots.

According to Microsoft, components of Flame were signed with an unauthorized digital certificate that chained up to a Microsoft sub-certification authority issued under the Microsoft Root Authority. This happened via the Terminal Server Licensing Service, which Microsoft operates to issue certificates to customers for "ancillary PKI- [public-key infrastructure-] based functions" in their enterprise.

By signing malware with fake certificates, attackers can trick browsers and applications into trusting malicious content, enabling activities such as phishing and man-in-the-middle attacks.

http://www.eweek.com/c/a/Security/Microsoft-Patches-Digital-Certificate-Flaw-Exploited-by-Flame-237271/?kc=EWKNLEDP06062012B


***

http://www.pcadvisor.co.uk/news/software/3361791/microsoft-throws-kill-switch-on-own-certificates-after-flame-hijack/

Microsoft throws 'kill switch' on own certificates after Flame hijack.



(wondered why I got a Microsoft Update today)

[Asyn]

Microsoft Security Bulletin Advance Notification for June 2012
http://technet.microsoft.com/en-us/security/bulletin/ms12-jun

[Asyn]

Oracle Java SE Critical Patch Update Pre-Release Announcement - June 2012
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

[Dim@rik]

Flame

http://www.securelist.com/en/blog/208193566/Flame_Replication_via_Windows_Update_MITM_proxy_server

The Flame inside Stuxnet

http://www.securelist.com/en/blog/208193568/Back_to_Stuxnet_the_missing_link

[Asyn]

Microsoft Security Advisory (2719615)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
http://technet.microsoft.com/en-us/security/advisory/2719615

[Asyn]

Intel CPUs affected by VM privilege escalation exploit
http://www.h-online.com/open/news/item/Intel-CPUs-affected-by-VM-privilege-escalation-exploit-1616866.html
http://www.kb.cert.org/vuls/id/649219

[nadiepornadie]

I found this article about Flame Virus, URL: http://edition.cnn.com/2012/06/04/opinion/rushkoff-flame-virus/index.html

[Asyn]

Oracle warns EBS users of auto-update to Java 7
http://www.h-online.com/security/news/item/Oracle-warns-EBS-users-of-auto-update-to-Java-7-1618753.html
https://blogs.oracle.com/stevenChan/entry/bulletin_disable_jre_auto_update

[Asyn]

Firefox 13 tripped up by Flash patch
http://www.h-online.com/open/news/item/Firefox-13-tripped-up-by-Flash-patch-1619399.html

Edit: Fixed in FF 13.0.1

[Asyn]

Microsoft Security Advisory (2719615)
Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution
http://technet.microsoft.com/en-us/security/advisory/2719615

Exploit for unpatched IE hole released
http://www.h-online.com/security/news/item/Exploit-for-unpatched-IE-hole-released-1619732.html