Drew Houston, 28, chief executive and co-founder of Dropbox, last fall pocketed $250 million from seven of Silicon Valley’s top venture capital firms. That eye-popping sum pegged the value of his company at $4 billion and his own net worth — at least on paper — at an estimated $600 million. (Matt Staver, Bloomberg / July 6, 2011)

Read the full store here in LA Times: http://www.latimes.com/business/la-fi-dropbox-20120115,0,6541893.story

SophosLabs: Have you been told to verify your Hotmail account? Did you receive a message saying that Hotmail’s email servers were congested, and so they were removing all unused accounts?

If so, I hope you responded to the email with a roll of the eyes and a quick stab of the delete button. Because if you didn’t, you might have been at risk of having your login credentials stolen.

Thanks to the reader, who forwarded us the following phishing email that he and others received, posing as communication from Hotmail:

Part of the email reads:

We are upgrading our database to serve you better. Due to the congestion in our E-mail servers there would be removal of all unused Hotmail Account. You will have to confirm if your E-mail account is still active by filling out your information below after clicking the reply button

The email then requests that you reply with your Hotmail username, password, date of birth and country. Of course, doing so puts vital information right into the hands of the cybercriminals.

It looks like the bad guys have had some problems in the past though, with victims handing over incorrect information (how typical!):

Ensure every detail requested above is provided correctly upon receipt of this notification to enable the upgrade. Incomplete details and wrong passwords forwarded will result in suspension or closure of your account for security reasons.

The fact is, of course, that the email isn’t from Hotmail, and they would never ask you for your password. Although a simple phishing scam like this can be obvious to those of us who work in the field of computer security, there are plenty of less-savvy people out there who might be fooled into responding – and hand over the keys to their account.

No, it’s a scam you want to avoid. Share the knowledge with your friends!

Credit to Norman Security for sharing

H-Security: Version 17 of Chrome has been released into the WebKit-based browser’s Beta channel. Its developers say that the new Chrome beta, version 17.0.963.26, is focused on improving two of the browser’s core principles: speed and security.

To make Chrome “go even faster”, some web pages will start loading in the background before a user has even finished typing a URL into the Omnibox address and search bar. To reduce the time between a user pressing enter and the page being fully loaded, Chrome will pre-render some pages if the URL auto-completes to a site a user is likely to visit. According to Google Software Engineer Dominic Hamon, this will, in some cases, cause pages to appear “instantly”.

With version 17, Chrome’s Safe Browsing technology has been extended to protect against malicious downloads by analysing executable files, including Windows .exe and .msi files. So, if a user visits a web site and is tricked into downloading, for example, a fake anti-virus product, Chrome will issue a warning if the file appears to be malicious and will advise the user to discard it. Further details about Chrome 17.0.963.26, which is available to download from dev.chromium.org, can be found in a post on the Google Chrome Blog.

The Chrome Team at Google has also updated the browser’s Stable channel to version 16.0.912.75, closing three high risk security holes. These include a use-after-free in animation frames, a heap-buffer-overflow in the libxml software library, and a stack-buffer-overflow in glyph handling.

As part of its Chromium Security Rewards programme, Google paid security researchers a total of $2,000 for discovering and reporting the holes. As usual, further details of the vulnerabilities are being withheld until “a majority of users are up-to-date with the fix”. Chrome 16.0.912.75 is available to download from google.com/chrome; alternatively, users who currently have Chrome installed can use the built-in update function.

SophosLabs: Microsoft’s Ryan Gavin announced a new strategy to keep the web safe… Keep your Internet Explorer up to date.

It is great news for Windows users who don’t appreciate the importance of staying up to date.

Microsoft has been struggling with browser stragglers for years. They even ran their own campaign comparing IE 6 to spoiled milk including shameful infopr0n.

Old versions of IE leave a considerable number of users vulnerable to old exploits, or in their parlance easy targets.

If Microsoft updates everyone’s browser how will companies like Google have their “Aurora” moments?

While bringing everyone up to Internet Explorer 9 is a great initiative, and doing so automatically will help things along, there are still some big issues ahead for Microsoft.

Their new policy seems to rest somewhere between Google Chrome’s “You don’t know it but you just upgraded major versions” and Mozilla Firefox’s “You know that our weekly major revision is available, would you like it now? Would ya? Please?”

This could be a big problem for some enterprises that followed Microsoft’s advice 10 years ago and adopted a fully-integrated, Active-X, .aspx, optimized for Internet Explorer 6 (or 7!) internal web application.

Most organizations that use Internet Explorer are stuck on older versions because of IE-only proprietary code, and the fact that you can only have one version of Internet Explorer installed at the same time.

It only takes one application. Which is why Microsoft introduced the Internet Explorer 8 and 9 upgrade blocker. This allows you to stay as stale as Internet Explorer 7 if you wish.

Australians and Brazil will be the first to see the automatic upgrades in action, and users who have already said no to IE 8 or 9 will remain at their current version.

Good news for web developers, good news for security and most of all a demonstration of why open standards are such a good idea.

We could all be running Chrome 36 if it wasn’t for that darned Active-X control for Accounting…

The H-Online: The first patches for the zero-day flaw in Adobe’s Acrobat and Reader applications, which the company confirmed was being exploited in the wild, have been released. The initial problem was caused by a memory corruption when processing Universal 3D (U3D) files, which could allow attackers to potentially take control of an affected system. The patches released also address a newly revealed critical flaw (CVE-2011-4369) which can cause memory corruption when processing Product Representation Compact (PRC) 3D files.

Adobe has now released updates for Adobe Reader 9.x for Windows and Acrobat 9.x for Windows. The updates can be installed by selecting Help ➤Check for Updates in either application. Manual downloads for Reader 9.4.7 and Acrobat 9.4.7 are also available. Adobe is not releasing updates for Reader X or Acrobat X at this time because it says the defensive technologies added to those products stops any exploitation of the flaws. It will be releasing fixed versions of those applications as part of the next quarterly security update on 10 January 2012, along with updates for the Unix and Mac OS X versions.

Adobe suggests that users of Reader and Acrobat X should verify the defensive mechanisms are enabled. In Acrobat X a user should go to Edit ➤ Preferences➤ Security (Enhanced) and make sure that “Enable Enhanced Security” is checked along with either “Files from potentially unsafe locations” or “All files”. Adobe Reader X users should go to Edit ➤ Preferences ➤ General and ensure that “Enable Protected Mode at startup” is checked.

SophosLabs: Visa is investigating a potential security breach that may have compromised payment cards of Eastern Europeans.

Although Visa hasn’t disclosed which countries were hit, the Romanian state-owned CEC Bank has blocked and reissued 17,000 cards on suspicion that they had been compromised.

CEC Bank said in a statement that “a number” of cards issued by banks both in Romania and abroad might have been compromised via an international database.

Here’s an excerpt from the statement, translated into English from Romanian by v3.co.uk:

The bank has been informed that a number of cards issued by banks in Romania and abroad have been potentially compromised through an international database. CEC Bank has decided to block the cards and reissue a new card and PIN, at no cost, for a number of cards in its portfolio 

This attack did not target CEC Bank’s cards alone and was not due to any bank vulnerability. Our clients’ money is safe.

Visa pinned the problem on a European payment processor and issued this statement:

Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway. We are working closely with our member banks to ensure cardholders are protected.

In his report on this incident, v3′s Phil Muncaster pointed to a warning earlier this month from Trend Micro regarding a basic design flaw in some implementations of the 3D Secure protocol – aka “Verified by Visa” and “MasterCard SecureCode” – that could allow crooks to conduct ID fraud on some Visa cards.

The potential security hole in 3DS is a result in a weakness in the password reset process of some system versions, Trend Micro’s Rik Ferguson explained the flaw on his CounterMeasures blog:

If you are making a purchase through a merchant that is subscribed to the program, you will be redirected, during the payment phase, to a 3DS verification page. On this page you confirm the details of the transaction, enter your password and hey presto, the transaction is complete. So far so good, the merchant never sees my password, no transaction with that merchant can be completed without it and I’m protected, but…

He then goes on to describe the password reset link, finding that three of four pieces of information used to verify identity – cardholder name, expiration date and signature panel code – are all contained in the card itself, either embossed or printed and contained in the magnetic stripe data.

The fourth piece of information, cardholder date of birth, would be drop-dead easy to track down, he says:

Trouble is, it’s information that is not only widely shared on social networks, surveys, sign-up forms and a myriad of other places, but also freely available in public records. We cannot and should not consider our date of birth to be a secret.

The Eastern Europe breach and the 3DS flaw are spelling one headache-y month for Visa so far. Yikes, now all the company needs is for the EU to contemplate carving away at its profits with big fines for privacy breaches or something like that.

But wait, that’s exactly what the EU is mulling!

The way the Financial Times reads it, the proposed rule, slated to be introduced in January, will impact social media most sharply, serving as a significant tool to boost the EU’s powers when it comes to combating data protection breaches.

But it will be interesting to see what happens (if in fact the rule doesn’t get watered down to pointlessness, that is) in cases such as credit card payment breaches like the one Visa is now investigating, if it turns out that Visa or its payment processor was treating customer data with anything less than kid gloves.

I would like to invite you to join my forum, its a small forum for now but by the time it will get better, a link to my forum is available in in my TechBlog, LifeBlog or in my site, feel free to join and express yourself in whatever you like, feel free to post whatever you like except advertisement, Thanks!

Thank you for joining in advance
-Omid

Also posted in Omid’s LifeBlog

The message links to a video posted on a Youtube-like website, which suggests that the user update the browser with a bogus ActiveX object. The malware’s authors also went one step further in making sure the video landing page looks as legitimate as possible:

This download is actually Backdoor:Win32/Caphaw.A, a sophisticated firewall-bypassing backdoor armed with almost everything. It installs an FTP server, a proxy server, and a keylogger on the computer. It also has built-in remote desktop functionality based on the open source VNC project. We received a report that a user found this in his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened.

The backdoor “calls home” to domains such as commonworld[removed].cc or web[removed]es.cc to get the data that it posts on the friends’ Facebook walls. Its main module, in the meantime, is hosted on [removed]youtube.com.

The good thing to do when spotting such fishy wall posts is to warn your friends whose accounts have been compromised. You can mark the message as spam to help prevent others from downloading the backdoor; Facebook is quite diligent about filtering these posts once they have been reported.

The presence of this threat on your computer threatens your whole online identity, so we recommend that you change the passwords to all of your sensitive accounts – email, online shopping, and online banking, for example. And while you’re at it, remind your affected friends to change their Facebook passwords, too.

Finally, scan your machine with an up-to-date antivirus solution to remove this malware from your computer.
Here are some SHA1s of files detected by our products as Backdoor:Win32/Caphaw.A:

• c10ad13419ea44ba85cd8e83e2cd7ac8313e91de
• 54d9f40156cc4a2561252f8ad30b4afdcc5e93b4
• ebbd8790eab8a9822a80c2afaa575a4b2c2f3b55

Protect the Internet

Help us stop the Internet Blacklist Legislation

Mozilla: On November 16^th, Congress holds hearings on the first American Internet censorship system. This bill can pass. If it does, the Internet and free speech will never be the same.
Join us to stop this bill.