Information Security Philippines

Two zero-day exploits for remote code execution flaws in Yahoo! Messenger’s Webcam application have been released.

One of the flaws is a boundary error in the Yahoo! Webcam Upload ActiveX control; the other is in the Yahoo! Webcam Viewer ActiveX control.

Yahoo! expects to have a fix for the flaws available soon.  The flaws have been confirmed in Yahoo! Messenger version 8.1.0.249 and may exist in other versions as well.

{Update: As of Friday, June 8, 2007, Yahoo! has already prompted yahoo messenger users to download and install a security upgrade to patch the security issue}

More info here on the Yahoo! ActiveX Flaw.

Attackers broke into the computer systems of web host company DreamHost and installed malware on hundreds of websites, including the official site of the Mercury music awards.

DreamHost said the intruder or intruders exploited a flaw in its web control panel software.

DreamHost has notified affected customers of the breach via email.

The attackers attempted to access the company’s central database and billing data, but no billing or credit card data were compromised in the intrusion.

DreamHost is responsible for more than 500,000 domains.  The intrusion affected approximately 3,500 FTP accounts; users were urged to change their FTP account passwords as soon as possible.

Read Dreamhost’s official statement on the breach

Hackers are developing increasingly stealthy techniques to evade detection.  The attacks place malicious code on web sites, then keep track of the IP addresses that have visited infected sites; if the same IP address attempts to view the malicious site again, benign content is offered in its stead.

The attacks are also capable of identifying “the IP addresses of web crawlers used by URL filtering, reputation services and search engines,” and serve legitimate content to avoid being identified as malicious.

Recent findings reveal that hackers have created a new class of highly evasive attacks which represent a quantum leap in terms of technological sophistication, going far beyond drive-by downloads and code obfuscation.

The combination of these evasive attacks with code obfuscation techniques significantly enhances the capability of sophisticated hackers to go undetected.

A follow-up study conducted by Finjan’s Malicious Code Research Centre warns of the growing presence of malicious code in online advertising.

More info at: VNUNet

Viruses and threats are changing.

They are now more dangerous than ever. They are more discreet. They are faster. They are frequently designed to steal confidential information or money. They can even be ‘tailor-made’ to target each victim.

Malware Radar is a revolutionary breakthrough scanning technology developed by Panda Software.  Malware Radar has found banks, Fortune 500 companies, small businesses, and even government agencies infected with hidden malicious programs actively stealing information despite being “protected” by what they thought were the best antivirus and Internet security measures available.

Fast, comprehensive, and easy to use:

•     Works online - nothing to install
•     Finds and completely removes hidden malware
•     Works with all antivirus and security programs (does NOT replace them)
•     Leaves no trace on system after scan
•     Produces full comprehensive reports on system vulnerabilities and malware found

Take Malware Radar for a spin to get an automated malware audit.

Executive Order No. 573 was issued by President Arroyo last October 26, 2006. E) 573 is meant to form an Anti-Fraud Task Force composed of the National Bureau of Investigation and the Philippine National Police and will be headed by Justice Secretary Raul Gonzalez.

The task force’s main objective is to strengthen Republic Act 8484, or the Access Device Regulation Act of 1998.

“The occurrence of credit card fraud is increasing and acquiring banks incur huge losses and suffer stunted credit card sales, ultimately threatening the survival of the credit card industry, including the negative repercussions in the domestic economy,” the President said.

This comes after the Credit Card Association of the Philippines (CCAP) appealed to Malacañang to give more teeth to its laws against fraudsters using illegally obtained information from credit cards.

The CCAP complained that most of credit card fraudsters were able to walk away and disappear after being caught because of the absence of guidelines to govern the implementation of the country’s anti-fraud laws.

Although credit card fraud is not as widespread in the Philippines as in other countries — constituting less than one percent of credit card transactions here — the CCAP said there was a need for safeguards because of the inadequate security features of most credit cards in the country.

Phishers have begun using SMS messages as an attack vector. Users have reported receiving SMS messages purporting to confirm that they have signed up for a dating service and notifying them they will be charged US$2 a day until they cancel the order at a certain web site. That site downloads a Trojan horse program onto their phones, allowing it to be controlled by the attackers. The practice has been dubbed SMiShing.
(more…)

Following the directions that come with mobile devices, such as phones and PDAs, to remove data before selling or recycling them is not enough to ensure the next person who holds the device will not be able to see your private information.

Data can still be retrieved from phones that have been reset. A security software company that purchased 10 used smartphones and PDAs on eBay found sensitive, personally identifiable information on nearly all of them.

The company plans to return all the phones to their original owners and has kept all the data it retrieved from the phones on a computer not connected to its corporate network.

Some companies have provided stronger data wiping functions in their newer devices.
http://www.theage.com.au/news/Technology/Software-Can-Resurrect-Cell-Phone-Info/2006/08/31/1156816976190.html
http://software.silicon.com/security/0,39024888,39161863,00.htm
http://www.vnunet.com/vnunet/news/2163176/pdas-sold-ebay-loaded-sensitive

The National Statistics Office and National Economic Development Authority are pilot agencies in the implementation of Executive Order No. 420 otherwise known as the Unified Multi-purpose Identification (UMID) system issued by President Gloria Macapagal Arroyo, directing government agencies under the executive branch to harmonize identification systems and adopt a uniform ID data collection and format.

According to Catalino G. de Gracia, Statistician II, of the local NSO UMID will give people easy access to government transactions. “It will start with the NSO and NEDA this year, then to all government agencies by January 2007 and eventually to the local government units”, he said. “It will not violate the individual’s right to privacy since it only ask the basic information about the person, similar to our Office or Government Security Insurance System(GSIS) ID cards”, he stressed.

(more…)

Global Security Week 2006, the week leading up to September 11th each year, is an opportunity to join forces with other security professionals worldwide and promote security to the masses. The theme for Global Security Week 2006 is identity theft. Find out about the truth behind the headlines. Is “phishing” a genuine threat? What are the banks doing about it? What can ordinary members of the public do about it? Participate in Global Security Week to help spread the word about identity theft and encourage ordinary law-abiding citizens to be on their guard.

http://www.globalsecurityweek.com/index.html

I recently came across emails that at first glance came from a local bank — PNB Philippine National Bank.

I know for a fact that it is a phishing scam since I don’t have a bank account with PNB

Click on the links below for a screenshot of the PNB Phishing emails.

PNB Phishing Email # 1

PNB Phishing Email # 2