Posts Tagged ‘Hackers’

May 12th, 2010

Hacker Finds a Way to Exploit PDF Files without a Vulnerability

A security researcher has managed to create a proof-of-concept PDF file that executes an embedded executable without exploiting any security vulnerabilities.

The PDF hack, when combined with clever social engineering techniques, could potentially allow code execution attacks if a user simply opens a rigged PDF file.

Here’s the skinny from researcher Didier Stevens.
I use a launch action triggered by the opening of my PoC PDF. With Adobe Reader, the user gets a warning asking for approval to launch the action, but I can (partially) control the message displayed by the dialog. Foxit Reader displays no warning at all, the action gets executed without user interaction.

Although PDF viewers like Adobe Reader and Foxit Reader don't allow embedded executables (binaries and scripts) to be extracted and executed directly, Stevens found another route: a launch action (/Launch), which asks the viewer to run a command, combined with a special technique that ultimately runs an executable he embedded in the PDF.

Stevens said Adobe Reader will not run the launched file without first showing a warning dialog, but he cautioned that an attacker could use social engineering to talk users into clicking through it, all the more easily because part of the dialog text is under the attacker's control.

With Foxit Reader there is no warning whatsoever; the action runs as soon as the document is opened. Stevens has not released the proof-of-concept file. The issue has been reported to Adobe's security response team.

With Adobe Reader, the only thing preventing execution is a warning. Disabling JavaScript will not prevent this (I don’t use JavaScript in my PoC PDF), and patching Adobe Reader isn’t possible (I’m not exploiting a vulnerability, just being creative with the PDF language specs).

Stevens tested his research on Adobe Reader 9.3.1 (Windows XP SP3 and Windows 7).
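A scanner for the pattern Stevens describes, added here as an illustration rather than as Stevens' own proof-of-concept or tooling (his pdfid.py does this sort of keyword triage): it counts the action-related names in a PDF, un-escaping hex-encoded names so that /L#61unch is seen as /Launch, pulls the file name out of each /Launch action dictionary, and flags the combination of a Launch action with an open-time trigger (/OpenAction or /AA). SAMPLE_PDF is constructed for the example and is not Stevens' file; it has no cross-reference table and will not open in a viewer.

```python
import re
from typing import Dict, List

# Name objects whose presence makes a PDF worth a closer look. /OpenAction
# plus /Launch is the combination Stevens describes: an action that fires
# when the document is opened and asks the viewer to run a program, with no
# JavaScript and no memory-corruption bug involved.
SUSPICIOUS_NAMES = ("/OpenAction", "/AA", "/Launch", "/JavaScript", "/JS", "/EmbeddedFile")

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")
_HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    """Undo PDF name hex escapes so that /L#61unch compares equal to /Launch."""
    return _HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def count_names(pdf: bytes) -> Dict[str, int]:
    """Count occurrences of each suspicious name, after un-escaping."""
    counts = {name: 0 for name in SUSPICIOUS_NAMES}
    for m in _NAME_RE.finditer(pdf):
        name = normalize_name(m.group(0))
        if name in counts:
            counts[name] += 1
    return counts


def _enclosing_dict(text: bytes, pos: int) -> bytes:
    """Slice the innermost << ... >> dictionary that contains offset pos."""
    stack = []
    for m in re.finditer(rb"<<|>>", text[:pos]):
        if m.group(0) == b"<<":
            stack.append(m.start())
        elif stack:
            stack.pop()
    if not stack:
        return b""
    start, depth = stack[-1], 0
    for m in re.finditer(rb"<<|>>", text[start:]):
        depth += 1 if m.group(0) == b"<<" else -1
        if depth == 0:
            return text[start:start + m.end()]
    return text[start:]


def launch_targets(pdf: bytes) -> List[str]:
    """Return the /F file name of every /Launch action dictionary found."""
    # Un-escape names in a working copy so obfuscated dictionaries still match.
    text = _NAME_RE.sub(lambda m: normalize_name(m.group(0)).encode("latin-1"), pdf)
    targets = []
    for m in re.finditer(rb"/S\s*/Launch\b", text):
        action = _enclosing_dict(text, m.start())
        f = re.search(rb"/F\s*\(([^)]*)\)", action)
        targets.append(f.group(1).decode("latin-1") if f else "<no /F string>")
    return targets


def triage(pdf: bytes) -> dict:
    counts = count_names(pdf)
    targets = launch_targets(pdf)
    fires_on_open = counts["/OpenAction"] > 0 or counts["/AA"] > 0
    return {
        "counts": counts,
        "launch_targets": targets,
        # Flag the Stevens pattern on its own: a Launch action wired to an
        # open-time trigger. Whether JavaScript is present is irrelevant here.
        "suspicious": bool(targets) and fires_on_open,
    }


# Constructed sample: the object layout of a launch-on-open PDF. It has no
# xref table, so a viewer will not open it; it exists only to exercise the
# scanner. /L#61unch is /Launch written with a hex escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /L#61unch /Win << /F (calc.exe) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run it as a script to print the triage result for the sample. Keep its limits in mind: this is a byte-level heuristic that neither decompresses object streams nor decrypts encrypted documents, so a clean result says little, and a name that happens to appear inside stream data is counted as if it were an object.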

March 20th, 2010

Think Before You Download on Internet

Are you downloading your favourite game, or an application that lets you share pictures, videos and information? These days, gaming companies and individual developers are releasing plenty of unique and interesting downloadable applications, but you need to make sure you are not inviting a virus onto your handset. Internet and mobile applications that are signed and certified can be trusted to come from the publisher named in the certificate; uncertified ones give you no such assurance and can put the data on your handset at risk.

Worms, trojans, viruses and hackers no longer threaten just your home PC or laptop. According to Trend Micro, an Internet security firm, cyber crooks are on their way into your pocket. The popularity of smartphones like the BlackBerry, iPhone and the emerging Droid is booming, and that makes them a lucrative target for cyber crooks.

The possibility of someone hacking a cellphone became public knowledge when Paris Hilton's mobile was hacked. Unfortunately for her, the numbers of all her celebrity friends were also posted on the Internet, resulting in a barrage of calls to each of them. This was one of the most publicised cases of phone hacking in which personal information was extracted from a handset.

The ingenuity of cyber criminals in coming up with new social engineering angles seems endless. Mobile worms and viruses are similar to those that infect PCs: an unsuspecting user is tricked into installing a harmless-looking file that infects the device and then seeks out additional phones to target, often disrupting the phone's operation along the way.

What can a mobile hacker do? Quite a lot. Depending on intent, their main targets are:

Steal your number: your phone number can be obtained by hacking, which lets the attacker make calls that are charged to your account.

Extract your information: mobile hacking lets an attacker contact your cellphone without your knowledge and download your address book and whatever else you keep on the phone. Many hackers are not content with just taking your information; some will change all your stored numbers as well, so keep a backup of your data somewhere. What you have to do is ensure the handset is protected against malware. Here are some quick and easy points to keep in mind when downloading applications onto a mobile phone.

First, identify the source you are downloading the application from. A generic community site with no identifiable owner cannot be contacted or held to account; for example, download.com is the worst place to get software from. You can download applications like our P2P software onto your mobile.

Check the software for a security certificate, and try not to use any unsigned application. Look for third-party signatures from VeriSign, Symbian or Sun; the absence of a trusted signature should make you treat the application as dangerous. The only warning you will get otherwise is the one shown when you install and load the application. So, stick to trusted applications.

Once the signature is there, visit the publisher's site to verify the application you have downloaded. Check for warnings, known bugs and the functions it provides. This helps you understand the resources the application will take, such as memory and CPU. Applications like file sharing and VoIP use core OS functionality, and a bug in such an application can disrupt other functions of the phone.

Social media applications that fetch files can also bring a virus-infected file onto your handset. In that case you should have anti-virus software installed, or the application should check the type of the content before it allows the download. Note that the MIME type a server declares is set by whoever controls that server, so a check that trusts the Content-Type header alone is easily bypassed; inspecting the downloaded bytes themselves is the stronger test. Either way, protect your handset with anti-virus software so that even if you do download an untrusted application by chance you have a safety net; security vendors like Trend Micro and McAfee have anti-virus solutions for handsets.

Check your data plan before you start using an application that performs data transfers. An application like mBit p2p can generate huge data transfers. Get in touch with your carrier's customer care, tell them which application you intend to use, and ask them to identify an appropriate plan for it.
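An added example of the content check mentioned in the step about social media applications, not code from this article or from any vendor: the downloader compares the server's declared Content-Type with what the first bytes of the blob actually are, because the header is chosen by the remote server while the magic bytes are not. The magic-byte table, the allowed media set and the sample blobs are constructed for the example.

```python
from typing import Optional, Tuple

# Leading bytes that identify common containers. Constructed for this example;
# a production sniffer covers far more types and checks offsets beyond zero.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png", False),
    (b"\xff\xd8\xff", "image/jpeg", False),
    (b"GIF87a", "image/gif", False),
    (b"GIF89a", "image/gif", False),
    (b"%PDF-", "application/pdf", False),
    (b"PK\x03\x04", "application/zip", True),   # also JAR/APK: can carry code
    (b"MZ", "application/x-msdownload", True),  # Windows executable
    (b"\x7fELF", "application/x-elf", True),
    (b"#!", "text/x-script", True),
]

ALLOWED_MEDIA = {"image/png", "image/jpeg", "image/gif"}


def sniff(data: bytes) -> Tuple[Optional[str], bool]:
    """Identify content by its leading bytes: (mime type or None, is_executable)."""
    for magic, mime, executable in MAGIC:
        if data.startswith(magic):
            return mime, executable
    return None, False


def check_media_download(declared_type: str, data: bytes, allowed=ALLOWED_MEDIA) -> Tuple[str, str]:
    """Decide whether a downloaded blob may be saved as media on the handset.

    declared_type is the Content-Type header the remote server sent. It is
    chosen by whoever controls that server, so it is reported but never
    trusted; the verdict rests on the bytes.
    """
    declared = declared_type.split(";")[0].strip().lower()
    sniffed, executable = sniff(data)
    if executable:
        return "block", f"executable container {sniffed} served as {declared}"
    if sniffed is None:
        return "block", f"unrecognised content served as {declared}"
    if sniffed not in allowed:
        return "block", f"{sniffed} is not an allowed media type"
    if sniffed != declared:
        return "allow", f"content is {sniffed}; header said {declared}"
    return "allow", sniffed


# Constructed samples: a JPEG header, then a ZIP/JAR header and a Windows
# executable header that a hostile server labels as images.
SAMPLES = [
    ("image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("image/jpeg; charset=binary", b"PK\x03\x04\x14\x00\x00\x00"),
    ("image/png", b"MZ\x90\x00\x03\x00"),
    ("application/pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for declared, blob in SAMPLES:
        print(declared, "->", check_media_download(declared, blob))
```

The PDF sample is blocked not because it is hostile but because a media downloader has no business saving document types it was not built to handle; keeping the allowed set small is the point.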

Follow these simple steps and you'll have a happy downloading session. Treat your smartphone like a laptop or computer, not a landline phone.

January 22nd, 2010

If Your Password Is 123456, Just Make It HackMe

Back at the dawn of the Web, the most popular account password was “12345.”

Today, it’s one digit longer but hardly safer: “123456.”

Despite all the reports of Internet security breaches over the years, including the recent attacks on Google’s e-mail service, many people have reacted to the break-ins with a shrug.

According to a new analysis, one out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like “abc123,” “iloveyou” or even “password” to protect their data.

“I guess it’s just a genetic flaw in humans,” said Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”

Mr. Shulman and his company examined a list of 32 million passwords that an unknown hacker stole last month from RockYou, a company that makes software for users of social networking sites like Facebook and MySpace. The list was briefly posted on the Web, and hackers and security researchers downloaded it. (RockYou, which had already been widely criticized for lax privacy practices, has advised its customers to change their passwords, as the hacker gained information about their e-mail accounts as well.)

The trove provided an unusually detailed window into computer users’ password habits. Typically, only government agencies like the F.B.I. or the National Security Agency have had access to such a large password list.

“This was the mother lode,” said Matt Weir, a doctoral candidate in the e-crimes and investigation technology lab at Florida State University, where researchers are also examining the data.

Imperva found that nearly 1 percent of the 32 million people it studied had used “123456” as a password. The second-most-popular password was “12345.” Others in the top 20 included “qwerty,” “abc123” and “princess.”

More disturbing, said Mr. Shulman, was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.

That suggests that hackers could easily break into many accounts just by trying the most common passwords. Because of the prevalence of fast computers and speedy networks, hackers can fire off thousands of password guesses per minute.

“We tend to think of password guessing as a very time-consuming attack in which I take each account and try a large number of name-and-password combinations,” Mr. Shulman said. “The reality is that you can be very effective by choosing a small number of common passwords.”

Some Web sites try to thwart the attackers by freezing an account for a certain period of time if too many incorrect passwords are typed. But experts say that the hackers simply learn to work around such controls, for instance by spacing their guesses to stay under the lockout threshold, or by trying a single common password against many accounts rather than many passwords against one account.
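An added example, not from the article: the two detection rules a site would run over its authentication log to catch both attack shapes just described. The per-account rule is what a lockout trips on; the per-source rule counts the distinct accounts a single address has failed against, which is the trace a guesser leaves behind when each account is kept under the lockout threshold. The log format and the SAMPLE_LOG lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed authentication log (syslog-like); not from any real system.
# 203.0.113.7 tries one common password against six accounts and gets into
# frank's; 198.51.100.9 hammers dave's account; 192.0.2.5 is erin mistyping.
SAMPLE_LOG = """\
2010-01-22T10:00:01 login failed user=alice src=203.0.113.7
2010-01-22T10:00:02 login failed user=bob src=203.0.113.7
2010-01-22T10:00:03 login failed user=carol src=203.0.113.7
2010-01-22T10:00:04 login failed user=dave src=203.0.113.7
2010-01-22T10:00:05 login failed user=erin src=203.0.113.7
2010-01-22T10:00:06 login failed user=frank src=203.0.113.7
2010-01-22T10:00:07 login ok user=frank src=203.0.113.7
2010-01-22T10:03:10 login failed user=erin src=192.0.2.5
2010-01-22T10:03:25 login failed user=erin src=192.0.2.5
2010-01-22T10:03:40 login ok user=erin src=192.0.2.5
2010-01-22T10:05:00 login failed user=dave src=198.51.100.9
2010-01-22T10:05:01 login failed user=dave src=198.51.100.9
2010-01-22T10:05:02 login failed user=dave src=198.51.100.9
2010-01-22T10:05:03 login failed user=dave src=198.51.100.9
2010-01-22T10:05:04 login failed user=dave src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) login (failed|ok) user=(\S+) src=(\S+)$")
Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source)


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Per-account rule: >= threshold failures on one account inside a sliding window."""
    flagged, recent = set(), defaultdict(deque)
    for ts, result, user, _src in events:
        if result != "failed":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(user)
    return sorted(flagged)


def detect_spray(events: List[Event], min_users: int = 5,
                 window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Per-source rule: one address fails against >= min_users distinct accounts in a window.

    Each account may see only one failure, so the per-account rule never fires.
    """
    flagged, recent = {}, defaultdict(deque)
    for ts, result, user, src in events:
        if result != "failed":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({u for _, u in q})
        if distinct >= min_users:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def successes_from(events: List[Event], sources) -> Dict[str, List[str]]:
    """Accounts a flagged source managed to log into: the follow-up a responder needs."""
    hits = defaultdict(list)
    for _ts, result, user, src in events:
        if result == "ok" and src in sources:
            hits[src].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("brute force:", detect_bruteforce(evs))
    sprayers = detect_spray(evs)
    print("spray:", sprayers, "successes:", successes_from(evs, sprayers))
```

On the sample the lockout-style rule flags only dave's account, while the per-source rule is the one that exposes 203.0.113.7 and its successful login as frank. Thresholds are assumptions to tune against your own traffic, and a spray spread across many source addresses needs the same count keyed on something other than the address.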

To improve security, some Web sites are forcing users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.
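An added example, not from the article or from Twitter: why a composition rule alone is weak and what a common-password check has to do to be useful. Passw0rd! satisfies "letters, numbers and symbols", yet it is just "password" with the usual substitutions, so the check normalises a candidate (lowercase, trailing digits and symbols stripped, leet substitutions undone) before looking it up. The blocklist is seeded only with the entries this article names, and the 12-character minimum is the length Moss describes later in the article; both are assumptions of the example.

```python
import re
from typing import Set, Tuple

# Constructed blocklist seeded with the entries the article names; a real
# deployment loads a full leaked-password list instead.
COMMON_PASSWORDS = {"123456", "12345", "qwerty", "abc123", "princess", "iloveyou", "password"}

# Substitutions people use to satisfy "mix letters and numbers" rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def composition_ok(pw: str) -> bool:
    """The rule from the article: letters, digits and a symbol all present."""
    return (re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def candidates(pw: str) -> Set[str]:
    """Forms of pw worth comparing with the blocklist: lowercased, with
    trailing digits/symbols stripped, and with leet substitutions undone."""
    low = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)
    forms = {low, stripped, low.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def check_password(pw: str, min_len: int = 12) -> Tuple[bool, str]:
    """Reject anything that normalises to a common password, then enforce length."""
    for form in candidates(pw):
        if form in COMMON_PASSWORDS:
            return False, f"matches common password '{form}'"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Passw0rd!", "Pr1ncess2010", "123456", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: composition_ok={composition_ok(pw)} check={check_password(pw)}")
```

The comparison to make is between composition_ok and check_password on Passw0rd!: the first says yes, the second says no, and it is the second that reflects what a guesser armed with the RockYou list would try first.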

Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place.

Even commercial sites like eBay must weigh the consequences of freezing accounts, since a hacker could, say, try to win an auction by freezing the accounts of other bidders.

Overusing simple passwords is not a new phenomenon. A similar survey examined computer passwords used in the mid-1990s and found that the most popular ones at that time were “12345,” “abc123” and “password.”

Why do so many people continue to choose easy-to-guess passwords, despite so many warnings about the risks?

Security experts suggest that we are simply overwhelmed by the sheer number of things we have to remember in this digital age.

“Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago,” said Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council. “Voice mail passwords, A.T.M. PINs and Internet passwords — it’s so hard to keep track of.”

In the idealized world championed by security specialists, people would have different passwords for every Web site they visit and store them in their head or, if absolutely necessary, on a piece of paper.

But bowing to the reality of our overcrowded brains, the experts suggest that everyone choose at least two different passwords: a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.

Mr. Moss relies on passwords at least 12 characters long, figuring that those make him a more difficult target than the millions of people who choose five- and six-character passwords.

“It’s like the joke where the hikers run into a bear in the forest, and the hiker that survives is the one who outruns his buddy,” Mr. Moss said. “You just want to run that bit faster.”

June 3rd, 2009

Swine Flu Spam Emails Fox Users

The outbreak of swine flu has provided hackers a new opportunity to attack your computers.

With the virus fast-spreading and people wanting more information on the pandemic flu and safety, the hackers are capitalising on their fear to spread malicious content.

“The attacks arrive through an unsolicited email message typically containing a subject line related to the swine flu. These email messages may contain a link or an attachment,” said an advisory by the Computer Emergency Response Team (CERT), the cyber security agency operating under the ministry of communications and IT.

“If users click on this link or open the attachment, they may be directed to a phishing website or infected with malicious code,” the CERT added.

The mails in fact look quite interesting with subject lines like ‘Swine influenza: frequently asked questions.pdf’, inviting users to click to know more about the subject.

“This is as an email with attachment and being used to drop malware on computers. It takes advantage of a vulnerability in Adobe (a software) to drop a malicious ‘infostealer’ Trojan on the user’s computer,” said CERT.

“This is then used to steal personal information, such as credit card number and online bank credentials.”

Other eye-catching subject lines that will tempt a user to click on the link include: ‘Madonna caught swine flu!’, ‘Swine flu worldwide!’ and ‘Swine flu in Hollywood!’

The CERT added that instances of such malicious attacks might increase with a number of new websites being registered with the term “swine flu” included in them.

“Right now they are not used for anything, but it is anticipated that at some point, these sites may be used for spamming purposes, perhaps advertisements or even greater malicious use,” it added.