Weekly Security News Roundup: Rented PCs Spy, Photograph Users

: (CSOonline) “The denial of service attack that disrupted the Wells Fargo & Co. electronic banking operations Tuesday was the fourth since last week. And it appears to lend some credence to threats and claims that the Izz al-Din al-Qassam Cyber Fighters, the military wing of Hamas, the Islamic party that governs the Gaza Strip, are behind them.”

New Zero-Day Vulnerability Found in Java 5, 6 and 7; 1.1 Billion Desktops Affected: (ThreatPost) “A critical vulnerability in all of the latest versions of Java SE software was discovered that would allow an attacker full remote control of a computer landing on a malicious site. The exploit developed by Adam Gowdiak and his team at Polish security consultancy Security Explorations enabled them to escape the Java security sandbox in Java SE 7. Java 5 and 6 also contain the same vulnerability. Oracle says 1.1 billion desktops currently run Java, which is also a plug-in for all major browsers.”

Compromised SourceForge Mirror Distributes Backdoored phpMyAdmin Package: (CSOonline) “Unknown attackers compromised a download mirror server for the SourceForge software repository, rigging the installer package for phpMyAdmin, a popular Web-based MySQL database administration tool, with a backdoor.”

FTC: Rental Computers Spied On, Photographed Users: (NetSecurity) “Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.”

Google Releases Chrome 22, Pays Out Nearly $30K to Researchers: (ThreatPost) “Google has released Chrome 22, a major new version of its browser that includes a huge number of security fixes, many of them high-priority vulnerabilities. The company also handed out nearly $30,000 in rewards to security researchers, more than half of it to Sergey Glazunov, who discovered two especially severe bugs that the Chrome security team deemed worthy of special rewards.”

Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent: (KrebsOnSecurity) “A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.”

New Twitter-Based Malware Uses Direct Messaging to Spread: (ThreatPost) “Sophos is warning of a new trick to get Twitter users to open direct messages from trusted users that ultimately infect their machines with malware. In a blog post, senior technology consultant Graham Clulely said the initial message is a tweet claiming the recipient’s been captured on a Facebook video. One version makes it sound like something scandalous was taped without the person’s knowledge.”

Another IE Exploit Targeting Defense Industry Discovered: (ThreatPost) “Another malicious website has been discovered hosting an exploit for the zero-day vulnerability Internet Explorer patched by Microsoft last week. This site, like the other exploits discovered, targets the defense and space industries, and is dropping an unknown payload, according to Barracuda Labs.”

Tiny Evil Maid CHKDSK Utility Can Steal Passwords: (ThreatPost) “Stealthy malware that can sneak onto machines during the boot process and remain undetected indefinitely is one of the brass rings of security research. There have been a number of tools developed over the years that aimed to accomplish this goal, with Joanna Rutkowska’s Evil Maid attack being perhaps the most famous. Now a developer in Canada has produced a similar tool that impersonates the CHKDSK utility and can grab a user’s password and then exit without the user’s knowledge.”

Forrester: Most Data Breaches Caused by Employees: (NetworkWorld) “Most data breaches are caused by mundane events such as employees losing, having stolen or simply unwittingly misusing corporate assets, a Forrester report has found. After questioning over 7,000 IT executives and ordinary employees across North America and Europe, 31 percent cited simple loss or theft as the explanation for data breaches they had experienced, ahead of inadvertent misuse by an employee on 27 percent. External attack was mentioned in 25 percent of cases with abuse by malicious insiders on 12 percent. The same selection of causes was cited at much lower levels for business partners.”