Security
Lousy code opens up Bluetooth hands-free kits, smartphones to hackers
- Friday, 23 September 2011 14:19
That Bluetooth car kit you got at the big box store on sale may be opening your phone up to hacking. Research by Codenomicon, a Finnish data security company, found that each of a sample of ten new Bluetooth hands-free kits tested this year has "critical issues" with its security implementation.
The kits were susceptible to "fuzzing": the transmission of malformed data that can crash a device or expose holes in its implementation of the Logical Link Control and Adaptation Protocol (L2CAP), the layer that carries the higher-level Bluetooth protocols over the radio link. The problem isn't limited to car kits. Codenomicon's Tommi Mäkilä says that about 80 percent of the devices tested in Codenomicon's "plugfests" have crashed during testing.
In crashing, the devices often reveal gaps in their security that, in the case of handsets and computers, can be used to access data or inject malware into the system. And because there is a relatively small number of Bluetooth protocol stacks on the market, any exploit that might be discovered could be applied to a wide range of devices.
Security gaps in Bluetooth aren't a new concern—tools like Blooover have demonstrated an exploit called Bluebug, which allowed remote access to text messages, call records and address books on some handsets, and even allowed eavesdropping and placing of phone calls. Changes to phone firmware from handset makers have largely corrected that security hole.
But such gaps haven't gone away. In July, Microsoft issued a patch for a Bluetooth vulnerability in Windows 7 and Windows Vista that let an attacker send crafted packets to execute code remotely, allowing them to "install programs; view, change, or delete data; or create new accounts with full user rights."
But the findings of the Codenomicon researchers indicate that security for Bluetooth devices still has a long way to go, and is "perhaps even worse than anyone expects." The researchers were particularly concerned about the unreliability of L2CAP implementations, since communication over L2CAP doesn't require Bluetooth devices to pair—meaning that attacks can be undertaken without the user being aware.
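The kind of bug the Codenomicon fuzzing turns up is usually a parser that trusts the length fields inside an L2CAP signalling command. The following is an added illustration, not Codenomicon's tool or any vendor's stack: it builds a well-formed L2CAP Connection Request on the signalling channel (CID 0x0001, reachable before pairing), derives the handful of length mutations a fuzzer would try first, and runs them through two toy parsers, one that copies as many bytes as the packet claims and one that checks every length against what was actually received. The command codes and header layout are those of the L2CAP specification; the 48-byte signalling MTU limit, the single-command-per-PDU simplification and the Python `IndexError` standing in for a C memory corruption are assumptions of this example.

```python
import struct

L2CAP_SIGNALING_CID = 0x0001     # signalling channel on an ACL-U link: reachable before pairing
CONN_REQ, ECHO_REQ = 0x02, 0x08  # signalling command codes used here
MAX_SIG_MTU = 48                 # minimum signalling MTU; this toy stack accepts no more (assumption)


def build_signaling_frame(code, ident, payload, *, pdu_len=None, cmd_len=None):
    """Basic L2CAP frame carrying one signalling command, all little-endian:
    [PDU length][CID] [code][identifier][command length][data].
    pdu_len / cmd_len let the fuzzer lie about the two length fields."""
    cmd = struct.pack("<BBH", code, ident, len(payload) if cmd_len is None else cmd_len) + payload
    return struct.pack("<HH", len(cmd) if pdu_len is None else pdu_len, L2CAP_SIGNALING_CID) + cmd


def connection_request(ident, psm, scid):
    """Connection Request: PSM of the service wanted plus the requester's source CID."""
    return build_signaling_frame(CONN_REQ, ident, struct.pack("<HH", psm, scid))


def length_mutations(frame):
    """Cheapest fuzz cases: each length field too large, too small or inconsistent with
    the bytes on the wire, plus a truncated frame and an oversized (but consistent) one."""
    code, ident, _ = struct.unpack_from("<BBH", frame, 4)
    payload = frame[8:]
    yield "pdu_len_huge", build_signaling_frame(code, ident, payload, pdu_len=0xFFFF)
    yield "pdu_len_short", build_signaling_frame(code, ident, payload, pdu_len=2)
    yield "cmd_len_huge", build_signaling_frame(code, ident, payload, cmd_len=0xFFFF)
    yield "cmd_len_zero", build_signaling_frame(code, ident, payload, cmd_len=0)
    yield "truncated", frame[:6]
    yield "oversized", build_signaling_frame(code, ident, payload + b"\x00" * 200)


def _memcpy(dst, src, n):
    """Unchecked copy, like C memcpy: indexing past either buffer is an out-of-bounds access."""
    for i in range(n):
        dst[i] = src[i]


def naive_parse(frame):
    """Trusts every in-packet length field: the bug class that crashes the kits.
    In C the unchecked copy corrupts memory; here it surfaces as an uncaught
    IndexError / struct.error, which is what a fuzzer records as a crash."""
    _pdu_len, _cid = struct.unpack("<HH", frame[:4])
    code, ident, cmd_len = struct.unpack("<BBH", frame[4:8])
    buf = bytearray(MAX_SIG_MTU)      # fixed-size buffer sized for well-formed commands
    _memcpy(buf, frame[8:], cmd_len)  # copies cmd_len bytes, checking neither side
    if code == CONN_REQ:
        psm, scid = struct.unpack("<HH", buf[:4])
        return {"code": code, "id": ident, "psm": psm, "scid": scid}
    return {"code": code, "id": ident, "data": bytes(buf[:cmd_len])}


def hardened_parse(frame):
    """Validates every length against the bytes actually received before using it.
    ValueError is the clean reject path (a real stack would answer with Command Reject)."""
    if len(frame) < 8:
        raise ValueError("shorter than L2CAP + signalling headers")
    pdu_len, cid = struct.unpack_from("<HH", frame, 0)
    if cid != L2CAP_SIGNALING_CID:
        raise ValueError("not the signalling channel")
    if pdu_len != len(frame) - 4:
        raise ValueError("PDU length disagrees with received length")
    if pdu_len > MAX_SIG_MTU:
        raise ValueError("exceeds signalling MTU")
    code, ident, cmd_len = struct.unpack_from("<BBH", frame, 4)
    if cmd_len != pdu_len - 4:
        raise ValueError("command length disagrees with PDU length")
    data = frame[8:8 + cmd_len]
    if code == CONN_REQ:
        if cmd_len != 4:
            raise ValueError("Connection Request must carry exactly PSM and source CID")
        psm, scid = struct.unpack("<HH", data)
        return {"code": code, "id": ident, "psm": psm, "scid": scid}
    if code == ECHO_REQ:
        return {"code": code, "id": ident, "data": data}
    raise ValueError("unknown command code")


def fuzz(parser, seed):
    """Feed every mutation to the parser; anything but its own ValueError counts as a crash."""
    crashes = []
    for name, mutated in length_mutations(seed):
        try:
            parser(mutated)
        except ValueError:
            pass
        except Exception:
            crashes.append(name)
    return crashes
```

Seeding with `connection_request(1, 0x0001, 0x0040)` (PSM 1 is SDP, 0x0040 the first dynamic CID), `fuzz(naive_parse, seed)` reports the oversized-length, truncated and oversized-payload cases as crashes, while `fuzz(hardened_parse, seed)` reports none and still parses the valid request. The three checks that matter are the ones against the received length: the packet's own length fields are attacker data until they have been compared with it.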
Mac trojan poses as PDF to open botnet backdoor
- Friday, 23 September 2011 09:48
Malware continues to be a minimal threat to most Mac users, but that doesn't mean attackers aren't constantly trying to come up with new ways to steal information or turn users' machines into botnet drones. The latter appears to be the case with a new Mac trojan posing as a PDF file, discovered by security researchers at F-Secure.
The malware in question has been identified as Trojan-Dropper:OSX/Revir.A, which installs a backdoor, Backdoor:OSX/Imuler.A, onto the user's Mac. Currently, however, the backdoor doesn't communicate with anything. The command-and-control center for this particular malware is apparently a bare Apache installation, which has been sitting at its current domain since May of this year. Because of this, users who might fall victim to this attack aren't likely to see many ill effects for the time being, but that could change if the files end up spreading to a wider audience.
As mentioned earlier, this trojan spreads by masking itself as a PDF, which displays a Chinese-language document on the screen in an attempt to hide its background activity. This isn't a new strategy on the surface, as F-Secure notes, but some deeper digging indicates that it might be stealthier than its Windows counterparts.
"This malware may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a '.pdf.exe' extension and an accompanying PDF icon," reads the post on F-Secure's blog. "The sample on our hand does not have an extension or an icon yet. However, there is another possibility. It is slightly different in Mac, where the icon is stored in a separate fork that is not readily visible in the OS. The extension and icon could have been lost when the sample was submitted to us. If this is the case, this malware might be even stealthier than in Windows because the sample can use any extension it desires."
As for how this trojan is spreading, that's a bit of a mystery. The researchers noted that they're not yet sure of the methods it uses to propagate, but they believe the most likely explanation is that it's circulating via e-mail attachment.
US government looks to fight botnets with ISP code of conduct
- Thursday, 22 September 2011 13:04
The Department of Homeland Security and National Institute of Standards and Technology are looking to beat back the kudzu of spam generators, distributed denial of service zombies, and other botnets, and they want your cooperation—on a totally voluntary basis, of course.
After a long and escalating string of high-profile attacks on government and corporate sites, carried out with botnets and crowd-sourced denial-of-service tools like the Low Orbit Ion Cannon, botnets are obviously high on DHS's "to-kill" list. But while the government has had some success in attacking botnets directly, as it did in April when the FBI went after the Coreflood botnet, McAfee researchers estimate that the number of systems infected with botnet malware is growing at an average of 4 million per month.
New JavaScript hacking tool can intercept PayPal, other secure sessions
- Wednesday, 21 September 2011 09:09
On Friday, a pair of security researchers will present a hacking tool which they claim decrypts secure Web requests to sites using the Transport Layer Security 1.0 protocol and SSL 3.0, allowing a person or program to hijack sessions with financial websites and other services. Juliano Rizzo and Thai Duong are unveiling their Browser Exploit Against SSL/TLS tool, dubbed BEAST, at the Ekoparty security conference in Buenos Aires.
The tool is based on a blockwise-adaptive chosen-plaintext attack. The attacker sits in the middle of the connection and uses code injected into the victim's browser to make it send plaintext of the attacker's choosing over the already-established encrypted session, then compares the resulting ciphertext blocks with the block that carries the secret. What leaks is the plaintext, not the session key: in TLS 1.0 the CBC initialization vector for each record is the last ciphertext block of the previous record, so an eavesdropper knows the IV that will be applied to the next plaintext before that plaintext is chosen, and can test a guess at one secret byte per request. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through a Web ad service, or through an IFRAME in a linkjacked site, ad, or other scripted element on a webpage.
Using the known plaintext blocks, BEAST recovers the target's CBC-encrypted (typically AES) requests, including encrypted cookies, and then hijacks the no-longer-secure session. That decryption is slow, however: BEAST currently needs sessions of at least a half-hour to recover cookies of over 1,000 characters.
The attack, according to Duong, is capable of intercepting sessions with PayPal and other services that still use TLS 1.0—which would be most secure sites, since follow-on versions of TLS aren't yet supported in most browsers or Web server implementations.
While Rizzo and Duong believe BEAST is the first attack against SSL 3.0 and TLS 1.0 that decrypts HTTPS requests, the weakness it exploits is well known. BT chief security technology officer Bruce Schneier and UC Berkeley's David Wagner noted in their 1996 analysis of SSL 3.0 that "SSL will provide a lot of known plain-text to the eavesdropper, but there seems to be no better alternative," and the chained-IV problem in CBC mode was addressed in TLS 1.1 with a fresh, explicit IV per record. A separate TLS man-in-the-middle weakness, in session renegotiation, was made public in 2009; the IETF's TLS Working Group published a fix for that, but it does not cover the CBC weakness BEAST exploits, and SSL 3.0 gets neither fix.
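The byte-at-a-time recovery described above, worked through end to end, as an added example that is not Rizzo and Duong's tool or code from the article. Assumptions: a small Feistel permutation stands in for AES (the attack never looks inside the block cipher), a minimal record layer models TLS 1.0's chained IVs (and, optionally, TLS 1.1's fresh per-record IV), and a `VictimBrowser` object models the two things injected JavaScript gave BEAST, namely requests with an attacker-chosen prefix followed by the secret cookie and the ability to push raw bytes through the same connection. Record MACs, padding rules and the plugin/WebSocket plumbing BEAST needed to send raw blocks are left out; the cookie and key are constructed inline.

```python
import hashlib
import os

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    """8-round Feistel permutation on 16-byte blocks: a stand-in for AES so the example
    runs without a crypto library. The attack only needs a keyed permutation in CBC mode."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


class CbcRecordLayer:
    """chained_iv=True models TLS 1.0: the IV of each record is the last ciphertext
    block of the previous record. chained_iv=False models TLS 1.1+: a fresh random IV
    is generated per record and sent in front of it."""

    def __init__(self, key, chained_iv=True):
        self.key, self.chained_iv = key, chained_iv
        self.prev = os.urandom(BLOCK)  # initial IV (from the handshake in real TLS)

    def encrypt(self, plaintext):
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)  # padding format is irrelevant here
        out = []
        if not self.chained_iv:
            self.prev = os.urandom(BLOCK)
            out.append(self.prev)  # explicit IV travels with the record
        for i in range(0, len(plaintext), BLOCK):
            self.prev = toy_block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], self.prev))
            out.append(self.prev)
        return b"".join(out)


class VictimBrowser:
    """What attacker-injected script can make the browser do (assumption of this model):
    send a request with a chosen prefix to which the secret cookie is appended, and push
    raw bytes over the same connection. Every record lands on `wire`, which the
    man-in-the-middle can read."""

    def __init__(self, key, cookie, wire, chained_iv=True):
        self.record, self.cookie, self.wire = CbcRecordLayer(key, chained_iv), cookie, wire

    def request(self, prefix):
        self.wire.append(self.record.encrypt(prefix + self.cookie))

    def raw(self, data):
        self.wire.append(self.record.encrypt(data))


def beast_recover(browser, wire, secret_len):
    """Recover the cookie one byte at a time from sniffed ciphertext, without the key."""
    recovered = b""
    browser.request(b"warm-up")  # one record so that the next record's IV is on the wire
    for i in range(secret_len):
        # Pick the prefix length so secret[i] is the LAST byte of a block whose other
        # 15 bytes (filler plus bytes already recovered) the attacker knows.
        pad = (BLOCK - 1 - i) % BLOCK
        filler = b"A" * pad
        b = (pad + i) // BLOCK                    # index of the block holding secret[i]
        known15 = (filler + recovered)[-(BLOCK - 1):]
        iv = wire[-1][-BLOCK:]                    # TLS 1.0: next record's IV is already public
        browser.request(filler)
        ct = wire[-1]
        target = ct[b * BLOCK:(b + 1) * BLOCK]    # = E(c_prev XOR known15||secret[i])
        c_prev = ct[(b - 1) * BLOCK:b * BLOCK] if b else iv
        for g in range(256):
            guess = known15 + bytes([g])
            next_iv = wire[-1][-BLOCK:]
            # The record layer XORs our block with next_iv before encrypting, so cancel
            # it in advance: E((c_prev ^ guess ^ next_iv) ^ next_iv) == E(c_prev ^ guess),
            # which equals target exactly when guess == known15||secret[i].
            browser.raw(_xor(_xor(c_prev, guess), next_iv))
            if wire[-1][:BLOCK] == target:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched: the IV was not predictable")
    return recovered


def demo(cookie=b"session=deadbeefcafe", chained_iv=True):
    """Constructed victim: random key, the given cookie, and a sniffable wire."""
    wire = []
    return beast_recover(VictimBrowser(os.urandom(16), cookie, wire, chained_iv), wire, len(cookie))


def attack_works(cookie, chained_iv):
    """True if BEAST recovers the cookie through this record layer."""
    try:
        return demo(cookie, chained_iv) == cookie
    except RuntimeError:
        return False
```

`demo()` returns the cookie after at most 256 chosen records per byte, which is where the article's "half an hour" figure comes from once real-world record sizes and round trips are added; `attack_works(cookie, chained_iv=False)` returns False, since with a fresh IV per record the attacker can no longer pre-cancel the chaining and no guess block ever matches.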
Lion security flaw makes cracking, changing passwords easier
- Tuesday, 20 September 2011 10:56
A security researcher has discovered that changes to Directory Services in Lion make it much easier to access and potentially crack hashed user passwords. Worse yet, it is possible for any user to change any currently logged in user's password, making it much easier to gain root remotely.
According to researcher Patrick Dunstan, Directory Services' command line utility can be run by any user. By itself, this isn't necessarily a security problem, but at least two functions make it trivial to access user password hashes or even change the current user's password without administrator authentication.
Amazon cloud earns key FISMA government security accreditation
- Thursday, 15 September 2011 09:38
Amazon has earned the FISMA security accreditation from the US General Services Administration, a key endorsement for its cloud security model that could increase adoption among federal agencies.
FISMA, the Federal Information Security Management Act, is the fifth major certification or accreditation Amazon has gained for its Web Services business featuring the Elastic Compute Cloud infrastructure-as-a-service platform.
“FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls,” Amazon said in an announcement today. “This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure as well as conducting third party audits. This is the first time AWS has received a FISMA Moderate authority to operate.”
Amazon already counted the likes of NASA’s Jet Propulsion Laboratory and Treasury.gov as customers, so the company wasn’t exactly struggling to land big names. But adding to its roster of accreditations could help Amazon EC2 attract more mission-critical use cases.
FISMA certification had already been obtained by Google for its Apps service and by Microsoft for its cloud infrastructure and its BPOS-Federal service. Prior to today, Amazon achieved compliance with the SAS 70 Type II auditing standard, the HIPAA health data privacy act, PCI DSS credit card standards, and the ISO 27001 international security standard. The new FISMA certification covers Amazon EC2, Amazon’s Simple Storage Service, the Virtual Private Cloud, and the services’ underlying infrastructure.
DigiNotar fallout: Adobe to patch Reader and Acrobat tomorrow
- Monday, 12 September 2011 09:01
Adobe is removing a DigiNotar certificate from its trusted list and pushing out critical security patches to Reader and Acrobat tomorrow.
The Dutch certificate authority was hacked recently, generating “hundreds of fake security certificates for numerous websites, including Google, Yahoo, and others.” Adobe announced last Thursday that it was in the process of removing the DigiNotar Qualified CA from its Approved Trust List, and offered Reader and Acrobat users manual instructions on removing the certificate themselves. Adobe provided a further update on Friday, saying that a security update for Reader and Acrobat will be published September 13.
“We have delayed the removal of this certificate until next Tuesday at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change,” Adobe said on a corporate blog.
The rogue certificates known to exist today are related to a different certificate, the DigiNotar Public CA, but Adobe said a Dutch security consultancy has found evidence of the Qualified CA being compromised as well.
The security updates to be pushed out tomorrow are rated critical and affect Adobe Reader X (10.1) and Adobe Acrobat X (10.1) and earlier versions for Windows and Mac. Adobe said it is also holding discussions with the Dutch government regarding other certificates related to DigiNotar and is planning changes to Reader and Acrobat and its Approved Trust List to react more quickly to such problems in the future.
Researchers' typosquatting snarfed 20GB worth of Fortune 500 e-mails
- Friday, 09 September 2011 12:13
Comodo hacker: I hacked DigiNotar too; other CAs breached
- Tuesday, 06 September 2011 15:36
The hack of Dutch certificate authority DigiNotar already bore many similarities to the break-in earlier this year at a reseller for CA Comodo. Bogus certificates were issued for webmail systems, which were in turn used to intercept Web traffic in Iran. Another similarity has since emerged: the perpetrator of the earlier attacks is claiming responsibility for the DigiNotar break-in.
Calling himself ComodoHacker, the hacker claims that DigiNotar is not the only certificate authority he has broken into. He says that he has broken into GlobalSign, and a further four more CAs that he won't name. He also claimed that at one time he had access to StartCom.