Computer security researchers will unveil a new malicious software program next week at the Black Hat computer security conference in Las Vegas that could steal peoples’ online profiles and logon information from web sites like MySpace, Facebook, eBay and Google.

The software relies on a new hybrid computer file that is recognized as different things to different computer programs. By putting the files on web sites that allow people to upload images, the developers can fool security systems and take over the personal accounts of people who use these sites.

The malicious file is called a GIFAR, a combination of GIF ( an image file ) and JAR ( a Java file ), the two types of files are combined.

To the web site, the file looks like a harmless .gif image file, however a person’s browser will recognize the file as a Java applet and run the malicious program on the users computer.

Black hat hackers could create a profile on on a popular social network, like MySpace.com or Facebook.com, and upload their GIFAR file as an image on the web site. They would then trick another user into visiting a malicious site, which would tell the person’s web browser to run the GIFAR software. The applet would run in the browser, giving the hackers access to the victim’s web site account information.

This type of attack could work on any web site that allows people to upload files, potentially even on sites that are used to upload banking card photos or eCommerce sites.

However, the victim would have to be logged into the site that is hosting the image for the attack to work.

There are some ways that the GIFAR software could be stopped. Sites could upgrade filtering tools so that they could identify these malicious hybrid files. Also, Sun Microsystems could modify the Java runtime to stop the GIFAR from working. The security researchers believe that Sun will come up with a security fix soon after its Black Hat presentation.

Source: ComputerWorld.com

US federal court officials are warning that hackers are emailing fake subpoenas that contain malware to corporate executives in an effort to steal private corporate data.

Thousands of top US executives have received the fraudulent emails that contain web links which, when clicked on, install malware on the user’s PC, letting hackers take control of the computer to steal passwords or other private information.

Web security professionals refer to these types of attacks as “whaling” because they use social-engineering gimmicks involved in “phishing” but target “big phish” rather than going after the masses of Internet users.

Websense Security Labs manager Stephan Chenette said the success rate has been extremely high and that it is, “Most likely due to the nature of the content and the real data, the emails had their exact names and legal language in there that made it seem like a serious subpoena.”

The fake subpeonas are written using official seal of the US federal court in San Diego, California, and are addressed to executives using their names, addresses and other personal information.

Clicking on the included link to view the “subpoena” brings up a realistic-looking legal document and secretly installs malicious computer software on the reader’s computer that can read keystrokes and sends the information to a computer over the internet, enabling hackers to steal passwords as well as other sensitive financial information.

Subpoenas in the US are usually served in person to assure judges that court orders have been personally received by the people named.

Federal investigators believe the hackers are unfamiliar with the US court system since the website executives are directed to use is a “uscourts.com” domain while actual court website addresses typically end with “.gov.”

Police believe that certain aspects of writing in the emails appear to be British.

Some of the targets have been executives at CitiBank, America OnLine and Ebay.

Source: Yahoo.com

A group of German hackers have threatened to publish German Chancellor Angela Merkel’s fingerprints in protest of the government’s use of biometric information in passports.

The hackers are part of Germany’s oldest and biggest hacker group, called the Chaos Computer Club. Last Saturday the group published German Interior Minister Wolfgang Schaeuble’s fingerprints in their magazine.

Schaeubele’s prints were lifted from a drinking glass he used at a public debate.

The group is upset with Merkel over her support for increased use of biometric data.

German passports issued since November 2007 use a biometric computer chip that contains a copy of the owner’s fingerprints which can be used by immigration authorities for identification.

The Chaos Computer Club argues that a person’s fingerprints are a bad choice for identification purposes since they are easy to obtain and reproduce. The CCC’s website publishes a 12-point lesson for creating a fake set of fingerprints.

The CCC does not believe that fingerprints offer increased security benefits, but, rather, are being used to increase the surveillance of everyday citizens.

Source: Breitbart.com

In this short YouTube video, CNN interviews Chinese hackers, who claim to have broken into high-level private and government websites, including a Pentagon website. The hackers claim that they have been paid by the Chinese Government to conduct these security breeches.

Wired.com’s Threat Level blog has posted news on a white hat phone hacker that goes by Lucky225, who got into Paris Hilton’s voice mail and then called to inform her of his intrusion as well as give her helpful advice for securing her voice mail and cellphone account.

Although we are not interested in giving Paris Hilton another 15 minutes of fame, the audio and transcript of the conversation between Lucky225 and Paris is instructive about the security holes in major cellphone service providers.

You can listen to the audio of the phone call as well as read a transcript of the conversation @ Threat Level Blog.