Security News for Tuesday, July 28 2015

This article is reporting on a new texting flaw that could allow hackers to take over an Android smart phone. From the article:

According to the Verge, the vulnerability called ‘Stagefright’ affects roughly 950 million Android devices worldwide, according to researcher estimates. But the most vulnerable devices are those running pre-Jelly Bean versions of Android.

Google has released a patch for the vulnerability to manufacturers, but most have not yet pressed that update to customers.

According to this article, a flaw has been discovered in Apple’s App Store and iTunes invoicing system which could allow a malicious user to hijack sessions and manipulate invoices. From the article:

Revealed this week by security researcher Benjamin Kunz Mejri from Vulnerability Lab, the persistent injection flaw, deemed critical, is an application-side input validation web vulnerability. In an advisory, the researcher said the vulnerability allows remote attackers to inject malicious script codes into flawed content function and service modules.

In this article, the loosely-knit hacking collective known as Anonymous are making claims that they have hacked the US Census Bureau. From the article:

Anonymous hacked into the United States Census Bureau and stole employee information as a form of protest against the Transatlantic Trade and Investment Partnership and the Trans-Pacific Partnership. It is not completely known why Anonymous is against the trade agreements.

Posted in Security News | Leave a comment

Security News for Tuesday, July 14 2015

This post is reporting that United Airlines has paid a security researcher 1 million frequent flyer miles in return for vulnerabilities he discovered on their websites. From the article:

A vulnerability researcher from Florida, Wiens was the first recipient of United’s highest-level reward in its bug bounty program, reserved for remote code execution (RCE) vulnerabilities in its web properties.

United announced the bounty program in May 2015, which it said is the first such program in the airline industry.

President Obama’s chief information security officer has warned of more hacker attacks against the US government according to this brief article. From the article:

Scott launched a 30-day government-wide blitz on cybersecurity in the wake of a massive system breach in which hackers stole the private information, including Social Security numbers, of 21.5 million Americans.

“We said, ‘Run hard for the next 30 days and get big progress on these things. No excuses, just get it done,’” Scott told Reuters.


Security News for Tuesday, July 7 2015

This article is reporting that a new law went into effect July 1, 2015 that requires mobile phone manufacturers to incorporate theft deterrent technology into all phones sold in California. From the article:

The California law is significant because smartphone anti-theft features must be turned on by default – Minnesota passed the first kill switch law last year but didn’t make the default setting a requirement.

The California law, Senate Bill 962, requires new phones sold in the state to have the anti-theft setting enabled during the initial setup of a new smartphone.

Buyers can opt out of the technology during setup.

According to this article, a controversial cyber espionage company has been hacked and hundreds of gigabytes of their data has been released on the Internet. The company, ironically named Hacking Team, has yet to divulge if the data that was dumped is legitimate. From the article:

Without a doubt, a hack of this kind would be terribly problematic for a company that secretly sells spyware to governments — including, if the documents prove authentic, repressive ones — around the world.


Security News for Wednesday, July 1 2015

Scammers have found a new way to use the tech support ruse to trick victims into clicking on malicious links. They are now using JavaScript to generate browser popups that include the ISP of the victim, which can make them seem extremely convincing.

This article is reporting on a newly discovered flaw affecting Adobe Flash that is already being exploited to deliver ransomware. Ransomware is a type of malware that encrypts all of your personal files with strong encryption and forces you to pay for the decryption key. From the article:

The bug that was fixed is designated CVE-2015-3133, and it is a remote code execution (RCE) bug that Adobe admitted was “being actively exploited in the wild via limited, targeted attacks.”

However, Adobe went on to temper that statement by adding, “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”



Security News for Wednesday, June 17 2015

This article discusses Duqu 2.0, what it labels as “the most sophisticated malware ever seen”. Duqu 2.0 exploits a number of zero-day vulnerabilities on target systems. From the article:

Duqu 2.0, the cyberespionage tool that was used to compromise security firm Kaspersky Lab, has also been used in a number of other attack campaigns against a range of targets, including several telecoms firms.

This article examines various email-based attacks such as spear-phishing. Because pretty much everyone uses email, it is still a very popular attack vector, so this article is worth taking a look at. From the article:

Here we have collected several real world examples of how all types of attacks utilize emails. Spreading ransomware and bankers, phishing, targeted campaigns and large ones – all rely on emails and social engineering to get the job done.

According to this article, various Samsung smartphones include a keyboard app that could leave you open to attack. The app in question (SamsungIME) includes an auto-update feature that performs updates without performing any verification. From the article:

This is a similar bug to the hole we recently wrote about in Hospira drug pumps, where a researcher found he could upload a firmware update without worrying about verification.

That sort of vulnerability makes it much easier than it ought to be for a crook to feed fake code or data into your device, and ultimately to reprogram it almost arbitrarily.


Security News for Monday, June 8 2015

This article discusses how a security researcher was able to modify a discontinued children’s toy to open a garage door in less than 10 seconds. From the article:

The exploit only works against garage doors that respond to a “fixed code” that is transmitted by a wireless remote rather than newer, more secure alternative doors which use a “rolling code” that changes with each button press.

This article is reporting that California has passed a law requiring warrants to search computers and mobile devices. From the article:

As the LA Times reports, California on Wednesday joined the ranks of states that require police to have a warrant if they want to search computers, mobile phones, tablets and other devices, or if they want to siphon off location data from any of those devices.

According to this article, and based on recently released research, a new zero-day vulnerability affecting Mac OS X could allow attackers to not only modify the system BIOS, but to also install a rootkit and potentially take full control of a vulnerable system. From the article:

The critical vulnerability, discovered by well-known OS X security researcher Pedro Vilaca, affects Mac computers shipped before mid-2014 that are allowed to go into sleep mode.


Security News for Tuesday, June 2 2015

This article takes a look at a white-hat or “ethical hacker” and describes what they do in the course of their job. From the article:

These hackers work with businesses to probe their networks for security holes and vulnerabilities to social engineering, while considering the mindset of someone who might have criminal motivations. To learn about what such work is like we spoke with Ben Miller, an ethical hacker at Parameter Security.

This article is reporting on the newly launched Google “My Account” dashboard that allows you to control settings relating to privacy and data. From the article:

Privacy and security are two sides of the same coin: if your information isn’t secure, it certainly can’t be private. My Account gives you quick access to the settings and tools that help you safeguard your data, protect your privacy, and decide what information is used to make Google services work better for you. It also provides more context to help you understand your options and make the right choices for you.

According to this article, and based on a recently released analysis from security vendor NopSec, the financial industry takes an average of 176 days to patch security vulnerabilities. From the article:

The report analyzed over 65,000 vulnerabilities logged within the National Vulnerability Database, a US government repository of standards-based vulnerability management data which includes security related software flaws, misconfigurations, product names, and impact metrics.

By analyzing this data across a 20-year period, NopSec was able to determine how long on average it has taken players in different industries to recognize and patch problems, ranging from the finance sector to education.


Security News for Monday, June 1 2015

According to this article, and based on recently released research by the Anti-Phishing Working Group (APWG), more than half (54%) of targeted phishing attacks in the period covered affected 3 major brands: Apple, PayPal, and Chinese marketplace Taobao. From the article:

This shows that phishers are regularly updating their approaches, probing new areas and looking out for new victims in niche industry segments and regions, as well as taking aim at larger global players and their users.

This article is reporting that hackers have compromised approximately 100,000 IRS tax accounts using data stolen in earlier attacks. From the article:

These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.


Security News for Tuesday, May 26 2015

This article is reporting on recently released research by security vendor ESET regarding a new worm that is affecting Linux-based routers in order to commit social networking fraud. From the article:

In their investigation, ESET’s team observed the worm creating bogus accounts on sites such as Instagram, and automatically following users. In many cases the rise in followers was carefully staggered over some days, seemingly to avoid raising alarms in automated systems built by the social networks to identify suspicious behaviour.

According to this article, malicious Minecraft Android applications have been downloaded from the Google Play Store anywhere between 660,000 and 2.8 million times. From the article:

“All of the discovered apps were fake in that they did not contain any of the promised functionality and only displayed banners that tried to trick users into believing that their Android system is infected with a dangerous virus,” ESET researcher Lukas Stefanko wrote in a blog post.


Security News for Wednesday, May 20 2015

News of a security researcher hacking into the in-flight entertainment (IFE) system and crossing over to systems that control avionics (all while the plane was in flight) has been making the rounds over the last week. While many in the security industry feel that this story is being blown out of proportion, it is still being actively reported on. This article takes a look at how such an attack could take place. From the article:

It was once believed that the cockpit network that allows the pilot to control the plane was fully insulated and separate from the passenger network running the in-flight entertainment system. This should make it impossible for a hacker in a passenger seat to interfere with the course of the flight.

But the unfolding story of this hacker’s achievement, which has prompted further investigation by authorities and rebuttals from plane manufacturers, means that this assumption needs to be revisited.

It is worth saying that all of this should be taken with a grain of salt until it is proven that the hacker actually did what he claims (he also claimed to have hacked the International Space Station (ISS) and altered the temperature of the craft).

In this article, a spokesman for Boeing states that IFE and avionic systems are isolated from one another and the claims made by the hacker are false. From the article:

While these systems receive position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions…
