Security News for Friday, February 27 2015

According to this article, Facebook paid out about $1.3 million in bounties last year to whitehat hackers who submitted security flaws in that affected the popular social network. From the article:

Facebook’s bug bounty program was started in 2011 and has since awarded more than $3 million, helping to maintain a social network used by 1.39 billion people.

Among the bugs submitted were flaws that could have allowed hackers to view users’ private messages, post to their timelines and upload content to Facebook and Instagram’s servers, reports Sky News.

This article is reporting that earlier this week the website of Lenovo, a Chinese multinational computer technology company, was hacked. Traffic to the Lenovo site was re-directed to another site and corporate emails were intercepted. From the article:

Hacking group Lizard Squad claimed credit for the attacks on microblogging service Twitter. Lenovo said attackers breached the domain name system associated with Lenovo and redirected visitors to lenovo.com to another address, while also intercepting internal company emails.

Posted in Security News | Leave a comment

Security News for Tuesday, February 24 2015

This article discusses recently released research from Stanford that claims a mobile device (in this case cell phone) can be geographically tracked by the power that it consumes. From the article:

Computer scientists from Stanford, realising that Android devices make it easy to grab regular readings of your battery’s voltage and current, wondered what that might tell them.

As you will be acutely aware from your own mobile phone, one of the biggest “invisible” power drains is the phone component itself.

According to this article, and based on research from security vendor FireEye, hackers impersonating IT staff is a popular tactic in data breaches. From teh article:

Within FireEye’s sixth annual M-trends report, which tracks the threat landscape and emerging threat actors, the firm says that cybersecurity has now gone beyond the boardroom and has entered the mainstream thanks to the number of high-profile security breaches in 2014. While companies are taking less time to discover a data breach, hackers are smarter about the way they conduct themselves — and a lack of basic security safeguards are leaving businesses vulnerable.

Posted in Security News | Leave a comment

Security News for Wednesday, February 18 2015

Time was that most security professionals warned people that visiting Internet sites “off the beaten path” could lead to system infections. Today it is becoming more and more commonplace for legitimate sites to serve up malware when they are visited.

According to this article, the website of celebrity chef Jamie Oliver has been dishing up malware since December of 2014. From the article:

Quite how the malicious code got to be there is open to question – but hopefully the people responsible for administering Jamie Oliver’s website will ensure that they don’t stop at cleaning up the infection, but also discover the underlying problem to ensure that the site does not get compromised again.

According to this article, and based on recently released research by Russian security vendor Kaspersky, the group that compromised over 1 million payment cards from office supply store Staples last year made up to 1 billion in bank raids. From the article:

The hacker crew that breached Staples last year and made off with data on as many as 1.16 million payment cards appears to have robbed banks of far more than initially thought. The cybercriminal gang, known as Anunak or Carbanak, may have made up to $1 billion in their exploits, which are ongoing, according to Russian security firm Kaspersky.

Posted in Security News | Leave a comment

Security News for Monday, February 2 2015

No longer are only computers connected to networks vulnerable to hackers. As technology incorporates more and more computer-based features into automobiles, they are becoming attractive targets to malicious hackers as well as security researchers. According to this article, BMW recently patched a flaw that left 2.2 million vehicles vulnerable to hackers. From the article:

The flaw affected models fitted with BMW’s ConnectedDrive software, which uses an on-board Sim card.

The software operated door locks, air conditioning and traffic updates but no driving firmware such as brakes or steering, BMW said.

According to this post, Adobe has issued an advisory warning of a zero-day vulnerability targeting Flash Player running under Internet Explorer and Firefox. From the post:

The company said Monday the zero-day flaw exists in the latest version of Flash Player, version 16.0.0.296 (and earlier), and if exploited could cause a crash that allows an attacker to take control of the affected system.

Windows and Mac users are affected, along with Linux users (version 11.2.202.440 and earlier).

Posted in Security News | Leave a comment

Security News for Tuesday, January 28 2015

According to this post, a security researcher has uncovered a major flaw in the Blackphone, a mobile device that has been highly advertised as being extremely secure. The flaw can allow an attacker to send a Blackphone user a specially crafted text message that allows remote code execution on the device.  A paper with full details on the flaw can be found here.

Unless forced to use complex passwords, many users elect to use easy to remember passwords to protect their accounts (123456 typically tops the list of most used passwords every year). This article discusses how two-factor authentication can be used to protect accounts that incorporate simple passwords. This article takes a look at the 25 most used passwords for 2014. The password ‘123456’ ranks at #1.

Posted in Security News | Leave a comment

Security News for Monday, January 26 2015

According to this article, and based on recently released research from Google’s research team Project Zero, three new unpatched vulnerabilities have been discovered in Apple OS X. From the article:

CNET describes the three exploits in detail. The first involves “circumvention of commands in the network system”, but may already be a non-issue for users on OS X Yosemite. The second documents “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator.” The final bug is an exploit relating to OS X’s kernel structure. All three of the exploits would requite an attacker to have access to a targeted Mac.

Posted in Security News | Leave a comment

Security News for Wednesday, January 14 2015

After the holiday season and some extended vacations, we are back to posting on a regular basis.

There has been much talk in the news over the last 6 months about personal webcams and baby monitors (usually being run in default configurations) being taken over by malicious individuals or set up to stream over sites where anyone can view them. This article provides some sound advice on how to protect your webcam/baby monitor from hackers.

Posted in Security News | Leave a comment

Security News for Thursday, December 11 2014

A new day and even more news regarding the recent Sony hack. According to this post, Sony is using unconventional methods to fight back at data thieves looking to obtain data that was stolen during the breach. From the post:

As reported by Re/Code, according to two people with knowledge of the matter, the company is using hundreds of computers in Asia to initiate denial of service attacks on websites where Sony’s stolen information is available for download.

Amazon Web Services data centers in Tokyo and Singapore are being used to support the counter-attack, according to one of the sources.

Posted in Security News | Leave a comment

Security News for Wednesday, December 10 2014

Stolen credit card data due to breaches of merchants such as Home Depot is getting to the point that it is commonplace. Many have no idea what actually happens with the stolen credit card data. This article examines what the bad guys do with this data. From the article:

Whether it’s a RAM scraper or an “older” threat like a physical skimmer placed directly on a POS machine used to swipe a credit or debit card, phishing attack or simply storing customers’ card information insecurely, the result is the same: credit card data for millions of people winds up in the hands of criminals eager to sell it for profit. How does that process unfold? And how can you – or people you know – get sucked into it?

More fallout from the recent hack against Sony. According to this post, not only were unreleased movies stolen and released on the Internet, but contact details and aliases for celebrities has also been released. From the post:

Those affected include Brad Pitt, Julia Roberts, Tom Hanks, Daniel Craig, Natalie Portman, Tobey Maguire and Sarah Michelle Gellar.

Besides the doxed aliases, the new leaks also include the email addresses and phone numbers of cast, crew and other staff on several film productions.

Posted in Security News | Leave a comment

Security News for Tuesday, December 9 2014

While this is not security related, it is still interesting. According to this post, Facebook has enabled a new search feature that allows users to search for keywords in past posts. From the post:

On Monday, it announced the new Graph Search, which, it tells us, will enable the reliving of “the most important memories of your life”.

The new Facebook search is being introduced this week in the US, in English, on iPhone and on the desktop version of Facebook.

There has been a lot of news stories over the last week about the recent attack against Sony Pictures but according to this article, the attack was an ‘unparalleled crime’. From the article:

The cyber-attack knocked much of Sony Pictures’ network offline, resulted in the theft and distribution online of five movies about to be released to cinemas worldwide as well as the exposure of vital records including celebrity data and over 47,000 social security numbers.

Posted in Security News | Leave a comment