Security News for Friday, September 4 2015

According to this article, one of the individuals behind what has been labeled “one of the most financially destructive computer viruses in history” is due in court in New York today. From the article:

Deniss Calovskis, a Latvian national, was arrested in November 2012 for his alleged role in writing some of the code that allowed the Gozi virus to be so effective. The malicious code infected at least 40,000 computers in the U.S., including NASA computers, and was allegedly used to steal tens of millions of dollars from bank accounts around the world, according to the U.S. Department of Justice.

This article is reporting that a hacker is claiming to have unreleased Hillary Clinton private emails for sale. It has been hard to avoid the news that Mrs. Clinton is under a lot of scrutiny for running a government work-related email server out of her home. from the article:

The anonymous “computer specialist” claims to be in possession of 32,000 emails from Clinton’s private server that were retrieved because, according to the site’s source, “Hillary or someone from her camp erased the outbox containing her emails, but forgot to erase the emails that were in her sent box.”

Posted in Security News | Leave a comment

Security News for Tuesday, September 1 2015

According to this post, PayPal has patched a vulnerability that could have potentially allowed for an attacker to steal payments. From the post:

PayPal’s Secure Payments page produces a form on which a user normally enters details needed to complete a payment transaction, such as credit card long number, expiry date and short number (CVV2).

In other words, if crooks could subvert that form, they’d have a potential gold mine for cybercrime.

This article provides a great overview of using encryption to protect the data on your mobile phone and laptop. From the article:

The worst thing about having a phone or laptop stolen isn’t necessarily the loss of the physical object itself, though there’s no question that that part sucks. It’s the amount of damage control you have to do afterward. Calling your phone company to get SIMs deactivated, changing all of your account passwords, and maybe even canceling credit cards are all good ideas, and they’re just the tip of the iceberg.

Disclaimer: The above link is posted as a resource for users to protect their home computers. Please obtain proper permission before installing any tools on University resources.

Posted in Security News | Leave a comment

Security News for Tuesday, August 18 2015

According to this article, the internal Revenue Service has announced that a data breach they announced in May of this year was much worse than originally thought. From the article:

It noted in an official press release that more than twice as many US taxpayers have been affected, with cybercriminals gaining access to up to 330,000 accounts.

The attackers also attempted – but failed – to gain access into a further 280,000 accounts through a flaw on the IRS’ Get Transcript online service, which has since been temporarily shut down.

This article is reporting on flaws affecting over 100 cars that were kept secret by Volkswagen for 2 years. From the article:

Volkswagen used its lawyers to keep the research under wraps but now a legal settlement has allowed the documents to go public.

The researchers say the flaw lies in the widely-used Megamos Crypto transponder, which is responsible for the encryption between the car and remote.

Posted in Security News | Leave a comment

Security News for Tuesday, August 11 2015

This article is reporting on recently released research regarding a $30 device that can be used to unlock nearly any car with a keyless entry feature. From the article:

As TechInsider reports, Kamkar’s latest toy takes advantage of a rather old vulnerability in car keyless entry systems. Most remotes use rolling codes to communicate with the car—meaning that the remote sends a different coded signal every time you push the button. This is meant to prevent bad guys from copying the remote’s code to create a dummy remote. Most remote garage door openers operate on the same principle.

According to this article, a security researcher has been urging Facebook to correct a security flaw that he accidentally discovered several months ago. From the article:

Reza Moaiandin, technical director and co-founder of UK-based SEO company SALT.agency, recently said that this flaw could leave the social network at risk of being compromised.

Writing for the company’s official blog earlier this month, Mr Moaiandin explained that as a consequence of this defect, hackers could “decrypt and sniff out Facebook user IDs using one of Facebook’s APIs in bulk”.

Posted in Security News | Leave a comment

Security News for Tuesday, July 28 2015

This article is reporting om a new texting flaw that could allow hackers to take over an Android smart phone. From the article:

According to the Verge, the vulnerability called ‘Stagefright’ affects roughly 950 million Android devices worldwide, according to researcher estimates. But the most vulnerable devices are those running pre-Jelly Bean versions of Android.

Google has released a patch for the vulnerability to manufacturers, but most have not yet pressed that update to customers.

According to this article, a flaw has been discovered in Apple’s App Store and iTunes invoicing system which could allow a malicious user to hijack sessions and manipulate invoices. From the article:

Revealed this week by security researcher Benjamin Kunz Mejri from Vulnerability Lab, the persistent injection flaw, deemed critical, is an application-side input validation web vulnerability. In an advisory, the researcher said the vulnerability allows remote attackers to inject malicious script codes into flawed content function and service modules.

In this article, the loosely-knit hacking collective known as Anonymous are making claims that they have hacked the US Census Bureau. From the article:

Anonymous hacked into the United States Census Bureau and stole employee information as a form of protest against the Transatlantic Trade and Investment Partnership and the Trans-Pacific Partnership. It is not completely known why Anonymous is against the trade agreements.

Posted in Security News | Leave a comment

Security News for Tuesday, July 14 2015

This post is reporting that United Airlines has payed a security researcher 1 million frequent flyer miles in return for vulnerabilities he discovered on their websites. From the article:

A vulnerability researcher from Florida, Wiens was the first recipient of United’s highest-level reward in its bug bounty program, reserved for remote code execution (RCE) vulnerabilities in its web properties.

United announced the bounty program in May 2015, which it said is the first such program in the airline industry.

President Obama’s chief information security officer has warned of more hacker attacks against the US government according to this brief article. From the article:

Scott launched a 30-day government-wide blitz on cybersecurity in the wake of a massive system breach in which hackers stole the private information, including Social Security numbers, of 21.5 million Americans.

“We said, ‘Run hard for the next 30 days and get big progress on these things. No excuses, just get it done,’” Scott told Reuters.

Posted in Security News | Leave a comment

Security News for Tuesday, July 7 2015

This article is reporting that a new law went into effect July 1, 2015 that requires mobile phone manufacturers to incorporate theft deterrent technology into all phones sold in California. From the article:

The California law is significant because smartphone anti-theft features must be turned on by default – Minnesota passed the first kill switch law last year but didn’t make the default setting a requirement.

The California law, Senate Bill 962, requires new phones sold in the state to have the anti-theft setting enabled during the initial setup of a new smartphone.

Buyers can opt out of the technology during setup.

According to this article, a controversial cyber espionage company has been hacked and hundreds of gigabytes of their data has been released on the Internet. The company, ironically named Hacking Team, has yet to divulge if the data that was dumped is legitimate. From the article:

Without a doubt, a hack of this kind would be terribly problematic for a company that secretly sells spyware to governments — including, if the documents prove authentic, repressive ones — around the world.

Posted in Security News | Leave a comment

Security News for Wednesday, July 1 2015

Scammers have found a new way to use the tech support ruse to trick victims into clicking on malicious links. They are now using Javascript to generate browser popups that include the ISP of the victim which can make the seem extremely convincing:

This article is reporting on a newly discovered flaw affecting Adobe Flash that is already being exploited to deliver ransomware. Ransomware is a type of malware that encrypts all of your personal files with strong encryption and forces you to pay for the decryption key. From the article:

The bug that was fixed is designated CVE-2015-3133, and it is a remote code execution (RCE) bug that Adobe admitted was “being actively exploited in the wild via limited, targeted attacks.”

However, Adobe went on to temper that statement by adding, “Systems running Internet Explorer for Windows 7 and below, as well as Firefox on Windows XP, are known targets.”

 

Posted in Security News | Leave a comment

Security News for Wednesday, June 17 2015

This article discusses Duqu 2.0, what it labels as “the most sophisticated malware ever seen”.  Duqu 2.0 exploits a number of zero-day vulnerabilities on target systems. From the article:

“Duqu 2.0, the cyberespionage tool that was used to compromise security firm Kaspersky Lab, has also been used in a number of other attack campaigns against a range of targets, including several telecoms firms.

This article examines various email-based attacks such as spear-phishing. Because pretty much everyone uses email, it is still a very popular attack vector so this article is worth taking a look at. from the article:

Here we have collected several real world examples of how all types of attacks utilize emails. Spreading ransomware and bankers, phishing, targeted campaigns and large ones – all rely on emails and social engineering to get the job done.

According to this article, various Samsung smartphones include a keyboard app that could leave you open to attack. The app in question (SamsungIME) includes an auto-update feature that performs updates without performing any verification. From the article:

This is a similar bug to the hole we recently wrote about in Hospira drug pumps, where a researcher found he could upload a firmware update without worrying about verification.

That sort of vulnerability makes it much easier than it ought to be for a crook to feed fake code or data into your device, and ultimately to reprogram it almost arbitrarily.

Posted in Security News | Leave a comment

Security News for Monday, June 8 2015

This article discusses how a security researcher was able to modify a discontinued children’s toy to open a garage door in less than 10 seconds. From the article:

The exploit only works against garage doors that respond to a “fixed code” that is transmitted by a wireless remote rather than newer, more secure alternative doors which use a “rolling code” that changes with each button press

This article is reporting that California has passed a law requiring warrants to search computers and mobile devices. From the article:

As the LA Times reports, California on Wednesday joined the ranks of states that require police to have a warrant if they want to search computers, mobile phones, tablets and other devices, or if they want to siphon off location data from any of those devices.

According to this article, and based on recently released research, a new zero-day vulnerability affecting Mac OS X could allow attackers to not only modify the system BIOS, but to also install a rootkit and potentially take full control of a vulnerable system. From the article:

The critical vulnerability, discovered by well-known OS X security researcher Pedro Vilaca, affects Mac computers shipped before mid-2014 that are allowed to go into sleep mode.

Posted in Security News | Leave a comment