A team of researchers has developed a system that makes it much harder for hackers to obtain usable passwords from a leaked database, which could help blunt the damage from a data breach.The system is described in a research paper that has been submitted for consideration at the 2015 Annual Computer Security Applications Conference, which takes place in Los Angeles in December.Called ErsatzPasswords, the system is aimed at throwing off hackers who use methods to “crack” passwords, said Mohammed H. Almeshekah, a doctoral student at Purdue University in Indiana.To read this article in full or to leave a comment, please click here
The FBI contends a cybersecurity researcher said he caused an airplane’s engine to climb after hacking its software, according to a court document.The researcher, Chris Roberts, was questioned by the FBI on April 15 after he wrote a tweet that suggested he was probing aircraft systems on a United Airlines flight he took earlier that day.The FBI interviewed him after he flew into Syracuse, New York, and seized his electronics. Two days later, the agency then filed an application for a search warrant to examine Roberts’ gear, which has been published in federal court records.To read this article in full or to leave a comment, please click here
United Airlines is offering rewards to researchers for finding flaws in its websites but the company is excluding bugs related to in-flight systems, which the U.S. government says may be increasingly targeted by hackers.The bug bounty program rewards people with miles that can be used for the company’s Mileage Plus loyalty program as opposed to cash, which web giants such as Google, Facebook and Yahoo pay.Many companies have launched reward programs to attract independent researchers to investigate their software code and confidentially report flaws before hackers discover them.To read this article in full or to leave a comment, please click here
Microsoft has taken steps to stop a China-based hacking group from using its TechNet website as part of its attack infrastructure, according to security vendor FireEye.The group, which FireEye calls APT (advanced persistent threat) 17, is well-known for attacks against defense contractors, law firms, U.S. government agencies and technology and mining companies.TechNet is highly trafficked website that has technical documentation for Microsoft products. It also has a large forum, where users can leave comments and ask questions.APT17—nicknamed DeputyDog—created accounts on TechNet and then left comments on certain pages. Those comments contained the name of an encoded domain, which computers infected by the group’s malware were instructed to contact.To read this article in full or to leave a comment, please click here
Google will require most extensions for its Chrome browser to be installed from its Web Store, a move intended to stop users from inadvertently installing malicious ones.Google has gradually been changing its policy around extensions to prevent abuse. Last year, it mandated that all Chrome extensions for Windows be hosted in its store, wrote Jake Leichtling, an extensions platform product manager.The change caused a 75 percent drop in requests from customers asking how to uninstall unwanted extensions, he wrote. It did not apply to the Windows developer channel, but hackers are now using that in order to install extensions, he wrote. Starting Wednesday, all extensions for Windows will have to be hosted in the store, and the same will apply to OS X in July.To read this article in full or to leave a comment, please click here
Starbucks is still grappling with fraud involving its customers’ online accounts and gift cards, with some victims seeing hundreds of dollars stolen.Gift-card related fraud with Starbucks cards is not new, but recent victims were highlighted earlier this week in an article by journalist and author Bob Sullivan.Starbucks officials could not be immediately reached for comment, although Sullivan wrote the company told him that customers would not be liable for charges and transfers they didn’t make.To read this article in full or to leave a comment, please click here
A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected.The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data.To read this article in full or to leave a comment, please click here
An Israeli company has developed a product it says can detect if a mobile device connects to a fake cellular base station or Wi-Fi access point, potentially protecting critical data from falling into the hands of hackers.Two large European carriers are testing the product, which is expected to come to market in early 2016, said Dror Liwer, chief security officer and co-founder of CoroNet, based in Be’er Sheva, Israel.CoroNet’s software addresses one type of attack that was long thought to be too expensive to conduct. It involves creating a fake base station that has a stronger signal than a real one. Mobile devices are designed to connect to the station with the strongest signal.To read this article in full or to leave a comment, please click here
Password managers are a great way to supply random, unique passwords to a high number of websites. But most still have an Achilles’ heel: Usually, a single master password unlocks the entire vault.But a group of researchers has developed a type of password manager that creates decoy password vaults if a wrong master password is supplied.A paper on the experimental software, called NoCrack, will be presented on May 19 at the IEEE Symposium on Security and Privacy in San Jose, California.NoCrack is intended to make it much more time-consuming and difficult for attackers to figure out if they’ve hit pay dirt.To read this article in full or to leave a comment, please click here
Password managers are a great way to supply random, unique passwords to a high number of websites. But most still have an Achilles’ heel: Usually, a single master password unlocks the entire vault.But a group of researchers has developed a type of password manager that creates decoy password vaults if a wrong master password is supplied.A paper on the experimental software, called NoCrack, will be presented on May 19 at the IEEE Symposium on Security and Privacy in San Jose, California.+ MORE: Beware ticking IoT security time bomb +To read this article in full or to leave a comment, please click here
As interest grows in applications deployed in containers, questions about their security are developing as well.The open-source platform built by Docker has seen quick uptake by developers. Applications are deployed in so-called containers, which can be easily updated and moved to other machines due to their small footprint.Many application containers can run on a single physical system and share an operating system’s kernel. That commingling of demands on the operating system can, however, have serious consequences for security.Jay Lyman, research manager with the analyst 451 Group, said the security and management tools for virtual machines are highly evolved, but container technology is relatively immature.To read this article in full or to leave a comment, please click here
A suspected malicious advertising attack turned out to be a much deeper compromise of an online advertising company, according to Trend Micro.The security company found that advertisements served by Mad Ads Media, based in Mount Laurel, New Jersey, redirected to websites hosting an exploit kit, which probed users’ computers for software flaws in order to deliver malware. The number of people affected peaked at 12,500 on May 2, Trend said.At first, the incident appeared to be another example of malvertising, wrote Joseph Chen, a fraud researcher with Trend. Advertising networks have occasionally seen malicious ads uploaded to their networks that redirect people to other malicious websites.To read this article in full or to leave a comment, please click here
A vulnerability within two widely used WordPress plugins is already being exploited by hackers, putting millions of WordPress sites at risk, according to a computer security firm.The plugins are JetPack, a customization and performance tool, and Twenty Fifteen, used for infinite scrolling, wrote David Dede, a malware researcher with Sucuri. WordPress installs Twenty Fifteen by default, which increases the number of vulnerable sites.Both plugins use a package called genericons, which contains vector icons embedded in a font. In the package, there is an insecure file called “example.html” which makes the package vulnerable, Dede wrote.To read this article in full or to leave a comment, please click here
The maker of a widely used electronic lock has taken issue with a security company’s criticism of one of its flagship products.IOActive, a Seattle-based security consultancy, published an advisory alleging several security flaws in electronic locks made by CyberLock, of Corvallis, Oregon.CyberLock, which received advance notice of the problems from IOActive, contends it wasn’t given enough time or information prior to IOActive’s warning. Mike Davis, the IOActive researcher who found the problems, published two letters said to have been sent by CyberLock’s lawyers to IOActive.To read this article in full or to leave a comment, please click here
MacKeeper, a utility and security program for Apple computers, celebrated its fifth birthday in April. But its gift to U.S. consumers who bought the application may be a slice of a $2 million class-action settlement.Released in 2010, MacKeeper has been dogged by accusations that it exaggerates security threats in order to convince customers to buy. Its aggressive marketing has splashed MacKeeper pop-up ads all over the web.The program was originally created by a company called ZeoBIT in Kiev, Ukraine. The country—full of young, smart programmers—has long been a hub for lower-cost software development and outsourcing.To read this article in full or to leave a comment, please click here
Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents.Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones.Netflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system, the company wrote in a blog post Monday.It was a largely manual and labor intensive process. “As attacks increase in number and diversity, there is an increasing array of detection systems deployed and generating even more alerts for security teams to investigate,” it said.To read this article in full or to leave a comment, please click here
Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents.Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones.MORE: New Cisco CEO: Meet the Real Chuck RobbinsNetflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system, the company wrote in a blog post Monday.To read this article in full or to leave a comment, please click here
Sally Beauty Holdings said it is investigating another possible payment card breach, about a year after it reported a similar cyberattack.The retail chain, which runs nearly 2,800 stores in the U.S., said it has received reports of ”unusual activity” involving payment cards used at some of its stores during the last week of April. Law enforcement has been contacted, the company said Monday.It did not say if the second incident is related to last year’s attack. “Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident,” it said.To read this article in full or to leave a comment, please click here
A new type of malware resorts to crippling a computer if it is detected during security checks, a particularly catastrophic blow to its victims.The malware, nicknamed Rombertik by Cisco Systems, is designed to intercept any plain text entered into a browser window. It is being spread through spam and phishing messages, according to Cisco’s Talos Group blog on Monday.Rombertik goes through several checks once it is up and running on a Windows computer to see if it has been detected.That behavior is not unusual for some types of malware, but Rombertik “is unique in that it actively attempts to destroy the computer if it detects certain attributes associated with malware analysis,” wrote Ben Baker and Alex Chiu of the Talos Group.To read this article in full or to leave a comment, please click here
A botnet designed for Web advertising fraud was also used to nudge up the number of views of some pro-Russian videos on the website DailyMotion, according to security vendor Trustwave.An investigation into what appeared to be strictly ad fraud turned out to have a surprising political angle, wrote Rami Kogan of Trustwave’s SpiderLabs, in a blog post on Thursday.“We can’t know for sure who’s behind the fraudulent promotion of video clips, but it appears to be politically motivated,” he wrote.To read this article in full or to leave a comment, please click here
Jeremy Kirk