An open-source tool for importing content into the Magento e-commerce platform, called Magmi, has a zero-day vulnerability, according to security vendor Trustwave.
The directory traversal flaw is in some versions of Magmi, which is used to move large amounts of data into Magento's SQL database. Such a flaw can allow access to other files or directories in a file system.
"Successful exploitation results in access to Magento site credentials and the encryption key for the database," wrote Assi Barak, lead security researcher with Trustwave's SpiderLabs.
A cybercriminal network that caused at least US$10 million in losses has been disrupted by U.S. and U.K. law enforcement, with the U.S. seeking a Moldovan man's extradition, the Department of Justice said Tuesday. Andrey Ghinkul, 30, is accused of being the administrator of the Dridex botnet, also known as Cridex and Bugat. A nine-count indictment was unsealed on Tuesday in the U.S. District Court for the Western District of Pennsylvania, DOJ said. Ghinkul was arrested on Aug. 28 in Cyprus. Dridex has been a real headache for a number of years. It collects online banking credentials from infected computers, which prosecutors said were then used to initiate large wire transfers.
The Web is full of deception, and it's sometimes still hard for people to figure out if the website they're viewing really is what it says it is. This type of cyberattack, known as phishing, is designed to elicit sensitive details from victims by creating websites that look nearly identical to services like PayPal or Bank of America. Despite improvements in quickly detecting and taking such sites offline, it's still a huge problem. A U.K.-based network monitoring company, Netcraft, says fraudsters are exploiting weaknesses in technology companies in order to make more convincing-looking phishing sites. Many websites use SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates to verify their domain name and encrypt communications with users.
Hackers are like any other coders: they want to build better software, even if it's a program that merely aims to extract a ransom from a hapless Android user. Symantec said it has seen a new version of the Porn Droid ransomware that uses Google's custom-built design language, Material Design, to create more intimidating warnings. Discovered last year, Porn Droid purports to be an adult content viewer. If installed, it locks a device and warns that users have viewed illicit pornography and demands a ransom. The app has been seen on third-party Android application marketplaces or forums for pirated software.
Apple's removal of several apps from its mobile store on Thursday shows the challenges iOS developers can face when app guidelines shift. Among the apps removed was Choice, developed by the Palo Alto-based company Been. The app interrupted encrypted traffic streams sent to a handful of companies, including Facebook, Google, Yahoo and Pinterest, in order to block in-app ads. Apple said the apps, which it did not name, used root digital certificates that could expose data to untrusted sources.
Apple on Thursday removed several apps from its store that it said could pose a security risk by exposing a person's Web traffic to untrusted sources. The company recommended deleting the apps but did not name them, which may make it hard for people to know which apps put their data at risk. The apps in question installed their own digital certificates on a person's Apple mobile device. It would enable the apps to terminate an encrypted connection between a device and a service and view the traffic, which is a potential security risk. Most websites and many apps use SSL/TLS (Secure Socket Layer/Transport Layer Security), a protocol that encrypts data traffic exchanged with a user. SSL/TLS is a cornerstone of Web security, ensuring data traffic that is intercepted is unreadable.
Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities. The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack. The models of affected routers, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, a security researcher who found the issues and listed the models on his blog.
A journalist accused of helping a rogue hacking group briefly take control of the LA Times' website was convicted by a federal jury in California on Wednesday. Matthew Keys, 28, of Vacaville, California, was convicted of conspiracy to make unauthorized changes to a computer, transmitting malicious code and attempted transmission of malicious code, according to the Department of Justice. One of Keys' attorneys, Jay Leiderman, wrote on Twitter that "we'll proceed forward to sentencing and look forward to appealing this verdict."
Android users in more than 20 countries have been infected with a particularly aggressive malware program that bombards devices with unwanted advertisements. Researchers from FireEye found that the malicious component, nicknamed Kemoge, has been seeded inside what appear to be legitimate apps offered on third-party application stores. "This is another malicious adware family, possibly written by Chinese developers or controlled by Chinese hackers, spreading on a global scale that represents a significant threat," wrote Yulong Zhang, a staff research scientist with FireEye.
An upcoming talk covering security problems in Internet-connected cameras has been canceled after opposition from some manufacturers. Gianni Gnesa was scheduled to give a presentation titled "Abusing Network Surveillance Cameras" on Oct. 14 at the Hack in the Box GSEC conference in Singapore. Internet-connected video cameras, or IP cameras, are widely used for security systems, offering the advantage that footage can be streamed anywhere remotely. But anything connected to the Internet poses risks if not properly secured.
IP cameras, like this one made by Shenzhen Shixin Digital, are widely used in the security industry.
Google has issued patches for two new Stagefright-related vulnerabilities, one of which affects Android versions going back to 2008 and puts millions of users at risk. The flaws were found by security company Zimperium, which also unearthed the original Stagefright flaws in April. In an advisory Monday, Google said it didn't appear that attackers have started exploiting the vulnerabilities yet. The latest flaws are only slightly less dangerous than their predecessors, which allowed a device to be compromised merely by sending a specially crafted multimedia message (MMS). An attacker needed only to know the victim's phone number.
A project that aims to increase the use of encryption by giving away free SSL/TLS certificates has issued its first one, marking the start of its beta program.
The project, called Let's Encrypt, is run by the Internet Security Research Group (ISRG) and backed by Mozilla, the Electronic Frontier Foundation (EFF), Cisco and Akamai, among others.
Let's Encrypt plans to distribute free SSL/TLS (Secure Socket Layer/Transport Layer Security) certificates, which encrypt data passed between a website and users. The use of SSL/TLS is signified in most browsers by "https" and a padlock appearing in the URL bar.
Cybercriminals often leave a lot of digital crumbs, and when organizations get attacked, finding those clues can help reveal who is attacking and why. For 15 years, a small company called DomainTools, based in Seattle, has collected vast amounts of information about the Web: historical domain name registrations and network information, all of which are extremely valuable in investigating cyberattacks. Using its tools makes it possible, for example, to see what other websites are using a particular IP address, what email address was used to register them, DNS servers and other information. But DomainTools' Web-based interface wasn't designed in a way that reflected the workflows that investigators follow when probing cyberattacks and the speed at which they need to collate large amounts of information.
A spat between two security companies shows just how sensitive reporting software vulnerabilities can be, particularly when it involves a popular product. The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye's Malware Protection System (MPS) earlier this year. One of the flaws, found by researcher Felix Wilhelm, could be exploited to gain access to the host system, according to an advisory published by ERNW.
Researchers at security company ESET have found a type of malware that changes an Android device's PIN, the first of its kind in an ever-evolving landscape of ransomware attacks.
For most users, the only option to get rid of the malware is to reset the phone to its factory settings, which unfortunately also deletes all the data on the device.
The malware calls itself "Porn Droid" and bills itself as a viewer for adult content. It has only been seen on third-party Android application marketplaces or forums for pirated software, wrote Lukas Stefanko, an ESET malware analyst.
But after it's installed, users see a warning supposedly from the FBI that they've allegedly viewed "prohibited pornography." It asks for a US$500 fine to be paid within three days.
North Korea is likely behind cyberattacks that have focused on exploiting a word processing program widely used in South Korea, security firm FireEye said Thursday in a report. The proprietary program, called Hangul Word Processor, is used primarily in the south by the government and public institutions. The vulnerability, CVE-2015-6585, was patched three days ago by its developer Hancom. FireEye's conclusion is interesting because only a handful of attacks have been publicly attributed to the secretive nation, which is known to have well-developed cyber capabilities.
There hasn't been a lack of strange things turning up in the Ashley Madison data leak. One of the latest discoveries comes from Trend Micro, which found bogus Ashley Madison profiles that used email addresses the company created solely for collecting spam samples. The email addresses are known as "honeypots," a general term for systems set up by researchers in the hope that they will be attacked. Studying the attacks can shed light on new methods used by malicious hackers. One of Trend's addresses was used for a profile describing a 33-year-old Los Angeles woman who is "sexy, aggressive" and "knows what she wants," wrote Ryan Flores, a threat research manager with Trend, in a blog post.
WhatsApp, the widely used messaging program, has fixed a dangerous flaw in its Web app that could be used to trick people into installing malware, according to Check Point. The flaw could affect as many as 200 million people who use WhatsApp's web interface, wrote Oded Vanunu, Check Point's group manager for security research and penetration. "All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code," he wrote.
Fiat Chrysler said Friday it is voluntarily recalling 7,810 SUVs due to a software glitch that could make the vehicles vulnerable to remote control. Half of the vehicles, which are 2015 Jeep Renegade SUVs equipped with 6.5-inch touchscreens, are still at dealerships, the carmaker said in a statement. The company downplayed the risk to drivers, saying it was unaware of injuries related to the problem and had received no complaints. It further said "the software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code."
A new study from Microsoft researchers warns that many types of databases used for electronic medical records are vulnerable to leaking information despite the use of encryption. The paper, due to be presented at the ACM Conference on Computer and Communications Security next month, shows how sensitive medical information on patients could be pilfered using four different attacks. Researchers discovered the sex, race, age and admission information, among other data, using real patient records from 200 U.S. hospitals. In the light of increasing cyberattacks against the health care industry, the researchers recommended that the systems they studied "should not be used in the context of" electronic medical records.