Author Archives: Lucian Constantin

Credentials stored in Ashley Madison’s source code might have helped attackers

If you're a company that makes its own websites and applications, make sure your developers don't do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories. Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com's owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company's IT infrastructure. The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company's now-former CEO and the source code for the company's other online dating websites, including CougarLife.com and EstablishedMen.com.

Kaspersky Lab pushes emergency patch for critical vulnerability

Kaspersky Lab has released an emergency patch for some of its antivirus products after a security researcher found a critical vulnerability that could allow hackers to compromise computers. The flaw was discovered by vulnerability researcher and Google security engineer Tavis Ormandy, who mentioned it Saturday on Twitter before sending the bug's details to Kaspersky. Ormandy's Twitter message included a screenshot showing the Windows calculator (calc.exe) running under the Kaspersky antivirus process. "It works great against versions 15 and 16," he said. Versions 15 and 16 correspond to Kaspersky's 2015 and 2016 product lines. It's not clear if only Kaspersky Anti-Virus was affected or also the vendor's Internet Security and Total Security products.

LinkedIn-based intelligence gathering campaign targets the security industry

For the past several weeks an intelligence-gathering campaign has been using fake LinkedIn recruiter profiles to map out the professional networks of IT security experts, researchers from F-Secure have discovered. LinkedIn can be a great tool to establish new professional relationships and discover job opportunities. However, accepting connection requests from unknown people is a double-edged sword that can put both employees and the companies they work for at risk. There are multiple cases where attackers have used fake LinkedIn profiles to gather sensitive information about organizations and their employees. Knowing who manages a particular department in a company, or who is a member of the organization's IT staff, can be very useful in planning targeted attacks.

Shopperz adware takes local DNS hijacking to the next level

New versions of a highly persistent adware program called Shopperz use a cunning technique to make DNS (Domain Name System) hijacking harder to detect and fix. Shopperz, also known as Groover, injects ads into users' Web traffic through methods researchers consider malicious and deceptive. In addition to installing extensions in Internet Explorer and Firefox, the program creates Windows services to make it harder for users to remove those add-ons. One service is configured to run even in Safe Mode, a Windows boot option often used to clean malware. Moreover, Shopperz creates a rogue Layered Service Provider (LSP) in the Windows network stack that allows it to inject ads into Web traffic regardless of the browser used.

Despite reports of hacking, baby monitors remain woefully insecure

Disturbing reports in recent years of hackers hijacking baby monitors and screaming at children have creeped out parents, but these incidents apparently haven't spooked makers of these devices. A security analysis of nine baby monitors from different manufacturers revealed serious vulnerabilities and design flaws that could allow hackers to hijack their video feeds or take full control of the devices. The tests were performed by researchers from security firm Rapid7 during the first half of this year and the results were released Tuesday in a white paper. On a scale from A to F that rated their security functionality and implementation, eight of the devices received an F and one a D.

Employees put business data at risk by installing gambling apps on their phones

If you work for a large, global company, chances are some of your peers have installed gambling apps on the mobile devices they use for work, and that's bad news for IT security. A study has found that the average company has more than one such gambling application on some employee devices, putting corporate data stored on those devices at risk. The analysis was performed by security firm Veracode, which scanned hundreds of thousands of mobile apps installed in corporate mobile environments. The study found that some companies had as many as 35 mobile gambling apps in their network environment. The company tested some of the most popular gambling apps it detected in corporate environments for potential security risks and found critical vulnerabilities that could enable hackers to gain access to a phone's contacts, emails, call history and location data, as well as to record conversations.

Popular Belkin Wi-Fi routers plagued by unpatched security flaws

If your Wi-Fi network is using the popular Belkin N600 DB router, be warned: it may have several vulnerabilities that could allow hackers to take it over. Remote unauthenticated attackers could exploit the vulnerabilities to spoof DNS (Domain Name System) responses and direct users to rogue websites, or trick users' browsers into changing the device configuration, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University said Monday in an advisory. Furthermore, attackers with access to the local area network could bypass an affected router's authentication and take complete control over it, CERT/CC said.

Intel says GPU malware is no reason to panic, yet

Malware that runs inside GPUs (graphics processing units) can be harder to detect, but is not completely invisible to security products. Researchers from Intel division McAfee Labs teamed up with members of Intel's Visual and Parallel Computing Group to analyze a proof-of-concept GPU malware program dubbed JellyFish that was released in March. Their conclusion, which was included in McAfee's latest quarterly threat report, is that running malicious code inside GPUs still has significant drawbacks and is not nearly as stealthy as its developers suggested.

Linux Foundation’s security checklist can help sysadmins harden workstations

If you're a Linux user, especially a systems administrator, the Linux Foundation has some security tips to share with you, and they're quite good. Konstantin Ryabitsev, the Foundation's director of collaborative IT services, published the security checklist that the organization uses to harden the laptops of its remote sysadmins against attacks. The recommendations aim to balance security decisions with usability and are accompanied by explanations of why they were considered. They also have different severity levels: critical, moderate, low and paranoid.

Researchers find many more modules of Regin spying tool

Security researchers from Symantec have identified 49 more modules of the sophisticated Regin cyberespionage platform that many believe is used by the U.S. National Security Agency and its close allies. This brings the total number of modules known so far to 75, each of them responsible for implementing specific functionality and giving attackers a lot of flexibility in how they exploit individual targets. Regin came to light in November last year, but it has been in use since at least 2008 and antivirus companies have known about it since 2013.

BitTorrent patches flaw that could amplify distributed denial-of-service attacks

BitTorrent fixed a vulnerability that would have allowed attackers to hijack BitTorrent applications used by hundreds of millions of users in order to amplify distributed denial-of-service (DDoS) attacks. The vulnerability was located in libuTP, a reference implementation of the Micro Transport Protocol (uTP) that's used by many popular BitTorrent clients, including uTorrent, Vuze, Transmission and the BitTorrent mainline client. The flaw was disclosed earlier this month in a paper presented at the 9th USENIX Workshop on Offensive Technologies by four researchers from City University London, Mittelhessen University of Applied Sciences in Friedberg, Germany, and cloud networking firm PLUMgrid.

Some routers vulnerable to remote hacking due to hard-coded admin credentials

Several DSL routers from different manufacturers contain a guessable hard-coded password that allows access to the devices through a hidden administrator account. According to an alert issued Tuesday by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the affected device models are: ASUS DSL-N12E, DIGICOM DG-5524T, Observa Telecom RTA01N, Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and ZTE ZXV10 W300. All of the devices have an admin password in the form "XXXXairocon", where XXXX are the last four characters of the device's physical MAC address, CERT/CC said.

Tor security concerns prompt largest dark market to suspend operations

Agora, the Tor network's largest black marketplace, has been temporarily shut down because its administrators worry the website is vulnerable to recent methods of exposing Tor Hidden Services. Hidden services are websites that can only be accessed from within the Tor network, which is specifically designed to hide the IP address of both servers and users. The built-in anonymity safeguards have made Tor Hidden Services the preferred method for running online marketplaces that allow buying and selling illegal goods like drugs, guns, stolen credit card details and more. The largest of these so-called dark markets was Silk Road, which was eventually shut down by the FBI in 2013. Many similar websites have appeared since then and some were targeted in subsequent international law enforcement raids, but Agora survived and surpassed even Silk Road in size and popularity.

Certifi-gate flaw in Android remote support tool exploited by screen recording app

An application available in the Google Play store until yesterday for months took advantage of a flaw in the TeamViewer remote support tool for Android in order to enable screen recording on older devices. The app's developer discovered the vulnerability independently of security researchers from Check Point Software Technologies, who presented it earlier this month at the Black Hat security conference along with similar flaws in other mobile remote support tools. The Check Point researchers dubbed the issues Certifi-gate because they stem from failures to properly validate the digital certificates of remote support apps that are supposed to communicate with privileged plug-ins installed in the system.

Plenty of fish, and exploits too, on dating website

Recent visitors to Plenty of Fish (pof.com), an online dating website with over 3 million daily active users, had their browsers redirected to exploits that installed malware. The attack was launched through a malicious advertisement that was distributed through a third-party ad network, researchers from security firm Malwarebytes said in a blog post Thursday. The malicious ad pointed to the Nuclear exploit kit, a Web-based attack tool that exploits known vulnerabilities in browsers and popular browser plug-ins like Flash Player, Java, Adobe Reader and Silverlight.

Vulnerability in enterprise-managed iOS devices puts business data at risk

A vulnerability in the iOS sandbox for third-party applications, like those installed by companies on their employees' devices, can expose sensitive configuration settings and credentials. The flaw was discovered by researchers from mobile security firm Appthority and impacts apps deployed on iOS devices through mobile device management (MDM) or enterprise mobility management (EMM) products. These products allow administrators to automatically push applications, configuration settings and data access rules to enterprise mobile devices. Before a new iOS device is brought inside the network of a company that uses a mobile management system, an MDM account is created for it and a client application is installed. The MDM client is used to install corporate apps and to enforce access policies for corporate data and email.

Adobe patches important flaw in LiveCycle Data Services

Adobe Systems released a security patch for LiveCycle Data Services, a development tool used by businesses to synchronize data between back-end servers and rich Internet applications built with Adobe Flex or AIR. The hotfix is available for LiveCycle Data Services 3.0.0, 4.5.1, 4.6.2 and 4.7.0 and addresses a vulnerability that could lead to information disclosure. The flaw is tracked as CVE-2015-3269 in the Common Vulnerabilities and Exposures database and is rated important by Adobe. The issue is associated with parsing crafted XML entities and falls into a class of vulnerabilities known as XML External Entity (XXE).

Internet company Web.com hit by credit card breach

Hackers breached the computer systems of Internet services provider Web.com Group and stole credit card information of 93,000 customers. According to a website set up by the company to share information about the incident, Web.com discovered the security breach on Aug. 13 as part of its ongoing security monitoring. Attackers compromised credit card information for around 93,000 accounts, as well as the names and addresses associated with them. No other customer information, such as Social Security numbers, was affected, the company said. According to the company, the verification codes for the exposed credit cards were not leaked. However, there are websites on the Internet that don't require such codes for purchases.

Another serious vulnerability found in Android’s media processing service

The Android service that processes multimedia files has been the source of several vulnerabilities recently, including a new one that could give rogue applications access to sensitive permissions. The latest vulnerability in Android's mediaserver component was discovered by security researchers from antivirus firm Trend Micro and stems from a feature called AudioEffect. The implementation of this feature does not properly check some buffer sizes that are supplied by clients, like media player applications. Therefore it is possible to craft a rogue application without any special permissions that could exploit the flaw to trigger a heap overflow, the Trend Micro researchers said Monday in a blog post.

BitTorrent programs can be abused to amplify distributed denial-of-service attacks

BitTorrent applications used by hundreds of millions of users around the world could be tricked into participating in distributed denial-of-service (DDoS) attacks, amplifying the malicious traffic generated by attackers by up to 50 times. DDoS reflection is a technique that uses IP (Internet Protocol) address spoofing to trick a service into sending responses to a third-party computer instead of the original sender. It can be used to hide the source of malicious traffic. The technique can typically be used against services that communicate over the User Datagram Protocol (UDP), because unlike the Transmission Control Protocol (TCP), UDP does not perform handshakes and therefore does not validate the source IP address. This means an attacker can send a UDP packet with a forged header that specifies someone else's IP address as the source, causing the service to send the response to that address.
