Lucian Constantin

Author Archives: Lucian Constantin

Large-scale Google malvertising campaign hits users with exploits

A large number of ads distributed by a Google advertising partner redirected users to Web-based exploits that attempted to install malware on users’ computers. Security researchers from Dutch security firm Fox-IT observed the malvertising campaign Tuesday, when ads coming through a Google partner in Bulgaria called Engage Lab started redirecting users to the Nuclear Exploit Kit. Exploit kits are Web-based attack platforms that try to exploit vulnerabilities in browsers and browser plug-ins in order to infect users’ computers with malware. The Nuclear Exploit Kit specifically targets vulnerabilities in Adobe Flash Player, Oracle Java and Microsoft Silverlight.

Researchers show that IoT devices are not designed with security in mind

In the latest blow to Internet of Things (IoT) security, an analysis of smart home devices has found flaws that could give attackers access to sensitive data or allow them to control door locks and sensors. The research was performed by a team from application security firm Veracode for six up-to-date devices acquired in December and found serious issues in five of them. The tested devices were the Chamberlain MyQ Garage, the Chamberlain MyQ Internet Gateway, the SmartThings Hub, the Ubi from Unified Computer Intelligence Corporation, the Wink Hub and the Wink Relay. All of these devices enable remote control and monitoring over the Internet of various home automation devices and sensors, including door locks, interior switches and power outlets. Most of them connect to cloud-based services and users can interact with them through Web portals or smartphone applications.

Vulnerable Dell support tool now detected as risky software

Security vendor Malwarebytes has flagged the Dell System Detect tool as a potentially unwanted application after older versions of the program were found to put computers at risk. Last month a security researcher named Tom Forbes warned that attackers can exploit a weakness in older versions of Dell System Detect to remotely install malware on computers when users visit specially crafted websites. The program allows Dell’s support website to automatically detect the service tags of users’ PCs, so it can offer the corresponding drivers. The tool is offered for download when users click the “Detect Product” button on the website for the first time and continues to run in the background after installation.

Under one percent of Android devices affected by potentially harmful applications

Based on data collected by Google, less than one percent of Android devices had a potentially harmful application installed last year. This includes devices on which users have installed applications from outside the official Google Play store. The data was collected through a feature called Verify Apps that was first introduced in Android 4.2 back in 2012. The feature, which was also backported to Android 2.3 and higher in 2013, checks locally installed applications for potentially harmful behavior regardless of whether they were downloaded from Google Play or other sources. Verify Apps initially scanned applications only at installation time, but since March 2014 it also performs background scans, so it can later detect malicious applications that weren’t flagged when they were initially installed.

Like Google, Mozilla set to punish Chinese agency for certificate debacle

The Mozilla Foundation plans to reject new digital certificates issued by the China Internet Network Information Center (CNNIC) in its products, but will continue to trust certificates that already exist. The move will follow a similar decision announced Wednesday by Google and is the result of CNNIC, a certificate authority (CA) trusted in most browsers and operating systems, issuing an unrestricted intermediary certificate to an Egyptian company called MCS Holdings.

Over 100,000 devices can be used to amplify DDoS attacks via multicast DNS

Over 100,000 devices have a misconfigured service called multicast DNS that accepts requests from the Internet and can potentially be abused to amplify distributed denial-of-service (DDoS) attacks. The multicast Domain Name System (mDNS) is a protocol that allows devices on a local network to discover each other and their services. It is used both by PCs and embedded devices like network attached storage (NAS) systems, printers and others. The mDNS protocol allows queries to be sent to a specific machine using its unicast address. However, the official specification recommends that when receiving such queries, the mDNS service should check before responding that the address that made the request is located in the same local subnet. If it’s not, the request should be ignored.

Google cracks down on ad-injecting Chrome extensions

Google has identified and disabled 192 Chrome browser extensions that injected rogue ads into Web pages opened by users without being upfront about it. The company will scan for similar policy violations in future. The action followed a study that the company conducted together with researchers from University of California Berkeley and which found that more than five percent of Web users who accessed Google websites had an “ad injector” installed. The deceptive Chrome extensions were detected as part of that study, but the researchers also found ad injectors affecting browsers such as Internet Explorer and Mozilla Firefox, on both Windows and Mac OS X.

New malware program used in attacks against energy sector companies

A new malware program is being used to do reconnaissance for targeted attacks against companies in the energy sector. The program, dubbed Trojan.Laziok by researchers from antivirus vendor Symantec, was used in spear-phishing attacks earlier this year against companies from the petroleum, gas and helium industries. The attacks targeted companies from many countries in the Middle East, but also from the U.S., India, the U.K., and others, according to malware researchers from Symantec. The Trojan is spread via emails with malicious documents that exploit a Microsoft Office vulnerability for which a patch has existed since April 2012.

Lebanese cyberespionage campaign hits defense, telecom, media firms worldwide

For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries. The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company’s researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs. Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold into their victims’ networks. Instead they target Web servers and use them as initial entry points.

British Airways notifies frequent flyers of possible breach of their accounts

Over the last few days, a large number of British Airways customers have found that reward points they accumulated for flights, called Avios, have disappeared from their accounts. Others have been locked out of their accounts completely. Affected users have gathered on the flyertalk.com forum to share their experiences after calling the company’s call center, which according to reports, has been giving out “contradictory” information at times. It seems that the incident is the result of hackers gaining access to a large number of accounts.

New mobile-malware detection technique uses gestures

Mobile malware is a growing problem, but researchers from University of Alabama at Birmingham have figured out a new way of detecting when shady mobile apps get up to no good, such as trying to call premium-rate numbers unbeknownst to a phone’s owner. The technique relies on using the phone’s motion, position and ambient sensors to learn the gestures that users typically make when they initiate phone calls, take pictures or use the phone’s NFC reader to scan credit cards. Some mobile malware programs already abuse these services and security researchers expect their number will only increase. The technology developed by the UAB researchers can monitor those three services and can check whether attempts to access them are accompanied by the natural gestures users are expected to make. If they’re not, they were likely initiated by malware.

Cisco patches autonomic networking flaws in IOS routers and switches

Cisco Systems released firmware updates for several routers and switches that run its IOS and IOS XE software in order to fix flaws in their autonomic networking infrastructure (ANI) feature. ANI is an automatic device management feature that allows Cisco IOS devices to securely join a domain and be configured without prestaging—setting up the necessary accounts in advance. Cisco’s new patches, released Wednesday, address three vulnerabilities in the way Cisco IOS and IOS XE devices handle autonomic networking (AN) messages. One vulnerability could allow a remote unauthenticated attacker to force a vulnerable device to join a rogue autonomic domain by sending it specially crafted AN messages. This would give the attacker limited control over the device and would prevent it from joining the legitimate domain, Cisco said in a security advisory.

Microsoft blacklists latest rogue SSL certificates, Mozilla mulls sanctions for issuer

Microsoft has blacklisted a subordinate CA certificate that was wrongfully used to issue SSL certificates for several Google websites. The action will prevent those certificates from being used in Google website spoofing attacks against Internet Explorer users. Microsoft’s move, taken on Tuesday, came after Google reported that the China Internet Network Information Center (CNNIC), a certificate authority (CA) trusted by most browsers and operating systems, issued an intermediate certificate to an Egyptian company called MCS Holdings. The company then used it to generate SSL certificates for Google-owned websites without authorization.

Dell support tool put PCs at risk of malware infection

Attackers could have remotely installed malware on systems running a flawed Dell support tool used to detect customers’ products. A security researcher discovered the flaw in November and reported it to the PC manufacturer, which patched it in January. However, it’s not clear if the fix closed all avenues for abuse. The application, called Dell System Detect, is offered for download when users click the “Detect Product” button on Dell’s support site for the first time. It is meant to help the website automatically detect the user’s product—more specifically its Service Tag—so that it can offer the corresponding drivers and resources. Last year, a security researcher named Tom Forbes reverse engineered the program to see how it communicated with the Dell website. He found that the application installs a Web server on the local machine that listens on port 8884. The Dell site then uses JavaScript to send requests to the local server through the user’s browser.

Flash-based vulnerability lingers on many websites three years later

Flash files that are vulnerable to a serious flaw patched by Adobe Systems over three years ago still exist on many websites, exposing users to potential attacks. The vulnerability, known as CVE-2011-2461, was found in the Adobe Flex Software Development Kit (SDK) and was fixed by Adobe in November 2011. The development tool, which has since been donated to the Apache Software Foundation, allows users to build cross-platform rich Internet applications in Flash. The vulnerability was unusual because fixing it didn’t just require Flex SDK to be updated, but also patching all the individual Flash applications (SWF files) that had been created with vulnerable versions of the SDK.

New malware program PoSeidon targets point-of-sale systems

Retailers beware: A new Trojan program targets point-of-sale (PoS) terminals, stealing payment card data that can then be abused by cybercriminals. The new malware program has been dubbed PoSeidon by researchers from Cisco’s Security Solutions (CSS) team and, like most point-of-sale Trojans, it scans the RAM of infected terminals for unencrypted strings that match credit card information—a technique known as memory scraping. This sensitive information is available in plain text in the memory of a PoS system while it’s being processed by the specialized merchant software running on the terminal. Security experts have long called for the use of end-to-end encryption technology to protect payment card data from the card reader all the way to the payment service provider, but the number of systems with this capability remains low.

Cisco small business phones open to remote eavesdropping, calling

You don’t need to be the NSA to tap calls on Cisco’s SPA 300 and 500 IP phones: An authentication flaw allows potential attackers to do that by default. An unpatched vulnerability in the firmware of the SPA 300 and 500 series IP phones, typically used by small businesses, could allow eavesdropping on calls. “The vulnerability is due to improper authentication settings in the default configuration,” Cisco Systems said in a security advisory. Unauthenticated remote attackers could send crafted XML requests to affected devices in order to exploit the flaw and remotely listen to audio streams or make phone calls through them, the company warned.

New attacks suggest leeway for patching Flash Player is shrinking

Cybercriminals are exploiting newly patched vulnerabilities faster, a sign that users and companies need to improve their software updating habits. Researchers from both Malwarebytes and FireEye reported Thursday that drive-by download attacks using the Nuclear Exploit Kit target a vulnerability that was patched last week in Flash Player. The flaw, which is tracked as CVE-2015-0336, was fixed by Adobe on March 12. It affects all Flash Player versions older than 17.0.0.134 on Windows and Mac, 11.2.202.451 on Linux and 13.0.0.277 ESR (extended support release).

All major browsers hacked at Pwn2Own contest

Security researchers who participated in the Pwn2Own hacking contest this week demonstrated remote code execution exploits against the top four browsers, and also hacked the widely used Adobe Reader and Flash Player plug-ins. On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X. He walked away with US$225,000 in prize money, not including the value of the brand new laptops on which the exploits are demonstrated and which the winners get to take home. The Pwn2Own contest takes place every year at the CanSecWest security conference in Vancouver, Canada, and is sponsored by Hewlett-Packard’s Zero Day Initiative program. The contest pits researchers against the latest 64-bit versions of the top four browsers in order to demonstrate Web-based attacks that can execute rogue code on underlying systems.

At least 700,000 routers given to customers by ISPs are vulnerable to hacking

More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them. Most of the routers have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn’t new and has been reported by multiple researchers since 2011 in various router models. Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.