Lucian Constantin

Author Archives: Lucian Constantin

Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

WordPress site owners who have the WP-Slimstat plug-in installed should upgrade it to the latest version immediately in order to fix a critical vulnerability, security researchers warn. WP-Slimstat, a Web analytics plug-in for WordPress, has been downloaded over 1.3 million times and is highly rated by users. The plug-in allows site owners to track returning visitors and registered users, monitor JavaScript events, detect intrusions, analyze email campaigns and more. Researchers from Web security firm Sucuri found a vulnerability that stems from weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower. If attackers can determine the secret key used by the plug-in, they can launch blind SQL injection attacks that enable them to read sensitive information from the site’s database.

Critical remote code execution flaw patched in Samba

Security researchers are urging users to install new Samba security updates in order to address a critical vulnerability that allows attackers to execute arbitrary code with root privileges. Samba is an implementation of the SMB/CIFS networking protocol that enables Unix-like systems, including Linux, BSD, Solaris and Mac OS X, to share files and printers with Windows computers. It also allows such systems to be integrated into Microsoft Active Directory environments and even act as domain controllers. The new vulnerability is located in the smbd file server and was discovered by Richard van Eeden of Microsoft Vulnerability Research. “It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server,” the Red Hat security team said in a blog post. “No authentication is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root.”

‘Secure’ advertising tool PrivDog compromises HTTPS security

New cases of insecure HTTPS traffic interception are coming to light as researchers probe software programs for implementations that could enable malicious attacks. The latest software to open a man-in-the-middle hole on users’ PCs is a new version of PrivDog, an advertising product with ties to security vendor Comodo. Over the weekend, a user reported on Hacker News that his system failed an online test designed to detect a man-in-the-middle vulnerability introduced by Superfish, a program preloaded on some Lenovo consumer laptops.

Superfish security flaw also exists in other apps, non-Lenovo systems

On Thursday security researchers warned that an adware program called Superfish, which was preloaded on some Lenovo consumer laptops, opened computers to attack. However, it seems that the same poorly designed and flawed traffic interception mechanism used by Superfish is also used in other software programs. Superfish uses a man-in-the-middle proxy component to interfere with encrypted HTTPS connections, undermining the trust between users and websites. It does this by installing its own root certificate in Windows and using that certificate to re-sign SSL certificates presented by legitimate websites.

TrueCrypt audit back on track after silence and uncertainty

An effort to search for cryptographic flaws in TrueCrypt, a popular disk encryption program, will resume even though the software was abandoned by its creators almost a year ago. For years TrueCrypt has been the go-to open-source tool for people looking to encrypt files on their computers, especially since it’s one of the few solutions to allow encrypting the OS volume. In October 2013, cryptography professor Matthew Green and security researcher Kenneth White launched a project to perform a professional security audit of TrueCrypt. This was partly prompted by the leaks from former U.S. National Security Agency contractor Edward Snowden that suggested the NSA was engaged in efforts to undermine encryption.

Lenovo admits to Superfish screw-up, will release clean-up tool

Lenovo has admitted it “messed up badly” by pre-loading software on some consumer laptops that exposed users to possible attack, and said it will soon release a tool to remove it. “I have a bunch of very embarrassed engineers on my staff right now,” Lenovo CTO Peter Hortensius said in an interview Thursday. “They missed this.” Users have been complaining since September about the third-party program, called Superfish, which injects product recommendations into search results. But it only emerged Wednesday that the program also opens a serious security hole.

Lenovo PCs ship with adware that puts computers at risk

Some Windows laptops made by Lenovo come pre-loaded with an adware program that exposes users to security risks. The software, Superfish Visual Discovery, is designed to insert product ads into search results on other websites, including Google. However, since Google and some other search engines use HTTPS (HTTP Secure), the connections between them and users’ browsers are encrypted and cannot be manipulated to inject content. To overcome this, Superfish installs a self-generated root certificate into the Windows certificate store and then acts as a proxy, re-signing all certificates presented by HTTPS sites with its own certificate. Because the Superfish root certificate is placed in the OS certificate store, browsers will trust all fake certificates generated by Superfish for those websites.

Samsung smart TVs don’t encrypt the voice data they collect

Samsung does not encrypt voice recordings that are collected and transmitted by its smart TVs to a third-party service, even though the company has claimed that it uses encryption to secure consumers’ personal information. A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung’s own privacy policy those words can in some cases include personal or sensitive information. The incident even drew comparisons to Big Brother behavior from George Orwell’s dystopian novel 1984.

Microsoft adds HTTP Strict Transport Security support to Internet Explorer

Starting with Windows 10, Internet Explorer will allow users to access some websites only over SSL-encrypted connections, if those websites have opted into a new security mechanism. Users can test the new feature, known as HTTP Strict Transport Security (HSTS), in Internet Explorer on Windows 10 Technical Preview. In the future, it will also be added to the Project Spartan browser, said Microsoft program managers Mike Bell and David Walp in a blog post. HSTS is a standard defined by the Internet Engineering Task Force in RFC6797. It was designed to prevent SSL stripping attacks, where hackers in a position to intercept a user’s traffic can downgrade connections from HTTPS (HTTP and SSL encryption) to plain HTTP.

Fanny superworm likely the precursor to Stuxnet

The Stuxnet computer worm that was used to sabotage the Iranian nuclear program was likely preceded by another sophisticated malware program that used some of the same exploits and spread through USB thumb drives to computers isolated from the Internet. The USB worm is called Fanny and is part of a sophisticated malware toolset used by a cyberespionage group that researchers from Russian antivirus firm Kaspersky Lab have dubbed Equation. Kaspersky published a detailed report Monday about Equation, which it considers the most advanced group of attackers to date and whose activity spans back to 2001 and possibly even to 1996. Even though the company stopped short of directly linking the group to the U.S. National Security Agency, there are significant details that point to such links.

Information disclosure flaw exposes Netgear wireless routers to attacks

Several wireless routers made by Netgear contain a vulnerability that allows unauthenticated attackers to extract sensitive information from the devices, including their administrator passwords and wireless network keys. The vulnerability can be exploited over local area networks, as well as over the Internet if the devices are configured for remote administration and expose their Web interface externally. Details about the vulnerability were published on the Full Disclosure mailing list last week, along with a proof-of-concept exploit. Peter Adkins, the researcher who found the flaw, claims that he contacted Netgear but that his attempts to explain the nature of the issue to the company’s technical support department failed.

Personal weather stations can expose your Wi-Fi network

In the latest Internet of Things security blunder, personal weather station devices made by Netatmo were found sending users’ Wi-Fi passwords back to the company over unencrypted connections. Netatmo weather stations can be used to monitor indoor and outdoor temperature, humidity, carbon dioxide levels and overall air quality. Users can see the data collected by their stations in real time through an app installed on their phones, tablets or computers. The public weather map on Netatmo’s website shows that thousands of such devices are installed around the world. When the weather stations are first configured, users need to give them access to their Wi-Fi networks so they can transmit sensor readings to the Netatmo cloud over the Internet.