Archive

Category Archives for "Network World Security"

Trend Micro’s spam traps surface more Ashley Madison fake users

There hasn't been a lack of strange things turning up in the Ashley Madison data leak.One of the latest discoveries comes from Trend Micro, which found bogus Ashley Madison profiles that used email addresses the company created solely for collecting spam samples.The email addresses are known as "honeypots," a general term for systems set up by researchers in the hope that they will be attacked. Studying the attacks can shed light on new methods used by malicious hackers.One of Trend's addresses was used for a profile describing a 33-year-old Los Angeles woman who is "sexy, aggressive" and "knows what she wants," wrote Ryan Flores, a threat research manager with Trend, in a blog post.To read this article in full or to leave a comment, please click here

WhatsApp fixes dangerous flaw in Web app

WhatsApp, the widely used messaging program, has fixed a dangerous flaw in its Web app that could be used to trick people into installing malware, according to Check Point.The flaw could affect as many as 200 million people who use WhatsApp's web interface, wrote Oded Vanunu, Check Point's group manager for security research and penetration."All an attacker needed to do to exploit the vulnerability was to send a user a seemingly innocent vCard containing malicious code," he wrote.To read this article in full or to leave a comment, please click here

Microsoft Edge browser gets its first critical patches

Released a little over a month ago, Microsoft's new Edge browser has gotten its first set of critical security patches.As part of its monthly round of security fixes, colloquially known as Patch Tuesday, Microsoft released a critical bulletin, MS15-05, with four patches covering vulnerabilities in the Windows 10-only Edge browser.Overall this month, Microsoft issued 12 bulletins covering 56 vulnerabilities. Five bulletins were deemed as critical, meaning they should be addressed as soon as possible.In addition to Edge, this month's patches cover issues in Internet Explorer, Windows, Office, Exchange, the .Net framework, the Hyper-V virtual machine, Active Directory, and Skype for Business.To read this article in full or to leave a comment, please click here

Microsoft Edge browser gets critical patches

Released a little over a month ago, Microsoft's new Edge browser has gotten a set of critical security patches.As part of its monthly round of security fixes, colloquially known as Patch Tuesday, Microsoft released a critical bulletin, MS15-095, with four patches covering vulnerabilities in the Windows 10-only Edge browser.Overall this month, Microsoft issued 12 bulletins covering 56 vulnerabilities. Five bulletins were deemed as critical, meaning they should be addressed as soon as possible.In addition to Edge, this month's patches cover issues in Internet Explorer, Windows, Office, Exchange, the .Net framework, the Hyper-V virtual machine, Active Directory, and Skype for Business.To read this article in full or to leave a comment, please click here

Africa’s effort to tackle cybercrime gains momentum

Africa’s efforts to tackle cybercrime are gaining momentum as Tanzania joins African countries including Zambia, Nigeria, South Africa and Kenya in coming up with a law that includes penalties of up 10 years in prison.The law comes amid claims that Tanzania has one of the highest rates of cybercrime and social media abuse in Africa. Tanzanian President Jakaya Kikwete has already approved the Cyber Crimes Act of 2015, which becomes operational this week.The Tanzania Communications Regulatory Authority (TCRA) is already warning of tough actions against cybercriminals in the East African country as a result of the new law.Critics have said however, that the Tanzanian law targets social media with the aim of regulating its use in order to silence divergent views and critics of the government.To read this article in full or to leave a comment, please click here

Microsoft released 12 patches, 5 rated critical, 1 being exploited in the wild

Microsoft released 12 security updates for September 2015 Patch Tuesday, five of which are rated critical and one is currently being exploited in the wild.Microsoft patches rated criticalMS15-097 contains a fix for a flaw currently being exploited in the wild, so it should be your top priority. It patches 11 vulnerabilities in Microsoft Graphics Component which could allow remote code execution.Qualys CTO Wolfgang Kandek wrote, “The bulletin is rated critical on Windows Vista and Server 2008, plus Microsoft Office 2007 and 2010, plus Lync 2007, 2010, 2013. In addition one of the vulnerabilities, rated as only as important in the bulletin is under attack in the wild: CVE-2015-2546 allows for an escalation of privilege once on the machines, allowing the attacker to become administrator of the targeted machine. CVE-2015-2546 affects all versions of Windows including Windows 10.”To read this article in full or to leave a comment, please click here

Blackmail rising from Ashley Madison breach

Cybercriminals are maddeningly adaptable.If a Dark Web illicit marketplace gets shut down, others spring up almost immediately to take its place. If credit cards get tougher to hack, there is always spear phishing, poorly protected electronic health records or the unending variety of devices that make up the Internet of Things (IoT), most of which have little to no security built in.To read this article in full or to leave a comment, please click here

Blurred lines: Cyberespionage group caught borrowing banking malware code

A group of hackers that target military and government organizations has recently borrowed code from an old online banking Trojan called Carberp, further blurring the line between cybercrime and cyberespionage.The hacker group is known by various names in the security industry, including Pawn Storm and APT28. Its primary malware tool is a backdoor program called Sednit or Sofacy.The group has been active since at least 2007 and has targeted governmental, security and military organizations from NATO member countries, as well as defense contractors and media organizations, Ukrainian political activists and Kremlin critics.To read this article in full or to leave a comment, please click here

IDG Contributor Network: Will the Ashley Madison hack really bring about any change in corporate IT security?

That sultry, sexy, "shh." We've all seen it over and over and over again during the past month. That "shh" promised sex and security. It looks like Ashley Madison didn't deliver much of either. Except for the sordid stories that keep Ashley Madison in the news, there is really nothing notable about the Ashley Madison breach. We are swimming in a sea of data breaches. They've become so routine it takes sex and scandal for anyone to notice. With so many data breaches over the past several years, you would expect companies (and governments) to do something about them.To read this article in full or to leave a comment, please click here

4 new cybercrime trends threaten your business

The more things change, the more things stay the same -- at least for hackers. That's one of the finding in Proofpoint's mid-year threat report on the attacks of choice for the first half of 2015. In addition to the return of an old friend, the cybersecurity company also found more targeted attacks towards businesses, heightened activity around social media and a shift in the volume and accuracy of the bad stuff that ends up in your inbox, looking to take your money. Click the attachment They're baaaaaack – email attachments that infect a computer once clicked upon, that is. To read this article in full or to leave a comment, please click here

Credentials stored in Ashley Madison’s source code might have helped attackers

If you're a company that makes its own websites and applications, make sure your developers don't do what the Ashley Madison coders did: store sensitive credentials like database passwords, API secrets, authentication tokens or SSL private keys in source code repositories.Judging by the massive amount of data leaked last month by Impact Team from AshleyMadison.com's owner Avid Life Media (ALM), the hackers gained extensive access to the Canadian company's IT infrastructure.The ALM data dumps contained customer records and transaction details from the Ashley Madison infidelity website, but also the email database of the company's now-former CEO and the source code for the company's other online dating websites including CougarLife.com and EstablishedMen.com.To read this article in full or to leave a comment, please click here

$60 device spoofs phantom objects and tricks self-driving cars into stopping

A security researcher used a homemade $60 system to outsmart self-driving car lidar sensors that cost thousands; he was able to trick an autonomous vehicle into slowing down and even launched a denial of service attack on a self-driving car's tracking system so that it came to a complete stop.Lidar, a remote sensing technology, is most commonly known as the circular “eye” mounted on the roof of most self-driving cars; it acts somewhat like radar as the lasers spin around to scan the area and detect objects. Lidar devices come in various sizes and prices. The lidar (Light Detection and Ranging) market is estimated to be a one billion market by 2020; it’s not used exclusively for driverless cars as seen in recent news about autonomous golf carts and surveying drones. Yet Jonathan Petit, a principal scientist at Security Innovation, believes lidar sensors are “the most susceptible technologies” in self-driving vehicles.To read this article in full or to leave a comment, please click here

Kaspersky Lab pushes emergency patch for critical vulnerability

Kaspersky Lab has released an emergency patch for some of its antivirus products after a security researcher found a critical vulnerability that could allow hackers to compromise computers.The flaw was discovered by vulnerability researcher and Google security engineer Tavis Ormandy, who mentioned it Saturday on Twitter, before sending the bug's details to Kaspersky.Ormandy's Twitter message included a screen shot showing the Windows calculator (calc.exe) running under the Kaspersky antivirus process.It works great against versions 15 and 16, he said.Versions 15 and 16 correspond to Kaspersky's 2015 and 2016 product lines. It's not clear if only Kaspersky Anti-Virus was affected or also the vendor's Internet Security and Total Security products.To read this article in full or to leave a comment, please click here

Fiat Chrysler voluntarily recalls 7,810 SUVs over software issues

Fiat Chrysler said Friday it is voluntarily recalling 7,810 SUVs due to a software glitch that could make the vehicles vulnerable to remote control.Half of the vehicles, which are 2015 Jeep Renegade SUVs equipped with 6.5-inch touchscreens, are still at dealerships, the carmaker said in a statement.The company downplayed the risk to drivers, saying it was unaware of injuries related to the problem and had received no complaints.It further said "the software manipulation addressed by this recall required unique and extensive technical knowledge, prolonged physical access to a subject vehicle and extended periods of time to write code."To read this article in full or to leave a comment, please click here

Crypto wars: FTC commissioner says to encrypt despite feds pushing for backdoors

Surveillance is so out of control that superheroes like Captain America fight against it; even the Avengers tried to show us the dangers of militarizing the Internet. Sure that might be coming from fictional characters just like the cosplay activism campaign going on Dragon Con this weekend in Atlanta. Yet as Project Secret Identity points out:To read this article in full or to leave a comment, please click here

NIST sets the stage for contactless fingerprint readers

Biometric technologies may soon replace cumbersome passwords, but the U.S. National Institute of Technology is looking out to a time when you won't even have to press your finger onto a grimy fingerprint reader to gain entry to a computer.NIST has funded a number of companies to make touchless fingerprint readers possible, and is creating a framework for evaluating possible technologies for widespread use.Touchless fingerprint readers could be particularly useful for quickly identifying large numbers of people, such as a queue entering a controlled facility, NIST contends. Germaphobes would also appreciate the technology, as they would not have to touch potentially germy fingerprint readers to gain access to their computers.To read this article in full or to leave a comment, please click here

Blackberry buys Good Technology as it further expands into mobile device security

Blackberry has moved further into the mobile device management space by purchasing Good Technology for US$425 million [m]. Good Technology sells enterprise mobile security products and was Blackberry's competitor. In a January blog post, Blackberry called out Good for claiming it was the first company to add a special billing feature to its products. A separate blog post on Friday discussing the merger made note of this history, saying the companies have taken "aggressive positions" through the years.To read this article in full or to leave a comment, please click here

French ISPs petition court to overturn secret foreign surveillance decree

Two French ISPs have asked France's highest court to make public a secret government decree defining how French security services can monitor the Internet.France's foreign intelligence service, the Directorate General of Exterior Surveillance (DGSE) operates under rules set in a secret government decree in 2008. The existence of the decree was revealed by the magazine l'Obs in July this year.The decree's existence has not been denied by the government. While its content remains secret, it is known that it authorizes the DGSE to tap Internet communications entering or leaving French territory on a massive scale.On Thursday, ISPs FDN and FFDN, along with online rights group La Quadrature du Net, revealed that they had filed two suits with the Council of State, seeking a summary judgment and suspension of the unpublished decree. The Council of State is, among other functions, France's highest court for matters involving the administration.To read this article in full or to leave a comment, please click here