Archive

Category Archives for "Network World Security"

Large scale attack hijacks routers through users’ browsers

Cybercriminals have developed a Web-based attack tool to hijack routers on a large scale when users visit compromised websites or view malicious advertisements in their browsers.

The goal of these attacks is to replace the DNS (Domain Name System) servers configured on routers with rogue ones controlled by attackers. This allows hackers to intercept traffic, spoof websites, hijack search queries, inject rogue ads on Web pages and more.

The DNS is like the Internet’s phonebook and plays a critical role. It translates domain names, which are easy for people to remember, into numerical IP (Internet Protocol) addresses that computers need to know to communicate with each other.

Full Adult Friend Finder database offered for $17,000

An unredacted version of a database said to be stolen from Adult Friend Finder is being offered for sale for 70 bitcoins, or around US$17,000.

ROR[RG], the nickname of the person who claims to have breached the large online hookup site, wrote on Saturday in an underground forum that “I have had so many people ask me to buy the db today.”

Seeking to capitalize on the momentum, ROR[RG]—who claims to live in Thailand—also offered to break into any company or website for 750 bitcoins, worth about $170,000.

Fifteen files of data purported to come from Adult Friend Finder were posted to an underground forum in March. The files contained 3.9 million email addresses and in some cases the partner preference, gender, birth date, state, post code, language preference and IP address of users.

US Senate blocks NSA surveillance reform bill

The U.S. Senate voted early Saturday to block the USA Freedom Act, legislation that aimed to put an end to the bulk collection of telephone records by the National Security Agency.

It also voted down a bill that would extend to July 31 certain provisions of the Patriot Act, including Section 215, which provides the legal framework for the current NSA phone surveillance program.

The Senate, which adjourned Saturday for the Memorial Day weekend, will reconvene on May 31, when it will try to hammer out a deal ahead of the June 1 deadline when the Patriot Act provisions expire, unless reauthorized in the same or modified form by legislation.

Suhosin: How to harden your PHP web application

The number of Internet servers that run the PHP language is incredible: According to Netcraft, as of January, 2012, something around 244,000,000 web sites were running PHP, and according to a May, 2015, survey by W3Techs, “PHP is used by 81.9% of all websites whose server-side programming language we know.” Bottom line: PHP rules.

The lure of PHP is that it's easy to learn, easy to develop with, and flexible (though not everyone thinks PHP is a good idea). On the other hand, as with all programming languages, PHP has security issues, so poor coding practices can make a server vulnerable to hackers.

US Senate leader pushes to extend NSA phone dragnet

The U.S. Senate was deadlocked on Friday over whether to extend authorization for the National Security Agency’s massive collection of domestic telephone records, with Majority Leader Mitch McConnell insisting the surveillance program should continue with no new limits.

With a weekend deadline looming, McConnell advocated for extending the section of the Patriot Act that the NSA has used to justify its collection of millions of U.S. phone records over the last nine years. Section 215 of the Act, which allows the agency to collect any telephone and business records relevant to a counterterrorism investigation, expires June 1, and Congress is scheduled to take a week-long recess starting this weekend.

The Upload: Your tech news briefing for Friday, May 22

Connected cars will add to mobile traffic jams

Expect mobile networks to struggle as they are called on to handle a rapidly increasing number of connected cars. Traffic growth from M2M (machine to machine) connections, particularly from cars, will cause headaches for mobile operators, says Machina Research. Car connections are expected to surpass 500 million in 2019 and then 1 billion in 2023, when they will account for more than half of all M2M connections over cellular networks. And they’ll use lots of data, thanks to connected entertainment and navigation systems.

Factory reset in Android phones leaves sensitive user data behind

It’s common sense to reset an Android phone to its factory state before selling or disposing of it. But beware: researchers recently found that this often fails to properly wipe all sensitive user data from the device.

A test on 21 second-hand smartphones running Android versions between 2.3.x (Gingerbread) and 4.3 (Jelly Bean) revealed that it’s possible to recover emails, text messages, Google access tokens and other sensitive data after the factory reset function had been used.

The study was done by researchers Laurent Simon and Ross Anderson from the University of Cambridge in the U.K. on used devices bought from eBay between January and May 2014. The devices included models from Samsung Electronics, HTC, LG Electronics, Motorola and three from Google’s Nexus line of phones.

Secom security drone follows, photographs intruders

If you think drones are more than slightly creepy, wait until you meet one that will autonomously follow you and record video.

Japanese security company Secom is launching a drone that will automatically launch when an intruder is detected and follow him or her while sending video to human supervisors.

The sleek silver quadcopter was shown off this week at the inaugural International Drone Expo held in Makuhari outside Tokyo, where about 50 companies gathered to exhibit drones and related technologies.

The UAV will be offered to businesses in Japan operating on relatively large parcels of land—big enough to warrant a flying security camera—such as shopping malls and supermarkets with large parking lots.

Freelance hacking site vows to clean up dodgy listings

Charles Tendell is trying to repair a reputation problem for his website, Hacker’s List.

The site debuted in November and quickly drew high-profile attention, including a front-page story in the New York Times. It’s an online marketplace where people can list computer-security related jobs for bidding and match them with the right “hacker.”

It has been criticized as amateurish, since forums where such deals are made are password-protected and generally hard to find for regular Internet users. It has also raised concern, since many projects up for bidding appear illegal.

Leaked database of Adult Friend Finder still online

Adult Friend Finder, one of the largest online dating sites, may have been breached more than two months ago, and the sensitive files—which include names, ages, email addresses, zip codes and more—are apparently still online.

British broadcaster Channel 4 reported Thursday that the website had been breached, although information regarding the breach had been trickling out in a low-key way for some time.

FriendFinder Networks, a California-based company that owns Adult Friend Finder and other dating websites, said in an advisory that it has contacted law enforcement and is investigating.

US Senate leader to push for vote to renew NSA phone dragnet

The U.S. Senate on Thursday failed to move forward on efforts to extend the section of the Patriot Act that the National Security Agency has used to collect millions of domestic telephone records.

Congress is facing an effective deadline of this weekend to extend the phone records collection section of the antiterrorism law, with Section 215 of the Patriot Act expiring June 1 and lawmakers scheduled to take a weeklong break after finishing business this week.

On Thursday, Senators were wrestling with three alternatives: allow the Patriot Act’s records collection program to expire, extend the program with no new limits, or pass a House of Representatives bill that aims to end bulk records collection but allows the NSA to search phone and business records in a more targeted manner.

Netgear and ZyXEL confirm NetUSB flaw, are working on fixes

Networking device manufacturers ZyXEL Communications and Netgear have confirmed that some of their routers are affected by a recently disclosed vulnerability in a USB device-sharing service called NetUSB.

ZyXEL will begin issuing firmware updates in June, while Netgear plans to start releasing patches in the third quarter of the year.

The vulnerability, tracked as CVE-2015-3036, is located in a Linux kernel module called NetUSB that’s commonly used in routers and other embedded devices. The module is developed by a Taiwan-based company called KCodes Technology and allows routers to share USB devices with other computers via the Internet Protocol (IP).

The Upload: Your tech news briefing for Thursday, May 12

Senators block vote extending NSA dragnet powers

Four U.S. senators ground the chamber’s business to a halt Wednesday in an effort to prevent voting on a bill that would extend a law that’s legitimized the National Security Agency’s bulk collection of telephone and business records. The relevant section of the Patriot Act expires at the end of the month, and to stop it from being renewed, a bipartisan group took control of the Senate floor in a filibuster mid-Wednesday.

Hack hits health care target, reaps data on 1.1 million

US proposes tighter export rules for computer security tools

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology.

On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period.

The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995, aimed at limiting the spread of “dual use” technologies that could be used for harm.

RadioShack, US states reach agreement on sale of customer data

RadioShack has reached agreement with U.S. states over the sale of customer data, by consenting to limit the number of email addresses to be sold, and giving customers the opportunity to be removed from the list.

A coalition of 38 U.S. states, led by Texas, objected to the sale of personally identifiable information by the bankrupt electronics retailer, citing its online and in-store privacy policies. The customer data, which was withdrawn from an earlier sale of assets that included RadioShack stores, was included in a second auction this month.

The bulk of the consumer data will be destroyed, and no credit or debit card account numbers, social security numbers, dates of birth or phone numbers will be transferred to General Wireless Operations, the winner of both auctions, said Texas Attorney General Ken Paxton in a statement Wednesday.

Health insurer CareFirst reveals cyberattack affecting 1.1 million

A large U.S. health insurer, CareFirst BlueCross BlueShield, has disclosed it fell victim to a cyberattack that affected about 1.1 million people.

The attack, which occurred in June last year, targeted a single database that contained information about CareFirst members and others who accessed its websites and services, the company said Monday.

The nonprofit has 3.4 million members, mostly around Maryland, Washington, D.C., and Northern Virginia.

“We were the subject of a cyberattack,” a somber-looking Chet Burrell, the company’s CEO, says in a video posted to its website.

CareFirst said customer names, birth dates, user names, email addresses and subscriber ID numbers may have been stolen. The database did not contain Social Security numbers, medical claims or financial information, it said. And member passwords were encrypted and stored in a different system, CareFirst said.

Senators stall vote to extend NSA phone records dragnet

Four U.S. senators ground the chamber’s business to a halt Wednesday in an effort to prevent lawmakers from voting on a bill to extend portions of the Patriot Act used to collect telephone and business records from the country’s residents.

Time is running out for the Senate to extend the telephone records collection section of the Patriot Act before it expires at the end of the month. In an effort to block a vote, Senator Rand Paul, a Kentucky Republican, took control of the Senate floor in a filibuster mid-Wednesday, with Senators Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat, joining him later in the day.

Senators stall vote to extend NSA phone records dragnet

U.S. Senator Rand Paul spoke on the chamber's floor for more than nine hours Wednesday during a filibuster to prevent lawmakers from voting on a bill to extend portions of the law used by the National Security Agency to collect telephone and business records from the country's residents.

Paul, a Kentucky Republican, continued to talk on the Senate floor at 10:25 p.m. EST, after taking control of the chamber earlier in the day. Nine other senators joined him for short stretches throughout the day, including Ron Wyden, an Oregon Democrat, Mike Lee, a Utah Republican, and Martin Heinrich, a New Mexico Democrat.

Time is running out for the Senate to extend the section of the Patriot Act that the NSA uses as authorization to collect telephone and other business records. Section 215 of the Patriot Act expires at the end of the month, and lawmakers are scheduled to take an extended Memorial Day break next week.

E-paper display gives payment cards a changing security code

By embedding an e-paper display in the back of credit and debit cards, payment specialist Oberthur Technologies hopes to make online fraud a lot more difficult. An upcoming test in France will show if the underlying technology can cut it.

Using payment cards with an embedded chip makes payments more secure in physical stores, but it’s still relatively easy for criminals to copy card details and use them online. Oberthur’s Motion Code technology replaces the printed 3-digit CVV (Card Verification Value) code, usually found on the back of the card, with a small screen, where the code changes periodically.

Today, any criminal who has seen a card or overheard the owner dictating the CVV code can make unauthorized purchases online or by phone. With Motion Code, because the CVV changes from time to time, the time a fraudster has to act is reduced.

Android stock browser vulnerable to URL spoofing

A vulnerability in Android’s default Web browser lets attackers spoof the URL shown in the address bar, allowing for more credible phishing attacks.

Google released patches for the flaw in April, but many phones are likely still affected, because manufacturers and carriers typically are slow to develop and distribute Android patches.

The vulnerability was discovered by a researcher named Rafay Baloch and was privately reported to Google with the help of security firm Rapid7.

Baloch discovered the flaw on Android 5.0 Lollipop, which uses Chrome as its default browser, but then also confirmed it in the stock browser in older Android versions.