In the latest attack involving malicious advertisements, hackers managed to launch Flash Player exploits against the visitors of several popular porn websites.It’s not clear how many users were impacted, but the affected websites have over 250 million monthly visits combined, according to researchers from Malwarebytes who spotted and analyzed the attack.The malicious ads were posted through an advertising network called AdXpansion that was abused in similar incidents in the past.The attackers managed to distribute through the network a Flash-based ad that attempted to exploit a vulnerability in Flash Player.The flaw affects Flash Player through version 17.0.0.134, which was released within the last two months, the Malwarebytes researchers said in a blog post Thursday. Affected sites listed in the blog post include Drtuber.com, Nuvid.com, Hardsextube.com and Justporno.tv.To read this article in full or to leave a comment, please click here
Surgical robot can be taken over by hackersThe dark underside of the revolution in medical technology is that security is usually an afterthought, if it’s considered at all. Now researchers at the University of Washington have proved another nightmare scenario by taking over a tele-operated surgical robot, Computerworld reports. One of the problems is that the device communicates with the remote control console using a publicly available protocol that’s easy to hijack.NSA data dragnet broke the law, appeals court rulesTo read this article in full or to leave a comment, please click here
A team of developers has created a rootkit for Linux systems that uses the processing power and memory of graphics cards instead of CPUs in order to remain hidden.The rootkit, called Jellyfish, is a proof of concept designed to demonstrate that completely running malware on GPUs (graphics processing units) is a viable option. This is possible because dedicated graphics cards have their own processors and RAM.Such threats could be more sinister than traditional malware programs, according to the Jellyfish developers. For one, there are no tools to analyze GPU malware, they said.Also, such rootkits can snoop on the host’s primary memory, which is used by most other programs, via DMA (direct memory access). This feature allows hardware components to read the main system memory without going through the CPU, making such operations harder to detect.To read this article in full or to leave a comment, please click here
As interest grows in applications deployed in containers, questions about their security are developing as well.The open-source platform built by Docker has seen quick uptake by developers. Applications are deployed in so-called containers, which can be easily updated and moved to other machines due to their small footprint.Many application containers can run on a single physical system and share an operating system’s kernel. That commingling of demands on the operating system can, however, have serious consequences for security.Jay Lyman, research manager with the analyst 451 Group, said the security and management tools for virtual machines are highly evolved, but container technology is relatively immature.To read this article in full or to leave a comment, please click here
A suspected malicious advertising attack turned out to be a much deeper compromise of an online advertising company, according to Trend Micro.The security company found that advertisements served by Mad Ads Media, based in Mount Laurel, New Jersey, redirected to websites hosting an exploit kit, which probed users’ computers for software flaws in order to deliver malware. The number of people affected peaked at 12,500 on May 2, Trend said.At first, the incident appeared to be another example of malvertising, wrote Joseph Chen, a fraud researcher with Trend. Advertising networks have occasionally seen malicious ads uploaded to their networks that redirect people to other malicious websites.To read this article in full or to leave a comment, please click here
A U.S. appeals court judge shredded the government’s defense of an extensive National Security Agency program targeting the phone records of the nation’s residents.Judge Gerard Lynch, writing for a three-judge panel in the U.S. Court of Appeals for the Second Circuit, picked apart the Department of Justice’s arguments for the phone records collection program, revealed by former NSA contractor Edward Snowden in mid-2013.The appeals court ruled that Congress didn’t authorize the massive phone records collection in the Patriot Act of 2001, the antiterrorism law the past two U.S. presidents have used as a basis for the collection. A representative of the U.S. White House’s National Security Council noted that President Barack Obama’s administration is working with Congress to create a more limited program.To read this article in full or to leave a comment, please click here
The U.S. National Security Agency’s program to collect domestic telephone records in bulk was not authorized by Congress in the Patriot Act, an appeals court has ruled.The NSA’s phone records program violates U.S. law because it “exceeds the scope of what Congress has authorized,” a three-judge panel for the U.S. Court of Appeals for the Second Circuit has ruled.The appeals court vacated a December 2013 ruling by a district court judge who granted the government a motion to dismiss the case, but upheld the district court decision to deny plaintiffs, including the American Civil Liberties Union, a preliminary injunction to halt the so-called phone metadata collection program.To read this article in full or to leave a comment, please click here
A new WordPress version released Thursday fixes two critical cross-site scripting (XSS) vulnerabilities that could allow attackers to compromise websites.One of the flaws is located in the Genericons icon font package that is used by several popular themes and plug-ins, including the default TwentyFifteen WordPress theme.Researchers from Web security firm Sucuri warned Wednesday that they’ve already seen attacks targeting this XSS vulnerability.To exploit it, attackers need to trick users to click on specifically crafted links, but once they do that, they can leverage the flaw to steal authentication cookies. If the victim is a website’s administrator, they could gain full control over that website.To read this article in full or to leave a comment, please click here
Over five percent of browser visits to Google owned websites, including Google Search, are altered by computer programs that inject ads into pages. One called Superfish is responsible for a majority of those ad injections.The findings are the result of a study by Google and researchers from the University of California at Berkeley and Santa Barbara, who analyzed over 102 million page views to Google sites between June and September last year.Google added code to its websites that detected and reported back when ads were injected into pages by programs or browser extensions. This revealed that locally installed ad injectors interfered with 5,339,913 page views (5.2 percent of the total), impacting tens of millions of users around the world—or 5.5 percent of unique daily Internet Protocol addresses that accessed Google’s sites.To read this article in full or to leave a comment, please click here
More than 95 percent of SAP systems deployed in enterprises are exposed to vulnerabilities that could lead to a full compromise of business data, a security firm claims.Onapsis, a Boston-based company that specializes in SAP security audits, also found that the average time-to-patch for SAP vulnerabilities is more than 18 months—12 months for SAP to issue fixes and 6 months for companies to deploy them.This suggests that many companies are falling behind on SAP security, even though these systems hold some of their most critical and confidential information.To read this article in full or to leave a comment, please click here
A vulnerability within two widely used WordPress plugins is already being exploited by hackers, putting millions of WordPress sites at risk, according to a computer security firm.The plugins are JetPack, a customization and performance tool, and Twenty Fifteen, used for infinite scrolling, wrote David Dede, a malware researcher with Sucuri. WordPress installs Twenty Fifteen by default, which increases the number of vulnerable sites.Both plugins use a package called genericons, which contains vector icons embedded in a font. In the package, there is an insecure file called “example.html” which makes the package vulnerable, Dede wrote.To read this article in full or to leave a comment, please click here
Legislation intended to end the U.S. National Security Agency’s bulk collection of domestic telephone records is drawing opposition from several unlikely sources, digital and civil rights groups.The USA Freedom Act, approved last Thursday in a 25-2 vote by the House of Representatives Judiciary Committee, doesn’t go far enough to protect privacy, several digital rights groups and government whistleblowers said in a letter to members of Congress.The USA Freedom Act would result in “minimal reforms” to the NSA telephone records program, said the letter, sent Wednesday by CREDO Action, Demand Progress, Fight for the Future, the Republican Liberty Caucus and other groups.To read this article in full or to leave a comment, please click here
A new bill in Congress would require law enforcement agencies to get court-ordered warrants before targeting U.S. residents in searches of electronic communications collected by the National Security Agency.The End Warrantless Surveillance of Americans Act, introduced Tuesday by three members of the House of Representatives, would end the so-called surveillance back door that allows the FBI and other agencies to search U.S. emails, texts and other data swept up in NSA surveillance of overseas communications.+ A REVIEW: Government can exploit loopholes for warrantless surveillance on Americans +To read this article in full or to leave a comment, please click here
Hackers will put Internet-connected embedded devices to the test at the DefCon 23 security conference in August. Judging by the results of previous Internet-of-Things security reviews, prepare for flaws galore.This year, DefCon, the largest hacker convention in the U.S., will host a so-called IoT Village, a special place to discuss, build and break Internet-of-Things devices.“Show us how secure (or insecure) IP enabled embedded systems are,” a description of the new village reads. “Routers, network storage systems, cameras, HVAC systems, refrigerators, medical devices, smart cars, smart home technology, and TVs—If it is IP enabled, we’re interested.”To read this article in full or to leave a comment, please click here
The maker of a widely used electronic lock has taken issue with a security company’s criticism of one of its flagship products.IOActive, a Seattle-based security consultancy, published an advisory alleging several security flaws in electronic locks made by CyberLock, of Corvallis, Oregon.CyberLock, which received advance notice of the problems from IOActive, contends it wasn’t given enough time or information prior to IOActive’s warning. Mike Davis, the IOActive researcher who found the problems, published two letters said to have been sent by CyberLock’s lawyers to IOActive.To read this article in full or to leave a comment, please click here
MacKeeper, a utility and security program for Apple computers, celebrated its fifth birthday in April. But its gift to U.S. consumers who bought the application may be a slice of a $2 million class-action settlement.Released in 2010, MacKeeper has been dogged by accusations that it exaggerates security threats in order to convince customers to buy. Its aggressive marketing has splashed MacKeeper pop-up ads all over the web.The program was originally created by a company called ZeoBIT in Kiev, Ukraine. The country—full of young, smart programmers—has long been a hub for lower-cost software development and outsourcing.To read this article in full or to leave a comment, please click here
French lawmakers have taken a first step toward allowing real-time surveillance of Internet and mobile phone use in France.Following attacks on satirical newspaper Charlie Hebdo and a supermarket in Paris in January, the government rushed out a bill that will allow French intelligence services to collect communications metadata on the entire country’s phone calls and Internet traffic, in some cases installing their own equipment on operators’ networks. On Tuesday, the French National Assembly approved the bill by 438 votes to 86.The proposed surveillance measures have encountered opposition from many quarters: Internet service providers, civil liberties groups, and even an association of motorcyclists, concerned about the potential for government monitoring of lobby groups.To read this article in full or to leave a comment, please click here
Cybercriminals are increasingly copying cyberespionage groups in using targeted attacks against their victims instead of large-scale, indiscriminate infection campaigns.This change in tactics has been observed among those who launch attacks, as well as those who create and sell attack tools on the underground market.A recent example of such behavior was seen in a cybercriminal attack against vendors of point-of-sale systems that researchers from RSA documented last week.The attackers sent emails to specific vendors impersonating small businesses such as restaurants. This technique, known as spear-phishing, is typically associated with advanced persistent threats (APTs)—highly targeted, customized attacks whose goal is usually long-term cyberespionage.To read this article in full or to leave a comment, please click here
Chambers steps down as Cisco CEO, Robbins gets the jobIt’s finally time for the changing of the guard at Cisco, after many months of rumors that John Chambers, CEO for 20 years, was planning his retirement. His surprise replacement is senior VP of worldwide operations Chuck Robbins, who wasn’t highlighted in a succession plan a few years ago. Chambers will move into the role of executive chairman on July 26 when Robbins takes over.EU’s new digital strategy could target US tech vendorsTo read this article in full or to leave a comment, please click here
Netflix has released under an open-source license an internal tool it developed to manage a deluge of security alerts and incidents.Called FIDO (Fully Integrated Defense Operation), the tool is designed to research, score and categorize threats in order to speed up handling of the most urgent ones.Netflix started developing FIDO four years ago after finding it took from a few days to more than a week to resolve issues that were entered into its help-desk ticketing system, the company wrote in a blog post Monday.It was a largely manual and labor intensive process. “As attacks increase in number and diversity, there is an increasing array of detection systems deployed and generating even more alerts for security teams to investigate,” it said.To read this article in full or to leave a comment, please click here