Category Archives for "Network World Security"

All major browsers hacked at Pwn2Own contest

Security researchers who participated in the Pwn2Own hacking contest this week demonstrated remote code execution exploits against the top four browsers, and also hacked the widely used Adobe Reader and Flash Player plug-ins.

On Thursday, South Korean security researcher and serial browser hacker JungHoon Lee, known online as lokihardt, single-handedly popped Internet Explorer 11 and Google Chrome on Microsoft Windows, as well as Apple Safari on Mac OS X.

He walked away with US$225,000 in prize money, not including the value of the brand new laptops on which the exploits were demonstrated and which the winners get to take home.

The Pwn2Own contest takes place every year at the CanSecWest security conference in Vancouver, Canada, and is sponsored by Hewlett-Packard’s Zero Day Initiative program. The contest pits researchers against the latest 64-bit versions of the top four browsers in order to demonstrate Web-based attacks that can execute rogue code on the underlying systems.

To avoid NSA, Cisco gear gets delivered to strange addresses

One of the most successful U.S. National Security Agency spying programs involved intercepting IT equipment en route to customers and modifying it.

At secret workshops, backdoor surveillance tools were inserted into routers, servers and networking equipment before the equipment was repackaged and sent to customers outside the U.S.

The program, run by the NSA’s Tailored Access Operations (TAO) group, was revealed by documents leaked by former NSA contractor Edward Snowden and reported by Der Spiegel and Glenn Greenwald.

At least 700,000 routers given to customers by ISPs are vulnerable to hacking

More than 700,000 ADSL routers provided to customers by ISPs around the world contain serious flaws that allow remote hackers to take control of them.

Most of the routers have a “directory traversal” flaw in a firmware component called webproc.cgi that allows hackers to extract sensitive configuration data, including administrative credentials. The flaw isn’t new and has been reported by multiple researchers since 2011 in various router models.

Security researcher Kyle Lovett came across the flaw a few months ago in some ADSL routers he was analyzing in his spare time. He investigated further and unearthed hundreds of thousands of vulnerable devices from different manufacturers that had been distributed by ISPs to Internet subscribers in a dozen countries.

OpenSSL fixes serious denial-of-service bug, 11 other flaws

The mystery high-severity flaw that people expected to be fixed in OpenSSL is no Heartbleed, but it is serious and users should update.

Earlier this week, the OpenSSL Project advised users that patches scheduled to be released Thursday would address several security flaws, one of which was classified as high severity. The announcement gave rise to speculation, and some people thought the upcoming vulnerability might have wide-ranging impact, on par with the critical Heartbleed flaw disclosed last April, which affected Web servers, client software, mobile apps and even hardware appliances.

Anti-censorship group in China faces DDoS attack

An activist group working to end China’s Internet censorship is facing an ongoing distributed denial of service (DDoS) attack that threatens to cripple its activities.

GreatFire.org, a censorship watchdog based within the country, reported on Thursday that it had been hit with its first ever DDoS attack.

Although it’s not known who is behind the attack, China has been suspected of using the tactic before to take down activist websites.

DDoS attacks work by using an army of hacked computers to send an overwhelming amount of traffic to a website, effectively disabling it.

Target to pay $10 million in proposed settlement for 2013 data breach

Target has agreed to pay US$10 million in a proposed settlement to a class-action lawsuit stemming from its massive 2013 data breach.

The proposal, which requires U.S. federal court approval, calls for individual victims to receive up to $10,000. As many as 110 million people were affected by the attack, which occurred during the holiday shopping season.

The proposed settlement includes measures to better protect the customer data that Target collects, according to documents filed with the U.S. District Court, District of Minnesota. Target must develop and test a security program for protecting consumer data and implement a process for monitoring and identifying security threats. The company must also provide its employees with security training on keeping consumer data safe. After the settlement’s approval, Target would have five years to implement these measures.

Opera buys VPN service to help protect user privacy

Norwegian browser developer Opera Software has bought virtual private network service SurfEasy to help its users protect their privacy when accessing the Web from smartphones, tablets and computers.

The acquisition of the Canadian company also appears to be the latest step in the company’s strategy to expand into products beyond the browser.

SurfEasy offers applications to encrypt Internet traffic on Windows, Mac, iOS and Android devices, as well as a password-protected USB plug-in that lets users browse securely from any computer or network without leaving a trace.

Opera bought SurfEasy because Internet users are increasingly looking for ways to securely access the Internet, the company said in a release announcing the deal. The financial terms of the deal were not disclosed.

Mandrill warns attack may have exposed some data about email

Mandrill warned customers on Wednesday that some email-related data may have been exposed after attackers tried to lasso some of its servers into a botnet.

Data doesn’t appear to have been stolen, but some customers should take security precautions, wrote Brandon Fouts, general manager of Mandrill, a platform for managing transactional email that is owned by The Rocket Science Group.

“There’s not evidence that any customer data was queried or exported, but unfortunately we can’t completely rule out the possibility of access,” Fouts wrote in a blog post.

Data that may have been exposed includes internal logs about emails sent, including sender and recipient addresses but not custom metadata or the content of messages, Fouts wrote.

Proposed data breach notification bill criticized as too weak

Proposed legislation that would require U.S. businesses to notify affected customers after data breaches is too weak because it would preempt stronger breach notification laws in several states and wouldn’t cover several classes of data, including geolocation and health information, critics told lawmakers.

The proposed Data Security and Breach Notification Act covers only data linked to identity theft or financial fraud, including Social Security numbers, but would not require businesses and nonprofit groups to notify users if other information is stolen, said critics, including Democratic members of the House of Representatives Energy and Commerce Committee’s trade subcommittee.

IT manager gets certificate for Microsoft domain, tries to report it but gets in trouble

After a security enthusiast discovered a loophole that allowed him to register a valid SSL certificate for Microsoft’s live.fi domain, he tried to responsibly disclose the issue. But instead of thanks, he got locked out of his email, phone, Xbox and online storage accounts.

The issue was discovered by a Finnish man who works as an IT manager for a company in the industrial sector. He talked to the IDG News Service, but requested anonymity.

Microsoft’s Outlook.com email service allows users to have multiple email addresses, called aliases, under a single account. At the moment, the service only allows aliases to be created on the @outlook.com domain, but several months ago more domains were available.

UK government filing raises fears about misuse of hacking powers

A legal filing by the U.K. government has raised fears that the country’s intelligence service GCHQ is misusing its powers to hack telecommunications companies in other countries.

The document was made public by Privacy International and the Chaos Computer Club, both claimants in a lawsuit filed last year against GCHQ over its spying practices. In the filing, which is part of the case, the U.K. government claims it has the right to break into computers anywhere in the world, even if they are not connected to a crime or a threat to national security, the groups said.

US gov’t wants HTTPS on its publicly-accessible sites within two years

Publicly accessible websites and services of U.S. government agencies will have to move to HTTPS encryption within two years to meet the government’s objective that these sites and Web services be offered over a secure connection.

Hypertext Transfer Protocol Secure (HTTPS) offers the strongest privacy protection available for public Web connections with today’s Internet technology, according to a draft proposal released Tuesday by the White House’s Office of Management and Budget.

“The use of HTTPS reduces the risk of interception or modification of user interactions with government online services,” it added.

Premera, Anthem data breaches linked by similar hacking tactics

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches.

Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday.

It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases.

Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source of Anthem’s breach.

Hundreds of Android and iOS apps are still vulnerable to FREAK attacks

Hundreds of Android and iOS apps are still vulnerable to a dangerous attack revealed two weeks ago that can compromise encrypted data, a security vendor said Tuesday.

The apps have not yet been patched against the FREAK attack, short for Factoring attack on RSA-EXPORT Keys, which was revealed by researchers on March 3.

The unpatched apps, which were not identified, are in categories including finance, communication, shopping, business and medicine, computer security company FireEye said in a blog post Tuesday.

The findings highlight how even some of the most publicized and severe flaws can take quite a bit of time to get fixed. That poses risks for people using apps whose developers are not quick to patch them.

Premera Blue Cross says data breach may affect 11 million customers

As many as 11 million customers may have been affected by a data breach at U.S. health insurance provider Premera Blue Cross, the second large attack against the health care industry disclosed in the last two months.

The breach, discovered on Jan. 29, may have compromised customer names, birth dates, Social Security numbers, mailing and email addresses, phone numbers and bank account details, as well as claims and clinical information, Premera said on its website.

It hadn’t yet determined whether that sensitive information was actually removed from its systems, and it said there’s “no evidence to date that such data has been used inappropriately.” The FBI has been notified, it said.

Twitter adds tool to report tweets to the police

Twitter has added a tool to help users report abusive content to law enforcement, which could aid in removing the most threatening posts as Twitter ramps up its efforts to combat harassment.

The tool has been incorporated into the existing process for flagging abusive content or tweets. After reporting abusive or threatening content to Twitter, users have an option to receive an emailed summary of the report. The report would include the flagged tweet and its URL, the time at which it was sent, and the user name and account URL of the person who posted it.

The report, aimed at law enforcement, would also include a link to Twitter’s guidelines on how authorities can request non-public user account information from Twitter. The idea is that after seeing a report, law enforcement might feel compelled to take further action.

EMET security tool updated to prevent VBScript God Mode attacks

Microsoft updated its Enhanced Mitigation Experience Toolkit (EMET), a free exploit prevention tool, to protect against attacks that attempt to bypass Internet Explorer’s sandbox using VBScript.

Microsoft first released EMET 5.2 last week, but re-released it Monday to fix issues that some customers experienced when running the tool in conjunction with Internet Explorer 11 on Windows 8.1.

The new version offers protection against so-called VBScript God Mode attacks, which rely on a method documented last year that can bypass anti-exploitation mechanisms like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR) and Control-Flow Integrity (CFI).

Microsoft blacklists fraudulently issued SSL certificate

Microsoft released an update to blacklist an SSL certificate for one of its domain names that was issued to an unauthorized third party.

The improperly issued certificate could be used to spoof content, launch phishing attacks, or perform man-in-the-middle HTTPS interception against the live.fi and www.live.fi Web properties, Microsoft said in a security advisory Monday.

The company updated the Certificate Trust List (CTL) included in Windows in order to blacklist the fraudulent certificate. Systems running Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012 and Windows Server 2012 R2 will receive the update automatically and transparently.

OpenSSL mystery patches due for release Thursday

New versions of OpenSSL will be released on Thursday to patch several security vulnerabilities, one of which is considered highly serious, according to the OpenSSL Project Team.

An advisory published on Monday did not give further details of the vulnerabilities, presumably so as not to tip off hackers and perhaps to give some organizations time to prepare to patch in the meantime.

The updates will be included in OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf, the advisory said.

A number of serious problems have been found over the last year in OpenSSL, widely used open-source software that encrypts communications using the SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocol, a cornerstone of Web security.