Category Archives for "Network World Security"

How a Blu-ray disc could install malware on your computer

A pair of vulnerabilities found in hardware and software for playing Blu-ray discs might come in handy for secret snooping by the U.S. National Security Agency.

Stephen Tomkinson of NCC Group, a U.K.-based security consultancy, engineered a Blu-ray disc which detects the type of player the disc is running on and then picks one of two exploits to land malware on a computer. He presented the research at the Securi-Tay conference at Abertay University in Scotland on Friday.

One of the problems is in PowerDVD, an application made by Taiwanese company CyberLink for playing DVDs on Windows computers. The company’s applications are often preinstalled on computers from manufacturers including HP, Dell, Acer, Lenovo, Toshiba and ASUS, according to its website.

Personal data on 50,000 Uber drivers exposed in breach

The names and license plate numbers of about 50,000 Uber drivers were compromised in a security breach last year, the company revealed Friday.

Uber discovered a possible breach of its systems in September, and a subsequent investigation revealed an unauthorized third party had accessed one of its databases four months earlier, the company said.

The files accessed held the names and license plate numbers of about 50,000 current and former drivers, which Uber described as a “small percentage” of the total. About 21,000 of the affected drivers are in California. The company has several hundred thousand drivers altogether.

White House privacy proposal aims to give consumers control over data

U.S. businesses that collect personal data would be required to describe their privacy and security practices and give consumers control over their personal information under a proposed privacy bill of rights released Friday by President Barack Obama’s administration.

The proposal would also require companies and nonprofit groups to collect and retain only the personal data they need to operate.

However, the proposal allows industry groups to submit their own codes of conduct to the Federal Trade Commission and shields companies that follow those codes from FTC enforcement actions.

D-Link remote access vulnerabilities remain unpatched

D-Link routers have several unpatched vulnerabilities, the worst of which could allow an attacker to gain total control over a device, according to a systems engineer in Canada.

Peter Adkins, who does security research in his free time, released details of the flaws on Thursday. Adkins said in a phone interview that he has been in intermittent contact with D-Link since Jan. 11 on the issues, but the company has not indicated when it might patch.

“I believe it’s probably better for the end user to know that these exist than be completely in the dark for months on end while the vendor prepares patches,” he said.

D-Link officials did not have an immediate comment.

Hackers exploit router flaws in unusual pharming attack

An email-based attack spotted in Brazil recently employed an unusual but potent technique to spy on a victim’s Web traffic.

The technique exploited security flaws in home routers to gain access to the administrator console. Once there, the hackers changed the routers’ DNS (Domain Name System) settings, a type of attack known as pharming.

Pharming is tricky to pull off because it requires access to an ISP’s or an organization’s DNS servers, which translate domain names into the IP addresses of websites. Those DNS systems are typically well-protected, but home routers often are not.

Security firm Proofpoint wrote in a blog post Thursday that launching the attack via email was a novel approach since pharming is normally a network-based attack.

Twitter adds more reporting tools to curb abuse and improve safety

Twitter has added new reporting tools to help it fight abuse and protect users on its site.

The company took some steps in this direction late last year, when it made it easier to report harassment in tweets. Now it’s making it easier to report other behaviors including impersonation, self-harm and the sharing of private or confidential information. The changes will begin rolling out Thursday and should reach all users in the coming weeks.

As a result of the changes it made already, Twitter now reviews five times as many user reports as it did previously, the company said, and it has tripled the number of people who handle such reports at the company. It has also reduced its response time to a fraction of what it once was, the company says.

Some Bitdefender products break HTTPS certificate revocation

Aggressive adware applications that break the trust between HTTPS (HTTP Secure) websites and users have been at the center of controversy lately. But over the past week, HTTPS interception flaws of varying severity were also found in security programs, with products from antivirus vendor Bitdefender being the latest example.

Carsten Eiram, the chief research officer of vulnerability intelligence firm Risk Based Security, found that the latest versions of several Bitdefender products, namely Bitdefender Antivirus Plus, Bitdefender Internet Security and Bitdefender Total Security, do not check the revocation status of SSL certificates before replacing them with new ones that are signed using a root certificate installed locally. The products use this technique in order to scan encrypted HTTPS traffic for potential threats.

The Upload: Your tech news briefing for Thursday, February 26

Lenovo’s defaced website points to weakness in Net domain name system

Some hackers took Lenovo’s corporate web address for a joyride on Wednesday, redirecting traffic to a video stream showing an apparently bored teen sitting in his bedroom. The prank, like the hijacking of Google’s Vietnam site recently, highlights continued weakness in the Internet’s Domain Name System, which translates website names into IP addresses.

Samsung gets more woe over eavesdropping TVs

The fuss over data collected by voice-operated TVs made by Samsung Electronics is not going away, despite its efforts to minimize the issue. Now the Electronic Privacy Information Center is asking the U.S. Federal Trade Commission to investigate, in a complaint that says Samsung has violated federal law.

Like Google in Vietnam, Lenovo tripped up by a DNS attack

The redirection of both Lenovo’s website and Google’s main search page for Vietnam this week highlights weaknesses with the Internet’s addressing system.

On Wednesday, visitors to lenovo.com were greeted with what appeared to be webcam images of a bored young man sitting in a bedroom, and the song “Breaking Free” from an old Disney movie. On Monday, Google’s site for Vietnam also briefly redirected people to another website.

Both Google and Lenovo were victims of “domain hijacking,” a type of attack against the Domain Name System (DNS), which translates domain names into IP addresses that can be called into a browser.

Lenovo website hacked in wake of Superfish debacle

Lenovo’s website appeared to have been hacked Wednesday, possibly in retaliation for a piece of adware it installed on PCs that was found to have opened up a security hole.

Early Wednesday afternoon Pacific time, some visitors to lenovo.com were greeted with what looked like webcam images of a bored teenager sitting in a bedroom, and the song “Breaking Free” from an old Disney movie.

The source code for the webpage includes the line: “The new and improved rebranded Lenovo website featuring Ryan King and Rory Andrew Godfrey,” who have reportedly been connected to the hacker group Lizard Squad.

Lenovo didn’t immediately respond to a request for comment.

Europol and security vendors disrupt massive Ramnit botnet

European law enforcement agencies seized command-and-control servers used by Ramnit, a malware program that steals online banking credentials, FTP passwords, session cookies and personal files from victims.

Ramnit started out in 2010 as a computer worm capable of infecting EXE, DLL, HTM, and HTML files. However, over time it evolved into an information-stealing Trojan that’s distributed in a variety of ways.

Ramnit is capable of hijacking online banking sessions, stealing session cookies which can then be used to access accounts on various sites, copying sensitive files from hard drives, giving attackers remote access to infected computers and more.

Facebook fixed 61 high-severity flaws last year through its bug bounty program

As a result of reports received through its bug bounty program, Facebook confirmed and fixed 61 high-severity vulnerabilities last year, almost 50 percent more than in 2013.

Since 2011, the company has been paying monetary rewards to researchers who report flaws that could compromise the integrity or privacy of user data or could enable access to systems within its infrastructure.

While the minimum reward is US$500, there is no upper limit. The company decides how much to pay depending on a bug’s severity and sophistication. The program doesn’t cover only the facebook.com site and related services, but also other products that Facebook created or acquired, like Instagram, Parse, Onavo, Oculus, Moves and osquery.

Flaw in popular Web analytics plug-in exposes WordPress sites to hacking

WordPress site owners who have the WP-Slimstat plug-in installed should upgrade it to the latest version immediately in order to fix a critical vulnerability, security researchers warn.

WP-Slimstat, a Web analytics plug-in for WordPress, has been downloaded over 1.3 million times and is highly rated by users. The plug-in allows site owners to track returning visitors and registered users, monitor JavaScript events, detect intrusions, analyze email campaigns and more.

Researchers from Web security firm Sucuri found a vulnerability that stems from weak cryptographic key generation in WP-Slimstat versions 3.9.5 and lower. If attackers can determine the secret key used by the plug-in, they can launch blind SQL injection attacks that enable them to read sensitive information from the site’s database.

The Upload: Your tech news briefing for Wednesday, February 25

Hewlett-Packard lowers outlook as its struggles continue

Hewlett-Packard reported another quarter of declining sales and profit on Tuesday, and blamed a strong dollar as it lowered its outlook for the current quarter and the year. Revenue was $26.8 billion, down 5 percent from a year earlier, while net profit was down 4 percent to $1.4 billion. Sales in the personal systems group were flat, but declined in both the printing and enterprise services divisions.

Is Visa priming Europe for Apple Pay?

Gemalto says spies probably didn’t steal mobile phone encryption keys from it after all

SIM card maker Gemalto has dismissed recent reports that U.K. and U.S. spies obtained encryption keys protecting millions of mobile phones by hacking its network.

Secret documents revealed last week suggested that spies from the U.S. National Security Agency and the U.K. Government Communications Headquarters had stolen SIM card encryption keys from Gemalto, allowing them to intercept the conversations of millions of mobile phone users. The GCHQ documents, dating from 2010, were among those leaked by former NSA contractor Edward Snowden.

Google scraps annual Pwnium bug-hunting contest

Google is scrapping Pwnium, its annual bug hunting event, and folding it into an existing year-round program in part to reduce security risks.

The company held Pwnium annually at CanSecWest, a security conference in Vancouver, to find security problems in its Chrome OS, Chrome browser and affiliated applications.

But Tim Willis of the Chrome Security Team wrote in a blog post that the annual event isn’t best for either researchers or the company.

Anthem’s latest breach estimate says 78.8 million were affected

The Anthem data breach may have exposed 78.8 million records, according to a more finely tuned estimate by the health insurance company, but Anthem is still investigating exactly how many records hackers extracted from a database.

Hackers accessed a database at Anthem that contained customer and employee records with names, birth dates, Social Security numbers, addresses, phone numbers, email addresses and member IDs, the health insurance company said on Feb. 4. Some records included employment information and income levels, but no financial information was compromised, it said.

It marked one of the largest data breaches to affect the health care industry, adding to a string of recent attacks that have shaken large companies, including retailers Home Depot, Target and Michaels.

DOJ offers $3 million reward for Gameover Zeus botnet suspect

Two U.S. government agencies are offering a US$3 million reward for information leading to the arrest or conviction of a Russian man suspected of having served as an administrator for the destructive Gameover Zeus botnet.

The U.S. Department of Justice and the Department of State’s Transnational Organized Crime Rewards Program announced the reward for information about suspect Evgeniy Mikhailovich Bogachev on Tuesday. Bogachev is charged in the U.S. with several crimes related to Gameover Zeus, which targeted banking credentials and other personal information over a two-year period.

Gameover Zeus was responsible for more than 1 million computer infections, resulting in financial losses of more than $100 million, the DOJ said in a press release. The DOJ, working with law enforcement agencies from other countries, disrupted the botnet in mid-2014.

Reddit bans nude photos, sex videos posted without consent

Reddit, the online message board known for its users’ unrestrained posts, is going against its laissez-faire philosophy and moving to restrict an abusive form of sexual content.

Under a revised privacy policy going into effect on March 10, it will be officially prohibited for Reddit users to post naked photos and sex videos if they lack permission from the people depicted.

Affected people should email the company at [email protected] to expedite the removal of the offending photos or videos “as quickly as possible,” Reddit said in the policy.

Reddit, which bills itself as “the front page of the Internet,” has built its following of nearly 160 million users by letting them express themselves with various degrees of anonymity to communicate about any topic. The site’s “Ask Me Anything” discussions are popular threads.

Critical remote code execution flaw patched in Samba

Security researchers are urging users to install new Samba security updates in order to address a critical vulnerability that allows attackers to execute arbitrary code with root privileges.

Samba is an implementation of the SMB/CIFS networking protocol that enables Unix-like systems, including Linux, BSD, Solaris and Mac OS X, to share files and printers with Windows computers. It also allows such systems to be integrated into Microsoft Active Directory environments and even act as domain controllers.

The new vulnerability is located in the smbd file server and was discovered by Richard van Eeden of Microsoft Vulnerability Research.

“It can be exploited by a malicious Samba client, by sending specially-crafted packets to the Samba server,” the Red Hat security team said in a blog post. “No authentication is required to exploit this flaw. It can result in remotely controlled execution of arbitrary code as root.”