Threatpost for B2B
China has been blamed for cyberattacks on every major industrial base in the United States—and even in some corners for the Super Bowl blackout. But most of it has been rampant speculation coupled with the lacing together of a number of loose ends. Examples of the kind of direct attribution to the People’s Liberation Army (PLA) presented in a report today by security company Mandiant have been rare.
Laptops belonging to several Facebook employees were compromised recently and infected with malware that the company said was installed through the use of a Java zero-day exploit that bypassed the software's sandbox. Facebook claims that no user data was affected by the attack and says that it has been working with law enforcement to investigate the attack, which also affected other unnamed companies.
Hackers and data recovery specialists alike could soon be turning to a new technique that under the right conditions can allow for the harvesting of personal information from phones, even after they’ve been frozen.
Passwords are the keys to our online identities, and as a result, they're also near the top of the target list for attackers. There have been countless breaches in the last few years in which unencrypted passwords have been stolen from a database and leaked online, and security experts often shake their heads at the lack of use of encryption or even hashing for passwords. Now, a group of cryptographers is sponsoring a competition to come up with a new password hash algorithm to help improve the state of the art.
Good passwords are hard to remember while passwords that are easily remembered are often just as easily guessed. Therein lies the reason passwords are such a security headache. The race to replace passwords is ever-present in the security industry, and the newest entrant is the smart-watch.
UPDATE - With enough work, users can bypass the lockscreen on Apple’s ubiquitous iPhone by exploiting a flaw on its most recent operating system iOS 6.1. By simply making an emergency call and holding down the power button on an iPhone twice, users can gain access to the device’s phone feature, view and edit contacts, check voicemail and look through photos, according to reports today.
Researchers have noticed a spike in cyberattacks over the past few weeks targeting the Uyghur people, a Turkic ethnic group based primarily in China and Kazakhstan. The attacks have been exploiting a Microsoft Word vulnerability patched in June 2009, according to a Securelist post by Kaspersky Lab Senior Security Researcher Costin Raiu yesterday.
Adobe released an advisory yesterday suggesting a manual mitigation for zero-day vulnerabilities in its Reader and Acrobat products that are being actively exploited in the wild. The exploit is the first sandbox escape in Adobe Reader X and above.
A group of large certificate authorities, including some that have been the victims of recent compromises of their CA systems, has formed an alliance designed to develop strategies for strengthening the CA infrastructure through education and industry initiatives. Comodo, DigiCert, Entrust, Symantec, Go Daddy and other companies announced the alliance on Thursday.
There is a set of easily exploited vulnerabilities in the appliances used in the emergency alert system (EAS) that could be used by attackers to log in to these boxes remotely and send fake emergency alerts like the one that interrupted a TV broadcast in Montana on Monday. The vulnerabilities include authentication bypasses and other bugs that a researcher says can be used to compromise the ENDEC machines that are responsible for sending out alerts over the EAS on TV and radio.
Android application developer Dan Nolan claims that the Google Play store sends software developers the names, approximate locations, and email addresses of every individual who downloads one of their applications.
The Industrial Control System CERT released an advisory this week warning of a vulnerability in a popular sensor monitoring system used in a number of critical industries, including energy, water and manufacturing.
The open source web app framework Ruby on Rails patched two security flaws this week that could have led to denial-of-service attacks and remote execution.
The Government Accountability Office has determined that the Federal Communications Commission failed to properly implement necessary security controls in the initial phases of its Enhanced Secured Networks project, and, as a result, FCC data remains vulnerable to “unnecessary risk of inadvertent or deliberate misuse, improper disclosure, or destruction.”
The executive order that President Barack Obama signed yesterday in advance of his State of the Union Address contains a lot of provisions for information sharing on attacks and threats on critical infrastructure, and also calls for the development of a framework to reduce cybersecurity risks in federal agencies and critical infrastructure. What the order does not include are any mandates, required changes or a plan for significant action.
UPDATE - Attackers are using malicious PDFs posing as an application for an international travel visa to exploit a zero-day vulnerability in Adobe Reader and Acrobat, a researcher at FireEye told Threatpost today. The exploit is the first to escape the sandbox included in Reader X and above.
For all intents and purposes, the Heartland Payment Systems data breach saga ended more than two years ago when the embattled payment processor finalized settlements paying out millions of dollars to various banks, credit card issuers and consumers. That is, until a handful of banks reportedly requested that the Fifth Circuit reopen their negligence case stemming from the 2008 breach.
What's better than one Flash Player update a week? Why, two, of course.
Adobe released its regularly scheduled security updates today, including another set of fixes for its ubiquitous Flash Player, less than a week after an emergency patch took care of two zero-day vulnerabilities being exploited in the wild.
Internet Explorer continues to dominate Microsoft’s 2013 security updates. Among the 12 bulletins and 57 vulnerabilities patched in today’s release was a cumulative update for the maligned browser and another fix for a bug being exploited in the wild.