Feed aggregator

British Airways Suspends Some Accounts Following Unauthorized Activity

Threatpost for B2B - Mon, 03/30/2015 - 15:22
British Airways, one of the U.K.'s biggest airlines, suspended some customers' frequent-flyer accounts this weekend after unauthorized activity on the accounts pointed to an apparent breach.

eBay Fixes File Upload and Patch Disclosure Bugs

Threatpost for B2B - Mon, 03/30/2015 - 13:41
eBay has fixed a pair of security vulnerabilities on its site that could enable attackers to upload executable files disguised as benign file types, construct full-path URLs to them, and then point victims at those URLs in drive-by download attacks. The first bug resulted from the failure of an eBay page to check the headers of image files uploaded by […]
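The first bug belongs to a well-known class: an upload endpoint that trusts the file extension (or the client-supplied Content-Type) rather than the file's own header bytes. The following is an added example of the check that closes that gap; it is not eBay's code and not from the Threatpost article, and the sample uploads in it are constructed.

```python
"""Content-based validation of image uploads.

Added example for the class of bug described above: an upload endpoint
that trusts the file extension (or the client's Content-Type) instead of
the file's own header bytes. Not eBay's code; the sample uploads are
constructed.
"""
import os
from typing import Optional, Tuple

# Published magic numbers of the image formats this endpoint accepts.
IMAGE_MAGIC = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Claimed extension -> the type the leading bytes must prove.
EXT_TO_TYPE = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type proven by the leading bytes, or None."""
    for kind, signatures in IMAGE_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def validate_upload_by_extension_only(filename: str, data: bytes) -> bool:
    """The weak check: an .exe renamed to .png sails through."""
    return os.path.splitext(filename)[1].lower() in EXT_TO_TYPE


def validate_upload(filename: str, data: bytes,
                    claimed_content_type: Optional[str] = None) -> Tuple[bool, str]:
    """Accept only when extension, header bytes and (if supplied) Content-Type agree."""
    ext = os.path.splitext(filename)[1].lower()
    expected = EXT_TO_TYPE.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "body does not start with a known image signature"
    if actual != expected:
        return False, f"extension claims {expected}, bytes prove {actual}"
    if claimed_content_type and claimed_content_type.lower() != f"image/{expected}":
        return False, f"Content-Type {claimed_content_type!r} disagrees with {expected}"
    return True, "ok"


# Constructed sample uploads (headers only; bodies are padding).
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
EXE_AS_PNG = b"MZ\x90\x00" + b"\x00" * 16   # Windows PE header, uploaded as photo.png
GIF_AS_PNG = b"GIF89a" + b"\x00" * 16       # real image, but not the claimed type

if __name__ == "__main__":
    for name, body in (("photo.png", PNG_OK), ("photo.png", EXE_AS_PNG),
                       ("photo.png", GIF_AS_PNG), ("tool.exe", EXE_AS_PNG)):
        weak = validate_upload_by_extension_only(name, body)
        strict, reason = validate_upload(name, body)
        print(f"{name:10} weak={weak!s:5} strict={strict!s:5} {reason}")
```

A magic-byte check stops a renamed executable, but not a polyglot that is simultaneously a valid image and a valid script, so it belongs alongside server-side re-encoding of accepted images, serving uploads from a separate origin with a fixed Content-Type and `X-Content-Type-Options: nosniff`, and never mapping the upload directory to anything that executes.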

Hackers Selling Uber Credentials on Underground Market

Threatpost for B2B - Mon, 03/30/2015 - 12:57
Uber user credentials are on sale on underground hacking forums, but the ride-hailing company says it has found no evidence of a breach of its systems.

DDoS Attack Against GitHub Continues After More Than Four Days

Threatpost for B2B - Mon, 03/30/2015 - 10:55
More than four days after it began, the massive DDoS attack on GitHub is still ongoing. The attack has evolved significantly since it started and GitHub officials said they believe that the goal of the operation is to force the site to remove some specific content. In the evening hours of March 25, DDoS attack […]

Ad Networks Ripe for Abuse Via Malvertising

Threatpost for B2B - Mon, 03/30/2015 - 10:05
Criminals have found a safe haven in abusing legitimate advertising-network processes, such as real-time bidding, to deliver exploits and malware and to build botnets and fraud campaigns.

iOS, OS X Library AFNetworking Patches MiTM Vulnerability

Threatpost for B2B - Fri, 03/27/2015 - 14:56
Until yesterday, AFNetworking, a popular networking library for iOS and OS X used by apps such as Pinterest and Simple, was susceptible to SSL man-in-the-middle (MiTM) attacks because it did not validate the server's TLS certificate.

Slack Discloses Breach of Its User Profile Database, Implements 2FA

Threatpost for B2B - Fri, 03/27/2015 - 14:49
Collaboration provider Slack disclosed that a database storing its user profile information was breached. The intrusion has been stopped, and Slack announced that it has rolled out two-factor authentication.

FBI Pleads For Crypto Subversion in Congressional Budget Hearing

Threatpost for B2B - Fri, 03/27/2015 - 13:49
FBI Director James Comey pleads with Congress to create a law that would allow law enforcement access to encrypted mobile communications on Android and Apple devices.

GitHub Hit With DDoS Attack

Threatpost for B2B - Fri, 03/27/2015 - 11:54
A large-scale DDoS attack, apparently emanating from China, has been hammering the servers at GitHub over the course of the last 12 hours, periodically causing service outages at the code-sharing and collaboration site.

Threatpost News Wrap, March 27, 2015

Threatpost for B2B - Fri, 03/27/2015 - 11:50
Dennis Fisher and Mike Mimoso discuss the news of the week, including the Android app-replacement vulnerability, the Windows privilege-escalation bug, and the Yahoo transparency report and the company's crypto efforts.

Schneider Electric Patches Easily Exploitable Bugs in HMI Products

Threatpost for B2B - Fri, 03/27/2015 - 11:01
A series of credential and authentication vulnerabilities in two of Schneider Electric's HMI products could allow an attacker who exploits them to run arbitrary code.

CanSecWest 2015: everything is hackable

Secure List feed for B2B - Fri, 03/27/2015 - 09:48

Last week, we had the privilege to participate in and present at the 15th edition of CanSecWest in beautiful Vancouver, BC, along with its famous accompaniment, the Pwn2Own competition. Yes, once again all major browsers were hacked, but they were not alone! BIOS and UEFI, 4G modems, fingerprints, credentials, virtual machines, and operating systems were among the systems our fellow presenters successfully compromised.

The event gathers a very technical audience with a shared interest in the most recent attacks, and the presenters delivered: a variety of demos showcased the vulnerabilities beautifully and reinforced the conclusion that enough digital voodoo can turn obscure, seemingly innocuous bugs into mind-numbingly cunning attacks.

One of the most discussed presentations, and certainly one of our favorites, showcased the power of BIOS and UEFI hacking: Corey Kallenberg and Xeno Kovah of LegbaCore, armed with $2,000 and four weeks of hard work, showed that a long list of vendor BIOSes were not only vulnerable but could be loaded with LightEater, an implant running in System Management Mode (the processor mode that executes below the operating system and hypervisor) and capable of pilfering sensitive information from a running Tails OS, then exfiltrating it in a way that bypasses the OS entirely. We clearly agree with their conclusion: it's time to start taking a harder look at firmware!

Firmware insecurity: absence of evidence is not evidence of absence

One very practical attack is the well-known 'evil maid' or 'border guard' approach: someone with brief physical access to your computer can plug in a small device (pictured below) and reflash your system's BIOS, rewriting it with malicious code, without so much as booting the system.

[Photo caption] Press a button and in a few seconds the handy green light will indicate the BIOS is p0wned
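Before worrying about the hardware path in the photo, a practitioner will want to know whether the BIOS region can be reflashed from software at all, which on Intel platforms comes down to a handful of chipset register bits. The following is an added example, not from the CanSecWest talk or from LegbaCore's tooling. It assumes an Intel ICH/PCH platform where BIOS_CNTL is the byte at PCI device 00:1f.0 offset 0xDC and the SPI Protected Range registers PR0..PR4 use the 7-series layout (13-bit base and limit fields in 4 KiB units); the register values it audits are constructed, as is the assumed BIOS region of the top 4 MiB of a 16 MiB flash part.

```python
"""Decode the chipset registers that decide whether the BIOS region can be
reflashed from software.

Added example, not from the CanSecWest talk or LegbaCore's tooling. It
assumes an Intel ICH/PCH platform where BIOS_CNTL is the byte at PCI
device 00:1f.0 offset 0xDC and the SPI Protected Range registers
PR0..PR4 use the 7-series layout (13-bit base/limit fields in 4 KiB
units). The register values used here are constructed; on a real box
they would be read as root (e.g. BIOS_CNTL via `setpci -s 00:1f.0 dc.b`).
"""
from typing import Dict, Iterable, List

# BIOS_CNTL bit fields
BIOSWE = 1 << 0   # BIOS Write Enable: software may write the BIOS region
BLE = 1 << 1      # BIOS Lock Enable: setting BIOSWE raises an SMI so the
                  # firmware's SMI handler can clear it again
SMM_BWP = 1 << 5  # SMM BIOS Write Protect: writes only while all cores are in SMM


def classify_bios_cntl(value: int) -> str:
    """Protection level implied by a BIOS_CNTL value."""
    if value & SMM_BWP:
        return "protected"   # a write needs SMM regardless of BIOSWE/BLE
    if (value & BLE) and not (value & BIOSWE):
        return "ble-only"    # only the SMI handler stands between the OS and the flash
    return "writable"        # OS-level code can reflash the BIOS region


def decode_pr(reg: int) -> Dict[str, int]:
    """Decode one PRx register into a byte range plus its protection flags."""
    return {
        "wpe": (reg >> 31) & 1,                           # Write Protection Enable
        "rpe": (reg >> 15) & 1,                           # Read Protection Enable
        "base": (reg & 0x1FFF) << 12,                     # bits 12:0 = flash addr bits 24:12
        "limit": (((reg >> 16) & 0x1FFF) << 12) | 0xFFF,  # bits 28:16, inclusive
    }


def write_protected(pr_regs: Iterable[int], start: int, length: int) -> bool:
    """True if every 4 KiB page in flash [start, start+length) lies in a WPE range."""
    ranges = [r for r in map(decode_pr, pr_regs) if r["wpe"]]
    page = start & ~0xFFF
    while page < start + length:
        if not any(r["base"] <= page <= r["limit"] for r in ranges):
            return False
        page += 0x1000
    return True


def audit(bios_cntl: int, pr_regs: Iterable[int],
          bios_region=(0xC00000, 0x400000)) -> List[str]:
    """Findings for one platform; an empty list means both protections hold.

    bios_region is the flash offset/size of the BIOS region (constructed:
    top 4 MiB of a 16 MiB part); real values come from the flash descriptor.
    """
    findings = []
    level = classify_bios_cntl(bios_cntl)
    if level != "protected":
        findings.append(f"BIOS_CNTL=0x{bios_cntl:02x}: BIOS region is {level} (SMM_BWP clear)")
    if not write_protected(pr_regs, *bios_region):
        findings.append("no SPI protected range with WPE covers the whole BIOS region")
    return findings


if __name__ == "__main__":
    # Constructed register dumps for three machines.
    PR_TOP_4MB = 0x8FFF0C00   # WPE=1, base 0xC00000, limit 0xFFFFFF
    for label, cntl, prs in (("locked-down", 0x22, [PR_TOP_4MB, 0, 0, 0, 0]),
                             ("BLE only",    0x02, [0, 0, 0, 0, 0]),
                             ("wide open",   0x01, [0, 0, 0, 0, 0])):
        print(label, audit(cntl, prs) or ["OK"])
```

These registers only govern writes issued through the chipset by software running on the machine. A programmer wired directly to the SPI flash chip, as in the photo above, talks to the part without the chipset's involvement and bypasses every one of them, which is why that path can only be caught by measuring the firmware (for example into a TPM) rather than by locking the registers.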

Another very interesting presentation, by Jan "starbug" Krissler, showed how high-resolution photos can bypass biometric authentication. Pictures taken with high-resolution cameras from a safe distance amounted to the successful theft of the fingerprints, faces, and irises that current biometric systems use for authentication, and the distance can be extended further with infrared imaging! We spent the talk imagining the breach possibilities, as an increasing number of ATMs nowadays rely on biometric input.

[Photo caption] Please authenticate access to your bank account using a password you can never change: your fingerprint

We also saw presentations on OS X dylib hijacking (the Mac counterpart of Windows DLL hijacking), userland exploits on iOS 8, attacks using Windows PowerShell, and even the installation of a bootkit in a 4G modem by simply sending an SMS! All of this was sandwiched between talks on the work of the ever-fascinating Google Project Zero team; in one of them, Chris Evans walked the audience through how a 'simple' crash caused by a call with a negative length became a working exploit against Adobe Flash Player.

Our own presentation was a walkthrough of the misuse of whitelisted tools to further all kinds of attacks, from APTs and targeted attacks to banking trojans and ransomware. This ongoing project is intended to highlight the shaky foundations of the whitelisting approach to security: whitelisting alone simply won't protect you from advanced and intermediate attackers alike! Stay tuned for a post on our findings.

In the end, we came away with a broader view of the true breadth of vulnerable software and hardware on which we depend daily. Security is a truly elusive state in an ecosystem composed of interwoven, dependent systems, each responding to the diverging priorities of a developer, an administrator, a user, and, of course, an attacker. The role of the security researcher who lives and breathes attack vectors and obscure vulnerabilities in search of the right digital voodoo has never been more important. And we can't help but echo the sentiments of Dragos Ruiu and our own Eugene Kaspersky in thanking CanSecWest for bringing all these researchers under one roof and one banner to share that digital voodoo and successfully stave off the balkanization of our industry just a while longer.

Hotel Internet Gateways Patched Against Remote Exploit

Threatpost for B2B - Thu, 03/26/2015 - 14:50
A critical vulnerability in InnGate, a popular hotel and convention center Internet gateway from AntLabs, has been patched. The flaw gave attackers read and write access to the devices from the Internet.

MIT Researchers Debut Debugger for Integer Overflows

Threatpost for B2B - Thu, 03/26/2015 - 14:38
Students from M.I.T. have devised a new way to scour raw code for integer overflows.

U.S. Government Requests for Yahoo User Data Drop

Threatpost for B2B - Thu, 03/26/2015 - 13:17
Yahoo received nearly 5,000 requests for user data from the United States government in the last six months of 2014 and disclosed some content in nearly 25 percent of those cases.

Denial of Service and Memory Vulnerabilities Patched in Cisco IOS

Threatpost for B2B - Thu, 03/26/2015 - 12:15
Cisco released its semiannual set of patches for its Cisco IOS router and switch operating system. The patches address 16 vulnerabilities.