Oracle

Java Installer Flaw Shows Why You Should Clear Your Downloads Folder (csoonline.com) 45

itwbennett writes: On Friday, Oracle published a security advisory recommending that users delete all the Java installers they might have lying around on their computers and use new ones for versions 6u113, 7u97, 8u73 or later. The reason: Older versions of the Java installer were vulnerable to binary planting in the Downloads folder. 'Though considered relatively complex to exploit, this vulnerability may result, if successfully exploited, in a complete compromise of the unsuspecting user's system,' said Eric Maurice, Oracle's software security assurance director, in a blog post.
Security

Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) 132

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
Crime

Metel Hackers Roll Back ATM Transactions, Steal Millions (threatpost.com) 66

msm1267 writes: Researchers from Kaspersky Lab's Global Research & Analysis Team today unveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and also shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards of $1 billion from more than 100 financial companies. The heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known as Metel. This gang targets machines that have access to money transactions, such as call center and support machines, and once they are compromised, the attackers use that access to automate the rollback of ATM transactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on the stolen accounts remained untouched.
Security

Hackers Leak DHS Staff Directory, Claim FBI Is Next (csoonline.com) 76

itwbennett writes: On Sunday, the name, title, email address, and phone number of more than 9,000 DHS employees, with titles ranging from engineers, to security specialists, program analysts, InfoSec and IT, all the way up to director level were posted on Twitter. 'The account went on to claim that an additional data dump focused on 20,000 FBI employees was next,' writes CSO's Steve Ragan. The hacker told Motherboard that the data was obtained by "compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place."
Security

Neutrino Exploit Kit Has a New Way To Detect Security Researchers (csoonline.com) 39

itwbennett writes: [The Neutrino exploit kit] is using passive OS fingerprinting to detect visiting Linux machines, according to Trustwave researchers who found that computers they were using for research couldn't make a connection with servers that delivered Neutrino. Daniel Chechik, senior security researcher at Trustwave's SpiderLabs division wrote that they tried changing IP addresses and Web browsers to avoid whatever was causing the Neutrino server to not respond, but it didn't work. But by fiddling with some data traffic that Trustwave's computers were sending to the Neutrino server, they figured out what was going on.
Microsoft

Even With Telemetry Disabled, Windows 10 Talks To Dozens of Microsoft Servers (voat.co) 556

An esteemed reader writes: Curious about the various telemetry and personal information being collected by Windows 10, one user installed Windows 10 Enterprise and disabled all of the telemetry and reporting options. Then he configured his router to log all the connections that happened anyway. Even after opting out wherever possible, his firewall captured Windows making around 4,000 connection attempts to 93 different IP addresses during an 8 hour period, with most of those IPs controlled by Microsoft. Even the enterprise version of Windows 10 is checking in with Redmond when you tell it not to — and it's doing so frequently.
Botnet

Online Museum Displays Decades of Malware (thestack.com) 39

An anonymous reader writes: archive.org has launched a Museum of Malware, which devotes itself to a historical look at DOS-based viruses of the 1980s and 1990s, and gives viewers the opportunity to run the viruses in a DOS game emulator, and to download 'neutered' versions of the code. With an estimated 50,000 DOS-based viruses in existence by the year 2000, the Malware Museum's 65 examples should be seen as representative of an annoying, but more innocent era of digital vandalism.
Security

Avast SafeZone Browser Lets Attackers Access Your Filesystem (softpedia.com) 37

An anonymous reader writes: Just two days after Comodo's Chromodo browser was publicly shamed by Google Project Zero security researcher Tavis Ormandy, it's now Avast's turn to be publicly scorned for failing to provide a "secure" browser for its users. Called SafeZone, and also known as Avastium, Avast's custom browser is offered as a bundled download for all who purchase or upgrade to a paid version of Avast Antivirus 2016. This poor excuse of a browser was allowing attackers to access files on the user's filesystem just by clicking on malicious links. The browser wouldn't even have to be opened, and the malicious link could be clicked in "any" browser.
Government

UK Wants Authority To Serve Warrants In U.S. (usatoday.com) 142

schwit1 writes with this news, as reported by USA Today: British and U.S. officials have been negotiating a plan that could allow British authorities to directly serve wiretap orders on U.S. communications companies in criminal and national security inquiries, U.S. officials confirmed Thursday. The talks are aimed at allowing British authorities access to a range of data, from interceptions of live communications to archived emails involving British suspects, according to the officials, who are not authorized to comment publicly. ... Under the proposed plan, British authorities would not have access to records of U.S. citizens if they emerged in the British investigations. Congressional approval would be required of any deal negotiated by the two countries.
Education

K-12 CS Framework Draft: Kids Taught To 'Protect Original Ideas' In Early Grades 132

theodp writes: Remember that Code.org and ACM-bankrolled K-12 Computer Science Education Framework that Microsoft, Google, Apple, and others were working on? Well, a draft of the framework was made available for review on Feb. 3rd, coincidentally just 3 business days after U.S. President Barack Obama and Microsoft President Brad Smith teamed up to announce the $4+ billion Computer Science for All initiative for the nation's K-12 students. "Computationally literate citizens have the responsibility to learn about, recognize, and address the personal, ethical, social, economic, and cultural contexts in which they operate," explains the section on Fostering an Inclusive Computing Culture, one of seven listed 'Core K-12 CS Practices'. "Participating in an inclusive computing culture encompasses the following: building and collaborating with diverse computational teams, involving diverse users in the design process, considering the implication of design choices on the widest set of end users, accounting for the safety and security of diverse end users, and fostering inclusive identities of computer scientists." Hey, do as they say, not as they do! Also included in the 10-page draft (pdf) is a section on Law and Ethics, which begins: "In early grades, students differentiate between responsible and irresponsible computing behaviors. Students learn that responsible behaviors can help individuals while irresponsible behaviors can hurt individuals. They examine legal and ethical considerations for obtaining and sharing information and apply those behaviors to protect original ideas."
Security

MIT Reveals "Hack-Proof" RFID Chip (thestack.com) 53

JustAnotherOldGuy writes: A group of researchers at MIT and Texas Instruments claim that they have developed a new radio frequency identification chip that may be impossible to hack. Traditional RFID chips are vulnerable to side-channel attacks, whereby a hacker can extract a cryptographic key from the chip. The new RFID chip runs a random-number generator that creates a new secret key after each transaction. The key can then be verified with a server to ensure that it is correct. The group at MIT also incorporated protection against a power-glitch attack, an attack that would normally leave a chip vulnerable to an interruption of the power source that would in turn halt the creation of a new secret key. Texas Instruments CTO Ahmad Bahai stated, "We believe this research is an important step toward the goal of a robust, low-cost, low-power authentication protocol for the industrial internet." The question is, how long will it be before this "hack proof" chip is hacked?
Security

Anti-Malware Maker Files Lawsuit Over Bad Review (csoonline.com) 162

itwbennett writes: In a lawsuit filed January 8, 2016, Enigma Software, maker of anti-malware software SpyHunter, accuses self-help portal Bleeping Computer of making 'false, disparaging, and defamatory statements.' At issue: a bad review posted by a user in September, 2014. The lawsuit also accuses Bleeping Computer of profiting from driving traffic to competitor Malwarebytes via affiliate links: 'Bleeping has a direct financial interest in driving traffic and sales to Malwarebytes and driving traffic and sales away from ESG.' Perhaps not helping matters, one of the first donations to a fund set up by Bleeping Computer to help with legal costs came from Malwarebytes.
Government

Marco Rubio Wants To Permanently Extend NSA Mass Surveillance (nationaljournal.com) 346

SonicSpike writes: Marco Rubio wants Congress to permanently extend the authorities governing several of the National Security Agency's controversial spying programs, including its mass surveillance of domestic phone records. The Florida Republican and 2016 presidential hopeful penned an op-ed on Tuesday condemning President Obama's counterterrorism policies and warning that the U.S. has not learned the "fundamental lessons of the terrorist attacks of Sept. 11, 2001." Rubio called on Congress to permanently reauthorize core provisions of the post-9/11 USA Patriot Act, which are due to sunset on June 1 of this year and provide the intelligence community with much of its surveillance power. "This year, a new Republican majority in both houses of Congress will have to extend current authorities under the Foreign Intelligence Surveillance Act, and I urge my colleagues to consider a permanent extension of the counterterrorism tools our intelligence community relies on to keep the American people safe," Rubio wrote in a Fox News op-ed.
Cloud

CoreOS Launches Rkt 1.0 (eweek.com) 49

darthcamaro writes: Docker is about to get some real competition in the container runtime space, thanks to the official launch of rkt 1.0. CoreOS started building rkt in 2014 and after more than a year of security, performance and feature improvement are now ready to declare it 'production-ready.' While rkt is a docker runtime rival, docker apps will run in rkt, giving users a new runtime choice: "rkt will remain compatible with the Docker-specific image format, as well as its own native App Container Image (ACI). That means developers can build containers with Docker and run those containers with rkt. In addition, CoreOS will support the growing ecosystem of tools based around the ACI format."
Google

Google Targets Fake "Download" and "Play" Buttons (torrentfreak.com) 117

AmiMoJo writes: Google says it will go to war against the fake 'download' and 'play' buttons that attempt to deceive users on file-sharing and other popular sites. According to a new announcement from the company titled 'No More Deceptive Download Buttons', Google says it will expand its eight-year-old Safe Browsing initiative to target some of the problems highlighted above. 'You may have encountered social engineering in a deceptive download button, or an image ad that falsely claims your system is out of date. Today, we're expanding Safe Browsing protection to protect you from such deceptive embedded content, like social engineering ads,' the company says.
AI

Harnessing Artificial Intelligence To Build an Army of Virtual Analysts 41

An anonymous reader writes: PatternEx, a startup that gathered a team of AI researchers from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market. Their goal was to make a system capable of mimicking the knowledge and intuition of human security analysts so that attacks can be detected in real time. The platform can go through millions of events per day and can make an increasingly better evaluation of whether they are anomalous, malicious or benign.
Security

Push To Hack: Reverse Engineering an IP Camera (contextis.com) 35

New submitter tetraverse writes: For our most recent IoT adventure, we've examined an outdoor cloud security camera [the Motorola Focus 73] which like many devices of its generation a) has an associated mobile app b) is quick to set up and c) presents new security threats to your network. From the article: This blog describes in detail how we were able to exploit the camera without access to the local network, steal secrets including the home network's Wi-Fi password, obtain full control of the PTZ (Pan-Tilt-Zoom) controls and redirect the video feed and movement alerts to our own server; effectively watching the watchers.
Crime

Survey: Average Successful Hack Nets Less Than $15,000 (csoonline.com) 84

itwbennett writes: According to a Ponemon Institute survey, hackers make less than $15,000 per successful attack and net, on average, less than $29,000 a year. The average attacker conducts eight attacks per year, of which less than half are successful. Among the findings that will be of particular interest to defenders: Hackers prefer easy targets and will call off an attack if it is taking too long. According to the survey, 13 percent quit after a delay of five hours. A delay of 10 hours causes 24 percent to quit, a delay of 20 hours causes 36 to quit, and a majority of 60 percent will give up if an attack takes 40 additional hours. 'If you can delay them by two days, you can deter 60 percent of attacks,' said Scott Simkin, senior threat intelligence manager at Palo Alto Networks, which sponsored the study.
United States

Former DoE Employee Ensnared By Secret-Selling Sting Pleads Guilty (washingtonpost.com) 40

mdsolar writes: A former Energy Department employee accused of attempting to infiltrate the agency's computer system to steal nuclear secrets and sell them to a foreign government pleaded guilty Tuesday to a reduced charge of attempting to damage protected government computers in an email "spear-phishing attack." Charles Harvey Eccleston, a former employee at the department and at the independent Nuclear Regulatory Commission (NRC), was arrested March 27 by Philippine authorities after an undercover FBI sting operation. Eccleston, 62, a U.S. citizen who had been living in the Philippines since 2011, was "terminated" from his job at the NRC in 2010, according to the Justice Department. In January 2015, the department said, he targeted more than 80 Energy Department employees in Washington at four national nuclear labs with emails containing what he thought were links to malicious websites that, if activated, could infect and damage computers.
Programming

Winner of the 2015 Underhanded C Contest Announced (underhanded-c.org) 48

Xcott Craver writes: The Underhanded C contest results have now been announced. This time the contest challenge was to cause a false match in a nuclear inspection scenario, allowing a country to remove fissile material from a warhead without being noticed. The winner receives $1000 from the Nuclear Threat Initiative.
