Submission + - Victim Groups in Target Breach 'Not Linked' (threatpost.com)

msm1267 writes: Giant retailer Target has clarified that the partial personal information--including names, addresses, phone numbers and email addresses--of another 70 million individuals was also stolen during a two-week-long breach of its systems starting the day before Thanksgiving. Target said: "These are two distinct groups and are not linked. While there may be some overlap between the two groups (the 40 million and the 70 million), we don't know to what extent at this time."

Submission + - Mobile Banking Apps for iOS Woefully Insecure (threatpost.com)

msm1267 writes: Mobile banking applications fall short on their use of encryption, validation of digital certificates and two-factor authentication, putting financial transactions at risk worldwide. An examination of 40 iOS mobile banking apps from 60 leading banks worldwide revealed a slew of security shortcomings that also included hard-coded development credentials discovered during a static analysis of app binaries. It's a mess, and to date, most of the banks have been informed and none have provided feedback indicating the vulnerabilities were patched.
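
The "static analysis of app binaries" that turns up hard-coded credentials usually starts with the `strings` step followed by pattern matching. The following is an added example (not IOActive's tooling and not code from the submission) that re-implements that first pass in Python over a constructed byte blob standing in for an app binary; the sample bytes, the hostnames and the credential patterns are assumptions for illustration. On a real binary, pass the file contents to `scan_binary`.

```python
"""First-pass static check of an app binary for hard-coded credentials and
cleartext endpoints. Added example; the sample blob and patterns are
assumptions made for illustration, not anything found in a real app."""
import re

# Constructed stand-in for a Mach-O binary: non-printable bytes with a few
# embedded NUL-terminated strings of the kind a static scan turns up.
SAMPLE_BINARY = (
    b"\xcf\xfa\xed\xfe\x07\x00\x00\x01" + b"\x00\x01" * 6
    + b"https://api.bank.example.test/v1/login\x00"
    + b"http://dev.bank.example.test/debug\x00"
    + b"https://devuser:Hunter2!@staging.bank.example.test/\x00"
    + b"\x00\x90\x90"
    + b"password=changeme\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00"   # AWS documentation example key id
    + b"OK\x00"
)

MIN_LEN = 6


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


# Each entry is (finding type, compiled regex). Tuned for recall; a human
# still triages the hits.
PATTERNS = [
    ("userinfo-in-url", re.compile(r"^[a-z]+://[^/\s:@]+:[^/\s@]+@")),
    ("cleartext-endpoint", re.compile(r"^http://")),
    ("password-assignment",
     re.compile(r"(?i)(passw(or)?d|secret|api[_-]?key)\s*[=:]\s*\S+")),
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
]


def scan_binary(blob: bytes):
    """Return (finding type, matched string) pairs in binary order."""
    findings = []
    for s in extract_strings(blob):
        for kind, rx in PATTERNS:
            if rx.search(s):
                findings.append((kind, s))
    return findings


if __name__ == "__main__":
    for kind, s in scan_binary(SAMPLE_BINARY):
        print(f"{kind:22} {s}")
```

The `cleartext-endpoint` pattern is what catches the encryption shortfall the submission mentions: an `http://` URL baked into the binary means at least one call will never be protected by TLS regardless of how carefully certificates are validated elsewhere.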

Submission + - Target Ups Breach Victim Total To 70 Million (networkworld.com)

netbuzz writes: Target this morning issued an update regarding its recent catastrophic data breach that increases the number of customers victimized from 40 million to 70 million. The company also reported that even more information had been stolen than previously believed. In addition, and not surprisingly, Target told the investment world that sales are down this quarter.

Submission + - Majority of Mac OS users not getting security updates

AmiMoJo writes: According to security company Sophos around 55% of home users and 18% of enterprise users have updated to Mavericks, the latest version of Mac OS (10.9). Unfortunately Apple appears to have stopped providing security updates for older versions. Indeed, they list Mavericks itself as a security update. This means that the majority of users are no longer getting critical security patches. Sophos recommends taking similar precautions to those recommended for people who cannot upgrade from Windows XP.

Submission + - Blackhole Exploit Kit Successor Years Away (threatpost.com)

msm1267 writes: The Blackhole Exploit Kit has been out of commission since October when its alleged creator, a hacker named Paunch, was arrested in Russia. The kit was a favorite among cybercriminals who took advantage of its frequent updates and business model to distribute financial malware to great profit. Since the arrest of Paunch, however, a viable successor has yet to emerge--and experts believe one will not in the short term. This is partially the reason for the increase in outbreaks of ransomware such as CryptoLocker as hackers aggressively attempt to recover lost profits.

Submission + - How to Create a Better Malware Warning Through Psychology (threatpost.com)

msm1267 writes: Generic malware warnings that alert computer users to potential trouble are largely ineffective and often ignored. Researchers at Cambridge University, however, have proposed a change to the status quo, believing instead that warnings should be re-architected to include concrete, specific warnings that are not technical and rely less on fear than current alerts.

Submission + - Windows Crash Reports Unencrypted and Unencumbered (threatpost.com)

msm1267 writes: The NSA uses its XKeyscore spying tool to find Windows Error Reporting crash reports, which are sent in the clear to Microsoft. The information is used to fingerprint machines for compromise, and is a treasure trove of system and application data for not only the spy agency, but for hackers as well who may have compromised an upstream proxy or ISP.
The best countermeasure, since the feature is on by default post-Windows XP, is a change to a Group Policy setting that forces that initial transmission to be encrypted. However, 80 percent of the billion-plus Windows machines on the planet participate in the program and send this sensitive data in the clear.

Submission + - The Shadowy Darknet will be the Only Truly World-wide Web (ibtimes.co.uk)

DavidGilbert99 writes: “The shadowy Darknet then will be the only truly world-wide web” — this is the view of Alexander Gostev, chief security expert at Kaspersky Lab who believes the fallout from Edward Snowden's leaks may lead at some point to the "collapse of the current Internet, which will break into dozens of national networks."

Submission + - Facebook is "dead and buried" to young users (telegraph.co.uk)

JoeyRox writes: The recent decline in Facebook's popularity with teenagers appears to be worsening. A Global Social Media Impact study of 16-to-18-year-olds found that many considered the site "uncool" and keep their profiles alive only to keep in touch with older relatives, for whom the site remains popular. Researchers say teens have switched to using WhatsApp, Snapchat, and Twitter in place of Facebook.

Submission + - EBay Vulnerable to Account Hijacking via XSRF (threatpost.com)

msm1267 writes: eBay users remain vulnerable to account hijacking nearly five months after it was initially informed of a cross-site request forgery flaw by a U.K. security researcher. eBay has three times communicated to the researcher that the code causing the XSRF situation has been fixed, but it still remains vulnerable to his exploit.

The attack allows a hacker who lures a victim to a website hosting the exploit to change the user's contact information necessary to perform a password reset. The hacker eventually is able to log in as the victim and make purchases on their behalf.
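
The mechanism described above, as an added example that is not part of the submission and is not eBay's code: a toy profile-update handler, first trusting the session cookie alone (so a form on any third-party page can change the reset e-mail once the victim's browser attaches the cookie), then hardened with a per-session synchronizer token and an Origin check. Requests are plain dicts and the hostnames are made up so the example runs offline.

```python
"""CSRF against a 'change contact e-mail' endpoint: vulnerable handler
beside a hardened one. Added example; request shape, session store and
hostnames are assumptions for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    email: str
    # Token a third-party page cannot read (same-origin policy keeps it
    # out of reach of the attacker's site).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS = {}  # session id -> Session (hypothetical server-side store)

SITE_ORIGIN = "https://www.example.test"


def make_request(session_cookie, form, origin=None):
    """Hypothetical request: cookies ride along with every request, which
    is exactly what makes CSRF possible; form fields come from whoever
    built the form; Origin is set by the browser, not the page."""
    return {"cookies": {"sid": session_cookie}, "form": form,
            "headers": {"Origin": origin} if origin else {}}


def login(user, email):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, email)
    return sid


def update_email_vulnerable(req):
    """Trusts the session cookie alone: any page can forge this POST."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    sess.email = req["form"]["email"]
    return 200


def update_email_hardened(req):
    """Rejects the request unless it carries the session's token and, when
    the browser sent an Origin header, the origin is our own site."""
    sess = SESSIONS.get(req["cookies"].get("sid"))
    if sess is None:
        return 401
    origin = req["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    token = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403
    sess.email = req["form"]["email"]
    return 200


def attacker_form(new_email):
    """What the malicious page's auto-submitting form posts: it knows the
    field names but not the victim's token."""
    return {"email": new_email}


def demo():
    """Run the forged request against both handlers, then a legitimate one."""
    sid = login("victim", "victim@example.test")
    # Victim visits the attacker's page; the browser attaches the cookie.
    forged = make_request(sid, attacker_form("attacker@evil.test"),
                          origin="https://evil.test")
    v_status = update_email_vulnerable(forged)
    v_email = SESSIONS[sid].email
    SESSIONS[sid].email = "victim@example.test"   # reset for the second run
    h_status = update_email_hardened(forged)
    h_email = SESSIONS[sid].email
    # Same-site form rendered by the server includes the token.
    legit = make_request(sid, {"email": "new@example.test",
                               "csrf_token": SESSIONS[sid].csrf_token},
                         origin=SITE_ORIGIN)
    l_status = update_email_hardened(legit)
    return {"vulnerable": (v_status, v_email),
            "hardened_forged": (h_status, h_email),
            "hardened_legit": (l_status, SESSIONS[sid].email)}


if __name__ == "__main__":
    print(demo())
```

Once the reset address is the attacker's, the rest of the chain in the submission (request a password reset, log in, buy things) needs no further trick. Note that "the code has been fixed" is easy to get wrong if the token is checked on the form page but not on the endpoint that actually performs the update; the check belongs on the state-changing request.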

Submission + - Safari Stores Previous Browsing Session Data Unencrypted (threatpost.com)

msm1267 writes: Users of Apple’s Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions.

The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab’s Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn’t much of a hurdle for a determined attacker.

“The complete authorized session on the site is saved in the plist file in full view despite the use of https,” said researcher Vyacheslav Zakorzhevsky on the Securelist blog. “The file itself is located in a hidden folder, but is available for anyone to read.”
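
A plist is just a serialized dictionary, so anything that can read the file can walk it. The following is an added example, not Safari's code and not Kaspersky's tooling: it builds a small XML plist in memory whose layout (SessionWindows, TabStates, TabURL, SessionState, FormData) is an assumption made for illustration, then reports which restored tabs expose HTTPS state. A real session-restore plist can be handed to `audit_session_plist` the same way, with the key names adjusted to whatever the file actually contains.

```python
"""Audit a browser session-restore plist for HTTPS state stored in clear.
Added example; the sample plist and its key names are assumptions."""
import plistlib
from urllib.parse import urlsplit

# Constructed sample: two tabs, one of them an authenticated HTTPS session
# whose restore blob (a fake stand-in here) is readable by anyone who can
# read the file, hidden folder or not.
SAMPLE_PLIST = {
    "SessionWindows": [
        {
            "TabStates": [
                {
                    "TabURL": "https://bank.example.test/accounts?session=abc123",
                    "TabTitle": "My accounts",
                    "SessionState": b"\x00fake-serialized-session-with-cookies",
                    "FormData": {"username": "alice"},
                },
                {
                    "TabURL": "http://news.example.test/",
                    "TabTitle": "News",
                    "SessionState": b"",
                },
            ]
        }
    ]
}


def sample_plist_bytes():
    """Serialize the constructed sample as XML plist, as it would sit on disk."""
    return plistlib.dumps(SAMPLE_PLIST, fmt=plistlib.FMT_XML)


def audit_session_plist(data: bytes):
    """Return one finding per restored tab whose URL is HTTPS.

    Each finding records the host, whether the URL carries query parameters
    (session identifiers often live there), the size of the opaque session
    blob, and the names of any form fields saved alongside it.
    """
    plist = plistlib.loads(data)
    findings = []
    for window in plist.get("SessionWindows", []):
        for tab in window.get("TabStates", []):
            parts = urlsplit(tab.get("TabURL", ""))
            if parts.scheme != "https":
                continue
            blob = tab.get("SessionState", b"")
            findings.append({
                "host": parts.hostname,
                "query_params": bool(parts.query),
                "state_bytes": len(blob),
                "form_fields": sorted(tab.get("FormData", {})),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_session_plist(sample_plist_bytes()):
        print(finding)
```

The point of the exercise is that TLS only protects the session on the wire; once the browser writes the restore state to disk unencrypted, file-system access (another local user, a backup, or malware running as the user) is all an attacker needs.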

Submission + - ASLR Bypass Patch Merits Closer Look (threatpost.com)

msm1267 writes: As expected, Microsoft did today patch a zero-day in its GDI+ graphics component (MS13-096) reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins—five critical—released as part of the December 2013 Patch Tuesday security updates.

While there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated “important” by Microsoft.

MS13-106 takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. Attackers hosting a malicious exploit online can trigger the vulnerability in the hxds.dll that enables a bypass of ASLR or Address Space Layout Randomization, a security feature in Windows that mitigates memory corruption exploits.

Submission + - IE Cross-Site Scripting Bypass Discovered (threatpost.com)

msm1267 writes: A weakness has been discovered in the reflective cross-site scripting filter present in Internet Explorer since IE 8 that could enable an attacker to trick the browser into executing malicious code as trusted. The problem going forward is twofold: everything occurring in the bypass method is accepted as part of the official HTML standard going back at least 15 years; and Microsoft said it will not work on a fix for the flaw.

Submission + - How the NSA Could Be Beating SSL (threatpost.com)

msm1267 writes: Noted cryptographer Matthew Green of Johns Hopkins University proposed a number of practical and elaborate scenarios explaining how SSL could be subverted or suborned. He also suggests that there’s no time like the present to get away from RSA keys and consider alternatives such as perfect forward secrecy and even Elliptic Curve Cryptography.
