Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Submission + - Popular Wordpress Plugin Leaves Sensitive Data in the Open (securityledger.com)

chicksdaddy writes: "A security researcher is warning WordPress uses that a popular plugin may leave sensitive information from their blog accessible from the public Internet with little more than a Google search.

The researcher, Jason A. Donenfeld, who uses the handle “zx2c4” posted a notice about the add-on, W3 Total Cache on the Full Disclosure security mailing list on Sunday, warning that many WordPress blogs that had added the plugin had directories of cached content that could be browsed by anyone with a web browser and the knowledge of where to look. The content of those directories could be downloaded, including directories containing sensitive data like password hashes, Donenfeld wrote.

W3 Total Cache is described as a “performance framework” that speeds up web sites that use the WordPress content management system by caching site content, speeding up page loads, downloads and the like. The plugin has been downloaded 1.39 million times and is used by sites including mashable.com and smashingmagazine.com, according to the WordPress web site."


Submission + - Spammers abusing Google Rich Snippets for Black Hat SEO (securityledger.com)

chicksdaddy writes: "What’s hot in spamming circles today? Google’s “rich snippets” microdata and micro formatting technology, which is being used to make compromised spam sites look legitimate.
Writing on the Unmask Parasites blog, (http://blog.unmaskparasites.com/2012/12/20/rich-snippets-in-black-hat-seo/) Denis Sinegubko said that spammers are using the ability of the Google search engine to parse so-called “structured data” in what he describes as a “massive SEO” campaign involving compromised WordPress and Joomla web sites.
He says Google’s “rich snippets” ratings microdata figures prominently in the scam. After compromising the legitimate “doorway” web sites, the hackers install PHP code that is used to “cloak” the site: detecting search engine crawlers and replacing keywords and site content with SEO-optimized spam content. Part of the content that is added are special "ratings" microdata that Google treats as legitimate and converts into ratings that appear in search results list. For unsuspecting users, the result is that compromised sites display what appear to be legitimate user reviews that make the link in question look legitimate and popular.

It is unclear whether Google is aware of the misuse of the rich snippets microdata feature. According to information posted online, rich snippets are supposed to reflect the actual content of the site, but Security Ledger writes that it appears that Google isn't bothering to scrutinize the "ratings" to see if they're legitimate."


Submission + - Citing Facebook, Mobile Devices, FTC revamps Child Privacy Online Act (securityledger.com)

chicksdaddy writes: "Social networks like Facebook and mobile devices like the iPhone have fundamentally changed the way children use the Internet, requiring a whole new set of online privacy protections for vulnerable minors.
That was the message on Wednesday as the U.S. Federal Trade Commission (FTC) issued new guidelines for implementing the Children’s Online Privacy Protection Act (COPPA).

Among other things, the changes expand the list of information that cannot be collected from children without parental consent to include photographs, videos and audio recordings of children and geo-location information.

“Unless you get parental consent, you may not track children and use their information to build massive profiles of online behavior,” said FTC Chairman Leibowitz.

The new rules are a major revision to the COPPA rule, which was first passed in 1998. The law is a kind of privacy Bill of Rights and applies to children 13 years old and younger.

Other new rules bar advertisers from collecting geo-location information from kids, strengthen security requirements for kids’ data and close a loophole that allowed third parties to collect personal information from kids using plug-ins to kid directed mobile- applications and web sites. The update also extend COPPA to clearly cover persistent cookies that can track users across multiple web sites and third parties that contract with website operators.

Not covered under COPPA: mobile app stores, which have a broad audience and aren't targeted explicitly at the under-13 set. Stay tuned for more legislation to expand the protections afforded by COPPA to teenagers, the lawmakers said."


Submission + - Analysis of Dexter Malware Uncovers Mystery Man, And Links to Zeus (securityledger.com)

chicksdaddy writes: "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected “hundreds POS systems” including those operated by “big-name retailers, hotels, restaurants and even private parking providers.”
Now a detailed analysis by Verizon’s RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan.
By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter’s command and control were also used to host Zeus related domains and several domains for Vobfus, also known as “the porn worm,” which has been used to deliver the Zeus malware.
Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, “hgfrfv,” that was used to post a number of suggestive help requests (“need help with decrypting a table encrypted with EncryptByKey") in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists “hgfrfv” as an individual residing in the Russian Federation."


Submission + - Zero Day Hole in Samsung Smart TVs Could Have TV Watching You (securityledger.com)

chicksdaddy writes: "The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners' social media credentials and even to spy on those watching the TV using built-in video cameras and microphones.

In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ("zero day") hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in a Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving remote attacker the ability to spy on those viewing a compromised set.

However, Samsung might have a hard time fixing the hole. ReVuln, in keeping with company policy, is refusing to disclose any details of the vulnerability outside of its paying customer base."


Submission + - FBI issued alert after July hack of HVAC system (securityledger.com) 1

chicksdaddy writes: "The FBI issued an alert to businesses in July after unknown attackers breached a computer used to control the heating, ventilation and air conditioning (HVAC) system of a New Jersey company, accessing a graphical user interface for the system US Business 1, a New Jersey company that installs air conditioning systems for other companies, according to a copy of the July, 2012 Situational Information Report (PDF), issued by the Newark Division of the FBI."

Submission + - Human Rights Group Report Warns of Cyber's Growing 'Dark Side' (securityledger.com)

chicksdaddy writes: "The head of a prominent human rights groups has warned that increased state involvement in cyberspace, including surveillance, censorship, propaganda campaigns and offensive cyber operations threatens the future of the Internet as much as endemic problems like cyber crime – part of a growing “dark side” to cyberspace.

Writing in the Penn State Journal of Law and International Affairs, Ronald Deibert, Director of Citizen Lab and Canada Centre for Global Security Studies said that threats to human rights and individual liberties come from a variety of states – from authoritarian regimes, to Latin American narco-states to liberal democracies in the West, as governments increasingly leverage the power of the Internet to monitor citizens’ behavior and impose limits on free expression.

Sophisticated, global cyber criminal operations are part of that – thriving and innovating even as law enforcement struggles to pursue criminal organizations across international boundaries. Even more concerning are the ways in which “the worlds of cyber crime are blurring into acts of espionage, sabotage and even warfare,” he said.

And, while conventional wisdom has long assumed authoritarian regimes would wither in the face of the unfettered access to information provided by the Internet, Deibert said that, in some cases, just the opposite is true. Regimes, including those in China, Syria, Vietnam and Iran “have successfully employed second and third generation control techniques to penetrate and immobilize opposition, cultivating a climate of fear and self-censorship,” he said."


Submission + - New 25 GPU Monster Devours Strong Passwords in Minutes (securityledger.com) 1

chicksdaddy writes: "A presentation at the Passwords^12 Conference in Oslo, Norway (slides: https://hashcat.net/p12/), has moved the goalposts on password cracking yet again. Speaking on Monday, researcher Jeremi Gosney (a.k.a epixoip) demonstrated a rig that leveraged the Open Computing Language (OpenCL) framework and a technology known as Virtual Open Cluster (VCL) to run the HashCat password cracking program across a cluster of five, 4U servers equipped with 25 AMD Radeon GPUs communicating at 10 Gbps and 20 Gbps over Infiniband switched fabric.

Gosney’s system elevates password cracking to the next level, and effectively renders even the strongest passwords protected with weaker encryption algorithms, like Microsoft’s LM and NTLM, obsolete.

In a test, the researcher’s system was able to generate 348 billion NTLM password hash checks per second. That renders even the most secure password vulnerable to compute-intensive brute force and wordlist (or dictionary) attacks. A 14 character Windows XP password hashed using LM for example, would fall in just six minutes, said Per Thorsheim, organizer of the Passwords^12 Conference.

For some context: In June, Poul-Henning Kamp, creator of the md5crypt() function used by FreeBSD and other Linux-based operating systems was forced to acknowledge that the hashing function is no longer suitable for production use — a victim of GPU powered systems that could perform “close to 1 million checks per second on COTS (commercial off the shelf) GPU hardware,” he wrote. Gosney’s cluster cranks out more than 77 million brute force attempts per second against MD5crypt."


Submission + - Bluetooth Sniffing Traffic Sensors Vulnerable to Man in the Middle Attacks (securityledger.com)

chicksdaddy writes: "As cities everywhere trying to use technology to solve chronic traffic congestion problems, Bluetooth sniffing highway traffic monitors are all the rage (http://yro.slashdot.org/story/12/11/28/2318245/bluetooth-used-to-track-traffic-times). Inexpensive and easy to deploy, these roadside devices monitor traffic congestion in real time by detecting the signal from bluetooth devices like smart phones and dash-mounted GPS devices as the vehicles they're carried in pass the sensors. By tracking the time it takes for the device to move between sensors, cities can detect how fast traffic is flowing.

The sensors are a boon to transportation departments: providing almost realtime data on traffic flows and road congestion. But what about the *ahem* privacy issues?

The device makers have assured the public that there's nothing to worry about. Bluetooth data is anonymous and, besides, any data that is collected is encrypted before being transmitted to the central traffic management system.

Except that...this is software, right? Right. No surprise then, that ICS-CERT issued an advisory on Friday for customers who use Bluetooth-based traffic systems from the firm Post Oak Traffic Systems. According to CERT, Post Oak’s Anonymous Wireless Address Matching (AWAM) Bluetooth Reader Traffic Systems do not properly generate authentication keys used to secure communications, Security Ledger reports.

Researchers from the University of California at San Diego and the University of Michigan found that the AWAM Bluetooth Reader Traffic System doesn’t use sufficient entropy when generating authentication and host keys that are used to secure communications to and from the devices. In other words: the supposedly random keys aren’t really random. A knowledgeable and motivated attacker could guess the host key of reused or non-unique host keys, then carry out a man-in-the-middle attack against the traffic monitoring system. That could allow an attacker to calculate the private key used by the AWAM readers, which are used in Houston, Texas and other cities, then use those to impersonate the device, siphoning off administrative credentials that would give them direct access to the traffic monitoring system."


Submission + - Researcher promising Chrome 0day a no-show at security con (securityledger.com)

chicksdaddy writes: "A planned talk that was to unveil a new and previously unknown (or “zero day”) vulnerability in Google’s Chrome web browser was cancelled on Saturday after the researcher, Ucha Gobejishvili, backed out, citing difficulties obtaining a visa to travel to New Dehli, India, where the Malcon hacking conference was held.

The organizer of Malcon, Rajshekhar Murthy, confirmed in an email to Security Ledger that Gobejishvili cancelled his talk at the last minute.

“(Ucha) did not come at (sp) the conference due to visa issues in the last minute,” Rajshekhar Murthy wrote in an e-mail to Security Ledger on Monday. “The issue stated was he was called in last minute (sp) by the military for compulsory service which conflicted with our event dates.”

There were questions about Gobejishvili’s presentation from Google and others. The researcher, who is credited with discovering a number of cross site scripting and SQL injection holes, said he would demonstrate an exploit – but not release proof of concept code for it that could be independently verified. He also declined to give Google any information about the hole, despite claims that he discovered it in July.

A copy of Gobejishvili’s presentation slides shared with Security Ledger revealed little about the specifics of the exploit, which Gobejishvili dubbed “Calypso,” beyond a YouTube video that purports to show the exploit being used to run malicious code in the Chrome browser."


Submission + - 'New' malware spotted in Iran actually old, almost extinct (securityledger.com)

chicksdaddy writes: "Just days after Symantec Corp. warned about a new piece of malware, W32.Narilam, researchers at the Russian anti-virus firm Kaspersky Lab threw cold water on the report, saying their analysis of the malware suggests that Narilam is two to three years old. Though Kaspersky said Symantec was correct in saying that the malware targeted systems using Microsoft's SQL software, Kaspersky said it probably targeted financial software packages from an Iranian software firm, TarrahSystems, that are used by small businesses in Iran and neighboring countries.
Hardly an example of a sophisticated, new piece of malware in the ilk of Stuxnet and Flame, Narilam is 'almost extinct,' with just 80 detections in the last three years and just six so far in 2012, Kaspersky researchers say."


Submission + - Researcher claims to have Chrome 0day, Google says 'prove it' (securityledger.com)

chicksdaddy writes: "Google's been known to pay $60,000 for information on remotely exploitable vulnerabilities in its Chrome web browser. So, when a researcher says that he has one, but isn't interested in selling it, eyebrows get raised. And that's just what's happening this week, with Google saying it will wait and see what Georgian researcher Ucha Gobejishvili has up his sleeve in a presentation on Saturday at the Malcon conference in New Delhi. Gobejishvili has claimed that he will demonstrate a remotely exploitable hole in the Chrome web browser at Malcon. He described the security hole in Chrome as a “critical vulnerability” in a Chrome DLL. “It has silent and automatically (sp) download functionand it works on all Windows systems” he told Security Ledger.
However, more than a few questions hang over Gobejishvili’s talk. The researcher said he discovered the hole in July, but hasn't bothered to contact Google. He will demonstrate the exploit at MalCon, and have a “general discussion” about it, but won’t release source code for it. “I know this is a very dangerous issuethat’s why I am not publishing more details about this vulnerability,” he wrote. Google said that, with no information on the hole, it can only wait to hear the researcher's Malcon presentation before it can assess the threat to Chrome users."


Submission + - Profile poisoning the next frontier for web attacks? (securityledger.com) 1

chicksdaddy writes: "Google and Facebook already know everything about you – your interests, friends, tastes and even your movements. That’s a privacy nightmare. But researchers at the Georgia Institute of Technology’s Information Security Center (GTISC) think it could soon be a security nightmare, also.

According to Georgia Tech's “Emerging Cyber Threats Reports 2013, automated information systems could soon become a powerful tool in the hands of sophisticated attackers, who will look for ways to manipulate victims’ online profile — a kind of super SEO poisoning attack — that will steer them to certain (malicious) sites.

“If you compromise a computer, the victim can always switch to a clean machine and your attack is over,” said Wenke Lee, a professor at Georgia Tech’s College of Computing and director of the GTISC in the report. “If you compromise a user’s search history and hence his online profile, the victim gets the malicious search results no matter where he logs in from.""


Submission + - Years-Old Windows Vulnerabilities Still Exploited (itworld.com)

jfruh writes: "Microsoft can celebrate a genuine achievement: the company, once notorious for insecure products, didn't rate a single entry on Kaspersky Lab's latest list of 10 top vulnerabilities. But because Windows in particular has such staying power, many older unpatched systems still hanging on offer holes for attackers. For instance, Microsoft issued the MS08-067 patch for the Server Service vulnerability in October 2008; today, four years after it's been "fixed," it's still one of the most commonly searched for exploits among hackers."

Submission + - John McAfee accused of murder, wanted by Belize police (thehackernews.com) 1

thn writes: "John McAfee, who started the antivirus software giant named after him, has been accused of murder in Belize and wanted. McAfee had taken to "posting on a drug-focused Russian message board...about his attempts to purify the psychoactive compounds colloquially known as 'bath salts,'" Gizmodo wrote. The scariest aspect of this story may be the fact that an entire lab was constructed for John McAfee’s research purposes. Because of his efforts to extract chemicals from natural chemical plans McAfee was able to justify his experiments in a country that is largely unregulated."

Slashdot Top Deals

A verbal contract isn't worth the paper it's written on. -- Samuel Goldwyn