Security

Submission + - New Breed of Malware Hits POS Systems and ATMs (securityweek.com)

wiredmikey writes: A new malware targeting point-of-sale (POS) systems and ATMs has stolen payment card information from several US banks, researchers say. Called “Dump Memory Grabber”, the malware scans the memory of point-of-sale systems and ATMs looking for credit card data, researchers say. The researchers believe the malware has already been used to steal data from payment cards issued by major US banks, including Chase, Capital One, Citibank, and Union Bank of California.

Interestingly, a few POS systems running Windows XP or Windows Embedded with Remote Desktop or VNC software were infected remotely, and in some cases, attackers exploited vulnerabilities in ATM networks connecting to the bank's VPN or GSM/GPRS networks.

Dump Memory Grabber is not the first malware family to target POS and ATMs. A few months ago, malware named "Dexter" was discovered, which infected POS systems at well-known retail outlets, hotels, and food establishments. Just last week, McAfee identified vSkimmer, a Dexter successor.

Coincidentally, a Boston-based liquor store notified customers this week that it had found malware on its POS systems, though it's unclear if the malware is any of the above or something different.

Android

Submission + - Android Trojan Used in APT Attacks (securityweek.com)

wiredmikey writes: Targeted attacks against Tibetan and Uyghur activists are nothing new, but attackers appear to be expanding their arsenal of attack tools to the Android platform. While attacks against the activists in the past have targeted both Windows and Mac OS X-based platforms, researchers from Kaspersky Lab have discovered an APT that successfully leverages Android to compromise targets.

According to Kaspersky researchers, a high profile Tibetan activist had his email account hacked on March 24th, 2013. Attackers used the hacked account to send spear phishing emails to the victim’s contact list that included a malicious Android Package (APK) attachment named “WUC’s Conference.apk”, which if installed, creates a malicious app called ‘Conference’ on the Android desktop.

If the victim launches the malicious app, the malware silently contacts a C&C server and starts to harvest data including contacts, call logs, SMS messages, geolocation and other phone data such as phone number, OS version, phone model, and SDK version.

While there have been previous indications that these types of attacks were in development, this attack is perhaps the first in a new wave of targeted attacks aimed at Android users, Kaspersky noted in a blog post. “So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”

Desktops (Apple)

Submission + - Apple Makes Two Factor Authentication Available for Apple IDs (securityweek.com)

wiredmikey writes: In an effort to increase security for user accounts, Apple on Thursday introduced a two-step verification option for Apple IDs. As the “epic hacking” of Wired journalist Mat Honan proved, an Apple ID often carries much more power than the ability to buy songs and apps through Apple’s App store.

An Apple ID can essentially be the keys to the Kingdom when it comes to Apple devices and user maintained data, and as Apple explains, is the “key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices.”

“After you turn [Two-step verification] on, there will be no way for anyone to access and manage your account at My Apple ID other than by using your password, verification codes sent to your trusted devices, or your Recovery Key,” a announcing the new service explained.

IOS

Submission + - Apple Fixes Security Flaws With iOS 6.1.3 Release (securityweek.com)

wiredmikey writes: Apple on Tuesday released iOS 6.1.3, the latest software update for iPhones and iPads, which fixes a security flaw that lets anyone with physical access to the device bypass the screen lock feature.

iOS 6.1.3 addresses other security issues including a kernel vulnerability (CVE-2013-0978) that could allow a local user to determine the address of structures in the kernel, a “lockdown” vulnerability (CVE-2013-0979) that may allow a user to change permissions on arbitrary files, and a vulnerability in WebKit that could allow a malicious website to cause unexpected application termination (crashes) or arbitrary code execution. Apple also addressed a USB issue (CVE-2013-0981) that permitted a local user to be able to execute arbitrary code in the iOS kernel.

The iOS 6.1.3 update is available through iTunes and Software Update on iOS devices.

Google

Submission + - Google Implements DNSSEC Validation for Public DNS (securityweek.com)

wiredmikey writes: Google on Tuesday announced that it now fully supports DNSSEC (Domain Name System Security Extensions) validation on its Google Public DNS resolvers. Previously, the search giant accepted and forwarded DNSSEC-formatted messages but didn’t actually perform validation.

“With this new security feature, we can better protect people from DNS-based attacks and make DNS more secure overall by identifying and rejecting invalid responses from DNSSEC-protected domains,” Yunhong Gu, Team Lead, Google Public DNS, wrote in a blog post.

In a recent column, Ram Mohan explained that while DNSSEC does not solve every Internet-based security issue, it does offer a more advanced level of user security for directory look-ups than is currently in use. “For example, DNSSEC can ensure that a Web browser knows where to find the site you are trying to reach,” Mohan explained. “Browsers can employ this information to help protect users from phishing attacks and from being hijacked. Although browsers don't use DNSSEC in this way today, they easily could (and probably should).”

According to Gu, about 1/3 of top-level domains have been signed, but most second-level domains remain unsigned. According to NIST, there has been no progress in enabling DNSSEC on 98 percent of all 1,070 industry domains tested as of March 18, 2013.

“Overall, DNSSEC is still at an early stage and we hope that our support will help expedite its deployment,” Google’s Gu said.

Android

Submission + - T-Mobile Security Flaw Allowed Eavesdropping of Wi-Fi Calls, Texts (securityweek.com)

wiredmikey writes: A vulnerability discovered by researchers at UC Berkeley enabled attackers to eavesdrop on and modify calls and text messages sent using T-Mobile's "Wi-Fi Calling" feature.

According to Jethro Beekman and Christopher Thompson, both UC Berkeley graduate students, when an affected Android device connected to a server via T-Mobile's Wi-Fi Calling feature, it did not correctly validate the server's security certificate, exposing calls and text messages to a "man-in-the-middle" (MiTM) attack.

In short, by executing a MiTM attack, and using decrypted SIP (Session Initiation Protocol) dialog, an attacker could record all incoming and outgoing calls and text messages. “[An attacker] could record, block and reroute SIP traffic. The attacker could change it by faking a sender or changing the real-time voice data or message content. He could fake incoming traffic and he can impersonate the client with forged outgoing traffic,” the report, released Tuesday, said.

Beekman and Thompson said they notified T-Mobile of their discoveries in December 2012, and worked with the mobile operator to confirm and fix the problem. As of March 18, all affected T-Mobile customers have received the security update fixing the vulnerability, the researchers said.

This is not the first time TLS/SSL issues have come to the forefront of the mobile world. Last October, researchers from two universities in Germany published a paper (PDF) that exposed the state of SSL within Android applications, which revealed that many applications failed to properly implement SSL, leaving millions of users exposed to basic Man-In-The-Middle attacks.

Security

Submission + - Apple Hit In Malware Attack, Releasing Updated Malware Removal Tool (securityweek.com)

wiredmikey writes: Apple on Tuesday acknowledged that Mac OS X computers at the Cupertino, California-based company were attacked and infected with malware. The attack is assumed to be the same one Facebook acknowledged on Friday that it fell victim to, which used a zero-day exploit taking advantage of a flaw in Java.

Last week, Facebook said that hackers appeared to be targeting developers and technology firms based on a website that was "booby-trapped" with malicious code. As it turns out, Apple was included in the victim list, and in a rare occurrence, acknowledged that hackers had hit its systems with some level of success.

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers,” an Apple spokesperson told SecurityWeek.

While attackers managed to penetrate Apple’s systems and infect a limited number with malware, the tech giant said there is no evidence that data was taken. Apple also said that it would release a software utility later today to protect users from malware used in the attacks. “To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found."

Government

Submission + - Obama Signs Executive Order on Cybersecurity (securityweek.com)

wiredmikey writes: President Barack Obama signed an executive order on Tuesday designed to better protect critical infrastructure from computer hackers.

Obama, in his annual State of the Union speech to a joint session of the US Congress, said his executive order would "strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs and our privacy." The president also urged Congress to pass legislation "to give our government a greater capacity to secure our networks and deter attacks." The executive order (PDF) calls for voluntary reporting of threats to US infrastructure, such as power grids, pipelines and water systems. The directive, which follows two failed attempts in Congress to pass cybersecurity legislation, allows the government to lead an information-sharing network but stops short of making mandatory the reporting of cyber threats.

House Homeland Security Chairman Michael McCaul said he was "concerned that the order could open the door to increased regulations that would stifle innovation, burden businesses and fail to keep pace with evolving cyber threats."

Leslie Harris of the Center for Democracy & Technology welcomed the directive, arguing it "says that privacy must be built into the government's cybersecurity plans and activities, not as an afterthought but rather as part of the design."

White House officials noted that the measure would not apply to consumer-based services or information systems that do not meet the standard of "critical infrastructure." But the director of George Mason University's Technology Policy Program Jerry Brito said in a tweet that "top-down regulation is the last thing that will improve cybersecurity."

Security

Submission + - Hackers Broadcast Zombie Apocalypse Alert on Montana TV Station (securityweek.com)

wiredmikey writes: Hackers caused a bizarre alert in the US state of Montana by broadcasting a warning about zombies attacking the living, local television channels said Tuesday. The apocalyptic warning interrupted programming via the Emergency Alert System, normally used for real catastrophes such as extreme weather, or even a direct message from the US president in the case of a national crisis. The message was preceded by a buzzing noise typical of such broadcasts, before a voice intoned: "Civilian authorities in your area have reported that the bodies of the dead are rising from their graves, and attacking the living."

The warning broke into regular programming Monday evening on at least four local television stations, according to Cynthia Thompson, station manager at ABC10-CW5. "It has been determined that a 'back door' attack allowed the hacker to access the security of the EAS equipment," she said in an online statement, adding that WNMU-TV 13 at Northern Michigan University was also hacked.

China

Submission + - Wall Street Journal Says Hit by Chinese Hackers Too (securityweek.com)

wiredmikey writes: The Wall Street Journal said Thursday its computers were hit by Chinese hackers, the latest US media organization citing an effort to spy on its journalists covering China.

The Journal made the announcement a day after The New York Times said hackers, possibly connected to China's military, had infiltrated its computers in response to its expose of the vast wealth amassed by a top leader's family.

The Journal said in a news article that the attacks were "for the apparent purpose of monitoring the newspaper's China coverage" and suggest that Chinese spying on US media "has become a widespread phenomenon."

Security

Submission + - Online Ads Are More Dangerous Than Porn, Cisco Says. (securityweek.com)

wiredmikey writes: The popular belief is that security risks increase as the user engages in riskier and shadier behavior online, but that apparently isn't the case, Cisco found in its 2013 Annual Security report.

It can be more dangerous to click on an online advertisement than an adult content site these days, according to Cisco. For example, users clicking on online ads were 182 times more likely to wind up getting infected with malware than if they'd surfed over to an adult content site, Cisco said.

The highest concentration of online security targets does not target pornography, pharmaceutical, or gambling sites as much as it affects legitimate sites such as search engines, online retailers, and social media. Users are 21 times more likely to get hit with malware from online shopping sites and 27 times more likely with a search engine than if they'd gone to a counterfeit software site, according to Cisco's report (PDF). There is an overwhelming perception that people get compromised for "going to dumb sites," Mary Landesman, senior security researcher at Cisco, told SecurityWeek.

Networking

Submission + - UPnP Security Flaws Put Millions of Devices at Risk (securityweek.com)

wiredmikey writes: Security researchers from Rapid7 have uncovered that roughly 40-50 million network-enabled devices are at risk due to vulnerabilities in the Universal Plug and Play (UPnP) protocol.

Universal Plug and Play (UPnP) is a set of networking protocols that allows communication between computers and network-enabled devices. It is enabled by default on millions of devices, from routers to printers to IP cameras and network storage servers. UPnP support is also enabled by default on Microsoft Windows, Mac OS X and many distributions of Linux.

In its research, Rapid7 declares (PDF) that the UPnP protocol "suffers from a number of basic security problems" ranging from a lack of authentication implemented by device manufacturers to privileged common programming flaws that plague common UPnP software implementations. These issues, the report notes, are endemic across UPnP-enabled applications and network devices.

According to Rapid7's HD Moore, the two most commonly used UPnP software libraries both contained remotely exploitable vulnerabilities. "In the case of the Portable UPnP SDK, over 23 million IPs are vulnerable to remote code execution through a single UDP packet," Moore noted. "All told, we were able to identify over 6,900 product versions that were vulnerable through UPnP. This list encompasses over 1,500 vendors and only took into account devices that exposed the UPnP SOAP service to the internet, a serious vulnerability in and of itself."

Moore suggested organizations take immediate action to identify and disable any Internet-exposed UPnP endpoints in their environments.

Java

Submission + - Oracle to Java Community: "We Have to Fix Java" (securityweek.com)

wiredmikey writes: Oracle's approach to Java security has been under heavy scrutiny of late, with some in the security community renewing calls for enterprises to disable Java due to the number of vulnerabilities and its popularity with exploit writers.

In a public acknowledgement of these concerns, Oracle's Milton Smith, head of Java security, held a conference call with members of the Java user community.

"The plan for Java security is really simple," he said. "It's to get Java fixed up number one, and then number two, to communicate our efforts widely. We really can't have one without the other."

Earlier this month, Oracle shipped a Java update to address reports of a zero-day bug being targeted by attackers. However, the situation took a turn for the worse when it was discovered by security researchers that the update contained additional vulnerabilities and failed to address the underlying issue being exploited by attackers.

According to Smith, Oracle also plans to improve efforts to communicate with the Java community about security. "No amount of talking or smoothing over is going to make anybody happy or do anything for us," he said. "We have to fix Java."

Encryption

Submission + - GitHub Search Exposes Encryption Keys, Passwords In Code (securityweek.com)

wiredmikey writes: GitHub's new internal search has made it easy to uncover passwords, encryption keys, and other security missteps in software development projects that are hosted on the site. GitHub announced its internal search on Jan. 23, which lets users search for any string through public and private repositories they have access to.

Some users discovered yet another way to use the search tool: finding files containing private encryption keys and source code with login credentials. Scarily enough, there were thousands of them.

Searching on id_rsa, a file which contains the private key for SSH logins, returned over 600 results. Other developers had hardcoded passwords for privileged user accounts, such as root, sa, and admin.

"With a simple script or tool, external hackers or malicious insiders can quickly discover these lost keys and use them to gain access to critical information assets," Jason Thompson, director of global marketing, SSH Communications Security said. "If the key grants a high level of administrative access, such as root, the potential threat to the business grows exponentially."

To be clear, GitHub is not at fault, since the company is just a hosting service. It just stores whatever files the developer wants to save. The search engine is not accidentally leaking confidential information. The data was already saved on GitHub, it is just making it easier for someone to find these mistakes.

Developers should note that GitHub has a Help page on how to make sure sensitive data is not saved to the repository.
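One way a developer can catch the same mistakes the story describes (a committed id_rsa, a PEM private key, a hardcoded password for root, sa or admin) before a push reaches GitHub, as an added example that is my code and not GitHub's search or anything from the article; the sample checkout, key material and credential naming patterns below are constructed for the demo:

```python
import os
import re
import shutil
import tempfile

# Private-key file names; id_rsa is the one the story says was searched for.
KEY_FILE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
# PEM header shared by OpenSSH/OpenSSL private keys.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# A password literal on the same line as a privileged account name, e.g.
# ADMIN_PASSWORD = "..."  or  db.root.password=...  (assumed naming patterns).
PRIVILEGED_CRED = re.compile(
    r"(?i)(root|sa|admin)(?![a-z0-9]).{0,40}?"
    r"(pass(?:word)?|pwd)(?![a-z0-9])\s*[:=]\s*['\"]?([^'\"\s]{4,})")


def scan_file(path):
    """Return (finding_type, path, detail) tuples for one file."""
    findings = []
    name = os.path.basename(path)
    if name in KEY_FILE_NAMES:
        findings.append(("private-key-filename", path, name))
    try:
        with open(path, encoding="utf-8", errors="ignore") as fh:
            for lineno, line in enumerate(fh, 1):
                if PEM_PRIVATE_KEY.search(line):
                    findings.append(("pem-private-key", path, lineno))
                m = PRIVILEGED_CRED.search(line)
                if m:
                    # Report the account name only; never copy the secret into output.
                    findings.append(("hardcoded-privileged-password", path, m.group(1).lower()))
    except OSError:
        pass
    return findings


def scan_tree(root):
    """Walk a checkout (skipping .git) and collect all findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            findings.extend(scan_file(os.path.join(dirpath, fn)))
    return findings


def build_demo_repo():
    """Constructed sample checkout: a committed id_rsa, two files with privileged
    passwords, and one clean file that reads its secret from the environment."""
    root = tempfile.mkdtemp(prefix="secretscan_")
    os.makedirs(os.path.join(root, ".ssh"))
    files = {
        os.path.join(".ssh", "id_rsa"):
            "-----BEGIN RSA PRIVATE KEY-----\nFAKEKEYDATA\n-----END RSA PRIVATE KEY-----\n",
        "settings.py": 'DEBUG = False\nADMIN_PASSWORD = "changeme123"\n',
        "db.properties": "db.host=localhost\ndb.root.password=toor1234\n",
        "app.py": 'import os\nPASSWORD = os.environ["DB_PASSWORD"]\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


def run_demo():
    """Build the sample checkout, scan it, and clean up; returns the findings."""
    root = build_demo_repo()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, path, detail in run_demo():
        print(f"{kind}: {path} ({detail})")
```

Wiring `scan_tree` into a pre-commit hook and failing the commit on any finding keeps the mistake local instead of searchable.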
