Mandriva Linux Security Advisory 2014-172

Mandriva Linux Security Advisory 2014-172 – The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service via a crafted color table in an XPM file. file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service via a crafted file that triggers backtracking during processing of an awk rule. Various other issues have also been addressed. The updated php packages have been upgraded to the 5.5.16 version to resolve these security flaws. Additionally, php-apc has been rebuilt against the updated php packages and the php-timezonedb packages have been upgraded to the 2014.6 version.

CERT/CC Enumerates Android App SSL Validation Failures

The CERT Coordination Center at Carnegie Mellon today released a list of Android applications hosted on Google Play and Amazon that it says fail to validate SSL certificates over HTTPS.

Car hacking – are one-third of thefts ‘electronic hacks’?

The UK government is to work with car manufacturers to prevent hackers using electronic means to break into increasingly hi-tech vehicles in Britain, after a spate of ‘car hacking’ in London, Computer World reports.

In a speech to independent think tank Reform, Home Secretary Theresa May said that thieves were using “sophisticated devices” to grab car key codes, and driving away in less than 10 seconds without using force, according to the Daily Mail.

The report claimed that “hackers” were behind a third of car thefts in London.

At the Black Hat security conference this summer two researchers launched a petition to change how car companies and technology companies work together. “We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers said via Change.org.

Car hacking: A real risk?

In her speech to Reform, May said, “There have been reports that they could even use ‘malware’ to commandeer vehicle systems via satellites and issue remote demands to unlock doors, disable alarms and start car engines.”

“Because we have this understanding, we can now work with industry to improve electronic resilience, include this kind of resilience in the vehicle’s overall security ratings, and work out the extent to which the same threat applies to other physical assets such as building security systems.”

May’s speech echoes a series of presentations by security researchers which warn that as cars become increasingly ‘connected’, with up to 200 control units each, hacking such vehicles becomes easy.

Two researchers have concluded that this will become even easier once web browsers in cars become more common.

Hackers behind ‘third’ of crimes

Earlier this summer, a group of Chinese researchers showed off a hack which could open the doors on a Tesla S while in motion, as well as controlling other vehicle systems – and the car’s control panel, thought to run a modified version of Firefox, was claimed to be behind the hack.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.”

Last year a U.S senator urged auto manufacturers to change – and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

On the researchers’ page, I am the Cavalry, they say, “Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

 

The post Car hacking – are one-third of thefts ‘electronic hacks’? appeared first on We Live Security.

Credit card security fears – could Home Depot breach be biggest yet?

Shoppers at Home Depot stores may have had their credit card security details leaked online, after a massive batch of card information went on sale on a criminal internet site this week, according to veteran security writer Brian Krebs, who reported the possible breach on his Krebs on Security website. Krebs claims the breach may be the biggest yet seen.

The credit card security breach could have begun as early as April or early May of this year, and may be linked to hackers responsible for the breaches at Target and P.F. Changs, according to Krebs. Separate batches of debit and credit card details from European and American shoppers have been offered for sale on a criminal website this week.

U.S.A. Today reports that the breach could dwarf even the Target Breach, in which 40 million debit and credit accounts were compromised.

Fox Business News reported that Home Depot has, as yet, not confirmed the scale of the breach.

Credit card security: The biggest breach yet?

“Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately,” spokesperson Paula Drake said in a statement.

The card data were offered for sale under the title, “American Sanctions,” which Krebs interpreted as related to the ongoing conflict in the Ukraine. Stolen information from European cards which had been used in the stores were sold separately as “European Sanctions,” Krebs reported.

Home Depot shares dropped 2.6% at the news, Fox Business reported.

Krebs spoke to several banks, and his latest update hints that this breach could be the biggest yet seen. “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period,” he says.

Mark James, security specialist at ESET says, “The news of another credit card hack is not surprising – but is no less worrying. It seems that no company is safe and if you have EVER used a credit card to purchase goods then you may be at risk.”

“It is thought the original team that targeted P.F.Chang’s and Target are also the perpetrators here, and due to the amount of data that has been stolen it stands to reason it will be used or released in batches over time.”

Card breach: What to do

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

ESET’s James says, “Nothing can be done about the data already stolen, but we could take some actions to lessen the impact of compromised credit cards. Don’t just have a single credit for all uses: for instance, separate your physical purchases (in store) and your online purchases by using different credit cards for each.”

“At least that way if one gets lost or stolen it’s not so much of an impact to get it stopped and replaced, also it’s always good practice to keep an eye on your credit statement for small or unusual payments, often small (under the radar) amounts are processed to test if the cards are valid. If they go through then larger amounts will follow.”

“If you spot something unusual notify your bank immediately. As always, it’s imperative the organization in question notifies all parties involved in any security breach so we the public can take action quickly.”

The post Credit card security fears – could Home Depot breach be biggest yet? appeared first on We Live Security.

Apple denies its services were hacked


“Celebgate” – as the theft and publication of private photos of more than 100 actresses and models has come to be known – is not only affecting the direct victims of the theft but also the companies that have been implicated in the affair.

Initially, it was thought that the leaks could be due to a potential security hole in iCloud, Apple’s virtual storage platform, but the company has announced that, after a 40-hour investigation, they have discovered that the accounts of these celebrities “were compromised by a very targeted attack on user names, passwords and security questions,” adding that these attacks have “become all too common on the Internet.”

Apple denies that the hacking of the accounts of actresses such as Jennifer Lawrence, Kirsten Dunst and Kate Upton was the consequence of a vulnerability in its iCloud or ‘Find my iPhone’ services, although some of the victims have already had their say on the issue.

The company has also announced that it continues to work with the police to help identify the criminals involved and encourages all users to choose a strong password and double check their security systems.

The post Apple denies its services were hacked appeared first on MediaCenter Panda Security.

Survey shows the person you trust the most may be spying on you

People expect that they are being watched online in cyberspace, but who would expect to be spied on by the people closest to them? You better watch out – your partner may be spying on you more than the NSA: One in five men and one in four women admitted to checking their partner’s smartphone in a survey with 13,132 respondents conducted by AVAST in the United States.

Playing detective

The survey found that while the majority of women check their partner’s device because they are nosey, a quarter of married women suspect their spouse is cheating on them and want to find evidence.

Married women are not the only ones who suspect their partner is cheating on them. The reason why most men pry on their partner is because they too are afraid their better half is being unfaithful and want to confirm their suspicions – especially if the relationship is fresh.

Caught red handed

One may think that people who snoop on their significant other to find evidence of cheating or lying are being paranoid. Unfortunately, the majority of them are not paranoid–their gut feeling is often correct. Seven out of ten women and more than half of men who turn to their partner’s device to find proof their partner is deceiving them, have found evidence. Which of the two sexes is more likely to confront their partner regarding their findings? Women. The survey revealed that women are 20% more likely than men to confront their partner with the facts.

“Picking” the mobile lock

Cracking their partner’s device passcode wasn’t necessary for the greater number of snoopers. A shockingly high percentage of respondents claimed they didn’t need a passcode to gain entry to their significant other’s device. Women did, however, have an easier time with 41% reporting their partner’s device did not have a passcode compared to the 33% of men. Coming in at a high second, both male and female respondents claimed to know their partner’s device passcode because their partner had shared it with them in the past, unknowingly setting themselves up to get caught.

An eye for an eye

More than half of men and women who check their significant other’s device think their partner checks their device as well. There seems to be a low level of trust between partners who feel the need to keep tabs on their significant other.

The survey results show that respondents who just started dating and check their new companion’s device are less likely to suspect their new love of doing the same, compared to snoopers in established relationships. People in long term relationships were the most likely to think their partner does the same behind their backs.

Tips to protect your privacy

Be it from your partner or somebody who finds your lost phone – you should always protect your mobile devices from prying eyes.

  • Protect your mobile devices with passcodes!

Everyone should protect their smartphones and tablets with passcodes, even if you aren’t worried about snoopers. Passcodes not only make it more difficult for nosey partners to access secrets and surprises, but can also protect your data should your device get lost or stolen.

  • Lock your precious apps

Apps that contain sensitive information deserve an extra layer of protection. With avast! Mobile Security’s app locking feature you can password protect your most precious apps.

  • Free your phone from old data – and back it up

Backing up your mobile data allows you to save your data to the cloud so you can delete old data from your phone. This not only prevents data loss, whether you lose your phone or accidentally delete data from your phone, but can prevent your partner from finding out about activity you want to keep to yourself. avast! Backup backs up your call log history, SMS, contacts and photos for free.