CVE-2015-6946

Stack-based buffer overflow in the Reprise License Manager service in Borland AccuRev allows remote attackers to execute arbitrary code via the licfile parameter.

CVE-2015-6947

Multiple stack-based buffer overflows in the activate_doit function in the Reprise License Manager service in Borland AccuRev allow remote attackers to execute arbitrary code via the (1) akey or (2) actserver parameter.

CVE-2015-6948

Heap-based buffer overflow in the Microsoft Word document conversion feature in Corel WordPerfect allows remote attackers to execute arbitrary code via a crafted document.

CVE-2015-4947

Stack-based buffer overflow in the Administration Server in IBM HTTP Server 6.1.0.x through 6.1.0.47, 7.0.0.x before 7.0.0.39, 8.0.0.x before 8.0.0.12, and 8.5.x before 8.5.5.7, as used in WebSphere Application Server and other products, allows remote authenticated users to execute arbitrary code via unspecified vectors.
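All four entries above describe the same bug class: an attacker-controlled parameter (licfile, akey, actserver, a crafted document) copied into a fixed-size buffer without a length check. The C below is an added illustration of that class and its fix; it is not code from AccuRev, Reprise License Manager, WordPerfect or IBM HTTP Server, and the parameter name, buffer size and function names are assumed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LICFILE_MAX 64   /* assumed buffer size, for illustration only */

/* Vulnerable pattern: the request parameter is copied into a fixed-size
 * stack buffer with no length check. A value longer than LICFILE_MAX - 1
 * bytes runs past licfile[] into the saved frame pointer and return
 * address, which is what "stack-based buffer overflow via the licfile
 * parameter" describes. Only ever call this with short input. */
void handle_licfile_unsafe(const char *param)
{
    char licfile[LICFILE_MAX];
    strcpy(licfile, param);               /* bug: no bound on param */
    printf("loading license file %s\n", licfile);
}

/* Hardened pattern: measure the parameter without reading past the space
 * we have, reject anything that does not fit, then copy with an explicit
 * bound and a guaranteed NUL terminator. Returns false on rejection so the
 * caller can fail the request instead of silently truncating. */
bool handle_licfile_safe(const char *param, char *out, size_t outlen)
{
    if (param == NULL || out == NULL || outlen == 0)
        return false;
    /* memchr stops at the first NUL, so it never scans more than outlen
     * bytes; no NUL within outlen bytes means the value cannot fit. */
    const char *nul = memchr(param, '\0', outlen);
    if (nul == NULL)
        return false;
    size_t n = (size_t)(nul - param);
    memcpy(out, param, n);
    out[n] = '\0';
    return true;
}

/* Constructed inputs: a plausible value and a 511-byte overlong one.
 * Returns 1 when the safe handler accepts the first and rejects the second. */
int demo(void)
{
    char licfile[LICFILE_MAX];
    char overlong[512];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';

    int ok = handle_licfile_safe("server.lic", licfile, sizeof licfile)
             && strcmp(licfile, "server.lic") == 0;
    int rejected = !handle_licfile_safe(overlong, licfile, sizeof licfile);

    handle_licfile_unsafe("server.lic");  /* short input: fine */
    /* handle_licfile_unsafe(overlong) would smash the stack frame */
    return ok && rejected;
}

int main(void)
{
    return demo() == 1 ? 0 : 1;
}
```

The practitioner's check is the rejection branch: a handler that truncates instead of refusing still "fits", but it silently changes the value, so returning an error to the caller is the safer default for a network-facing service.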

WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

  • WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags (CVE-2015-5714). Reported by Shahar Tal and Netanel Rubin of Check Point.
  • A separate cross-site scripting vulnerability was found in the user list table. Reported by Ben Bidner of the WordPress security team.
  • Finally, in certain cases, users without proper permissions could publish private posts and make them sticky (CVE-2015-5715). Reported by Shahar Tal and Netanel Rubin of Check Point.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.3.1 also fixes twenty-six bugs. For more information, see the release notes or consult the list of changes.

Download WordPress 4.3.1 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.3.1.

Thanks to everyone who contributed to 4.3.1:

Adam Silverstein, Andrea Fercia, Andrew Ozz, Boone Gorges, Brandon Kraft, chriscct7, Daisuke Takahashi, Dion Hulse, Dominik Schilling, Drew Jaynes, dustinbolton, Gary Pendergast, hauvong, James Huff, Jeremy Felt, jobst, Marin Atanasov, Nick Halsey, nikeo, Nikolay Bachiyski, Pascal Birchler, Paul Ryan, Peter Wilson, Robert Chapin, Samuel Wood, Scott Taylor, Sergey Biryukov, tmatsuur, Tracy Levesque, Umesh Nevase, vortfu, welcher, Weston Ruter

Social Engineering techniques – What they are and How businesses can avoid them

Although it may be tempting to imagine hackers as shy, socially inept types whose only human interaction is through their computers, that picture rarely matches reality. In some cases the social skills of attackers have been their most effective method of intrusion.

That method is called social engineering: tricking and manipulating the victim into a human error that compromises the security of the IT systems they have access to.

Social psychology as a method of intrusion

This form of intrusion does not rely on a vulnerability in the IT system but on a social interaction (online, by telephone, or face to face) between the attacker and the weakest link in the security chain, the user. The most successful social engineering techniques draw on the attacker's charisma and problem-solving skill and, almost always, on a practical understanding of human psychology: our irrational impulses and our feelings of trust, curiosity, attraction, and fear.

For example, the attacker will pass themselves off as someone else (a member of the security staff, a technician) or claim a position of authority in order to coax confidential information out of the victim, who at no point realizes they are being duped.

Kevin Mitnick, one of the most notorious hackers of the 1990s, who went on to work as a security consultant, says that social engineering usually rests on four fundamental principles:

  1. “We all want to help”
  2. “The first reaction is to trust in the other person”
  3. “We don’t like to say no”
  4. “Everyone likes to be praised”

A good example is Chris Nickerson, founder of Lares, a US security consultancy that uses social engineering in "red team" engagements to test how secure a business really is. Armed with nothing but information publicly available on the internet and a technician's shirt from a well-known telecoms operator, Nickerson tries, and usually succeeds, to get into the company's offices and tamper with workstations in full view of the employees.

Brief classification of techniques

  • Passive – observation and behaviour analysis, aimed at reconstructing the target's daily routine, building an approximate psychological profile, and so on.
  • Non-present – requests for information by email or over the phone.
  • Present but not aggressive – actions such as watching someone's home or going through their rubbish for personal documents (dumpster diving).
  • Present and aggressive – psychological pressure and impersonation (identity theft).

How do I stop my employees from becoming victims?

In their 2003 book Hacking Linux Exposed, Brian Hatch and James Lee recommended adopting the following attitudes, and they are still relevant today:

  • “Train the users” – because this type of attack is always aimed at a person, the best defence is to make sure every employee knows what social engineering tactics look like.
  • “Be paranoid” – the authors recommend “cultivating a healthy paranoia”: attackers tend to steer clear of anyone who does not seem to trust them. “They look for the easiest target,” they add.
  • “Ask them everything” – always ask the person you are dealing with why they need the information they are requesting. “Most social engineering attacks fail when the attacker is asked questions.”
  • “Always check their sources” – if a request that arrives by email looks suspicious, verify it by phoning the person, using a number you already have rather than one supplied in the message. If we are speaking face to face with someone we do not know, we should insist on seeing some form of ID.
  • “Learn to say no” – a social engineer usually works by departing from the business's normal procedures, or by getting the victim to do so. Sticking to the established rules is a good defence in these cases.
  • The business should also run a good EDR platform (to detect and protect against threats), such as Adaptive Defense 360.

That way, if a user does fall for a lure and clicks a link that downloads an infected application, the download is blocked immediately, and the company's security team is notified in real time so it can respond as soon as possible.

The post Social Engineering techniques – What they are and How businesses can avoid them appeared first on MediaCenter Panda Security.