All posts by 007admin

NCSC Spearphishing Security Advisory

Original release date: August 14, 2014

New Zealand’s National Cyber Security Centre (NCSC) has released Security Advisory NCSC-C-2014-17 which highlights a spearphishing campaign targeting government employees. The NCSC provides enhanced cybersecurity services to the New Zealand Government and private sector organizations against cybersecurity threats.


This product is provided subject to this Notification and this Privacy & Use policy.

Apple Releases Security Update for Safari

Original release date: August 14, 2014

Apple has released security updates for Safari to address vulnerabilities which could allow an attacker to execute arbitrary code or cause an unexpected application termination.

Updates include Safari 6.1.6 and Safari 7.0.6 for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.4.

Users and administrators are encouraged to review Apple security update HT6367 and apply the necessary updates.


Phone scams: card fraud with that steak, Sir?

A new telephone scam has been targeting upscale restaurants in London, with “convincing” scammers calling restaurant staff and tricking them into believing there’s a problem with their payment system – according to a report issued by Financial Fraud Action. The scammers have targeted restaurants in affluent areas such as the West End and Twickenham.

The fraudsters give staff a phone line to call for customers to make payments, the Telegraph reports. Transactions are then funneled through the fraudulent phone line – restaurant owners have been warned to phone banks on a number known to be legitimate to check before changing payment methods. Katy Worobec, Director of Financial Fraud Action UK, said “It’s important that restaurant owners are alert. Fraudsters can sound very professional – don’t be fooled.”

Phone scam: ‘Classic social engineering’

To customers, Financial Fraud Action said, “If you receive any calls from your bank claiming there’s a problem with payments, make sure you phone them on an established number to confirm the request is genuine. In addition, always wait five minutes to ensure the line is clear, as fraudsters will sometimes try to stay on the phone line and pretend to be your bank.” The tactics used are variations of those in many current phone scams. In the common ‘courier scam’ used to obtain cards and PINs, the scammer stays on the line after the victim hangs up and, when the victim dials out to their bank, pretends to be the new connection.

Phone scams: Old tricks

ESET senior researcher David Harley says, “The ‘staying on the phone line’ gambit is worth mentioning: it’s certainly been used a lot in the context of other scams.” The tactic works simply because few users take measures to ensure the caller is not waiting – and when they dial, they are still connected. All that happens is the fraudster hears a series of beeps. Harley suggests ‘interrupting’ the call by hanging up and dialing another number – or calling on a different phone.

Action Fraud said, “When the restaurant calls the phone number, the fraudster asks to speak with the paying customer and then goes through their security questions. Once sufficient security details have been obtained from the customer, the fraudster will instruct the restaurant to put the transaction through.” The fraudster then calls the customer’s bank – usually within five minutes – and attempts to transfer funds, the Daily Mail said.

The scam is not new – and several elements are “classic social engineering”, says ESET Senior Research Fellow David Harley – but it has spiked in the past six weeks. “Certainly there’s a problem with the concept of answering security questions over the phone unless the bank or other caller has already authenticated themselves to you,” Harley says.

Harley says the key to avoiding such scams is not to place trust in unknown callers. If unsure, hang up, and call back on a known number. “In this case, a restaurant that falls for this has clearly failed to verify the credentials of the ‘bank’ and a customer who goes along with it has put too much trust in the restaurant. The ‘security questions’ must persuade the customer to give quite a lot of information away if they have any hope of persuading the bank to make the fraudulent transaction over the phone. One would hope…”

The post Phone scams: card fraud with that steak, Sir? appeared first on We Live Security.

Will web browsers turn cars lethal?

Two researchers have launched a petition to change how car companies and technology companies work together – with a new villain: in-car web browsers.

“We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers say via Change.org.

A paper presented at Black Hat shows a danger crossing the line from “proof of concept” to reality. The researchers point out that while hacking a car to gain total control is extremely hard, it is easier to attack individual systems, such as communications or navigation, either of which could be lethal.

Car code is complex, and often bespoke – which means attacks tend towards the level of disabling locks, or affecting electric windows, rather than outright destruction. Even Bluetooth – often hyped as the Achilles’ Heel.

Internet of Things: Car crash ahead?

“Bluetooth has become ubiquitous within the automotive spectrum, giving attackers a reliable entry point to test,” they write. But hacks would be of the level of adding an unauthorized device – not outright control.

When CNN Money devotes a section to the year’s “most hackable cars” (a distinction that went, incidentally, to the Cadillac Escalade and the 2014 Toyota Prius), automotive security is clearly a real issue.

Charlie Miller and Chris Valasek in their paper A Survey of Remote Automotive Attack Surfaces conclude that the danger of “hackable” cars is expanding – but is about to grow rapidly, as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.” The recent reported hack against the Tesla Model S relied on its connected control panel.

A SlashDot user claims to have found a hidden port on the Tesla Model S, and used it to prove the car ran a modified version of Firefox.

Nick Bagot, Motoring Editor of the Mail on Sunday, says, “Web browsers obviously pose considerable safety issues – and it’s questionable why they’re needed. The inclusion of browsers in cars may well have more to do with the convenience of advertising, and lucrative tie-ups between car brands and particular browsers, than with delivering value to the consumer.”

“Google is, primarily, an advertising company. Google products are built to feed into Adwords. Self-driving cars are an incredible technology – but what is it for?”

Safety first?

Car technology ignites passions from many sides. Last year a U.S. senator urged auto manufacturers to change – and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

Most in-car innovations have a clear point – car cameras are part of the technology revolution, but increase safety. Which Magazine writes, “The importance of having these in-car cameras is becoming more obvious each day, with the devices not only providing UK drivers with an independent witness – but also as we see awareness of the product increase, we hope to see the road safety standards improve and fraudulent crashes and claims decline.”

Other innovations bring less clear benefits, reports The Register. “The problem is that cars are becoming more heavily computerized and that leads to more networking so the driver and passengers can get access to up-to-date information while on the move: most newish cars have a Bluetooth system hidden inside, a connection to the cellular data network, and so on,” the site said.

On the researchers’ page, I am the Cavalry, they say, “Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

The post Will web browsers turn cars lethal? appeared first on We Live Security.

CVE-2014-4344 (debian_linux, enterprise_linux_desktop, enterprise_linux_hpc_node, enterprise_linux_server, enterprise_linux_workstation, kerberos)

The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.

2FA – are big banks failing America?

The Target breach caused real damage to millions of American card users – but big financial institutions are doing little to remedy security issues, according to the New York Times.

A report found that two-factor security was STILL not on offer at major banks such as Citibank, Capital One and for AmEx cards, when it came to online banking. Many other banks require customers to opt in.

The reason, the NYT claims, is economic, at least for the banks: “Companies have gone back and forth about whether to even allow their customers to sign up for that second factor and require the company to generate a one-time code to be entered in addition to a username and password.”

“While such precautions add to the consumer’s security, they can also increase the company’s tech support needs.”

2FA: Big savings – for banks

The opinion piece, a plea for increased adoption of two-factor authentication systems, has ignited debate.

Computer World discusses whether there are any “silver bullets” for a world where passwords are stolen in industrial quantities. Some attacks, such as a recent attempt against PayPal, have tried to bypass these systems – but they are still another hurdle for gangs to clear.

The below ESET video explains what two-factor is.

Two-factor systems are far more secure than passwords – many high-profile hacks, such as those against the Twitter accounts of media organizations last year, could not have happened if a 2FA system had been in place. Even if a hacker places malware on a PC and steals a password, they are still locked out.

2FA: Why are banks failing us?

Information Week says that 2FA systems are a key part of ensuring corporate security: “Passwords are the Achilles heel of any network. Around 80% of all domain compromises carried out by our Penetration Testing team come from either a weak password being set, or a password being reused somewhere. Any company that takes its security seriously should protect privileged accounts with strong two-factor authentication (2FA).”

A recent report found that two-thirds of companies that allowed ‘working from home’ failed to provide secure access to company networks, putting private corporate information at risk.

Two-factor systems can help small businesses by allowing home working – and cutting overheads such as office space.

Bank attacks – safety tips

Both Information Age and Computer World suggested further measures – with Computer World suggesting Google Chromebooks as ideal for banking.

“Like private browsing, guest mode erases all traces of your browsing activity when you’re done, but in addition, it also starts you off with a clean slate. That is, when you log on as a Guest there are no cookies, favorites or browsing history to be discovered, stolen or manipulated,” the magazine writes.

One of the more disquieting aspects of the NYT report was that 2FA protection was offered only to some customers – and banks were not clear as to why.

Many sites – including Twitter, Gmail and Dropbox – offer two-factor systems already, free, although you have to enable them yourself – it’s usually found under Settings or Privacy, and most sites walk you through the process.

It’s worth doing so if you keep any private information in such accounts – and particularly if you store sensitive business information.

Two-factor authentication makes it far more difficult – although not impossible – for cybercriminals to break into accounts on sites such as Twitter and Dropbox. At present, though, the system is “opt-in” – you have to go to settings, and add your authentication method manually.


The post 2FA – are big banks failing America? appeared first on We Live Security.

Fedora Security Team

Vulnerabilities in software happen.  When they get fixed it’s up to the packager to make those fixes available to the systems using the software.  Duplicating much of the response effort that Red Hat Product Security performs for Red Hat products, the Fedora Security Team (FST) has recently been created to assist packagers in getting vulnerability fixes downstream in a timely manner.

At the beginning of July, there were over 500 vulnerability tickets open* against Fedora and EPEL.  Many of these vulnerabilities already had patches or releases available to remedy the problems but not all.  The Team has already found several examples of upstream not knowing that the vulnerability exists and was able to fix the issue quickly.  This is one of the reasons having a dedicated team to work these issues is so important.

In the few short weeks since the Team was created, we’ve already closed 14 vulnerability tickets and are working another 150.  We hope to be able to work in a more real-time environment once the backlog decreases.  Staying in front of the vulnerabilities will not be easy, however.  During the week of August 3rd, 27 new tickets were opened for packages in Fedora and EPEL.  While we haven’t figured out a way to get ahead of the problem, we are trying to deal with the aftermath and get fixes pushed to the users as quickly as possible.

Additional information on the mission and the Team can be found on our wiki page.  If you’d like to get involved please join us for one of our meetings and subscribe to our listserv.


* A separate vulnerability ticket is sometimes opened for different versions of Fedora and EPEL resulting in multiple tickets for a single vulnerability.  This makes informing the packager easier but also inflates the numbers significantly.

MS14-044 – Important: Vulnerabilities in SQL Server Could Allow Elevation of Privilege (2984340) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (August 13, 2014): Revised bulletin to correct the Update FAQ that addresses the question, “Will these security updates be offered to SQL Server clusters?”
Summary: This security update resolves two privately reported vulnerabilities in Microsoft SQL Server (one in SQL Server Master Data Services and the other in the SQL Server relational database management system). The more severe of these vulnerabilities, affecting SQL Server Master Data Services, could allow elevation of privilege if a user visits a specially crafted website that injects a client-side script into the user’s instance of Internet Explorer. In all cases, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website, or by getting them to open an attachment sent through email.

MS14-036 – Critical: Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution (2967487) – Version: 2.0

Severity Rating: Critical
Revision Note: V2.0 (August 12, 2014): Rereleased bulletin to announce the offering of update 2881071 to replace update 2767915 for systems running Microsoft Office 2010 Service Pack 1 or Microsoft Office 2010 Service Pack 2. See the Update FAQ for details.
Summary: This security update resolves two privately reported vulnerabilities in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerabilities could allow remote code execution if a user opens a specially crafted file or webpage. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.