If one day, you were asked by your dearly trusted Facebook Messenger app to log in because your session had expired, would you do that? If the answer is yes, you might have just shared your Facebook credentials with an impostor app disguised in, otherwise legit, Facebook Messenger app.
The post ‘Serialization’ vulnerability: 6 in 10 Android devices can be hijacked appeared first on Avira Blog.
Internet Defense Prize goes to researchers from the Georgia Institute of Technology for designing a tool that detects a new class of C++ vulnerabilities.
The post Researchers win Internet Defense Prize for C++ detection tool appeared first on We Live Security.
The recent Firefox attacks are an example of active in-the-wild exploitation of a serious software vulnerability.
The post Firefox Under Fire: Anatomy of latest 0-day attack appeared first on We Live Security.
The Information Commissioner’s Office is “making enquiries” into a major data breach at Carphone Warehouse in the UK.
The post ICO investigating major data breach at Carphone Warehouse in the UK appeared first on We Live Security.
An alarming number of computers in the Welsh National Health Service (NHS) are running Windows XP.
Is that really an appropriate level of security for computers that could be holding patients’ medical information?
The post 20,000 NHS Wales PCs still running Windows XP from beyond the grave appeared first on We Live Security.
Earlier this week, security researchers unveiled a vulnerability that is believed to be the worst Android vulnerability yet discovered. The “Stagefright” bug exposes nearly 1 billion Android devices to malware. The vulnerability was found in “Stagefright”, an Android media library. Hackers can gain access to a device by exploiting the vulnerability and can then access contacts and other data, including photos and videos, and can access the device’s microphone and camera, and thus spy on you by recording sound and taking photos.
All devices running Android versions Froyo 2.2 to Lollipop 5.1.1 are affected, which are used by approximately 95% of all Android devices.
The scary part is that hackers only need your phone number to infect you. The malware is delivered via a multimedia message sent to any messenger app that can process MPEG4 video format – like an Android device’s native messaging app, Google Hangouts and WhatsApp. As these Android messaging apps auto-retrieve videos or audio content, the malicious code is executed without the user even doing anything – the vulnerability does not require the victim to open the message or to click on a link. This is unique, as mobile malware usually requires some action to be taken to infect the device. The malware could also be spread via link, which could be sent via email or shared on social networks, for example. This would, however, require user interaction, as the video would not load without the user opening a link. This exploit is extremely dangerous, because if abused via MMS, victims are not required to take any action and there are neither apparent nor visible effects. The attacker can execute the code and remove any signs that the device has been compromised, before victims are even aware that their device has been compromised.
Cybercriminals can take advantage of the vulnerability to collectively spy on millions of people – and even execute further malicious code. Repressive governments could abuse the bug to spy on their own people and enemies. The vulnerability, however, could also be used for non-political spying. Hackers can easily spy on people they know, like their spouse or neighbour – all they need to know is their victim’s phone number. Hackers can also steal personal information and use it to blackmail millions of people, or use the data for identity theft. The possible consequences of this vulnerability need to be taken seriously.
Now comprehensive fixes need to be provided by the phone’s manufacturers in an over-the-air (OTA) firmware update for Android versions 2.2 and up. Unfortunately, updates for Android devices have historically taken a long time to reach users. Hopefully, manufacturers will respond quicker in this case. On a positive note, Google has already responded. HTC told Time “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.”
We recommend users disable “auto retrieve MMS” within their default messaging app’s settings, as a precautionary measure for the moment. We have put together step-by-step instructions on how you can disable auto retrieve for MMS in various Android messaging apps:
Step 1: Open the Messages app and click on the three dots in the upper right hand corner 
Step 2: Click on “Settings” in the dropdown menu 
Step 3: Click on “Multimedia messages” 
Step 4: Uncheck “Auto retrieve” 
Your Messages “Multimedia messages” settings should now look like this:
Google HangoutStep 1: Open the Google Hangout app and click on the three lines in the upper left corner 
Step 2: Click on “Settings” 
Step 3: Click on “SMS” 
Step 4: Scroll down to “Advanced” and uncheck “Auto retrieve MMS” 
Your Google Hangout “SMS” settings should now look like this: 
Step 1: Open the Messenger app and click on the three dots in the upper right hand corner 
Step 2: Click on “Settings” in the dropdown menu 
Step 3: Click on “Advanced” 
Step 4: Uncheck “Auto retrieve” 
Your Messenger “Advanced Settings” should now look like this: 
Step 1: Open the Messaging app and click on the three dots in the lower right hand corner 
Step 2: Click on “Settings” 
Step 3: Scroll down to “Multimedia (MMS) messages” and uncheck “Auto retrieve MMS” 
Your Messaging “Settings” should now look like this: 
Step 1: Open WhatsApp and click on the three dots in the upper right hand corner 
Step 2: Click on “Settings” 
Step 3: Click on “Chat Settings” 
Step 4: Click “Media auto-download” 
Step 5: Click “When using mobile data” and/or “When connected on Wi-Fi” 
Step 6: The “When connected on Wi-Fi” settings are automatically set to download videos, so it is important to uncheck the checkmark 
Step 7: The “When connected on mobile data” settings are NOT automatically set to download videos, but in case you did enable it, you should disable it 
Your WhatsApp “Media auto-download” should now look like this: 
As the cost of fixing security mistakes in Jeep Chrysler Dodge vehicles mounts, so does the need for manufacturers to weigh cybersecurity risks in the product development process, alongside features and benefits.
The post Cybersecurity and manufacturers: what the costly Chrysler Jeep hack reveals appeared first on We Live Security.
The guys from WordPress just released version 4.2.3 of their software, which is mostly a security update. They “strongly encourage you to update your sites immediately.“ To do so just visit your Dashboard, click on ‘Updates’ and then on ‘Update Now’. As mentioned above you’ll only have to update manually if, for whatever reason, you decided to disable the automatic updates.
According to their blog entry the newest version contains fixes for 20 bugs from 4.2. The page also says: “WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnönen.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.“
And don’t forget: Since WordPress is definitely one of the most popular Content Management Systems and blogging platforms out there it remains an attractive target for cybercriminals – especially due to the huge user base. Administrators should always keep their WordPress installations (including addons and themes) updated and patch as soon as there are security updates available.
If you want to find out more about the dangers you could face as a blog administrator and get some advice which might help you to protect your page, take a look at Ange Albertini’s blog article concerning the topic.
The post XSS Vulnerability In WordPress – Update Now appeared first on Avira Blog.
A new study on the Internet of Things with focus on smartwatches released by HP revealed that of 10 smartwatches that were tested, all contain significant vulnerabilities and are a “risk that goes beyond the device”.
So what exactly are we talking about? According to the study (PDF) “the results of the research were disappointing, but not surprising.” There are deficiencies when it comes to authentication and authorization, privacy concerns, and problems with the implementation of SSL/TSL.
Their key takeaways are as following:
So yes, it’s basically the same cycle as with most of the ‘newer’ tech gadgets. They get released, there is a big hype, but security becomes only important after lots and lots of reports on hacks, vulnerabilities, and the inevitable bad press. Think nothing of it guys, everything is just the way it always was …
The post New Study: 10 Out of 10 Smartwatches Vulnerable appeared first on Avira Blog.
Last Friday, Adobe confirmed two new “critical” zero-day flaws in the Adobe Flash Player browser plugin 18.0.0.204 – and earlier versions – for Windows, Mac OS X, and Linux. Today, a third flaw was found. Adobe Flash Player is a widely distributed multimedia and application player used to enhance the user experience when visiting web pages or reading email messages.
We recommend disabling Flash until the bugs are fixed.
Three “critical” Flash zero-day flaws in Adobe Flash Player discovered
Security experts say the two flaws were found in stolen files that were dumped earlier this month from Hacking Team, an Italian security firm that sells communication interception and surveillance software to governments around the world. The third one came from the same documents.
“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in their blog. “Depending on the privileges associated with the user account targeted, an attacker could install programs on the system, alter or delete data, create new accounts with similar user rights, or cause a denial-of-service.”
“Adobe is aware of reports that exploits targeting these vulnerabilities have been published publicly. Adobe expects to make updates available during the week of July 12, 2015,” the blog said.
We recommend you do the following:
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select “About Adobe (or Macromedia) Flash Player” from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.
Affected systems:
