Gentoo Linux Security Advisory 201512-10 – Multiple vulnerabilities have been found in Mozilla Firefox and Thunderbird, the worst of which may allow user-assisted execution of arbitrary code. Versions less than 38.5.0 are affected.
Monthly Archives: December 2015
AVG's Web TuneUp Put Millions Of Chrome Users At Risk
Watch Infosec Bods Swipe PINs, Magstripe Data From Card Readers Live On Stage
Linode's Crippling Cyber-Siege Enters Day Four
Security's Biggest Winners And Losers In 2015
Google 'Android N' Will Not Use Oracle's Java APIs
Google appears to be no longer using Java application programming interfaces (APIs) from Oracle in future versions of its Android mobile operating system, and switching to an open source alternative instead.
Google will be making use of OpenJDK – an open source version of Oracle’s Java Development Kit (JDK) – for future Android builds.
This was first highlighted by a “mysterious Android
Mutating mobile malware and advanced threats are on the horizon as we approach 2016
Bad guys know that people are moving their computing to mobile, so they are adapting
Yesterday, we walked you through a set of our 2016 predictions in regards to home router security, wearables and the Internet of Things. In addition to these important topics, mobile threats are not something that should be ignored as we move into 2016.
“Most people don’t realize that mobile platforms are not really all that safer or immune from attack then desktop platforms,” said Ondřej Vlček, COO of Avast. “Most people use mobile devices in a more naive way then they use a PC because they just don’t understand that this is a full blown computer that requires caution.”
Hackers have done their homework to prepare for the new year
Over the course of this year, we’ve seen a list of notable mobile threats that jeopardized the privacy and security of individuals. Our own mobile malware analyst, Nikolaos Chrysaidos, has a few ideas about several issues that could crop up in the new year:
- Android malware that can mutate. This superintelligent family of malware is capable of altering its internal structure with new and improved functions, changing its appearance, and if left unmonitored, spreading on a viral scale. And yes, this concept is just about as scary as it sounds.
- More security vulnerabilities that can be exploited as a result of fuzzing. This year, there was a good amount of research on fuzzing, making it more and more of a familiar concept to both good and bad guys within the digital world. Fuzzing is a technique that is used to discover security loopholes in software by inputting massive amounts of data, or fuzz, into a system with the intent of overloading and crashing it. Next year, these vulnerabilities could look similar to Stagefright, the unique and dangerous vulnerabillity that, when exploited, left mobile devices vulnerable to spyware.
- Smarter social engineering techniques. Now that most people know about certain vulnernabilities and their potential consequences, hackers can take advantage of this knowledge and use it to their advantage. For example, a hacker could trick users into installing their malware by telling them that an MMS is waiting for them but can’t be sent via text message due to risks associated with the Stagefright bug. Users are then prompted to click on a malicious download link. Although we could see more of these advancements in 2016, the concept isn’t completely new – this year, an example of this type of technique could be seen within OmniRat spy software.
- APTs on mobile. In 2016, Advanced Persistent Threats (APTs) could be used to target politicians. This could be accomplished by using spyware (similar to Droidjack or OmniRat) in combination with specific social engineering techniques that could aid hackers in gaining access to powerful and influential individuals.
With this list of potential threats and risks in mind, it becomes clear that our mobile devices hold more value than just our apps and contacts. As hackers‘ techniques grow smarter, it’s important that we do the same in regards to the way that we approach our security.
Protect your Android devices with Avast Mobile Security. That and other apps like our new Wi-Fi Finder and Avast Cleanup & Boost are free from the Google Play Store.
Follow Avast on Facebook, Twitter, YouTube, and Google+ where we keep you updated on cybersecurity news every day.
Netduma R1 Router CSRF
Posted by Josh Chaney on Dec 30
## Introduction
Affected Product: Netduma R1 Router
Affected Version(s): 1.03.4 and 1.03.5
Link: http://www.netduma.com/firmware/R1-v-1-03-4.sig
Vendor Website: https://netduma.com/
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 11/19/2015
Disclosed to public: 12/29/2015
Credits: @joshchaney
##…
Re: Executable installers are vulnerable^WEVIL (case 15):F-SecureOnlineScanner.exe allows arbitrary (remote) codeexecution and escalation of privilege
Posted by lists on Dec 30
Hi Stefan and all,
While we finally did get CVE-2000-0854 the overdue attention, we apparently
didn’t promote this enough:
http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html
(presented at Source Boston in 2012). So now you’ll have to do it – good
luck 🙂
BTW, Stefan, soon you’ll be able to create your own patches for these, and
many other bugs, with http://0patch.com. You’re welcome.
Cheers,
Mitja…
The 10 most alarming cyberattacks of 2015
Neither personal information nor fingerprints have been safe from cybercriminals in the past year and, as the year comes to a close, one thing is for sure – the more devices that we have, the more security we need.
Throughout the course of the year, cybercriminals have shown that they are capable of discovering and, taking advantage of, any vulnerability possible in order to get their hands on our data or to control our devices. Below is a roundup of the most damaging and alarming of these attacks.
Fingerprint theft
If fingerprints are seen as one of the most secure methods of biometric security (they are the current method of unblocking iPhones), the theft of information belonging to US government employees showed that there are serious things to consider with the system.
Last June, a group of cybercriminals managed to obtain the fingerprints of nearly six million federal workers, which could put not only their mobile phones in danger, but even the security of the country.
Remote control of smart cars
Another of the big challenges facing cybersecurity is the issue of smart cars. Until there is a solution, these cars will continue to be vulnerable to manipulation. Last summer, two hackers showed that it was possible to take advantage of errors in the computer system onboard a Jeep Cherokee and took control of the car, even managing to apply the brakes on the vehicle, all carried out remotely.
Thousands of compromised Android devices
Not all of the vulnerabilities in the world of IT security are focused on modern tools or devices. In fact, smartphones have been at the center of a massive scandal in 2015, when thousands of Android devices were affected by Stagefright, a security failure which allowed cybercriminals to access any Android phone and control it without the owner knowing.
The online dating furor
Without a doubt the biggest scandal of the year was the leaking of information relating to more than 32 million users of the online dating site Ashley Madison. This sent shockwaves through the cybersecurity world and served to remind everyone, both platforms and users, of the dangers facing IT security.
A vulnerable infusion pump
The health and safety of people is also at risk due to the vulnerabilities of different devices. It’s not just smart cars that can be manipulated and involved in accidents, as this year an infusion pump used in hospitals to administer patients’ medicine had to be removed. It turned out that if a cybercriminal had connected to the hospitals’ networks, they could have accessed the machine, manipulating it and changing its settings.
Gas stations at risk
It’s not just hospital pumps that are in danger, as investigations carried out on both sides of the Atlantic uncovered the risks facing gas stations. Once connected to a network, these pumps could be attacked, and a cybercriminal could even cause one to explode.
A year to forget for Apple
2015 has been the worst year for Apple in terms of security as the number of attacks directed at its devices has increased five-fold on the previous year, while the number of new vulnerabilities has continued to grow. One such example is the bug Dyld, which was discovered over the summer and affected the MAC OS X operating system.
Data stolen via third-parties
15 million T-Mobile customers had their data stolen by cybercriminals this year. According to the company, the information wasn’t taken from their own servers, but rather stolen from the company that looked after payments for T-Mobile’s customers.
Data theft via web browsers
The biggest names in the technology sector haven’t escaped the year without a few scares. Last summer Firefox had to advise its users that a failure in the browser meant that cybercriminals could have looked for and stolen files without the victim realizing.
A bad end to the year for Dell
The final scandal of the year happened last month, when it was discovered that the latest models of Dell computers were hiding a serious security failure. Thanks to this vulnerability, cybercriminals were able to alter the communication between various different systems and steal information from the affected computers.
The post The 10 most alarming cyberattacks of 2015 appeared first on MediaCenter Panda Security.