All posts by 007admin

HP Security Bulletin HPSBGN03099

HP Security Bulletin HPSBGN03099 – A potential security vulnerability has been identified with HP IceWall SSO Dfw, SSO Agent and MCRP running OpenSSL. The vulnerability could be exploited remotely resulting in disclosure of information. Revision 1 of this advisory.

Mandriva Linux Security Advisory 2014-172

Mandriva Linux Security Advisory 2014-172 – The gdImageCreateFromXpm function in gdxpm.c in libgd, as used in PHP 5.4.26 and earlier, allows remote attackers to cause a denial of service via a crafted color table in an XPM file. The file utility before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service via a crafted file that triggers backtracking during processing of an awk rule. Various other issues have also been addressed. The updated php packages have been upgraded to the 5.5.16 version to resolve these security flaws. Additionally, php-apc has been rebuilt against the updated php packages and the php-timezonedb packages have been upgraded to the 2014.6 version.

CERT/CC Enumerates Android App SSL Validation Failures

The CERT Coordination Center at Carnegie Mellon today released a list of Android applications hosted on Google Play and Amazon that it says fail to validate SSL certificates over HTTPS.

Car hacking – are one-third of thefts ‘electronic hacks’?

The UK government is to work with car manufacturers to prevent hackers using electronic means to break into increasingly hi-tech vehicles in Britain, after a spate of ‘car hacking’ in London, Computer World reports.

In a speech to independent think tank Reform, Home Secretary Theresa May said that thieves were using “sophisticated devices” to grab car key codes, and driving away in less than 10 seconds without using force, according to the Daily Mail.

The report claimed that “hackers” were behind a third of car thefts in London.

At the Black Hat security conference this summer two researchers launched a petition to change how car companies and technology companies work together. “We request that you unite with us in a joint commitment to safety between the automotive and cyber security industries,” the researchers said via Change.org.

Car hacking: A real risk?

In her speech to Reform, May said, “There have been reports that they could even use ‘malware’ to commandeer vehicle systems via satellites and issue remote demands to unlock doors, disable alarms and start car engines.”

“Because we have this understanding, we can now work with industry to improve electronic resilience, include this kind of resilience in the vehicle’s overall security ratings, and work out the extent to which the same threat applies to other physical assets such as building security systems.”

May’s speech echoes a series of presentations by security researchers which warn that as cars become increasingly ‘connected’, with up to 200 control units each, hacking such vehicles becomes easy.

Two researchers have concluded that this will become even easier once web browsers in cars become more common.

Hackers behind ‘third’ of crimes

Earlier this summer, a group of Chinese researchers showed off a hack which could open the doors on a Tesla S while in motion, as well as controlling other vehicle systems – and the car’s control panel, thought to run a modified version of Firefox, was claimed to be behind the hack.

Charlie Miller and Chris Valasek, in their paper A Survey of Remote Automotive Attack Surfaces, conclude that the danger of “hackable” cars is expanding, and is about to grow rapidly as web browsers are added to cars.

“Once you add a web browser to a car, it’s open. I may not be able to write a Bluetooth exploit, but I know I can exploit web browsers.”

Last year a U.S. senator urged auto manufacturers to change – and his open letter ignited a spate of commentary, with Market Oracle describing the crime as “cyberjacking”, and pointing out that the average family car contains 100 million lines of computer code, and that software can account for up to 40% of the cost of the vehicle, according to researchers at the University of Wisconsin-Madison.

On the researchers’ page, I am the Cavalry, they say, “Modern cars are computers on wheels and are increasingly connected and controlled by software. Dependence on technology in vehicles has grown faster than effective means to secure it.”

The post Car hacking – are one-third of thefts ‘electronic hacks’? appeared first on We Live Security.

Credit card security fears – could Home Depot breach be biggest yet?

Shoppers at Home Depot stores may have had their credit card security details leaked online, after a massive batch of card information went on sale on a criminal internet site this week, according to veteran security writer Brian Krebs, who reported the possible breach on his Krebs on Security website. Krebs claims the breach may be the biggest yet seen.

The credit card security breach could have begun as early as April or early May of this year, and may be linked to hackers responsible for the breaches at Target and P.F. Changs, according to Krebs. Separate batches of debit and credit card details from European and American shoppers have been offered for sale on a criminal website this week.

USA Today reports that the breach could dwarf even the Target breach, in which 40 million debit and credit accounts were compromised.

Fox Business News reported that Home Depot has, as yet, not confirmed the scale of the breach.

Credit card security: The biggest breach yet?

“Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately,” spokesperson Paula Drake said in a statement.

The card data were offered for sale under the title “American Sanctions,” which Krebs interpreted as related to the ongoing conflict in Ukraine. Stolen information from European cards which had been used in the stores was sold separately as “European Sanctions,” Krebs reported.

Home Depot shares dropped 2.6% at the news, Fox Business reported.

Krebs spoke to several banks, and his latest update hints that this breach could be the biggest yet seen. “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period,” he says.

Mark James, security specialist at ESET, says, “The news of another credit card hack is not surprising – but is no less worrying. It seems that no company is safe and if you have EVER used a credit card to purchase goods then you may be at risk.”

“It is thought the original team that targeted P.F.Chang’s and Target are also the perpetrators here, and due to the amount of data that has been stolen it stands to reason it will be used or released in batches over time.”

Card breach: What to do

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.”

Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

ESET’s James says, “Nothing can be done about the data already stolen, but we could take some actions to lessen the impact of compromised credit cards. Don’t just have a single credit for all uses: for instance, separate your physical purchases (in store) and your online purchases by using different credit cards for each.”

“At least that way if one gets lost or stolen it’s not so much of an impact to get it stopped and replaced, also it’s always good practice to keep an eye on your credit statement for small or unusual payments, often small (under the radar) amounts are processed to test if the cards are valid. If they go through then larger amounts will follow.”

“If you spot something unusual notify your bank immediately. As always, it’s imperative the organization in question notifies all parties involved in any security breach so we the public can take action quickly.”

The post Credit card security fears – could Home Depot breach be biggest yet? appeared first on We Live Security.