Tag Archives: site

[ISN] Sekurity is hard – technicaleducation.cisco.com vulnerable to XSS


http://www.infosecnews.org/sekurity-is-hard-technicaleducation-cisco-com-vulnerable-to-xss/
By William Knowles @c4i, Senior Editor, InfoSec News, August 22, 2014

On 21 August 2014 the security researcher E1337 reported to XSSposed (XSS exposed) that technicaleducation.cisco.com has an XSS (Cross-Site Scripting) vulnerability (the site currently has 2 vulnerabilities in total reported by security researchers). Cross-Site Scripting (XSS) inserts specially crafted data into existing applications through Web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a modification to a browser script, to a different end user. XSS attacks often lead to bypass of access controls, unauthorized access, and disclosure of privileged or confidential information. Cross-site scripting attacks are listed as the number three vulnerability on the OWASP Top 10 list for 2013. XSS attacks are becoming more and more sophisticated these days and are being used in pair with spear phishing, social engineering and drive-by attacks. [...]


[ISN] 5 cool new security research breakthroughs

http://www.networkworld.com/article/2466795/security0/5-cool-new-security-research-breakthroughs.html
By Bob Brown, NetworkWorld, Aug 19, 2014

University and vendor researchers are congregating in San Diego this week at USENIX Security ’14 to share the latest findings in security and privacy, and here are 5 that jumped out to me as being particularly interesting.

*On the Feasibility of Large-Scale Infections of iOS Devices
Georgia Tech researchers acknowledge that large-scale iOS device infections have been few and far between, but they claim weaknesses in the iTunes syncing process, device provisioning process and file storage could leave iPhones, iPads and other Apple products vulnerable to attack via botnets. The bad guys could get to the iOS devices via a compromised computer, they say, to install attacker-signed apps and swipe personal info. The researchers came to their conclusion after examining DNS queries within known botnets.

*XRay: Enhancing the Web’s Transparency with Differential Correlation
Columbia University researchers introduce XRay, a tool designed to give web users more insight into which of their personal data is being used to target them with ads. The researchers will present at USENIX a prototype of XRay, which has already been posted online as an open source system for others to explore. Initially, the system can be used to explain targeting in Gmail ads, Amazon recommendations and YouTube video suggestions. “Today we have a problem: the web is not transparent. We see XRay as an important first step in exposing how websites are using your personal data,” says Assistant Professor of Computer Science Roxana Geambasu. [...]


[ISN] Crooks turn war-torn Syria into cyber-battlefield

http://www.timesofisrael.com/crooks-turn-war-torn-syria-into-cyber-battlefield/
By David Shamah, The Times of Israel, August 20, 2014

Syrian hackers, known best for their attacks on vital sites in Israel, the US, and Europe, are turning on their own people, taking advantage of their fears about the devastating civil war around them.

The Syrian Electronic Army, an outfit that has gained fame for its hacks of government and defense websites, is one of the biggest beneficiaries of the unrest that has characterized Syria for the past several years. SEA hackers get access to user systems, recording information about on-line accounts and stealing funds, or using victims’ computers as part of huge botnets that send out spam and become part of attacks on banks and financial sites. A new report by security firm Kaspersky Lab shows how the SEA has used a variety of Internet “dirty tricks” to hoodwink panicked web users into clicking on links and files that have installed a variety of Trojans, viruses, password hijackers, and other malware that give cybercrooks full access to computers. Because Syrians are rattled enough by the civil war to apparently click on anything that seems “official,” issued by the government or the army, hackers don’t even have to bother making their phony wares seem real. They’re confident that users will even gladly click on something called “Ammazon Internet Security” if they believe it will make them a bit safer. [...]


[ISN] New website aims to publicly shame apps with lax security

http://arstechnica.com/security/2014/08/new-website-aims-to-shame-apps-with-lax-security/
By Robert Lemos, Ars Technica, Aug 18 2014

The amount of personal data traveling to and from the Internet has exploded, yet many applications and services continue to put user information at risk by not encrypting data sent over wireless networks. Software engineer Tony Webster has a classic solution—shame. Webster decided to see if a little public humiliation could convince companies to better secure their customers’ information. On Saturday, the consultant created a website, HTTP Shaming, and began posting cases of insecure communications, calling out businesses that send their customers’ personal information to the Internet without encrypting it first. One high-profile example includes well-liked travel-information firm TripIt. TripIt allows users to bring together information on their tickets, flight times, and itinerary and then sync it with other devices and share the information with friends and co-workers. Information shared with calendar applications, however, is not encrypted, Webster says, leaving it open to eavesdropping on public networks. Among the details that could be plucked from the air by anyone on the same wireless network: a user’s full name, phone number, e-mail address, the last four digits of a credit card number, and emergency contact information. An attacker could even change or cancel the victim’s flight, he says. So far, TripIt and 18 other applications and services have made the shaming list, many submitted by other people fed up with the security missteps of companies, Webster says. [...]


[ISN] Foreign Minister Julie Bishop’s phone was hacked at the height of the MH17 crisis

http://www.heraldsun.com.au/news/foreign-minister-julie-bishops-phone-was-hacked-at-the-height-of-the-mh17-crisis/story-fni0fiyv-1227026241325
By Ellen Whinnet, Political Editor, Herald Sun, August 16, 2014

FOREIGN Affairs Minister Julie Bishop’s mobile phone was compromised while she was overseas leading tense negotiations to win access to the MH17 crash site in Ukraine. Australian intelligence officials seized Ms Bishop’s phone on her return from a two-week trip to the United States, Ukraine and Holland, having secured a deal to get Australian police into the crash area. Russian-backed rebels shot down the Malaysia Airlines flight with a surface-to-air missile on July 17, killing 298 passengers and crew, including 38 Australians. It is thought that our intelligence agencies know which country those responsible for compromising Ms Bishop’s phone were operating from. [...]


[ISN] Australian teen uncovers security flaw in PayPal

http://www.theage.com.au/it-pro/security-it/australian-teen-uncovers-security-flaw-in-paypal-20140815-1044cx.html
By Ben Grubb, Deputy technology editor, The Age – IT Pro, August 15, 2014

An Australian teenager who found a security flaw in an Australian public transport authority’s website has found another serious vulnerability, this time in the site of global payments provider PayPal. The flaw, uncovered by 17-year-old Melbourne schoolboy Joshua Rogers, allowed hackers to bypass the payment provider’s two-factor authentication system, which adds an extra layer of optional security via a one-time code sent via SMS to the user, or a number generator card. With access to a victim’s PayPal account using the flaw, a hacker could have purchased items online or withdrawn money sitting in the account. Joshua told Fairfax Media via email that he published a blog post on August 4 with a link to a YouTube video demonstrating the issue after the payment company ignored his initial email about the flaw on June 5. [...]


[ISN] Thousands Of People Oblivious To Fact That Anyone On The Internet Can Access Their Computers

http://www.forbes.com/sites/kashmirhill/2014/08/13/so-many-pwns/
By Kashmir Hill, Forbes Staff, 8/13/2014

There are technologists who specialize in “scanning the Internet.” They are like a search team making its way through a neighborhood, but instead of checking the knob of every door, they check Internet entrances to online devices to see which ones are open. These people have been screaming for some time that there is a lot of stuff exposed on the Internet that shouldn’t be: medical devices, power plants, surveillance cameras, street lights, home monitoring systems, and on and on. But incredibly, their message doesn’t seem to get through, because their scans keep on picking up new devices. While talking about the issue at hacker conference Defcon on Sunday, security engineer Paul McMillan sent his winged monkey scanners out looking for computers that have remote access software on them, but no password. In just that short hour, the results came pouring in: thousands of computers on port 5900 using a program called VNC for remote access. The total number is likely over 30,000. Those using the program failed to password-protect it, meaning anyone who comes looking can see what they’re doing, and manipulate their computers. McMillan set a scanner to take a screenshot of every exposed computer it came across. I went through the screens captured Sunday and saw people checking Facebook, playing video games, watching Ender’s Game, reading Reddit, Skyping, reviewing surveillance cameras, shopping on Amazon, reading email, editing price lists and bills, and, of course, watching porn. I saw access screens for pharmacies, point of sale systems, power companies, gas stations, tech and media companies, a cattle-tracking company, and hundreds of cabs in Korea.

This isn’t just about watching people use their computers; the fact that the scanner got in means anyone could manipulate the devices, changing the power company’s settings, pausing the porn stream, going through a company’s records, or reviewing the prescriptions for a pharmacy’s patients. There is no need for hackers to go to great lengths to compromise these computers; their owners have built in backdoors with no locks. “It’s like leaving your computer open, unlocked and ready to rock in a crowded bus terminal and walking away,” says security engineer Dan Tentler, who presented with McMillan. Increasingly, everything is connected to the Internet, and unfortunately, people don’t always know how to connect their things securely. “It’s important to remember that this scan only scratches the very surface of the problem,” says McMillan. “We can’t legally scan for default passwords, but I’m certain if we did, the results would be orders of magnitude worse.” [...]


[ISN] Russian Gang Amasses Over a Billion Internet Passwords

http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html
By Nicole Perlroth and David Gelles, The New York Times, Aug. 5, 2014

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user name and password combinations and more than 500 million email addresses, security researchers say. The records, discovered by Hold Security, a firm in Milwaukee, include confidential material gathered from 420,000 websites, including household names, and small Internet sites. Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems. Hold Security would not name the victims, citing nondisclosure agreements and a reluctance to name companies whose sites remained vulnerable. At the request of The New York Times, a security expert not affiliated with Hold Security analyzed the database of stolen credentials and confirmed it was authentic. Another computer crime expert who had reviewed the data, but was not allowed to discuss it publicly, said some big companies were aware that their records were among the stolen information. “Hackers did not just target U.S. companies, they targeted any website they could get, ranging from Fortune 500 companies to very small websites,” said Alex Holden, the founder and chief information security officer of Hold Security. “And most of these sites are still vulnerable.” [...]
