Chrome Canary Bug Hides URLs A Little Too Well
Borrowing a tactic from the mobile Safari browser in iOS, Google may soon abandon displaying complete URLs in Chrome.
The Canary version of the browser, an unstable version designed for developers and early adopters, is toying with the idea of no longer displaying full URLs in its Omnibox—what other browsers call an address bar—instead moving the top-level domain to a prominent spot left of the Omnibox known as the Origin Chip.
The idea is that this will make it much easier for users to spot phishing sites. But web security firm PhishMe has reported a bug where URLs that exceed 100 characters will not display a top-level domain or URL of any kind, showing only an empty search bar instead.
Continued : http://threatpost.com/chrome-canary-bug-hides-urls-a-little-too-well/105939
Related: Address bar tweak in early Chrome beta puts even savvy users at risk
Orange hacked again. 1.3 million have personal data stolen
French telephone company Orange must have something of a red face right now, as it has found itself in the embarrassing position of admitting that hackers have made away with customer information for the second time this year.
In the latest security breach, hackers managed to seize the names, email addresses, phone numbers, dates of birth and other information related to a jaw-dropping 1.3 million current and potential customers.
Orange says that it detected the hack against a platform used by the company to send promotional emails and text messages on April 18th, but has kept quiet until this week as it wanted to ensure that the security holes used by the attackers to breach the phone company's systems had been patched.
Continued : http://grahamcluley.com/2014/05/orange-hacked-again/
Orange hacked again, 1.3M users affected
Orange France hacked AGAIN, 1.3 million victims seeing red
New App Recognizes Twitter Bots, Researchers Say
Bitdefender's "HOT for Security" Blog:
Indiana University researchers have developed a new app that identifies Twitter accounts controlled by automated software designed to flood online conversations with spam and misleading information, the researchers say.
The BotOrNot app examines about 1,000 account features including the user's network, content and posting frequency to determine the extent to which an account resembles a social bot.
"We have applied a statistical learning framework to analyze Twitter data, but the 'secret sauce' is in the set of more than one thousand predictive features able to discriminate between human users and social bots, based on content and timing of their tweets, and the structure of their networks," said Alessandro Flammini, associate professor of informatics and principal investigator on the project.
Continued : http://www.hotforsecurity.com/blog/new-app-recognizes-twitter-bots-researchers-say-8547.html
Email-borne exploits: the not-so innocuous killers targeting small business
"Malwarebytes Unpacked" Blog:
Email remains a widely used infection vector that mostly relies on social engineering a victim to click on a link or execute an attachment.
As far as malicious attachments go, the majority are zipped executables that often use the double extension trick (i.e. Invoice.doc.exe) and will directly infect a user's PC as soon as they are run.
But there's another type of malicious attachment, one that we seldom hear about, that may deceive a lot of people and sneak past your antivirus: regular documents that have been exploited.
Just a couple of days ago, we spotted a new wave of spam emails spewing malicious PDF files. The decoy, which purports to be an invoice, is directly attached to an email targeting small businesses: [Screenshot]
Continued : http://blog.malwarebytes.org/exploits-2/2014/05/email-borne-exploits-the-not-so-innocuous-killers-targeting-small-business/
Related: Small businesses targeted with email-borne exploits
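The double extension trick mentioned above is easy to screen for at the mail gateway before a user ever sees the attachment. The following is an added example, not code from Malwarebytes or the original post: it opens a zipped attachment in memory and flags member names whose final extension is executable while the one before it masquerades as a document. The extension lists and the sample archive are constructed for the illustration and are not exhaustive.

```python
"""Flag zipped e-mail attachments that use the double-extension trick (Invoice.doc.exe)."""
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that execute as code on a Windows PC. Constructed list, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
# Extensions a sender would pick to make the file look like a harmless document.
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def is_double_extension(name: str) -> bool:
    """True when the name ends in an executable extension preceded by a decoy one.

    PurePosixPath only looks at the final path component, so nested archive
    paths such as 'docs/Invoice.doc.exe' are handled the same as bare names.
    """
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if len(suffixes) < 2:
        return False
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return the names of archive members that match the double-extension trick."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if not info.is_dir() and is_double_extension(info.filename)]


def build_sample_attachment() -> bytes:
    """Constructed sample archive shaped like the ones described; contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.doc.exe", b"not a real program")   # the decoy executable
        zf.writestr("Invoice.pdf", b"%PDF-1.4 placeholder")      # ordinary document name
        zf.writestr("readme.txt", b"plain text")                 # single extension
    return buf.getvalue()


if __name__ == "__main__":
    for member in suspicious_members(build_sample_attachment()):
        print("quarantine:", member)
```

The same check applies to the bare attachment filename when it is not zipped; a gateway that also inspects the file's magic bytes will catch renamed executables that this name-only test cannot.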
Flash and Java still as vulnerable as ever, says Microsoft
"Microsoft's latest Security Intelligence Report for the second half of 2013 sees Java and Flash as the top attack vectors, with Java being nearly the default"
Java and Flash are still gigantic targets for attackers, and Java has become the biggest security problem for Windows users, according to Microsoft's most recent Security Intelligence Report (pdf). Volume 16 covers trends in worldwide IT security across the second half of 2013.
The report, assembled mainly from intelligence from Microsoft's Trustworthy Computing division, looks at the way the most common threats faced in computing today -- vulnerabilities, malware, exploits, and so on -- evolved during 2013. What's most dismaying is that so many of the same kinds of exploits, attacks, and attack vectors remain a problem.
Continued : http://www.infoworld.com/t/malware/flash-and-java-still-vulnerable-ever-says-microsoft-242130
* * * * * * * * * * * * * * * *
Also related to the Microsoft Security Intelligence Report:
Malware peddlers prefer deceptive tactics to exploits
Cyber crooks are losing interest in exploits as an attack vector, and are concentrating on deceptive downloads and ransomware as a means of earning or stealing money.
The trend is very obvious to Microsoft. In its newest Security Intelligence Report (SIRv16), the data gathered via the company's Malicious Software Removal Tool and real-time protection products reveal that worldwide infection rates and encounter rates in the second half of 2013 have risen considerably.
Continued : http://www.net-security.org/malware_news.php?id=2763
Report-related: Malware infections tripled in late 2013, Microsoft finds
New iPhone lock screen flaw gives hackers full access to contact list data
"iPhone users are vulnerable to a lock-screen flaw that allows a hands-on hacker to gain full access to a user's contacts list."
According to Sherif Hashim, the Egyptian part-time hacker who discovered the flaw and recorded the steps on YouTube, the vulnerability only exists when running iOS 7.1.1, the latest version of the mobile platform, and when Siri is available from the lock screen.
The flaw appears when Siri is triggered on the lock screen and a user says, "Contacts." Although Siri refuses to disclose any details and brings up the passcode screen, a user is able to reach the contacts list by pulling up on the screen, editing the request, and asking for a duplicated name. If you have more than one "John," for instance, you have the option to view all contacts from the "Other..." menu.
However, the hacker attempting to gain access to the device must be in its physical presence in order to perform the trick.