NEWS - April 03, 2014

Apr 3, 2014 2:42AM PDT
Yahoo encrypts traffic between data centers, plans for encrypted Messenger

Newly appointed Yahoo CISO Alex Stamos announced on Wednesday that the company has begun fully encrypting all the traffic moving between its data centers. The move was more than likely spurred by the revelations that the NSA taps overseas fiber-optic cables used by Google and Yahoo to exchange data stored in their many data centers in the US and abroad.

Yahoo, which has often been criticized for lagging behind other Internet companies when it comes to privacy protection, has additional great news on that front: it recently enabled HTTPS encryption by default on Yahoo Mail, the Yahoo Homepage, all search queries that run on it, and most Yahoo properties.

"In the last month, we enabled encryption of mail between our servers and other mail providers that support the SMTPTLS standard," Stamos announced, and added that they have implemented support for TLS 1.2, Perfect Forward Secrecy and a 2048-bit RSA key for many of its global properties.

Continued: http://www.net-security.org/secworld.php?id=16632

Related:
Yahoo Encrypts Data Center Links, Boosts Other Services
Yahoo turns on encryption between data centers
Yahoo adds more security to datacentre links, search requests
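The post lists TLS 1.2 and Perfect Forward Secrecy as the target posture. The following is an added example, not Yahoo's configuration: it builds a permissive Python `ssl` client policy beside a hardened one and checks, offline, which enabled cipher suites would actually give forward secrecy (ephemeral ECDHE/DHE key exchange) so a defender can verify their own client or mail relay policy.

```python
"""Compare a permissive TLS client policy with one matching the posture in the
post (TLS 1.2 minimum, forward-secret key exchange only).

Added example, not Yahoo's code or configuration. It only inspects local
ssl.SSLContext objects and never opens a network connection."""
import ssl


def is_forward_secret(cipher_name):
    """True for suites whose key exchange is ephemeral (ECDHE/DHE).

    All TLS 1.3 suites (names starting with TLS_) use ephemeral (EC)DHE by
    design. Static RSA key transport, e.g. 'AES128-GCM-SHA256', lets anyone
    who later obtains the server's private key decrypt recorded traffic."""
    return cipher_name.startswith(("ECDHE-", "DHE-", "TLS_"))


def permissive_context():
    # Weak setting: oldest protocol the library supports and OpenSSL's
    # DEFAULT suite list, which still includes static-RSA key exchange.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")
    return ctx


def hardened_context():
    # Corrected setting: TLS 1.2 minimum and only ephemeral key exchange,
    # i.e. every negotiated suite provides forward secrecy.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def non_forward_secret_suites(ctx):
    """Names of enabled suites that would NOT give forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers()
            if not is_forward_secret(c["name"])]


if __name__ == "__main__":
    print("permissive, no PFS:", non_forward_secret_suites(permissive_context()))
    print("hardened, no PFS:  ", non_forward_secret_suites(hardened_context()))
```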

Attack code for Oracle Java Cloud Service published
Apr 3, 2014 2:45AM PDT

A security researcher has published technical details and attack code for dozens of security flaws claimed to affect Oracle's Java Cloud Service, including some that could allow an attacker to remotely attack apps hosted in its data centres.

Security Explorations, a Poland-based company headed up by Java security specialist Adam Gowdiak, has spilled the beans on 30 flaws it says affect customers of Oracle's Java Cloud at its US and EMEA region data centres.

Gowdiak said he published details of the flaws after Oracle stopped corresponding with him over the issues. According to the researcher, while Oracle said it had developed fixes for 24 of the vulnerabilities, the company didn't provide an update on when they would be released.

Continued: http://www.zdnet.com/attack-code-for-oracle-java-cloud-service-published-7000028015/

Related:
Oracle's Java Cloud Service open to code execution hacks, researchers warn
Researchers publicly disclose vulnerabilities in Oracle Java Cloud Service
Details for 30 Oracle Java Cloud Service flaws revealed

DNS-Based Amplification Attacks Key on Home Routers
Apr 3, 2014 5:00AM PDT

DNS provider Nominum has published new data on DNS-based DDoS amplification attacks that are using home and small office routers as a jumping-off point.

The provider said that in February alone, more than five million home routers were used to generate attack traffic; that number represents more than one-fifth of the 24 million routers online that have open DNS proxies.

The impact hits Internet service providers (ISPs) especially hard because amplification attacks not only consume bandwidth, but also drive up support costs and impact customer confidence in their ISP, Nominum said.

Continued: http://threatpost.com/dns-based-amplification-attacks-key-on-home-routers/105220

Related: 24 million routers expose ISPs to DNS-based DDoS attacks
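The post describes open DNS proxies on home routers being used to reflect and amplify traffic. The following is an added example, not Nominum's data or tooling: it parses a constructed, simplified resolver log and flags clients whose queries produce a response-to-request byte ratio typical of amplification abuse. Because reflection relies on spoofed source addresses, a flagged "client" is the victim being hit, not the attacker.

```python
"""Flag clients whose DNS traffic through a resolver looks like reflection
and amplification abuse.

Added example, not from the Nominum report or the CNET post. The log format is
a constructed, simplified one:
    <unix_ts> <client_ip> <qname> <qtype> <req_bytes> <resp_bytes>
In a reflection attack the client_ip is the spoofed victim address."""
from collections import defaultdict

# Constructed sample: one client repeatedly sends small ANY queries that
# return multi-kilobyte answers, the others look like normal lookups.
SAMPLE_LOG = """\
1396500000 203.0.113.7 example.com A 45 61
1396500001 198.51.100.9 isc.org ANY 40 3200
1396500001 198.51.100.9 isc.org ANY 40 3200
1396500002 198.51.100.9 ripe.net ANY 41 2900
1396500002 203.0.113.8 example.net AAAA 47 75
1396500003 198.51.100.9 isc.org ANY 40 3200
"""


def parse_line(line):
    ts, ip, qname, qtype, req, resp = line.split()
    return {"ts": int(ts), "client": ip, "qname": qname, "qtype": qtype,
            "req_bytes": int(req), "resp_bytes": int(resp)}


def amplification_by_client(log_text):
    """Per client: query count, bytes in/out, ANY count and amplification factor."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["queries"] += 1
        s["req"] += rec["req_bytes"]
        s["resp"] += rec["resp_bytes"]
        s["any"] += rec["qtype"] == "ANY"
    return {ip: {**s, "factor": s["resp"] / s["req"]} for ip, s in stats.items()}


def flag_reflection_targets(log_text, min_factor=10.0, min_queries=3):
    """Clients with a sustained amplification factor above the threshold."""
    return sorted(ip for ip, s in amplification_by_client(log_text).items()
                  if s["factor"] >= min_factor and s["queries"] >= min_queries)


if __name__ == "__main__":
    print(flag_reflection_targets(SAMPLE_LOG))  # → ['198.51.100.9']
```

Operators of an open proxy can act on this by rate-limiting or dropping ANY queries and, better, closing the proxy to the WAN side entirely.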

Got a Boxee TV account? You should change your password
Apr 3, 2014 5:00AM PDT

The personal details of some 158,128 people - including their names, email addresses, birth dates, IP addresses - have been leaked following what appears to be a serious security breach at Samsung-owned web TV service, Boxee.

The information, which also includes IP addresses, full message archives and simply salted passwords of Boxee TV forum users, appears to be related to Boxee's online forums, which became dormant shortly after the company was acquired by Samsung last year.

Boxee was perhaps most famous for its strangely lopsided set-top hardware, but now it may be remembered more for its mysterious silence regarding a database breach.

Continued: http://grahamcluley.com/2014/04/got-boxee-change-password/

Related: Hack of Boxee.tv exposes password data, messages for 158,000 users

Apple releases Safari 7.0.3, fixes security
Apr 3, 2014 5:01AM PDT

Apple updated Safari for Mavericks to version 7.0.3, while fixing security and adding compatibility and stability improvements. The update is available through the software update tool in the App Store.

Safari 7.0.3 update details:

• Fixes an issue that could cause the search and address field to load a webpage or send a search term before the return key is pressed
• Improves credit card autofill with websites
• Fixes an issue that could block receipt of push notifications from websites
• Adds a preference to turn off push notification prompts from websites
• Adds support for webpages with generic top-level domains
• Strengthens Safari sandboxing
• Fixes security issues, including several identified in recent security competitions.

http://www.net-security.org/secworld.php?id=16620

Related: What took you so long Apple? 26 remote exec bugs die in OS X Safari

See Vulnerabilities / Fixes: Apple Safari Multiple Memory Corruption Vulnerabilities

Fans Tricked with Fake Bitdefender Antivirus Plus 2015
Apr 3, 2014 5:01AM PDT

Bitdefender's "HOT for Security" Blog:

Bitdefender fans are not the only ones excited about the 2015 suite release in the works - scammers are also preoccupied with the new antivirus edition. They have started promoting fraudulent links on YouTube and Facebook promising the 2015 edition.

The fake Bitdefender antivirus download posted on YouTube leads users to fraudulent surveys and premium SMS scams. The video had hundreds of views and several French users posted messages to warn others. [Screenshot]

"Bitdefender Antivirus Plus 2015 has been launched," the YouTube description reads. "Bitdefender Antivirus Plus has got many advanced features that make it better than most of the other antivirus softwares [sic] available in the market".

The grammatically-troubled spammers lure users into clicking on a URL-shortened link that hides a fraudulent website. The "Bitdefender" download is then blocked by a phony human verification warning.

Continued: http://www.hotforsecurity.com/blog/fans-tricked-with-fake-bitdefender-antivirus-plus-2015-8262.html

Android Botnet Targets Middle East Banks
Apr 3, 2014 5:14AM PDT

I recently encountered a botnet targeting Android smartphone users who bank at financial institutions in the Middle East. The crude yet remarkably effective mobile bot that powers this whole operation comes disguised as one of several online banking apps, has infected more than 2,700 phones, and has intercepted at least 28,000 text messages.

The botnet — which I've affectionately dubbed "Sandroid" — comes bundled with Android apps made to look like mobile two-factor authentication modules for various banks, including Riyad Bank, SAAB (formerly the Saudi British Bank), AlAhliOnline (National Commercial Bank), Al Rajhi Bank, and Arab National Bank. [Screenshot]

It's not clear how the apps are initially presented to victims, but if previous such scams are any indication they are likely offered after infecting the victim's computer with a password-stealing banking Trojan. Many banks send customers text messages containing one-time codes that are used to supplement a username and password when the customer logs on to the bank's Web site. And that precaution of course requires attackers interested in compromising those accounts to also hack the would-be victim's phone.

Continued: http://krebsonsecurity.com/2014/04/android-botnet-targets-middle-east-banks/

U.S. States Investigating Breach at Experian
Apr 3, 2014 10:14AM PDT

An exclusive KrebsOnSecurity investigation detailing how a unit of credit bureau Experian ended up selling consumer records to an identity theft service in the cybercrime underground has prompted a multi-state investigation by several attorneys general, according to wire reports.

Reuters moved a story this afternoon quoting Illinois Attorney General Lisa Madigan saying that "it's part of a multistate investigation," and that Connecticut Attorney General George Jepsen said that Connecticut is looking into the matter as well.

News of the breach first came to light on this blog in October 2013, when KrebsOnSecurity published an exclusive story detailing how a Vietnamese man running an online identity theft service bought personal and financial records on Americans directly from a company owned by Experian, one of the three major U.S. credit bureaus.

Continued: https://krebsonsecurity.com/2014/04/u-s-states-investigating-breach-at-experian/