NEWS - April 07, 2015

Apr 7, 2015 1:29AM PDT
Is your computer plagued by ad injectors? Google shares staggering adware infection stats

Imagine if when you went Googling for something, you had a page like this served up: [Screenshot]

Rather than a bunch of (hopefully) useful links to webpages about the Nexus 6 Android smartphone, you are served up with a page swathed in banner ads, affiliate links and deals getting in the way of the content you really want to see.

The graphical ads on that page should instantly stand out as unusual for Google, but take a closer look at those text links too. [Screenshot]

The fact is that all of these links and banner ads are helping to make money for whoever has tricked you into installing a program on your computer.

Continued : https://grahamcluley.com/2015/04/ad-injectors/

Related : Google boots unwanted ad injector extensions from Chrome Web Store

Facebook publishes new security settings guide
Apr 7, 2015 1:36AM PDT

Now that it's made its privacy settings drop-dead simple, Facebook's turned to the cobwebby murk of its security tools to do some spring cleaning.

On Friday, it uncorked 11 new visual and interactive guides on the tools it offers for users to keep their information secure, the steps the company itself takes to keep users' info secure, and the ways users can recognize and fend off attempts to get at their data.

Back in November, Facebook had updated its privacy policy with an animated dashboard on a page called Privacy Basics.

Continued : https://nakedsecurity.sophos.com/2015/04/07/facebook-publishes-new-security-settings-guide/

Related : How to keep your Facebook account secure

Mozilla revokes trust for CNNIC certificates
Apr 7, 2015 1:36AM PDT

Mozilla has joined Google in revoking trust for certificates issued by the China Internet Network Information Center (CNNIC) Certificate Authority.

CNNIC is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China, and operates and administers China's domain name registry, the country's code top level domain (.cn) and the Chinese Domain Name System.

"As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products," Google Security Engineer Adam Langley announced on Wednesday.

Continued : http://www.net-security.org/secworld.php?id=18168

Related : Mozilla piles on China's SSL cert overlord: We don't trust you either

Microsoft drops Do Not Track default from Internet Explorer
Apr 7, 2015 1:36AM PDT

Microsoft has reversed its position on the contentious Do Not Track (DNT) browser feature, saying Internet Explorer will no longer send DNT signals to websites by default.

"Put simply, we are updating our approach to DNT to eliminate any misunderstanding about whether our chosen implementation will comply with the W3C standard," Microsoft chief privacy officer Brendon Lynch said in a Friday blog post.

Redmond introduced Do Not Track in IE9, without much controversy. But beginning with IE10 - which shipped to coincide with the launch of Windows 8 in October 2012 - users who chose "Express Settings" the first time they launched IE had the DNT feature enabled automatically.

Continued : http://www.theregister.co.uk/2015/04/03/microsoft_reverses_ie_dnt_position/

Hacking ATMs, Literally
Apr 7, 2015 1:36AM PDT

Most of the ATM skimming attacks written about on this blog conclude with security personnel intervening before the thieves manage to recover their skimmers along with the stolen card data and PINs. However, an increasingly common form of ATM fraud — physical destruction — costs banks plenty, even when crooks walk away with nothing but bruised egos and sore limbs.

An ATM technician and KrebsOnSecurity reader shared photos of a recent attack in which three would-be robbers went to town on a wall-mounted cash machine with crowbars and hammers. [Screenshot]

According to the technician, the burglars ruined a $13,000 cash acceptor, a $5,000 check scanner, a $900 monitor, and a $700 card reader, among many other pricey items. Hardly any part of the machine escaped damage. [Screenshot]

Continued : http://krebsonsecurity.com/2015/04/hacking-atms-literally/

Vulnerability Forces Mozilla to Disable Opportunistic Encryption in Firefox
Apr 7, 2015 2:19AM PDT

Less than a week after introducing the new opportunistic encryption feature in Firefox, Mozilla has had to disable it because of a security vulnerability in the browser's implementation of the HTTP Alternative Services specification.

The bug puts a kink in the new feature, which was designed to allow clients to connect securely to a server that doesn't support HTTPS. Opportunistic encryption was included in the release of Firefox 37, which Mozilla pushed out on March 31. It is meant to be a defense against some forms of passive monitoring, especially those executed through man-in-the-middle attacks.

But on April 3, Mozilla released Firefox 37.01, a minor maintenance release of the browser that disables opportunistic encryption as a result of a vulnerability related to certificate verification.

Continued : https://threatpost.com/vulnerability-forces-mozilla-to-disable-opportunistic-encryption-in-firefox/112043

Related :
Firefox disables "opportunistic encryption" to fix HTTPS-crippling bug
Firefox issues brand new update to fix HTTPS security hole in new update

Reflected in the Updates thread: Mozilla Firefox Version 37.0.1 Released

As many as 1 million sites imperiled by dangerous bug in WordPress plugin
Apr 7, 2015 4:54AM PDT

"Persistent XSS in WP-Super-Cache allows attackers to insert malicious code."

As many as a million websites could be imperiled by a critical vulnerability recently discovered in WP-Super-Cache, a WordPress plugin that generates static HTML files from dynamic WordPress blogs.

The persistent cross-site scripting bug allows attackers to insert malicious code into WordPress-published pages that use the extension, according to a blog post published Tuesday by security firm Sucuri. Anyone who relies on the plug in should immediately upgrade to version 1.4.4, which has fixes for that bug and several others.

Sucuri researcher Marc-Alexandre Montpas wrote:

Continued : http://arstechnica.com/security/2015/04/as-many-as-1-million-sites-imperiled-by-dangerous-bug-in-wordpress-plugin/

FBI Warns of Fake Govt Sites, ISIS Defacements
Apr 7, 2015 4:54AM PDT

The Federal Bureau of Investigation (FBI) is warning that individuals sympathetic to the Islamic State of Iraq and al-Shams (ISIS) are mass-defacing Websites using known vulnerabilities in WordPress. The FBI also issued an alert advising that criminals are hosting fraudulent government Web sites in a bid to collect personal and financial information from unwitting Web searchers.

According to the FBI, ISIS sympathizers are targeting WordPress Web sites and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international sites. The agency said the attackers are mainly exploiting known flaws in WordPress plug-ins for which security updates are already available.

The public service announcement (PSA) coincides with a less public alert that the FBI released to its InfraGard members, a partnership between the FBI and private industry partners...

Continued : http://krebsonsecurity.com/2015/04/fbi-warns-of-fake-govt-sites-isis-defacements/

Related : FBI Warns of Phony Sites Offering Government Services