NEWS - April 29, 2014

Apr 29, 2014 9:13AM PDT
Security breach at AOL. Users told to change passwords

Last week I described how many AOL accounts appeared to be spamming out links to diet spam and Android malware, and speculated that the service could have suffered a serious breach of security.

At the time I wrote:

have the address books of AOL users or AOL's mail logs somehow fallen into the hands of malicious third parties?

In a statement posted yesterday, AOL confirmed my fears:

AOL's investigation is still underway; however, we have determined that there was unauthorized access to information regarding a significant number of user accounts. This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

AOL is attempting to calm user fears that unencrypted passwords may now be in the hands of hackers, but at the same time is sensibly suggesting that users change their passwords:

Continued: http://grahamcluley.com/2014/04/security-breach-aol/

Related:
You've got pwned: AOL reports e-mail breach as bigger than thought
AOL traces mystery spam flood to security breach; passwords and more stolen
AOL Investigating Breach, Urges Users to Change Passwords
AOL breach confirmed, bigger than initially thought

Adobe Update Nixes Flash Player Zero Day
Apr 29, 2014 10:04AM PDT
Adobe Systems Inc. has shipped an emergency security update to fix a critical flaw in its Flash Player software that is currently being exploited in active attacks. The exploits so far appear to target Microsoft Windows users, but updates also are available for Mac and Linux versions of Flash.

The Flash update brings the media player to v. 13.0.0.206 on Windows and Mac systems, and v. 11.2.202.356 for Linux users. To see which version of Flash you have installed, check this link.

IE10/IE11 and Chrome should auto-update their versions of Flash. If your version of Flash on Chrome (on either Windows, Mac or Linux) is not yet updated, you may just need to close and restart the browser.

Continued: http://krebsonsecurity.com/2014/04/adobe-update-nixes-flash-player-zero-day/

Related:
Zero-day Flash bug under active attack in Windows threatens OS X, Linux too
Adobe patches actively exploited vulnerability in Flash Player

IE Zero-Day Turns into Permanent Threat for XP Users
Apr 29, 2014 10:04AM PDT

From the Bitdefender "HOT for Security" Blog:

A new Internet Explorer zero-day vulnerability is currently being exploited in the wild. The vulnerability identified on Saturday affects all versions of Internet Explorer, including the archaic versions 6 through 8 which ship with the now-dead Windows XP.

Internals of the exploit

This newly discovered flaw, also known as CVE-2014-1776, leverages a Flash exploitation technique that loads a SWF file to corrupt process memory and direct the program's flow to a memory location where malicious code is laid out. This exploitation technique can bypass the two most important security mechanisms in Windows: DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization).

Impact

While a zero-day attack against an application as popular as Internet Explorer is serious business, things are even worse for a special category: the Windows XP users. Less than three weeks ago, Microsoft shipped the last security update for 20-something percent of Windows users with the firm promise that it would be the last one ever.

Continued: http://www.hotforsecurity.com/blog/internet-explorer-zero-day-turns-into-permanent-threat-for-xp-users-8500.html

Vishing Attacks Targeting Dozens of Banks
Apr 29, 2014 10:04AM PDT

A recent VoIP-based phishing campaign has been netting the payment card information of up to 250 Americans per day.

Voice over IP phishing, or vishing, is a form of phishing that relies on users getting tricked into giving up their payment card information after receiving phone or SMS messages - purporting to come from banks - instructing them to do so.

Security firm Phish Labs unveiled research on the wave of attacks on its blog today and said it stumbled upon a "cache of stolen payment card data belonging to customers of dozens of financial institutions" upon investigating the campaign.

The firm speculates that an Eastern European crew is carrying out the spree of attacks by using email-to-SMS gateways to send messages informing victims that their debit card has been deactivated.

More than 50 medium-sized banks have been targeted by campaigns over the last several years.

Continued: http://threatpost.com/vishing-attacks-targeting-dozens-of-banks/105774