NEWS - August 08, 2016

Aug 8, 2016 8:47AM PDT

Lawrence Abrams (creator and owner of BleepingComputer.com) on August 5th:

Understanding the Windows Credential Leak Flaw and How to Prevent It

This week there has been a lot of news about a flaw in Windows that could be used by web sites to easily gain access to a visitor's Windows login name and password. When I tested this flaw it was downright scary. Using a test site for this flaw, the site was able to get my test Microsoft Account login name and the hash of its password in a few seconds. Then it took the site less than 30 seconds to crack the password! What is even scarier, is that this flaw is not new and was discovered in March 1997!

News about this flaw was recently reported again by VPN company Perfect Private and by ValdikSS, who is affiliated with the Russian VPN service ProtoVPN. They have both set up test sites that demonstrate this flaw so that visitors can determine if they are affected and should change their passwords.

Continued : http://www.bleepingcomputer.com/news/security/understanding-the-windows-credential-leak-flaw-and-how-to-prevent-it/

iOS 9.3.4 Patches Critical Code Execution Flaw
Aug 8, 2016 9:24AM PDT

Apple last week patched a critical iOS memory corruption vulnerability that could allow attackers to execute code on compromised devices.

The flaw was found by Team Pangu, a Chinese hacker group that specializes in building iOS jailbreak tools. The vulnerability is fixed in iOS 9.3.4.

“An application may be able to execute arbitrary code with kernel privileges,” Apple said of the flaw in its advisory; CVE-2016-4654 was assigned to the vulnerability.

Continued: https://threatpost.com/ios-9-3-4-patches-critical-code-execution-flaw/119710/

Related:
Apple thwarts jailbreakers with iOS 9.3.4 update
http://arstechnica.com/apple/2016/08/apple-thwarts-jailbreakers-with-ios-9-3-4-update/

Android trojan loads ads, installs paid apps on devices
Aug 8, 2016 9:25AM PDT

So far in 2016 Android users have seen malware intercept and change URLs in mobile browsers, use Google Talk to call Chinese numbers, and take advantage of steganography to find malicious code to run.

Now they are seeing a new Android trojan load up advertisements and install paid applications on victims' devices.

On 4 August, researchers at the Russian IT security firm Doctor Web published a description of the virus: [...]

Continued: https://www.grahamcluley.com/2016/08/android-trojan-loads-ads-installs-paid-apps-victims-devices/

Data Breach At Oracle's MICROS Point-of-Sale Division
Aug 8, 2016 9:26AM PDT

A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

Continued : http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-division/

Unwanted bundled software is more aggressive than malware
Aug 8, 2016 9:27AM PDT
Google: Unwanted bundled software is way more aggressive than malware

Google says it issues over 60 million warnings each week to help users avoid installing software that attempts to gain user consent by deception.

According to Google, it issues three times as many unwanted software warnings than malware warnings, much of which relates to adware and browser-hijacking software that's been sneakily bundled with legitimate software.

Ad affiliate networks know that people rarely read terms and conditions and exploit this failing by burying details about bundled software in the text of their consent form. Consumers may not want the additional software, but their consent allows the affiliate marketer to operate legally.

Continued: http://www.zdnet.com/article/google-unwanted-bundled-software-is-way-more-aggressive-than-malware/
QuadRooter Android Security Bugs Affect over 900M Devices
Aug 8, 2016 11:45AM PDT

A set of four vulnerabilities in Qualcomm chipsets allow an attacker to gain root-level access on Android devices, which, according to the latest statistics, translates to over 900 million affected tablets and smartphones.

The four vulnerabilities have been disclosed today at the DEF CON 24 security conference in Las Vegas by a team of Check Point researchers.

Continued: http://news.softpedia.com/news/quadrooter-android-security-bugs-affect-over-900-million-devices-507052.shtml

Related:
New Android Vulnerabilities in Over 900 Million Devices
http://blog.checkpoint.com/2016/08/07/quadrooter/
Qualcomm-powered Android devices plagued by four rooting flaws
http://www.computerworld.com/article/3105052/security/qualcomm-powered-android-devices-plagued-by-four-rooting-flaws.html

AdBlock Plus blocked in China: 159m forbidden from ..
Aug 8, 2016 11:46AM PDT
.. stripping adverts

The makers of the AdBlock Plus (ABP) say their ad-blocking browser plugin has been effectively outlawed in China by the Chinese government.

ABP communications boss Ben Williams said in a blog post today that the ban was part of a larger effort by the state to crack down on technology tampering with ads.

In the process, Williams claims, it and other ad-blocking tools are being "bullied" out of the mainland as casualties of China's tough rules on internet advertising. ABP stands to lose about 159 million of its users as a result of the policy.

Continued: http://www.theregister.co.uk/2016/08/05/adblock_plus_chinese_ban/
Samsung Pay Token Flaw Allows Fraudulent Transactions
Aug 8, 2016 11:46AM PDT

A researcher has discovered several security issues in the Samsung Pay mobile payment service, including a vulnerability that can be exploited to make fraudulent transactions.

Samsung Pay provides users a digital wallet where they can keep their plastic credit, debit, gift, loyalty and membership cards. When customers want to use one of their cards, they simply select it, enter their PIN or scan their fingerprint, and hold their smartphone near the card reader.

At the Black Hat security conference last week, researcher Salvador Mendoza shared the results of his Samsung Pay analysis. The expert discovered static passwords used to protect databases, weak obfuscation, and comments in the code – all of which could eventually allow a clever attacker to access sensitive data.

Continued: http://www.securityweek.com/samsung-pay-token-flaw-allows-fraudulent-transactions

Related:
A flaw in Samsung Pay could allow hackers to intercept payment details
http://www.digitaltrends.com/mobile/samsung-pay-flaw-mst-black-hat/
