

NEWS - December 09, 2014

Dec 9, 2014 12:47AM PST
Meaner POODLE bug that bypasses TLS crypto bites 10 percent of websites

Some of the world's leading websites—including those owned or operated by Bank of America, VMware, the US Department of Veterans Affairs, and business consultancy Accenture—are vulnerable to simple attacks that bypass the transport layer security encryption designed to thwart eavesdroppers and spoofers.

The attacks are a variation on the so-called POODLE exploits disclosed two months ago against secure sockets layer (SSL), an encryption protocol similar to transport layer security (TLS). Short for "Padding Oracle On Downgraded Legacy Encryption," POODLE allowed attackers monitoring Wi-Fi hotspots and other unsecured Internet connections to decrypt HTTPS traffic encrypted by the ancient SSL version 3. Browser makers quickly responded by limiting or eliminating use of SSLv3, a move that appears to have averted widespread exploitation of the bug.

On Monday, word emerged that there's a variation on the POODLE attack that works against widely used implementations of TLS. At the time this post was being prepared, SSL Server Test, a free service provided by security firm Qualys, showed that some of the Internet's top websites—again, a list including Bank of America, VMware, the US Department of Veterans Affairs, and Accenture—are susceptible. The vulnerability was serious enough to earn all sites found to be affected a failing grade by the Qualys service.

Continued : http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites/

Related:
POODLE attack now targeting TLS
POODLE not fixed? Some TLS systems vulnerable
Researchers Say POODLE Attack Affects Some TLS Implementations
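A worked illustration of the padding check this story turns on, added here and not taken from Ars Technica, Qualys or any of the sites named above. It assumes a toy 16-byte Feistel cipher in place of AES (the attack depends only on CBC chaining, so the choice of block cipher does not matter), a constructed key and cookie, and a victim browser that keeps re-sending the same request with an attacker-chosen path length, which is what POODLE's JavaScript arranges. The lax server checks only the final pad-length byte, as SSL 3.0 specifies and as the affected TLS stacks did; the strict server checks every padding byte, which is the TLS 1.0 rule, and the oracle disappears:

```python
import hmac
import hashlib
import random

# Added example (not from the article or any vendor named in it). Models the CBC
# padding check POODLE abuses: the receiver validates only the final pad-length
# byte, so swapping the all-padding block for a ciphertext block of interest turns
# accept/reject into a 1-in-256 oracle for that block's last plaintext byte.
BLOCK, ROUNDS, MAC_LEN = 16, 8, 20
KEY, MAC_KEY = b"k" * 16, b"m" * 16        # constructed fixed keys
SECRET = b"session=1a2b3c4d"               # constructed: the 16-byte cookie to steal
DATA_LEN = 60                              # 60 data + 20 MAC = 80, so the pad is a full block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 128-bit Feistel cipher (HMAC-SHA256 round function) standing in for AES.
def _f(i, half):
    return hmac.new(KEY, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(b):
    l, r = b[:8], b[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(i, r))
    return l + r

def block_decrypt(b):
    l, r = b[:8], b[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(i, l)), l
    return l + r

def cbc_encrypt(iv, pt):
    out, prev = [], iv
    for k in range(0, len(pt), BLOCK):
        prev = block_encrypt(xor(pt[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(iv, ct):
    out, prev = [], iv
    for k in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(ct[k:k + BLOCK]), prev))
        prev = ct[k:k + BLOCK]
    return b"".join(out)

def client_record(rng, front):
    """Victim browser re-sends the same request; attacker JavaScript picks `front`
    (the URL path length), sliding SECRET one byte at a time across the blocks."""
    data = b"A" * front + SECRET + b"B" * (DATA_LEN - len(SECRET) - front)
    mac = hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    pad = bytes([BLOCK - 1]) * BLOCK             # every pad byte == pad length (TLS style)
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return iv, cbc_encrypt(iv, data + mac + pad)

def server_accepts(iv, ct, strict):
    """strict=False: SSL 3.0 / vulnerable-TLS check (pad-length byte only).
    strict=True: the TLS 1.0+ rule, every padding byte must equal the pad length."""
    pt = cbc_decrypt(iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    if strict and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False
    body = pt[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(MAC_KEY, data, hashlib.sha1).digest())

def recover_byte(rng, idx, strict=False, max_tries=20000):
    """Recover SECRET[idx] through the oracle. Returns (byte or None, tries)."""
    front = (BLOCK - 1 - idx) % BLOCK      # make the target byte the last in its block
    i = (front + idx) // BLOCK             # blocks[i] precedes the block holding it
    for tries in range(1, max_tries + 1):
        iv, ct = client_record(rng, front)
        blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
        c_before_target, c_before_pad = blocks[i], blocks[-2]
        blocks[-1] = blocks[i + 1]         # padding block := target block
        if server_accepts(iv, b"".join(blocks[1:]), strict):
            # accepted => D(C_t)[15] ^ C_{n-1}[15] == 15; plaintext = D(C_t)[15] ^ C_{t-1}[15]
            return (BLOCK - 1) ^ c_before_pad[-1] ^ c_before_target[-1], tries
    return None, max_tries

def recover_secret(seed=1, strict=False, max_tries=20000):
    rng = random.Random(seed)
    out, total = bytearray(), 0
    for idx in range(len(SECRET)):
        b, tries = recover_byte(rng, idx, strict, max_tries)
        total += tries
        if b is None:
            return None, total
        out.append(b)
    return bytes(out), total

if __name__ == "__main__":
    print(recover_secret())                            # lax check: cookie recovered
    print(recover_secret(strict=True, max_tries=500))  # strict check: (None, 500)
```

Each recovered byte costs about 256 forged records on average, and a real attacker faces the same odds because the chaining block C_{n-1} changes with every fresh encryption and cannot be chosen. The strict branch of server_accepts is the behaviour Qualys's test is looking for; a production fix also has to reject bad padding without a timing difference, which this toy does not attempt.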


Sony hack: Employees get threatening emails
Dec 9, 2014 12:56AM PST

Employees of Sony Pictures Entertainment have received a bizarre email purportedly sent by the hackers who took down the company's network and systems.

In broken English, the sender claims to be the head of the hacker group, that the Sony Pictures attack was just a small part of the group's plans, and that the company clinging "to what is good to nobody" is the reason why the attack continues.

"Please sign your name to object the false of the company at the email address below if you don't want to suffer damage. If you don't, not only you but your family will be in danger," the sender threatened. "Nobody can prevent us, but the only way is to follow our demand. If you want to prevent us, make your company behave wisely."

Continued : http://www.net-security.org/secworld.php?id=17732

Related: Hackers send e-mail to Sony employees threatening their families

The 'Penquin' Turla
Dec 9, 2014 12:57AM PST

Kaspersky Labs Blog:

"A Turla/Snake/Uroburos Malware for Linux"

Recently, an interesting malicious sample was uploaded to a multi-scanner service. This immediately triggered our interest because it appears to represent a previously unknown piece of a larger puzzle. That puzzle is "Turla", one of the most complex APTs in the world.

We have written previously about the Turla APT with posts about their Epic Turla operations and Agent.btz inspiration. So far, every single Turla sample we've encountered was designed for the Microsoft Windows family, 32 and 64 bit operating systems. The newly discovered Turla sample is unusual in the fact that it's the first Turla sample targeting the Linux operating system that we have discovered.

Continued : https://securelist.com/blog/research/67962/the-penquin-turla-2/

Related:
Powerful, highly stealthy Linux trojan may have infected victims for years
Linux Modules Connected to Turla APT Discovered
Two stealthy Linux malware samples uncovered, following in Windows variants' tracks

Toward a Breach Canary for Data Brokers
Dec 9, 2014 12:57AM PST

When a retailer's credit card systems get breached by hackers, banks usually can tell which merchant got hacked soon after those card accounts become available for purchase at underground cybercrime shops. But when companies that collect and sell sensitive consumer data get hacked or are tricked into giving that information to identity thieves, there is no easy way to tell who leaked the data when it ends up for sale in the black market. In this post, we'll examine one idea to hold consumer data brokers more accountable.

Some of the biggest retail credit card breaches of the past year — including the break-ins at Target and Home Depot — were detected by banks well before news of the incidents went public. When cards stolen from those merchants go up for sale on underground cybercrime shops, the banks often can figure out which merchant got hacked by acquiring a handful of their cards and analyzing the customer purchase history of those accounts. The merchant that is common to all stolen cards across a given transaction period is usually the breached retailer.

Continued : http://krebsonsecurity.com/2014/12/toward-a-breach-canary-for-data-brokers/
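As an added example (not code from Krebs or from any bank), the merchant-intersection logic the second paragraph describes, run over a constructed set of card transactions: cards 1 to 4 are the ones bought from the carding shop, cards 5 to 8 are a clean control sample, and every merchant name and date is made up. The control set is the part the paragraph leaves implicit: without it, a merchant every card uses would look like the breach.

```python
from collections import Counter, defaultdict

# Added example, not Krebs's or any bank's code: the "common point of purchase"
# check the post describes. Transactions are constructed: (card, merchant, date).
# Cards 1-4 were bought from a carding shop; cards 5-8 are a clean control sample.
TRANSACTIONS = [
    (1, "BigBoxMart #113", "2014-11-02"), (1, "CoffeeCo", "2014-11-03"), (1, "MegaOnline", "2014-11-09"),
    (2, "BigBoxMart #113", "2014-11-05"), (2, "MegaOnline", "2014-11-06"),
    (3, "FuelStop", "2014-11-01"), (3, "BigBoxMart #113", "2014-11-12"), (3, "MegaOnline", "2014-11-20"),
    (4, "BigBoxMart #113", "2014-11-18"), (4, "CoffeeCo", "2014-11-19"), (4, "MegaOnline", "2014-11-25"),
    (5, "MegaOnline", "2014-11-04"), (5, "FuelStop", "2014-11-07"),
    (6, "MegaOnline", "2014-11-08"), (6, "CoffeeCo", "2014-11-09"),
    (7, "FuelStop", "2014-11-10"), (7, "MegaOnline", "2014-11-11"),
    (8, "CoffeeCo", "2014-11-15"), (8, "MegaOnline", "2014-11-16"),
]
STOLEN, CONTROL = [1, 2, 3, 4], [5, 6, 7, 8]
WINDOW = ("2014-11-01", "2014-11-30")        # ISO dates compare correctly as strings


def merchants_by_card(transactions, window):
    start, end = window
    seen = defaultdict(set)
    for card, merchant, day in transactions:
        if start <= day <= end:
            seen[card].add(merchant)
    return seen


def rank_merchants(transactions, stolen, control, window):
    """Score = share of stolen cards seen at the merchant minus share of control
    cards seen there, so a merchant everyone uses (MegaOnline) is not blamed just
    for being ubiquitous. Returns (merchant, coverage, baseline, score), best first."""
    seen = merchants_by_card(transactions, window)
    stolen_hits = Counter(m for c in stolen for m in seen.get(c, ()))
    control_hits = Counter(m for c in control for m in seen.get(c, ()))
    rows = []
    for merchant, n in stolen_hits.items():
        coverage = n / len(stolen)
        baseline = control_hits[merchant] / len(control)
        rows.append((merchant, coverage, baseline, coverage - baseline))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def likely_breached(transactions, stolen, control, window, min_coverage=0.9, min_score=0.5):
    """Name the common point of purchase only when nearly every stolen card went
    there and the control cards mostly did not; otherwise return None."""
    rows = rank_merchants(transactions, stolen, control, window)
    if rows and rows[0][1] >= min_coverage and rows[0][3] >= min_score:
        return rows[0][0]
    return None


def demo():
    return likely_breached(TRANSACTIONS, STOLEN, CONTROL, WINDOW)


if __name__ == "__main__":
    for row in rank_merchants(TRANSACTIONS, STOLEN, CONTROL, WINDOW):
        print("%-16s coverage=%.2f baseline=%.2f score=%+.2f" % row)
    print("likely breach source:", demo())
```

The thresholds are arbitrary; in practice the window is the period during which the shop's cards were issued and the control set is a random sample of the bank's other cards. The data-broker problem the post goes on to discuss is exactly that no such transaction trail exists for leaked identity records.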

Several Vulnerabilities Found in Google App Engine
Dec 9, 2014 1:19AM PST

A group of security researchers in Poland say they have discovered a long list of vulnerabilities in the Google App Engine, some of which enable an attacker to escape the Java sandbox.

The researchers at Security Explorations say that they have found more than 30 vulnerabilities in the App Engine, some of which allow code execution and sandbox escapes. The Google App Engine is a platform that enables customers to run their own apps on Google's massive cloud infrastructure. The platform allows users to run apps built in a variety of languages, including Python and Java, and frees customers from having to deal with server maintenance and other details.

In an advisory posted to Full Disclosure, Adam Gowdiak from Security Explorations listed several of the issues the company found in GAE:

Continued : http://threatpost.com/several-vulnerabilities-found-in-google-app-engine/109749

Related : Google App Engine has THIRTY flaws, says researcher

AliExpress patches account mass harvesting flaw
Dec 9, 2014 1:20AM PST


Global threads bazaar AliExpress, an offshoot of global tat bazaar AliBaba, has patched a URL flaw that allowed attackers to harvest users' personal details including names, shipping addresses and phone numbers.

The insecure direct object reference vulnerability reported by an unnamed researcher affected 7.7 million logged-in users for AliExpress, the online retail wing of AliBaba that's the most visited e-commerce site in Russia.

Security researcher Amitay Dan demonstrated the flaw to news site The Hacker News, noting that attackers could harvest personal data en masse using a script to pull the 'mailingAddress.htm' page for numbers between 1 and 99,999,999,999 under the 'mailingAddressId' value.

Continued : http://www.theregister.co.uk/2014/12/09/aliexpress_patches_mass_account_harvesting_flaw/

Related: Info of millions of AliExpress customers could have been harvested due to site flaw
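The flaw described above in miniature, as an added example that is not AliExpress code: the vulnerable lookup trusts the mailingAddressId parameter after checking only that the caller is logged in, the fixed one scopes the lookup to the caller and answers 404 for both missing and other people's records, and an opaque-token layer removes the walkable id space entirely. The store, the names and the id range are constructed.

```python
import secrets

# Added example, not AliExpress code: the insecure direct object reference the
# post describes (mailingAddress.htm?mailingAddressId=N, looked up with no
# ownership check) next to a hardened lookup. Store and records are constructed.
ADDRESSES = {  # constructed: address_id -> record; sequential ids, as in the flaw
    1001: {"owner": "alice", "name": "Alice A.", "phone": "+1-555-0100", "addr": "1 Main St"},
    1002: {"owner": "bob",   "name": "Bob B.",   "phone": "+1-555-0101", "addr": "2 Elm St"},
    1003: {"owner": "carol", "name": "Carol C.", "phone": "+1-555-0102", "addr": "3 Oak St"},
}


def get_address_vulnerable(session_user, address_id):
    """Authenticated but not authorized: any logged-in user can read any record
    simply by supplying its id."""
    if session_user is None:
        return 401, None
    rec = ADDRESSES.get(address_id)
    return (200, rec) if rec else (404, None)


def get_address_fixed(session_user, address_id):
    """Scope the lookup to the caller. Answer 404 rather than 403 for other
    users' records so the response does not confirm that the id exists."""
    if session_user is None:
        return 401, None
    rec = ADDRESSES.get(address_id)
    if rec is None or rec["owner"] != session_user:
        return 404, None
    return 200, rec


def harvest(lookup, session_user, id_range):
    """The enumeration script the researcher described: walk the id space as one
    logged-in user and keep whatever comes back."""
    found = {}
    for i in id_range:
        status, rec = lookup(session_user, i)
        if status == 200:
            found[i] = rec
    return found


# Second layer: expose opaque random tokens instead of sequential ids, so the
# id space cannot be walked even if an authorization check is missed elsewhere.
TOKEN_TO_ID = {}


def issue_opaque_id(address_id):
    token = secrets.token_urlsafe(16)
    TOKEN_TO_ID[token] = address_id
    return token


def get_address_by_token(session_user, token):
    return get_address_fixed(session_user, TOKEN_TO_ID.get(token))


if __name__ == "__main__":
    print("vulnerable:", harvest(get_address_vulnerable, "bob", range(1000, 1010)))
    print("fixed:     ", harvest(get_address_fixed, "bob", range(1000, 1010)))
```

The ownership check is the actual fix; the token layer is defence in depth, and it only helps if the token is the sole way the record is addressed (the same enumeration works again if the numeric id stays accepted as a fallback parameter).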

Unencrypted Data Lets Thieves 'Charge Anywhere'
Dec 9, 2014 3:57AM PST

Charge Anywhere LLC, a mobile payments provider, today disclosed that malicious software planted on its networks may have jeopardized credit card data from transactions the company handled between November 2009 and September 2014.

In a statement released today, the South Plainfield, N.J. electronic payment provider said it launched an investigation after receiving complaints about fraudulent charges on cards that had been legitimately used at certain merchants. The information stolen includes the customer name, card number, expiration date and verification code.

"The investigation revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic," the company explained. "Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests."

Continued : http://krebsonsecurity.com/2014/12/unencrypted-data-lets-thieves-charge-anywhere/

Adobe Patches Flash Player Vulnerability Under Attack
Dec 9, 2014 4:27AM PST

As expected, Adobe today patched a vulnerability in Adobe Reader disclosed last week by Google's Project Zero. What was unexpected was a Flash Player update that includes a patch for a vulnerability being exploited in the wild, Adobe said.

Adobe had announced last Thursday in its pre-notification advisory that it would be issuing a security update for Adobe Reader and Acrobat, but no mention of the Flash update was made. Adobe has been busy shoring up Flash Player security with two updates in November, including an out-of-band emergency fix for a remote code execution vulnerability already included in a number of popular exploit kits. Earlier in November, Adobe patched 18 vulnerabilities in Flash Player as part of its regular update cycle.

Continued : http://threatpost.com/adobe-patches-flash-player-vulnerability-under-attack/109773

Related:
Adobe fixes Flash zero day, plus bugs in Acrobat, Reader and ColdFusion
Adobe release addresses Flash Player bug being actively targeted, includes other critical fixes

See : Security Updates for Adobe Reader | Acrobat (APSB14-28)

Hackers Grab Yahoo Credentials through Mail Activity Reports
Dec 9, 2014 5:39AM PST

Bitdefender's "HOT for Security" Blog:

Yahoo users are being targeted by a new phishing campaign that helps hackers grab their credentials and hijack accounts. Bitdefender was already blocking the malicious URLs spreading in inboxes worldwide.

The phishing campaign starts with messages that bypass the e-mail provider's antispam filters, reaching the Inbox folder. The e-mails pose as "mail activity reports" and copy Yahoo's email format to look legitimate.

"Dear Yahoo User, your recent messages are pending, because your storage limit has surpassed," phishing messages read. "You need to upgrade mail storage (For free). To restore normal message delivery. Use this link to upgrade_quota."

Continued : http://www.hotforsecurity.com/blog/hackers-grab-yahoo-credentials-through-mail-activity-reports-campaign-10959.html