NEWS - December 15, 2014

Dec 15, 2014 1:00AM PST
In Damage Control, Sony Targets Reporters

Over the weekend I received a nice holiday letter from lawyers representing Sony Pictures Entertainment, demanding that I cease publishing detailed stories about the company's recent hacking and delete any company data collected in the process of reporting on the breach. While I have not been the most prolific writer about this incident to date, rest assured such threats will not deter this reporter from covering important news and facts related to the breach.

"SPE does not consent to your possession, review, copying, dissemination, publication, uploading, downloading, or making any use of the Stolen information, and to request your cooperation in destroying the Stolen Information," wrote SPE's lawyers, who hail from the law firm of Boies, Schiller & Flexner. [Letter from Sony's Lawyers]

... "Here is the full letter from SPE's lawyers (PDF)."

Continued : http://krebsonsecurity.com/2014/12/in-damage-control-sony-targets-reporters/

Hackers promise "Christmas present" Sony Pictures won't like
Dec 15, 2014 1:05AM PST

"GoP had details on every server and PC, as well as SPE's "root" certificate"

This weekend, the "Guardians of Peace"—the cyber-attackers who brought Sony Pictures Entertainment's network down in November and have since shared over a terabyte of the company's internal data—made two more dumps of SPE data to file sharing sites and torrents. The second of the two, on Sunday, was the e-mail box of Sony Pictures Releasing International President Steven O'Dell. And the hackers promised a "Christmas present" soon of even more data if the company does not relent and meet their unspecified demands.

"We are preparing for you a Christmas gift," the GoP said in a post to Pastebin and Friendpaste. "The gift will be larger quantities of data. And it will be more interesting. The gift will surely give you much more pleasure and put Sony Pictures into the worst state. Please send an email titled by 'Merry Christmas' at the addresses below to tell us what you want in our Christmas gift."

Continued : http://arstechnica.com/security/2014/12/hackers-promise-christmas-present-sony-pictures-wont-like/

Related:
Hackers promise to give Sony coal and chaos for Christmas
Hackers Release More Data, Promise Sony 'Christmas Gift'

Malwarebytes Anti-Exploit Upgrade Mechanism Vulnerable to MitM Attacks
Dec 15, 2014 1:15AM PST

The upgrade mechanism in older versions of Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit is plagued by a vulnerability that can be exploited to load malicious code on affected systems.

The bug (CVE-2014-4936) was identified by Yonathan Klijnsma, a researcher with Netherlands-based security firm Fox-IT. The vulnerability affects the consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier. Business versions are not impacted.

According to Klijnsma, affected versions of Malwarebytes Anti-Exploit and Malwarebytes Anti-Malware are upgraded over an HTTP connection and they don't use a proper package validation system to ensure that updates are legitimate. Because the application doesn't verify the installer, an attacker can serve any Windows PE file and it will get executed with full administrative privileges on the victim's system.

Continued : http://www.securityweek.com/malwarebytes-anti-exploit-upgrade-mechanism-vulnerable-mitm-attacks
Custom Websites Running HD FLV Player Plugin Vulnerable to Attack
Dec 15, 2014 1:15AM PST

Content management system providers Joomla and WordPress have patched a critical vulnerability in the HD FLV Player, but custom websites running the Flash video player are still vulnerable.

Researchers at Sucuri disclosed this week that a separate security issue can be abused to send spam and has yet to be patched.

"Websites using one of the aforementioned CMS applications and running an outdated version are vulnerable to an Arbitrary File Download vulnerability which could be used, depending on the platform, to take control of the targeted website," said researcher Marc Alexandre Montpas. "It is important to note that websites using the custom version of this plugin are still vulnerable."

Continued : http://threatpost.com/custom-websites-running-hd-flv-player-plugin-vulnerable-to-attack/109855

Related: Patch Against Critical Flaw in HD FLV Player Still Leaves the Plug-in Vulnerable
Yahoo Plans to Disclose All New Bugs It Finds Within 90 Days
Dec 15, 2014 1:17AM PST

The new policy is the same one used by Google's Project Zero, a team of researchers that looks for vulnerabilities in a variety of commonly used software packages and platforms. That team has been quite prolific in recent months, finding bugs in a number of products from Microsoft and Apple, among others. When a Project Zero member finds a new vulnerability, the team notifies the affected vendor and the clock starts running. If the vendor hasn't patched the flaw, the team will make the bug details public after 90 days, barring any extenuating circumstances.

Now Yahoo's own internal security team is adopting the same time frame. Yahoo has been assembling a talented security team in the last few months, having hired Alex Stamos as its CISO and Chris Rohlf to head up its penetration testing team. Rohlf said that his team spends its time banging on Yahoo's own custom software, as well as the third-party products the company uses, and when a new flaw is found, the team immediately deploys a fix on its own systems. It then notifies others in the community that may be affected, as well as the US-CERT.

Continued : http://threatpost.com/yahoo-plans-to-disclose-all-new-bugs-it-finds-within-90-days/109798

UK spy agency makes an Android app—but it won't spy on you
Dec 15, 2014 1:17AM PST

The Government Communications Headquarters (GCHQ), the British equivalent of the National Security Agency, has released its own "fun, free, educational" Android app to teach secondary school students about cryptography.

The Cryptoy app, which has no permissions to access confidential information on Android devices, helps children understand basic encryption techniques and create their own encoded messages.

The government hopes the app could help find the next generation of cyber-spies. Minister for the cabinet office Francis Maude said that it was a "creative solution in the hunt for expertise, but with a 21st century spin."

Continued : http://arstechnica.com/security/2014/12/uk-spy-agency-makes-an-android-app-but-it-wont-to-spy-on-you/

Related: GCHQ releases teen-friendly code-busting app

Two newcomers in the exploit kit market
Dec 15, 2014 1:17AM PST

Exploit kits are a great means to an end for malware distributors, who either buy them or rent them in order to widely disseminate their malicious wares. It's no wonder then that unscrupulous developers are always trying to enter the market currently cornered by Angler, Nuclear, FlashEK, Fiesta, SweetOrange, and other popular exploit kits.

This year we witnessed attempts from developers behind the Rig, Null Hole and Niteris exploit kits, as well as those who started Astrum and Archie.

The former was first spotted in September by the researcher who goes by the handle Kafeine. It also piqued the interest of Finnish security firm F-Secure, as it hit a considerable number of Finnish users: [Screenshot]

A new favorite with the Reveton gang, Astrum was initially equipped with exploits for several Flash, Silverlight, IE and Adobe Reader vulnerabilities. In mid October, an exploit for a newly discovered Flash flaw was also added (in the Angler and Nuclear exploit kits, as well).

Continued : http://www.net-security.org/malware_news.php?id=2929

VIDEO: GPS tracker found on home burglary victim's car..
Dec 15, 2014 1:34AM PST
Over 700 Mil People Taking Steps to Avoid NSA Surveillance
Dec 15, 2014 1:34AM PST
Bruce Schneier @ his "Schneier on Security" Blog:

There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those "have taken steps to protect their online privacy and security as a result of his revelations."

The press is mostly spinning this as evidence that Snowden has not had an effect: "merely 39%," "only 39%," and so on. (Note that these articles are completely misunderstanding the data. It's not 39% of people who are taking steps to protect their privacy post-Snowden, it's 39% of the 60% of Internet users -- which is not everybody -- who have heard of him. So it's much less than 39%.)

Continued : https://www.schneier.com/blog/archives/2014/12/over_700_millio.html
Microsoft update blunders going out of control
Dec 15, 2014 1:42AM PST
Larry Seltzer @ ZDNet:

[UPDATED] We have had an absolute deluge of problem updates from Redmond recently and some have been serious. What's up at Microsoft?

The last several months have seen a disturbing string of problems in updates released for Microsoft products. Last week we saw three. It's time to worry about what's behind it all.

This isn't the first time I've brought this up. In Summer of last year Microsoft had buggy Patch Tuesday updates three months in a row. There had been others that year, some of which crippled systems.

The following list includes problems observed in just the last six months: [...]

Update on December 15: They keep coming. KB3008923 describes problems with MS14-080, the December Cumulative Update for Internet Explorer:

Continued : http://www.zdnet.com/article/has-microsoft-stopped-testing-their-updates/
SpamHaus, CloudFlare Attacker Pleads Guilty
Dec 15, 2014 1:42AM PST

A 17-year-old male from London, England pleaded guilty this week to carrying out a massive denial-of-service attack last year against anti-spam outfit SpamHaus and content delivery network CloudFlare, KrebsOnSecurity has learned.

In late March 2013, a massive distributed denial-of-service (DDoS) attack hit the web site of SpamHaus, an organization that distributes a blacklist of spammers to email and network providers. When SpamHaus moved its servers behind CloudFlare, which specializes in blocking such attacks, the attackers pelted CloudFlare's network. The New York Times called the combined assault the largest known DDoS attack ever on the Internet at the time; for its part, CloudFlare dubbed it "the attack that almost broke the Internet."

Continued : http://krebsonsecurity.com/2014/12/spamhaus-cloudflare-attacker-pleads-guilty-to-computer-abuse-child-porn-charges/

Hackable intercom lets you SPY on fellow apartment-dwellers
Dec 15, 2014 1:45AM PST

Kiwicon Kiwi hacker Caleb "alhazred" Anderson has popped a video intercom device that could have allowed him to spy on the 700 apartments in his building.

The GrandStream GXV3175 intercom unit has been patched after Anderson - who by day serves as Context Information Security's lead consultant - began the attack while "inspired" by a hangover.

"I thought one day 'I bet I can hack that (the GXV3175) and get a feed into every one of the 700 apartments in my building'," Anderson told the Kiwicon hacker confab in Wellington today.

"The unit looks exactly normal, you can't see that it's hacked by looking at it."

Continued : http://www.theregister.co.uk/2014/12/12/hackable_intercom_becomes_neighbour_spy_box/

'Security by Antiquity' Bricks Payment Terminals
Dec 15, 2014 1:45AM PST

Last week, several thousand credit card payment terminals at various retailers across the country suddenly stopped working, their LCD displays showing blank screens instead of numbers and letters. Puzzled merchants began to worry that this was perhaps part of some sophisticated hacker attack on their cash registers. It turns out that the incident was indeed security-related, but for once it had nothing to do with cyber thieves.

On Dec. 7, 2014, certain older model payment terminals made by Hypercom stopped working due to the expiration of a cryptographic certificate used in the devices, according to Scottsdale, Ariz.-based Equinox Payments, the company that owns the Hypercom brand.

"The security mechanism was triggered by the rollover of the date and not by any attack on or breach of the terminal," said Stuart Taylor, vice president of payment solutions at Equinox. "The certificate was created in 2004 with a 10 year expiry date."

Continued : http://krebsonsecurity.com/2014/12/security-by-antiquity-bricks-payment-terminals/

SoakSoak malware hits over 100,000 WordPress websites
Dec 15, 2014 3:33AM PST

Around 19% of the world's websites are thought to run WordPress, which is even more astonishing when you consider that many sites don't have any content management system at all.

And although running your own self-hosted version of WordPress (as opposed to using the technology at WordPress.com) has many benefits, there are security issues that must always be borne in mind as well.

Such as the need to take great care about what third-party WordPress plugins you install. You need to be confident that the plugins are not only kept up to date, but that they have been coded securely by a team who are on the look out for vulnerabilities.

That's advice which will be ringing in the ears of many WordPress site owners today, after a major malware attack struck an estimated 100,000 sites. [Screenshot]

Continued : http://blog.lumension.com/9601/soaksoak-malware-hits-over-100000-wordpress-websites/

Related : Google Blacklists WordPress Sites Peddling SoakSoak Malware

Shellshock Worm Exploiting Unpatched QNAP NAS Devices
Dec 15, 2014 3:33AM PST

A worm exploiting network attached storage devices vulnerable to the Bash flaw is scanning the Internet for more victims.

The worm opens a backdoor on QNAP devices, but to date it appears the attackers are using the exploit to run a click-fraud scam, in addition to maintaining persistence on owned boxes.

"The goal appears to be to backdoor the system, so an attacker could come back later to install additional malware," said Johannes Ullrich, head of the Internet Storm Center at the SANS Institute.

QNAP of Taiwan released a patch in October for the Bash vulnerability in its Turbo NAS products. Like many other vulnerable products and devices, owners may not be aware that Bash is present and exposed. ..

Continued : http://threatpost.com/shellshock-worm-exploiting-unpatched-qnap-nas-devices/109870

Related : Worm exploits nasty Shellshock bug to commandeer network storage systems

Don't Jailbreak Your iPhone if You Want to Avoid the Cloud Atlas Malware
Dec 15, 2014 3:33AM PST

The Mac Security Blog:

Cloud Atlas is the latest purported example of sophisticated state-sponsored malware, said to have snooped on diplomats, oil industry workers and the financial industry, intercepting communications and recording phone calls.

And iPhone and iPad users don't escape entirely unscathed.

According to detailed reports published by Blue Coat and Kaspersky, victims in Russia and other countries around the globe would be duped into opening documents and clicking on links—believing they were going to read an advert for an old diplomatic car or click on a link to an upgraded version of WhatsApp.

Continued : http://www.intego.com/mac-security-blog/dont-jailbreak-your-iphone-if-you-want-to-avoid-the-cloud-atlas-malware/