
NEWS - December 24, 2014

Dec 24, 2014 3:48AM PST
Apple automatically patches Macs to fix severe NTP security flaw

"It's the first time OS X's auto-patcher has been used."

[Screenshot: Notification]

Most OS X security updates are issued alongside other fixes via the Software Update mechanism, and these require some kind of user interaction to install—you've either got to approve them manually or tell your Mac to install them automatically. Apple does have the ability to quietly and automatically patch systems if it needs to, however, and it has exercised that ability for the first time to patch a critical flaw in the Network Time Protocol (NTP) used to keep the system clock in sync.

This security hole became public knowledge late last week and affects all operating systems running versions of NTP4 prior to 4.2.8. When exploited, the NTP flaw can cause buffer overflows that allow remote attackers to execute code on your system. If you allow your system to "install system data files and security updates" automatically (checked by default), you've probably already gotten the update and seen the notification above.

Continued : http://arstechnica.com/apple/2014/12/apple-automatically-patches-macs-to-fix-severe-ntp-security-flaw/

Related :
Apple pushes first ever automated security update to Mac users
Apple deploys automatic OS X security update for the first time
Apple Fixes Mac Security Vulnerabilities With Automatic Update
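As an added defender's check, not code from the post or the Ars article: a small Python helper that parses `ntpd` version banners (including the `4.2.6p5` patch-level convention) and flags anything below the 4.2.8 fix version named above. The host names and banner strings are constructed sample data.

```python
import re

# The post states that NTP4 releases prior to 4.2.8 are affected.
FIXED_VERSION = (4, 2, 8, 0)

# ntp.org versions look like 4.2.6p5; the "pN" patch level is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner):
    """Return (major, minor, patch, plevel) from an ntpd version banner.

    Returns None when no x.y.z version is present in the text.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(banner):
    """True if the version is below 4.2.8, False if at or above it,
    None if the banner carried no version (needs manual review)."""
    version = parse_ntp_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


# Constructed sample banners in the shape `ntpd --version` prints
# (the build stamps after '@' are invented and only show the parser
# ignores them).
SAMPLE_BANNERS = {
    "mac-01": "ntpd 4.2.6p5@1.2349-o Thu Oct 24 23:40:30 UTC 2013 (1)",
    "mac-02": "ntpd 4.2.8@1.3265-o Tue Dec 23 00:11:08 UTC 2014 (1)",
    "srv-03": "ntpd 4.2.8p1@1.3265-o Fri Feb  6 17:13:45 UTC 2015 (1)",
    "srv-04": "ntpd: command not found",
}


def triage(banners):
    """Map host -> 'vulnerable' | 'patched' | 'unknown' for an inventory."""
    result = {}
    for host, banner in banners.items():
        status = is_vulnerable(banner)
        if status is None:
            result[host] = "unknown"
        else:
            result[host] = "vulnerable" if status else "patched"
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {status}")
```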

UPDATED: "The Interview" will get a Christmas release ... after all
Dec 24, 2014 4:10AM PST

Update: Sony Pictures has now officially confirmed that The Interview will be released in theaters on Christmas Day. "We have never given up," Michael Lynton, CEO of Sony Entertainment, said in a statement. "We are continuing our efforts to secure more platforms and more theaters so that this movie reaches the largest possible audience."

After being hacked, threatened, chastised, and then apparently forgiven, beleaguered Sony Pictures is expected to announce that it will in fact go ahead with a theatrical and video-on-demand release of its hot-button film The Interview on Christmas Day, according to numerous sources (including the Twitter accounts of various theater chains).

Continued : http://arstechnica.com/security/2014/12/sony-pictures-the-interview-might-get-a-christmas-release-after-all/

Related: Sony to show 'The Interview' on YouTube, other Internet channels

Also see:
The Case for N. Korea's Role in Sony Hack
Reacting to the Sony Hack
Two-Factor Snafu Opened Door to JPMorgan Breach
Dec 24, 2014 4:10AM PST

The biggest U.S. banking breach of all time came down to the smallest of details.

The New York Times, citing sources close to the ongoing investigation of the JPMorgan data breach, said hackers found a server unprotected by two-factor authentication to break in using a stolen user name and password combination. JPMorgan disclosed in August that it was investigating a "computer hacking attack" along with the FBI and Secret Service.

The oversight exposed data belonging to an estimated 76 million consumer households and seven million businesses, and worse for the financial institution's bottom line, neatly hurdled JPMorgan's staggering $250 million IT security budget.

Continued : http://threatpost.com/two-factor-snafu-opened-door-to-jpmorgan-breach/110119

Related:
JPMorgan Chase hack due to missing 2-factor authentication on one server
JPMorgan Hackers Compromised Server Unprotected by Two-factor Authentication

Gang Hacked ATMs from Inside Banks
Dec 24, 2014 4:10AM PST

An organized gang of hackers from Russia and Ukraine has broken into internal networks at dozens of financial institutions and installed malicious software that allowed the gang to drain bank ATMs of cash. While none of the victim institutions were in the United States or Western Europe, experts say the stealthy methods used by the attackers in these heists would likely work across a broad range of western banks.

Most cybercrime targets consumers and businesses, stealing account information such as passwords and other data that lets thieves cash out hijacked bank accounts, as well as credit and debit cards. But this gang specializes in hacking into banks directly, and then working out ingenious ways to funnel cash directly from the financial institution itself.

Continued : http://krebsonsecurity.com/2014/12/gang-hacked-atms-from-inside-banks/

Related : Russian hackers stole millions from banks, ATMs

Survey: Nearly 50% of Organizations Hit With DNS Attack in Last 12 Months
Dec 24, 2014 4:10AM PST

New research from Vanson Bourne found that more than three quarters of organizations in the United States and U.K. have suffered a domain name system (DNS) attack.

Just less than half (49 percent) of the organizations surveyed said they had experienced such an attack in the past 12 months. The most common DNS threats reported were DDoS (74 percent), DNS exfiltration (46 percent), DNS tunneling (45 percent) and DNS hijacking (33 percent) by those who had suffered an attack.

The research surveyed 300 U.S. and U.K. key IT decision makers in organizations with 1,000+ employees. It covered a variety of verticals including financial services, retail, distribution and transport, IT and manufacturing and production. The study was commissioned by Cloudmark.

Continued : http://www.securityweek.com/nearly-50-percent-organizations-hit-dns-attack-last-12-months-survey
POS malware crooks hack IP cams to validate targets
Dec 24, 2014 5:01AM PST

Carders operating the BackOff point of sales malware are hacking IP cameras to make sure their targets are worth attacking, says researcher Rotem Kerner.

The research plugs a "critical" gap in a July disclosure by the US CERT, which warned the popular carder malware was being flung at businesses using remote desktop protocols.

Criminals are hacking poorly-protected security cameras to validate the identity of victim businesses, Kerner and contributors Lior Ben Porat, Uri Fleyder and Elic Marcus wrote in the RSA report (pdf).

Continued : http://www.theregister.co.uk/2014/12/24/opendaylight_vulnerability/

Related : RSA Report Dives Deep into Backoff PoS Malware

Alleged Counterfeiter "Willy Clock" Arrested
Dec 24, 2014 5:01AM PST

In September 2014, I wrote about receiving a package of $500 in counterfeit U.S. currency from an unknown sender, after mentioning in a blog post about a rash of funny money resellers flooding underground cybercrime markets. Last week, U.S. authorities announced the arrest of a Texas man charged with leading the international counterfeit currency operation from a location in the Republic of Uganda.

U.S. prosecutors say 27-year-old Ryan Andrew Gustafson - a.k.a. "Jack Farrel" and "Willy Clock" - is a U.S. citizen currently residing in Kampala, Uganda. Gustafson was arrested on Dec. 16 by Ugandan authorities and charged with conspiracy, counterfeiting, and unlawful possession of ammunition.

The defendant and his alleged accomplices are suspected of passing approximately $270,000 in fake U.S. currency in Uganda. In total, Ugandan authorities say they seized some $1.8 million in funny money from Gustafson's operation.

Continued : http://krebsonsecurity.com/2014/12/alleged-counterfeiter-willy-clock-arrested/