NEWS - January 12, 2015

Jan 12, 2015 12:38AM PST
Browsing in privacy mode? Super Cookies can track you anyway

"For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care."

"Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. ..."

Continued: http://arstechnica.com/security/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/

Related : Brit Proves Google's Eric Schmidt Totally Wrong: Super Cookies Can Track Users Even When In Incognito Mode

Root Command Execution Flaw Haunts ASUS Routers
Jan 12, 2015 12:43AM PST

There is a serious security vulnerability in the firmware of many ASUS routers that allows unauthenticated command execution. The bug may be present in all current versions of the router firmware, and there is an exploit published for it, as well.

Security researcher Joshua Drake posted an advisory on the vulnerability on Thursday, detailing the bug and saying that the best defense likely is to remove the remote command execution function from the vulnerable service. The culprit is a service called infosvr, which is designed to help admins find and configure routers on a network segment.

"Several models of ASUS's routers include a service called infosvr that listens on UDP broadcast port 9999 on the LAN interface. It's used by one of ASUS's tools to ease router configuration by automatically locating routers on the local subnet. This service runs with root privileges and contains an unauthenticated command execution vulnerability," Drake wrote in his advisory.

Continued: http://threatpost.com/root-command-execution-flaw-haunts-asus-routers/110276

Related:
Asus wireless router flaw opens network to local attackers
Got an Asus router? Someone on your network can probably hack it
ASUS Routers Plagued by Command Execution Vulnerability
Most Asus routers affected by hijack bug; exploit posted

Lavabit founder wants to make "dark" email secure by default
Jan 12, 2015 12:44AM PST

"Drop-in SMTP and IMAP replacements will wrap messages in layers of encryption."

Ladar Levison is probably most well-known to Ars readers as the founder of the secure e-mail service Lavabit, which he shut down in mid-2013 in an effort to avoid being forced to comply with a US government demand to turn over users' e-mails. But his latest project is a lot grander in scope than a single hosted e-mail service: Levison is attempting, with the aid of some fellow crypto-minded developers, to change e-mail at large and build encryption into its fundamental nature.

As one of the members of the Darkmail Technical Alliance, Levison—along with Jon Callas, Mike Janke, and PGP designer Phil Zimmermann—is working on a project collectively referred to as DIME, the Dark Internet Mail Environment. DIME will eventually take the form of a drop-in replacement for existing e-mail servers that will be able to use DMTP (the Dark Mail Transfer Protocol) and DMAP (Dark Mail Access Protocol) to encrypt e-mails by default.

Continued : http://arstechnica.com/security/2015/01/lavabit-founder-wants-to-make-dark-e-mail-secure-by-default/

OpenSSL release patches 8 vulnerabilities
Jan 12, 2015 12:53AM PST

The OpenSSL Project has released updates for the popular homonymous open-source library that implements the SSL and TLS protocols.

The new releases - 1.0.1k, 1.0.0p and 0.98zd - fix 8 vulnerabilities in all, two of which have been classified as moderate, and can lead to Denial Of Service attacks.

The first one has been spotted by Cisco Systems researcher Markus Stenberg late last year, and can be exploited by an attacker by crafting a special DTLS message that can cause a segmentation fault in OpenSSL due to a NULL pointer dereference.

Continued : http://www.net-security.org/secworld.php?id=17803

Related: Eight Security Vulnerabilities Patched by OpenSSL Project

Glitch in OS X search can expose private details of Apple Mail users
Jan 12, 2015 12:53AM PST

A glitch in the search software in Apple's OS X Yosemite can expose private details of Apple Mail users, revealing their IP address as well as other system details to spammers, phishers and online tracking companies.

The potential privacy risk appears when people use the Spotlight Search feature, which also indexes emails received with the Apple Mail email client. When searching a Mac, Spotlight shows previews of emails and when it does this, it automatically loads external images linked in HTML email.

The Spotlight preview loads those files even when users have switched off the "load remote content in messages" option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What's more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.

Continued: http://www.computerworld.com/article/2867010/glitch-in-os-x-search-can-expose-private-details-of-apple-mail-users.html

Related:
Spotlight search in OS X Yosemite exposes private user details to spammers
OS X Spotlight Glitch Reveals Private Details of Apple Mail Users

Moonpig Android app flaw puts THREE MILLION accounts at risk
Jan 12, 2015 12:54AM PST

Online greetings card retailer Moonpig has become the first big name of 2015 to be embarrassed by poor software security after a developer lost patience with the slow response to a serious Android app flaw he claims to have reported to them 18 months ago.

According to developer Paul Price, a mess-up on the development API's authentication design (i.e. there wasn't any) allowed him to access a customer's registered details by inserting a nine-digit number to spoof the ID used in the request header. This is equivalent to an open sesame on any and every account, including partial credit card numbers if those have been registered.

"An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more."

Continued : http://www.techworld.com/news/security/moonpig-android-app-flaw-puts-three-million-accounts-at-risk-3592812/

Related :
Moonpig takes down customer data-leaking apps after vulnerability found
Moonpig suspends app over concerns about customer security
Moonpig makes a pig's ear of security, exposes details of 3.6 million customers

Inside CryptoWall 2.0: Ransomware, professional edition
Jan 12, 2015 12:55AM PST

"Code that switches from 32-bit to 64-bit and turns off Windows' defenses." - [Screenshot]

It's been over a year since the first wave of cryptographic extortion malware hit computers. Since then, an untold number of individuals, small businesses and even local governments have been hit by various versions of malware that holds victims' files hostage with encryption, demanding payment by Bitcoin or other e-currency in exchange for a key to reverse the damage. And while the early leader, CryptoLocker, was taken down (along with the "Gameover ZeuS" botnet) last June, other improved "ransomware" packages have sprung up to fill its niche—including the sound-alike CryptoWall.

Ransomware is a strange hybrid of digital mugging and commercial-grade coding and "customer service"—in order to continue to be able to generate cash from their malware, the criminal organizations behind them need to be able to process payments and provide victims with a way to get their files back, lest people refuse to pay because of bad word-of-mouth. And to grow their potential market, the extortionists need to find ways to make their "product" work on a wide range of potential target systems. The apex of this combination of crime and commerce is (at least so far) the latest version of CryptoWall—CryptoWall 2.0.

Continued : http://arstechnica.com/information-technology/2015/01/inside-cryptowall-2-0-ransomware-professional-edition/

Related : CryptoWall 2.0 Has Some New Tricks

Using spellcheck? Electromagnetic fields could reveal what you're doing
Jan 12, 2015 12:55AM PST

"Georgia Tech is studying better software and hardware designs to prevent electronic snooping"

It has long been known that subtle electronic fields and noises emitted by computers can reveal clues about your activity, a powerful spying method that can be done from a few feet away.

These so-called "side-channel signals" can be collected by antennas or microphones and through analysis could reveal sensitive data such as encryption keys.

It's not known if spy agencies are already using these methods, but the many academic studies outlining potential attacks would suggest it's probably a growing part of signals intelligence.

Continued : http://www.computerworld.com/article/2865304/using-spellcheck-electromagnetic-fields-could-reveal-what-youre-doing.html

Related : New breed of cyber criminal spies on your laptop even when it's offline

Microsoft slams Google for spilling the beans on Windows 8.1 security flaw
Jan 12, 2015 1:00AM PST

"The Redmond giant isn't exactly chipper after Google disclosed a Windows bug just two days before Microsoft planned to issue a fix."

Microsoft has heavily criticized Google and the company's security disclosure policy after the firm publicly revealed a Windows 8.1 security flaw just days before Microsoft planned to issue a patch to kill the bug.

In a lengthy blog post, senior director of the Microsoft Security Response Center Chris Betz said that the threat landscape is becoming increasingly complex, and it is time for companies to stand together in response -- rather than stand divided when it comes to cybersecurity strategies, such as in vulnerability and threat disclosure, as well as the release of security patches and fixes.

This declaration comes after Google released details concerning a Windows 8.1 security flaw two days before Microsoft was due to issue a fix. The public disclosure concerned a bug which allows low-level users to become administrators, granting themselves elevated access to sensitive functions they should not be able to tap into. While Microsoft pointed out that valid login credentials were required to exploit this flaw, this wouldn't necessarily stop a company employee with an axe to grind causing harm to a system.

Continued : http://www.zdnet.com/article/microsoft-slams-google-for-spilling-the-beans-on-windows-8-1-security-flaw/

Related :
Microsoft scolds Google for lack of flexibility in vulnerability disclosure
Microsoft chastises Google for disclosing Windows 8.1 security hole prior to patch
Microsoft slams Google for publishing a security vulnerability in Windows 8.1

Google Under Fire For Quietly Killing Critical Android Security Updates For Nearly One Billion
Jan 12, 2015 1:13AM PST

Android smartphone owners who aren't running the latest version of their operating system might get some nasty surprises from malicious hackers in 2015. That's because one of the core components of their phones won't be getting any security updates from Google, the owner of the Android operating system.

Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below, according to appalled security researchers. That means two-thirds of users won't receive cover from Google, the researchers noted.

The WebView piece of the messy Android jigsaw allows apps to display web pages without having to open another application. Many apps and ad networks use the component, which the Google Android team even advocates in its developer documentation on rendering web pages...

Continued: http://www.forbes.com/sites/thomasbrewster/2015/01/12/google-webview-updates-quietly-killed-for-most-androids/

Apple Patches Password-Cracking Security Hole in iCloud
Jan 12, 2015 1:14AM PST

The Mac Security blog:

On New Year's Day, when most of us were recovering from festivities of the night before, Apple was dealing with a whole different headache.

A hacker group calling themselves Pr0x13 released a tool designed to exploit a hole in Apple security, and gain access to iCloud accounts through sheer brute force.

iDict was described as a "100% working iCloud Apple ID Dictionary attack that bypasses account lockout restrictions and secondary authentication on any account."

Posing as a legitimate iPhone device, the iDict software would make multiple attempts to break into iCloud accounts, working through a long list of commonly used passwords. That's the kind of attack that you would hope Apple would normally prevent—noticing that the wrong password has been entered five times, and then blocking further attempts.

Continued : http://www.intego.com/mac-security-blog/apple-patches-brute-force-password-cracking-security-hole-in-icloud/

Related :
Apple blocks tool that brute-forces iCloud passwords
Hackers Just Released A Tool That Could Threaten Everyone's iCloud Account

Malware Masquerades as Android Data Backup App
Jan 12, 2015 1:14AM PST

"An Android app posing as a tool designed to protect information on the device by creating a backup copy actually steals details about the phone and the user activity."

Called SocialPath, one version of the malicious piece of software managed to make it to the official Android store, but Google received an alert from security researchers and removed it.

The distribution model adopted by the cybercriminals is spamming the victim through messages on Twitter and WhatsApp. The link to the rogue app is a short one, created via the Bit.ly service.

SocialPath takes more data than it states

Continued : http://news.softpedia.com/news/Malware-Masquerades-as-Android-Data-Backup-App-469144.shtml

Windows exploitation in 2014
Jan 12, 2015 1:14AM PST

ESET "We Live Security" blog:

Today, we published our research about Windows exploitation in 2014 (pdf). This report contains interesting information about vulnerabilities in Microsoft Windows and Office patched over the course of the year, drive-by download attacks and mitigation techniques.

The report includes the following information.

• Vulnerabilities discovered and patched in Microsoft Windows and Office.
• Statistics about patched vulnerabilities and how they compare with 2013's statistics.
• Detailed descriptions of actual exploitation vectors.
• Vulnerabilities that were exploited in the wild, including a specific table showing ASLR bypass vulnerabilities.
• Exploitation methods and mitigation techniques for Microsoft's Internet Explorer web browser (IE).

Continued : http://www.welivesecurity.com/2015/01/08/windows-exploitation-2014/

Related:
Microsoft Software Flaws Increase Sharply But Majority Affect IE
Internet Explorer caused 2014 surge in Microsoft flaws, research finds
How Windows was exploited in 2014