Spyware, Viruses, & Security forum

Alert

NEWS - January 12, 2015

by Carol~ Moderator / January 12, 2015 12:38 AM PST
Browsing in privacy mode? Super Cookies can track you anyway

"For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn't save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care."

"Sam Greenhalgh, a technology and software consultant who operates RadicalResearch, has figured out a way to turn this security feature into a potential privacy hazard. His proof of concept is known as HSTS Super Cookies. Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. ..."

Continued: http://arstechnica.com/security/2015/01/browsing-in-privacy-mode-super-cookies-can-track-you-anyway/

Related : Brit Proves Google's Eric Schmidt Totally Wrong: Super Cookies Can Track Users Even When In Incognito Mode
Discussion is locked
You are posting a reply to: NEWS - January 12, 2015
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - January 12, 2015
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Root Command Execution Flaw Haunts ASUS Routers
by Carol~ Moderator / January 12, 2015 12:43 AM PST

There is a serious security vulnerability in the firmware of many ASUS routers that allows unauthenticated command execution. The bug may be present in all current versions of the router firmware, and there is an exploit published for it, as well.

Security researchers Joshua Drake posted an advisory on the vulnerability on Thursday, detailing the bug and saying that the best defense likely is to remove the remote command execution function from the vulnerable service. The culprit is a service called infosvr, which is designed to help admins find and configure routers on a network segment.

"Several models of ASUS's routers include a service called infosvr that listens on UDP broadcast port 9999 on the LAN interface. It's used by one of ASUS's tools to ease router configuration by automatically locating routers on the local subnet. This service runs with root privileges and contains an unauthenticated command execution vulnerability," Drake wrote in his advisory.

Continued: http://threatpost.com/root-command-execution-flaw-haunts-asus-routers/110276

Related:
Asus wireless router flaw opens network to local attackers
Got an Asus router? Someone on your network can probably hack it
ASUS Routers Plagued by Command Execution Vulnerability
Most Asus routers affected by hijack bug; exploit posted

Collapse -
Lavabit founder wants to make "dark" email secure by default
by Carol~ Moderator / January 12, 2015 12:44 AM PST

"Drop-in SMTP and IMAP replacements will wrap messages in layers of encryption."

Ladar Levison is probably most well-known to Ars readers as the founder of the secure e-mail service Lavabit, which he shut down in mid-2013 in an effort to avoid being forced to comply with a US government demand to turn over users' e-mails. But his latest project is a lot grander in scope than a single hosted e-mail service: Levison is attempting, with the aid of some fellow crypto-minded developers, to change e-mail at large and build encryption into its fundamental nature.

As one of the members of the Darkmail Technical Alliance, Levison—along with Jon Callas, Mike Janke, and PGP designer Phil Zimmermann—is working on a project collectively referred to as DIME, the Dark Internet Mail Environment. DIME will eventually take the form of a drop-in replacement for existing e-mail servers that will be able to use DMTP (the Dark Mail Transfer Protocol) and DMAP (Dark Mail Access Protocol) to encrypt e-mails by default.

Continued : http://arstechnica.com/security/2015/01/lavabit-founder-wants-to-make-dark-e-mail-secure-by-default/

Collapse -
OpenSSL release patches 8 vulnerabilities
by Carol~ Moderator / January 12, 2015 12:53 AM PST

The OpenSSL Project has released updates for the popular homonymous open-source library that implements the SSL and TLS protocols.

The new releases - 1.0.1k, 1.0.0p and 0.98zd - fix 8 vulnerabilities in all, two of which have been classified as moderate, and can lead to Denial Of Service attacks.

The first one has been spotted by Cisco Systems researcher Markus Stenberg late last year, and can be exploited by an attacker by crafting a special DTLS message that can cause a segmentation fault in OpenSSL due to a NULL pointer dereference.

Continued : http://www.net-security.org/secworld.php?id=17803

Related: Eight Security Vulnerabilities Patched by OpenSSL Project

Collapse -
Glitch in OS X search can expose private details of Apple ..
by Carol~ Moderator / January 12, 2015 12:53 AM PST
.. Apple Mail users

A glitch in the search software in Apple's OS X Yosemite can expose private details of Apple Mail users, revealing their IP address as well as other system details to spammers, phishers and online tracking companies.

The potential privacy risk appears when people use the Spotlight Search feature, which also indexes emails received with the Apple Mail email client. When searching a Mac, Spotlight shows previews of emails and when it does this, it automatically loads external images linked in HTML email.

The Spotlight preview loads those files even when users have switched off the "load remote content in messages" option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What's more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.

Continued: http://www.computerworld.com/article/2867010/glitch-in-os-x-search-can-expose-private-details-of-apple-mail-users.html

Related:
Spotlight search in OS X Yosemite exposes private user details to spammers
OS X Spotlight Glitch Reveals Private Details of Apple Mail Users
Collapse -
Moonpig Android app flaw puts THREE MILLION accounts at risk
by Carol~ Moderator / January 12, 2015 12:54 AM PST

Online greetings card retailer Moonpig has become the first big name of 2015 to be embarrassed by for poor software security after a developer lost patience with the slow response to a serious Android app flaw he claims to have reported to them 18 months ago.

According to developer Paul Price, a mess-up on the development API's authentication design (i.e. there wasn't any) allowed him to access a customer's registered details by inserting a nine-digit number to spoof the ID used in the request header. This is equivalent to an open sesame on any and every account, including partial credit card numbers if those have been registered.

"An attacker could easily place orders on other customers accounts, add/retrieve card information, view saved addresses, view orders and much more."

Continued : http://www.techworld.com/news/security/moonpig-android-app-flaw-puts-three-million-accounts-at-risk-3592812/

Related :
Moonpig takes down customer data-leaking apps after vulnerability found
Moonpig suspends app over concerns about customer security
Moonpig makes a pig's ear of security, exposes details of 3.6 million customers

Collapse -
Inside CryptoWall 2.0: Ransomware, professional edition
by Carol~ Moderator / January 12, 2015 12:55 AM PST

"Code that switches from 32-bit to 64-bit and turns off Windows' defenses." - [Screenshot]

It's been over a year since the first wave of cryptographic extortion malware hit computers. Since then, an untold number of individuals, small businesses and even local governments have been hit by various versions of malware that holds victims' files hostage with encryption, demanding payment by Bitcoin or other e-currency in exchange for a key to reverse the damage. And while the early leader, CryptoLocker, was taken down (along with the "Gameover ZeuS" botnet) last June, other improved "ransomware" packages have sprung up to fill its niche—including the sound-alike CryptoWall.

Ransomware is a strange hybrid of digital mugging and commercial-grade coding and "customer service"—in order to continue to be able to generate cash from their malware, the criminal organizations behind them need to be able to process payments and provide victims with a way to get their files back, lest people refuse to pay because of bad word-of-mouth. And to grow their potential market, the extortionists need to find ways to make their "product" work on a wide range of potential target systems. The apex of this combination of crime and commerce is (at least so far) the latest version of CryptoWall—CryptoWall 2.0.

Continued : http://arstechnica.com/information-technology/2015/01/inside-cryptowall-2-0-ransomware-professional-edition/

Related : CryptoWall 2.0 Has Some New Tricks

Collapse -
Using spellcheck? Electromagnetic fields could reveal ...
by Carol~ Moderator / January 12, 2015 12:55 AM PST
... what you're doing

"Georgia Tech is studying better software and hardware designs to prevent electronic snooping"

It has long been known that subtle electronic fields and noises emitted by computers can reveal clues about your activity, a powerful spying method that can be done from a few feet away.

These so-called "side-channel signals" can be collected by antennas or microphones and through analysis could reveal sensitive data such as encryption keys.

It's not known if spy agencies are already using these methods, but the many academic studies outlining potential attacks would suggest it's probably a growing part of signals intelligence.

Continued : http://www.computerworld.com/article/2865304/using-spellcheck-electromagnetic-fields-could-reveal-what-youre-doing.html

Related : New breed of cyber criminal spies on your laptop even when it's offline
Collapse -
Microsoft slams Google for spilling the beans on Windows 8.1
by Carol~ Moderator / January 12, 2015 1:00 AM PST
... security flaw

"The Redmond giant isn't exactly chipper after Google disclosed a Windows bug just two days before Microsoft planned to issue a fix."

Microsoft has heavily criticized Google and the company's security disclosure policy after the firm publicly revealed a Windows 8.1 security flaw just days before Microsoft planned to issue a patch to kill the bug.

In a lengthy blog post, senior director of the Microsoft Security Response Center Chris Betz said that the threat landscape is becoming increasingly complex, and it is time for companies to stand together in response -- rather than stand divided when it comes to cybersecurity strategies, such as in vulnerability and threat disclosure, as well as the release of security patches and fixes.

This declaration comes after Google released details concerning a Windows 8.1 security flaw two days before Microsoft was due to issue a fix. The public disclosure concerned a bug which allows low-level users to become administrators, granting themselves elevated access to sensitive functions they should not be able to tap into. While Microsoft pointed out that valid login credentials were required to exploit this flaw, this wouldn't necessarily stop a company employee with an axe to grind causing harm to a system.

Continued : http://www.zdnet.com/article/microsoft-slams-google-for-spilling-the-beans-on-windows-8-1-security-flaw/

Related :
Microsoft scolds Google for lack of flexibility in vulnerability disclosure
Microsoft chastises Google for disclosing Windows 8.1 security hole prior to patch
Microsoft slams Google for publishing a security vulnerability in Windows 8.1
Collapse -
Google Under Fire For Quietly Killing Critical Android ..
by Carol~ Moderator / January 12, 2015 1:13 AM PST
.. Security Updates For Nearly One Billion

Android smartphone owners who aren't running the latest version of their operating system might get some nasty surprises from malicious hackers in 2015. That's because one of the core components of their phones won't be getting any security updates from Google, the owner of the Android operating system.

Without openly warning any of the 939 million affected, Google has decided to stop pushing out security updates for the WebView tool within Android to those on Android 4.3, better known as Jelly Bean, or below, according to appalled security researchers. That means two-thirds of users won't receive cover from Google, the researchers noted.

The WebView piece of the messy Android jigsaw allows apps to display web pages without having to open another application. Many apps and ad networks use the component, which the Google Android team even advocates in its developer documentation on rendering web pages...

Continued: http://www.forbes.com/sites/thomasbrewster/2015/01/12/google-webview-updates-quietly-killed-for-most-androids/
Collapse -
Apple Patches Password-Cracking Security Hole in iCloud
by Carol~ Moderator / January 12, 2015 1:14 AM PST

The Mac Security blog:

On New Year's Day, when most of us were recovering from festivities of the night before, Apple was dealing with a whole different headache.

A hacker group calling themselves Pr0x13 released a tool designed to exploit a hole in Apple security, and gain access to iCloud accounts through sheer brute force.

iDict was described as a "100% working iCloud Apple ID Dictionary attack that bypasses account lockout restrictions and secondary authentication on any account."

Posing as a legitimate iPhone device, the iDict software would make multiple attempts to break into iCloud accounts, working through a long list of commonly used passwords. That's the kind of attack that you would hope Apple would normally prevent—noticing that the wrong password has been entered five times, and then blocking further attempts.

Continued : http://www.intego.com/mac-security-blog/apple-patches-brute-force-password-cracking-security-hole-in-icloud/

Related :
Apple blocks tool that brute-forces iCloud passwords
Hackers Just Released A Tool That Could Threaten Everyone's iCloud Account

Collapse -
Malware Masquerades as Android Data Backup App
by Carol~ Moderator / January 12, 2015 1:14 AM PST

"An Android app posing as a tool designed to protect information on the device by creating a backup copy actually steals details about the phone and the user activity."

Called SocialPath, one version of the malicious piece of software managed to make it to the official Android store, but Google received an alert from security researchers and removed it.

The distribution model adopted by the cybercriminals is spamming the victim through messages on Twitter and WhatsApp. The link to the rogue app is a short one, created via the Bit .ly service.

SocialPath takes more data than it states

Continued : http://news.softpedia.com/news/Malware-Masquerades-as-Android-Data-Backup-App-469144.shtml

Collapse -
Windows exploitation in 2014
by Carol~ Moderator / January 12, 2015 1:14 AM PST

ESET "We Live Security" blog:

Today, we published our research about Windows exploitation in 2014 (pdf). This report contains interesting information about vulnerabilities in Microsoft Windows and Office patched over the course of the year, drive-by download attacks and mitigation techniques.

The report includes the following information.

• Vulnerabilities discovered and patched in Microsoft Windows and Office.
• Statistics about patched vulnerabilities and how they compare with 2013's statistics.
• Detailed descriptions of actual exploitation vectors.
• Vulnerabilities that were exploited in the wild, including a specific table showing ASLR bypass vulnerabilities.
• Exploitation methods and mitigation techniques for Microsoft's Internet Explorer web browser (IE).

Continued : http://www.welivesecurity.com/2015/01/08/windows-exploitation-2014/

Related:
Microsoft Software Flaws Increase Sharply But Majority Affect IE
Internet Explorer caused 2014 surge in Microsoft flaws, research finds
How Windows was exploited in 2014

Popular Forums
icon
Computer Newbies 10,686 discussions
icon
Computer Help 54,365 discussions
icon
Laptops 21,181 discussions
icon
Networking & Wireless 16,313 discussions
icon
Phones 17,137 discussions
icon
Security 31,287 discussions
icon
TVs & Home Theaters 22,101 discussions
icon
Windows 7 8,164 discussions
icon
Windows 10 2,657 discussions

CNET FORUMS TOP DISCUSSION

Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?