NEWS - January 13, 2015

Jan 13, 2015 6:39AM PST
This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby

Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes — saving them both locally and online.

This is no toy. KeySweeper includes a web-based tool for live keystroke monitoring, can send SMS alerts for trigger words, usernames, or URLs (in case you want to steal a PIN number or password), and even continues to work after it is unplugged thanks to a rechargeable internal battery. That's an impressive list of features, especially given that Kamkar told VentureBeat the whole process "took a few days" including a few over Christmas break and this past weekend when he decided "to properly document it."

Continued : http://venturebeat.com/2015/01/12/this-usb-wall-charger-secretly-logs-keystrokes-from-microsoft-wireless-keyboards-nearby/

Related:
How a $10 USB Charger Can Record Your Keystrokes Over the Air
Hackers Can Use A $10 Wall Charger To Intercept Anything Typed On Wireless Microsoft Keyboards

Ransomware-wielding crooks made over $217K in a single month
Jan 13, 2015 7:07AM PST

Crypto-ransomware continues to be a very effective way for cyber crooks to "earn" serious money: the method is so lucrative that with a single campaign, the crooks have managed to get their hands on 810 BTC (over $217,000) in a month.

The targets of the latest widespread ransomware delivery campaign are almost exclusively Australian users, and it seems that over 1,200 of them have paid up to have their computers unlocked and their files restored.

The malware - a TorrentLocker variant - is delivered via spoofed emails impersonating the New South Wales government or the Australian Post. In the former example the targets are urged to download a penalty or reminder notice, in the latter information about a delivery.

Continued : http://www.net-security.org/malware_news.php?id=2938

Toward Better Privacy, Data Breach Laws
Jan 13, 2015 7:07AM PST
President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.

The plan is intended to unify nearly four dozen disparate state data breach disclosure laws into a single, federal standard. But as experts quoted in this story from The New York Times rightly note, much rides on whether or not any federal breach disclosure law is a baseline law that allows states to pass stronger standards.

Continued : http://krebsonsecurity.com/2015/01/toward-better-privacy-data-breach-laws/

Related : US President spells out his cybersecurity legislative agenda
Yr's first Patch Tuesday highlights conflict between Google
Jan 13, 2015 8:44AM PST
.. and Microsoft

"After nearly a decade, Microsoft's Patch Tuesday has become part of a routine for security researchers and IT pros. But Google's new hard-line policy on disclosing security vulnerabilities added drama to this Patch Tuesday, and the fireworks will continue unless the two companies can synchronize their calendars."

Normally, the second Tuesday of the month is just another day at the office for Microsoft security researchers and IT pros who support enterprise networks.

For the first Patch Tuesday of 2015, Microsoft has released a total of eight new security updates (one rated Critical, the other seven rated Important) for Windows desktop and server editions. In addition, the company released an update to an Internet Explorer patch from last month and an update for the Adobe Flash Player component built into Internet Explorer 11.

But this batch of patches is strikingly different from its predecessors in two respects.

Continued : http://www.zdnet.com/article/years-first-patch-tuesday-highlights-conflict-between-microsoft-and-google/

Related:
Microsoft Patches Vulnerability Under Attack and Google-Disclosed Zero Day
Microsoft Patches Zero-Day Windows Flaws Disclosed by Google
Adobe Flash Player 16.0.0.257 Fixes Nine Security Bugs
Jan 13, 2015 8:44AM PST

"Most flaws discovered by Google's Project Zero researchers"

Adobe launched a new version for Flash Player, eliminating a total of nine security flaws from the previous release, most of them presenting the risk of a potential attacker being able to execute arbitrary code on the affected system.

Three of the weaknesses (CVE-2015-0303, CVE-2015-0305 and CVE-2015-0308) have been reported by security researchers from Google, who recently disclosed two elevation of privilege bugs in Windows 8.1, before giving Microsoft the chance to push fixes to the users through their monthly update cycle.

In Flash Player they found a memory corruption issue, one use-after-free vulnerability and a type confusion flaw, all providing the possibility of code execution, if successfully exploited.

Continued : http://news.softpedia.com/news/Adobe-Flash-Player-16-0-0-257-Fixes-Nine-Security-Bugs-469893.shtml

See stickie : Security Updates for Adobe Flash Player (APSB15-01)

0-Days Exposed in Several Corel Applications
Jan 13, 2015 8:59AM PST
UPDATE - Researchers from Core Security have disclosed DLL hijacking vulnerabilities in several applications made by Corel Software after the vendor didn't respond to Core's notifications about the flaws. There are no patches available for the bugs, which can allow remote code execution.

Corel sells a variety of graphics, design and video apps, including CorelDRAW, Photo-Paint and CAD, and security researchers at Core discovered that many of the apps contain a DLL hijacking vulnerability that can be triggered when a user opens a malicious DLL.

"When a file associated with the Corel software is opened, the directory of that document is first used to locate DLLs, which could allow an attacker to execute arbitrary commands by inserting malicious DLLs into the same directory as the document," the advisory from Core says.

Continued : http://threatpost.com/0-days-exposed-in-several-corel-applications/110348

Related:
Multiple Corel Products Exposed to Zero-Day Vulnerabilities
Corel DLL hijacking vulnerability could allow arbitrary command execution