NEWS - July 23, 2016

Jul 23, 2016 6:57AM PDT
GOP delegates suckered into connecting to insecure Wi-Fi hotspots

A Wi-Fi hack experiment conducted at various locations at or near the Republican National Convention site in Cleveland, US, underlines how risky it can be to connect to public Wi-Fi without protection from a VPN.

The exercise, carried out by security researchers at Avast, an anti-virus firm, revealed that more than 1,000 delegates were careless when connecting to public Wi-Fi.

Attendees risked the possibility of being spied on and hacked by cybercriminals or perhaps even spies while they checked their emails, banked online, used chat and dating apps, and even while they accessed Pokemon Go.

Continued: http://www.theregister.co.uk/2016/07/21/gop_wifi_privacy_fail/

Related:
Turns out that you can't trust 'Trump free Wifi' at the Republican National Congress
https://www.grahamcluley.com/2016/07/turns-trust-trump-free-wifi-republican-national-congress/

Users of iPhones and Macs must update to avoid Stagefright-like bug
Jul 23, 2016 7:03AM PDT

Do you remember Stagefright?

It was one of the biggest Android security scares of 2015, after it was discovered that a critical bug in the operating system’s Mediaserver could mean that simply opening an email, browsing a website or receiving a media file via MMS could result in malicious code being run on your Android device.

Many millions of Android devices were thought to be vulnerable, and it was such a big deal that it stirred Google into getting more serious about how it would patch and roll-out updates to users in future.

Continued: http://www.welivesecurity.com/2016/07/21/users-iphones-macs-must-update-avoid-stagefright-like-bug/

Google Chrome Malware Leads to Sketchy Facebook Likes
Jul 23, 2016 7:04AM PDT

Ever wonder how your mild-mannered friend’s Facebook feed suddenly got packed with lewd clickbait? That’s the question Maxime Kjaer was determined to answer when he noticed a friend’s Facebook feed peppered with Likes for sketchy link bait such as “Basic Kissing Tips”.

“Intrigued, I decided to go down the rabbit hole and see what this was all about,” wrote Kjaer, a 19-year-old computer science student at Swiss Federal Institute of Technology in Switzerland, in a blog post Monday.

What he found was what he called a “glaring security hole” in the Google Chrome Webstore that allowed malware authors to infect Chrome browsers via a bogus age verification extension.

Continued: https://threatpost.com/google-chrome-malware-leads-to-sketchy-facebook-likes/119361/

Cici’s Pizza: Card Breach at 130+ Locations
Jul 23, 2016 7:07AM PDT
Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. The disclosure comes more than a month after KrebsOnSecurity first broke the news of the intrusion, offering readers a sneak peek inside the sprawling cybercrime machine that thieves used to siphon card data from Cici’s customers in real-time.

In a statement released Tuesday evening, Cici’s said that in early March 2016, the company received reports from several of its restaurant locations that point-of-sale systems were not working properly.

Continued: http://krebsonsecurity.com/2016/07/cicis-pizza-card-breach-at-130-locations/

Related:
Cicis restaurant chain experiences data breach
http://www.welivesecurity.com/2016/07/21/cicis-restaurant-chain-experiences-data-breach/

PayPal Fixes CSRF Vulnerability in PayPal.me
Jul 23, 2016 7:08AM PDT

PayPal recently fixed a vulnerability on its PayPal.me site that could have let an attacker change a user’s profile without permission.

The issue stemmed from a cross-site request forgery (CSRF) vulnerability that existed in PayPal.me, a site the company launched last year to let its users request money; similar to what Venmo, another property it owns, does.

Florian Courtial, a French software engineer who hunts for bugs in his spare time, discovered the vulnerability and discussed it on his personal blog earlier this week. Courtial previously disclosed bugs in Slack and the project management app Trello.

Continued: https://threatpost.com/paypal-fixes-csrf-vulnerability-in-paypal-me/119435/

EU Cookie Law Popup Pushes Dodgy Chrome Extension Down Your Throat
Jul 23, 2016 7:16AM PDT

Belgian security researcher Bart Blaze has come across a new method of pushing Chrome extensions using scareware tactics.

The researcher noticed this new trick while surfing the Web. When on a particular site he did not want to name, he noticed an annoying popup trying to scare users into thinking their browser contained malware.

"Your browser contains MALWARE. You have to install Chrome Malware Removal tool," the popup read, which when the user pressed OK, would redirect him to a Google Chrome Web Store page, where the user could install the Chrome Malware Removal Tool extension.

Continued: http://news.softpedia.com/news/eu-cookie-law-popup-pushes-dodgy-chrome-extension-down-your-throat-506541.shtml

Firefox to Block Flash in August, Disable in 2017
Jul 23, 2016 7:38AM PDT

Starting next year, Firefox users who navigate to pages that contain Flash will be asked for their consent before activating the plugin. The move, long expected, comes as developers seek to curb usage of Flash in everyday web browsing.

Benjamin Smedberg, Manager of Firefox Quality Engineering at Mozilla, confirmed in a blog post on Wednesday that the browser will also begin blocking non-essential Flash content next month, as another step to making the browser run more efficiently.

Continued: https://threatpost.com/firefox-to-block-flash-in-august-disable-in-2017/119419/

Blog post by Benjamin Smedberg: Reducing Adobe Flash Usage in Firefox

Hacker steals 1.6M accounts from top mobile game's forum
Jul 23, 2016 7:58AM PDT

A hacker has targeted the official forum for popular mobile game "Clash of Kings," making off with close to 1.6 million accounts.

The hack was carried out on July 14 by a hacker, who wants to remain nameless, and a copy of the leaked database was provided to breach notification site LeakedSource.com, which allows users to search their usernames and email addresses in a wealth of stolen and hacked data.

In a sample given to ZDNet, the database contains (among other things) usernames, email addresses, IP addresses (which can often determine the user's location), device identifiers, as well as Facebook data and access tokens (if the user signed in with their social account). Passwords stored in the database are hashed and salted.

Continued: http://www.zdnet.com/article/hacker-steals-forums-of-clash-of-kings-mobile-game/

Related:
Clash of Kings forum hacked — data leaked on 1.6M accounts
http://venturebeat.com/2016/07/22/clash-of-kings-forum-hacked-data-leaked-on-1-6m-accounts/
Companies Behind Warframe, Clash of Kings Games Suffer Data Breaches
http://news.softpedia.com/news/companies-behind-warframe-clash-of-kings-games-suffer-data-breaches-506535.shtml

Google Fixes 48 Bugs, Sandbox Escape, in Chrome
Jul 23, 2016 8:06AM PDT

Google has patched a high-risk vulnerability in its Chrome browser that allows an attacker to escape the Chrome sandbox.

That vulnerability is one of 48 bugs fixed in version 52 of Chrome released Wednesday.

Four dozen of those flaws are rated as high risks and Google paid out more than $22,000 in rewards to researchers who reported vulnerabilities to the company. Payment on an additional 11 bugs found by bug bounty hunters is pending, Google said.

Continued: https://threatpost.com/google-fixes-sandbox-escape-in-chrome-again/119428/