NEWS - March 08, 2015

Mar 8, 2015 3:13AM PDT
'FREAK' flaw undermines security for Apple and Google users, researchers discover

Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker "export-grade" products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook "Like" button.

Continued : http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/03/freak-flaw-undermines-security-for-apple-and-google-users-researchers-discover/

Related :
New FREAK Attack Threatens Many SSL Clients
Time to FREAK out? How to tell if you're vulnerable
Tracking the FREAK Attack
Millions at risk from 'Freak' encryption bug
Stop the presses: HTTPS-crippling "FREAK" bug affects Windows after all

Oracle extends its adware bundling to include Java for Macs
Mar 8, 2015 3:22AM PDT

"For years, Oracle has tormented Windows users by bundling adware with its Java installer for Windows PCs. Now Oracle has begun including the same adware as part of a default installation of Java for the Mac, using the same deceptive techniques."

For several years, Oracle has been bundling the Ask toolbar with its Java software for Windows PCs, often using deceptive methods to convince customers to install the unwanted add-on.

With the latest release of Java for the Mac, Oracle has begun bundling the Ask adware with default installations as well, changing homepages in the process.

Continued : http://www.zdnet.com/article/oracle-extends-its-adware-bundling-to-include-java-for-macs/

Related : Oracle has just given you another reason not to install Java on your Mac

Adobe Starts Vulnerability Disclosure Program on HackerOne
Mar 8, 2015 3:22AM PDT
Update: Adobe is the latest tech vendor to begin a vulnerability disclosure program, but it seems they're limping in at the outset.

The program launched this week on the HackerOne platform, but there are no cash incentives being offered and certain Adobe products are not in scope for researchers.

"Bug hunters who identify a Web application vulnerability in an Adobe online service or web property can now privately disclose the issue to Adobe while boosting their HackerOne reputation score," said Pieter Ockers, Adobe security program manager, PSIRT.

Continued : http://threatpost.com/adobe-starts-vulnerability-disclosure-program-on-hackerone/111490

Related :
Adobe launches bug disclosure program, skimps on bounties
Adobe launches cashless bug bounty

Pieter Ockers @ PSIRT: Adobe Launches Web Application Vulnerability Disclosure Program on HackerOne
NLPRank: An innovative tool for blocking APT malicious domains
Mar 8, 2015 3:22AM PDT

Security researchers working at OpenDNS' Security Labs have developed NLPRank, a new system that helps detect - quickly and relatively accurately - phishing and malware-download sites set up by APT threat actors.

They got the idea while perusing the domain names used by the Carbanak, Anunak and DarkHotel APT groups.

They noticed that the phishing emails sent to employees of the various targeted organizations included links to malicious domains whose names were constructed by using names of tech companies and popular software (Microsoft, Adobe, Firefox, Facebook, Java, GMail etc.) and certain words like "login," "update," "security center," "register," "billing," and so on. These cleverly crafted domain names certainly added an aura of legitimacy to the malicious domains.

Continued : http://www.net-security.org/secworld.php?id=18047

Related :
OpenDNS Unveils 'NLPRank,' a New Model for Advanced Threat Detection
OpenDNS Uses Natural Language Processing to Detect APTs
DNS enhancement catches malware sites by understanding sneaky domain names
Credit Card Breach at Mandarin Oriental
Mar 8, 2015 3:25AM PDT

In response to questions from KrebsOnSecurity, upscale hotel chain Mandarin Oriental Hotel Group today confirmed that its hotels have been affected by a credit card breach.

Reached for comment about reports from financial industry sources about a pattern of fraudulent charges on customer cards that had all recently been used at Mandarin hotels, the company confirmed it is investigating a breach.

"We can confirm that Mandarin Oriental has been alerted to a potential credit card breach and is currently conducting a thorough investigation to identify and resolve the issue," the company said in an emailed statement.

The statement continues, indicating that some of the chain's point-of-sale systems were infected with malware capable of stealing customer card data:

Continued : http://krebsonsecurity.com/2015/03/credit-card-breach-at-mandarian-oriental/

Related:
Mandarin Oriental suffers credit card breach
Report of credit card breach at Mandarin Oriental

Fake "Flash Player Pro" update delivers password-stealing Trojan
Mar 8, 2015 3:25AM PDT

Researchers are warning about a new malware delivery campaign aimed at spreading Fareit, a password-stealing Trojan that can also download additional malware.

This campaign is targeting users whose DNS server settings have been changed to redirect them to malicious sites without their knowledge. This can be the result of a previous compromise of their routers via malware such as the DNSChanger Trojan, or a malvertising campaign such as this one.

However it happened, these users are now in danger of getting saddled with Fareit.

Continued : http://www.net-security.org/malware_news.php?id=2982

Related : Fareit trojan pwns punters with devious DNS devilry
Dridex Banking Trojan Spreading Via Macros in XML Files
Mar 8, 2015 3:40AM PDT

Not long ago, criminals pushing the Dridex banking Trojan were using Microsoft Excel documents spiked with a malicious macro as a phishing lure to entice victims to load the malware onto their machines.

Even though macros are disabled by default inside most organizations, the persistent hackers are still at it, this time using XML files as a lure.

Researchers at Trustwave today said that over the past few days, several hundred messages have been corralled that are trying to exploit users' trust in Office documents with some clever social engineering thrown into the mix in an attempt to convince users to enable macros and thus download the banking malware onto their machines.

Continued : http://threatpost.com/dridex-banking-trojan-spreading-via-macros-in-xml-files/111503

2 weeks on, Superfish debacle still causing pain for some Lenovo customers
Mar 8, 2015 3:40AM PDT

"Assurances on the demise of the dangerous adware are (somewhat) exaggerated."

It has been a rough couple of weeks for Lenovo since revelations surfaced that the PC maker was selling notebooks pre-installed with dangerous, HTTPS-breaking adware. Initially, the company said the Superfish ad-injector posed no threat, a position it quickly reversed. Then, company officials issued a mea culpa that said the company stopped bundling the software in December. For customers who remained vulnerable, executives promised to release a removal tool that would delete all code and data associated with the adware.

Based on the experience of Ars readers Chai Trakulthai and Laura Buddine, Lenovo overstated both assurances. The pair recently examined a $550 Lenovo G510 notebook purchased by a neighbor, and their experience wasn't consistent with two of Lenovo's talking points. First, the PC was ordered in early February, more than four weeks after Lenovo said it stopped bundling Superfish, and yet when the notebook arrived in late February it came pre-installed with the adware and the secure sockets layer certificate that poses such a threat.

Continued : http://arstechnica.com/security/2015/03/two-weeks-on-superfish-debacle-still-causing-pain-for-some-lenovo-customers/
Feds Indict Three in 2011 Epsilon Hack
Mar 8, 2015 3:40AM PDT

U.S. federal prosecutors in Atlanta today unsealed indictments against two Vietnamese men and a Canadian citizen in connection with what's being called "one of the largest reported data breaches in U.S. history." The government isn't naming the victims in this case, but all signs point to the 2011 hack of Texas-based email marketing giant Epsilon.

The government alleges the defendants made more than $2 million blasting out spam to more than one billion email addresses stolen from several email service providers (ESPs), companies that manage customer email marketing on behalf of major corporate brands. The indictments further allege that the men sent the junk missives by hijacking the email servers used by these ESPs.

"This case reflects the cutting-edge problems posed by today's cybercrime cases, where the hackers didn't target just a single company; they infiltrated most of the country's email distribution firms," said Acting U.S. Attorney John Horn. "And the scope of the intrusion is unnerving, in that the hackers didn't stop after stealing the companies' proprietary data—they then hijacked the companies' own distribution platforms to send out bulk emails and reaped the profits from email traffic directed to specific websites."

Continued : http://krebsonsecurity.com/2015/03/feds-indict-three-in-2011-epsilon-hack/

Intuit Failed at 'Know Your Customer' Basics
Mar 8, 2015 3:46AM PDT
Intuit, the makers of TurboTax, recently introduced several changes to beef up the security of customer accounts following a spike in tax refund fraud at the state and federal level. Unfortunately, those changes don't go far enough. Here's a look at some of the missteps that precipitated this mess, and what the company can do differently going forward.

As The Wall Street Journal noted in a story this week, competitors H&R Block and TaxAct say they haven't seen a similar surge in fraud this year. Perhaps the bad guys are just picking on the industry leader. But with 29 million customers last year — far more than H&R Block or TaxAct (which each had about seven million) — TurboTax should also be leading the industry in security.

Keep in mind that none of the security steps described below are going to stop fraud alone. But taken together, they do or would provide more robust security for TurboTax accounts, and significantly raise the costs for criminals engaged in this type of fraud.

Continued : http://krebsonsecurity.com/2015/03/intuit-failed-at-know-your-customer-basics/
Amazon Users Receiving Amazon Gift Card Text Message Contains Gazon Malware
Mar 8, 2015 3:52AM PDT

Have you received text messages about a gift from Amazon? Beware, it might be malware.

Have you recently received a text message on your phone that says, "Hey [ABC], I am sending you $200 Amazon Gift Card You can Claim it here"?

It asks you to redeem your Amazon gift card by installing an APK file that is hosted on the page. This is followed by a URL.

Below is the exact SMS being received by Android users:

Continued : https://www.hackread.com/gazon-malware-hits-android-users-as-amazon-gift-card/