Spyware, Viruses, & Security forum


NEWS - March 17, 2015

by Carol~ Moderator / March 17, 2015 5:27 AM PDT
Bogus SSL certificate for Windows Live could allow man-in-the-middle hacks

Microsoft is scrambling to block a fraudulent HTTPS certificate that was issued for one of the company's Windows Live Web addresses lest it be used by attackers to mount convincing man-in-the-middle attacks.

The phony Transport Layer Security/Secure Sockets Layer certificate was issued for live.fi and www.live.fi, which are addresses Microsoft reserves for its Windows Live services. The sensitive credential has already been revoked by Comodo, the browser-trusted certificate authority that issued it. But given the ease of defeating the current SSL revocation regimen, attackers may still be able to maliciously use the certificate against unsuspecting end users.

"The purpose of this advisory is to notify customers that an SSL digital certificate was improperly issued," Microsoft officials warned late Monday. "This SSL certificate could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Microsoft web properties. It cannot be used to issue other certificates, impersonate other domains, or sign code."

Continued : http://arstechnica.com/security/2015/03/bogus-ssl-certificate-for-windows-live-could-allow-man-in-the-middle-hacks/

Microsoft Warns Fraudulent Certificate Could Lead to MiTM Attacks
Bogus Comodo certificate could open Windows users to phishing, man-in-the-middle attacks

Also see : Microsoft Security Advisory 3046310
Discussion is locked
You are posting a reply to: NEWS - March 17, 2015
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: NEWS - March 17, 2015
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
Yahoo announces email encryption plugin, password-free login
by Carol~ Moderator / March 17, 2015 5:33 AM PDT
In reply to: NEWS - March 17, 2015

Yahoo email users will soon be able to encrypt the emails they send out by simply clicking on a button. In addition to this, users will be able to effectively forget their email passwords and request an on-demand password (a verification code) each time they want to access their account.

Yahoo CISO Alex Stamos introduced the end-to-end email encryption plugin at the SXSW festival this Sunday, and shared that they have been working on it with Google. In fact, the two companies' email encryption solutions will be compatible, allowing users of both services to send each other encrypted emails.

The plugin is a fork of Google's End-to-End Chrome extension, which uses the OpenPGP standard for key generation, encryption, decryption, digital signature, and signature verification, and whose source code has been made open for review by Google in June 2014.

Continued : http://www.net-security.org/secworld.php?id=18085

Yahoo slices your password out of login process, shows off end-to-end encryption
Yahoo releases e2e encryption source code and launches 'on-demand' passwords
Yahoo's simple - but not necessarily secure - new way to log in

Collapse -
D-Link Patches Flaws in IP Cameras, Wireless Range Extenders
by Carol~ Moderator / March 17, 2015 5:33 AM PDT
In reply to: NEWS - March 17, 2015

"D-Link has released firmware updates to address serious security holes affecting the company's DCS-93xL IP cameras and the DAP-1320 wireless range extender."

According to an advisory published by the CERT Coordination Center at Carnegie Mellon University, Tangible Security researchers discovered a high-severity unrestricted file upload vulnerability (CVE-2015-2049) in the D-Link DCS-93xL family of network cameras.

The flaw affects firmware version 1.04 and possibly other versions. The camera models that run the vulnerable firmware are DCS-931L, DCS-930L, DCS-932L, and DCS-933L.

Continued : http://www.securityweek.com/d-link-patches-flaws-ip-cameras-wireless-range-extenders

D-Link patches critical flaws in wireless range extender, Wi-Fi cameras firmware
D-Link Patches Two Remotely Exploitable Bugs in Firmware

Collapse -
This Black Box Can Brute Force Crack iPhone PIN Passcodes
by Carol~ Moderator / March 17, 2015 5:37 AM PDT
In reply to: NEWS - March 17, 2015

Graham Cluley @ Intego's "Mac Security Blog" :

If you don't have time to read this whole blog post, do one thing for me okay?

Change your iPhone password from a simple 4 digit numeric code to a longer, more advanced version, which can include letters and symbols as well as numbers.

For the rest of you who are still with me, check out this fascinating blog post by British security consultancy firm MDSec.

The team at MDSec has highlighted the availability for purchase of a hardware tool, called IP Box, that can brute force crack the four digit password that most users have protecting their iPhones.

Continued : http://www.intego.com/mac-security-blog/iphone-pin-pass-code/

Related : "Black Box" brouhaha breaks out over brute forcing of iPhone PIN lock

Collapse -
'AntiDetect' Helps Thieves Hide Digital Fingerprints
by Carol~ Moderator / March 17, 2015 5:39 AM PDT
In reply to: NEWS - March 17, 2015

As a greater number of banks in the United States shift to issuing more secure credit and debit cards with embedded chip technology, fraudsters are going to direct more of their attacks against online merchants. No surprise, then, that thieves increasingly are turning to an emerging set of software tools to help them evade fraud detection schemes employed by many e-commerce companies.

Every browser has a relatively unique "fingerprint" that is shared with Web sites. That signature is derived from dozens of qualities, including the computer's operating system type, various plugins installed, the browser's language setting and its time zone. Banks can leverage fingerprinting to flag transactions that occur from a browser the bank has never seen associated with a customer's account.

Payment service providers and online stores often use browser fingerprinting to block transactions from browsers that have previously been associated with unauthorized sales (or a high volume of sales for the same or similar product in a short period of time).

Continued : http://krebsonsecurity.com/2015/03/antidetect-helps-thieves-hide-digital-fingerprints/

Collapse -
9-year-old cybersecurity expert hacks Android smartphone..
by Carol~ Moderator / March 17, 2015 5:40 AM PDT
In reply to: NEWS - March 17, 2015
...in minutes

ESET's "We Live Security" blog:

Wondering how secure your Android smartphone is? Well, a 9-year-old cybersecurity expert has demonstrated how hackers could steal contacts, call logs and messages within just 15 minutes.

Speaking at the Security B-sides Conference last week, Harmony School of Science third-grader Reuben Paul took to the stage to promote safer smartphone security. His Keynote speech stressed the importance of being extra careful when downloading apps, showing how even seemingly safe software can be used by cybercriminals to access sensitive data and snoop on your location.

According to Fox, the 9-year-old Paul completed the hack within a quarter of an hour, claiming that it can happen anywhere, to anyone and at any time.

Continued : http://www.welivesecurity.com/2015/03/17/9-year-old-cybersecurity-expert-hacks-android-smartphone-minutes/
Collapse -
The Andromeda botnet is ballooning once again
by Carol~ Moderator / March 17, 2015 5:51 AM PDT
In reply to: NEWS - March 17, 2015

Cybercriminals are, once again, trying to swell the number of computers compromised by the Andromeda backdoor. This will allow them to control the machines and download additional malware at the behest of the highest paying customer/renter.

According to G Data security experts, the botnet's C&C server is currently just waiting to hear from compromised computers, and is still not sending out instructions to the bots, meaning that the botnet masters are still in the botnet building stage.

But, if you have recently received an unsolicited email with a DOC file that instructed you to enable Word macros in order to see its contents, chances are good that your computer has become part of it.

Continued : http://www.net-security.org/malware_news.php?id=2991

@ G Data : The Andromeda/Gamarue botnet is on the rise again

Collapse -
Windows 10 Devices to Allow Sign in With Face, Iris
by Carol~ Moderator / March 17, 2015 7:16 AM PDT
In reply to: NEWS - March 17, 2015
The new Windows 10 operating system will allow users to sign in to a device without a password by using biometrics, including facial recognition, Microsoft announced Tuesday.

Microsoft said its Windows Hello feature will support biometric authentication as part of an effort to reduce the use of passwords, which can often be hacked.

This means "using your face, iris, or fingerprint to unlock your devices," Microsoft vice president Joe Belfiore said in a blog post. "You -- uniquely you -- plus your device are the keys to your Windows experience, apps, data and even websites and services, not a random assortment of letters and numbers that are easily forgotten, hacked, or written down and pinned to a bulletin board."

Continued : http://www.securityweek.com/windows-10-devices-allow-sign-face-iris

Windows 10 says "Hello" to logging in with your face and the end of passwords
Microsoft to add 'enterprise grade' biometric security to Windows 10
Popular Forums
Computer Newbies 10,686 discussions
Computer Help 54,365 discussions
Laptops 21,181 discussions
Networking & Wireless 16,313 discussions
Phones 17,137 discussions
Security 31,287 discussions
TVs & Home Theaters 22,101 discussions
Windows 7 8,164 discussions
Windows 10 2,657 discussions


Help, my PC with Windows 10 won't shut down properly

Since upgrading to Windows 10 my computer won't shut down properly. I use the menu button shutdown and the screen goes blank, but the system does not fully shut down. The only way to get it to shut down is to hold the physical power button down till it shuts down. Any suggestions?