Researcher finds backdoor opened by Dell's helper app
A security researcher has discovered a serious bug in Dell System Detect, the software Dell users are urged to use to download the appropriate drivers for their machines. The flaw can be exploited by attackers to make the computer download and execute potentially malicious files.
The software, which can be downloaded from the Dell Support page, can thus be effectively used to open a backdoor in the target's computer.
"While investigating this rather innocuous looking program I discovered that it accepts commands by listening for HTTP requests on localhost:8884 and that the security restrictions Dell put in place are easily bypassed, meaning an attacker could trigger the program to download and install any arbitrary executable from a remote location with no user interaction at all," Tom Forbes claims.
Continued : http://www.net-security.org/secworld.php?id=18134
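The practical check that follows from Forbes's finding is a local one: is anything on this machine accepting connections on localhost:8884? The script below is an added example (not Forbes's code and not Dell's); the port number is taken from the quote above, and the throwaway listener in the self-test exists only so the probe can be shown working offline.

```python
import socket

# Port that Dell System Detect is reported (in the quote above) to listen on
# for HTTP commands.
DELL_SYSTEM_DETECT_PORT = 8884


def is_listening(port, host="127.0.0.1", timeout=0.5):
    """Return True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:
            return False


def check_dell_system_detect():
    """Report whether a command listener is reachable on the Dell port.

    Any web page loaded in a browser on this host can issue HTTP requests to
    a localhost listener, so a positive result is worth following up even
    before deciding whether the listener's own checks hold up."""
    listening = is_listening(DELL_SYSTEM_DETECT_PORT)
    return {
        "port": DELL_SYSTEM_DETECT_PORT,
        "listening": listening,
        "verdict": ("localhost command listener reachable: review or remove the helper"
                    if listening else "nothing accepting connections on this port"),
    }


def demo_with_temporary_listener():
    """Self-test: open a listener on an ephemeral loopback port, confirm the
    probe sees it, close it, confirm the probe no longer does."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = is_listening(port)
    after_close = is_listening(port)
    return while_open, after_close


if __name__ == "__main__":
    print(check_dell_system_detect())
    print(demo_with_temporary_listener())  # (True, False)
```

Run it on the workstation in question; a `listening: True` result says only that the port is open, which is exactly the precondition Forbes's attack relies on, not that the helper is exploitable on that build.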
A $60 Gadget That Makes Car Hacking Far Easier
The average automobile today isn't necessarily secured against hackers, so much as obscured from them: Digitally controlling a car's electronics remains an arcane, specialized skill among security researchers. But that's changing fast. And soon, it could take as little as $60 and a laptop to begin messing around with a car's digital innards.
Tomorrow at the Black Hat Asia security conference in Singapore, 24-year-old Eric Evenchick plans to present a new device he calls the CANtact. The open source board, which he hopes to sell for between $60 and $100, connects on one end to a computer's USB port, and on the other to a car or truck's OBD2 port, a network port under its dashboard. That makes the CANtact a cheap interface between any PC and a vehicle's controller area network or CAN bus, the collection of connected computers inside of every modern automobile that control everything from its windows to its brakes.
Continued : http://www.wired.com/2015/03/60-gadget-thatll-make-car-hacking-easier-ever/
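To make concrete what an interface like the CANtact puts in front of a laptop, here is an added example (not Evenchick's code and unrelated to the CANtact firmware) that parses frames in the SocketCAN candump log format and decodes two standard OBD-II mode 01 responses, engine RPM and vehicle speed. The log lines are constructed for the example, not captured from a vehicle; the 0x7DF request ID, the 0x7E8-0x7EF response IDs, the ISO-TP single-frame layout and the PID formulas are the standard OBD-II ones.

```python
import re

# Constructed sample in candump's log format "(timestamp) iface ID#HEXDATA".
# These frames are made up for the example, not captured from a real car.
SAMPLE_LOG = """\
(1427200000.000100) can0 7DF#02010C0000000000
(1427200000.000800) can0 7E8#04410C1AF8000000
(1427200000.010100) can0 7DF#02010D0000000000
(1427200000.010900) can0 7E8#03410D3C00000000
(1427200000.020000) can0 244#1122334455667788
"""

CANDUMP_RE = re.compile(
    r"^\((?P<ts>[\d.]+)\)\s+(?P<iface>\S+)\s+(?P<id>[0-9A-Fa-f]+)#(?P<data>[0-9A-Fa-f]*)$"
)

OBD_REQUEST_ID = 0x7DF                  # functional (broadcast) diagnostic request
OBD_RESPONSE_IDS = range(0x7E8, 0x7F0)  # ECUs answer on 0x7E8-0x7EF

# Standard OBD-II mode 01 PIDs: name, number of data bytes, formula over A, B...
PID_DECODERS = {
    0x0C: ("engine_rpm", 2, lambda d: (256 * d[0] + d[1]) / 4),
    0x0D: ("vehicle_speed_kmh", 1, lambda d: d[0]),
}


def parse_candump_line(line):
    """Split one candump log line into timestamp, interface, CAN ID and data."""
    m = CANDUMP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a candump line: {line!r}")
    return {"ts": float(m["ts"]), "iface": m["iface"],
            "id": int(m["id"], 16), "data": bytes.fromhex(m["data"])}


def decode_obd_response(frame):
    """Decode an ISO-TP single-frame OBD-II mode 01 positive response.

    Returns None for anything else: requests, non-diagnostic traffic,
    multi-frame transfers, unknown PIDs or truncated payloads."""
    if frame["id"] not in OBD_RESPONSE_IDS or not frame["data"]:
        return None
    data = frame["data"]
    pci_type, length = data[0] >> 4, data[0] & 0x0F
    if pci_type != 0 or length < 2 or length > 7 or len(data) < 1 + length:
        return None
    payload = data[1:1 + length]
    mode, pid, values = payload[0], payload[1], payload[2:]
    if mode != 0x41 or pid not in PID_DECODERS:
        return None
    name, nbytes, formula = PID_DECODERS[pid]
    if len(values) < nbytes:
        return None
    return {"ecu": hex(frame["id"]), "pid": pid, "name": name, "value": formula(values)}


def decode_log(text):
    """Return the decoded OBD-II responses found in a candump log."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        decoded = decode_obd_response(parse_candump_line(line))
        if decoded is not None:
            out.append(decoded)
    return out


if __name__ == "__main__":
    for item in decode_log(SAMPLE_LOG):
        print(item)
```

The 0x244 frame in the sample is the kind of traffic that matters from a security standpoint: proprietary, undocumented, and unfiltered by any OBD-II layer. The decoder deliberately ignores it, which is the point at which reverse engineering with a board like this one begins.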
Tax Fraud Advice, Straight from the Scammers
Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we'll see in the conversations highlighted in this post.
As several stories these past few months have noted, those involved in tax refund fraud shifted more of their activities away from the Internal Revenue Service and toward state tax filings. This shift is broadly reflected in discussions on several fraud forums from 2014, in which members lament the apparent introduction of new fraud "filters" by the IRS that reportedly made perpetrating this crime at the federal level more challenging for some scammers.
Continued : http://krebsonsecurity.com/2015/03/tax-fraud-advice-straight-from-the-scammers/
Microsoft enlists web security pariah Adobe to help build Internet Explorer-killer Spartan
Microsoft has revealed it's working with Adobe on some aspects of project Spartan, its replacement browser that will confine Internet Explorer to the Antique Code Show.
When one contemplates Adobe's contribution to browsers, it's hard not to think of the carnage its Flash plugin has wrought with a seemingly never-ending cavalcade of flaws.
Microsoft doesn't mention the war in its post about the collaboration, which it says has been established because Adobe has helped open-source web rendering engines and so knows its way around the browser. Adobe's "Web Platform Team" is therefore contributing to Spartan "in the areas of layout, typography, graphic design and motion".
Continued : http://www.theregister.co.uk/2015/03/25/microsoft_enlists_web_security_pariah_adobe_to_help_build_spartan/
Google Adds Deceptive Software to Safe Browsing API
Google is continuing to refine its Safe Browsing API and now is giving users warnings about not just malicious software on sites they're attempting to visit, but also about unwanted software.
Google's Safe Browsing API is designed to help protect users from a variety of threats on pages across the Internet. The functionality is built into Chrome, as well as Firefox and other browsers, and when a user tries to visit a page that Google's crawlers or other users have reported to be hosting malware, phishing links or other types of threats, it will throw up a warning dialog. Depending upon the type of threat found on the target page, the browser will give the user various types of information and options.
Fake "Incoming Fax Report" emails lead to crypto-ransomware
Once again, fake "Incoming Fax Report" emails carrying malware are being sent out to random users. Given the popularity of online fax-sending services, there are likely to be many victims.
The email takes the same, often repeated form: [Screenshot]
Most of the time, the subject of the fake fax is something related to payrolls or an internal report, and the malicious file is hosted on an online file storage account and linked to from the email.
In this case, the email carries the malware in the attachment.
According to Dr. Web researchers, the file, an SCR (Windows screensaver, i.e. executable) file, is a Trojan downloader which, once run, extracts and launches encryption ransomware.
Continued : http://www.net-security.org/malware_news.php?id=2994
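The triage a mail gateway or analyst can apply to this lure is mechanical: flag attachments whose extension Windows treats as executable (.scr included), whose name carries a double extension, or whose content starts with the MZ header of a Windows executable. The script below is an added example, not code from Dr. Web or Help Net Security; the message it parses is constructed for the example and modelled on the lure described above, not a real sample.

```python
import email
import os
from email import policy

# Extensions Windows will run as a program when double-clicked. A "fax
# report" should never arrive as one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                         ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".cpl", ".jar", ".ps1"}

# Constructed sample message (not a real sample) modelled on the lure above:
# fake fax report, payroll theme, executable attachment with a double
# extension. The attachment body is a truncated MZ header, not real malware.
SAMPLE_EML = """\
From: Fax Service <fax@example.invalid>
To: victim@example.invalid
Subject: Incoming Fax Report : Payroll
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You have received a new fax. See the attached report.
--b1
Content-Type: application/octet-stream; name="Fax_Report_Payroll.pdf.scr"
Content-Disposition: attachment; filename="Fax_Report_Payroll.pdf.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


def attachment_findings(raw_message):
    """Return one finding per suspicious attachment, with the reasons."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        root, ext = os.path.splitext(name.lower())
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension {ext}")
        inner_ext = os.path.splitext(root)[1]
        if inner_ext and inner_ext != ext:
            reasons.append(f"double extension {inner_ext}{ext}")
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ":
            reasons.append("content starts with MZ (Windows executable header)")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def triage(raw_message):
    """Combine the attachment findings with the fax-lure subject into a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "")
    findings = attachment_findings(raw_message)
    return {
        "subject": subject,
        "fax_lure": "fax" in subject.lower(),
        "findings": findings,
        "verdict": "block" if findings else "allow",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The content check matters more than the name checks: an executable renamed to .pdf still starts with MZ, and a genuine PDF starts with %PDF, so a gateway that only trusts the extension is the one this lure is built for.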
Bankrupt RadioShack's Attempts To Sell Customer Data Meets Resistance
By now most everyone knows that RadioShack's Chapter 11 bankruptcy was designed to be a pre-packaged asset sale. That sounded pretty benign when we were talking about the sale or auction of store leases to companies like Sprint, but it turns out data is an asset too. And customer data is the most highly prized of all.
Bloomberg reported today that RadioShack's 100 million customer database is a planned part of the asset auction. That database includes names, email addresses and phone numbers of people who have bought something at the Shack.
Continued : http://www.forbes.com/sites/paularosenblum/2015/03/24/bankrupt-radioshacks-attempts-to-sell-customer-data-meets-resistance/
One reason I never supplied mine... just common sense.