
NEWS - May 11, 2015

May 11, 2015 12:50AM PDT
Millions of WordPress Websites at Risk from in-the-wild Exploit

Graham Cluley @ Tripwire's "State of Security" blog:

What's happened?
A widespread vulnerability has been found in WordPress, that impacts millions of websites running the popular blogging software and content management system.

What's the vulnerability?
It's a cross-site scripting (XSS) vulnerability inside the popular JetPack plugin and the default Twenty Fifteen theme installed on all WordPress sites.

The problem lies in the genericons package, specifically a file called example.html. Any plugin which makes use of the package is potentially vulnerable.

If a website administrator was tricked into clicking on a malicious link, the vulnerability can be exploited to hijack the website - making changes to its code or altering settings.

Who found the vulnerability?
David Dede, a researcher with security firm Sucuri, uncovered the problem and blogged about it yesterday:

Continued : http://www.tripwire.com/state-of-security/security-data-protection/wordpress-xss/

Related:
Millions of WordPress sites risk hijacking due to flaw in default theme
Hackers target critical XSS vulnerability in millions of Wordpress sites
Actively exploited WordPress bug puts millions of sites at risk
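A defensive check for the Genericons item above, added here as an editor's example (not code from the post, from Tripwire or from Sucuri): it walks a WordPress wp-content tree and reports every copy of example.html sitting directly inside a genericons directory, since any plugin or theme bundling the package may carry its own copy. The remove helper assumes the remediation is deleting the unused demo page; that is this editor's assumption, not something the post states.

```python
"""Audit a WordPress wp-content tree for copies of genericons/example.html.

Editor's example for the Genericons XSS item. The vulnerable file ships inside
the genericons package, so each plugin or theme that bundles the package may
carry its own copy. The fix assumed here (editor's assumption, not stated in
the post) is to delete the unused demo page.
"""
import os
from pathlib import Path
from typing import List

VULNERABLE_NAME = "example.html"
PACKAGE_DIR = "genericons"


def find_genericons_examples(wp_content: str) -> List[str]:
    """Return relative paths of every genericons/example.html under wp-content.

    Matches only when the file sits directly in a directory named 'genericons'
    (case-insensitive), so unrelated example.html files elsewhere in a plugin
    are not reported.
    """
    root = Path(wp_content)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if Path(dirpath).name.lower() != PACKAGE_DIR:
            continue
        if VULNERABLE_NAME in filenames:
            hits.append(str(Path(dirpath, VULNERABLE_NAME).relative_to(root)))
    return sorted(hits)


def remove_genericons_examples(wp_content: str) -> List[str]:
    """Delete each reported copy and return the paths that were removed."""
    removed = []
    for rel in find_genericons_examples(wp_content):
        Path(wp_content, rel).unlink()
        removed.append(rel)
    return removed


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "wp-content"
    for rel in find_genericons_examples(base):
        print("vulnerable copy:", rel)
```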

Alleged Developers of Photobucket Hacking Tool Arrested
May 11, 2015 1:11AM PDT

Law enforcement authorities in the United States on Friday indicted and arrested two individuals suspected of developing, marketing and selling a piece of software designed to enable unauthorized access to protected content stored on the image and video hosting website Photobucket.

According to the indictment (pdf), Brandon Bourret, 39, of Colorado Springs, Colorado and Athanasios Andrianakis, 26, of Sunnyvale, California have been accused of conspiring to commit computer fraud and abuse, access device fraud, identification document fraud, and wire fraud.

Photobucket allows users to protect albums containing private content by marking them "private" or "password protected." Bourret and Andrianakis are said to have developed a tool, dubbed "Photofucket," that allowed them to access images and videos stored in private or password-protected albums.

Continued : http://www.securityweek.com/alleged-developers-photobucket-hacking-tool-arrested

Related : The hackers who broke into Photobucket's system have been arrested by the FBI

GPU-based rootkit and keylogger offer superior stealth and computing power
May 11, 2015 1:12AM PDT

"Proof-of-concept malware may pave the way for future in-the-wild attacks."

Developers have published two pieces of malware that take the highly unusual step of completely running on an infected computer's graphics card, rather than its CPU, to enhance their stealthiness and give them increased computational abilities.

Both the Jellyfish rootkit and the Demon keylogger are described as proofs-of-concept by their pseudo-anonymous developers, whom Ars was unable to contact. Tapping an infected computer's GPU allows malware to run without the usual software hooks or modifications malware makes in the operating system kernel. Those modifications can be dead giveaways that a system is infected.

Here's how the developers describe their rootkit:

Continued : http://arstechnica.com/security/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/

Related : GPU-based malware is real, say developers of PoC rootkit and keylogger
Breaking Bad-themed ransomware targeting users
May 11, 2015 1:13AM PDT

A new type of ransomware is targeting Australian users, and its creators have decided to have some fun and express their love for the popular US TV show Breaking Bad while trying to "earn" some money. [Screenshot]

Aside from the "Los Pollos Hermanos"-branded ransom message and the email address used in the extortion demand sporting a popular quote by the show's main character, the ransomware is not very innovative.

It encrypts the usual assortment of file types - images, documents, audio and video files, archive and database files - with a random Advanced Encryption Standard (AES) key, which is then encrypted with an RSA public key.

Continued : http://www.net-security.org/malware_news.php?id=3035

@ Symantec's "Security Response Blog" : Breaking Bad-themed 'Los Pollos Hermanos' crypto ransomware found in the wild

Related :
Breaking Bad ransomware
Breaking Bad Ransomware Targeting Australian Computers

Get ready for Android M, for "more privacy"
May 11, 2015 1:13AM PDT

Google's next Android update may put privacy back into its owners' hands -- literally.

According to sources speaking to Bloomberg on Thursday, the next iteration of Android will give users more detailed choices over what data apps can access. That includes access to photos, contacts, and location data, according to the report.

ZDNet's Kevin Tofel noted the change would give a user more granular controls over their data and how it's used, adding that the option has been present in the past -- albeit hidden for developers' use only.

The anticipated move would follow in the footsteps of Google's closest rival, Apple, which added similar security features more than two years ago.

Continued : http://www.zdnet.com/article/get-ready-for-android-m-for-more-privacy/

Related: Google's Next Android Version Could Offer More Privacy to Users

Windows 10 spells the end of Patch Tuesday
May 11, 2015 1:13AM PDT

Microsoft is ready to abandon the longstanding patching schedule that saw patches and security updates being delivered on the second Tuesday of every month. With the advent of Windows 10, security updates and other software innovations will be pushed to PCs, tablets and phones as soon as they are ready.

But this change will only apply for home users - enterprise users will be able to take advantage of Windows Update for Business, a free service for all Windows Pro and Windows Enterprise devices.

Terry Myerson, the executive VP of Microsoft's Operating Systems group, noted that while they have implemented security in all the layers of the Windows 10 stack, keeping devices up-to-date with the latest security updates is still the most crucial thing enterprises can do to protect them.

Continued : http://www.net-security.org/secworld.php?id=18348

Related:
Windows 10 will kill off 'Patch Tuesday' as Microsoft pushes constant stream of updates
Windows 10 bombshell: Microsoft to KILL OFF Patch Tuesday
Patch Tuesday Facelift End of an Era

Who's Scanning Your Network? (A: Everyone)
May 11, 2015 1:13AM PDT

Not long ago I heard from a reader who wanted advice on how to stop someone from scanning his home network, or at least recommendations about to whom he should report the person doing the scanning. I couldn't believe that people actually still cared about scanning, and I told him as much: These days there are countless entities — some benign and research-oriented, and some less benign — that are continuously mapping and cataloging virtually every device that's put online.

".. When I was first getting my feet wet on the security beat roughly 15 years ago, the practice of scanning networks you didn't own looking for the virtual equivalent of open doors and windows was still fairly frowned upon — if not grounds to get one into legal trouble. These days, complaining about being scanned is about as useful as griping that the top of your home is viewable via Google Earth. Trying to put devices on the Internet and then hoping that someone or something won't find them is one of the most futile exercises in security-by-obscurity."

Continued : http://krebsonsecurity.com/2015/05/whos-scanning-your-network-a-everyone

Superfish ad injection plagues Google searches, study finds
May 11, 2015 3:19AM PDT

"Google finds 50,870 Chrome extensions and 34,407 programs injecting ads into its websites"

Over five percent of browser visits to Google-owned websites, including Google Search, are altered by computer programs that inject ads into pages. One called Superfish is responsible for a majority of those ad injections.

The findings are the result of a study (pdf) by Google and researchers from the University of California at Berkeley and Santa Barbara, which analysed over 102 million page views to Google sites between June and September last year.

Google added code to its websites that detected and reported back when ads were injected into pages by programs or browser extensions. This revealed that locally-installed ad injectors interfered with 5,339,913 page views (5.2 percent of the total), impacting tens of millions of users around the world - or 5.5 percent of unique daily IP addresses that accessed Google's sites.

Continued : http://www.techworld.com/news/security/superfish-ad-injection-plagues-google-searches-study-finds-3610962/

Related:
One in 20 web users infected with ad injection software
Google Report Unmasks Ad Injection Economy

Lavaboom Secure Email Service Opens to the Public
May 11, 2015 3:19AM PDT

After spending 20 months in closed development, Lavaboom, the email service that promises end-to-end encryption, started to send out sign-up invitations to 25,000 users on the waiting list.

Lavaboom aims to deliver completely private email communication that makes secret not only message content but also the metadata accompanying it, such as the address of the sender and the recipient and the subject line.

Lavaboom is powered by new technology

To achieve this, the service relies on OpenPGP.js, the open source PGP (Pretty Good Privacy) library for JavaScript, and DIME (Dark Internet Mail Environment) technology that uses new message exchange protocols DMTP (the Dark Mail Transfer Protocol) and DMAP (Dark Mail Access Protocol) for encryption.

DIME is developed by the Darkmail Technical Alliance, whose team is composed of Phil Zimmermann (the designer of PGP), Jon Callas from Silent Circle and Mike Janke, both from Silent Circle, and Ladar Levison, the founder of the now defunct Lavabit secure email service that refused to provide the SSL encryption keys to the NSA.

Lavaboom follows in the footsteps of Lavabit as far as the security of email exchange is concerned, but has a much stronger risk management approach. Its data centers are on German territory, where authorities in the US have no jurisdiction.

Continued : http://news.softpedia.com/news/Lavaboom-Secure-Email-Service-Opens-to-the-Public-480603.shtml

[Lavabit emphasis by me]

PayIvy Sells Your Online Accounts Via PayPal
May 11, 2015 3:19AM PDT

Normally, if one wishes to buy stolen account credentials for paid online services like Netflix, Hulu, XBox Live or Spotify, the buyer needs to visit a cybercrime forum or drop into a dark Web marketplace that only accepts Bitcoin as payment. Increasingly, however, these accounts are showing up for sale at Payivy[dot]com, an open Web marketplace that happily accepts PayPal in exchange for a variety of stolen accounts. [Screenshot]

Marketed and sold by a Hackforums user named "Sh1eld" as a supposed method of selling ebooks and collecting payments for affiliate marketers, PayIvy has instead become a major conduit for hawking stolen accounts and credentials for a range of top Web services.

Continued : http://krebsonsecurity.com/2015/05/payivy-sells-your-online-accounts-via-paypal/