Use privacy software if you want to be safe from Facebook, warns watchdog
A Belgian watchdog has urged all Internet users to download privacy software specifically to shield themselves from Facebook's grasp.
The social network has been under fire for the ways in which it tracks user and non-user behaviour online, without consent, most recently becoming the target of a Europe-wide lawsuit headed up by activist Max Schrems.
It was revealed in April that 25,000 people had already signed up to be a part of that lawsuit, which argues Facebook has been breaching EU data protection law. Individual regulators have been investigating whether or not this is the case for years, and in April Facebook confessed to tracking non-users using cookies (something for which consent must be sought if related to advertising, according to EU law). The social network blamed it on a bug.
Continued : http://arstechnica.com/security/2015/05/use-privacy-software-if-you-want-to-be-safe-from-facebook-warns-watchdog/
Researchers Disclose Further Vulnerabilities in Google App Engine
A Polish research group claims there are still several outstanding vulnerabilities in Google App Engine for Java, including three complete Java sandbox escapes. After three weeks of radio silence from Google, it decided to disclose on Friday the vulnerabilities, along with proof of concept code.
The code doesn't break the sandbox, but does result in partial GAE bypass and could allow an attacker to gain access to GAE's Java environment.
Security Explorations, the company that found the issues, said the bugs largely stem from the incorrect implementation of several methods and missing security checks in the App Engine.
Adam Gowdiak, Security Explorations' founder and CEO, made several digs at Google, calling out the company's delay in response time, in a post to Full Disclosure and other sites Friday morning.
Continued : https://threatpost.com/researchers-disclose-further-vulnerabilities-in-google-app-engine/112849
Related : Security firm publishes details, exploit code for Google App Engine flaws
Related : Security Firm Releases Details of Unpatched Google App Engine Flaws
Related : Researcher turns tables, discloses unpatched bugs in Google cloud platform
Feds Say That Banned Researcher Commandeered a Plane
A security researcher who was kicked off a United Airlines flight last month after tweeting about security vulnerabilities in its system had previously taken control of an airplane and caused it to briefly fly sideways, according to an application for a search warrant filed by an FBI agent.
Chris Roberts, a security researcher with One World Labs, told the FBI agent during an interview in February that he had hacked the in-flight entertainment system, or IFE, on an airplane and overwrote code on the plane's Thrust Management Computer while aboard the flight. He was able to issue a climb command and make the plane briefly change course, the document states.
"He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights," FBI Special Agent Mark Hurley wrote in his warrant application (.pdf). "He also stated that he used Vortex software after comprising/exploiting or 'hacking' the airplane's networks. He used the software to monitor traffic from the cockpit system."
Continued : http://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/
Related : FBI: researcher admitted to hacking plane in-flight, causing it to "climb"
Related : Security researcher 'hijacked plane in-flight': questions and (some) answers
United Airlines offers air miles for vulnerability info
United Airlines has become the first airline to start a bug bounty program and instead of monetary rewards, it offers air miles: a million for remote code execution bugs, 250,000 miles for medium severity vulnerabilities (authentication bypasses, timing attacks, etc.), and 50,000 for cross-site scripting and cross-site request forgery flaws, as well as third-party issues that affect the company.
Only members of its MileagePlus program can apply, so bug hunters who aren't will have to become members before sending in their submission.
The bug bounty program encourages researchers to find vulnerabilities in the company's customer-facing websites, its app, and third-party programs loaded by united.com or its other online properties.
Continued : http://www.net-security.org/secworld.php?id=18388
Related : Get paid (airline) peanuts with United's new bug bounty program
Mobile Spy Software Maker mSpy Hacked, Customer Data Leaked
mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company's servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy "users."
mSpy has not responded to multiple requests for comment left for the company over the past five days. KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor, a technology that helps users hide their true Internet address and allows users to host Web sites that are extremely difficult to get taken down. [Screenshot]
The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy's products, including some four million events logged by the software. The message left by the unknown hackers who've claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.
Continued : http://krebsonsecurity.com/2015/05/mobile-spy-software-maker-mspy-hacked-customer-data-leaked/
WinYahoo adware changes your Chrome secure preferences
Potentially unwanted programs (PUPs) might not be as dangerous as malware, but can often lead to unexpected perils.
Take for example WinYahoo. Despite its name and the fact that, among other things, it sets Yahoo as the default search engine and homepage in installed browsers, it's not a Yahoo product nor in any way related to the company.
"Like a lot of unwanted software, WinYahoo is bundled in with a parent installer," says Malwarebytes' Joshua Cannell. "The referenced file we examined was a bundler for Adobe Photoshop Album Starter Edition."
Continued : http://www.net-security.org/malware_news.php?id=3037
'Payload tested' browser popup via AOL's ad network causes a scare
"Malwarebytes Unpacked" blog:
[Screenshot] Today, we are looking at a strange case and a potential malvertising issue that appeared on popular news website salon.com but probably also on dozens of other websites.
Some users that browsed to that site's home page may have received a pop up saying "payload tested" which was followed by another one saying "Its working!!!" [sic]: [Screenshot]
The problem was that the popups would never actually stop harassing you no matter how many times you clicked on the 'OK' button.
This was triggered by an advert that was delivered by wwbads via Google's DoubleClick and Adtech (AOL's ad serving platform). The advertiser wwbads appears to be serving normal ads but every once in a while, switches to the pop up one:
Continued : https://blog.malwarebytes.org/malvertising-2/2015/05/payload-tested-browser-popup-via-aols-ad-network-causes-a-scare/