
NEWS - October 07, 2014

Oct 6, 2014 10:47PM PDT
76M Households, 7M Businesses Impacted in JPMorgan Chase Breach

A securities filing on Thursday revealed that up to 76 million households and seven million small businesses, far more than initially thought, were implicated in the cyber attack that hit JPMorgan Chase over the summer, making it one of the largest data breaches in U.S. history.

The New York-based bank confirmed in a Form 8-K filing with the Securities and Exchange Commission that user contact information - names, addresses, phone numbers and email addresses - were compromised but at this point it doesn't believe account numbers, passwords, user IDs, dates of birth or Social Security numbers are at risk.

The numbers far exceed initial estimates from this past summer that projected only one million accounts were affected.

Continued : http://threatpost.com/76m-households-7m-businesses-impacted-in-jpmorgan-chase-breach/108683

Related:
JPMorgan Chase breach confirmed, 83 million customers affected
JPMorgan Chase breach affected 83 million customers
JPMorgan Refuses To Admit How Many People Were Actually Hacked
83 Million Compromised In JPMorgan Chase Breach


Unpatchable BadUSB Code Is Now Publicly Available
Oct 6, 2014 10:55PM PDT

How sweet would it be to plug and play USB devices without the fear of viruses, malware and other security threats?

It's everyone's dream to own 100% foolproof USB devices for their file storage and transfer routine: Fascinating to think about it, but it simply isn't gonna happen with the raft of current USB-related security threats.

Because even if a USB stick has been completely wiped, and contains no files, it could still pose a threat to your organisation.

I am highlighting an exploit recently spotlighted by two security researchers: Adam Caudill and Brandon Wilson of SR Labs. They reverse-engineered the USB firmware that powers millions of devices, which could enable hackers to inject malicious code into computers.

Continued : http://blog.lumension.com/9442/unpatchable-badusb-malware-code-is-now-publicly-available/

Related:
BadUSB Can Turn Thumb Drives Into Cyberweapons
How bad is BadUSB? Security experts say there is no quick fix
BadUSB Code Is Out, USB Makers Need to Improve Security
BadUSB - now with Do-It-Yourself instructions

Bugzilla Zero-Day Exposes Zero-Day Bugs
Oct 6, 2014 10:55PM PDT

A previously unknown security flaw in Bugzilla — a popular online bug-tracking tool used by Mozilla and many of the open source Linux distributions — allows anyone to view detailed reports about unfixed vulnerabilities in a broad swath of software. Bugzilla is expected today to issue a fix for this very serious weakness, which potentially exposes a veritable gold mine of vulnerabilities that would be highly prized by cyber criminals and nation-state actors.

Multiple software projects use Bugzilla to keep track of bugs and flaws that are reported by users. The Bugzilla platform allows anyone to create an account that can be used to report glitches or security issues in those projects. But as it turns out, that same reporting mechanism can be abused to reveal sensitive information about as-yet unfixed security holes in software packages that rely on Bugzilla.

Continued : http://krebsonsecurity.com/2014/10/bugzilla-zero-day-exposes-zero-day-bugs/

Related:
Bugzilla Vulnerability Puts Bug Collections in Harm's Way
Bugzilla 0-day can reveal 0-day bugs in OSS giants like Mozilla, Red Hat
Bugzilla code critters blab your security sinners, warns Mozilla

Yahoo says its servers weren't Shellshocked
Oct 6, 2014 10:56PM PDT

After researcher Jonathan Hall's claims that a group of hackers has been exploiting the Bash Shellshock vulnerability to compromise a number of servers belonging to Yahoo, Lycos and Winzip made headlines yesterday, the companies in question were forced to address the fact.

Yahoo was the first to acknowledge to the researcher that they found evidence of compromise on the server, and publicly reported that they isolated a handful of their impacted servers, adding that there is currently no evidence of a compromise to user data.

Yahoo CISO Alex Stamos later took to Hacker News to explain what they found. He says that the servers in question were not, after all, affected by Shellshock.

Continued: http://www.net-security.org/secworld.php?id=17460

Related:
White hat claims Yahoo and WinZip hacked by "shellshock" exploiters
Yahoo Confirms Infected Servers Unrelated to Shellshock

AT&T Hit By Insider Breach
Oct 6, 2014 10:56PM PDT

AT&T is warning consumers about a data breach involving an insider who illegally accessed the personal information of an unspecified number of users. The compromised data includes Social Security numbers and driver's license numbers.

In a letter sent to the Vermont attorney general, AT&T officials said that the breach occurred in August and that the employee in question also was able to access account information for AT&T customers.

"We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver's license number. Additionally, while accessing your account, the employee would have been able to view your Customer Proprietary Network Information (CPNI), without proper authorization," said Michael A. Chiarmonte, director of finance billing operations at AT&T, in a letter (pdf) to the Vermont AG.

Continued : http://threatpost.com/att-hit-by-insider-breach/108705

Related: AT&T fires insider for slurping customers' social security numbers, driver licenses and more

Windows 10 Preview Allegedly Acting as a "Keylogger," Keeping Track of Every Click
Oct 7, 2014 12:52AM PDT

"The Privacy Statement for Windows 10 Preview reveals some untold aspects of the new OS testing version"

Windows 10 Preview has already been downloaded by millions of users worldwide to see what's new in Microsoft's modern operating system, and many did it through the company's brand new Windows Insider Program that allows them to participate in testing programs for its software.

The Insider Program was launched together with Windows 10 Preview and required a Microsoft account to register and thus get to the download links of the new OS.

While many rushed to download the testing bits of the operating system, few actually read the privacy policy of the Windows Insider Program, which does include some pretty worrying details for lots of users.

Continued : http://news.softpedia.com/news/Windows-10-Preview-Allegedly-Acting-as-a-Keylogger-Keeping-Track-of-Every-Click-461018.shtml

Related:
Windows 10 will not come with built-in keylogging capabilities
Windows 10's 'built-in keylogger'? Ha ha, says Microsoft - no, it just monitors your typing

Every Fifth Android User Faces Cyber-Attacks
Oct 7, 2014 12:52AM PDT
Kaspersky Lab & INTERPOL Report: Every Fifth Android User Faces Cyber-Attacks

According to the results of the "Mobile cyber-threats" (pdf) survey carried out by Kaspersky Lab and INTERPOL between August 2013 and July 2014, every fifth Android-based device protected by Kaspersky Lab security solutions was attacked by malware at least once during the reporting period. The most popular malicious programs are SMS Trojans that send messages to premium rate numbers without the owner's awareness.

A total of 1,000,000 Android device users around the world encountered dangerous software between August 2013 and July 2014, representing about one fifth of all Kaspersky Lab mobile product users. In fact, this period was the peak of cyber-attacks registered in recent years. [Screenshot]

Continued : http://www.kaspersky.com/about/news/virus/2014/Every-Fifth-Android-User-Faces-Cyber-Attacks

iPhone Encryption and the Return of the Crypto Wars
Oct 7, 2014 2:32AM PDT

Bruce Schneier @ his "Schneier on Security" blog:

Last week, Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone's data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user's iPhone data is now more secure.

To hear US law enforcement respond, you'd think Apple's move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into people's iPhones. In the words of cyberlaw professor Orin Kerr, "How is the public interest served by a policy that only thwarts lawful search warrants?"

Continued : https://www.schneier.com/blog/archives/2014/10/iphone_encrypti_1.html

Related: Experts Laud Changes to iPhone, Android Encryption

Windows XP: Still big in botnets after all these years?
Oct 7, 2014 2:32AM PDT

"A new report shows how Windows XP is figuring strongly in one ongoing large-scale botnet operation that's predominantly targeting US banks."

Windows XP use may be in decline but the 13-year-old Microsoft operating system still seems to be playing a disproportionately large role in botnet attacks.

Latest NetMarketShare figures give Windows XP a worldwide desktop share of 23.9 percent. Yet some 52 percent of the 500,000-plus infected machines in the active Qbot, or Qakbot, botnet are running it, according to Proofpoint.

The security firm said an analysis of the Russian-speaking criminal operation targeting the online credentials for mainly US banks through malware downloaded from compromised WordPress sites highlights the vulnerability of XP, which went out of support in April.

Continued : http://www.zdnet.com/windows-xp-still-big-in-botnets-after-all-these-years-7000034420/

Huge Data Leak at Largest U.S. Bond Insurer
Oct 7, 2014 3:44AM PDT

On Monday, KrebsOnSecurity notified the Municipal Bond Insurance Association — the nation's largest bond insurer — that a misconfiguration in a company Web server had exposed countless customer account numbers, balances and other sensitive data. Much of the information had been indexed by search engines, including a page listing administrative credentials that attackers could use to access data that wasn't already accessible via a simple Web search.

MBIA Inc., based in Purchase, N.Y., is a public holding company that offers municipal bond insurance and investment management products. According to the firm's Wiki page, MBIA was formed in 1973 to diversify the holdings of several insurance companies, including Aetna, Fireman's Fund, Travelers, Cigna and Continental.

Notified about the breach, the company quickly disabled the vulnerable site — mbiaweb.com. This Web property contained customer data from Cutwater Asset Management, a fixed-income unit of MBIA that is slated to be acquired by BNY Mellon Corp.

Continued : http://krebsonsecurity.com/2014/10/huge-data-leak-at-largest-u-s-bond-insurer/

ATMs give away millions of dollars without credit cards
Oct 7, 2014 4:05AM PDT

Kaspersky Lab performed a forensic investigation into cybercriminal attacks targeting multiple ATMs around the world. During the course of this investigation, researchers discovered the Tyupkin malware used to infect ATMs and allow attackers to remove money via direct manipulation, stealing millions of dollars.

Attack methodology

The criminals work in two stages. First, they gain physical access to the ATMs and insert a bootable CD to install the Tyupkin malware. After they reboot the system, the infected ATM is now under their control and the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, the Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours, the attackers are able to steal money from the infected machine.

Continued: http://www.net-security.org/malware_news.php?id=2880

Related: Criminals used a malware program to steal millions from ATMs