NEWS - October 13, 2014

Oct 13, 2014 12:49AM PDT
Snapchat images stolen from third-party Web app using hacked API [Updated]

"Over 100,000 images from hacked app posted, raising child porn concerns. "

An alleged cache of about 13 gigabytes of stolen images from Snapchat—some of them apparently of nude, underage users of the "ephemeral" messaging platform—was posted online Thursday night, many of them to the image-sharing site 4chan's /b/ discussion board. However, the threads linking to the images have largely been shut down by 4chan over concerns of trafficking in what could be considered child pornography. Over 100,000 user images and videos were in the cache, according to 4chan discussions.

Update (October 12, 4:00 PM ET): According to 4chan posters, the files were moved by the operator of the site SnapSaved.com—a site that was operating as a web-based Snapchat viewer—from the original server to a non-indexed site, where they were discovered. The original poster on the leak has said, both in a comment on 4chan and in a "release" posted on Pastebin, that he will not be sharing the contents.

Continued : http://arstechnica.com/security/2014/10/snapchat-images-stolen-from-third-party-web-app-using-hacked-api/

Related:
200,000 naked Snapchat images leaked, after third-party hack
Snapchat Photos Leaked, Likely Via Third-Party Apps
Leaked Snapchat videos and pictures posted online

Mobile advertisers use malware tricks to get installs
Oct 13, 2014 1:00AM PDT

"Malwarebytes Unpacked" Blog:

Deceptive advertising targeting Android users is an effective way of getting malware installed. Now some advertisers are using it to get paid through pay-per-install schemes.

We've written about advertisers misleading users with scary "you are infected" ad pop-ups in order to get installs of a certain security app and we also know malware uses these tactics.

Lately, we've been seeing more and more of this, but this time advertisers are using these banner and pop-up ads to get installs of more trustworthy apps like Dolphin browser.

The messages are less scary than the virus related ones, but they are still meant to get your attention.

Continued : https://blog.malwarebytes.org/mobile-2/2014/10/mobile-advertisers-use-malware-tricks-to-get-installs/

Oracle's 155 bug fixes add to mega Patch Tuesday
Oct 13, 2014 1:00AM PDT

" Oracle has a large number of fixes lined up for Tuesday, including 25 for Java SE, while Microsoft and Adobe have patches due then too."

This Tuesday Oracle will release fixes for 155 vulnerabilities affecting 44 products, with the most serious bugs to be fixed being 25 that affect Java SE.

Oracle has a larger than usual line up of fixes in its quarterly critical patch update set for release on Tuesday, alongside Microsoft's Patch Tuesday and Adobe's fixes for Flash.

Topping the two previous quarters' updates, Oracle's October update includes 155 fixes for multiple versions of 44 different products and for flaws that can be remotely exploited over a network without requiring user credentials.

Continued : http://www.zdnet.com/oracles-155-bug-fixes-add-to-mega-patch-tuesday-7000034582/

See : Oracle Critical Update Pre-Release Announcement - Oct 2014

Report: Apple Tops Phishing Targets in First Half of 2014
Oct 13, 2014 1:00AM PDT

Bitdefender's "HOT for Security" blog:

Apple was the most hijacked brand in the first half of 2014 with a total of 21,951 attacks, or 17.7 percent of all phishing attacks, according to a report (pdf) by the Anti-Phishing Working Group (APWG).

PayPal came second with 17,811 attacks and Chinese shopping site Taobao was third, suffering 16,418 phishing assaults.

iPhones "can be used to lock a user out of their phone and ransom it back to them for money," said Rod Rasmussen, CEO of Internet Identity, in an interview with TechNewsWorld. "There are lots of different attack vectors, which adds up to why Apple is being phished as heavily as it is".

Continued : http://www.hotforsecurity.com/blog/apple-tops-phishing-targets-in-first-half-of-2014-report-says-10460.html

Who's Watching Your WebEx?
Oct 13, 2014 1:12AM PDT

KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in.

At issue are recurring video- and audio conference-based meetings that companies make available to their employees via WebEx, a set of online conferencing tools run by Cisco. These services allow customers to password-protect meetings, but it was trivial to find dozens of major companies that do not follow this basic best practice and allow virtually anyone to join daily meetings about apparently internal discussions and planning sessions.

Some of the more interesting, non-password-protected recurring meetings I found include those from Charles Schwab, CSC, CBS, CVS, The U.S. Department of Energy, Fannie Mae, Jones Day, Orbitz, Paychex Services, and Union Pacific. Some entities even allowed access to archived event recordings.

Continued : http://krebsonsecurity.com/2014/10/whos-watching-your-webex/

Flawed reused code opens zero-day in Cyanogenmod
Oct 13, 2014 1:21AM PDT

An unnamed security researcher says that Cyanogenmod, the popular Android-based mobile OS, sports a zero-day vulnerability that can be misused to target users with Man-in-the-Middle attacks.

The vulnerability exists because the additional original and third-party code incorporated into the OS includes Oracle's flawed sample code for Java 1.5 for parsing certificates to obtain hostnames.

"If you go and create an SSL certificate for a domain you own, say evil.com, and in an element of the certificate signing request such as the 'organisation name' field you put the value 'value,cn=*domain name*', it will be accepted as the valid domain name for the certificate," he explained to The Register's Darren Pauli.

Continued : http://www.net-security.org/secworld.php?id=17483
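The bug class described in the post above, reconstructed as an added example in Python. This is not Oracle's sample code, not CyanogenMod code and not anything from The Register; it shows a text-based "find cn=" extractor of the kind the researcher describes beside a parser that respects the DN's attribute structure. The subject DNs, the names evil.com and bank.example, and the function names are constructed for illustration.

```python
import re

# Constructed subject DNs in RFC 2253 text form (illustrative, not from real certificates).
# The attacker holds a certificate legitimately issued for evil.com, but the
# organisation-name value was crafted to contain the text "cn=*.bank.example".
ATTACKER_DN = r"CN=evil.com,O=value\,cn=*.bank.example,C=GB"
HONEST_DN = "CN=www.bank.example,O=Bank Example Ltd,C=GB"


def wildcard_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname; '*' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".bank.example"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(prefix) and "." not in prefix              # "www" ok, "a.b" and "" are not
    return pattern == hostname


def cn_values_naive(dn: str) -> list[str]:
    """Flawed extractor: every 'cn=' substring is taken as a common name, regardless of
    which attribute it sits in and ignoring the backslash escape before the comma."""
    return [m.strip() for m in re.findall(r"cn=([^,]+)", dn, re.IGNORECASE)]


def parse_rfc2253(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253 DN into (TYPE, value) pairs, honouring backslash escapes and
    quoted values. Hex-pair escapes such as \\2C are not handled in this illustration."""
    items, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take the next char literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':                           # quoted value: separators inside are literal
            in_quotes = not in_quotes
            i += 1
            continue
        if c in ",;+" and not in_quotes:       # end of an RDN or of one attribute-value pair
            items.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(c)
        i += 1
    items.append("".join(buf))
    pairs = []
    for item in items:
        if "=" not in item:
            raise ValueError(f"malformed DN component: {item!r}")
        typ, val = item.split("=", 1)
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def cn_values_structured(dn: str) -> list[str]:
    """Correct extractor: only values whose attribute type is CN are candidate names."""
    return [val for typ, val in parse_rfc2253(dn) if typ == "CN"]


def cert_covers(names: list[str], hostname: str) -> bool:
    """Does any extracted name cover the hostname the client is connecting to?"""
    return any(wildcard_match(n, hostname) for n in names)


if __name__ == "__main__":
    target = "www.bank.example"
    # The attacker's certificate never names bank.example as a CN, yet the naive check
    # accepts it, which is exactly what a man-in-the-middle needs.
    print("naive     :", cert_covers(cn_values_naive(ATTACKER_DN), target))       # True
    print("structured:", cert_covers(cn_values_structured(ATTACKER_DN), target))  # False
```

The practical lesson is narrower than "parse the DN properly": hostname checks should not reparse the DN text at all. Use the TLS or X.509 library's structured accessors, prefer subjectAltName dNSName entries over the CN, and restrict wildcards to a single leftmost label, as the matcher above does.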

Dropbox bug left some users without their stored files
Oct 13, 2014 4:15AM PDT

The popular cloud file hosting service Dropbox has been sending out emails to a "small number" of its customers, explaining that some of their files have been irretrievably lost because of a bug in its Selective Sync feature.

"We received several reports from users who used a Dropbox feature called Selective Sync and couldn't locate certain files they'd saved in Dropbox," the company's support team explained.

"When we took a closer look, we discovered that older versions of the Dropbox client had introduced an issue affecting a small number of users whose Dropbox application shut down or restarted while users were applying Selective Sync settings."

Continued: http://www.net-security.org/secworld.php?id=17484

Facebook Links Most Removed from Google Searches
Oct 13, 2014 4:56AM PDT

145,000 people have requested to be erased from Google's records since the "right to be forgotten" process began on May 29, according to Google's latest Transparency Report.

After the Court of Justice of the European Union decided that search engines must give individuals the right to delete any personal data which is not of public interest, Google was swamped with some 1,000 demands a day, mostly from Europeans.

So far, France has seen the most activity, with 28,898 removal requests. Germany takes second place with 24,979 requests, followed by the UK with 18,304, Spain with 13,316, and Italy with 11,379.

Continued : http://www.hotforsecurity.com/blog/facebook-links-most-removed-from-google-searches-10479.html

Related:
Google axes 170,000 'right to be forgotten' links
Google reports on "right to be forgotten" requests