NEWS - October 19, 2015

Facebook: 'Your account may be targeted in state-sponsored attacks'

Facebook has announced that it has started to warn users if it believes their accounts have been targeted in state-sponsored attacks.

Users who Facebook believes could be at risk will see a warning message similar to the following: [Screenshot]

Facebook appears to be using the warning as an opportunity to recommend that at-risk users enable Login Approvals, a system which asks for a special security code to be entered every time an attempt is made to log into an account from a new computer/web browser/mobile phone.

Continued : https://grahamcluley.com/2015/10/facebook-state-sponsored-attacks/

Related :
Facebook starts warning users of state-sponsored attacks against their accounts
State-sponsored attack? Facebook will now tell you 'You've been hacked'

Comments

Amazon sues over 1000 people for posting fake reviews

Online retail giant Amazon has filed a lawsuit against more than 1100 people it says posted fake reviews on its website.

The company is suing 1114 defendants - all named as "John Does" because it has yet to uncover their real identities - over a breach of its review policy that prohibits paid-for or fictional reviews.

In a complaint filed Friday in King County Superior Court, Seattle, Amazon says the defendants collectively tarnished "Amazon's brand for their own profit and the profit of a handful of dishonest sellers and manufacturers."

Continued : https://nakedsecurity.sophos.com/2015/10/19/amazon-sues-over-1000-people-for-posting-fake-reviews/

verified purchase

Lawsuit really is a waste of time. All you have to do is to pay attention to the verified purchase reviews and ignore the others.

Researchers find 256 iOS apps that collect users’ personal info

Researchers said they've found more than 250 iOS apps that violate Apple's App Store privacy policy forbidding the gathering of e-mail addresses, installed apps, serial numbers, and other personally identifying information that can be used to track users.

The apps, which at most recent count totaled 256, are significant because they expose a lapse in Apple's vetting process for admitting titles into its highly curated App Store. They also represent an invasion of privacy to the one million people estimated to have downloaded the apps. The data gathering is so surreptitious that even the individual developers of the affected apps are unlikely to know about it, since the personal information is sent only to the creator of the software development kit used to deliver ads.

Continued : http://arstechnica.com/security/2015/10/researchers-find-256-ios-apps-that-collect-users-personal-info/

Related: Apple pulls hundreds of iOS apps using private SDK from China to gather user data

Emergency Flash update plugs zero-day exploited in the wild

Adobe released a Flash Player update to fix the zero-day vulnerability that has been spotted being exploited by Pawn Storm hackers.

The latest version of Flash Player for Windows and OS X (v19.0.0.226) and for Linux (v11.2.202.540) plugs three distinct holes, which can lead to a total compromise of the targeted systems.

This patch was scheduled for this week, but Adobe got a move on it and released it on Friday.

The Pawn Storm attackers used the flaw to target foreign affairs ministries from around the globe. The attack and the exploit were discovered by Trend Micro threats analyst Peter Pi, but Natalie Silvanovich of Google Project Zero detected the flaw and reported it two weeks before it was found exploited in the wild.

Continued : http://www.net-security.org/secworld.php?id=18993

Related :
Kudos to Adobe. They patched Flash quicker than they promised
Adobe releases emergency patch for Flash zero-day flaw
Emergency Adobe Flash Zero Day Patch Arrives Ahead of Schedule

Also see: Critical Security Updates for Adobe Flash Player (APSB15-27)

Secret code in color printers enables government tracking

A research team led by the EFF recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.

The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known. [Screenshot]

"We've found that the dots from at least one line of printers encode the date and time your document was printed, as well as the serial number of the printer," said EFF Staff Technologist Seth David Schoen.

Continued: http://www.net-security.org/secworld.php?id=18995

old news

There were press releases about this years and years ago. Guess they are wanting to remind everyone about this.

Let's talk about that NSA Diffie-Hellman crack

Even before the leaks by former NSA sysadmin Edward Snowden, rumours had circulated for years that the agency could decrypt a significant fraction of encrypted internet traffic.

Now security researchers, who published a paper on their theory in May, have come forward with a detailed and credible theory on the technical foundations of this code-breaking capability. They presented a talk last week with a better explanation of how this fitted with the Snowden leaks.

Three years ago, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Edward Snowden documents revealed that the NSA had the ability to intercept and decrypt VPN traffic. The on-demand decryption of some HTTPS and SSH connections was also possible because of unspecified but groundbreaking cryptanalysis capabilities, according to the Snowden leaks.

Continued : http://www.theregister.co.uk/2015/10/19/nsa_crypto_breaking_theory/

Related : Prime Diffie-Hellman Weakness May Be Key to Breaking Crypto

Thousands of Magento Sites Abused for Malware Distribution

A large number of websites powered by eBay’s Magento e-commerce platform have been breached and abused to deliver malware, researchers warned over the weekend.

The campaign was analyzed by Sucuri, which observed the server side, and antivirus company Malwarebytes, whose researchers monitored the client side of the attack.

According to experts, the attackers compromised Magento websites and injected malicious scripts that create iframes from the “guruincsite.com” domain. The guruincsite website, which according to Google Safe Browsing has already infected more than 8,000 domains, is one of several domains that are part of a redirection chain ending on a Neutrino exploit kit landing page.

Continued : http://www.securityweek.com/thousands-magento-sites-abused-malware-distribution

Related :
Magento sites targeted by Neutrino exploit kit
Magento Websites Exploited in Massive Malware Distribution Campaign

Better SSL Error Indicators to Be Added in Firefox 44

Mozilla is constantly working on improving its product, and in Firefox 44, along with the planned deprecation of the RC4 cipher, the company is also overhauling its SSL error pages.

Added in Firefox 33, these pages were used to signal users of a failed SSL connection attempt, one that might have put their personal data at risk.

While useful in some cases, the error pages also prevented users from accessing some URLs, which they were sure were secure, and not harboring any attacks.

Continued: http://news.softpedia.com/news/better-ssl-error-indicators-to-be-added-in-firefox-44-494832.shtml

Tricky new malware replaces your entire browser with a dangerous Chrome lookalike

This malicious browser looks and acts just like Chrome--except for all the pop-up ads, system file hijacking, and activity monitoring. [Screenshot]

Security researchers have discovered a fiendish form of browser malware that stands in for your copy of Google Chrome and hopes you won’t notice the difference.

As reported by PCRisk, the “eFast Browser” works by installing and running itself in place of Chrome. It’s based on Google’s Chromium open-source software, so it maintains the look and feel of Chrome at first glance, but its behavior is much worse.

First, it makes itself the default and takes over several system file associations, including HTML, JPG, PDF, and GIF, according to MalwareBytes. It also hijacks URL associations such as HTTP, HTTPS, and MAILTO, and replaces any Chrome desktop website shortcuts with its own versions. Essentially, eFast Browser makes sure to open itself at any opportunity.

Continued : http://www.pcworld.com/article/2994778/security/tricky-new-malware-replaces-your-entire-browser-with-a-dangerous-chrome-lookalike.html

Yahoo! launches! password-free! push! logins! for! mobes!

" 'Death to passwords', cries Purple Palace "

Yahoo! has launched a password-free method of logging into its mail and online services that prompts users to approve access through a mobile push notification.

The Yahoo! Account Key service is another blow to passwords, and the second dealt by the Purple Palace since it rolled out SMS two-factor authentication in March.

Product management vice president Dylan Casey says the new gizmo is "elegant", as long as users don't lose their mobes.

"Passwords are usually simple to hack and easy to forget," Casey suggests.

Continued : http://www.theregister.co.uk/2015/10/19/yahoo_passwords_key/

willing to bet

Every time Yahoo makes a change, there seems to be more ads on their pages in addition to the new features. Makes me wonder if there will be ads associated with their new mobile push notifications. I guess I will soon find out.

Any security system has its flaws. I just want my passwords without having to do too much fancy security stuff to access my account.

Don’t Be Fooled by Fake Online Reviews Part II

Brian Krebs @ his "Krebs On Security" blog:

In July I wrote about the dangers of blindly trusting online reviews, especially for high-dollar services like moving companies. That piece told the story of Full Service Van Lines, a moving company that had mostly five-star reviews online but whose owners and operators had a long and very public history of losing or destroying their customers’ stuff and generally taking months to actually ship what few damaged goods it delivered. Last week, federal regulators shut the company down.

NBC Miami reports that Full Service Van Lines (FSVL) was shut down by the U.S. Department of Transportation, but not because of consumer complaints. The DOT reportedly revoked the company’s license due to a pattern of safety violations. And that’s saying something: The NBC story said FSVL received more complaints this year than any other Florida mover of its size.

Continued : http://krebsonsecurity.com/2015/10/dont-be-fooled-by-fake-online-reviews-part-ii/
