NEWS - September 23, 2014

Sep 23, 2014 5:02AM PDT
Home Depot ignored security warnings for years, employees say

"Old antivirus, infrequent scans, and a security architect who pled guilty to sabotage."

Former information technology employees at Home Depot claim that the retailer's management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot's computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer's stores.

In 2012, Home Depot hired Ricky Joe Mitchell as its senior IT security architect. Mitchell got the job after being fired from EnerVest Operating in Charleston, West Virginia—and he sabotaged that company's network in an act of revenge, taking the company offline for 30 days. Mitchell retained his position at Home Depot even after his indictment a year later and remained in charge of Home Depot's security until he pled guilty to federal charges in January of 2014.

Continued : http://arstechnica.com/security/2014/09/home-depot-ignored-security-warnings-for-years-employees-say/

Related: Home Depot security was anything but, say former employees

Malware-Laced Emails Appear to Come From LogMeIn
Sep 23, 2014 5:14AM PDT

The SANS Internet Storm Center yesterday warned users and administrators to be on the lookout for malicious emails purporting to come from the security and authentication firm LogMeIn. For its part, LogMeIn is aware of the attacks, and has issued a number of warnings to its customers on its blog and various social networking channels.

Johannes Ullrich, head of the ISC, explained in a post that he received an email claiming to contain a security update for LogMeIn users. Within that email message was a .zip file that the senders described as a new security certificate that would protect users against the OpenSSL Heartbleed vulnerability from earlier this year. The fake certificate was also touted as a way of connecting the user-machine downloading the certificate with that user's LogMeIn account.

Continued : http://threatpost.com/malware-laced-emails-appear-to-come-from-logmein/10846
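An added example, not code from the ISC post, LogMeIn or the original poster: the lure above hands the victim a .zip and calls it a "security certificate". A mail-gateway or analyst triage step can check that claim against the bytes themselves, since a real certificate is PEM text or a DER-encoded SEQUENCE while a ZIP starts with the local-file-header signature PK\x03\x04, and then open any archive in memory to look for executable members. The sample attachments below are constructed in the code; the member name is an assumption, not the campaign's real payload name.

```python
"""
Added example (not from the ISC post, LogMeIn or the forum poster): triage a
mail attachment that the message text describes as a "security certificate".
A genuine certificate is PEM text or a DER SEQUENCE; a ZIP archive begins with
'PK\x03\x04'. When the declared kind and the real bytes disagree, flag it, and
list any ZIP's members (without extracting) to spot executables.
The sample attachments are constructed here; the member name is an assumption.
"""
import io
import zipfile
from typing import Dict, List

PEM_PREFIX = b"-----BEGIN CERTIFICATE-----"
DER_PREFIX = b"\x30\x82"   # ASN.1 SEQUENCE with a two-byte length, as in real certs
ZIP_PREFIX = b"PK\x03\x04"
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar")


def identify(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its file name."""
    if data.startswith(PEM_PREFIX):
        return "pem-certificate"
    if data.startswith(DER_PREFIX):
        return "der-certificate"
    if data.startswith(ZIP_PREFIX):
        return "zip"
    return "unknown"


def zip_members(data: bytes) -> List[str]:
    """List archive members from memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage(claimed_kind: str, filename: str, data: bytes) -> Dict[str, object]:
    """Compare what the mail claims the attachment is with what it really is."""
    actual = identify(data)
    findings: List[str] = []
    if claimed_kind == "certificate" and actual not in ("pem-certificate", "der-certificate"):
        findings.append(f"claimed certificate but content is {actual}")
    if actual == "zip":
        for name in zip_members(data):
            leaf = name.lower().rsplit("/", 1)[-1]
            if leaf.endswith(EXEC_SUFFIXES):
                findings.append(f"zip contains executable member: {name}")
            if leaf.count(".") >= 2 and leaf.endswith(EXEC_SUFFIXES):
                findings.append(f"double extension hides executable: {name}")
    return {
        "filename": filename,
        "claimed": claimed_kind,
        "actual": actual,
        "verdict": "suspicious" if findings else "ok",
        "findings": findings,
    }


def build_lure_zip() -> bytes:
    """Constructed sample: a ZIP holding one executable named to look like a
    certificate. The member bytes are inert filler, not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("LogMeIn_security_certificate.pdf.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def build_real_pem() -> bytes:
    """Constructed sample: the shape of a genuine PEM certificate (body shortened)."""
    return PEM_PREFIX + b"\nMIIB\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for kind, name, blob in [
        ("certificate", "LogMeIn_Security_Update.zip", build_lure_zip()),
        ("certificate", "logmein.pem", build_real_pem()),
    ]:
        print(triage(kind, name, blob))
```

The check keys on content, not on the file name or the sender's story, which is the only thing the recipient of such a mail can actually trust.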

If You Care About Security, Throw Away Your iPhone 4 Right Now
Sep 23, 2014 5:14AM PDT

Graham Cluley @ The Mac Security Blog:

With the release of iOS 8—perfectly timed with the launch of the iPhone 6 and the trouser-bulging iPhone 6 Plus—Apple has continued its long and proud tradition of essentially forcing you to throw out your old iPhone and buy a new one.

Why do I say that? Because iOS 8, the latest version of their mobile operating system, is packed with security fixes - none of which are coming to iOS 7.

And, sadly, if you are still using an iPhone 4, iOS 8 is simply unavailable to you. iOS 7 is the end of the road as far as you are concerned.

Which means you have a choice.

You can either buy a more recent model of the iPhone (and upgrade it to iOS 8 if it isn't already pre-installed), switch to an Android (I can hear you gagging already...), or stick with your once proud iPhone 4 running iOS 7 and run the gauntlet of being exploited by the myriad of threats which will never get patched.

Continued : http://www.intego.com/mac-security-blog/if-you-care-about-security-throw-away-your-iphone-4-right-now/

Nuclear Exploit Kit Evolves, Includes Silverlight Exploit
Sep 23, 2014 5:14AM PDT

TrendLabs Security Intelligence Blog :

Exploit kits have long been part of a cybercriminal's arsenal. One of the most notorious exploit kits in recent years is the Blackhole Exploit Kit. Coverage over this particular exploit kit reached a fevered pitch with the arrest of its author in 2013.

The Blackhole Exploit Kit may have met its demise, but this hasn't deterred cybercriminals from using other exploit kits for their schemes. In fact, other exploit kits are still in use, often with improvements or upgrades. An example is the Nuclear Exploit Kit.

We observed that the Nuclear Exploit Kit recently included the Silverlight exploit (CVE-2013-0074) in its scope. We believe that the attackers behind the Nuclear Exploit Kit included Silverlight in its roster of targeted software for two reasons: to have an expanded attack surface and to avoid detection (as not many security solutions have detections for this particular exploit).

The Silverlight exploit

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/nuclear-exploit-kit-evolves-includes-silverlight-exploit/

eBay under pressure as hacks continue
Sep 23, 2014 5:14AM PDT

Leading security researchers have called on eBay to take immediate action over dangerous listings, as the problem continues to put users at risk.

The BBC has now identified more than 100 listings that had been exploited to trick customers into handing over personal data.

Over the weekend, readers got in touch with the BBC, saying they had attempted to warn eBay about the problem.

The company said it would "continue to review all site features and content".

The BBC has found that:

Continued : http://www.bbc.com/news/technology-29310042

Related: Number of malicious eBay listings rises, accounts are hijacked

Researcher Discloses Wi-Fi Thermostat Vulnerabilities
Sep 23, 2014 5:14AM PDT

Heatmiser, a U.K.-based manufacturer of digital thermostats, is contacting its customers today about a series of security issues that could expose a Wi-Fi-connected version of its product to takeover.

Andrew Tierney, a "reverse-engineer by night" whose specialty is digging up bugs in embedded systems, wrote on his blog cybergibbons.com that he initially read about vulnerabilities in another one of the company's products, NetMonitor, and decided to poke around its product line further.

This led him to discover a slew of issues in the company's Wi-Fi-enabled thermostats running firmware version 1.2. The issues range from simple security missteps to critical oversights.

Continued : http://threatpost.com/researcher-discloses-wi-fi-thermostat-vulnerabilities

Related: Owners of Heatmiser WiFi thermostats warned of password leaks and other vulnerabilities

Who's Behind the Bogus $49.95 Charges?
Sep 23, 2014 5:16AM PDT

Hardly a week goes by when I don't hear from a reader wondering about the origins of a bogus credit card charge for $49.95 or some similar amount for a product they never ordered. As this post will explain, such charges appear to be the result of crooks trying to game various online affiliate programs by using stolen credit cards.

Most of these charges are associated with companies marketing products of dubious value and quality, typically by knitting a complex web of front companies, customer support centers and card processing networks. Whether we're talking about a $49.95 payment for a bottle of overpriced vitamins, $12.96 for some no-name software title, or $9.84 for a dodgy Internet marketing program, the unauthorized charge usually is for a good or service that is intended to be marketed by an online affiliate program. [Screenshot]

Continued : http://krebsonsecurity.com/2014/09/whos-behind-the-bogus-49-95-charges/

Beware of Apple Wave microwave wireless charging hoax
Sep 23, 2014 5:17AM PDT

Excited about the new Wave iPhone wireless charging technology and can't wait to try it out? Please don't - it's a hoax. You risk damaging both your smartphone and your microwave.

The hoax was started by Internet trolls populating the infamous 4chan forum, who created a credible ad for the bogus feature and began propagating it online under the hashtag #AppleWave: [Screenshot]

To widen the ad's reach and improve its chances of success, other 4chan users were urged to spam reddit, Tumblr, Twitter, Facebook and other social networks with it, and to talk about how amazing this feature is.

Unfortunately, it seems that no matter how illogical the claim is, a number of iPhone users have fallen for it.

Continued : http://www.net-security.org/secworld.php?id=17400

jQuery.com compromised to serve malware via drive-by download
Sep 23, 2014 5:22AM PDT

jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been redirecting visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware.

While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users, says James Pleger, Director of Research at RiskIQ.

"The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises," he pointed out.

Continued : http://www.net-security.org/malware_news.php?id=2869

Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
Sep 23, 2014 6:27AM PDT

Apple's shiny new iPhone 6 can be spoofed with the same fake fingerprints that tricked its older sibling, the iPhone 5S.

That's according to mobile security firm Lookout, which said it discovered that it is possible to create a fake fingerprint that's capable of fooling the TouchID fingerprint sensor of the latest iPhones (6 and 6 Plus are apparently equally vulnerable).

Despite the addition of secure payment app Apple Pay to the iPhone 6, the in-built security hasn't evolved enough over the last year, the securobods warn. iPhone users are still vulnerable to the exact same security flaw as a year ago. The main difference is that now, with Apple Pay, the bad guys have more incentive to abuse access to an iPhone.

The central problem is that the iTouch fingerprint scanner on both the iPhone 5S and iPhone 6 can be fooled with a cloned fingerprint lifted from a shiny surface and recreated using glue.

Continued: http://www.theregister.co.uk/2014/09/23/iphone_6_still_vulnerable_to_touchid_fingerprint_hack/

Related: Apple's iPhone 6 Touch ID has same fingerprint failings as 5s

Viator(dot)com Data Compromise: Are You Affected?
Sep 23, 2014 6:27AM PDT

"Malwarebytes Unpacked" Blog:

You may well be seeing an email appearing in your inbox from Viator.com, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve. The emails have been sent out because it appears they had a breach and anything up to 1.4 million customers may have been potentially impacted by the compromise.

Some extracts:

We want to make you aware that Viator has experienced a data compromise that could potentially affect payment card data used to make bookings through Viator's websites and mobile offerings. If you have created a Viator account, this compromise may also affect your email address, password and Viator "nickname."....

Continued : https://blog.malwarebytes.org/online-security/2014/09/viator-com-data-compromise-are-you-affected/

Related: Tripadvisor site coughs to card data breach for a potential 800k users