Hacking & Security

LinkedIn settles class action suit over 2012 unsalted password leak

Sophos Naked Security - 25 February, 2015 - 12:22
LinkedIn is privately settling the 2012 unsalted password leak. Were you one of the 800,000 affected users? Here's what you need to know.

Another wave of fraudulent e-mails is plaguing the Czech Republic

Zive.cz - security - 25 February, 2015 - 12:00
The security company Excello has in recent days intercepted another wave of fraudulent e-mails written in Czech. This time the message is made to look like a reply to a mistakenly sent e-mail: the fictitious author writes that he is returning some important documents that you sent him by mistake. The fraudulent e-mail from the current wave A ...
Category: Hacking & Security

Fraudulent e-mails carrying a virus targeted a hundred thousand Czechs

Novinky.cz - security - 25 February, 2015 - 11:48
On Tuesday, unsolicited e-mails claiming to contain mistakenly sent copies of documents and contracts began spreading across the internet. The new wave of fraud, which computer pirates are using to try to smuggle a virus onto other people's PCs, targeted a hundred thousand Czechs. This follows from an analysis by the security company Excello.

Google bans sexually explicit content on Blogger

Sophos Naked Security - 25 February, 2015 - 11:31
Unless the content has "public benefit," it will be bumped out of public view as of 23 March (if it's already been published) and banned outright after that date.

Update: Superfish is the Real End of SSL

LinuxSecurity.com - 25 February, 2015 - 10:25
LinuxSecurity.com: In-brief: Outrage over Lenovo's promotion of privacy-busting adware continued to grow amid lawsuits and more spying revelations. The big question: is this the final straw for the beleaguered Secure Sockets Layer (SSL) technology? (Updated to add comment from Kevin Bocek of Venafi.)

Yahoo exec goes mano a mano with NSA director over crypto backdoors

LinuxSecurity.com - 25 February, 2015 - 10:24
LinuxSecurity.com: Echoing the concerns many US-based technology companies have about US-led surveillance programs, Yahoo Chief Information Security Officer Alex Stamos asked the director of the National Security Agency some pointed questions concerning proposed or existing backdoors placed in encryption technologies.

More than 1 million WordPress websites imperiled by critical plugin bug

LinuxSecurity.com - 25 February, 2015 - 10:23
LinuxSecurity.com: More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting a critical vulnerability in most versions of a plugin called WP-Slimstat.

As many as 1 million+ WordPress sites imperiled by critical plugin bug

Ars Technica - 25 February, 2015 - 02:32

More than one million websites that run on the WordPress content management application run the risk of being completely hijacked by attackers exploiting a critical vulnerability in most versions of a plugin called WP-Slimstat.

Versions prior to the recently released Slimstat 3.9.6 contain a readily guessable key that's used to sign data sent to and from visiting end-user computers, according to a blog post published Tuesday by Web security firm Sucuri. The result is a SQL injection vector that can be used to extract highly sensitive data, including encrypted passwords and the encryption keys used to remotely administer websites.

"If your website uses a vulnerable version of the plugin, you’re at risk," Marc-Alexandre Montpas, a senior vulnerability researcher at Sucuri, wrote. "Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover)."

Google Pwnium Program Now Open All Year

Threatpost - 24 February, 2015 - 21:04
Google is expanding its successful Pwnium vulnerability reward program, which has run at various security conferences for a couple of years now, to run continuously and offer an unlimited pool of financial rewards. Pwnium originally was established as an alternative to the Pwn2Own hacking contest at CanSecWest every spring. The Pwn2Own contest has been the origin of […]

Attacks Against Critical Infrastructure Seek Operational Intelligence

Threatpost - 24 February, 2015 - 20:22
Advanced attacks against industrial control systems are intelligence-gathering operations intended to learn the inner workings of ICS infrastructure in order to facilitate sabotage.

NSA Could Be Hoping For Clipper Chip Redux

Threatpost - 24 February, 2015 - 19:59
The NSA has a new director, a slew of new challenges and any number of new capabilities at its disposal. But it seems that the agency is intent on fighting the same old battles. Even as fresh revelations about the extent of the NSA’s efforts to get access to encryption keys for mobile communications continue to […]

Pwnium V: the never-ending* Pwnium

Google Security Blog - 24 February, 2015 - 19:58
Posted by Tim Willis, Hacker Philanthropist, Chrome Security Team

[Cross-posted from the Chromium Blog]

Around this time each year we announce the rules, details and maximum cash amounts we’re putting up for our Pwnium competition. For the last few years we put a huge pile of cash on the table (last year it was e million) and gave researchers one day during CanSecWest to present their exploits. We’ve received some great entries over the years, but it’s time for something bigger.

Starting today, Pwnium will change its scope significantly, from a single-day competition held once a year at a security conference to a year-round, worldwide opportunity for security researchers.

For those who are interested in what this means for the Pwnium rewards pool, we crunched the numbers and the results are in: it now goes all the way up to $∞ million*.

We’re making this change for a few reasons:

  • Removing barriers to entry: At Pwnium competitions, a security researcher would need to have a bug chain in March, pre-register, have a physical presence at the competition location and hopefully get a good timeslot. Under the new scheme, security researchers can submit their bugs year-round through the Chrome Vulnerability Reward Program (VRP) whenever they find them.
  • Removing the incentive for bug hoarding: If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward. This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk. It’s bad for them as they run the real risk of a bug collision. By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren’t duplicating their efforts on the same bugs.
  • Our researchers want this: On top of all of these reasons, we asked our handful of participants if they wanted an option to report all year. They did, so we’re delivering.

Logistically, we’ll be adding Pwnium-style bug chains on Chrome OS to the Chrome VRP. This will increase our top reward to $50,000, which will be on offer all year-round. Check out our FAQ for more information.

Happy hunting!

*Our lawyercats wouldn’t let me say “never-ending” or “infinity million” without adding that “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Check out the reward eligibility requirements on the Chrome VRP page.

CloudFlare Deploys New Form of Encryption Across Sites

Threatpost - 24 February, 2015 - 19:46
CloudFlare has deployed a new level of encryption on its service that hardens and speeds up users' experience, especially when accessing domains via mobile browsers.

The Pirate Bay Goes Down Again and Again... and Then Once Again

The Hacker News - 24 February, 2015 - 19:46
Since its return over a month ago, The Pirate Bay — the infamous peer-to-peer file sharing website that has provided only the finest in illegal torrents for more than a decade — has suffered a lot to keep the ship afloat. But, now TPB is experiencing yet more downtime. The Pirate Bay (TPB) torrent search website was down this morning, and users visiting the websites were redirected to the

Tax firm H&R Block doesn’t verify client’s e-mail, leaks personal info

Ars Technica - 24 February, 2015 - 18:53

With tax season in full swing, it's time for the yearly reminder that the security practices of many tax-preparation services are lacking. Case in point: H&R Block's reported failure to confirm the e-mail addresses of at least some of its online account holders.

The lapse was reported to Ars by reader Aaron Johnson, who said H&R Block in recent days has e-mailed him the name, address, and security question of a complete stranger. Johnson said he is confident he has everything he needs to access this person's account, steal his most valuable personal data, and hijack any owed tax returns. We created an account at H&R Block and were not asked to authenticate the e-mail address we used.

The stranger happens to share Johnson's first and last name, and for reasons that aren't entirely clear, the alter ego occasionally uses Johnson's e-mail address when creating accounts. At no point, Johnson said, did he receive an e-mail from H&R Block requiring him to confirm that his e-mail address was connected to the other person's account.

Google Broadens Scope of Unwanted Software Warnings

Threatpost - 24 February, 2015 - 17:38
Google is now warning users of its Chrome browser about questionable downloads before they even browse to the site peddling the malware.

10,000 motorists' names and addresses published online by parking fine company

Sophos Naked Security - 24 February, 2015 - 16:58
Parking fine collection firm PaymyPCN.net accidentally published a database containing 10,000 drivers' names, addresses, photos and emails.

Gemalto: ‘SIM Products Are Secure’

Threatpost - 24 February, 2015 - 16:34
Gemalto officials say that while they are still investigating whether the company was compromised by the NSA and GCHQ to obtain the encryption keys for its SIM cards, they believe their products and platforms are secure. In a statement issued Monday, Gemalto officials said they are still trying to […]

Kris McConkey on Hacker OpSec Failures

Threatpost - 24 February, 2015 - 16:29
At last week's Security Analyst Summit, Kris McConkey, part of PricewaterhouseCoopers' UK Cyber Threat Operations team, discussed OpSec failures: how attackers are still human and make mistakes, such as sometimes using personal email addresses and real names in their campaigns.

PrivDog Adware Poses Bigger Risk Than Superfish

Threatpost - 24 February, 2015 - 15:50
Another shady piece of adware called PrivDog has been unearthed with a Superfish-type vulnerability that breaks SSL connections.