Hacking & Security

Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk

The Hacker News - 27 January 2016 - 08:26
If you are using Magento to run your e-commerce website, it's time for you to update the CMS (content management system) now. Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in Magento, the most popular e-commerce platform owned by eBay. Why the Bugs are So Serious? Virtually all versions of
Category: Hacking & Security

Israel’s electric authority hit by “severe” hack attack [Updated]

Ars Technica - 27 January 2016 - 02:35

Israel's Electricity Authority experienced a serious hack attack that officials are still working to repel, the country's energy minister said Tuesday.

"The virus was already identified and the right software was already prepared to neutralize it," Israeli Energy Minister Yuval Steinitz told attendees of a computer security conference in Tel Aviv, according to this article published Tuesday by The Times of Israel. "We had to paralyze many of the computers of the Israeli Electricity Authority. We are handling the situation and I hope that soon, this very serious event will be over … but as of now, computer systems are still not working as they should."

The "severe" attack was detected on Monday as temperatures in Jerusalem dipped to below freezing, creating two days of record-breaking electricity consumption, according to The Jerusalem Post. Steinitz said it was one of the biggest computer-based attacks Israel's power authority has experienced and that it was responded to by members of his ministry and the country's National Cyber Bureau. The response included shutting down portions of Israel's electricity grid. The energy minister didn't identify any suspects behind the attack or provide details about how it was carried out.


Password Security — Who's to Blame for Weak Passwords? Users, Really?

The Hacker News - 26 January 2016 - 20:13
The majority of Internet users are vulnerable to cyber threats because of their own weaknesses in setting up a strong password. But, are end-users completely responsible for choosing weak passwords? Give a thought. Recently we wrote an article revealing the list of Worst Passwords of 2015 that proved most of us are still using bad passwords, like '123456' or 'password,' to secure our

Amazon Certificate Manager Brings Free SSL Certs to AWS Users

Threatpost - 26 January 2016 - 19:14
Amazon's new Certificate Manager is providing SSL certificates for free to AWS customers but experts warn it's only a matter of time before they're exploited.

Moment of truth: Feds must say if they used backdoored Juniper firewalls

Ars Technica - 26 January 2016 - 18:45


Congressional oversight leaders are requiring most federal agencies to audit their networks to see if they use Juniper-manufactured firewalls that for four years contained an unauthorized backdoor for eavesdropping on encrypted communications.

Members of the House of Representatives Committee on Oversight and Government Reform gave the agencies until February 4 to produce documents showing whether they use Juniper's NetScreen line of firewall appliances. The committee is also requiring agency heads who used the vulnerable devices to show how they learned of the eavesdropping threat and whether they fixed it prior to the release of last month's patch. That update removed the unauthorized code from ScreenOS, the operating system that manages NetScreen firewalls.

The Committee on Oversight and Government Reform is the chief oversight body for the US House of Representatives, with broad authority to investigate most matters pertaining to federal agencies. Committee members informed agency heads of the eavesdropping-related investigation involving Juniper hardware in letters dated late last week.


Government Agencies Audit for Juniper Backdoor

Threatpost - 26 January 2016 - 15:59
Government agencies have until Feb. 4 to audit their IT infrastructure for the use of backdoored Juniper Networks’ Netscreen firewalls.

Do not share the link that crashes iPhones and Mac browsers

Sophos Naked Security - 26 January 2016 - 15:50
When it comes to computer security, please don't be someone of whom your acquaintances say, "With friends like that, who needs enemies?"

Oracle Pushes Java Fix: Patch It or Pitch It

Krebs on Security - 26 January 2016 - 15:18

Oracle has shipped an update for its Java software that fixes at least eight critical security holes. If you have an affirmative use for Java, please update to the latest version; if you’re not sure why you have Java installed, it’s high time to remove the program once and for all.

According to Oracle’s release notes, seven of the eight vulnerabilities may be remotely exploitable without authentication — meaning they could be exploited over a network by malware or miscreants without the need for a username and password. The version with the latest security fixes is Java 8, Update 71. Updates also should be available via the Java Control Panel or from Java.com.

Windows users can check for the program in the Add/Remove Programs listing in Windows, or visit Java.com and click the “Do I have Java?” link on the homepage.

If you really need and use Java for specific Web sites or applications, take a few minutes to update this software. Otherwise, seriously consider removing Java altogether. I have long urged end users to junk Java unless they have a specific use for it (this advice does not scale for businesses, which often have legacy and custom applications that rely on Java). This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants.

If you have a specific use or need for Java, there is a way to have this program installed while minimizing the chance that crooks will exploit unknown or unpatched flaws in the program: unplug it from the browser unless and until you’re at a site that requires it (or at least take advantage of click-to-play, which can block Web sites from displaying both Java and Flash content by default). The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.

Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java.

Many people confuse Java with JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. For more about ways to manage JavaScript in the browser, check out my tutorial Tools for a Safer PC.


OpenSSL to patch a very serious vulnerability

CSIRT.cz - 26 January 2016 - 14:32

The OpenSSL project has announced that a new version, scheduled for 28 January, will fix two vulnerabilities, one of which has been rated as very serious.


An innocent prank? A link to a special website can restart an iPhone

Novinky.cz - Security - 26 January 2016 - 14:19
Links to the website CrashSafari.com have started spreading across social networks like an avalanche. If you open it on an iPhone smartphone, an iPad tablet, or on Apple desktop or notebook computers, the device restarts almost immediately.

Why ITIL, COBIT and Other Non-Infosec Based Frameworks Are Infosec’s Best Friends

InfoSec Institute Resources - 26 January 2016 - 14:00

As a current or aspiring security professional, you will know of a range of information security frameworks and enablers. These might include standards, e.g. ISO 27001, PCI DSS; risk management methodologies, e.g. Octave, IRAM 2, and security specific guidelines, e.g. the NIST Special Publications (SP) 800 series and Federal Information Processing Standards (FIPS). The list […]

The post Why ITIL, COBIT and Other Non-Infosec Based Frameworks Are Infosec’s Best Friends appeared first on InfoSec Resources.


“You gotta touch the banana” for Wi-Fi access, says sys admin

Sophos Naked Security - 26 January 2016 - 13:08
The Lord of the Fruit Flies swore he wouldn't change it, brown funk be damned, but Bossman has since reportedly eaten the Raspberry Pi-rigged password dispenser.

Why “find my phone” apps keep sending people to one couple’s house

Sophos Naked Security - 26 January 2016 - 13:06
People searching for their lost and stolen smartphones using phone-tracking software keep turning up at the suburban Atlanta home of Christina Lee and Michael Saba.

Hacker who sent heroin to Brian Krebs pleads guilty

Sophos Naked Security - 26 January 2016 - 11:54
Sergey Vovnenko copped a plea, pleading guilty to charges of aggravated identity theft and conspiracy to commit wire fraud.

You have a new voice message: scammers try a new trick

Novinky.cz - Security - 26 January 2016 - 10:54
Cybercriminals have come up with a new way of getting into other people's computers in recent days. They send people fraudulent e-mails in which they pose as Facebook employees. They tell recipients that they have a new voice message for them. In reality, however, they are trying to smuggle a malicious virus onto their computers.

Bug in Magento puts millions of e-commerce sites at risk of takeover

LinuxSecurity.com - 26 January 2016 - 10:38
LinuxSecurity.com: Millions of online merchants are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform.

"Internet of Things" security is hilariously broken and getting worse

LinuxSecurity.com - 26 January 2016 - 10:36
LinuxSecurity.com: Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.

Warning — People are Sharing a Link that will Crash and Reboot your iPhone

The Hacker News - 26 January 2016 - 10:11
A new prank circulating on Twitter, Facebook and other social media platforms could crash your iPhone or iPad completely.
If you come across a link to crashsafari.com, you are advised not to open it on your iPhone, iPad or even Mac. Doing so will cause the Safari application to crash, potentially causing your Apple device to restart.
In case you want to try this out, just click here to visit the website and watch what happens. Currently, people are spreading the link to CrashSafari.com via Twitter using a URL shortener, and users are tricked into visiting the site without knowing it.

How does this Prank Work?
The prank website (crashsafari.com) generates a ridiculously long, and increasing string of characters and then overloads this text string in the address bar of Apple's default Safari browser.
CrashSafari site's code is very simple and includes:
  • A Header Title that you will never actually see because the browser crashes.
  • A small piece of JavaScript that calls the HTML5 History API thousands of times in a loop, potentially causing Safari to freeze.

Android Users are Vulnerable Too
Safari struggles to process the long string, causing the iPhone to heat up, crash and then reboot.
The same thing happens on iPads, which also have the Safari browser. However, even Android devices that run Chrome heat up and become sluggish while visiting this website.
Desktop and Laptops Are Affected Too
Desktop and laptop computers are also affected by this bug, but to a lesser degree, depending on the system's processing power. Visiting the website will cause Safari on a Mac to crash, showing 'Application Not Responding'.
Chrome on Macs and other computers also stops responding. However, restarting the Mac or quitting Chrome on Android devices, as well as rebooting iPhones and iPads, clears the issue.
The 'hack' is otherwise harmless, but it will likely cause you to lose all your open tabs. It works on the latest versions of Apple operating systems, iOS 9.2.1, OS X 10.11.3, as well as some of the beta seeds.
Apparently more than 150,000 people have fallen victim to just one abbreviated link alone. Apple has yet to comment on the issue.

The computer game Candy increases children's appetite for sweets, a scientist has found. How to defend against it?

Novinky.cz - Security - 26 January 2016 - 10:05
Sponsored article: It is good news for manufacturers and sellers of sweets, but bad news for parents. The popular computer game Candy, in which children solve tasks associated with various confectionery, significantly increases the consumption of sweets among schoolchildren.

Bug in Magento puts hundreds of thousands of sites at risk of takeover

Ars Technica - 26 January 2016 - 02:02

Hundreds of thousands of websites, many that sell goods or services, are at risk of hijacking attacks made possible by a just-patched vulnerability in the Magento e-commerce platform.

The stored cross-site scripting (XSS) bug is present in virtually all versions of Magento Community Edition and Enterprise Edition prior to and, respectively, according to researchers from Sucuri, the website security firm that discovered and privately reported the vulnerability. It allows attackers to embed malicious JavaScript code inside customer registration forms. Magento executes the scripts in the context of the administrator account, making it possible to completely take over the server running the e-commerce platform.

"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend," a Sucuri advisory explained. "Unless you're behind a WAF or you have a very heavily modified administration panel, you're at risk. As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."
