Hardware manufacturer LaCie suffered year-long data breach: DHS Open Source Highlights April 16th

By Kelli Tarala | April 16, 2014

Computer storage manufacturer LaCie stated that the FBI informed the company of a data breach where malware was used to gain access to customer transactions carried out on the company’s Web site. LaCie temporarily disabled the e-commerce portion of its Web site and will be resetting users’ passwords in response.

Full Story:
http://www.net-security.org/secworld.php?id=16693

RCE, information disclosure and XSS flaws found in PayPal Partner Program
A security researcher identified and reported a cross-site scripting (XSS) issue and an information disclosure issue that could be leveraged for remote code execution in the PayPal Partner Program’s payment processor Web site. The issues were later closed by PayPal.

Full Story:
http://news.softpedia.com/news/RCE-Information-Disclosure-and-XSS-Flaws-Found-in-PayPal-Partner-Program-Video-437634.shtml

Expert finds SQL injection, RCE vulnerabilities in Flickr Photo Books
A security researcher identified and reported a SQL injection vulnerability and a remote code execution vulnerability in Flickr’s Photo Books Web site that could allow an attacker to gain access to Flickr’s databases. Yahoo closed the vulnerabilities after a second report by the researcher.

Full Story:
http://news.softpedia.com/news/Expert-Finds-SQL-Injection-RCE-Vulnerabilities-in-Flickr-Photo-Books-Video-437724.shtml

Heartbleed: VMware starts delivering patches
VMware announced that it began issuing patches for its products affected by the Heartbleed OpenSSL vulnerability, with patches for all affected products expected by April 19.

Full Story:
http://www.net-security.org/secworld.php?id=16692

Flash SMS flaw in iOS can be exploited to make the lock screen unresponsive
A security researcher identified a Flash SMS flaw in iOS that can be used to make a device’s lock screen unresponsive, which could be used for ransom attacks. The flaw was fixed with the release of iOS 7.1, but devices running previous versions of the mobile operating system remain vulnerable.

Full Story:
http://news.softpedia.com/news/Flash-SMS-Flaw-in-iOS-Can-Be-Exploited-to-Make-the-Lock-Screen-Unresponsive-437566.shtml

Disclaimer: The above information largely has been reproduced from the DHS Open Source Daily Report, a full version of which can be found at http://www.dhs.gov/files/programs/editorial_0542.shtm. Enclave Security, LLC and its agents used their best efforts in collecting and preparing the information published herein. However, Enclave Security, LLC, does not assume, and hereby disclaims, any and all liability for any loss or damage caused by errors or omissions, whether such errors or omissions resulted from negligence, accident, or other causes.

Topics: DHS Infrastructure Reports

Cyber attacks are targeting Heartbleed flaw, says US CERT: DHS Open Source Highlights April 14th

By Kelli Tarala | April 14, 2014

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning April 10 stating that attackers have begun exploiting the Heartbleed vulnerability in OpenSSL and advised affected entities to report any incidents involving the vulnerability.

Full Story:
http://www.scmagazineuk.com/cyber-attacks-are-targeting-heartbleed-flaw-says-us-cert/article/342274/

Expert shows that hackers can abuse Chrome speech recognition API flaw
A security researcher identified a vulnerability in an older version of Chrome’s speech recognition API that could be leveraged to obtain the transcript generated by the browser. The API was introduced in Chrome 11 but may still be used by some Web sites.

Full Story:
http://news.softpedia.com/news/Expert-Shows-That-Hackers-Can-Abuse-Chrome-Speech-Recognition-API-Flaw-437237.shtml

BlackBerry, Cisco products vulnerable to OpenSSL bug
BlackBerry reported that several of its software products are vulnerable to the Heartbleed OpenSSL vulnerability, though its phones were unaffected. Cisco also reported that many of its products, including video communications and phone systems, were vulnerable.

Full Story:
http://threatpost.com/blackberry-cisco-products-vulnerable-to-openssl-bug/105406

Audit: State sold computers with Social Security numbers, tax info still on them
Washington officials quarantined computers, stopped sales, and established new guidelines after an audit released April 10 determined that several state agencies likely gave away or sold roughly 1,800 of the 20,000 computers disposed of over the last 2 years while they still contained confidential information, including Social Security numbers, medical records, and tax forms. The auditors noted that about 9 percent of all computers given away or sold held confidential information.

Full Story:
http://blogs.seattletimes.com/today/2014/04/audit-state-sold-computers-with-social-security-numbers-tax-info-still-on-them/

Topics: Uncategorized

OpenSSL 1.0.1g released to prevent eavesdropping on communications: DHS Open Source Highlights April 9th

By Kelli Tarala | April 9, 2014

A new version of OpenSSL was released after security researchers from Codenomicon and Google Security identified and reported a vulnerability that exposes all data transmissions, encryption keys, usernames, passwords, and other content via a memory leak known as Heartbleed. The vulnerability affects a variety of applications and users are advised to update as soon as possible.

Full Story:
http://news.softpedia.com/news/OpenSSL-1-0-1g-Released-to-Prevent-Hackers-from-Eavesdropping-on-Communications-436397.shtml

Microsoft drops Windows XP support
Microsoft ended support April 8 for its Windows XP operating system, leaving the widely used operating system exposed to any vulnerabilities identified in the future. The operating system is still used on a significant portion of systems, including personal computers, ATMs, medical systems, industrial control systems, and other critical infrastructure systems.

Full Story:
http://money.cnn.com/2014/04/08/technology/security/windows-xp/

Information disclosure flaw in Flickr fixed after two months
Yahoo fixed an information disclosure vulnerability in its Flickr photo sharing service which could have been exploited to reveal users’ names and email addresses.

Full Story:
http://news.softpedia.com/news/Information-Disclosure-Flaw-in-Flickr-Fixed-After-Two-Months-436497.shtml

Expert finds 8 files vulnerable to SQL injection in Yahoo HK promotions page
Yahoo removed vulnerable files from its Hong Kong promotions subdomain after a security researcher identified and reported several SQL injection vulnerabilities.

Full Story:
http://news.softpedia.com/news/Expert-Finds-8-Files-Vulnerable-to-SQL-Injection-in-Yahoo-HK-Promotions-Pages-436377.shtml

Google kills fake anti-virus app that hit No. 1 on Play charts
Google removed the Virus Shield app from its Google Play store after the app, which was briefly a top download, was found to be a fake with no anti-virus functionality. Appbrain estimated that the fake app generated around $40,000 in sales for its developer.

Full Story:
http://www.theregister.co.uk/2014/04/08/

Topics: DHS Infrastructure Reports

Medical data breach involves more than 170,000 additional victims: DHS Open Source Highlights April 8th

By Kelli Tarala | April 8, 2014

Los Angeles County officials reported April 3 that the number of victims impacted by a medical data breach rose by 170,200, totaling 338,700 victims, after a February theft of 8 computers during a break-in at the Torrance office of Sutherland Healthcare Solutions. The computers contained personal and medical data, as well as Social Security numbers and billing information.

Full Story:
http://www.latimes.com/local/lanow/la-me-ln-sutherland-data-breach-20140403,0,7636728.story

Farm supply store Rural King hacked, attackers access financial information
The Mattoon, Illinois-based Rural King farm supply store began notifying customers that it experienced a data breach in which attackers may have stolen names, payment card numbers, verification codes, phone numbers, addresses, and other information. The breach began February 6, was detected March 7, and the attackers were completely blocked out by March 12.

Full Story:
http://news.softpedia.com/news/Farm-Supply-Store-Rural-King-Hacked-Attackers-Access-Financial-Information-436039.shtml

Names, Social Security numbers of 2,500 stolen from state health department
The Michigan Department of Community Health reported April 3 that an encrypted laptop and an unencrypted flash drive containing the personal information of more than 2,500 living and deceased individuals were stolen in January from the State Long Term Care Ombudsman’s Office by an employee.

Full Story:
http://www.wxyz.com/news/state/personal-information-of-2500-stolen-from-state-health-department-flash-drive

‘Phishing’ attack involving MSU payroll information second in last 6 months
Michigan State University officials discovered April 1 that an estimated 10 employees had unauthorized changes to their direct deposit information in what authorities believe was a phishing attack to steal payroll earnings. Authorities continue to investigate the incident.

Full Story:
http://www.lansingstatejournal.com/article/20140404/NEWS06/304040034/-Phishing-attack-MSU-compromises-small-number-employees

DDoS attack enabled by persistent XSS vulnerability on top video content provider’s site
Incapsula reported that it mitigated an application layer distributed denial of service (DDoS) attack against a client which made use of a cross-site scripting (XSS) vulnerability in a popular video content provider’s Web site. Malicious JavaScript code was injected into a tag associated with users’ profiles and executed whenever a legitimate user accessed the page.

Full Story:
http://news.softpedia.com/news/DDOS-Attack-Enabled-by-Persistent-XSS-Vulnerability-on-Top-Video-Content-Provider-s-Site-436029.shtml

Upatre downloader distributed via banking-themed spam campaign
Researchers at Trend Micro detected a spam campaign using banking-themed emails to distribute the Upatre downloader, which in one analyzed sample downloaded the Zeus trojan and the Necurs security-disabling malware.

Full Story:
http://news.softpedia.com/news/Upatre-Downloader-Distributed-via-Banking-Themed-Spam-Campaign-435975.shtml

Five-year-old discovers Xbox password bug, hacks dad’s Live account
A San Diego boy identified and reported a vulnerability in Microsoft’s Xbox Live service that can allow access to a user’s account by repeatedly entering ‘space’ characters and then hitting ‘submit’ when prompted for a password. Microsoft closed the vulnerability after it was reported.

Full Story:
http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/

85% of links spotted in cyberattacks in 2013 led to compromised legitimate sites
Websense Security Labs released its 2014 Threat Report, detailing threats and trends during the past year. Among other findings, the report found that 85 percent of malicious links in email and Web attacks pointed to legitimate sites that had been compromised by attackers.

Full Story:
http://news.softpedia.com/news/85-of-Links-Spotted-in-Cyberattacks-in-2013-Led-to-Compromised-Legitimate-Sites-435939.shtml

Eight defendants charged in identity theft fraud scheme from AT&T customer files
Eight individuals were indicted on 22 counts of identity theft and fraud. One defendant, who worked for a company contracted by AT&T to handle direct sales and customer inquiries, allegedly used customers’ personal identifying information to fraudulently add the co-conspirators as authorized users on the victims’ AT&T accounts, allowing them to make unauthorized wire transfers and obtain unauthorized credit and debit cards.

Full Story:
http://www.justice.gov/usao/fls/PressReleases/140404-03.html

Topics: DHS Infrastructure Reports

Millions of consumers at risk from mobile POS flaws: DHS Open Source Highlights April 7th

By Kelli Tarala | April 7, 2014

Security researchers from MWR InfoSecurity presenting April 4 at the SyScan security conference demonstrated how mobile point-of-sale (MPOS) systems can be compromised through several attack techniques, allowing criminals to capture payment card data, cause the devices to accept fraudulent cards, and perform other actions. The vulnerabilities were reported to affect popular MPOS devices but the researchers did not disclose which models are affected.

Full Story:
http://www.scmagazineuk.com/millions-of-consumers-at-risk-from-mobile-pos-flaws/article/341323/

Zeus malware found with valid digital certificate
Comodo researchers April 3 reported finding a variant of the Zeus banking malware that includes a valid digital certificate, making it appear to be a trustworthy Internet Explorer document.

Full Story:
http://www.networkworld.com/news/2014/040414-zeus-malware-found-with-valid-280416.html

Bankeiya info-stealer trojan used in attacks against Japanese users
Researchers at Symantec analyzed operations involving the Infostealer.Bankeiya bank account information stealing malware and found that it used vulnerabilities in Internet Explorer and Java SE to steal large amounts of banking data from Japanese users. The researchers also reported that the Infostealer.Ayufos and Infostealer.Torpplar malware were commonly used to target online banking users in that country.

Full Story:
http://news.softpedia.com/news/Bankeiya-Info-Stealer-Trojan-Used-in-Attacks-Against-Japanese-Users-435715.shtml

LewisGale patients notified of data breach
LewisGale Regional Health System notified 40 patients in southwest Virginia of a personal data breach after a former employee of a billing service for the health system allegedly obtained records from August 2012 through April 2013. The employee was terminated and is under investigation.

Full Story:
http://www.roanoke.com/news/lewisgale-patients-notified-of-data-breach/article_3d5b4c9a-bb3a-11e3-a946-0017a43b2370.html

Android trojan Waller steals money from QIWI wallets
Researchers at Kaspersky analyzed a piece of Android malware known as SMS.AndroidOS.Waller.a which can use infected devices to send SMSs to premium-rate numbers to earn criminals money and can also steal funds from Visa QIWI Wallet accounts. The malware can also perform other tasks such as updating itself and installing other malware.

Full Story:
http://news.softpedia.com/news/Android-Trojan-Waller-Sends-Premium-SMSs-Steals-Money-from-QIWI-Wallets-435898.shtml

Topics: DHS Infrastructure Reports