Infosecurity News
PayPal Vulnerabilities – Just How Serious Were They?
Last week, German security company Vulnerability Lab published details on the Full Disclosure mailing list about a series of bugs it had discovered in PayPal. These were a persistent payment mail encoding vulnerability; a persistent search vulnerability; a persistent POST inject vulnerability; and a China - redirect web vulnerability.
NSA Has Hacked 50,000 Computers Globally
New revelations published by the Dutch newspaper NRC indicate that the NSA's Tailored Access Operations (TAO) may have infected more than 50,000 computer networks around the world with spyware that it can turn on and off at will remotely.
Racing Post Breached; Users' Passwords Stolen
Racing Post, a British horse racing, greyhound racing and betting newspaper, announced Sunday that its website had been breached and that usernames, first and last names, passwords, email addresses and dates of birth had been stolen.
GitHub Resets Passwords After Mass-scale Brute-force Attack
A methodical brute-force password-guessing attack on web hosting development site GitHub has resulted in a mass password reset and the revocation of various security authorizations.
Symantec Finds the Early Stages of a Server-based Botnet Build
Trojan backdoors have traditionally attacked desktop and now mobile computers. In recent months, however, attackers have started to target servers. Two typical purposes are to use server bandwidth for powerful distributed denial-of-service (DDoS) campaigns and to use the server to compromise web pages to deliver drive-by or water hole attacks against visitors.
Anonymous Said to be Exploiting ColdFusion in Government Hacks
The ongoing cyber-attacks by Anonymous on US government websites are being made possible thanks to an exploit for Adobe ColdFusion.
Lenovo Network Storage Flaw Revealed, and Patched
A new vulnerability in Lenovo network storage devices has been uncovered. The flaw can potentially be exploited by an attacker to gain unauthorized remote read-only access to network-attached storage (NAS) shares.
Botnet Takedowns: Effective or Deceptive?
This year has seen a few high-profile wins for the good guys in the form of botnet takedowns, especially those by Microsoft and Symantec. But at least one security researcher is warning against rejoicing too heartily: the takedowns, he said, do little to make an impact on web safety for end users – and actually point to an ongoing industry weakness in the ability to mitigate bots.
Is there a vBulletin Zero-day Out There?
Last Thursday the Inj3ct0r Team hacking group claimed on Twitter, "Inj3ct0r Team hacked http://vBulletin.com and http://Macrumors.com." By Friday vBulletin admitted the breach, and on Monday it was reported that a zero-day vulnerability used against both MacRumors and vBulletin had been put on sale by Inj3ct0r.
Millions in the UK Targeted by CryptoLocker Ransomware Spam
CryptoLocker, the ransomware menace that has been snowballing in profile of late, is stepping up its game even further. The UK’s National Crime Agency (NCA) is warning that its National Cyber Crime Unit are aware of a mass email spamming event that is affecting tens of millions of residents.
Cyber-risk Transparency Spurring Cyber-insurance Interest
US public companies are more forthcoming with details regarding their cybersecurity risk profiles – and more transparency regarding cyber-risk and cyber-attacks is expected to drive greater adoption of cyber-insurance as a means of demonstrating better corporate risk management.
FBI Issues New Warning on Continuing Anonymous Hacks
Back in August the FBI announced that it had neutralized Anonymous "because of the dismantlement of the largest players." This seemed to be confirmed with the October arrest of Brit Lauri Love for hacking thousands of networks including those of federal agencies.
BadBIOS – the God of Malware?
Over the past few weeks, Dragos Ruiu has provided details of a mystery infection that first attacked his computers some three years ago. He can't find it, he can't get rid of it, it survives reboots and clean installs, and seems to spread via wireless audio waves. It's either the God of Malware, an elaborate hoax, a publicity stunt – or Dragos Ruiu has gone mad.
Fidelity Investments Cyber-heist Suspects Arrested in California
Masterminds behind a large-scale cyber-heist at Fidelity Investments in California have been arrested.
Google Patches 12 Flaws, Pays $11K Bug Bounty in Chrome Update
Google has patched 12 security vulnerabilities in the latest version of its browser, Chrome 31, paying out almost $11,000 in bug bounties in the process.
WikiLeaks Publishes IP Chapter of Secret Trade Agreement
WikiLeaks published Wednesday the full draft text of the intellectual property rights chapter for the secretly negotiated Trans-Pacific Partnership (TPP). TPP is a trade agreement primarily involving Pacific Rim countries (although currently excluding Russia and China), and it accounts for around 40% of global GDP.
Irish Data Center Breach Hits 1.5 Million European Consumers
A breach of a data center in Ireland has compromised the information of 1.5 million people.
MacRumors Breached; 860k Passwords Potentially Compromised
MacRumors was targeted and hacked in a manner similar to the Ubuntu Forums hack in July, announced its founder and editor Tuesday. "It's best to assume that your MacRumors Forum username, email address and (hashed) password is now known," he warned.
How Snowden Breached the NSA from the Inside
There have been many suggestions on how Edward Snowden managed to steal so many top secret documents from the NSA; but the NSA has kept quiet. Now new research claims to know how it was done, and challenges the NSA to deny it.
Trustwave Acquires Application Security Inc
Trustwave, a Chicago-based firm with a wide range of security offerings and a particular specialism in data protection, has bought privately held New York-based Application Security Inc, a specialist in database security. The acquisition is complete, and terms have not been disclosed.