iT News (blog)

Does Australia need an infosec wake-up call?
Is Australia too complacent with regards to its information security? What kind of wake-up call will it take to shake us into action? Earlier this month, two iconic Australian department stores were hacked and a large consignment of customer records ...

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

More than 500 websites that used a free analytics service inadvertently exposed their visitors to a nasty malware attack made possible by a hack of PageFair, the anti-adblocking company that provided the analytics.

The compromise started in the last few minutes of Halloween with a spear-phishing e-mail that ultimately gave the attackers access to PageFair's content distribution network account. The attackers then reset the password and replaced the JavaScript that PageFair normally serves for execution on subscriber websites. For almost 90 minutes after that, visitors to 501 unnamed sites received pop-up windows telling them their version of Adobe Flash was out of date and prompting them to install malware disguised as an official update.

"If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now," PageFair CEO Sean Blanchfield wrote in a blog post published Sunday. "For 83 minutes last night, the PageFair analytics service was compromised by hackers, who succeeded in getting malicious javascript to execute on websites via our service, which prompted some visitors to these websites to download an executable file. I am very sorry that this occurred and would like to assure you that it is no longer happening."
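The incident above is a third-party script swap: the URL the 501 publishers embedded never changed, only the bytes served from it did. The check a publisher can apply against exactly that is Subresource Integrity (SRI), pinning the script tag to a hash of the script body so the browser refuses a copy that no longer matches. The following is an added example, not code from PageFair, from the article, or from any browser; the script bodies and the `analytics.example` URL are constructed stand-ins, and `verify_sri` mirrors the browser rule of consulting only the strongest algorithm listed.

```python
"""Subresource Integrity (SRI) check for a third-party script.

Added example, not code from PageFair or from the article. It shows how a
publisher can pin the analytics script it embeds so that a swapped copy, like
the one served for 83 minutes in the incident above, is refused by the browser
or flagged by a monitor. All script bodies below are constructed stand-ins.
"""
import base64
import hashlib
import re

# Constructed stand-in for the legitimate analytics loader a publisher embeds.
GOOD_SCRIPT = (b"(function(){var s=document.createElement('img');"
               b"s.src='https://analytics.example/px?u='+encodeURIComponent(location.href);"
               b"document.body.appendChild(s);})();")

# Constructed stand-in for a tampered copy served from the same URL.
TAMPERED_SCRIPT = GOOD_SCRIPT + b"alert('Your Adobe Flash is out of date');"

# Hash algorithms SRI allows, ordered from weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> dict[str, set[str]]:
    """Parse a space-separated integrity attribute into {algorithm: {b64 digests}}.

    Tokens with unknown algorithms or a malformed shape are ignored, as browsers do.
    """
    parsed: dict[str, set[str]] = {}
    for token in integrity.split():
        token = token.split("?", 1)[0]  # options after '?' are allowed and ignored
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})", token)
        if m:
            parsed.setdefault(m.group(1), set()).add(m.group(2))
    return parsed


def verify_sri(content: bytes, integrity: str) -> bool:
    """Check content against an integrity attribute the way a browser does.

    Only the strongest algorithm present is consulted; the content matches if
    any digest listed for that algorithm equals the digest of the bytes. An
    attribute with no usable token counts as 'no integrity metadata', which
    browsers treat as 'load unchecked', so a garbage attribute protects nothing.
    """
    parsed = parse_integrity(integrity)
    if not parsed:
        return True  # no valid metadata: the resource loads unchecked
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in parsed[strongest]


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a publisher would pin to the current script body."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    print(script_tag("https://analytics.example/loader.js", GOOD_SCRIPT))
    pin = sri_hash(GOOD_SCRIPT)
    print("legitimate copy accepted:", verify_sri(GOOD_SCRIPT, pin))
    print("tampered copy accepted:  ", verify_sri(TAMPERED_SCRIPT, pin))
```

The caveat is that the pin breaks on every legitimate change to the script, so it only works for providers that publish versioned, immutable script URLs; a loader that is updated in place, or that pulls further scripts at run time, cannot be pinned this way, and the publisher is left with out-of-band monitoring of what the URL actually serves.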


[SECURITY] [DSA 3390-1] xen security update


Using a password manager is one of the most effective ways for average computer users to keep their online accounts secure, but that protection is pretty much meaningless once an end user's computer is compromised. Underscoring this often-ignored truism is a recently released hacking tool that silently decrypts all user names, passwords, and notes stored by the KeePass password manager and writes them to a file.

KeeFarce, as the tool has been dubbed, targets KeePass, but there is little stopping developers from designing similar tools that target virtually every other password manager available today. Hackers and professional penetration testers can run it on computers they have already taken control of. When it runs on a computer where a logged-in user has the KeePass database unlocked, KeeFarce decrypts the entire database and writes it to a file that the attacker can easily retrieve.

In fairness to KeePass developers, they have long warned users that no password manager can secure passwords on a compromised computer. Still, KeeFarce generated interest among security professionals and hobbyists over the past week, in large part because of the ease and convenience it provides.


CVE-2015-7326 (XXE vulnerability in Milton Webdav)
Cross-Site Scripting | Zeuscart V4
[SECURITY] [DSA 3389-1] elasticsearch end-of-life
Accentis Content Resource Management System - XSS
Accentis Content Resource Management System - SQL
[SECURITY] [DSA 3386-1] unzip security update
TCPing 2.1.0 Buffer Overflow
[SECURITY] [DSA 3387-1] openafs security update
[SECURITY] [DSA 3388-1] ntp security update