Hackin9

Home Depot may be the latest victim of retail hackings of customer debit and credit card information.

The suspected breach, first reported on Tuesday by journalist and security researcher Brian Krebs, may involve all 2,200 US stores and has some of the hallmarks of the group that compromised Target, Sally Beauty, and P.F. Chang's, according to Krebs. Home Depot is currently looking into the fraud anomalies and promised to notify customers as soon as it has evidence of a breach.

"At this point, I can confirm that we’re looking into some unusual activity and we are working with our banking partners and law enforcement to investigate," Home Depot spokesman Paula Drake said in a statement to Ars. "Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers."


 

An Apple spokesperson has issued a statement on the company’s investigation of the hacking of female celebrities’ cloud accounts and the theft of photos from their accounts. And Apple is, in essence, blaming the victims. Or at least, their security questions and passwords.

“We wanted to provide an update to our investigation into the theft of photos of certain celebrities,” the statement reads. “When we learned of the theft, we were outraged and immediately mobilized Apple’s engineers to discover the source. Our customers’ privacy and security are of utmost importance to us."

Initial reports from security sources suggested that an exploit of a weakness in Apple's "Find My iPhone" API allowed a brute-force password attack. Apple has discounted those reports, and it blames the attacker's success on what amounts to social engineering of the accounts: using personal data to guess passwords or answers to security questions for the accounts in question. "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. We are continuing to work with law enforcement to help identify the criminals involved.”


 
[SECURITY] [DSA 3017-1] php-cas security update
 
Apple iOS v7.1.2 - Merge Apps Service Local Bypass Vulnerability
 
[ MDVSA-2014:171 ] dhcpcd
 
Defense in depth -- the Microsoft way (part 18): Microsoft Office 2010 registers command lines with unquoted pathnames
 
[ MDVSA-2014:169 ] bugzilla
 
[ MDVSA-2014:168 ] libvncserver
 
[ MDVSA-2014:167 ] file
 
[ MDVSA-2014:164 ] phpmyadmin
 
[ MDVSA-2014:162 ] catfish
 
[ MDVSA-2014:161 ] subversion
 
[ MDVSA-2014:160 ] gpgme
 

A spokesperson for Apple confirmed that the company is investigating whether an alleged vulnerability in the company’s “Find My iPhone” service and other possible vulnerabilities in its iCloud cloud storage service for Apple devices were used in the hacking of the personal photos of a number of celebrities. The FBI is also investigating whether the accounts of the celebrities were hacked.

Some of the photos, which were leaked through the “/b/” discussion forum on 4chan over the weekend, were apparently taken from iPhones—though it remains unclear when the hacking took place, or even if the same attackers are responsible for all of the leaked images.

“We take user privacy very seriously and are actively investigating this report,” said Apple spokeswoman Nat Kerris in a statement sent to the Wall Street Journal.


 
Re: [FD] SSH host key fingerprint - through HTTPS
 
Re: [FD] SSH host key fingerprint - through HTTPS
 
Re: SSH host key fingerprint - through HTTPS
 
WordPress WebEngage Plugin Multiple Cross Site Scripting Vulnerabilities
 
Re: SSH host key fingerprint - through HTTPS
 
LinuxSecurity.com: Updated krb5 package fixes security vulnerabilities: MIT Kerberos 5 allows attackers to cause a denial of service via a buffer over-read or NULL pointer dereference, by injecting invalid tokens into a GSSAPI application session (CVE-2014-4341, [More...]
 
LinuxSecurity.com: Updated phpmyadmin package fixes security vulnerabilities: In phpMyAdmin before 4.1.14.3, multiple XSS vulnerabilities exist in browse table, ENUM editor, monitor, query charts and table relations pages (CVE-2014-5273). [More...]
 
LinuxSecurity.com: Updated python-imaging packages fix security vulnerability: The Python Imaging Library is vulnerable to a denial of service attack in the IcnsImagePlugin (CVE-2014-3589). [More...]
 
LinuxSecurity.com: Updated catfish package fixes security vulnerability: Untrusted search path vulnerability in Catfish allows local users to gain privileges via a Trojan horse catfish.py in the current working directory (CVE-2014-2093). [More...]
 
LinuxSecurity.com: Updated subversion packages fix security vulnerability: Bert Huijben discovered that Subversion did not properly handle cached credentials. A malicious server could possibly use this issue to obtain credentials cached for a different server (CVE-2014-3528). [More...]
 
LinuxSecurity.com: Updated gpgme packages fix security vulnerability: A heap-based buffer overflow in gpgme before 1.5.1 could allow a specially crafted certificate to cause crashes or potentially cause arbitrary code execution (CVE-2014-3564). [More...]
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Net-SNMP which could allow remote attackers to cause Denial of Service.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Multiple vulnerabilities have been found in Wireshark which could allow remote attackers to cause Denial of Service.
 
LinuxSecurity.com: Security Report Summary
 
LinuxSecurity.com: Multiple vulnerabilities have been found in OpenOffice and LibreOffice, the worst of which may result in execution of arbitrary code.
 
QEMU 'virtio_load()' Function Memory Corruption Vulnerability
 
Ignite Realtime Smack 'Hostname' Verification SSL Certificate Security Bypass Vulnerability
 
GNU glibc 'iconv()' Function Denial of Service Vulnerability
 
Python Imaging Library and Pillow 'PIL/IcnsImagePlugin.py' Remote Denial of Service Vulnerability
 
Re: SSH host key fingerprint - through HTTPS
 
Re: [FD] SSH host key fingerprint - through HTTPS
 
Re: [FD] SSH host key fingerprint - through HTTPS
 
[SECURITY] [DSA 3016-1] lua5.2 security update
 
Re: [FD] SSH host key fingerprint - through HTTPS
 
PHP CVE-2014-5120 Multiple Arbitrary File Overwrite Vulnerabilities
 
dhcpcd 'dhcp.c' Denial of Service Vulnerability
 
Net-SNMP Agent MIB Subtree Remote Denial of Service Vulnerability
 