Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

(credit: Ann Oro)

Windows users woke up to something that doesn't happen every day: the disclosure of two zero-day vulnerabilities, one in the Microsoft operating system and the other in Adobe's Flash Player.

The Windows bug is being actively exploited in the wild, making it imperative that users install fixes that Microsoft released today as part of its May Patch Tuesday. Cataloged as CVE-2016-0189, the security flaw allows attackers to surreptitiously execute malicious code when vulnerable computers visit booby-trapped websites. In the days or weeks leading up to Tuesday, it has been exploited in targeted attacks on South Korean websites, according to a blog post published by security firm Symantec. Technically, the vulnerability resides in the JScript and VBScript engines, but IE is the vehicle used to exploit it.

Separately, Adobe officials warned that a newly discovered Flash vulnerability also gives attackers the ability to remotely hijack machines. It was first reported by researchers from security firm FireEye, and exploits exist in the wild. Adobe said it planned to release an update as soon as Thursday.


 

(credit: Ron Amadeo)

For years, critics have bemoaned the sad state of security updates available to hundreds of millions of owners of mobile devices running Google's Android operating system. Now, federal regulators are investigating whether Google, Apple, and the rest of the players in the mobile industry are doing everything they can to keep their customers safe.

In a joint action, the Federal Communications Commission and the Federal Trade Commission are ordering mobile operating system developers, hardware manufacturers, and carriers to explain their rationale in deciding when to issue updates, or as is so often the case for Android users, why they don't provide updates. Two of the more glaring examples are a vulnerability dubbed Stagefright disclosed last year and another disclosed in March called Metaphor. Both allow attackers to surreptitiously execute malicious code on Android devices when they view a booby-trapped website.

"There have recently been a growing number of vulnerabilities associated with mobile operating systems that threaten the security and integrity of a user’s device and all the personal, sensitive data on it," Jon Wilkins, chief of the FCC's Wireless Telecommunications Bureau, wrote in a letter to carriers. "One of the most significant to date is a vulnerability in the Android component called 'Stagefright.' It may have the ability to affect close to 1 billion Android devices around the world. And there are many other vulnerabilities that could do just as much harm."


 

(credit: Garrett Ewald)

Technicians from the global payment network SWIFT left Bangladesh's Central Bank vulnerable to an attack that saw attackers steal $81 million, according to Bangladeshi police and bank officials speaking to Reuters.

In February, unknown hackers broke into the Bangladesh Bank and almost got away with just shy of $1 billion. In the event, a typo raised concerns about one of the transactions and the fraudulent transfers were cancelled, but only after the attackers had managed to transfer $81 million. That money is still unrecovered. In April, we learned that preliminary investigations had revealed the use of cheap networking and a lack of firewalls, both contributing to the attack.

The new report sheds further light on the incident. The SWIFT organization is owned by 3,000 financial companies and operates a network for sending financial transactions between financial institutions. Technicians from the organization worked at the central bank last year when they were connecting Bangladesh's real-time gross settlement (RTGS) system to the SWIFT network. Mohammad Shah Alam, leading the probe for the Bangladesh police, told Reuters that the technicians doing this work left "a lot of loopholes" that were not subsequently addressed.


 

You can check out any time you want, and so can card-data stealing criminals. (credit: Novotel Century Hong Kong Hotel)

Hotel chains focus on hospitality, but their security practices have made them entirely too hospitable a target for data theft. Hotels have been brutalized over the past year by a wave of point-of-sale system breaches that have exposed hundreds of thousands of guests' credit card accounts. And those attacks, as a recent episode described by Panda Security's Luis Corrons demonstrates, have become increasingly targeted—in some cases using "spear-phishing" e-mails and malware crafted specifically for the target to gain access to hotels' networks.

In one incident that was uncovered recently, the target "was a small luxury hotel chain," Corrons told Ars. "We discovered the attack, and it was really customized for the specific hotel. This was 100 percent tailored to the specific target."

The attackers used a Word document from the hotel itself—one frequently used by the hotel to allow customers to authorize credit card charges in advance of a stay. The document was actually enclosed as part of a self-extracting file, which also installed two other files on the target machine—one of them an installer for backdoor malware named "adobeUpd.dll" to disguise it and the other a Windows .cmd batch script that both opens the Word document and launches the backdoor.


 

Cybercrime Relies on Human Frailties
PR Newswire (press release)
... build their professional reputations. With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering ...

 


Infosec freeloaders not welcome as malware silo VirusTotal gets tough
The Register
Security firms that use the Google-owned VirusTotal malware database but don't contribute to the silo are going to find themselves out on a limb. For the past 12 years, researchers have been feeding samples of software nasties into VirusTotal, allowing ...

 

Cybercrime Relies on Human Frailties
SYS-CON Media (press release)
... build their professional reputations. With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering ...

 

https://isc.sans.edu/mspatchdays.html?viewday=2016-05-10

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

 
Notes v4.5 iOS - Arbitrary File Upload Vulnerability
 
Wordpress Truemag Theme - Client Side Cross Site Scripting Web Vulnerability
 
Trend Micro Direct Pass - Filter Bypass & Cross Site Scripting Vulnerability
 
Stanford University - Multiple SQL Injection Vulnerabilities
 

Behind the scenes at security conferences
CSO Online
... conferences, including InfoSec World, one of the industry's longest running events, and works with security SMEs to build classroom training. She also writes and manages MISTI's infosec News & Trends, and contributes blogs and articles to third ...

 
 

Cybercrime Relies on Human Frailties
Virtual-Strategy Magazine
... build their professional reputations. With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering ...

 

 

25% of UK employees don't trust their IT teams with their personal data: so how can IT regain trust?
Information Age
Although these companies received media attention, many others that are impacted don't make the news. In 2015 alone, there were over 121 million penetrations recorded against enterprise ... To keep InfoSec at the forefront of the mind of the end-user ...

 
Internet Storm Center Infocon Status