Information Security News
by Sean Gallagher
A cache of about 13 gigabytes of stolen images from Snapchat—some of them apparently of nude, underage users of the “ephemeral” messaging platform—was posted online Thursday night, many of them to the image-sharing site 4chan’s /b/ discussion board. However, the threads linking to the images have largely been shut down by 4chan over concerns of trafficking in what could be considered child pornography. Over 100,000 user images and videos were in the cache, according to 4chan discussions.
The images are apparently not from Snapchat’s own network but from the database of a third-party application that allows Snapchat users to save images and videos sent over the service online. In an official statement to the press, a Snapchat spokesperson said, “We can confirm that Snapchat’s servers were never breached, and were not the source of these leaks. Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Service precisely because they compromise our users’ security.”
According to a report by Business Insider, 4chan users who gained access to the images downloaded them and started to create a searchable database indexed by the usernames associated with the images. The files were also briefly hosted on a Web server that hosted Web exploits and malware.
by Robert Lemos
A class of coding vulnerabilities could allow attackers to fool Windows system administrators into running malicious code because of a simple omission: quotation marks.
The attack relies on scripts or batch files that use the command-line interface, or "shell," on a Windows system but contain a simple coding error—allowing untrusted input to be run as a command. In the current incarnation of the exploit, an attacker appends a valid command onto the end of the name of a directory using the ampersand character. A script with the coding error then reads the input and executes the command with administrator rights.
"The scenario... requires a ‘standard’ user with access rights to create a directory to a fileserver and an administrator executing a vulnerable script," Frank Lycops and Raf Cox, security researchers with The Security Factory, said in an e-mail interview. "This allows the attacker to gain the privileges of the user running the script, thus becoming an administrator."
by Sean Gallagher
Hewlett-Packard has alerted some customers that it will be revoking a digital certificate used to sign a huge swath of software—including hardware drivers and other software essential to running on older HP computers. The certificate is being revoked because the company learned it had been used to digitally sign malware that had infected a developer’s PC.
An HP executive told security reporter Brian Krebs that the certificate itself wasn’t compromised. HP Global Chief Information Security Officer Brett Wahlin said that HP had recently been alerted to the signed malware—a four-year-old Windows Trojan—by Symantec. Wahlin said that it appears the malware, which had infected an HP employee's computer, accidentally got digitally signed as part of a separate software package—and then sent a signed copy of itself back to its point of origin. Though the malware has since been distributed over the Internet while bearing HP's certificate, Wahlin noted that the Trojan was never shipped to HP customers as part of the software package.
“When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case,” Wahlin told Krebs. “We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact.”
Posted by InfoSec News on Oct 10 http://www.nationaljournal.com/tech/obama-s-cyber-czar-wants-to-replace-passwords-with-selfies-20141009
Posted by InfoSec News on Oct 10 http://www.infosecnews.org/arrl-probing-web-server-breach-by-hackers/
Posted by InfoSec News on Oct 10 http://www.nbcphiladelphia.com/news/local/Inside-the-Homeland-Security-Investigations-Computer-Forensics-Lab-278677751.html
Posted by InfoSec News on Oct 10 http://rapsinews.com/judicial_news/20141010/272331353.html
Posted by InfoSec News on Oct 10 http://healthitsecurity.com/2014/10/09/alere-home-monitoring-data-breach-class-suit-thrown-out/
Microsoft have announced the heads-up for this month's security patches. Of the nine bulletins, three are rated as critical, one as moderate and five as important.