Information Security News
The 4 Infosec 2014 trends to watch out for
Computer Business Review
Infosec Europe 2014 arrives hot on the heels of one of the most high profile cybersecurity vulnerabilities there's been in years. The Heartbleed bug, a security flaw in the OpenSSL encryption technology that protects websites' data, has cast the ...
by Sean Gallagher
Last week, AOL confirmed that an unknown number of AOL Mail accounts have been hacked. Today, the company urged all its customers to change passwords and security questions, as it determined that information for at least two percent of all its accounts had been compromised. That's an impact of half a million users.
Attackers breached AOL’s systems and gained access to e-mail addresses, encrypted passwords, answers to security questions, and other contact information (including postal mailing addresses). While the mailboxes themselves were not compromised, the attackers used the contact information in a barrage of “spoofed” e-mails from those addresses—messages sent from outside AOL’s network with forged “from” address headers. Those e-mails are part of a large-scale phishing operation containing malicious Web links.
An AOL spokesperson said that the company is working with federal law enforcement to investigate the attack on its servers and that there was no indication that encrypted passwords were cracked by the attackers. The company has also changed its Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy to “p=reject”—meaning that other mail services will automatically discard messages sent by someone using an AOL.com mail address when a message is sent from a non-AOL server.
A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft's Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe's ubiquitous Flash media player.
The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.
While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windowws 8 will receive the update automatically, as will users of Google's Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.
ISC Handler Rob let us know that @hdmoore Tweeted out: "Upgraded to Ubuntu 14.04? Hold down enter to bypass the lockscreen (what is old is new again): https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 â¦"
The reporter indicates that he was running Ubuntu 14.04 with all the packages updated.
When the screen is locked with password, if holding ENTER, after some seconds the screen freezes and the lock screen crashes. After that the computer is fully unlocked.
The initial report states that the "bug is about the lockscreen being bypassed when Unity crashes/restarts, which is a critcal security issue. The crash will be handled from bug 1308750."
From the bug tracker, the fix has been committed and released. Be cognitive of this issue should you leave an Ubuntu 14.04 host unattended. :-)
InfoSec 2014: Government and industry must work together to protect against ...
In a report released by Infosecurity Europe, the company warns that long-term strategies are necessary to combat evolving cyber threats. The report, Information security: From business barrier to business enabler, also highlights the disconnect between ...
Posted by InfoSec News on Apr 28http://www.israelnationalnews.com/News/News.aspx/179925
Posted by InfoSec News on Apr 28http://www.chicagotribune.com/news/sns-rt-us-usa-cybersecurity-dhs-20140426,0,136919.story
Posted by InfoSec News on Apr 28http://www.wired.com/2014/04/hospital-equipment-vulnerable/
Posted by InfoSec News on Apr 28http://news.techworld.com/security/3513668/tdl4-rootkit-can-be-modified-pwn-any-security-product-bromium-researchers-discover/
Posted by InfoSec News on Apr 28http://www.nextgov.com/cloud-computing/2014/04/lawmakers-want-pentagon-clarify-cloud-security-standards/83245/