Mozilla's new open-source browser release includes patches for eight security advisories. Three are rated critical. Mozilla came out Oct. 14 with its new Firefox 33 Web browser, providing users with incremental feature updates and patches for eight different security advisories. Firefox 33 follows Mozilla's Firefox 32 release in September, which included fixes for six security advisories. Firefox 33 includes three security advisories that Mozilla rated critical. MFSA 2014-74 is identified by Mozilla as "miscellaneous memory safety hazards" and is associated with the CVE-2014-1574 and CVE-2014-1575 vulnerabilities. The other critical security advisory is MFSA 2014-79, which details a use-after-free memory flaw, identified as CVE-2014-1581, that a security researcher working with Hewlett-Packard's TippingPoint Zero-Day Initiative reported. "Security researcher regenrecht reported, via TippingPoint's Zero-Day Initiative, a use-after-free during text layout when interacting with text direction," Mozilla's security advisory warned. "This results in a crash, which can lead to arbitrary code execution." The third critical advisory, MFSA 2014-77, is associated with the CVE-2014-1578 out-of-bounds WebM video vulnerability. WebM is an open-source video format technology. "Using the Address Sanitizer tool, security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team found an out-of-bounds write when buffering WebM format video containing frames with invalid tile sizes," Mozilla's security advisory warned. "This can lead to a potentially exploitable crash during WebM video playback." Firefox 33 isn't just about patches; it also improves existing security features. Among the features being introduced is a new Content Security Policy (CSP) back-end. 
Sid Stamm, principal security and privacy engineer at Mozilla, told eWEEK that the new back-end is a more efficient implementation of Content Security Policy, a feature first introduced in Firefox 4 in March 2011. The basic idea behind CSP is to limit the risk of cross-site scripting (XSS) attacks by letting a site declare, in an HTTP response header, which origins the browser may load scripts and other content from; the browser then refuses any load the policy does not allow. "While this new back-end doesn't add new Web protections, it strengthens some already in Firefox," Stamm said. "This is just one step in our efforts to make Firefox security tools fast and effective." Looking beyond security fixes, Mozilla has been working on a feature called Enhanced Tiles that shipped in the beta version of Firefox 33. Enhanced Tiles places links from Mozilla partners on a user's new tab page. While the feature was in Firefox 33 Beta, it is not in the final stable release. "Enhanced Tiles are turned on in Nightly, Aurora and Beta and will be in general release soon," Denelle Dixon-Thayer, senior vice president of business and legal affairs at Mozilla, told eWEEK. "We are working with foundational partners but do not currently have any paid advertising in the builds." Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
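The CSP mechanism Stamm describes can be made concrete with a small policy evaluator. The following is an added example written for this page; it is not Mozilla's CSP back-end or any code from the article. It implements a subset of the CSP source-expression grammar ('none', 'self', 'unsafe-inline', '*', scheme sources such as https:, and host sources with an optional scheme, leading wildcard and port) and assumes every directive falls back to default-src. The policy strings, page URL and probe URLs are constructed for the demonstration. It shows why a permissive policy such as default-src * 'unsafe-inline' offers no XSS protection, while a locked-down one blocks inline script and off-origin loads.

```javascript
// Added example (not Mozilla's code): a minimal Content Security Policy
// evaluator covering a subset of the CSP source-expression grammar:
// 'none', 'self', 'unsafe-inline', '*', scheme sources (https:), and host
// sources with an optional scheme, leading wildcard (*.example.com) and port.
// Paths in host sources, nonces and hashes are out of scope, and every
// directive is assumed to fall back to default-src (true for script-src,
// img-src, style-src and connect-src; not for frame-ancestors).

const DEFAULT_PORT = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

/** Parse a CSP header value into a Map of directive name -> list of source expressions. */
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

/** Does one source expression match a candidate URL loaded by a page at pageOrigin? */
function sourceMatches(expr, candidate, pageOrigin) {
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") {
    return candidate.protocol === pageOrigin.protocol && candidate.host === pageOrigin.host;
  }
  if (lower.startsWith("'")) return false;       // other keywords never match a URL
  if (lower === '*') return !['data:', 'blob:', 'filesystem:'].includes(candidate.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return candidate.protocol === lower; // scheme source

  // host source: [scheme://]host[:port]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(lower);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const wantScheme = scheme ? scheme + ':' : pageOrigin.protocol; // no scheme => page's scheme
  if (candidate.protocol !== wantScheme) return false;

  const candHost = candidate.hostname;
  if (host.startsWith('*.')) {
    // *.example.com matches any subdomain but, per spec, not example.com itself
    const suffix = host.slice(1);
    if (!candHost.endsWith(suffix) || candHost.length <= suffix.length) return false;
  } else if (candHost !== host) {
    return false;
  }

  const candPort = candidate.port || DEFAULT_PORT[candidate.protocol] || '';
  if (port === undefined) return candPort === (DEFAULT_PORT[wantScheme] || '');
  return port === '*' || port === candPort;
}

/**
 * Decide whether a load is permitted. request is { directive, url } for a
 * fetched resource or { directive, inline: true } for an inline block.
 */
function cspAllows(header, pageUrl, request) {
  const policy = parseCsp(header);
  const pageOrigin = new URL(pageUrl);
  const sources = policy.has(request.directive)
    ? policy.get(request.directive)
    : policy.get('default-src');
  if (sources === undefined) return true;        // no directive governs this load
  if (request.inline) return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  const candidate = new URL(request.url, pageUrl);
  return sources.some((s) => sourceMatches(s, candidate, pageOrigin));
}

// Constructed policies: a permissive one that does not stop XSS, and a
// hardened one that blocks inline script and off-origin loads.
const WEAK_POLICY = "default-src * 'unsafe-inline'";
const HARDENED_POLICY =
  "default-src 'none'; script-src 'self' https://cdn.example.com; img-src https:; style-src 'self'";
const PAGE_URL = 'https://www.example.com/index.html';

const probes = [
  { directive: 'script-src', inline: true },
  { directive: 'script-src', url: 'https://cdn.example.com/app.js' },
  { directive: 'script-src', url: 'https://attacker.example.net/x.js' },
  { directive: 'img-src', url: 'http://www.example.com/logo.png' },
  { directive: 'connect-src', url: 'https://www.example.com/api' },
];
for (const p of probes) {
  const label = p.inline ? `inline ${p.directive}` : `${p.directive} ${p.url}`;
  console.log(`${label}: weak=${cspAllows(WEAK_POLICY, PAGE_URL, p)}` +
              ` hardened=${cspAllows(HARDENED_POLICY, PAGE_URL, p)}`);
}
```

Run under Node.js; it prints one line per probe. The two decisions that matter most for XSS are visible in the output: the weak policy permits inline script (the classic XSS vector) and any remote host, while the hardened policy denies both, and a directive the hardened policy does not mention (connect-src) inherits default-src 'none' rather than silently passing.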
Sandworm is just one of multiple zero-day flaws that have been actively exploited that Microsoft is patching. Microsoft is out with its October Patch Tuesday release, which includes eight different security bulletins patching 24 Common Vulnerabilities and Exposures (CVEs), including several zero-day flaws that have been actively exploited. Among the zero-day flaws patched is CVE-2014-4114, which has been dubbed "Sandworm" and has already been used in attacks against NATO and the European Union. Microsoft is providing a patch for CVE-2014-4114 with its MS14-060 update. "A vulnerability exists in Windows OLE that could allow remote code execution if a user opens a file that contains a specially crafted OLE object," Microsoft warns in its advisory. "An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user." OLE is Microsoft's Object Linking and Embedding technology, which enables content to be linked and embedded inside of documents. iSight Partners first found evidence of the CVE-2014-4114 issue on Sept. 3 in an attack that leveraged the exploit in a malicious PowerPoint presentation. The vulnerability is being dubbed Sandworm by iSight due to references in the code to the classic Dune science fiction series, where sandworms play a pivotal role. Another zero-day flaw fixed in the October Patch Tuesday update is CVE-2014-4113, which is a privilege escalation vulnerability. This flaw, too, has been actively exploited against users. Security firm Crowdstrike is attributing attacks leveraging CVE-2014-4113 to a Chinese threat group that it refers to as Hurricane Panda. Crowdstrike isn't the only security vendor that detected CVE-2014-4113, as FireEye also reported the issue to Microsoft, along with an additional flaw identified as CVE-2014-4148. The CVE-2014-4148 flaw is a TrueType font parsing remote code execution vulnerability. 
Microsoft is patching both CVE-2014-4113 and CVE-2014-4148 in MS14-058, which is titled "Vulnerabilities in Kernel-Mode Driver Could Allow Remote Code Execution." Dan Caselden, senior malware researcher at FireEye, explained to eWEEK that in the case of CVE-2014-4148, an attacker creates a custom malicious font and embeds the font in some media (e.g., a Web page or a document). The malicious media is then delivered to a victim with the hope that he or she opens the document or Web page. "The program that parses the media (in this case, Microsoft Word) passes the font on to the Windows kernel," Caselden said. "The Windows kernel incorrectly parses the font, resulting in an exploitable state." As has been the case throughout 2014, Microsoft is including a cumulative security update for its Internet Explorer browser as part of the Patch Tuesday update. For October, the MS14-056 IE update patches 14 security vulnerabilities in Microsoft's Web browser. The majority of the vulnerabilities are memory corruption issues that could lead to arbitrary code execution. Microsoft credits Context Information Security, Palo Alto Networks, VeriSign iDefense Labs, Hewlett-Packard's Zero Day Initiative and Qihoo 360 for reporting the IE vulnerabilities. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Head of European cyber-crime centre claims Europol 'roughly knows who they are'
NEWS ANALYSIS: Was this a case of password reuse? Employing unique username/password combinations and two-factor authentication helps minimize risk. The popular Dropbox cloud file storage service is denying allegations that it was hacked, after an anonymous source leaked information on Dropbox account holders. The anonymous allegation against Dropbox was publicly posted on Pastebin and claims that 6,937,081 Dropbox accounts were hacked, though initially only 400 Dropbox accounts were publicly posted. The anonymous Pastebin poster has requested Bitcoin donations to release more Dropbox user information. For its part, Dropbox disputes the claim that it was hacked and has stated that its users' content is safe. "The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox," the company wrote in a blog post. "Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox." Dropbox added that it has policies in place to detect suspicious login activity, and when a suspicious login occurs, Dropbox can reset the user's password. Additionally, Dropbox suggests that users enable two-factor verification to provide an additional layer of protection to their accounts. With two-factor verification, the username and password are supplemented by a second factor, a one-time code sent by text message to the user's phone, so a stolen password alone is not enough to log in. Dropbox isn't the only online service whose users have been victimized by credentials stolen from third-party services and sites. In September, hackers claimed to have obtained information on 5 million Google account holders. At the time, Google denied it had been breached directly and stated, like Dropbox, that the information came from another hacked source. Although Google itself was not breached, the tech giant had to reset the passwords for 100,000 users. 
There was also collateral damage from the Google account leak that spread to the popular blogging platform WordPress, which also had to reset 100,000 user accounts. The root cause of the Google leak and of the new Dropbox account disclosure is not publicly known, but we do know that username/password reuse is a significant threat to Internet security. When users employ the same username and password combination on more than one site, the damage from any single data breach is compounded: a password exposed by one site's breach can be replayed against every other site where the user chose the same one. Once again, the case for two-factor authentication is clear. By employing unique username/password combinations and enabling two-factor authentication, users can sharply reduce the risk of account disclosures and hacks. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
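The login pattern Dropbox describes, stolen credentials replayed against many accounts from one client, leaves a distinctive trace in authentication logs: one source address, many different usernames, mostly failures, inside a short window. The following is an added example for this page, not Dropbox's detection logic (which it has not published); the log format, field names, thresholds, addresses and usernames are all constructed for the demonstration. It flags sources matching that pattern and then lists the accounts that nonetheless logged in successfully from a flagged source, which are exactly the accounts a service would force a password reset on, as the article says Dropbox does.

```javascript
// Added example (illustrative; not Dropbox's detection rules, which are not public).
// Flags credential stuffing: one client address trying many *different* accounts
// with a high failure rate inside a short window. Log format, thresholds and all
// addresses/usernames below are constructed for this demonstration.

// Constructed authentication log. 203.0.113.7 replays a leaked credential list,
// 198.51.100.20 is an office NAT address with normal logins, and 192.0.2.44 is
// one user mistyping their own password (not stuffing: a single account).
const SAMPLE_AUTH_LOG = `
2014-10-13T21:04:01Z ip=203.0.113.7 user=alice@example.com result=fail
2014-10-13T21:04:03Z ip=203.0.113.7 user=bob@example.com result=fail
2014-10-13T21:04:04Z ip=203.0.113.7 user=carol@example.com result=fail
2014-10-13T21:04:06Z ip=203.0.113.7 user=dave@example.com result=fail
2014-10-13T21:04:08Z ip=203.0.113.7 user=erin@example.com result=success
2014-10-13T21:04:09Z ip=203.0.113.7 user=frank@example.com result=fail
2014-10-13T21:04:11Z ip=203.0.113.7 user=grace@example.com result=fail
2014-10-13T21:04:13Z ip=203.0.113.7 user=heidi@example.com result=fail
2014-10-13T21:05:00Z ip=198.51.100.20 user=ivan@example.com result=success
2014-10-13T21:05:30Z ip=198.51.100.20 user=judy@example.com result=success
2014-10-13T21:06:10Z ip=198.51.100.20 user=mallory@example.com result=success
2014-10-13T21:06:45Z ip=198.51.100.20 user=oscar@example.com result=success
2014-10-13T21:07:20Z ip=198.51.100.20 user=peggy@example.com result=success
2014-10-13T21:08:05Z ip=198.51.100.20 user=trent@example.com result=fail
2014-10-13T21:09:00Z ip=192.0.2.44 user=carol@example.com result=fail
2014-10-13T21:09:20Z ip=192.0.2.44 user=carol@example.com result=fail
2014-10-13T21:09:41Z ip=192.0.2.44 user=carol@example.com result=fail
2014-10-13T21:10:15Z ip=192.0.2.44 user=carol@example.com result=success
`;

const LINE_RE = /^(\S+) ip=(\S+) user=(\S+) result=(success|fail)$/;

/** Parse the constructed log format into event objects; malformed lines are skipped. */
function parseAuthLog(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;
    const [, time, ip, user, result] = m;
    events.push({ time, ts: Date.parse(time), ip, user, success: result === 'success' });
  }
  return events;
}

/**
 * Return one finding per source IP whose best sliding window meets the thresholds:
 * at least minAccounts distinct usernames and a failure ratio >= minFailRatio.
 */
function detectCredentialStuffing(logText, opts = {}) {
  const { windowMs = 10 * 60 * 1000, minAccounts = 5, minFailRatio = 0.8 } = opts;
  const byIp = new Map();
  for (const ev of parseAuthLog(logText)) {
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    let best = null;
    for (let i = 0, j = 0; i < events.length; i++) {
      // advance j so that events[i..j) all fall within windowMs of events[i]
      while (j < events.length && events[j].ts - events[i].ts <= windowMs) j++;
      const win = events.slice(i, j);
      const accounts = new Set(win.map((e) => e.user)).size;
      const failures = win.filter((e) => !e.success).length;
      if (accounts >= minAccounts && failures / win.length >= minFailRatio &&
          (best === null || accounts > best.accounts)) {
        best = { ip, accounts, attempts: win.length, failures,
                 firstSeen: win[0].time, lastSeen: win[win.length - 1].time };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

/** Accounts that logged in successfully from a flagged source: candidates for a forced reset. */
function accountsToReset(logText, findings) {
  const flagged = new Set(findings.map((f) => f.ip));
  const users = new Set();
  for (const ev of parseAuthLog(logText)) {
    if (flagged.has(ev.ip) && ev.success) users.add(ev.user);
  }
  return [...users].sort();
}

const findings = detectCredentialStuffing(SAMPLE_AUTH_LOG);
for (const f of findings) {
  console.log(`credential stuffing from ${f.ip}: ${f.accounts} accounts, ` +
              `${f.failures}/${f.attempts} failures between ${f.firstSeen} and ${f.lastSeen}`);
}
console.log('reset passwords for:', accountsToReset(SAMPLE_AUTH_LOG, findings));
```

The distinct-account count is what separates stuffing from an ordinary brute-force or a forgotten password: the attacker tries each leaked pair once, so a single source touches many usernames, whereas a legitimate user fails repeatedly against one. The one success inside the attacker's window (erin@example.com) is the account whose owner reused a password from the breached third-party site, and it is the one that needs a reset even though the service itself was never breached.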
The "Selfmite" worm spreads between mobile devices with a technique similar to the Melissa virus from 1999: texting a short message and a link to victims' contacts. An Android worm has borrowed the propagation techniques of old macro viruses from the 1990s by sending text messages out to a handful of contacts from each infected phone. Known as Selfmite, the program spreads by sending texts with malicious links to a victim's contacts. The original program sent messages to the top 20 contacts in a victim's address book. Security firms have offered differing analyses of the most recent version. A report from antivirus firm Sophos indicates that Selfmite.B has reduced the number of recipients to five, while mobile security firm AdaptiveMobile argued that the worm goes into an infinite loop and keeps sending text messages to every contact. About 100 phones appear to be infected and sending messages, but they have sent more than 150,000 texts in the past 10 days, according to AdaptiveMobile's analysis. "This means that potential victims will continue to receive malicious SMS messages from an infected phone until either the operator detects and blocks these messages or an owner of an infected phone removes the malware," AdaptiveMobile stated. The latest Selfmite worm sends one of two text messages, "Hi buddy, try this, its amazing u know" and "Hey, try it, its very fine," to the first five people in a victim's address book. Such generic messages tend not to spread far, and that seems to be the case for Selfmite, but better-crafted ones could fool credulous users, Paul Ducklin, head of technology with Sophos, told eWEEK. "Like the bad old days of computer viruses, it comes from someone you know," he said. "When you get the message, you will be more likely to check it out." The propagation routine is reminiscent of macro viruses and other email worms of the late 1990s, perhaps the best known of which is the Melissa macro virus. 
In March 1999, the Melissa virus spread through email by sending its host, a Word document, to the top 50 people listed in a victim's address book. The program affected at least 100,000 computers at more than 300 companies, according to estimates at the time. Recently, Visual Basic for Applications, the language used to write most macro viruses in the late 1990s and early 2000s, has made a resurgence as a way of scripting the copying of malicious code from the host document onto the compromised system. Phones infected with the Selfmite worm were typically added to a pay-per-click advertising network and a pay-per-install affiliate program. The latest version, however, takes different actions based on the location of the infected Android phone. While some malicious applications have slipped into the mobile ecosystem, the users in most danger from these types of malicious programs are in Asia and Eastern Europe, where it is a common practice to download apps from ad-hoc app stores that aren't connected to the Google Play Android app market, which vets applications for malware. For most U.S. mobile device owners, using trusted app stores and having a cautious outlook are the best approach. "The walled, or semi-walled, gardens of the App Store and Google Play help a lot, but a killer app might be enough if everyone wants it—remember Flappy Bird?—and is willing to turn on 'Unknown Sources' in Android in order to join in the fun," Ducklin said. "As always, a little caution goes a long way."
Sprint enterprise customers who also buy Google Apps for Business can now add single sign-on capabilities from Ping Identity to add deeper security for mobile employees. Sprint is deepening its Google Apps for Business offerings for enterprise customers by adding new fee-based single sign-on capabilities for mobile workers under a partnership with Ping Identity. The new single sign-on enhancements were unveiled by Sprint in an announcement on Oct. 13. For businesses, the Ping Identity services, which will be available at additional cost beyond the $5 per month per employee price of Google Apps for Business, will provide cloud-based single sign-on for easier identity management by corporate IT departments, according to Sprint. The extra cost of the Ping services will depend on the number of employees enrolled and other factors, the company said. Single sign-on will allow users to sign on to all of their business apps with one username and password while meeting corporate access and security requirements. The new add-on is PingOne, which Ping offers as an identity-as-a-service (IDaaS) product that delivers secure access for employees on any device and gives IT one dashboard to manage user access for all applications, according to Sprint. PingOne eliminates the need for employees to manage multiple passwords across various business applications. Sprint introduced subscriptions to Google Apps for Business in July, offering several extras for customers who buy the services through Sprint directly rather than through Google, according to an earlier eWEEK report. The addition of the Google Apps for Business tools makes it easier for employees to work from anywhere, while lessening the burdens on IT for small and midsize companies. Customers who sign up for Google Apps for Business through Sprint are assigned a Sprint consultant to help with deployment, while full deployment packages are also available for a fee. 
End-user support is also included 24/7. Subscribers through Sprint also get the use of the Boost eLearning platform, which includes more than 400 apps for user-led learning and training, whether they want to learn a new skill or brush up on an old one. Sprint's backing of Google Apps for Business is carrier-agnostic; Sprint can deploy the Google apps across a business regardless of whether all the devices are on the Sprint network. Customers who do purchase Sprint devices and Google Apps for Business will also receive device setup free from Sprint. Google, meanwhile, is always making improvements to its Google Apps services. In May, Google Apps received several new mobile management tools to help enterprises better manage the Android devices and capabilities of their BYOD users. The updates to the Google Apps Mobile Management for Android tools provide more ways for IT administrators to protect enterprise systems, devices, employees and corporate data. Included in the new features was an inactive-account wipe capability that lets enterprises set policies to wipe an account from a device if it has not synced for a predetermined number of days, so that a lost or abandoned device does not remain a standing exposure. Also included was new support for EAP-based WiFi networks, so that IT administrators can configure settings and distribute certificate authority (CA) issued certificates for EAP, or Extensible Authentication Protocol, networks. Compromised-device detection has also been added so that IT administrators can set policies that detect common signs of a compromised device, including "rooting" or the installation of a custom "ROM," so that modified devices can be blocked for security reasons. New reporting fields have also been added in the API and Admin console so that IT administrators can better understand the devices in use and troubleshoot issues. 
The added fields include serial number, IMEI, MEID, WiFi MAC address, baseband version, kernel version, build number, mobile operator/carrier, language settings and account ownership/management.
There is no shortage of Linux distributions to serve specific markets and use cases. In the security market, a number of Linux distributions are widely used, including Kali Linux, which is popular with security penetration testers. There's also CAINE L...
The attack and picture leak known as the "Snappening" against Snapchat users now has a confirmed root cause, with Snapsaved.com admitting a data breach. The Snapchat picture leak has led to the unintended disclosure of Snapchat user images. Reports of the Snapchat Snappening first emerged Friday, with Snapchat itself claiming that it had not been breached. Instead, Snapchat blamed an unnamed third-party app for being the source of the images. That third party has now come forward, and Snapsaved.com is admitting it was hacked. According to Snapsaved.com, the breach affected 500MB of images. "I would like to inform the public that Snapsaved.com was hacked," Snapsaved wrote in a Facebook post. "We had a misconfiguration in our Apache server." Apache HTTP Server is an open-source Web server that is currently the most widely deployed Web server on the Internet. The Snapsaved.com post confirms that Snapchat itself had not been hacked, and the leaked images do not originate from the Snapchat database. Snapchat is a service that enables users to share images on a temporary basis, and images are not supposed to be stored. As a third-party app, Snapsaved.com enabled its users to save Snapchat images. "As soon as we discovered the breach in our systems, we immediately deleted the entire Website and the database associated with it," Snapsaved's Facebook post states. An anonymous researcher claims in a Pastebin post that the Snapsaved data was provided by a Snapsaved.com site administrator. "When the site became unusable, the administrator compiled a full directory of the content and uploaded it to an unindexed Website where you could freely download it," the anonymous poster alleged. Snapsaved.com denies the anonymous poster's claims and stated: "The hacker does not have sufficient information to live up to his claims of creating a searchable database." 
Whatever the root cause and whatever the actual image database availability, the simple fact of the matter is that user privacy has been violated. Certainly, Snapchat itself has some measure of responsibility here, as it is its service that is being used, even though the access is being enabled via a third-party app. Snapchat could and should police the use of its API to protect users from apps that could expose them to risk. For Snapsaved itself, I suspect this is an incident from which the service will not recover. The Snapsaved.com site has been unavailable for most of Oct. 13, and even if the site does come back up, Snapchat (as I suggest) should block or limit access to its API, which would end the viability of a Snapsaved app. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Take that, NSA. Microsoft uses a multi-layered approach to data encryption to help keep Office 365 data away from prying eyes. Rock-solid uptime and a wealth of enterprise-friendly features mean nothing if cloud...
National retailer Kmart, a subsidiary of Sears Holdings Corp., publicly confirmed on Oct. 10 that it had been breached by a form of point-of-sale (POS) malware. While Kmart is reporting the breach today, the company said that it only detected the breach yesterday, on Oct. 9. With barely a day of investigation, Kmart has already been able to determine a number of key facts about the breach that affected its stores. Kmart's investigation has led the company to believe that the breach began in early September. While Kmart has not specifically said what type of malware infected its systems, the company noted that the malware used was "undetectable by current antivirus systems." There are multiple known forms of POS malware impacting retailers today. Perhaps the most prevalent is the Backoff malware, which was first reported in August and has infected at least 1,000 retailers. Ice cream chain Dairy Queen reported on Oct. 9 that it was the latest victim of Backoff in an attack that impacted 395 of its stores. Kmart says its preliminary investigation shows that debit card PINs and Social Security numbers were not stolen in the breach. Kmart has not yet publicly disclosed how many of its stores have been affected or how many customers may be at risk. In a statement, Kmart emphasized that customers are not liable for any fraudulent charges. "We want our members and customers to be aware of the situation, and we suggest that customers carefully review and monitor their debit and credit card account statements," Kmart said in a statement. "If customers see any sign of suspicious activity, they should immediately contact their card issuer." The company noted that it is working with law-enforcement officials as well as IT security firms as part of an ongoing investigation. Going a step further, Kmart stated it will now be deploying "advanced software" to further protect its customers. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
Over three-quarters of British small and midsize businesses say workplace WiFi is business-critical. By Michael Moore A strong and reliable WiFi connection has emerged as one of the most critical of all business factors for small and midsize companies, according to a new survey. A study of 500 SMBs by networking firm Netgear has found that three-quarters (75 percent) of SMBs say that having a wireless network has become essential to the running of their business, as firms increasingly look to a mobile workforce to enhance productivity and employee flexibility. This rises to 84 percent of firms with more than 100 employees, but many companies say that they are, in fact, being held back by poor network reliability and concerns about data breaches. Risk Fears The study found that one in three firms have struggled to implement an effective and secure wireless service, and a third had considered abandoning plans for a workplace wireless network after identifying a possible data security risk. Just under a third (31 percent) said that they had also considered abandoning wireless plans following a bad experience with poor network quality and reliability, with a quarter (25 percent) saying they were unsure how to introduce wireless into their existing IT infrastructure—which rose to 35 percent of firms with more than 100 employees. But as the cost of installing a network continues to fall and connectivity becomes ubiquitous, the benefits of wireless infrastructure are being enjoyed by more and more businesses, the survey found. Just under three-fourths (74 percent) of the firms surveyed said that working wirelessly was making them more productive, with two-thirds saying that reliable connections help them keep pace with the competition. "Successful small and medium-sized companies often rely on their employees to do many varied tasks and adapt quickly to customer demands," said Jonathan Hallatt, Netgear's regional director for the U.K., Ireland and South Africa. 
"People quite simply work better when they can communicate, access and share information from wherever they are in the workplace. A resilient wireless network allows you to respond to guests and colleagues, and take bookings or orders using an Internet-enabled device wherever you happen to be. Productivity will improve and your customers will be happier." Recent findings from Ofcom showed that some SMBs feel they are unable to benefit from competitively priced connectivity plans, with many unable to secure the deals received by large enterprises, which benefit from scale and a competitive market. The regulator has now said it will carry out further research to discern how businesses (rural companies in particular) are able to get the mobile and broadband services they need to operate and grow effectively.