[web applications] – osCommerce 2.3.4 – Multiple vulnerabilities

Chinese Hackers Target Logistics & Shipping Firms With Poisoned Inventory Scanners

'ZombieZero' is still actively pushing rigged handheld scanning devices, reviving concerns about doing business with Chinese tech companies.

Crypto certificates impersonating Google and Yahoo pose threat to Windows users

People using Internet Explorer and possibly other Windows applications could be at risk of attacks that abuse counterfeit encryption certificates recently discovered masquerading as legitimate credentials for Google, Yahoo and possibly an unlimited number of other Internet properties.

A blog post published Tuesday by Google security engineer Adam Langley said the fraudulent transport layer security (TLS) certificates were issued by the National Informatics Centre (NIC) of India, an intermediate certificate authority that is trusted and overseen by India's Controller of Certifying Authorities (CCA). The CCA, in turn, is trusted by the Microsoft Root Store, a library that IE and many other Windows apps rely on to process the TLS certificates that banks, e-mail providers, and other online services use to encrypt traffic and prove their authenticity. (Firefox, Thunderbird, and Chrome on Windows aren't at risk. More about that later in this post.)

Unknown scope

In an update posted Wednesday, Langley said the CCA confirmed that the bogus certificates were the result of a compromise of NIC's certificate issuance process. The CCA reportedly said only four certificates were compromised. In a sign the CCA's findings aren't reliable, or at least are only tentative, Langley went on to say Google researchers are aware of still more counterfeit credentials stemming from the NIC breach.

Mobile apps’ cookies leave a data trail behind you

Instagram's cookies and unencrypted Web traffic give you up to anyone watching packets pass by.
Sean Gallagher

Most people know the privacy risk of Web cookies—the bits of data that Web browsers store and return to websites to help them keep track of your credentials, where you are in an application, and other information. Advertisers, social media services, and search engine providers use cookies to track users' travels on the Web to target them for advertising. And as we’ve reported, those cookies can be used by someone surveilling Web traffic to track you as well.

But when people use mobile applications, they’re also vulnerable to the same sort of cookie tracking. Many mobile apps are just Web applications wrapped in a package for an app store—they send cookies back to the same server to identify the user and provide location information and other data about a device to the application vendor, third parties, or anyone who happens to be watching network traffic. Taken together with other data, these cookies can be used to track individuals as they wander the world, posing a significant privacy risk.

There are other components of the Web content consumed by mobile apps that can be used in tracking. Some use REST interfaces that pass data as part of their requests back to servers, and that data is often sent in the clear. JavaScript elements within Web content can also access local device data and send it back as a data structure; this data is often sent unencrypted as well, and the process follows a common enough format for hackers or intelligence organizations to reverse engineer it.

Judge Shoots Down ‘Bitcoin Isn’t Money’ Argument in Silk Road Trial

The government and legal community may still be arguing over whether bitcoin can be defined as “money.” But the judge presiding over the landmark Silk Road drug case has declared that it’s at least close enough to get you locked up for money laundering. In a ruling released Wednesday, Judge Katherine Forrest denied a motion […]

Microsoft drops case that severed DNS hosting for millions of No-IP users

Microsoft has formally settled legal differences with No-IP, the dynamic domain name host that was kneecapped by a botnet takedown that recently knocked out service to millions of legitimate users.

As we reported, Microsoft surrendered the 23 No-IP domains last week. A bare-bones statement e-mailed to journalists Wednesday morning said the agreement settled a controversial lawsuit Microsoft filed in late June that allowed the software maker to confiscate 23 No-IP domain names before the service provider had an opportunity to oppose the maneuver in court. The malware families targeted in the latest takedown infected more than 7.4 million machines in the past year alone, Microsoft said.

A federal judge approved Microsoft's confidential ex parte motion arguing that the software maker was entitled to seize control of the addresses because No-IP owner Vitalwerks Internet Solutions failed to follow industry practices designed to prevent malware operators from abusing the service. In the course of a few hours, millions of connections from law-abiding users were severed. The statement read in part:

[web applications] – Quick.Cart 6.4 & Quick.Cms 5.4 – Cross Site Scripting Vulnerability

Google’s Android security chief: Don’t bother with anti-virus. Is he serious?

Google's chief security engineer for Android, Adrian Ludwig, claims that most users shouldn't bother with anti-virus and that security companies are overstating the problem of Android malware. Can he be serious? ...

[web applications] – WordPress Theme PricerrTheme Shell Upload Vulnerability

[web applications] – WordPress Theme ProjectTheme Shell Upload Vulnerability

[web applications] – Atom CMS Shell Upload / SQL Injection / Bypass Vulnerabilities

[web applications] – Atom CMS Shell Upload / SQL Injection Vulnerabilities

[web applications] – Lime Survey 2.05+ Build 140618 XSS / SQL Injection Vulnerabilities

[web applications] – Dolibarr CMS 3.5.3 – Multiple Security Vulnerabilities

[remote exploits] – Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow Exploit

Facebook Helps Cripple Greek Botnet

Arrests made in Lecpetex malware campaign that was spreading via Facebook, emails.

US nabs a hacker in the Maldives, but Russia sees it as “kidnapping”

The recent arrest of a Russian hacker by the US Department of Homeland Security is stirring up diplomatic difficulties.

The suspect, 30-year-old Roman Valerevich Seleznev, is the son of a Russian lawmaker. The Russian Foreign Ministry, which says he was arrested in an airport in the Maldives, has condemned the tactics used by the US. Seleznev has now been transported to Guam, where he has made his first court appearance.

"We consider this as the latest unfriendly move from Washington," stated the Ministry, according to a Reuters report. The Russian Foreign Ministry's statement (Russian) describes the event as a "kidnapping."

6 Tips for Using Big Data to Hunt Cyberthreats

You need to be smart about harnessing big data to defend against today's security threats, data breaches, and attacks.

The Ex-Google Hacker Taking on the World’s Spy Agencies

Morgan Marquis-Boire is the director of security for First Look Media, the most prolific publisher of Edward Snowden's remaining secrets. His daunting task is to safeguard those documents, as well as the communications of reporters with perhaps the press's most adversarial relationships with Western intelligence agencies.

[webapps] – Photo Org WonderApplications 8.3 iOS – File Include Vulnerability

[webapps] – Dolibarr CMS 3.5.3 – Multiple Security Vulnerabilities

Remember macro viruses? Infected Word and Excel files? They’re back…

In 1995, a macro virus called Concept changed the malware landscape completely for several years. Infected Word and Excel files finally died out in the early 2000s, but as SophosLabs researcher Gabor Szappanos explains... they're back!

[web applications] – Netgear WNR1000v3 – Password Recovery Credential Disclosure Vulnerability

Crypto weakness in smart LED lightbulbs exposes Wi-Fi passwords

In the latest cautionary tale involving the so-called Internet of things, white-hat hackers have devised an attack against network-connected lightbulbs that exposes Wi-Fi passwords to anyone in proximity to one of the LED devices.

The attack works against LIFX smart lightbulbs, which can be turned on and off and adjusted using iOS- and Android-based devices. Ars Senior Reviews Editor Lee Hutchinson gave a good overview here of the Philips Hue lights, which are programmable, controllable LED-powered bulbs that compete with LIFX. The bulbs are part of a growing trend in which manufacturers add computing and networking capabilities to appliances so people can manipulate them remotely using smartphones, computers, and other network-connected devices. A 2012 Kickstarter campaign raised more than $1.3 million for LIFX, more than 13 times the original goal of $100,000.

According to a blog post published over the weekend, LIFX has updated the firmware used to control the bulbs after researchers discovered a weakness that allowed hackers within about 30 meters to obtain the passwords used to secure the connected Wi-Fi network. The credentials are passed from one networked bulb to another over a mesh network powered by 6LoWPAN, a wireless specification built on top of the IEEE 802.15.4 standard. While the bulbs used the Advanced Encryption Standard (AES) to encrypt the passwords, the underlying pre-shared key never changed, making it easy for the attacker to decipher the payload.

Black Hat USA 2014: Third-Party Vulns Spread Like Diseases

Understanding the impact of vulnerabilities in libraries and other components

How Google Map Hackers Can Destroy a Business at Will

Beneath its slick interface and crystal clear GPS-enabled vision of the world, Google Maps roils with local rivalries, score-settling, and deception.

[remote] – WordPress MailPoet (wysija-newsletters) Unauthenticated File Upload

[webapps] – FireEye Malware Analysis System (MAS) 6.4.1 – Multiple Vulnerabilities

[webapps] – Netgear WNR1000v3 – Password Recovery Credential Disclosure Vulnerability

[web applications] – BoltWire 4.10 Arbitrary File Upload Vulnerability

[remote exploits] – Gitlist Unauthenticated Remote Command Execution Exploit

[remote exploits] – Oracle Event Processing FileUploadServlet Arbitrary File Upload Exploit

[web applications] – FoeCMS Multiple Vulnerabilities

[web applications] – WordPress NextGEN Gallery 2.0.63 Shell Upload Vulnerability