[web applications] – DotNetNuke DNNspot Store 3.0.0 Arbitrary File Upload Exploit

[local exploits] – iBackup 10.0.0.32 – Local Privilege Escalation Vulnerability

[web applications] – Incredible PBX 11 2.0.6.5.0 Remote Command Execution Vulnerability

[web applications] – WordPress Database Manager 2.7.1 Command Injection / Credential Leak

[webapps] – iFunBox Free 1.1 iOS – File Inclusion Vulnerability
[webapps] – File Manager 4.2.10 iOS – Code Execution Vulnerability
Staples likely breached, retailer defenses back in spotlight

Office supply retailer Staples is investigating a possible breach of its systems following reports from the banking industry of fraudulent credit and debit card transactions at stores in the northeastern United States.

On Tuesday, the company acknowledged that a breach may have occurred and that it had contacted the appropriate law enforcement agencies. The retailer declined to provide further details.

“Staples is in the process of investigating a potential issue involving credit card data and has contacted law enforcement,” a spokesperson said in a statement sent to Ars. “If Staples discovers an issue, it is important to note that customers are not responsible for any fraudulent activity on their credit cards that is reported on a timely basis.”
White Hat Hackers Fight For Legal Reform

Security researchers petition to update digital intellectual property and copyright protection laws that limit their work in finding and revealing security bugs.

In wake of Anonabox, more crowdsourced Tor router projects make their pitch

The Invizbox Tor router hardware—the same as Anonabox, but with truth in advertising.

Last week, Ars reported on the story of Anonabox, an effort by a California developer to create an affordable privacy-protecting device based on the open source OpenWRT wireless router software and the Tor Project’s eponymous Internet traffic encryption and anonymization software. Anonabox was pulled from Kickstarter after accusations that the project misrepresented its product and failed to meet some basic security concerns—though its developers still plan to release their project for sale through their own website.

But Anonabox’s brief campaign on Kickstarter has demonstrated demand for a simple, inexpensive way to hide Internet traffic from prying eyes. And there are a number of other projects attempting to do what Anonabox promised. On Kickstarter competitor Indiegogo there’s a project called Invizbox that looks almost identical to Anonabox—except for the approach its team is taking to building and marketing the device.

Based on the Chinese-built WT 3020A—a small wireless router that appears identical to the box that was the basis for the Anonabox—the Invizbox will have similar specs to the cancelled Kickstarter: 64 megabytes of RAM, 16 megabytes of Flash storage, and the Linux-based OpenWRT embedded OS. The main difference, according to the Dublin, Ireland-based team behind Invizbox (Elizabeth Canavan, Paul Canavan, and Chris Monks) is that their Tor router will be locked down better—and they won’t pretend that they’re using custom-built hardware.
Synthetic Identity Fraud A Fast-Growing Category

Real SSNs tied with fake identities are reaping criminals big profits.

Several Staples Stores Suffer Data Breach

Apple pushes out iOS 8.1 – kills the mobile POODLE and closes some, ahem, “backdoors”

The marquee vulnerability fixed in iOS 8.1 is, as you might expect, POODLE. But there are other cryptographic fixes in iOS 8.1 that are equally important...because cryptography is notoriously hard to get right first time.

Facebook prowls the internet looking for your password

Facebook explains that it's keeping its eye out for credentials - email, password combinations - dropped on sites after data breaches, running them against its own users' credentials to see if password reuse is going to land its users in trouble.

[remote exploits] – HP Data Protector EXEC_INTEGUTIL Remote Code Execution Exploit

[remote exploits] – Numara / BMC Track-It! FileStorageService Arbitrary File Upload Exploit

[remote exploits] – Joomla Akeeba Kickstart Unserialize Remote Code Execution Exploit

[remote] – Joomla Akeeba Kickstart Unserialize Remote Code Execution
FBI Director James Comey says Apple and Google go “too far” with default encryption

FBI Director James Comey says Apple and Google go too far with default encryption settings on mobile devices, including the iPhone 6 and Nexus 6 running on Android 5.0 Lollipop. Does the FBI really have a legal right to exploit encryption backdoors to pursue suspects?

[local exploits] – Windows OLE Package Manager SandWorm Exploit

Chinese government launches man-in-middle attack against iCloud

A screen capture shows the warning of a fake iCloud.com certificate—signed by an official Chinese certificate authority.

GreatFire.org, a group that monitors censorship by the Chinese government’s national firewall system (often referred to as the “Great Firewall”), reports that China is using the system as part of a man-in-the-middle (MITM) attack on users of Apple’s iCloud service within the country. The attacks come as Apple begins the official rollout of the iPhone 6 and 6 Plus on the Chinese mainland.

The attack, which uses a fake certificate and Domain Name Service address for the iCloud service, is affecting users nationwide in China. The GreatFire.org team speculates that the attack is an effort to help the government circumvent the improved security features of the new phones by compromising their iCloud credentials and allowing the government to gain access to cloud-stored content such as phone backups.

Chinese iCloud users attempting to log in with Firefox and Chrome browsers would have been alerted to the fraudulent certificate. However, those using Mac OS X’s built-in iCloud login or another browser may not have been aware of the rerouting, and their iCloud credentials would have been immediately compromised. Using two-step verification would prevent the hijacking of compromised accounts.
Nearly Half Of Consumers Will Punish Breached Retailers During Holidays

Consumers say they'll talk with their wallets if they hear their favorite store has played fast and loose with customer data.

Insider Threats: Breaching The Human Barrier

A company can spend all the money it has on technical solutions to protect the perimeter and still not prevent the attack that comes from within.

Whisper CTO trashes reports that it tracks even those users who turn off geolocation

Supposedly anonymous social media app Whisper actually tracks some users - particularly newsworthy ones - even after they've specifically opted out of geolocation, according to reports.

Four online romance scammers jailed – don’t get sucked into Advance Fee Fraud!

Advance Fee Fraud, or AFF, is an age-old scam that goes back at least to the 16th century. Here are some resources you can use to help vulnerable friends and family keep out of the clutches of online romance scammers...

Why You Shouldn’t Count On General Liability To Cover Cyber Risk

Travelers Insurance's legal spat with P.F. Chang's over who'll pay breach costs will likely illustrate why enterprises shouldn't think of their general liability policies as backstops for cyber risk.

[local] – Windows OLE Package Manager SandWorm Exploit
[local exploits] – Microsoft Office Word 2003+2007+2010 Universal 0day Exploit

[local exploits] – Microsoft Office Word 2003+2007+2010 mscomctl Universal Exploit

[web applications] – Centreon SQL Injection / Command Injection Vulnerability

[remote exploits] – Drupal HTTP Parameter Key/Value SQL Injection Vulnerability

[local exploits] – MS14-060 Microsoft Windows OLE Package Manager Code Execution Exploit

[local exploits] – Linux PolicyKit Race Condition Privilege Escalation Exploit

[remote exploits] – Linux PolicyKit Race Condition Privilege Escalation Exploit

[remote exploits] – MS14-060 Microsoft Windows OLE Package Manager Code Execution Exploit

Apple kills the POODLE – also fixes Shellshock in case you forgot

Apple just shipped OS X 10.10 Yosemite - including a fix for the POODLE vulnerability. Mavericks and Mountain Lion also got updates to kill the POODLE. As for Lion, now three releases off the pace...bad news.