Flaw Archives - IT Security Guru

Flaw Affecting MILLIONS of Encryption Keys Worse than Initially Anticipated

The Gurus — Tue, 07 Nov 2017 10:46:19 +0000

A flaw affecting millions of encryption keys used in some of the highest-stake security settings could be easier to exploit than originally reported and anticipated, cryptographers have reported.
View Full Story
ORIGINAL SOURCE: Ars Technica

The post Flaw Affecting MILLIONS of Encryption Keys Worse than Initially Anticipated appeared first on IT Security Guru.

WordPress plugin with 10,000+ installations being exploited in the wild

The Gurus — Fri, 03 Jun 2016 12:24:25 +0000

A growing number of WordPress websites have been infected by attackers exploiting a vulnerability that remains unpatched in a widely used plugin called WP Mobile Detector, security researchers warned.
The attacks have been under way since last Friday and are mainly being used to install porn-related spamming scripts, according to a blog post published Thursday. The underlying vulnerability in WP Mobile Detector came to light on Tuesday in this post. The plugin has since been removed from the official WordPress plugin directory. As of Wednesday, the plugin reportedly had more than 10,000 active installations, and it appears many remained active at the time this post was being prepared.

Original Source: Arstechnica
View the full story here

The post WordPress plugin with 10,000+ installations being exploited in the wild appeared first on IT Security Guru.

Samsung Smart Home flaws let hackers make keys to front door

The Gurus — Tue, 03 May 2016 10:34:09 +0000

Computer scientists have discovered vulnerabilities in the Samsung Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.
The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung’s SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren’t easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.
Original Source: Arstechnica
View the full story here

The post Samsung Smart Home flaws let hackers make keys to front door appeared first on IT Security Guru.

Nuix: Cybersecurity Industry “Fighting the Wrong Battle for 20 Years"

The Gurus — Wed, 13 Apr 2016 11:19:13 +0000

Chris Pogue of Nuix has penned a whitepaper that argues that the security industry has been “fighting the wrong battle” using the wrong tools for 20 years. He cites the human vulnerability as the factor behind this assertion.
“In the more than 2,500 data breaches I have investigated, I can count exactly zero that were caused by non-human-initiated system failure—like it or not, people are the problem,” said Pogue, Nuix’s Senior Vice President, Cyber Threat Analysis.
The white paper examines five cognitive biases—“bugs in our brain software”—that cause people to make poor decisions. It examines how other industries have learned to deal with these biases by concentrating on changing human behavior, and applies these lessons to the fight against cybercrime.
The abstract for the whitepaper reads: “Over the past 20 years, organizations have expended billions of dollars’ worth of time, energy, and intellectual property pursuing the elusive “next big thing” in cybersecurity. At countless security conferences around the world, vendors have touted their technological achievements and proposed their solutions to scores of hopeful attendees. Despite the collaborative efforts of the entire cyber-industrial machine, very little progress has been made. In fact, by all accounts, the threat landscape has actually gotten worse.”
Effectively it’s arguing that humans are the foot cause of all the flaws and attacks that have led to data being compromised, services being brought down and people in general being duped by cyber criminals. Is this why we’re still seeing huge breaches take place on a regular basis? Read the full whitepaper and decide for yourself.

The post Nuix: Cybersecurity Industry “Fighting the Wrong Battle for 20 Years" appeared first on IT Security Guru.

SQL injection vuln found at Panama Papers firm Mossack Fonseca

The Gurus — Tue, 12 Apr 2016 09:24:30 +0000

Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca. A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers. “They updated the new payment CMS, but forgot to lock the directory /onion/,” he said via the “1×0123” Twitter profile. Mossack Fonseca specialises in helping its clients to set up firms in tax havens such as the British Virgin Islands. The leak of its client information as part of the Panama Papers has created a huge political stink.
Original Source: The Register
View the full story here

The post SQL injection vuln found at Panama Papers firm Mossack Fonseca appeared first on IT Security Guru.

Flaw in CISCO FirePower Firewall allows malware evade detection

The Gurus — Tue, 05 Apr 2016 10:20:09 +0000

Cisco is releasing security updates to fix a critical vulnerability (CVE-2016-1345) that affects one of its newest products, the FirePower firewall. The flaw has been discovered by security researchers at Check Point Security.
According to the security advisory published by Cisco, an attacker can remotely exploit the flaw to allow malware bypass detection measured implemented by the FirePower firewall.
“A vulnerability in the malicious file detection and blocking features of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system.”states the advisory.
Original Source: Security Affairs
View the full story here

The post Flaw in CISCO FirePower Firewall allows malware evade detection appeared first on IT Security Guru.

Microsoft account-hijacking hole closed 48 hours after bug report

The Gurus — Tue, 05 Apr 2016 09:04:13 +0000

British researcher Jack Whitton has reported a Microsoft account hijacking authentication bug that would have been another arrow in an attacker’s phishing quiver, save for the fact that Microsoft fixed it.
Whitton quietly reported the flaw to Microsoft which pounced and took only two days to process and patch the flaw.
The flaw meant attackers would have been able to set up phishing sites for Microsoft assets like Outlook and then capture tokens which could then be used through manipulated POST data to log into accounts.

Original Source: The Register
View the full story here

The post Microsoft account-hijacking hole closed 48 hours after bug report appeared first on IT Security Guru.

Leaf it out mate! Nissan car hijacked by security researcher

The Gurus — Thu, 25 Feb 2016 12:44:11 +0000

Troy Hunt has uncovered a flaw within the Nissan Leaf’s companion app that allows hackers to see data about recent journeys and meddle with other aspects of the vehicle such as climate control and battery life. All they need is he vehicle identity number (VIN).
Mr. Hunt gave Nissan one month to fix the flaw prior to his unmasking of them in public. His stance on the issue is that Nissan should disable the app, which has no authentication on it. Speaking to IT Security Guru, Richard Kirk , Senior VP at AlienVault, had the following to say:
“According to the research done by Troy Hunt, this is one of the most basic security mistakes that could be made. There is no user authorisation to validate that the user of the app is the owner of the car. It is hard to understand how a major global car manufacturer like Nissan could have a) allowed an app to be designed in such a way and b) not performed some degree of app security assessment and penetration testing before placing the app in the app store.
“If the app or car system developer were to add new app features, such as remote door unlocking or remote engine disablement, and they assumed that the app itself was safe and secure, then there could be serious implications, including either the theft of a car or its contents, or even an accident. This might sound extreme however other car manufacturers already provide similar app features.”
This is why it’s so vulnerable – although not life threatening hacks, it’s essential that security on devices such as cars is kept at a high standard to prevent vulnerabilities such as the Jeep hack of 2015, where experts took control of the vehicle’s systems including brakes, stereo, steering and more – our video report of this is at the bottom of the page.
So are car companion apps really necessary? Or is the security risk just too great to ensure your safety on the roads? Well Mark James, a Security Specialist at ESET told us his take:
“The first thing I would ask myself is do I really need to connect my car to the internet either through website or smartphone app? The most likely answer is no, if you do then make sure you regularly check the information you are sending, most can be configured to turn features on and off and check after each update. We are no longer striding towards an internet connected world we are now running downhill towards anything and everything being connected without regard for security and safety. It may seem like an inconvenience to have authentication to be able to turn your heated seats or steering wheel on when it’s cold and icy in the morning but it’s better than having another portion of your private lives exposed for all to see and plunder.”
So for now, it seems a lot of cases of our ecurity being traded off for the sake of convenience are taking place. So what can apps like this have added to them that’d reduce the risk? Craig Young, Security Resercher at Tripwire recommends that “Nissan [ought to] consider implementing a 2-factor authentication for added protection. This could be as simple as having a more involved first time setup in which mobile devices are issued a device token which will subsequently be sent along with a username and password when connecting to the service.”
If we take this in the context of the countless recent stories on IoT devices being breached, it’s clear that there’s a shortfall in the industry inregard to the security of users. Rainer Kappenberger, Global Product Maganer at HPE Security – Data Security, told us that “companies developing IoT solutions focus on the feature and functionality set that they need to make the consumer experience easy and enjoyable. The developers have the best intentions and do a terrific job creating those applications. However they are typically not security experts and, therefore, implement protocols that either have limited or no security elements incorporated.”
Speaking on the climate within the industry as a whole, he continues “Making sure that security is a first class citizen during the design and development phase of those applications is more critical in the IoT space than ever before. While today’s security best practices focus on the security of the data, with IoT we now must consider the implications to physical security of infrastructure and of people, as we see in the connected car. What if other systems in the car could be breached?”
Kevin Epstein, VP of Proofpoint’s Threat Operations Centred, added that “As the number of such connected devices is expected to grow to more than four times the number of connected computers in the next few years, proof of an ‘internet of things’-based attack has significant security implications for device owners. Many of these devices are poorly protected at best and consumers have virtually no way to detect or fix infections when they do occur.”
Paul Fletcher, cyber security evangelist at managed cloud security provider, Alert Logic, concluded “The Nissan Leaf vulnerability is an issue that needs to be fixed by the manufacturer and while this vulnerability doesn’t have the same impact as the Jeep vulnerabilities documented last year, it’s an entry point into the controls of a vehicle and the potential for a more severe hack is now present. Nissan has an opportunity to embrace this discovery and enhance the security controls of it’s product. Nissan would be smart to launch a “bounty” program, if for no other reason but to market their willingness to put their security controls to the test and build the confidence of their customers and the industry. Only time will tell how serious Nissan takes this threat to it’s vehicles and customers.”

The post Leaf it out mate! Nissan car hijacked by security researcher appeared first on IT Security Guru.

Shopping online at ASDA could put your credit card details at risk

The Gurus — Tue, 19 Jan 2016 10:25:05 +0000

British shoppers might want to check out the following YouTube video by security consultant Paul Moore, especially if they buy their groceries online from ASDA.
Moore says that he notified ASDA of various serious security flaws on its website in March 2014, and was promised a fix “in the next few weeks”.
However, Moore says that after waiting 677 days he has run out of patience.

Original source: Graham Cluley
View the full story here

The post Shopping online at ASDA could put your credit card details at risk appeared first on IT Security Guru.

Google hacker criticized TrendMicro for critical flaws

The Gurus — Tue, 12 Jan 2016 10:50:53 +0000

Tavis Ormandy, a researcher with Google’s Project Zero vulnerability research team, publicly disclosedcritical vulnerabilities in TrendMicro Antivirus that could be exploited to execute malicious code on the targeted system.
Ormandy took only about 30 seconds to find the first code-execution vulnerability affecting the TrendMicro antivirus program.
An attacker could exploit the security flaws to access contents of a password manager built into the TrendMicro security solution. The attackers can view hashed passwords and the plaintext Internet domains they are used for.

Original Source: Security Affairs
View the full story here

The post Google hacker criticized TrendMicro for critical flaws appeared first on IT Security Guru.