- Friday, 14 August 2015
- Hits: 1836
Facebook hands hackers $100k for breaking browsers
Four researchers have scored US$100,000 from Facebook for revealing 11 bugs affecting platforms including the Chrome and Firefox browsers using novel vulnerability discovery methods.
"We all benefit from this kind of work—a large part of why Facebook has been successful in serving nearly 1.5 billion people is because we have been quick to introduce and adopt categories of systems and frameworks that prevent whole classes of vulnerabilities at once," Papagiannis says in a statement. The hacks are detailed in the paper Type Casting Verification: Stopping an Emerging Attack Vector (PDF) in which the quartet offered a #tool to help detect the bad-casting and type-confusion holes. Read more...
Lenovo Caught Using Rootkit to Secretly Install Unremovable Software
Two years ago Chinese firm Lenovo got banned from supplying equipment for networks of the intelligence and defense services various countries due to hacking and spying concerns. Earlier this year, Lenovo was caught red-handed for selling laptops pre-installed with Superfish malware. One of the most popular Chinese computer manufacturers ‘Lenovo’ has been caught once again using a hidden Windows feature to preinstall unwanted and unremovable rootkit software on certain Lenovo laptop and desktop systems it sells. The feature is known as "Lenovo Service Engine" (LSE) – a piece of code presents into the firmware on the computer's motherboard. Read more...
|Major Hacks of the Week|
Fraudsters steal nearly $47 million from Ubiquiti Networks
US networking technology company Ubiquiti Networks has been swindled by fraudsters and has lost nearly $47 million. According to the quarterly financial report the company filed last week with the US Securities and Exchange Commission, they discovered that they have became a victim of a criminal fraud on June 5, 2015. "The incident involved employee impersonation and fraudulent requests from an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties," the report says. Read more...
Huge hack attack: UK data cops to probe Carphone Warehouse breach
Britain's data watchdog plans to investigate a massive hack attack on Carphone Warehouse's systems, which has put 2.4 million customers at risk of having their personal info ransacked by wrongdoers. On Saturday afternoon, the company coughed to the mega data breach and added that up to 90,000 subscribers may have had their encrypted credit card details swiped during the incident. Read more...
|Major Vulnerabilities Disclosed|
HTC caught storing fingerprints AS WORLD-READABLE CLEARTEXT
Four FireEye researchers have found a way to steal fingerprints from Android phones packing biometric sensors such as the Samsung Galaxy S5 and the HTC One Max. The team found a forehead-slapping flaw in HTC One Max in which fingerprints are stored as an image file (dbgraw.bmp) in a open "world readable" folder! The team say attackers with some remote code execution exploits in hand can harvest these fingerprints en masse. Read more...
Attackers actively exploit Windows bug that uses USB sticks to infect PCs
Attackers are actively exploiting a vulnerability in all supported versions of Windows that allows them to execute malicious code when targets mount a booby-trapped USB on their computers, Microsoft warned Tuesday in a regularly scheduled bulletin that patches the flaw. The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran's nuclear program. Read more...
|Legal, Regulatory and Corporate|
Twitter sees its largest increase from governments wanting account information
Governmental bodies around the world have an appetite for Twitter account information and are wanting more than ever, with the social network reporting its largest increase in requests for account information in the history of its transparency report. United States leading the way by making 56 percent of all global requests, closely followed by Japan, Turkey, South Korea & France Read more...
Cisco network kit warning: Watch out for malware in the firmware
Cisco has warned users to watch out who's got admin access to kit, because it's seen malicious ROM images in the wild. The problem is that this isn't something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course."The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks", Cisco says. "In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials", the note states, meaning someone back-tracked the attack to the admin account used. Read more...
|Security and Beyond|
Hackers charged after pocketing $100m from stolen material
An international team of computer hackers and stock traders has been charged with pocketing more than $100 million in illicit profits made from on-selling stolen market-moving media releases. The US Department of Justice said that in addition to the two Ukraine-based ring-leaders, seven defendants from Ukraine and the United States were involved in the criminal conspiracy, making more than $30 million in illegal trades on the pilfered information. "The defendants launched a series of sophisticated and relentless cyber attacks against three major newswire companies, stole highly confidential information, and used [it] to enrich themselves at the expense of public companies and their shareholders." US attorney Paul Fishman said. Read more...
Malvertising set to wreak one BEELLION dollars in damage this year
Records have fallen as malvertising clocked its most prolific month in history, making it one of the biggest threats to endpoint security. If the scourge continues, criminals will have inflicted a billion dollars in damages by the end of the year from a paltry US$12,000 investment, according to researchers at security firm Invincea. In this threat report [PDF], the firm says it blocked some 2100 malvertising attacks against its customers. It says the attacks represent 2.1 million malicious advertisements purchased by maldoers.
|Security Awareness Tip|
How to ward off phishing attacks
As scams continue to proliferate at alarming rates and are becoming more and more difficult to detect. It's important for you to understand how to recognize a phishing attempt and what you can do to protect yourself.
What Can I Do?
- Be cautious about all communications you receive.
- If it appears to be a phishing communication, do not respond. Delete it
- Do not click on any links listed in the email message and do not open any attachments contained in suspicious email.
- Do not enter personal information in a pop-up screen. Legitimate companies, agencies and organizations don't ask for personal information via pop-up screens.
- Install a phishing filter on your email application and also on your web browser. These filters will not keep out all phishing messages, but will reduce the numbers of phishing attempts
Bad guys often use current news, sensational topics, and promises of shocking photos and video to get you to click on malicious links. Don't fall for it! Stop and think before you click.
|Silensec Editorial Team|
Editor: Dr. Almerindo Graziano
Dr. Graziano is the Silensec CEO. He holds an MSc in Electronic Engineering and a PhD in Mobile Computer Security, both from the University of Naples, Italy. Dr. Graziano has consulted in information security for private and government organisations across Europe, Africa and Middle East over the last 15 years. He is also a BSI-certified ISO27001 Lead Auditor trainer and auditor
Vice Editor: George Nicolaou (BSc, MSc)
George Nicolaou (BSc, MSc) leads the Silensec Malware Analysis Lab (MAL). He received his BSc in Computer Science and MSc in Advanced Computing Security from the University of Bath in UK, where he pursued research in malware and vulnerability analysis. For many years George has also been the Head of Research and Development department of the Astalavista Security Community. George is also a frequent speaker at security conferences around the world on advanced malware analysis, reverse engineering and exploit development techniques.
Associate Editor: Joseph Alulu (B.A)
Joseph Alulu leads the Silensec Marketing Department. He holds a Bachelors of Arts Degree from the University of Nairobi in Kenya. He publishes the weekly Silensec Newsletter, keeping you up to date on the latest information security news as well as creating information security awareness.
Please feel free to share this with interested parties via email, and social media. For a free subscription, please subscribe to our Feed. For any questions please click on the following contact us link