Microsoft will patch IE zero day but doesn’t give timeline

May 23, 2014 – 5:38 AM

Microsoft said Thursday it plans eventually to patch a vulnerability in Internet Explorer 8 that it’s known about for seven months, but it didn’t say when.

A security research group within Hewlett-Packard called the Zero Day Initiative (ZDI) released details of the flaw on Wednesday after giving Microsoft months to address it. The group withholds details of vulnerabilities to prevent tipping off hackers but eventually publicizes its findings even if a flaw isn’t fixed.

Microsoft said it had not detected attacks that used the vulnerability, a “use-after-free” flaw involving the handling of CMarkup objects.

The company did not give a reason for the long delay but said in a statement that some patches take longer to engineer and that “we must test every one against a huge number of programs, applications and different configurations.”

“We continue working to address this issue and will release a security update when ready in order to help protect customers,” it said.

To exploit the flaw, an attacker would have to convince a user to visit a malicious website. If the attack were successful, a hacker would have the same rights as the victim on the computer and could run arbitrary code.

Microsoft’s next patch release, known as “Patch Tuesday,” is scheduled for June 10. It occasionally issues an emergency patch if a vulnerability is being widely used in attacks.

Source:
http://www.pcadvisor.co.uk/news/security/3521302/microsoft-will-patch-ie-zero-day-but-doesnt-give-timeline/

eBay To Ask Users To Change Passwords

May 21, 2014 – 10:23 AM

eBay Inc. (Nasdaq: EBAY) said beginning later today it will be asking eBay users to change their passwords because of a cyberattack that compromised a database containing encrypted passwords and other non-financial data. After conducting extensive tests on its networks, the company said it has no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. However, changing passwords is a best practice and will help enhance security for eBay users.

Information security and customer data protection are of paramount importance to eBay Inc., and eBay regrets any inconvenience or concern that this password reset may cause our customers. We know our customers trust us with their information, and we take seriously our commitment to maintaining a safe, secure and trusted global marketplace.

Cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network, the company said. Working with law enforcement and leading security experts, the company is aggressively investigating the matter and applying the best forensics tools and practices to protect customers.

The database, which was compromised between late February and early March, included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth. However, the database did not contain financial information or other confidential personal information. The company said that the compromised employee log-in credentials were first detected about two weeks ago. Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.

The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.

Source:
https://blog.ebay.com/ebay-inc-ask-ebay-users-change-passwords/

Free privacy and security scans with McAfee Mobile Security

May 21, 2014 – 5:32 AM

McAfee announced the latest version of McAfee Mobile Security that now enables consumers to run free privacy and security scans. These scans allow users to identify apps that are oversharing personal information.

It also scans for and removes malware and looks for other security threats. McAfee makes it simple for users to perform these scans as soon as the product is installed.

According to McAfee’s Consumer Mobile Security Report, 80% of mobile apps today collect location information about users, 82% know the device ID, and 57% track when people use their phones. Additionally, the apps that aggressively and often unnecessarily collect data leverage potentially dangerous ad libraries, and 35% of these apps contain malware.

McAfee Mobile Security’s privacy scan provides key intelligence about the apps users have installed on a smartphone or tablet. The scan determines how much information each app is able to access and share, then ranks them by level of privacy sensitivity, while also checking for risky URL associations. When an app behaves significantly differently from others in its category, the level of risk is raised and reflected in its privacy sharing score. At the conclusion of the privacy scan, the user can uninstall suspicious apps with one click.

Source:
http://www.net-security.org/secworld.php?id=16891

FBI: BlackShades Infected Half-Million Computers

May 19, 2014 – 6:40 PM

More than a half-million computers in over 100 countries were infected by sophisticated malware that lets cybercriminals remotely hijack a computer and its webcam, authorities said as charges were announced Monday against nearly 100 people worldwide.

Authorities said 97 people suspected of using or distributing the malicious software called BlackShades have been arrested in 16 countries, including the software’s owner, a 24-year-old Swedish man.

“This case is a strong reminder that no one is safe while using the Internet,” said Koen Hermans, a Netherlands official in Eurojust, the European Union’s criminal investigation coordination unit. “It should serve as a warning and deterrent to those involved in the manufacture and use of this software.”

U.S. Attorney Preet Bharara called BlackShades a “frightening form of cybercrime,” saying a cybercriminal could buy a $40 malicious program whose capabilities were “sophisticated and its invasiveness breathtaking.” FBI Agent Leo Taddeo said people suspecting they are BlackShades victims should visit FBI.gov to learn how to check computers.

Authorities said the BlackShades Remote Access Tool or “RAT” has been sold since 2010 to several thousand users, generating sales of more than $350,000. The agency said one of the program’s co-creators is cooperating and has provided extensive information.

Source:
http://www.wirelessdesignmag.com/news/2014/05/fbi-blackshades-infected-half-million-computers

Public Hotspots Are a Privacy and Security Minefield: Shield Yourself

May 19, 2014 – 5:38 AM

An axiom among network security pros is that you should treat public Wi-Fi hotspots like the cyber equivalent of public bathrooms: a convenience we all use, but only with the requisite hygiene. You wouldn’t share personal items like a toothbrush or razor with others at an office, gym or airport restroom, but too often people broadcast personal information that could be disastrous in the wrong hands over wireless networks where intercepting data is easier than many people realize. In addition, users on public hotspots leave breadcrumbs documenting their every move on the Internet for anyone, including the hotspot operator, to mine through for valuable, and privacy-compromising, insights; a topic I’ll cover in more depth in my next column.

We all know that personal data leaks like a sieve on the Internet writ large, whether through Google’s collection of search history, Facebook’s aggregation of login credentials and activity tracking (using cookies and social plug-ins) on sites far and wide, and other ad networks that track our every move. However, the risk is acute out in the wild, in the world of public hotel, airport, cafe and convention center Wi-Fi. While Google and Facebook collect data that profiles and tailors ads and other promotions to their users, at least their customers (i.e. essentially all of us) generally know what we’re signing up for in the bargain. Out in the wilds of public hotspots, there are no rules.

First off, with public, unencrypted Wi-Fi, you’re never sure who or what you’re really connecting to. We’re all familiar with the rogue access points (APs) using common names like “Linksys” or “Netgear”, but only a rookie would fall for those ruses. However, things like Hak5’s legendary (at least among cyber security pros) Wi-Fi Pineapple, which exploits convenience features in the Wi-Fi protocol, make it trivially easy to impersonate and intercept all wireless traffic directed to a given hotspot.

Source:
http://www.forbes.com/sites/kurtmarko/2014/05/18/hotspot-security-part1/