Comcast web mail servers hacked, all users at risk

February 6, 2014 – 4:53 PM

Hacking group NullCrew FTS declared today that it had exploited a security flaw in Comcast’s Zimbra webmail server. It’s believed that the group used a local file inclusion (LFI) vulnerability to obtain usernames and passwords of Comcast ISP users.

The hacking group claims it used this exploit to gain access to the Zimbra LDAP and MySQL database which house the user accounts and passwords. The group posted earlier on pastebin.com a list of what they gained access to, but with no usernames or passwords listed. The posting has since been removed by pastebin.

Every Comcast ISP user has a master account, which is accessible through Comcast’s Zimbra webmail site. This account can be used to access your payment information, e-mail settings, user account creation and services you purchase from Comcast. Even if you do not use Comcast’s mail service, you will still have a master account. It is strongly recommended that, if you are a Comcast user, you change your password as soon as possible.

Comcast performed out-of-schedule maintenance on their mail servers last night, hopefully to fix this exploit. No more information is available at this time on what maintenance was performed.

Source:
http://www.neowin.net/news/comcast-web-mail-servers-hacked-all-users-at-risk

Adobe releases patch for Flash zero-day

February 5, 2014 – 5:00 PM

Adobe has released a fix for a zero-day vulnerability in Flash Player, which impacts users running Windows, Mac and Linux operating systems.

On Tuesday, the company made the updates available via a security bulletin, urging Windows and Mac users to download Flash Player versions 12.0.0.44 and 11.7.700.261 (for those who cannot update to version 12.0). Those running Flash on Linux systems were directed to install version 11.2.202.336 of the plug-in.

In the bulletin, Adobe said that the previously unknown vulnerability, CVE-2014-0497, had been exploited in the wild. Kaspersky Labs researchers Alexander Polyakov and Anton Ivanov reported the bug to Adobe.

The issue stems from an integer underflow vulnerability, which could allow an attacker to remotely take control of an affected system and execute malicious code.

In its bulletin, Adobe also directed users running versions of Flash for Chrome and Internet Explorer 10 and 11 web browsers to update to the newly released 12.0.0.44 plug-in.

Source:
http://www.scmagazine.com//adobe-releases-patch-for-flash-zero-day/article/332873/

More than 180K Chrome users have installed ad-injecting extensions

February 4, 2014 – 4:54 PM

More than 180,000 Google Chrome users have installed at least one of a dozen ad-injecting extensions that are serving up spam on 44 different websites, according to findings by the threat and research analysis team with Barracuda Labs.

As of Jan. 30, the “logo quiz game” extension has been installed by nearly 82,000 users, and “counter strike cs portable” extension has been installed by about 27,000 users, according to a Monday post by Jason Ding, research scientist with Barracuda Labs.

Some of the more popular websites impacted by the extensions include youtube.com, yahoo.com, msn.com, imdb.com, myspace.com, and disney.go.com, Ding wrote, explaining all extensions had been served up on the Chrome Web Store directly.

“When users try to download the extensions from the Chrome Web store, it will ask for ‘Access data to all websites’ permissions before users can download and install them,” Ding said in an email to SCMagazine.com on Tuesday. “Once granted these permissions, JavaScript codes are sitting behind users’ browsers, and these extensions are available at users’ Chrome address.”

Ding then delivered the bad news. “The JavaScript code downloaded has a URL point to an outside JavaScript hosted at www.chromeadserver.com [that] will be executed whenever users are browsing a webpage,” he said.

As a result, ads are injected into the websites, sometimes filling in empty spaces on the page, Ding said, adding the JavaScript is solely for spam, only operates in Chrome browsers and does not impact other parts of the user’s system.
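As an added example (not from the article or from Barracuda Labs), a defender could audit an unpacked extension for the two traits Ding describes: access to all websites and a reference to the reported ad host. The function name, the sample manifests and the script text are constructed for illustration.

```javascript
// Added example: flag extension manifests that can read or modify every site.
// These are Chrome's match patterns that cover all websites.
const ALL_SITE_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host named in the article; extend with other hosts under investigation.
const REPORTED_AD_HOSTS = ["www.chromeadserver.com"];

// manifest: parsed manifest.json; scriptSources: { fileName: fileText } (hypothetical shape).
function auditExtension(manifest, scriptSources = {}) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (ALL_SITE_PATTERNS.has(p)) findings.push(`permission grants all-site access: ${p}`);
  }
  for (const cs of manifest.content_scripts || []) {
    const broad = (cs.matches || []).filter((m) => ALL_SITE_PATTERNS.has(m));
    if (broad.length > 0) {
      findings.push(`content script ${(cs.js || []).join(",")} runs on every page`);
    }
  }
  for (const [file, text] of Object.entries(scriptSources)) {
    for (const host of REPORTED_AD_HOSTS) {
      if (text.includes(host)) findings.push(`${file} references ${host}`);
    }
  }
  return findings;
}

// Constructed sample input, not a real extension.
const sampleManifest = {
  name: "sample quiz game (constructed)",
  manifest_version: 2,
  permissions: ["tabs", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
const sampleScripts = {
  "inject.js": "var s=document.createElement('script');s.src='//www.chromeadserver.com/constructed.js';",
};
// Constructed control case: access limited to a single site.
const benignManifest = {
  name: "single-site helper (constructed)",
  manifest_version: 2,
  permissions: ["storage", "https://example.com/*"],
};

console.log(auditExtension(sampleManifest, sampleScripts));
console.log(auditExtension(benignManifest));
```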

Source:
http://www.scmagazine.com/more-than-180k-chrome-users-have-installed-ad-injecting-extensions/article/332673/

Suspected data breach at Holiday Inn, Marriott hotels

February 4, 2014 – 5:13 AM

Lodgers at Holiday Inns, Marriott and Renaissance hotels may have had their payment card details compromised following a new disclosure on Monday of suspected point-of-sale device attacks.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013.

Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, it said.

The Merrillville, Indiana-based company said it manages hotels under agreement with hotel owners and is a separate entity from the specific hotel brands it operates.

The company said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.

“We deeply regret and apologize for any inconvenience caused by this incident and remain committed to protecting all information entrusted to us by our guests,” it said.

Source:
http://www.pcadvisor.co.uk/news/security/3500285/suspected-data-breach-at-holiday-inn-marriott-hotels/

New Malware Records Everything You Do on Your iPhone

January 31, 2014 – 5:56 PM

Everyone typically beats up on Android for posing a security risk, with its third-party app stores and Google’s open access policies. But Apple iOS is not entirely above the fray, as a new proof-of-concept (PoC) “screenlogging” malware shows.

Neal Hindocha, a senior security consultant for Trustwave, is planning to demonstrate a PoC malware at the upcoming RSA Conference in San Francisco that goes beyond keylogging to record absolutely every interaction that a person has with his or her iPhone or iPad. It monitors finger-swipes on the touchscreen while taking screenshots, so a criminal would know what the user is doing and with what app.

Parsing that information would be very labor-intensive for a would-be hacker, so the malware is inappropriate for use at scale. But it could be used for very targeted, small-batch campaigns, such as lifting a specific person’s online banking credentials, or capturing VPN log-in details for corporate espionage purposes. It could even be used to glean log-in details for free Netflix video streaming, or Facebook hijacking – useful for suspicious spouses and concerned parents alike.

The idea was hatched as Trustwave was researching the evolution of financial malware on the Windows platform, Hindocha told Forbes. The finance vertical is beginning to combat keylogging trojans with new types of password approaches, prompting Hindocha to consider corresponding information-capture strategies. Given the rise of mobile banking, he decided to see how new methods could play out on smart devices.

The malware records the X and Y coordinates of each touch on the screen, and then plots the location onto the screenshot. Hindocha told Forbes that it can also be programmed to only capture information when users are in a specific app – culling the data a hacker needs to sift through and also improving the targeting capabilities.

Source:
http://www.infosecurity-magazine.com/view/36731/new-malware-records-everything-you-do-on-your-iphone/