eBay takes flak for leaving rigged iPhone listing up for 12 hours

eBay’s getting flak for its chilled response to a serious attack.

On Wednesday, a redirect attack was discovered on the auction site, designed to capture customers’ credentials on a spoofed eBay site.

The company left up the listing, which appeared to be advertising an iPhone 5S for sale, for 12 hours after it was reported on Wednesday night.

Paul Kerr, an IT worker from Alloa in Clackmannanshire who the BBC says is also an “eBay PowerSeller”, is responsible for finding and reporting the attack, having clicked on the listing and then having been bounced around through a series of pages.

eBay only took the listing down after the BBC called to follow up on it, the news outlet reports.

A security researcher – Dr. Steven Murdoch from University College London’s Information Security Research Group – was able to analyse the workings of the malevolent listing before eBay removed it.

He found that the attack was employing cross-site scripting (XSS) – a common technique used to attack websites, which works by exploiting a flaw in a site that allows unauthorized users to inject client-side script code, so that the injected script runs in the browsers of other visitors to the page.
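As an added example (not code from the article, eBay or the researcher), the following is a defensive allow-list sanitizer for marketplace listing descriptions: it drops script elements, event-handler attributes and non-http(s) URLs, which is the class of injected client-side code such a listing relies on, and keeps an audit trail of what it removed. The tag allowlist and the sample listing are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allowlist for a listing description (an assumption, not eBay's policy).
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "ul", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")
SKIP_TAGS = {"script", "style", "iframe", "object", "embed"}  # element and its content dropped

class ListingSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []   # dropped: audit trail for detection/alerting
        self._skip = 0                    # >0 while inside a SKIP_TAGS element
    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.dropped.append(tag)
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")               # onerror, onclick, style...
            elif name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@{name}={value[:20]}")  # javascript:, data:, ...
            else:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

def sanitize_listing(html):
    # Returns (safe_html, dropped) for an untrusted listing description.
    s = ListingSanitizer()
    s.feed(html); s.close()
    return "".join(s.out), s.dropped
# Constructed malicious listing: script redirect, javascript: link, event handlers.
MALICIOUS = ('<p>iPhone 5S, unlocked</p><script>location="http://phish.example/"</script>'
             '<a href="javascript:alert(1)" onclick="x()">view</a>'
             '<img src="http://img.example/a.jpg" onerror="steal()">')
```

A non-empty `dropped` list on a new listing is itself a signal worth logging, since legitimate sellers rarely submit script or event handlers.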

September 19th, 2014

Chinese hackers breached US military contractors, says Senate report

Military contractors for the US Transportation Command were breached by hackers associated with the Chinese government at least 20 times in one year, according to a report released Wednesday by the US Senate Armed Services Committee.

The committee’s investigation identified gaps in cyber-incident reporting requirements at the US Transportation Command (TRANSCOM), which is responsible for moving US troops and equipment, including to and from war zones.

TRANSCOM was only aware of two of the breaches, even though the FBI and US Department of Defense were aware of 11 of the 20 successful cyber attacks, revealing a lack of information sharing between agencies.

September 19th, 2014

Apple ships a sevenfold security surprise, including iOS 8 and OS X 10.9.5

Apple doesn’t have Patch Tuesdays, but it does have Update Surprisedays.

Wednesday 17 September 2014 was one of them.

You probably received notification of seven updates from Apple:

iOS 8
Apple TV 7
OS X Mavericks 10.9.5 (Security Update 2014-004 for 10.7 and 10.8)
OS X Server 3.2.1
OS X Server 2.2.3
Xcode (Apple’s development environment) 6.0.1
Safari 6.2 and 7.1

I use Apple’s OS X Combo updates when I can; for OS X 10.9.5, the Combo update includes all the files needed to update from any 10.9.x version, including the original 10.9 release.

The Combo updates are much larger (982MB this time, instead of 275MB for the package that can only update you from OS X 10.9.4), because they include files that were already part of previous point releases.

September 19th, 2014

Mitigating the Impact of the CyberVor Breach

Start using a password manager

If you are not yet using LastPass or another password manager, we advise getting started immediately. A password manager centralizes your logins and passwords in one secure place.

Run the Security Check

The LastPass Security Check identifies any weak or duplicate passwords, tells you if any sites were affected by Heartbleed, and gives you an overall “security score” so you can understand how you’re progressing with your password security. To run it, click the LastPass icon in your browser toolbar, then under the “Tools” sub-menu select “Security Check”.

Replace duplicate passwords with generated ones

After running the Security Check, you’ll know which sites have weaker passwords, and you can start updating them. Begin with the most important sites – financial, email, and social. You can launch the site straight from the Security Check and log in, then go to your account settings page on that website and use LastPass to replace the old password. Repeat for all sites using weak, duplicate, or old passwords.

Turn on multifactor authentication

Multifactor authentication adds another security layer to your account by requiring that you confirm “something you have” (like a Google Authenticator code) after submitting “something you know” (your LastPass email address and master password). LastPass supports 10 multifactor authentication options, giving you the flexibility to choose the one that suits your workflow best.

September 18th, 2014

Apple adds two-step verification for iCloud, effective immediately

At the start of September 2014, a scandal broke when illegally-collected nude photos of 100 celebrities were published online.

Early rumours suggested that this might be down to some sort of iCloud “hack,” because at least some of the photos had been stolen from iCloud accounts, and because the photos all appeared at once, as though they had been grabbed as a job lot.

The photos were apparently stolen from multiple sources in various ways, but released as a job lot by a collector.

Two-step verification

Apple’s response, as we reported at the time, was to urge iCloud users to turn on its two-factor authentication system, known as two-step verification (2SV).

Turning on 2SV only protected certain operations on your Apple account, such as editing your account details or buying products from iTunes or the App Store from a new computer or device.

September 18th, 2014

New Google transparency report details hike in government user data requests

Governments around the world are demanding increasingly larger amounts of user data from Google, according to the company’s latest Transparency Report.

In the first six months of 2014, the company received just under 32,000 data requests from governments, an increase of 15% when compared to the second half of 2013, and two and a half times more than when Google first started publishing the data in 2009.

The latest Transparency Report, released Monday, is a service Google and other big-name companies provide to detail how many times governments ask the company to hand over user information to aid investigation of alleged criminal cases.

According to the report, the top ten countries requesting data from Google this time around were the US, Germany, France, India, the UK, Italy, Singapore, Australia, Spain and Brazil.

September 18th, 2014

Siri Lets Anyone Bypass Your iPhone’s Lockscreen — Feature or Bug?

Much like beauty, secure design seems to be in the eye of the beholder.

Those who have gotten early access to Apple’s next software release, iOS 8, have started playing around with it, and the security-minded among the previewers have started looking for flaws and bugs. An expert found “screen bypass bugs” in iOS, that is, ways of circumventing the passcode Apple users put on their devices to keep strangers out. In playing around with an iPhone with iOS 8, he quickly discovered what he saw as a bug: Apple’s voice-activated assistant Siri acting like the worst bouncer ever. In iOS 8, he could activate Siri from the homescreen and she would let him circumvent the lockscreen to post to a person’s Facebook page or look at their notes and call history. No passcode necessary. He posted demonstrations on YouTube.

But it turns out this is not new and not a bug. You can do it in iOS 7 as well. Most of my iPhone-using friends and colleagues were surprised when I showed them that I could take their locked iPhones and post a status of my choosing to their Facebook walls on their behalf, see the last 25 people they’d called, or look at recent notes they’d made to themselves. That means a snoopy significant other or a paranoid boss could see who you’ve been talking to. A frenemy could sabotage your Facebook wall. And voyeurs can see what you want your phone to remember. But this may be a tech deja vu moment for some of you as this has all been covered before.

September 17th, 2014

Android L Preview: 14 New Bug Fixes Including AT&T/T-Mobile MMS Error Fix Found via Developer Preview Hub

Android L developer preview has been in the works ever since Google announced the next platform upgrade for Android 4.4.4 KitKat, a couple of months ago.
Now fresh details of Android L development have surfaced online: a batch of new bug fixes, including the AT&T/T-Mobile MMS error fix, has appeared in the Developer Preview hub, where the biggest and most critical bugs in Android L have been patched.

One of the most widespread issues with Nexus devices running Android L has been the inability to send or receive MMS messages through the default Hangouts app while the user is connected via the AT&T or T-Mobile network.
Prospective Android L users may be pleased to know that Google has apparently patched the issue, and the fix will be available as part of the upcoming public release of Android L.

The report further adds that thirteen other bugs have been marked as “fixed” in the last 24 hours, which is an indication that we might see all these changes (see screenshot below) in the forthcoming final build of Android L.
A few of the most critical bug-fixes in the pipeline for the public release of Android L include missing emoji, lockscreen hangs, jerky chronometer, problem with shadow on moving elements, poor legibility on data usage screen, missing notification in status bar and Wi-Fi Proxy settings resets after disconnecting.

There is still no word on the actual release window for the Android L update, nor any information regarding the new hardware enhancements that will be supported by Google on its new Android platform.
If the past is any indication, we might see a few developer phones running the Android L final release in October or November as was the case in the last three years.

September 17th, 2014

VMware and Cisco patch vulnerabilities in data-center gear and software

VMware and Cisco Systems released security fixes this week for serious vulnerabilities in networking virtualization and server software typically used in data centers.

Cisco patched a persistent denial-of-service vulnerability that could prevent the out-of-band management of Cisco Unified Computing System (UCS) E-Series Blade servers that are deployed in Cisco Integrated Services Routers Generation 2 (ISR G2).

The vulnerability is located in the SSH (Secure Shell) service of the Cisco Integrated Management Controller (Cisco IMC), a specialized micro-controller embedded in server motherboards that allows systems administrators to monitor and manage servers from outside their OS.

Cisco released version 2.3.1 of the Cisco IMC firmware for UCS E-Series servers on Monday. Customers need to use the Host Upgrade Utility in order to deploy the new firmware.

A team of security experts published an alert about the issue last week.

If the vulnerability is left unpatched, an attacker could exploit it by sending a specially crafted packet to the vulnerable SSH server, forcing the IMC to become unresponsive. This could affect the availability of the entire server.

“Recovery of the Cisco IMC will likely require a restart of the affected E-Series Server via physical interaction with the blade’s power switch, or a restart of the ISR G2 router that the device is installed in,” Cisco said in an advisory. “A restart of the E-Series blades via the power switch will cause a loss of power to the operating system running on the device. A restart of the ISR G2 router will cause a loss of all traffic passing through the router while it restarts as well as impacting the blade servers installed in the device.”

VMware released security updates Thursday for its NSX and vCloud Networking and Security (vCNS) products in order to patch what the company called “a critical information disclosure” vulnerability. The company’s advisory does not clarify what kind of information can be disclosed by exploiting the issue, but both the NSX and vCNS products are used for virtualizing network services.

VMware NSX allows datacenter administrators to create, provision, snapshot, delete and restore complex networks programmatically from software, using the underlying physical network only for packet forwarding. vCNS provides networking and security functionality for virtualized computing environments through services such as a virtual firewall, virtual private network (VPN), load balancing, NAT, DHCP and VXLAN-extended networks.

September 17th, 2014

New malware spreads over Twitch chat, targets Steam accounts

If you use gaming video streaming site Twitch, you’ll want to be careful what you click on. A new piece of malware spread through Twitch’s chat feature will attempt to bleed your Steam account dry, according to security experts.
The malware spreads through messages posted to Twitch chat that try to entice users into entering a weekly raffle. Click on the link, and a Java program will open up a phony raffle entry form.

Once you fill out and submit the form (which doesn’t actually get sent anywhere), the malware goes to work. It installs and runs a Windows binary that can gain access to your Steam account and add friends, accept friend requests, trade items, and sell items in the market at a discount.

As a result, the malware can “wipe your Steam wallet, armory, and inventory dry,” according to F-Secure, and sell your items at a discount on the Steam Community Market. The idea here is that the attacker can sell uninteresting items from your account, then buy themselves more interesting items. Shady.

Because all of this happens on your own system, it bypasses Steam’s security measures that prevent others from logging into your account from another PC. F-Secure recommends that Steam add new security measures “for those trading several items to a newly added friend and for selling items in the market with a low price based on a certain threshold.”
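The two heuristics F-Secure proposes can be expressed as simple account-activity rules. The following is an added example (not F-Secure’s or Valve’s code) that runs both rules over a constructed event log; the thresholds, event fields and account names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed thresholds (assumptions for illustration; a real service would tune them).
NEW_FRIEND_WINDOW = timedelta(hours=24)  # a friend added this recently counts as "new"
BULK_TRADE_ITEMS = 5                     # "several items" traded in one go
UNDERPRICE_RATIO = 0.5                   # listing below 50% of recent market price

@dataclass
class Event:
    ts: datetime
    kind: str                  # "friend_added", "trade" or "market_listing"
    counterparty: str = ""     # other account for friend_added / trade
    items: int = 0             # items sent in a trade
    price: float = 0.0         # asking price of a market listing
    market_price: float = 0.0  # recent median price for the same item

def flag_suspicious(events):
    """Return [(event, reason)] for activity matching the two heuristics."""
    friend_since = {}
    flags = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "friend_added":
            friend_since[ev.counterparty] = ev.ts
        elif ev.kind == "trade":
            added = friend_since.get(ev.counterparty)
            if (added is not None and ev.ts - added <= NEW_FRIEND_WINDOW
                    and ev.items >= BULK_TRADE_ITEMS):
                flags.append((ev, "bulk trade to newly added friend"))
        elif ev.kind == "market_listing":
            if ev.market_price > 0 and ev.price < UNDERPRICE_RATIO * ev.market_price:
                flags.append((ev, "listed far below market price"))
    return flags

# Constructed sample activity for one compromised account (not real data).
T0 = datetime(2014, 9, 17, 12, 0)
SAMPLE = [
    Event(T0, "friend_added", counterparty="old_pal"),
    Event(T0 + timedelta(days=30), "friend_added", counterparty="mule_acct"),
    Event(T0 + timedelta(days=30, minutes=10), "trade", counterparty="mule_acct", items=12),
    Event(T0 + timedelta(days=30, minutes=12), "market_listing", price=0.40, market_price=4.00),
    Event(T0 + timedelta(days=30, minutes=15), "trade", counterparty="old_pal", items=2),
    Event(T0 + timedelta(days=30, minutes=20), "market_listing", price=3.80, market_price=4.00),
]
```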

September 17th, 2014
