• LinkedIn bug allowed data to be stolen from user profiles
    A bug in how LinkedIn autofills data on other websites could have allowed an attacker to silently steal user profile data. The flaw was found in LinkedIn's widely used AutoFill plugin, which allows approved third-party websites to let LinkedIn members automatically fill in basic information from their profile -- such as their name, email address, location, and where they work -- as a quick way to sign up to the site or to receive email newsletters. Right now, there are dozens of sites in the top 10,000 websites ranked by Alexa that have been whitelisted by LinkedIn, including Twitter, Microsoft, LinkedIn, and more. But if any of those sites contains a cross-site scripting (XSS) flaw -- which lets an attacker run malicious code on a website -- an attacker can piggyback off that whitelisted domain to obtain data from LinkedIn. "This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user's information to the website." Email addresses are never displayed on LinkedIn profiles -- unless the user puts them there themselves.
  • Oracle whips out the swatter, squishes 254 security bugs in its gear
    Java was on the receiving end of patches for 14 CVE-listed vulnerabilities, including 12 that are remotely exploitable without user notification. For Oracle's MySQL, the update will see 33 patches for various flaws, two (CVE-2018-2761, CVE-2017-3737) of which are remotely exploitable. Oracle Database, meanwhile, will only need two patches: one for a JavaVM bug (CVE-2018-2841), and one for Oracle GoldenGate (CVE-2018-2832). Oracle Financial Services Applications will get 36 vulnerabilities patched, 18 of those being remotely exploitable flaws. PS: Speaking of Oracle and Java, commercial users of Java SE 8 will no longer receive public updates for the software after January 2019 unless they get a commercial license. "Public updates for Oracle Java SE 8 will remain available for individual, personal use through at least the end of 2020," Oracle added.
  • Future cyber threats will come from inside the architecture
    The cloud, metaphorical repository of everything not on computers directly owned by users, is just a fancy term for “someone else’s computer.” Putting data on the computers of others by necessity requires surrendering some control over the devices, so Skoudis suggested that when using cloud assets, agencies and contractors invest specifically in data inventories and have a person assigned as data curator. If the computers aren’t in-house, keeping an eye on the data still can be, and since so much of everything in technology today is the collection, maintenance, and use of data, it makes sense to invest resources in tracking data like other inventory. “The provider can do it themselves or you can do a pen test of the end system.” Besides tracking the data itself, Skoudis highlighted the risk of how data, even anonymized data, could be correlated with open-source information to be de-anonymized, citing specifically an example of anonymized Netflix user information that, paired with data gleaned from IMDb, can reveal who those anonymized users were.
  • Google disables “domain fronting” capability used to evade censors
    By wrapping communications to a service with a request to an otherwise innocuous domain or IP address range such as Google's, application developers can conceal requests to domains otherwise blocked by state or corporate censors. A Google representative told Brandom that domain fronting had never been officially supported by Google, and it only worked until last week "because of a quirk of our software stack… as part of a planned software update, domain fronting no longer works." Domain names show up three times during a Web request—as part of a DNS query for the IP address of the site, in the Server Name Indication (SNI) extension of TLS (which tells a server with multiple sites which domain the traffic is for), and in the HTTP "host" header of the Web request. In a domain fronting scheme, the DNS request and SNI extension use the domain name of an unblocked host, but the HTTP Host header contains the actual destination—which the request is then forwarded to, as long as it's part of the same CDN.
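    The three places a domain name appears, as the item above lays out, are exactly what a CDN edge or a network monitor can compare. The following is an added example, not code from the article or from Google, of a Python check that classifies requests by whether the DNS name, TLS SNI and HTTP Host header agree, and of the edge-side policy (forward only when SNI and Host match) that ends the fronting pattern. The Request fields and the sample records are constructed for illustration.

```python
"""Added example, not from the article: detect SNI/Host disagreement,
the hallmark of the domain fronting scheme described above.
All field names and sample records below are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Request:
    dns_name: str  # name the client resolved before connecting
    sni: str       # TLS Server Name Indication, visible to any on-path observer
    host: str      # HTTP Host header, visible only after TLS is terminated


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Example.test.' == 'example.test'."""
    return name.strip().rstrip(".").lower()


def classify(req: Request) -> str:
    """Monitor-side view: compare all three names from one request record."""
    dns, sni, host = (normalize(n) for n in (req.dns_name, req.sni, req.host))
    if dns != sni:
        # the client resolved one name but presented another in the handshake
        return "dns-sni-mismatch"
    if sni == host:
        return "consistent"
    # same front door, different destination: the fronting pattern
    return "fronted"


def edge_should_forward(req: Request) -> bool:
    """Edge-side policy. A CDN edge never sees the client's DNS lookup, so
    the only check it can apply is that the name in the TLS handshake
    matches the name the HTTP request asks for."""
    return normalize(req.sni) == normalize(req.host)


def summarize(reqs: Iterable[Request]) -> Counter:
    """Count each classification, e.g. for a daily report."""
    return Counter(classify(r) for r in reqs)


SAMPLE_LOG: List[Request] = [  # constructed records, reserved .test names
    Request("www.front.test", "www.front.test", "www.front.test"),
    Request("www.front.test", "www.front.test", "blocked-app.test"),
    Request("cdn.other.test", "www.front.test", "www.front.test"),
]

if __name__ == "__main__":
    for r in SAMPLE_LOG:
        verdict = "forward" if edge_should_forward(r) else "reject"
        print(f"{classify(r):18} {verdict:8} host={r.host}")
    print(dict(summarize(SAMPLE_LOG)))
```

The monitor-side classifier needs a correlated record (DNS answer, handshake, decrypted Host), which only a proxy that terminates TLS can produce; the edge policy needs nothing beyond what the edge already has, which is why a CDN operator can switch it on unilaterally.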
  • Excel pivot table data leak leads to £120,000 fine for London council
    London’s Royal Borough of Kensington & Chelsea has been fined £120,000 (approximately US $170,000) by the Information Commissioner’s Office (ICO) after it unlawfully identified 943 people who owned vacant properties in the borough. It’s in that climate that the council received three Freedom of Information (FOI) requests for statistics on how many empty properties were in the borough. Responding to the FOI requests, a member of the council produced a pivot table containing a list of named owners against the addresses of empty properties in the borough. When a member of the borough’s FOI team checked that no data had been included in the new spreadsheet, they scrolled through the cells, clicking once to check for hidden data. To make things worse, the entire spreadsheet was published by one of the journalists on an online blog, and one of the property owners exposed by the data breach was distressed to be visited at their home by a journalist.
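    Scrolling the visible cells is not enough: a pivot table keeps a copy of its source rows inside the workbook package (the pivot cache, stored under xl/pivotCache/ in the .xlsx zip), and whole sheets can be marked hidden. As an added example that is not part of the article or the council's process, here is a Python pre-publication check that opens an .xlsx as the zip package it is and reports pivot caches and hidden sheets. The sample workbook is constructed in memory and is a minimal package rather than a complete Excel file; the assumption that the leaked rows survived in a pivot cache is mine, drawn from how pivot tables are stored.

```python
"""Added example, not from the article: audit an .xlsx package for data a
cell-by-cell review will not show. The sample workbook is constructed."""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def audit_xlsx(blob: bytes) -> Dict[str, object]:
    """Return the pivot cache parts and hidden sheets found in the package."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        # every pivot table drags its source rows along in these parts
        pivot_caches = sorted(n for n in names if n.startswith("xl/pivotCache/"))
        hidden = []
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.findall("m:sheets/m:sheet", NS):
                # 'veryHidden' sheets do not even appear in the Unhide dialog
                if sheet.get("state") in ("hidden", "veryHidden"):
                    hidden.append(sheet.get("name"))
    return {
        "pivot_caches": pivot_caches,
        "hidden_sheets": hidden,
        "safe_to_publish": not pivot_caches and not hidden,
    }


def build_sample_workbook(hidden_sheet: bool, pivot_cache: bool) -> bytes:
    """Constructed minimal package: only the parts the audit looks at."""
    sheets = '<sheet name="Summary" sheetId="1"/>'
    if hidden_sheet:
        sheets += '<sheet name="Owners" sheetId="2" state="hidden"/>'
    workbook_xml = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        if pivot_cache:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml", "<pivotCacheDefinition/>")
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_xlsx(build_sample_workbook(hidden_sheet=False, pivot_cache=False)))
    print(audit_xlsx(build_sample_workbook(hidden_sheet=True, pivot_cache=True)))
```

For a real file the same function works on `open(path, "rb").read()`. The safe way to publish pivot-table output is to copy the summary cells into a fresh workbook as values, which carries no cache at all.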
  • RansSIRIA Ransomware Takes Advantage of the Syrian Refugee Crisis
    A new ransomware called RansSIRIA has been discovered by MalwareHunterTeam that encrypts your files and then states it will donate your ransom payments to Syrian refugees. This ransomware is a variant of the WannaPeace ransomware and is targeting Brazilian victims. According to MalwareHunterTeam, when executed, the ransomware will display a fake Word window that will take some time opening as it encrypts your files. When done encrypting your files, it will display the screen below, which contains a passionate plea to pay the ransom, which will be used to help Syrian refugees. Finally, after decryption, the ransomware will open the URL https://goo.gl/qNxDFP, which goes to an article at Worldvision about Syrian refugees. The ransomware developers, though, are not donating the ransom payments to the Syrian people and are only trying to benefit from others' pain and suffering, which makes it that much worse. If you encounter this infection and your files become encrypted, I strongly advise that you do not make the payment and try to recover your files using other means.
  • Google just made using two-factor authentication a complete no-brainer
    Since last year, Google has encouraged users to use “device prompts,” which are a push notification sent to your existing Android device, or the Google app on iOS. As of today, however, device prompts have become even more convenient, as iOS users only need to have the Gmail app installed. Provided that you have two-factor authentication turned on and device prompts enabled within your Google account, you’ll now be able to authorize access directly from the Gmail app. When logging in to Google from a new device or browser, you’ll be asked to tap ‘OK’ on one of your devices. Tap OK, and you’ll be authorized to log in on the new device. Of course, you can still use your backup authentication options like text messages, the Authenticator app, or a second email if you have those enabled.
  • Cyber attack on testing company affected several other states
    At a hearing about the testing problems in the Tennessee legislature on Wednesday, the Chief Operating Officer for the company that administers the tests, Brad Bumgartner, said the same attack affected four or five other states. The New York State Education Department also reported technical problems with online tests administered by Questar on Tuesday morning, but didn’t say if the problems were caused by a cyber attack. The cyber attack prevented students from submitting the answers to the tests on Tuesday, but a totally unrelated problem stopped them from logging in on Monday. McQueen and Bumgartner said that the cyber attack on Tuesday shouldn’t have kicked students out of the tests. Rep. Shiela Butt, from Columbia, said that she received a text message during the hearing about high school students in her district that had problems logging onto the tests on Wednesday afternoon. At the hearing, Ted Horrell, the Superintendent of the Lakeland school system near Memphis, said that students in his district and others were forced out of the test.
  • Researchers: Malware app infecting thousands of Facebook accounts
    Hackers have successfully infiltrated tens of thousands of Facebook accounts by targeting users with malware disguised as a painting application, security researchers say. According to data security firm Radware, hackers are using the malware to harvest user credentials, payment methods and other information stored on Facebook accounts across the world. The malware masquerades as a painting application called Relieve Stress Paint and had infected more than 40,000 Facebook user accounts in a matter of days, the firm said Wednesday. According to Radware, hackers are targeting Facebook users through phishing emails or directly through their Facebook accounts, then directing them to a fraudulent website where they are prompted to download the malicious application. Once downloaded, the application runs a malware called Stresspaint in the background, allowing hackers to steal user credentials and use those to collect additional data on the accounts, such as the number of friends a user has or any payment method that may be stored on the account. “The group is specifically interested in users who own Facebook pages and that contain stored payment methods.”
  • Critical Unpatched RCE Flaw Disclosed in LG Network Storage Devices
    A security researcher has revealed complete technical details of an unpatched critical remote command execution vulnerability in various LG NAS device models that could let attackers compromise vulnerable devices and steal data stored on them. LG's Network Attached Storage (NAS) device is a dedicated file storage unit connected to a network that allows users to store and share data with multiple computers. The LG NAS flaw is a pre-authenticated remote command injection vulnerability, which stems from improper validation of the "password" parameter of the user login page for remote management, allowing remote attackers to pass arbitrary system commands through the password field. Using that shell, attackers can then execute more commands easily, one of which could also allow them to download the complete database of NAS devices, including users’ emails, usernames and MD5 hashed passwords. Since passwords protected with the MD5 cryptographic hash function can easily be cracked, attackers can gain authorized access and steal users' sensitive data stored on the vulnerable devices.
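    The flaw as described combines two mistakes: a login handler that hands the "password" parameter to a shell, and a user database that stores unsalted MD5 hashes. As an added example, not LG's code and not tied to any real device firmware, here is a Python login handler that keeps the submitted password out of any command, verifies it against a salted PBKDF2 hash in constant time, and, for a management action that genuinely needs a system command, builds an argument list from an allowlist instead of a shell string. The user record, the action table and the hostname pattern are constructed.

```python
"""Added example, not from the article or from LG: a login path where the
password field is only ever hashed, never executed, plus an allowlisted
argv builder for post-login management commands. All data is constructed."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. A fresh salt means two users with the
    same password get different digests, unlike unsalted MD5, and the
    round count makes each guess cost real work."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "$".join(["pbkdf2_sha256", str(PBKDF2_ROUNDS), salt.hex(), digest.hex()])


def verify_password(stored: str, candidate: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, rounds, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    # constant-time comparison so response timing does not leak matching bytes
    return hmac.compare_digest(digest.hex(), digest_hex)


# constructed user table; a real device would load this from its database
USERS: Dict[str, str] = {"admin": hash_password("constructed-example-pass")}
_DUMMY_HASH = hash_password("dummy")  # keeps timing equal for unknown users


def login(form: Dict[str, str]) -> bool:
    """The password field is hashed and compared, nothing else. It never
    reaches a shell, so metacharacters in it have no effect."""
    username = form.get("username", "")
    stored = USERS.get(username, _DUMMY_HASH)
    ok = verify_password(stored, form.get("password", ""))
    return ok and username in USERS


# post-login management actions, each a fixed argv prefix (constructed table)
ACTIONS: Dict[str, List[str]] = {"ping": ["ping", "-c", "1"]}
# hostname: no leading '-' so the value can never be read as an option
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_argv(action: str, target: str) -> Optional[List[str]]:
    """Return the list to hand to subprocess.run(argv) with no shell, or
    None when the action or the target fails the allowlist. Because the
    value is one argv element, ';', '|' and '`' are just characters."""
    prefix = ACTIONS.get(action)
    if prefix is None or not HOSTNAME_RE.match(target):
        return None
    return prefix + [target]


if __name__ == "__main__":
    print(login({"username": "admin", "password": "constructed-example-pass"}))
    print(login({"username": "admin", "password": "x; id"}))
    print(build_argv("ping", "nas.example"))
    print(build_argv("ping", "nas.example; id"))
```

The two halves address the two findings separately: even if the command allowlist were bypassed, the credential store would still resist offline cracking, and even if the hashes leaked, the login path would give an injected string nothing to execute.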