Almost Half The U.S. Subscribes To Netflix, Amazon Prime or Hulu Plus

It’s a good time to be a cord-cutter in the U.S. A new study says that 47% of all American households subscribe to Netflix, Hulu Plus, Amazon Prime or a combination of these. And almost half the country has at least one internet-connected TV set.

Microsoft Word Zero-Day Used In Targeted Attacks

wiredmikey (1824622) writes “Microsoft warned on Monday of a remote code execution vulnerability (CVE-2014-1761) in Microsoft Word 2010 that is being actively exploited in targeted attacks. If successfully exploited, an attacker could gain the same user rights as the current user, Microsoft said, noting that users whose accounts are configured to have fewer user rights on the system could be less impacted than accounts with administrative privileges. ‘The vulnerability could allow remote code execution if a user opens a specially crafted RTF file using an affected version of Microsoft Word, or previews or opens a specially crafted RTF email message in Microsoft Outlook while using Microsoft Word as the email viewer,’ Microsoft explained. Microsoft did not share any details on the attacks that leveraged the vulnerability, but did credit Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team for reporting it to Microsoft.” Read more of this story at Slashdot.

Bitcoin Exchange Value Halves After Chinese Ban

An anonymous reader writes with news of the latest major fluctuation in the price people are willing to pay for Bitcoins. From the article: “China’s ban on its financial institutions handling bitcoin causes world’s largest exchange to cease trading, halving the value of the currency from $1,000 to less than $500 in a matter of days. The country’s central bank took a hard line on Bitcoin in early December when it banned financial institutions from handling the decentralized crypto-currency, and as a result BTC China, the world’s largest bitcoin exchange, has stopped accepting deposits from its users.” Just watch that line trend downward.

Harvard Bomb Hoax Perpetrator Caught Despite Tor Use

Meshach writes “The FBI has caught the student who called in a bomb threat at Harvard University on December 16. The student used a temporary anonymous email account routed through Tor, but the FBI was able to trace it (PDF) because it originated from the Harvard wireless network. He could face as long as five years in prison, three years of supervised release and a $250,000 fine if convicted. He made the threat to get out of an exam.”

Simple Bug Exposed Verizon Users’ SMS Histories

Trailrunner7 writes “A security researcher discovered a simple vulnerability in Verizon Wireless’s Web-based customer portal that enabled anyone who knows a subscriber’s phone number to download that user’s SMS message history, including the numbers of the people he communicated with. The vulnerability, which has been resolved now, resulted from a failure of the Verizon Web app to check that a number entered into the app actually belonged to the user who was entering it. After entering the number, a user could then download a spreadsheet file of the SMS activity on a target account. Cody Collier, the researcher who discovered the vulnerability, said he decided right away to report it to Verizon because he is a Verizon customer and didn’t want others to have access to his account information. ‘I am a Verizon Wireless customer myself, so upon finding this, I immediately looked for a way to contact Verizon. I wouldn’t want my account information to exposed in such way,’ Collier said via email.”

35,000 vBulletin Sites Have Already Been Exploited By Week Old Hole

realized writes “Last week Slashdot covered a new vBulletin exploit. Apparently hackers have been busy since then because according to security firm Imperva, more than 35,000 sites were recently hacked via this vulnerability. The sad part about this is that it could have all been avoided if the administrator of the websites just removed the /install and/or /core/install folders – something that you would think the installer should do on its own.” Web applications that have write access to directories they then load code from have always seemed a bit iffy to me (wp-content anyone?)

Dangerous VBulletin Exploit In the Wild

An anonymous reader writes “vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. Although vBulletin has not disclosed the root cause of the vulnerability or its impact, we determined the attacker’s methods. The identified vulnerability allows an attacker to abuse the vBulletin configuration mechanism in order to create a secondary administrative account. Once the attacker creates the account, they will have full control over the exploited vBulletin application, and subsequently the supported site.”

Researchers Release Tool That Can Scan the Entire Internet In Under an Hour

dstates writes “A team of researchers at the University of Michigan has released Zmap, a tool that allows an ordinary server to scan every address on the Internet in just 45 minutes. This is a task that used to take months, but now is accessible to anyone with a fast internet connection. In their announcement Friday, at the Usenix security conference in Washington they provide interesting examples tracking HTTPS deployment over time, the effects of Hurricane Sandy on Internet infrastructure, but also rapid identification of vulnerable hosts for security exploits. A Washington Post Blog discussing the work shows examples of the rate with which computers on the Internet have been patched to fix Universal Plug and Play, ‘Debian weak key’ and ‘factorable RSA keys’ vulnerabilities. Unfortunately, in each case it takes years to deploy patches and in the case of UPnP devices, they found 2.56 million (16.7 percent) devices on the Internet had not yet upgraded years after the vulnerability had been described.”

Hackers Reveal Nasty New Car Attacks

schwit1 writes “Stomping on the brakes of a 3,500-pound Ford Escape that refuses to stop–or even slow down–produces a unique feeling of anxiety. In this case it also produces a deep groaning sound, like an angry water buffalo bellowing somewhere under the SUV’s chassis. The more I pound the pedal, the louder the groan gets–along with the delighted cackling of the two hackers sitting behind me in the backseat. Luckily, all of this is happening at less than 5mph. So the Escape merely plows into a stand of 6-foot-high weeds growing in the abandoned parking lot of a South Bend, Ind. strip mall that Charlie Miller and Chris Valasek have chosen as the testing grounds for the day’s experiments, a few of which are shown in the video below. (When Miller discovered the brake-disabling trick, he wasn’t so lucky: The soccer-mom mobile barreled through his garage, crushing his lawn mower and inflicting $150 worth of damage to the rear wall.) The duo plans to release their findings and the attack software they developed at the hacker conference Defcon in Las Vegas next month–the better, they say, to help other researchers find and fix the auto industry’s security problems before malicious hackers get under the hoods of unsuspecting drivers.”

Group Chat Vulnerability Discovered in Cryptocat, Project Fixes and Apologizes

alphadogg writes “The founder of an eavesdropping-resistant instant messaging application called Cryptocat has apologized over a now-fixed bug that made some types of messages more vulnerable to snooping. Cryptocat, which runs inside a web browser, is an open-source application intended to provide users with a high degree of security by using encryption to scramble messages. But Cryptocat warns that users should still be very cautious with communications and not to trust their life with the application. The vulnerability affected group chats and not private conversations. The encryption keys used to encode those conversations were too short, which in theory made it easier for an attacker to decrypt and read conversations.” The bug report/merge request, and an analysis of the bug (although, in light of Cryptocat’s gracious response, overly acerbic and dismissive of the project).
