Tag: yorker-vanity

A world of hurt after McAfee mistakenly revokes key for signing Mac apps

Travis Nep Smith A McAfee administrator accidentally revoked the digital key used to certify desktop applications that run on Apple’s OS X platform, creating headaches for customers who want to install or upgrade Mac antivirus products. A certificate revocation list  [CRL] hosted by Apple Worldwide developer servers lists the reason for the cancellation as a “key compromise,” but McAfee officials said they never lost control of the sensitive certificate which is used to prove applications are legitimate releases. The revocation date shows as February 6, meaning that for seven days now, customers have had no means to validate McAfee applications they want to install on Macs. “We were told that as a workaround, we should just allow untrusted certificates until they figure it out,” an IT administrator at a large organization, who asked that he not be identified, told Ars. “They’re telling us to trust untrusted certs, and that definitely puts us at risk.” Read 6 remaining paragraphs | Comments

View the original here:
A world of hurt after McAfee mistakenly revokes key for signing Mac apps

Thanks, Adobe. Protection for critical zero-day exploit not on by default

dimland.blogspot.com The recently discovered zero-day attacks targeting critical vulnerabilities in Adobe’s ubiquitous Reader application are able to bypass recently added security defenses unless end users manually make changes to default settings, company officials said. According to an advisory Adobe published Wednesday night , the “protected view” feature prevents the current attacks from working—but only if it’s manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the “Files from potentially unsafe locations,” or even the “All files” option. Then click OK. There’s also a way for administrators to enable protected view on Windows machines across their organization. The revelation is significant because it means users aren’t protected when using the default version of the widely used document reader. The limitation came to light following the discovery of in-the-wild attacks against current versions of Reader, which are being exploited to surreptitiously install malware on end-user computers. The exploit is also noteworthy because its intricate code base bypasses several additional protections added just four months ago with the goal thwarting malware attacks. Read 6 remaining paragraphs | Comments

Link:
Thanks, Adobe. Protection for critical zero-day exploit not on by default

Zero-day attack exploits latest version of Adobe Reader

FireEye A previously undocumented flaw in the latest version of Adobe Systems’ ubiquitous Reader application is being exploited in online hacks that allow attackers to surreptitiously install malware on end-user computers, a security firm said. The attacks, according to researchers from security firm FireEye, work against Reader 11.0.1 and earlier versions and are actively being exploited in the wild. If true, the attacks are notable because they pierce security defenses Adobe engineers designed to make malware attacks harder to carry out. Adobe officials said they’re investigating the report . “Upon successful exploitation, it will drop two DLLs,” FireEye researchers Yichong Lin, Thoufique Haq, and James Bennett wrote of the online attacks they witnessed. “The first DLL shows a fake error message and opens a decoy PDF document, which is usually common in targeted attacks. The second DLL in turn drops the callback component, which talks to a remote domain.” DLL is the researchers’ shorthand for a file that works with the Microsoft Windows dynamic link library. Read 5 remaining paragraphs | Comments

Taken from:
Zero-day attack exploits latest version of Adobe Reader

Comcast acquires full ownership of NBCUniversal ahead of schedule

Comcast, the nation’s largest cable provider, will consolidate its control over NBCUniversal by buying out the 49 percent of the media company that it doesn’t already own. Comcast will pay General Electric $16.7 billion for the shares and shell out $1.4 billion for related real estate, including the iconic 30 Rockefeller Plaza. Under a deal announced in 2009, General Electric spun NBC, Universal Studios, and various other media properties off into a new joint venture and sold 51 percent of the shares, and effective control, to Comcast. The merger was intensely controversial. Critics charged that the acquisition would further cement Comcast’s already dominant position in the cable market, making it impossible for competitors such as Netflix to compete on a level playing field. But regulators decided not to challenge the merger, settling for a long list of regulatory concessions. Read 4 remaining paragraphs | Comments

View original post here:
Comcast acquires full ownership of NBCUniversal ahead of schedule

Apple releases iOS 6.1.1 for iPhone 4S users with 3G issues (Updated)

Update : Apple has now released the iOS 6.1.1 update mentioned in our original writeup. The update is specifically for the iPhone 4S and “fixes an issue that could impact cellular performance and reliability for iPhone 4S.” This is most likely to address the 3G issues experienced by some users, though it doesn’t sound like iOS 6.1.1 does anything to improve battery life as of yet. Original story : iOS 6.1.1 may be making its way into consumers’ hands sooner than we expected. The first beta of iOS 6.1.1 was only released to Apple’s developer network last week, but the update is reportedly being “rushed” out to customers in order to address 3G performance bugs, according to German iPhone site iFun . It is also said to address other problems like reduced battery life. The software is said to have undergone some carrier testing, though it’s still unclear exactly when Apple plans to publish the update. Read 4 remaining paragraphs | Comments

Original post:
Apple releases iOS 6.1.1 for iPhone 4S users with 3G issues (Updated)

Adobe issues emergency Flash update for attacks on Windows, Mac users

Adobe Systems has released a patch for two Flash player vulnerabilities that are being actively exploited online to surreptitiously install malware, one in attacks that target users of Apple’s Macintosh platform. While Flash versions for OS X and Windows are the only ones reported to be under attack, Thursday’s unscheduled release is available for Linux and Android devices as well. Users of all affected operating systems should install the update as soon as possible. The Mac exploits target users of the Safari browser included in Apple’s OS X, as well as those using Mozilla’s Firefox. That vulnerability, cataloged as CVE-2013-0634, is also being used in exploits that trick Windows users into opening booby-trapped Microsoft Word documents that contain malicious Flash content, Adobe said in an advisory . Adobe credited members of the Shadowserver Foundation , Lockheed Martin’s Computer Incident Response Team, and MITRE with discovery of the critical bug. Read 4 remaining paragraphs | Comments

Continue Reading:
Adobe issues emergency Flash update for attacks on Windows, Mac users

Data siphoned in Fed reserve hack a “bonanza” for spear phishers

Sensitive details on thousands of banking executives lifted from a hacking involving the Federal Reserve represent a potential “bonanza” for spear phishers looking to snare high-value targets in personalized scam e-mails, a security researcher said. The list is no longer readily available online, but according to Chris Wysopal, CTO of security firm Veracode, it contained details from a Federal Reserve-related database that Anonymous-affiliated hackers claimed to breach on Sunday. It included 31 fields, including home addresses, e-mail addresses, login IDs, and cryptographically hashed passwords. “As you can see, this is a spearphishing bonanza and even a password reuse bonanza for whoever can crack the password hashes,” he wrote in a blog post published on Wednesday. “It doesn’t look like any of these are internal Federal Reserve System accounts as those would have FRS AD UIDs associated with each account. Still, this is about the most valuable account dump by quality I have seen in a while.” Read 2 remaining paragraphs | Comments

View article:
Data siphoned in Fed reserve hack a “bonanza” for spear phishers

We’re going to blow up your boiler: Critical bug threatens hospital systems

A picture of a Tridium device running the Niagara AX framework. Tridium More than 21,000 Internet-connected devices sold by Honeywell are vulnerable to a hack that allows attackers to remotely seize control of building heating systems, elevators, and other industrial equipment and in some cases, causes them to malfunction. The hijacking vulnerability in Niagara AX-branded hardware and software sold by Honeywell’s Tridium division was demonstrated at this week’s Kaspersky Security Analyst Summit in San Juan, Puerto Rico. Billy Rios and Terry McCorkle, two security experts with a firm called Cylance , allowed an audience to watch as they executed a custom script that took about 25 seconds to take control of a default configuration of the industrial control software. When they were done they had unfettered control over the device, which is used to centralize control over alarm systems, garage doors, heating ventilation and cooling systems, and other equipment in large buildings. Taking advantage of the flaw would give attackers half a world away the same control on-site engineers have over connected systems. Extortionists, disgruntled or unstable employees, or even terrorists could potentially exploit vulnerabilities that allow them to bring about catastrophic effects, such as causing a large heating system to explode or catch fire or sabotaging large chillers used by hospitals and other facilities. Attackers could also exploit the bug to gain a toehold into networks, which could then be further penetrated using additional vulnerabilities that may be present. Read 12 remaining paragraphs | Comments

View the original here:
We’re going to blow up your boiler: Critical bug threatens hospital systems

Securing your website: A tough job, but someone’s got to do it

In 2006, members of a notorious crime gang cased the online storefronts belonging to 7-Eleven, Hannaford Brothers, and other retailers. Their objective: to find an opening that would allow their payment card fraud ring to gather enough data to pull off a major haul. In the waning days of that year they hit the mother lode, thanks to Russian hackers identified by federal investigators as Hacker 1 and Hacker 2. Located in the Netherlands and California, the hackers identified a garden-variety flaw on the website of Heartland Payment Systems, a payment card processor that handled some 100 million transactions per month for about 250,000 merchants. By exploiting the so-called SQL injection vulnerability, they were able to gain a toe-hold in the processor’s network , paving the way for a breach that cost Heartland more than $12.6 million. The hack was masterminded by the now-convicted Albert Gonzalez and it’s among the most graphic examples of the damage that can result from vulnerabilities that riddle just about any computer that serves up a webpage . Web application security experts have long cautioned such bugs can cost businesses dearly, yet those warnings largely fall on deaf ears. But in the wake of the Heartland breach there was no denying the damage they can cause. In addition to the millions of dollars the SQL injection flaw cost Heartland, the company also paid with its loss of reputation among customers and investors. Read 23 remaining paragraphs | Comments

See the original article here:
Securing your website: A tough job, but someone’s got to do it

How Yahoo allowed hackers to hijack my neighbor’s e-mail account

Reflected XSS vulnerabilities in action Aspect Security When my neighbor called early Wednesday morning, she sounded close to tears. Her Yahoo Mail account had been hijacked and used to send spam to addresses in her contact list. Restrictions had then been placed on her account that prevented her from e-mailing her friends to let them know what happened. In a  blog post  published hours before my neighbor’s call, researchers from security firm Bitdefender said that the hacking campaign that targeted my neighbor’s account had been active for about a month. Even more remarkable, the researchers said the underlying hack worked because Yahoo’s developer blog runs on a version of the WordPress content management system that contained a vulnerability developers addressed more than eight months ago . My neighbor’s only mistake, it seems, was clicking on a link while logged in to her Yahoo account. As someone who received one of the spam e-mails from her compromised account, I know how easy it is to click such links. The subject line of my neighbor’s e-mail mentioned me by name, even though my name isn’t in my address. Over the past few months, she and I regularly sent messages to each other that contained nothing more than a Web address, so I thought nothing of opening the link contained in Wednesday’s e-mail. The page that opened looked harmless enough. It appeared to be an advertorial post on MSNBC.com about working from home, which is something I do all the time. But behind the scenes, according to Bitdefender, something much more nefarious was at work. Read 9 remaining paragraphs | Comments

Read More:
How Yahoo allowed hackers to hijack my neighbor’s e-mail account