September 16, Reuters – (National) Homeland Security websites vulnerable to cyber attack: Audit. The Office of the Inspector General for DHS released a report September 15 citing several deficiencies within DHS’s information systems, including lapses in internal systems used by several agencies that may allow unauthorized individuals to gain access to sensitive data, and the need to establish a cyber-training program for analysts and investigators, among other findings. Source
September 16, Threatpost – (International) Bug in iOS allows writing of arbitrary files via AirDrop. Researchers from Azimuth Security discovered a vulnerability in a library shared by Apple’s iOS and OS X operating systems which an attacker within AirDrop range could leverage, whether or not the user accepts the transfer, to execute a directory traversal attack and write files to arbitrary locations in an affected device’s file system. Source
September 15, The Register – (International) Thought Heartbleed was dead? Nope – hundreds of thousands of things still vulnerable to attack. The founder of the Shodan search engine reported that over 200,000 devices on the Internet are still vulnerable to the Heartbleed OpenSSL vulnerability disclosed in 2014, including 57,272 devices in the U.S. The vulnerability allows an attacker to extract passwords, private keys, and other sensitive information because of a missing bounds check in OpenSSL’s TLS heartbeat handling: the server copies as many bytes into its reply as the attacker claims to have sent, so each crafted heartbeat request reads a chunk of server memory beyond the request itself, and the request can be repeated at will. Source
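The missing bounds check described above, as an added illustration that is not from the article or from OpenSSL’s source. The code models a heartbeat record as [type:1][payload_len:2][payload][16 bytes padding] inside a constructed 64-byte "server memory" buffer with a secret placed directly after the record; the handler names, the buffer layout and the secret string are assumptions made for the demo. The vulnerable handler mirrors the pre-1.0.1g logic (trust the peer’s length field), the fixed handler mirrors the 1.0.1g patch (drop the record if the claimed payload does not fit in what was received).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "server memory": the heartbeat request record followed by data
 * the peer must never see. This layout is a deliberate simplification of the
 * heap and is not OpenSSL's. */
static uint8_t server_mem[64];

/* Build a request that claims `claimed_len` payload bytes while actually
 * sending `real_len` bytes. Returns the record length actually on the wire. */
static size_t build_request(uint16_t claimed_len, size_t real_len) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (uint8_t)(claimed_len >> 8);
    server_mem[2] = (uint8_t)(claimed_len & 0xff);
    memset(server_mem + 3, 'A', real_len);
    size_t rec_len = 3 + real_len + HB_PADDING;
    /* Secret sits right after the record, as adjacent heap data would. */
    memcpy(server_mem + rec_len, "SECRET-PASSWORD", 15);
    return rec_len;
}

/* Vulnerable handler: the reply payload length is taken from the request and
 * never compared with the record length, so memcpy reads past the request. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    (void)rec_len;                          /* the bug: rec_len is ignored */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;       /* output-side guard, demo only */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);      /* over-read: payload > bytes received */
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: silently discard the request unless header + claimed
 * payload + padding fits inside the bytes that were actually received. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return 0;             /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* the bounds check */
    size_t resp_len = 3 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Returns 1 if the secret string appears anywhere in the reply, else 0. */
int leaks_secret(const uint8_t *resp, size_t resp_len) {
    const char *needle = "SECRET-PASSWORD";
    size_t n = strlen(needle);
    for (size_t i = 0; resp_len >= n && i + n <= resp_len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

/* Run one malformed request (claims 40 bytes, sends 1) through a handler. */
int demo_leak(int use_fixed) {
    uint8_t resp[128];
    size_t rec_len = build_request(40, 1);
    size_t n = use_fixed ? heartbeat_fixed(server_mem, rec_len, resp, sizeof resp)
                         : heartbeat_vulnerable(server_mem, rec_len, resp, sizeof resp);
    return leaks_secret(resp, n);
}

/* A well-formed 4-byte heartbeat still gets a reply from the fixed handler. */
size_t valid_response_len(void) {
    uint8_t resp[128];
    size_t rec_len = build_request(4, 4);
    return heartbeat_fixed(server_mem, rec_len, resp, sizeof resp);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_leak(0));
    printf("fixed handler leaks secret:      %d\n", demo_leak(1));
    printf("fixed handler valid reply bytes: %zu\n", valid_response_len());
    return 0;
}
```

The fixed handler returns 0 rather than an error record, matching the real patch’s choice to drop malformed heartbeats silently; a scanner like the one Shodan’s founder used sends exactly this kind of over-claimed request and checks whether the reply is longer than what it sent.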
September 15, Agence France-Presse – (International) Russian pleads guilty in major hacking case. A Russian national arrested in 2012 and extradited to the U.S. in February 2015 pleaded guilty September 15 to leading a hacking and data breach scheme that compromised the Nasdaq stock market and payment systems at 7-Eleven, Carrefour, JCPenney, and other companies, resulting in losses of over $300 million between 2005 and 2012. Source
September 16, Help Net Security – (International) Android 5 bug allows attackers to easily unlock password-protected devices. The University of Texas at Austin Information Security Office discovered a lockscreen bypass vulnerability affecting Android version 5.1.1 in which an attacker with physical access could paste an extremely long string into the password field while the camera app is open, crashing the lockscreen and dropping to the home screen with full access to the device. Google addressed the issue in Android 5.1.1 build LMY48M. Source
September 16, Securityweek – (International) WordPress patches XSS, privilege escalation vulnerabilities. The developers of the WordPress content management system (CMS) released version 4.3.1, addressing 3 security vulnerabilities and 26 bugs: a cross-site scripting (XSS) flaw in the processing of shortcode tags through which an attacker could inject malicious JavaScript into content rendered on WordPress pages, a flaw that allows low-privileged users to publish private posts and make them “sticky,” which can be chained with the XSS flaw, and a separate XSS vulnerability. Source
September 16, Help Net Security – (International) Persistent XSS flaw in SharePoint 2013 revealed, patched. Microsoft patched a persistent (stored) cross-site scripting (XSS) vulnerability in SharePoint 2013 in which script injected by an attacker runs in the browser of every user who views the affected content, allowing the attacker to fingerprint the victim’s operating system (OS), browser, and plugins, steal sensitive information from the session, and push malicious downloads that could lead to remote code execution. Source
September 16, Securityweek – (International) Major malvertising operation went undetected for three weeks. Security researchers from Malwarebytes discovered a malvertising campaign affecting the websites of several major companies including eBay, Drudge Report, and Answers.com, in which attackers served ads through a rogue ad server that redirected visitors to websites hosting the Angler exploit kit (EK). The campaign went undetected for nearly three weeks, and 46 percent of the affected users were in the U.S. Source
September 15, Help Net Security – (International) The rise of repeated “low and slow” DDoS attacks. Neustar released research findings revealing an increase in small, repeated distributed denial-of-service (DDoS) attacks from 2014 to early 2015, with 54 percent of companies surveyed hit by at least 6 attacks. The research also found that attack duration is increasing, with 10 percent of attacks lasting about a week, among other findings. Source
September 15, Securityweek – (International) Popular mobile travel apps have critical security issues: Report. Bluebox Security released report findings revealing that the ten most popular mobile travel applications contain critical flaws, including failures to encrypt sensitive data stored on the device, a lack of certificate pinning, which leaves users exposed to man-in-the-middle (MitM) attacks, and a lack of anti-tampering measures, among other findings. Source
September 15, Reuters – (International) Cisco router break-ins bypass cyber defenses. Security researchers from FireEye discovered attacks in August across multiple industries and government agencies on three continents in which Cisco 1841, 2811, and 3825 routers were implanted with the sophisticated SYNful Knock malware, a modified Cisco IOS image that preserves normal router functions while giving attackers a persistent backdoor that survives reboots and can be used to reach further into the network. Researchers believe attackers installed the implant using stolen or default network administration credentials or through direct physical access, not by exploiting a software vulnerability. Source
September 14, Securityweek – (International) TLS communications exposed to KCI attacks: Researchers. Security researchers from Research Industrial Systems Engineering (RISE) revealed that a flaw in the Transport Layer Security (TLS) protocol’s support for client certificates with fixed Diffie-Hellman keys could be leveraged to execute a Key Compromise Impersonation (KCI) attack: an attacker who obtains the private key of a client certificate installed on the victim’s machine can impersonate the server in a man-in-the-middle (MitM) position, take over client-side code running in the victim’s browser, intercept communications, replace web site content at will, and perform actions on the victim’s behalf. Source