Thursday, February 28, 2013

CCC TechEDge Security News 02.20.13


CCC TechEDge

Security News is a periodic roundup of IT security news important to the California Community Colleges. In this roundup: Dawson student offered job, scholarship <> Latest IE attack brought by same gang that hacked Google <> Google sees one password ring to rule them all <> Secret backdoors found in firewall, VPN gear from Barracuda Networks <> Hackers in China Attacked The Times for Last 4 Months <> For second time in a month, Apple blacklists Java Web plugin <> To prevent hacking, disable Universal Plug and Play now <> WordPress releases version 3.5.1, fixes 3 security issues.

Dawson student offered job, scholarship

By Christopher Curtis and Jan Ravensbergen, The Gazette, 01.23.13
He’s been called a criminal, a liar, a hacker and a thief.
He was kicked out of school and saw his academic record go up in smoke last fall, but now it appears Ahmed Al-Khabaz will have the last laugh.
The 20-year-old computer science student was expelled from Dawson College in November after stumbling upon a potentially disastrous security flaw in the school’s computer system. Al-Khabaz was working on a mobile application for Dawson’s website when he discovered a weakness that could have jeopardized the personal information of more than 250,000 students. Read more.

Latest IE attack brought by same gang that hacked Google—Known for prolific supply of zero-day exploits, Elderwood hackers strike again.

By Dan Goodin, Ars Technica, 01.07.13
Active attacks targeting a critical vulnerability in older versions of Microsoft's Internet Explorer browser have been carried out by an experienced gang of hackers. And over the past four years, the group has penetrated the defenses of Google and dozens of other companies using similar zero-day exploits.
The latest attack, which works against current IE versions of 6, 7, and 8, was found late last month on the CFR.org and Capstoneturbine.com, according to a variety of researchers (including Eric Romang and those from the FireEye Malware Research Lab). Such "watering hole" attacks get their name because they attempt to plant drive-by exploits into sites frequented by the people the attackers hope to infect, similar to a hunter targeting its prey as it drinks water. Read more.

Google sees one password ring to rule them all - Google researchers have proposed a USB key, or even a finger ring, to solve the problems with website passwords

By Zach Miners, IDG News Service, 01.18.13
Google thinks it might have found an answer to the vexing problem of forgotten or weak passwords: "physical" passwords, which might come in the form of a piece of jewelry such as a ring.
In a research paper, two of its engineers write that current strategies to prevent the hijacking of online accounts, including the two-step identity verification system, are insufficient, partly due to the constant threat of attacks that exploit new bugs. Read more.

Secret backdoors found in firewall, VPN gear from Barracuda Networks—The undocumented accounts may have been around for a decade.

By Dan Goodin, Ars Technica, 01.24.13
A variety of firewall, VPN, and spam filtering gear sold by Barracuda Networks contains undocumented backdoor accounts that allow people to remotely log in and access sensitive information, researchers with an Austrian security firm have warned.
The SSH, or secure shell, backdoor is hardcoded into "multiple Barracuda Networks products" and can be used to gain shell access to vulnerable appliances, according to an advisory published by SEC Consult Vulnerability Lab. Read more.

Hackers in China Attacked The Times for Last 4 Months

By Nicole Perlroth, New York Times, 01.31.13
For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.
After surreptitiously tracking the intruders to study their movements and help erect better defenses to block them, The Times and computer security experts have expelled the attackers and kept them from breaking back in. Read more.

For second time in a month, Apple blacklists Java Web plugin—Even Oracle's "high" security mode can't mitigate latest exploits.

By Chris Foresman, Ars Technica, 01.31.13
For the second time in a month, Apple has effectively blacklisted the current version of the Java Web plugin on OS X. The block comes just days after it was discovered that the latest version of the plugin, which had been rushed out to patch a critical vulnerability, can still be exploited despite its heightened security mechanisms.
Apple has worked to distance itself from Java in recent years. The company deprecated its own version of the Java virtual machine for OS X, instead deferring development to Oracle itself. The browser plugin in particular has become a common vector for malware attacks, and Apple removed the Java Web plugin from recent versions of OS X last year. Those needing the plugin must install it separately. Read more.

To prevent hacking, disable Universal Plug and Play now - Researchers find millions of vulnerable Net-facing printers, cams, and routers.

By Dan Goodin, Ars Technica, 01.29.13
Security experts are advising that a networking feature known as Universal Plug and Play be disabled on routers, printers, and cameras, after finding it makes tens of millions of Internet-connected devices vulnerable to serious attack.
UPnP, as the feature is often abbreviated, is designed to make it easy for computers to connect to Internet gear by providing code that helps devices automatically discover each other over a local network. That often eliminates the hassle of figuring out how to configure devices the first time they're connected. But UPnP can also make life easier for attackers half a world away who want to compromise a home computer or breach a business network, according to a white paper published Tuesday by researchers from security firm Rapid7. Read more.

WordPress releases version 3.5.1, fixes 3 security issues

By Dancho Danchev, ZDNet, 01.25.13
Summary: Release of WordPress v3.5.1, fixes 37 bugs, including three security issues.
The following security issues were addressed:
  • A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions.
  • Two instances of cross-site scripting via shortcodes and post content.
  • A cross-site scripting vulnerability in the external library Plupload. Read more.

The news stories are compiled by CCC TechEDge News staff members.
