Let's Encrypt won its Comodo trademark battle – but now fan tools must rename. Popular Bash shell script LetsEncrypt.sh, which is used to manage free SSL/TLS certificates from the Let's Encrypt project, has renamed this week to avoid a trademark row.
This comes in the wake of Let's Encrypt successfully fending off Comodo, which tried to cynically snatch "Let's Encrypt" for itself. Critical flaw in Fiverr.com potentially exposes millions accounts - Security Affairs. The Egyptian Information Security Evangelist, Mohamed Abdelbaset, reported to the colleagues of The Hacker News a serious CSRF (Cross-site request forgery) vulnerability on the popular Fiverr website.
The Fiverr.com website is a marketplace where people offers their services for five dollars per job. Fiverr website is ordinary used by many professionals like blogger and graphic designer, which provides their services starting from just $5, but that depending on complexity could cost much more. The security researcher explained that the CSRF (Cross-site request forgery) which affects the Fiverr.com website allows hackers to compromise any user account, for this reason millions users are potentially at risk.
Tor Warns of Attack Attempting to Deanonymize Users. The Tor Project has disclosed details of an attack which appeared to be an attempt to deanonymize users of the popular anonymity network.
According to Tor Project Leader Roger Dingledine, the attack was detected on July 4 while the organization was trying to identify attacks leveraging a method discovered by researchers at Carnegie Mellon University's CERT. The researchers, Michael McCord and Alexander Volynkin, planned on detailing a way to break the anonymity network by exploiting fundamental flaws in its design and implementation at the upcoming Black Hat security conference, but their presentation was cancelled because their materials had not been approved for public release by the Software Engineering Institute at Carnegie Mellon University. Instagram App Exposes Users to Man-in-the-Middle Attacks: Researcher. A security researcher has released details of an issue affecting the Instagram application for iOS devices that exposes users to hackers launching man-in-the-middle attacks.
Does F-Secure's antivirus turn a blind eye to spook spyware? CEO hits back. Antivirus maker F-Secure has responded to privacy campaigners' concerns over the handling of spook-grade surveillance malware – by insisting its security software slays government spyware wherever it can.
Oracle. Joomla Patches Zero-Day Used in Mass Attacks of Thousands of Websites. A recently patched zero-day vulnerability in the Joomla platform became an open gateway for attackers to compromise thousands of sites, according to findings by security firm Versafe.
Thousands of sites have been compromised in the attack campaign, which was noted by Versafe after the company detected a spike in attacks against Joomla sites in the first half of 2013. The attackers used a zero-day exploit to take over servers and ultimately launch phishing and malware attacks against anyone who visited the compromised sites. Snapchat admits sharing images with US law enforcement. Users of the photo-sharing app Snapchat should not have any assumptions that their images are not being shared with law enforcement.
On Monday, the company admitted in a blog post that it will, and already has, handed photos over to US law enforcement agencies: Spotify warns its Android app users of breach, says to download new version. Spotify has notified users of its music-streaming app that the company's systems and internal company data have been breached.
As a precaution, Spotify is asking Android users to upgrade to a new version of the app. The compromise does not affect Spotify users on iOS or Windows Phone devices. Anti-snooping Message Software Gets Android Release. SAN FRANCISCO - Startup Wickr on Monday released snoop-thwarting messaging software tailored for Android-powered smartphone or tablets, following last year's release of the program for Apple devices.
"Wickr not only offers the most secure form of correspondence but also helps protect our users' contacts as we anonymize this information before it leaves the senders phone," said startup co-founder Robert Statica. "Wickr does not collect any personally identifable information on users nor can we read any messages or contents sent through Wickr, therefore, no criminal or rogue government can take them from us. " Wickr has not released details on numbers of users, but reported seeing "exponential growth" since releasing a free version for Apple mobile devices in June of last year. The free version of Wickr that debuted on Monday was tailored for devices running on Google's Android mobile platform that dominates the smartphone market. 14 antivirus apps found to have security problems.
Build a business case: developing custom apps Organisations should get their antivirus products security tested before deployment because the technology across the board dangerously elevates attack surfaces, COSEINC researcher Joxean Koret says.
COSEINC is a Singapore security outfit that has run a critical eye about 17 major antivirus engines and products and found dangerous local and remotely-exploitable vulnerabilities in 14. US Army ignores shared PC login flaw, asks soldiers to keep quiet. A soldier was made to sign a non-disclosure agreement by the US Army after pointing out a security flaw which allowed accounts on shared PCs to be accessed without proper authentication.
The trivial login issue, which seems to allow soldiers to operate shared PCs with the access rights of the previous user, was exposed last week in a report on BuzzFeed, and has since been confirmed by senior US Army staff. Army staff authenticate on shared computers on bases and in the field using Common Access Code (CAC) smart ID cards. On completing a session the card is removed from the reader and the session should be terminated. However, it appears that the logoff process is often slow and can easily be cancelled by the next user, who can then continue to access the system under the previous user's account. The way the problem was dealt with, on the other hand, could serve as a textbook example of how not to deal with security problems.
Image of army figures courtesy of Shutterstock. GitHub code repository rocked by 'very large DDoS' attack. High performance access to file storage San Francisco–based GitHub, the online repository popular among software developers, suffered a major service outage on Thursday morning due to what it characterizes as a "very large DDoS attack. " This major attack follows a similar one on August 4th. League of Legends is hacked, with crucial user info accessed.
Hackers have breached the system of one of the world's most popular online video games: League of Legends. Riot Games, which developed League of Legends, announced Tuesday that some usernames, e-mail addresses, salted password hashes, first and last names, and even some salted credit card numbers have been accessed. The salted data is somewhat protected, but if users have easily guessable passwords, their information could be susceptible to theft, Riot Games warned.
The affected users are only those who live in North America. While the accessed credit card information is alarming, it pertains only to records from 2011 and earlier. "We are investigating that approximately 120,000 transaction records from 2011 that contained hashed and salted credit card numbers have been accessed," Riot Games wrote in a blog post. Kaspersky - Unvalidated redirection flaw exploitable to serve malware. Ebrahim Hegazy (@Zigoo0) has found an “Unvalidated Redirection Vulnerability” in the website of the giant security solutions vendor “Kaspersky”. Ebrahim Hegazy is the cyber Security Analyst Consultant at Q-CERT who found a SQL Injection in “Avira” website last month, this time he found a Unvalidated Redirection Vulnerability that could be exploited for various purposes such as: Cloned websites (Phishing pages)It could also be used by Black Hats for Malware spreading In the specific case what is very striking is that the link usable for the attacks is originated by a security firm like Kasperky with serious consequences.
Would you trust a link from your security vendor? Anatomy of a password disaster – Adobe’s giant-sized cryptographic blunder. Lavabit, secure email? Hardly, says infosec wizard Moxie Marlinspike. Bitcoin (Probably) Isn't Broken. PayPal. Apple. Google. Microsoft. Facebook. Wordpress. Truecrypt. Pinterest. Oracle. Dropbox. Silent Circle. Sophos. LastPass. Mozilla. Cisco. InterApp Claims It Can Steal Information from Any Phone User. Home » IT Security and Data Protection » Cyber Security » InterApp Claims It Can Steal Information from Any… Earlier this fall, a contributor to The State of Security explained that one of the greatest privacy and security challenges confronting our smartphones today are the apps we choose to install.
He noted in his post how app developers often make money by harvesting data from users’ devices and in turn selling this information to marketers. They also sometimes incorporate third-party libraries and tools into their products in an attempt to further collect user data, the extent and nature of which may or may not be disclosed in the applications’ privacy policies.
Marketers are not the only ones who benefit from the collection of smartphone data.