Researchers find a way around once-reliable security shield


For a long time, hackers have been stymied when they get malicious code running on a victim’s machine and have to figure out where in the computer’s memory that code has ended up. Now a team of Dutch researchers has found a technique that undermines that so-called address space layout randomization, creating the You Are Here arrow that hackers need to orient themselves inside a stranger’s computer. That means any of the common memory corruption bugs found in software applications on a daily basis could lead to a much deeper takeover of a target PC or smartphone. Because the attack exploits hardware, it leaves millions of devices at risk regardless of their operating system — and it can’t be fully fixed with a software update. “This technique makes bugs that weren’t exploitable exploitable again. In some sense, it takes us back to the ’90s in terms of security,” says Ben Gras, a researcher at the Free University of Amsterdam. The attack is particularly serious because attackers can pull it off with JavaScript alone, meaning that simply visiting a malicious website can trigger it. Source: Wired

Breach damage ripples through entire organization

Data breaches are becoming more complex, and causing more damage to the affected organization, according to the 2017 Verizon Data Breach Digest, which found the effects spreading to more parts of an enterprise, causing problems outside of IT. “We find that breaches touch every part of an organization up to and including its board of directors,” said Bryan Sartin, of Verizon Enterprise Solutions. “Companies need to be prepared to handle data breaches before they actually happen.” Source: Tech Republic

Homeland Security leader warns RSA of digital attacks

America’s adversaries are turning “digital breakthroughs into digital bombs” and launching them against increasingly overmatched defenses, the chairman of the House Homeland Security Committee warned at a keynote address at the 2017 RSA conference. Rep. Michael McCaul, R-Texas, said that from nation-states to terrorists to faceless hackers, “the combatants are everywhere, and the phones in your pockets are the battle space.” Source: FCW

Hitting a sour note in San Antonio

Computer hackers broke into the computer network for the San Antonio Symphony, stealing the names, birth dates, Social Security numbers, addresses and W-2 tax forms for about 250 employees. The data breach didn’t compromise data for donors, season ticket holders or other patrons, said symphony President David Gross. Vendor information wasn’t taken either, he said. Source: Express News

Owner of a lonely heart might be the lucky one

The FBI is raising an alarm over the rise in “romance scams” in which victims, typically women, are targeted by cyber criminals masquerading online as potential romantic interests. The scammers usually target older divorced or married women on dating and social networking sites, develop relationships with their victims online without meeting in person, and eventually ask for money. Many criminals are members of crime organizations in Nigeria and difficult to catch. Source: The Hill

They’ve got the meats, but maybe not the security

Arby’s Restaurant Group is investigating a malware attack on its payment card system that targeted thousands of customers’ credit and debit cards. The fast-food chain said the breach was contained and malware removed. The malware was on point-of-sale systems inside some Arby’s corporate-owned restaurants. Source: St. Louis Business Journal

Phisher gets Florida school district information

Following an email phishing incident, in which Manatee, Florida, School District employees’ tax information was sent to a scammer, the School Board approved the purchase of identity theft insurance to protect the victimized employees. A payroll employee submitted electronic copies of about 7,700 district employees’ tax forms to a person falsely claiming to be Superintendent Diana Greene. Source: The Bradenton (Fla.) Times

Apple Macintosh might be Russian hackers’ next target

The Russian hackers linked to the hacking of the Democratic National Committee, APT28, have turned their attention to Apple’s Macintosh computers, releasing new Xagent malware that creates backdoors into Macs that let hackers steal browser passwords, grab screenshots and nab iPhone backups stored on the computer. Apple didn’t immediately respond to a request for comment. Source: CNet

Agency that safeguards election might be abolished

The House Administration Committee approved the Election Assistance Commission (EAC) Termination Act, a bill to abolish the only federal agency tasked with helping states with election administration. The agency sets national standards for new voting machines, and tracks and collects problems. In the 2016 election, 42 states used voting machines that were more than 10 years old. Source: Fortune

That’s the way Yahoo’s cookie crumbles …

Yahoo’s newly issued warning about malicious hacks is related to a third data breach the company disclosed in December 2016. A warning sent to some Yahoo users read: “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” Forged cookies are digital keys that allow access to information without re-entering passwords. The leaked data included email addresses, birth dates and answers to security questions. Yahoo declined to say how many people were affected. Source: CNBC

… Which might mean Verizon has room to negotiate

Verizon Communications is near a renegotiated deal for Yahoo’s internet properties that would reduce the price of the $4.8 billion agreement by about $250 million after the revelation of security breaches at the web company. In addition to the discount, Verizon and the entity that remains of Yahoo after the deal are expected to share any ongoing legal responsibilities related to the breaches. Source: Bloomberg

Banks targeted by attack similar to the one that hit Sony

Cybersecurity specialists found evidence suggesting that recent attacks on institutions in Poland are part of an international hacking effort targeting financial institutions in the United States, Mexico and the United Kingdom—an attack that shares traits with the 2014 attack on Sony. The hacks began late last year, installing unauthorized code on websites belonging to financial regulators, and then using those to attack computers belonging to a select list of global financial institutions. Source: Market Watch

Blogs get bogged down in security flaw

A security flaw in WordPress blogging software let hackers attack and deface tens of thousands of sites. One estimate suggests more than 1.5 million pages on blogs have been defaced. The security firm that found the vulnerability said some hackers were trying to use it to take over sites rather than just spoil pages. WordPress urged site owners to update software. Source: BBC

Watson, come here! I need you!

IBM is putting Watson onto the case in the cybersecurity field. Watson for Cyber Security takes the same core capabilities of Watson—the ability to read millions of documents and terabytes of information to derive insights a human might not spot—and puts them into a security operations center. With security officers at large corporations sometimes scanning several hundreds of thousands of events happening over their networks each day, IBM says it can add another line of defense by proactively helping to spot breaches and hacking attempts that might slip through unnoticed, then making suggestions on the best response. Source: Forbes

Neither snow, nor rain, but a postal worker

A Lincoln, Nebraska, postal worker was arrested in a fraudulent credit card case. Police found documents containing private information of 50 individuals. The majority of the information was mail, primarily change-of-address forms. Authorities said they believe that Harris was taking mail from the postal office, changing addresses, and intercepting paperwork. Source: WOWT, Omaha

We’re all in this together, Microsoft says

Microsoft called for a Geneva Convention for cybersecurity, indicating that states need to agree on digital standards that protect the private sector and prevent major cyber incidents. The software giant seeks that technology companies or critical infrastructure not be targeted, assistance for the private sector in detecting and responding to cyber incidents, reporting vulnerabilities to companies, restraint in developing cyber weapons, and limiting offensive operations to avoid a mass event. Source: MeriTalk