Reports

Researchers Sidestep Paypal Two-Factor Authentication

Researchers at DUO Security claim to have found a way of bypassing a two factor authentication feature that secures logins to Paypal.com, eBay’s online payment service. The vulnerability could allow an attacker who has stolen a Paypal customer’s user name and password to gain access to the account, even though the customer had enabled the more secure two-factor authentication option. DUO described the problem in a blog post early Wednesday. According to researcher Zach Lanier, Paypal has published an API (application program interface) for its Security Key two-factor authentication technology that contains a vulnerability that would allow even a non-technical hacker to bypass the second factor when accessing a Paypal customer’s account. An attacker only needs a victim’s PayPal username and password in order to access a two-factor protected account and send money. “The protection offered by the two-factor Security Key mechanism can be bypassed and essentially nullified,” the company wrote in […]

Continue Reading

Why I’m Not in a Hurry for a ‘Smart Home’ – WSJ

If you didn’t read it on Sunday, The Wall Street Journal sent columnist Christopher Mims to the home of SmartThings CEO Alex Hawkinson to get a tast of what ‘smart home’ living is like. Mims came away impressed – but also skeptical that the complexity of layering so much technology into our everyday routines is bound to have more bad outcomes than good ones. “Other than people who have very specific reasons to add automation to their homes, I have no idea why anyone would do it, even if the equipment were free…Even when smart-home technology works as advertised, the complexity it adds to everyday life outweighs any convenience it might provide,” he writes. As for the smart home ‘killer app,’ Mims quotes Hawkinson as saying that home security and monitoring seems to be the most promising application of smart home technology right now. Google’s acquisition of DropCam is just […]

Continue Reading

Reuters Readers Redirected In Ad Network Attack

An online ad network used by the web site of the Reuters news service was the victim of a malicious attack by the Syrian Electronic Army on Sunday. The Syrian Electronic Army claimed responsibility for a malicious ad attack that affected Reuters.com The attack, against the firm Taboola, resulted in visitors to Reuters.com being redirected to a web site operated by the Syrian Electronic Army, a pro- Syrian government group that has taken credit for attacks against The New York Times, The Washington Post, Reuters and other western news outlets in the last year. According to a post on Taboola’s blog, Attackers claiming affiliation with The Syrian Electronic Army (SEA) used a phishing attack to gain access to a Taboola-operated program on Reuters.com early Sunday. The attacker then redirected visitors to articles on Reuters.com to a SEA website.Taboola said it detected the breach at around 7:25 AM East Coast time […]

Continue Reading

Update: Another IPMI Mishap? Researcher Claims Supermicro Devices Vulnerable

There’s more bad news for companies that rely on the Intelligent Platform Management Interface (IPMI) to manage servers and other hardware in their IT environments. Specifically: researcher Zachary Wikholm over at Cari.net has published evidence of what he says is a head-slapping vulnerability affecting devices that use IPMI Base Management Controllers (BMCs) made by the firm SuperMicro. According to Wikholm, servers equipped with Supermicro BMCs store a password file, PSBlock, in plain text and – making matters worse- leave it open to the world on port 49152. “You can quite literally download the BMC password file from any UPnP enabled Supermicro motherboard running IPMI on a public interface,” he wrote. Baseboard Management Controllers (BMCs) are small, embedded systems attached to a system’s motherboard that manage IPMI communications. Wikholm says that Supermicro has fixed the problem in the latest version of its IPMI firmware. However, companies are often reluctant to flash […]

Continue Reading

Code Spaces Probably A ‘Target of Opportunity’

The spectacular collapse this week of Code Spaces, a cloud-based code repository, may have been the result of a an unspectacular “opportunistic” hack, rather than a targeted operation, according to one cloud security expert. The sudden demise of the online application repository has sent shock waves through the tech industry, laying bare what some say are lax practices among many cloud-based application and infrastructure providers. But the attack itself was almost certainly the result of a larger, indiscriminate cyber criminal campaign, said Jeff Schilling, the Chief Security Officer of Firehost, a Texas-based secure cloud provider. “This is something we pretty frequently: companies get held ransom with a DDoS attack, and if that doesn’t work, (the attackers) will resort to doing other things,” Schilling told The Security Ledger. But Code Spaces almost certainly wasn’t the only company the extortionists worked on, Schilling said. Instead, the company was likely caught up in a wide net […]

Continue Reading
1 123 124 125 126 127 152