Researchers from the University of California, Berkeley have published a paper describing security holes in five, web-based password managers including LastPass, My1login and Roboform. According to the paper (PDF), four out of the five password managers inadvertently leaked a user’s credentials for stored web sites due to all-too-common web based security flaws like Cross Site Request Forgery (CSRF) and Cross Site Scripting (XSS). The researchers, Zhiwei Li, Warren He, Devdatta Akwawe and Dawn Song, all of the University of California Berkeley, said that they disclosed the holes in August of last year and that all of the affected firms and that all but one – NeedMyPassword – have since patched the vulnerabilities. All the password managers tested were found to contain one of a short list of security problems. Either they were vulnerable to classic web-based holes (like XSS), or they were found to be susceptible to user interface-focused attacks, like […]
Java
For Smart TVs, Malware May Hide In Broadcast Content
Researchers at Columbia University have published research showing how new technology that combines broadband and broadcast content could enable a wide range of traditional and novel cyber attacks on smart televisions and other devices: forcing them to interact with malicious web pages, harvesting credentials or carrying out denial of service attacks. The paper, published in May, explores potential attacks on combined broadcast-broadband devices that use an industry specification called Hybrid Broadcast-Broadband Television (HbbTV). According to the researchers, Yossef Oren and Angelos D. Keromytis, the HbbTV specification combines broadband technologies like HTML and broadcast features in an insecure manner. The vulnerabilities affect a wide range of smart entertainment devices, including smart televisions, in Europe and the United States. “This enables a large-scale exploitation technique with a localized geographical footprint based on radio frequency (RF) injection, which requires a minimal budget and infrastructure and is remarkably difficult to detect,” the researchers write. “The technical complexity and […]
Veterans Targeted In Attack Using IE 10 Zero Day
Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms. Some visitors to the web site of the Veterans of Foreign Wars (VFW), vfw[dot]org, were the victim of a ‘watering hole’ attack that takes advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. The VFW site was hacked and then altered to redirect users, silently, to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32 bit versions of the Windows operating system. The VFW did not immediately respond to e-mail and phone requests for comment. According to a write-up by the security firm FireEye, the vulnerability allows the attacker to “modify one byte of memory at an arbitrary address” stored […]
Experts: Despite Warnings, Slow Progress Securing Industrial Systems
Despite increased media attention to the security of industrial control systems and critical infrastructure, progress in securing those devices has been slow, experts say. Despite progress in some areas, critical infrastructure – including energy and transportation networks- remains vulnerable to attacks leveled at known security holes for months or years because of a lack of vendor response or customers who lack the incentive or know-how to patch vulnerable systems. That according to some of the world’s top experts in cyber security and industrial systems, who are gathering this week at an industry conference in Miami. The S4 Conference, sponsored by the firm DigitalBond, is one of the premiere conferences for cyber security as it pertains to industrial control systems and often coincides with disclosures from industrial system vendors about serious security holes in their products. The security of industrial control systems has been a top concern of IT security experts and government […]
Cisco Survey: 100% of Fortune 500 Hosting Malware?
If you’re working in IT at a Fortune 500 firm, Cisco Systems has some unwelcome news: you have a malware problem. According to the 2013 Annual Security Report from the networking giant, 100 percent of 30 Fortune 500 firms it surveyed sent traffic to Web sites that host malware. Ninety-six percent of those networks communicated with hijacked servers operated by cyber criminals or other malicious actors and 92 percent transmitted traffic to Web pages without content, which typically host malicious activity. “It was surprising that it was 100 percent, but we know that it’s not if you’re going to be compromised, but when,” said Levi Gundert, a technical lead in Cisco’s Threat Research, Analysis and Communications (TRAC) group in an interview with The Security Ledger. Among the high points (or low points) in Cisco’s Report: Cisco observed the highest number of vulnerabilities and threats on its Intellishield alert service in the 13 years […]
