The firm Duo Security* said that it has discovered a vulnerability that affects a range of two-factor authentication plugins for the WordPress content management platform. The vulnerability could allow a malicious insider to use credentials for one WordPress site to log into a different site that is part of a ‘multi-site’ WordPress deployment without needing to pass a multi-factor authentication test. In a blog post on Thursday, DUO co-founder and CTO Jon Oberheide said that the vulnerability was discovered as part of an internal review of DUO’s two-factor WordPress plugin, but that researchers realized it affects at least two other multi-factor plugins. DUO issued a warning to users of its plugin. The company also reached out to WordPress and to the publishers of other multi-factor authentication plugins to address the issue, Oberheide wrote. DUO makes multi-factor authentication technology that allows users to log in using a combination of username, […]
Software
Veterans Targeted In Attack Using IE 10 Zero Day
Visitors to the web site of the Veterans of Foreign Wars (VFW) are being targeted in an attack that exploits a previously unknown hole in Microsoft’s Internet Explorer 10 web browser, according to warnings Thursday by security firms. Some visitors to the web site of the Veterans of Foreign Wars (VFW), vfw[dot]org, were the victims of a ‘watering hole’ attack that takes advantage of a previously unknown ‘use-after-free’ vulnerability in Microsoft’s Internet Explorer 10 web browser. The VFW site was hacked and then altered to redirect users, silently, to a malicious website programmed to exploit vulnerable versions of IE 10 on systems running 32-bit versions of the Windows operating system. The VFW did not immediately respond to e-mail and phone requests for comment. According to a write-up by the security firm FireEye, the vulnerability allows the attacker to “modify one byte of memory at an arbitrary address” stored […]
Internet of Dings: Verizon Shelves Home Automation Service
The news this week that search giant Google completed its acquisition of smart-home device maker NEST prompted at least one news outlet to proclaim that the “New Internet of Things Wave” has been set in motion. (Umm…new?) But there’s a cautionary note in the business headlines: news that Verizon shuttered its Verizon Home Monitoring service. Matt Hamblen over at Computerworld.com has the news and the confirmation from Verizon. The service launched in 2012 and was designed to sink that company’s hooks deeper into wired homes. Verizon provided a common hardware platform for home automation and entertainment systems to plug into and talk to each other. Users could manage devices remotely from their computer, mobile device or from their televisions using FiOS TV. It comprised video surveillance, environmental control and physical security. In commercials, Verizon trumpeted it as the “ultimate 21st century green energy home control.” Verizon charged users $10 a month […]
Uncle Sam Makes Mobile, Medical Device Security a Priority in 2014
The U.S. Department of Health and Human Services (HHS) says that it will make the security of mobile devices containing personal health information and networked medical devices areas of intense scrutiny in 2014. The security of a wide range of devices, from laptops and USB ‘jump drives’ to networked medical devices like dialysis machines and medication dispensing systems, will be under review, according to a 2014 Work Plan issued by HHS’s Office of the Inspector General (OIG). (PDF) Among other projects, the OIG will review hospitals’ plans to protect against the loss of protected health information (PHI), as well as similar plans put in place by Medicare and Medicaid contractors in the next year. OIG will also scrutinize security controls at hospitals that protect networked medical devices. OIG wants to determine if the controls in place are adequate to secure electronic protected health information stored on medical devices. Links between networked […]
FTC Approves Settlement Over Leaky Surveillance Cam
The US Federal Trade Commission (FTC) announced on Friday that it has approved a settlement with TRENDnet, Inc. over lax security features in its line of SecurView cameras. The FTC said on Friday that it has approved a final order settling charges against the company, whose cameras were found to be poorly secured against external attackers, who could access them and use them to spy on the homes and private lives of hundreds of consumers. [See also: Apple Store Favorite IZON Cameras Riddled with Holes] The FTC complaint stems from a February, 2012 case in which independent security analysts with the web site Console Cowboys published details on how a firmware flaw allowed authentication for Internet-connected SecurView cameras to be bypassed, giving any Internet user (with the know-how) the ability to view the surveillance camera’s live feed. The Commission first announced a settlement with TRENDnet, a Torrance, California company, in September of […]