Editor’s Note: Updated to include information on the brand of EAS device that was compromised. – PFR 2/14/2013 OK – the good news is that the dead aren’t rising from their graves and the Zombie Apocalypse hasn’t begun (yet…). The bad news: a phony EAS (Emergency Alerting System) warning about just such a cataclysm earlier this week may have been the result of a hack of what one security researcher says are known vulnerabilities in the hardware and software that is used to distribute emergency broadcasts to the public in the U.S. The warning from Mike Davis, a Principal Research Scientist at the firm IOActive, comes just days after unknown hackers compromised EAS systems at television stations in the U.S. and broadcast a bogus emergency alert claiming that the “dead were rising from their graves” and attacking people. Published reports say that at least four television stations were the victims […]
Vulnerabilities
Obama CyberSecurity Order Puts Infrastructure Owners On Notice
President Barack Obama issued a long-anticipated Executive Order for improving the nation’s cyber security late Tuesday. The Order, released on the same evening as President Obama addressed both chambers of Congress with his State of the Union Address called cyber attacks “one of the most serious national security challenges we must confront,” and put public and private owners of critical infrastructure in the U.S. on notice that they would need to work closely with the government to reduce the risk of crippling cyber attacks. President Obama issued the Order after Congress failed, in its last session, to agree on comprehensive cyber security legislation. Negotiations over the bill broke down over Republican amendments to a Democratic sponsored bill and concerns from the business community about the cost of complying with some of the more controversial provisions. Among those: a requirement that the Department of Homeland Security be able to audit […]
Adobe Pushes Fix For Flash Player, Cites Attacks On Windows, Mac, Android
Adobe released an urgent fix on Thursday for recent versions of Flash Player, citing ongoing attacks against both Windows, Apple Mac, Linux and Android systems. Adobe released the security updates to fix a vulnerability, CVE-2013-0633 in Flash Player, noting that the vulnerability is being exploited “in the wild” (that is: on the public Internet) in targeted attacks. The attacks involve both web based attacks via malicious or compromised web sites and e-mail based attacks. The web based attacks use malicious Flash (SWF-format) content and target vulnerable versions of the Flash Player for the Firefox and Safari web browsers. The e-mail attacks use a malicious Microsoft Word document delivered as an e-mail attachment. The document contains malicious Flash (SWF) content and the email tries to trick the recipient into opening it. The vulnerability in question, CVE-2013-0633 is described as a buffer overflow in Adobe Flash Player that “allows remote attackers to execute […]
Researchers: Hole In TLS Encryption Could Expose Secure Web Sessions
Researchers at the University of London are going public with a paper that claims to have found a flaw in the specification for Transport Layer Security (TLS) that could leave supposedly secure Web, IM, VoIP and other online sessions exposed to prying eyes. The researchers, Nadhem Al Fardan and Kenny Patterson of the Information Security Group at Royal Holloway, University of London said that the security hole stem from a flaw in the TLS specification, rather than a bug in how TLS is implemented. The two researchers have developed proof of concept attacks that take advantage of the flaw, and that could be used to recover a complete block of TLS-encrypted plaintext, the researchers said. Al Fardan is a Ph.D student in the Information Security Group. Patterson is a professor of Information Security there. The two have discovered other, serious holes in TLS before. Notably: the two discovered a critical […]
Friday Night Massacre: Twitter Hacked, Info on 250k Exposed
What better time to drop some really bad and embarrassing news than late on a Friday afternoon, as everyone is heading out the door? So it was with social media giant Twitter, which dropped a bombshell late Friday: revealing that it had been compromised in an “extremely sophisticated” attack that yielded the account credentials for around 250,000 users. A blog post by Twitter Security Team member Bob Lord on Friday said that the company has been investigating the breach all week long, after detecting unusual patterns of account access across its network. After stopping an attack that was in progress, the company’s investigation revealed that the attackers “may have had access to limited user information – usernames, email addresses, session tokens and encrypted/saltedversions of passwords – for approximately 250,000 users,” Lord wrote. Twitter did not discuss the circumstances of the breach, but reiterated guidance from the U.S. Department of Homeland Security for users to disable Java […]
