Recent Posts

DDoS Attacks Hit Cloud Apps Evernote, Feedly

Large-scale attacks knocked two prominent, web-based services offline late Tuesday, as cyber criminals attempted extort money from the owners of news aggregation site Feedly and the hosted productivity tool Evernote. Feedly – a web site that pulls together news feeds from across the web – remained unreachable early Wednesday, while Evernote was back online. Both companies issued statements confirming that they were the victims of a massive distributed denial of service (DDoS) attack. “We’re actively working to neutralize a denial of service attack. You may experience problems accessing your Evernote while we resolve this,” read a message sent from Evernote’s Twitter account Tuesday evening at around 8:00 PM Eastern Time. And, around 5:00 AM Eastern on Wednesday, Feedly posted a blog entry that reads: “Criminals are attacking feedly (sp) with a distributed denial of service attack (DDoS). The attacker is trying to extort us money to make it stop. We refused to give […]

Continue Reading

IPMI Insecurity Affects 200k Systems

It has been almost a year since security researcher Dan Farmer first warned of the danger posed by Intelligent Platform Management Interface (IPMI) – a ubiquitous protocol used to do remote management of servers. According to a new report, however, that warning went unheeded. Writing last week (PDF), Farmer said that a world-wide scan for systems using the Intelligent Platform Management Interface (IPMI) protocol identified over 230,000 Baseboard Management Controllers (BMCs) exposed to the Internet. As many as 90% of the exposed systems could be compromised by exploiting what Farmer characterized as “basic configuration and protocol weaknesses.” Even more worrying, the 230,000 systems that are Internet accessible are probably just a fraction of all the vulnerable systems that might be attacked, with many deployed on (hackable) corporate and private networks. Farmer is reiterating calls for public and private sector organizations to wake up to the dangers posed by IPMI. Hackers who are able to compromise Baseboard Management […]

Continue Reading

Gameover Not The End: Zeus Malware Still Threatens Fortune 500

Prolexic, a division of Akamai, issued an advisory to Fortune 500 firms on Monday about what it calls “a high-risk threat of continued breaches from the Zeus framework.” The company’s Security Engineering & Response Team (PLXsert) said on Monday that it has observed new payloads from the Zeus crimeware kit in the wild, and that networks of Fortune 500 companies are a prime target. Cyber crime groups are using Zeus to steal login credentials and gain access to web-based enterprise applications, as well as online banking accounts, Akamai warned. “The Zeus framework is a powerhouse crimeware kit that enterprises need to know about to better defend against it,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai, in a statement. “It’s hard to detect, easy to use, and flexible – and it’s being used to breach enterprises across multiple industries.” A variant of Zeus, Gameover, was the subject […]

Continue Reading

FTC Wants To Be Top Cop On Geolocation

The Federal Trade Commission (FTC) is asking Congress to make it the chief rule maker and enforcer of policies for the collection and sharing of geolocation information, according to testimony this week. Jessica Rich, Director of the FTC Bureau of Consumer Protection, told the Senate Judiciary Committee’s Subcommittee for Privacy, Technology that the Commission would like to see changes to the wording of the Location Privacy Protection Act of 2014 (LPPA), draft legislation designed to spell out consumer protections pertaining to the location data. Rich said that the FTC, as the U.S. Government’s leading privacy enforcement agency, should be given rule making and enforcement authority for the civil provisions of the LPPA. The current draft of the law instead gives that authority to the Department of Justice (DOJ).   The LPPA legislation (PDF) was proposed in March by Sen. Al Franken, and co-sponsored by Senators Coons (D-DE) and Warren (D-MA). It proposes updating the Electronic Communications […]

Continue Reading

Heart Attack? Fixes For More Critical Holes In OpenSSL

Just a month after a critical security hole in OpenSSL dubbed “Heartbleed” captured headlines around the globe, The OpenSSL Foundation has issued an other critical software update fixing six more security holes, two of them critical. The Foundation issued its update on Thursday, saying that current versions of OpenSSL contain vulnerabilities that could be used to carry out “man in the middle” (or MITM) attacks against OpenSSL clients and servers. SSL VPN (virtual private network) products are believed to be especially vulnerable. Users of OpenSSL versions 0.9.8, 1.0.0 and 1.0.1 are all advised to update immediately. According to information released by the OpenSSL Foundation, an attacker using a carefully crafted handshake can force the use of “weak keying material in OpenSSL SSL/TLS clients and servers.” That could lay the groundwork for man-in-the-middle attacks in which an attacker positions herself between a vulnerable client and server, decrypting and modifying traffic as it passes through the attacker’s […]

Continue Reading
1 324 325 326 327 328 396