Security researchers identify transit system exploit in San Fran and New Jersey, create app to prove it

Mobile security company Intrepidus Group presented evidence during the EUSecWest security conference potentially identifying a major flaw in at least two US transit systems. Creating an Android app named “UltraReset” and using it in tandem with an NFC-enabled Android phone (a Nexus S, in this case), security researchers Corey Benninger and Max Sobell were able to reset and reuse — free of charge — transit access cards in both San Francisco’s MUNI system and New Jersey’s PATH system. Before you go getting any bad ideas, know that Benninger and Sobell haven’t released the app for public use, and warned both transit systems in late 2011 (though neither region has fixed the exploit, the duo claim). PATH and MUNI share a common chip access card — the Mifare Ultralight — which can apparently be reset for 10 extra rides via Android phones with NFC and an OS newer than 2.3.3 (Gingerbread). Starting to sound familiar?

Intrepidus is, however, releasing a modified version of the app, named “UltraCardTester.” The modified app functions just like its nefarious progenitor, except it can’t add time to cards. The app can tell you how many rides you have left, and if a system is open to exploit, but it won’t assist you in the act of exploiting.

Original article at Engadget

Internet Explorer security updates released [September 2012]

A 0-day vulnerability affecting all versions of Microsoft Internet Explorer except version 10, on all supported Microsoft operating systems, was revealed recently. Microsoft, aware of limited attacks targeting the vulnerability, promised to release an out-of-band patch to protect Internet Explorer users from exploits making use of it.

Internet Explorer users have to visit a specially prepared website on which the attack is carried out. A successful attack may give the attacker the same user rights as the user working locally on the computer. Different types of attacks were reported, some of which dropped a trojan on the system.

Internet Explorer users can mitigate the issue by installing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and configuring it to protect Internet Explorer from exploits. Another option Microsoft suggested to customers was to set the security level of the Internet and Local intranet zones to High.

A Fix It was released yesterday that patches the vulnerability on Windows systems, with the promise of a full patch today. The promised patch has now been released by Microsoft. Windows users can either use the operating system’s built-in Windows Update tool to check for the patch and install it on the system, or download the patch from Microsoft’s Download Center once it is released there.

This security update resolves one publicly disclosed and four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, and Internet Explorer 9 on Windows servers. Internet Explorer 10 is not affected.

Original article at Ghacks

The Man Who Hacked the Bank of France

In 2008 a Skype user looking for cheap rate gateway numbers found himself connected to the Bank of France where he was asked for a password. He typed 1 2 3 4 5 6 and found himself connected to their computer system. The intrusion was rapidly detected but led to the system being frozen for 48 hours as a security measure. Two years of extensive international police inquiries eventually traced the 37-year-old unemployed Breton despite the fact he’d used his real address when he registered with Skype. The man was found not guilty in court today of maliciously breaking into the bank.

Original article at slashdot

Executives Remain Confident Of Security Posture, But Evidence Shows They Are Fooling Themselves, Says PwC Report

The people in charge of security at large companies and organizations appear to have a pretty high opinion of their abilities and their preparations for attacks by hackers and other security incidents, even though the evidence shows they’re fooling themselves.

According to a new survey out today by PwC Consulting, prepared in cooperation with the trade magazines CIO and CSO, the general mood among security executives around the world is optimistic. When asked about their security posture in the survey, nearly 70 percent said that they were “very confident” or “somewhat confident” that they have sufficient security policies and practices in place, and more than 70 percent said their policies are “effective.”

Original article at Teamshatter

Flaw in Oracle Logon Protocol Leads to Easy Password Cracking

There is a serious vulnerability in the authentication protocol used by some Oracle databases, a flaw that could enable a remote attacker to brute-force a token provided by the server prior to authentication and determine a user’s password. The attacker could then log on as an authenticated user and take unauthorized actions on the database. The researcher who discovered the bug has a tool that can crack some simple passwords in about five hours on a normal PC.

Original article at Threatpost

Software engineer pleads guilty to stealing trade secrets

A former senior software engineer for CME Group, a Chicago-based derivatives trading firm, has pleaded guilty to theft of trade secrets for stealing tens of millions of dollars’ worth of computer source code and other information while pursuing plans to improve an electronic trading exchange in China, the U.S. Department of Justice announced.

Original article at HITB

Windows Secrets Newsletter website hacked

Windows Secrets is known by many for its newsletter, which is sent out regularly to free and paid subscribers of the site. At its core, it is a news site that publishes its stories on its website and in the newsletter, with some articles released exclusively to paid subscribers of the service. Articles are written by professionals and experts, making this one of the few newsletters around the web that is worth subscribing to.

It recently became known that the Windows Secrets Newsletter website got hacked. The attacker managed to brute-force an administrator account to gain access to the site. Using the account, the hacker planted malicious code on the site to get access to the site’s database and information. When subscribers and editors started to receive spam that appeared to come from Windows Secrets, site administrators began an investigation to find out what was going on.

They discovered the hacked administrator account and malicious code on the website, and removed all traces of the code and attack from the site. A full audit of the website, servers and sites on the same network is still underway.

Windows Secrets users need to know what has been compromised. According to site operators, the following information could have been exposed:

subscriber name, e-mail address, reader number, ZIP code (if applicable), geographic region, and hashed password — all the entries on your profile page.

It seems fairly certain that email addresses have been exposed, considering that users have received spam in the last few days. Payment information is not kept on the site, and credit card processing is handled exclusively by a third-party service. There is no indication at the time of writing that financial information was compromised in the attack.

It is recommended to change the account password at the earliest convenience on this page to protect the account from third-party access. Subscribers who have used the same password on other sites should change it on those sites as well, as it is likely that the attacker will try to use the email and password combination to log in on popular sites such as Facebook, Twitter or Google (provided that the brute-forcing of the hashed passwords is successful, of course).

Original article at Ghacks