You are here: Home / Archives for flaw

Millions of printers open to devastating hack attack, researchers say | msnbc

December 1, 2011 By Leave a Comment

Could a hacker from half-way around the planet control your printer and give it instructions so frantic that it could eventually catch fire? Or use a hijacked printer as a copy machine for criminals, making it easy to commit identity theft or even take control of entire networks that would otherwise be secure?

It’s not only possible, but likely, say researchers at Columbia University, who claim they’ve discovered a new class of computer security flaws that could impact millions of businesses, consumers, and even government agencies.

Printers can be remotely controlled by computer criminals over the Internet, with the potential to steal personal information, attack otherwise secure networks and even cause physical damage, the researchers argue in a vulnerability warning first reported by msnbc.com.  They say there’s no easy fix for the flaw they’ve identified in some Hewlett-Packard LaserJet printer lines – and perhaps on other firms’ printers, too – and there’s no way to tell if hackers have already exploited it.

The researchers, who have working quietly for months in an electronics lab under a series of government and industry grants, described the flaw in a private briefing for federal agencies two weeks ago. They told Hewlett-Packard about it last week.

HP said Monday that it is still reviewing details of the vulnerability, and is unable to confirm or deny many of the researchers’ claims, but generally disputes the researchers’ characterization of the flaw as widespread.  Keith Moore, chief technologist for HP’s printer division, said the firm “takes this very seriously,” but his initial research suggests the likelihood that the vulnerability can be exploited in the real world is low in most cases.

via Red Tape – Exclusive: Millions of printers open to devastating hack attack, researchers say.

Filed Under: Tech Bytes Tagged With: , , , , , , , ,

Skype security flaw allows location tracking | TG Daily

October 25, 2011 By Leave a Comment

A glaring security flaw’s been uncovered in Skype and other VoIP systems, potentially allowing hackers to access users’ identities, locations and even files.

Skype claims more than a half-billion registered users, and one report suggests that one in five overseas calls is made using the service.

But researchers headed by a team at the Polytechnic Institute of New York University say that Skype can be used to track not only users’ locations over time but also their peer-to-peer file-sharing activity. It works even when a user’s blocked callers or used a Network Address Translation (NAT) firewall.

And having done this, says the team, it’s easy to link to information such as name, age, address, profession and employer using social media sites such as Facebook and LinkedIn in order to build profiles on a single tracked target or a database of hundreds of thousands.

“These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services,” says Keith Ross of NYU-Poly.

“A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

via Skype security flaw allows location tracking | TG Daily.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

Adobe to fix Flash flaw that allows webcam spying – Computerworld

October 21, 2011 By Leave a Comment

Adobe is working on a fix for a Flash Player vulnerability that can be exploited via clickjacking techniques to turn on people’s webcams or microphones without their knowledge.

The issue was discovered by a Stanford University computer science student named Feross Aboukhadijeh who based his proof-of-concept exploit on a similar one disclosed back in 2008 by an anonymous researcher.

Technically known as user interface (UI) redressing, clickjacking is a type of attack that combines legitimate Web programming features, like CSS opacity and positioning, with social engineering to trick users into initiating unwanted actions.

For example, clickjacking techniques have been used to trick Facebook users into liking rogue pages or posting spam on their walls by making Like and Share buttons transparent and superimposing them over legitimate-looking ones.

The 2008 webcam spying attack involved loading the Adobe Flash Player Settings Manager, which is actually a page hosted on Adobe’s website, in an invisible iframe and tricking users into enabling webcam and microphone access through it.

via Adobe to fix Flash flaw that allows webcam spying – Computerworld.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

Update: Researcher finds serious vulnerability in Skype – Computerworld

July 15, 2011 By Leave a Comment

A security consultant has notified Skype of a cross-site scripting flaw that could be used to change the password on someone’s account, according to details posted online. Skype said it would issue a fix next week.

The consultant, Levent Kayan, based in Berlin, posted details of the flaw on his blog on Wednesday and notified Skype a day later. He said on Friday he hasn’t heard a response yet.

The problem lies in a field where a person can input their mobile phone number. Kayan wrote that a malicious user can insert JavaScript into the mobile phone field of their profile.

When one of their contacts comes online, the malicious user’s profile will be updated, and the JavaScript will be executed when the other contact logs in. Kayan wrote that the other person’s session could be hijacked, and it may be possible to gain control of that person’s computer. An attacker could also change the password on someone’s account.

There are some mitigating factors, such as that the attacker and victim must be friends on Skype. Also, the attack may not immediately execute when the victim logs in. Kayan said he noticed the behavior happened only after the victim logged in several times. But he said in an e-mail that once it happens the first time, “it happens with each re-login.”

via Update: Researcher finds serious vulnerability in Skype – Computerworld.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

No Trail E Mail™ Introduces Automatic Self-Destructing Email

May 31, 2011 By Leave a Comment

No Trail E Mail™ provides the only true self-deleting encrypted e-mail service on the internet. Other services may claim to have “self-deleting” email programs, but share a fatal technical flaw; they don’t actually delete the messages at all. They may encrypt the message, and perhaps avoid the network sever in sending the message, but the messages may still exist on the sender’s, recipient’s, and the server’s computer. The only things that are deleted are the encryption keys. A skilled computer forensics technician will be able to recover such messages, using no more sophisticated methods than are used to recover other “deleted” files.

Medical and legal documents have been hacked, compromising individual’s confidential information. People have been fired, sued, arrested, divorced, or have been embarrassed by friends and co-workers from e-mails that have surfaced, either by hackers or subpoenas. Every day the news media reports that someone’s e-mail has surfaced and initiated legal problems or embarrassment.

No Trail E Mail’s™ patent pending process deletes the e-mail after a specific time, in hours or days, or after the e-mail is opened by the recipient. After deleting the message on the No Trail E Mail™ server, it is overwritten several times within one hour. It is physically impossible to retrieve the e-mail because it is not there. This “electronic shredding” is the only method to eliminate the original message and attachments. This prevents hackers or subpoenas from retrieving any e-mail sent by No Trail E Mail™. This is an ideal method for sending confidential or secret documents that must be sent via e-mail.

via No Trail E Mail™ Introduces Automatic Self-Destructing Email.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

Microsoft patches critical Outlook drive-by bug – Computerworld

November 9, 2010 By Leave a Comment

Microsoft today patched 11 vulnerabilities, including one in Office that hackers will quickly exploit to launch drive-by attacks, said security experts.

As expected, Microsoft did not ship a fix for the flaw in Internet Explorer (IE) that criminals are currently using to hijack Windows PCs.

Of the 11 flaws addressed in three separate updates, only one was pegged as “critical,” Microsoft’s top ranking in its four-step scoring system. The remaining 10 were all marked “important,” the second-highest rating.

“The one that gives me the heebie-jeebies this month is the Office update,” said Andrew Storms, director of security operations at nCircle Security. “The RTF vulnerability can be triggered simply by viewing a message in Outlook, so all you have to do is receive a [malicious] message. Then the game is over.”

Storms was referring to MS10-087, a five-patch update for Office XP, 2003, 2007 and 2010 on Windows, and Office for Mac 2004, 2008 and 2011.

via Microsoft patches critical Outlook drive-by bug – Computerworld.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

Microsoft patches critical Outlook drive-by bug – Computerworld

November 9, 2010 By Leave a Comment

Microsoft today patched 11 vulnerabilities, including one in Office that hackers will quickly exploit to launch drive-by attacks, said security experts.

As expected, Microsoft did not ship a fix for the flaw in Internet Explorer (IE) that criminals are currently using to hijack Windows PCs.

Of the 11 flaws addressed in three separate updates, only one was pegged as “critical,” Microsoft’s top ranking in its four-step scoring system. The remaining 10 were all marked “important,” the second-highest rating.

“The one that gives me the heebie-jeebies this month is the Office update,” said Andrew Storms, director of security operations at nCircle Security. “The RTF vulnerability can be triggered simply by viewing a message in Outlook, so all you have to do is receive a [malicious] message. Then the game is over.”

Storms was referring to MS10-087, a five-patch update for Office XP, 2003, 2007 and 2010 on Windows, and Office for Mac 2004, 2008 and 2011.

via Microsoft patches critical Outlook drive-by bug – Computerworld.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

Mozilla quickly patches Firefox flaw • The Register

October 28, 2010 By Leave a Comment

Mozilla has reacted quickly to patch a zero-day vulnerability in its Firefox browser software.

The security flaw was used to run a drive-by-download attack so that Firefox fans visiting the website for the Nobel Peace prize were exposed to malware on Tuesday.

Code planted on the site redirected surfers to a hacker-controlled site that ran a JavaScript-based exploit, specific to Firefox, that attempted to plant a Trojan on vulnerable Windows PCs.

The mechanism of the attack, detected by security researchers on Tuesday, is blocked with the release of the latest version of the open source web browser, Firefox 3.6.12. Mozilla has also released a cross-platform update for the earlier version 3.5.x version of the browser that addresses the same security hole.

via Mozilla quickly patches Firefox flaw • The Register.

Filed Under: Tech Bytes Tagged With: , , , , , , , , ,

Apple’s FaceTime for Mac Hit by Password Security Breach | News & Opinion | PCMag.com

October 22, 2010 By Leave a Comment

Apple brought a beta version of its FaceTime video chat service to the Mac on Wednesday, but does it include a security flaw that could put the security of your Apple password at risk?

A post on Macworld Germany claims that if you log-in to your account via FaceTime for Mac, the password can be changed without supplying the existing password. So if you walk away, someone could sit down at your Mac computer and change the password, which would apply across all Apple products, including iTunes.

via Apple’s FaceTime for Mac Hit by Password Security Breach | News & Opinion | PCMag.com.

Filed Under: Tech Bytes Tagged With: , , , , , , , ,

AFP: German ministers slam Facebook for privacy glitch

October 17, 2010 By Leave a Comment

German ministers criticised social networking site Facebook on Sunday for failing to respect privacy, following a report of a serious flaw that allowed non-subscribers access to private data.

German newspaper Frankfurter Allgemeine reported that a glitch potentially allowed anyone access to the contact lists of subscribers.

New subscribers to Facebook are required to enter their email address. However, by entering the email address of an existing user, it was possible to view their full list of contacts, until they had responded to a security request.

This would potentially allow access to hundreds of names, contact details and other personal information, the newspaper reported.

Germany’s consumer affairs minister Ilse Aigner criticised the company for a “series of dubious practices”.

The glitch shows “Facebook’s lack of respect for the privacy of Internet users”, she told the newspaper.

via AFP: German ministers slam Facebook for privacy glitch.

Filed Under: From The News Tagged With: , , , , , , , , ,
« Older Posts