Security COVERAGE FROM AROUND THE WEB


Software developers in Madison will gather at a local startup's offices on Saturday to participate in a "hackathon" run by Foursquare, the New York location-based social networking site. Snowshoe, a maker of mobile apps that markets an aluminum stamp designed to authenticate smartphone transactions, will host the Madison edition of the Foursquare Global Hackathon. An emerging company called hoos.in will co-host the event. At a hackathon, computer programmers, graphic designers, project managers and others collaborate intensively on software projects. Prizes will be awarded to winning projects. Foursquare allows users to post their location from smartphones and other mobile devices and check in on friends.
Conference speakers of the future are to be given the opportunity to be mentored and trained via the 'rookie track' at next year's Security B-Sides London. With offers of an experienced mentor to help the speaker prepare for a friendly, introductory environment, the rookie track is designed to bring new blood into the speaking circuit. B-Sides London rookie track co-organiser Robin Wood told SC Magazine that they were inviting people who have never spoken at a conference before to submit talks, with full support available to help them with it. He said: "It can be very daunting to get up on stage and speak for an hour in front of a large group of peers, so the rookie track is deliberately offering short talks – just 15 minutes, in a controlled environment with only 20 people maximum for the room. We are hoping that once people have given their first talk they will realise that it isn't as bad as they think it is and will go on to present in the future." Asked what sort of people they were hoping to attract, Wood said that the target audience was originally students, but a mix of students, junior pen-testers/researchers and general security enthusiasts had already submitted ideas.
Earlier this week my colleagues Peter Szabo and Richard Wang respectively discovered and wrote about malware disguised as a Microsoft Excel spreadsheet used to generate Sudoku puzzles to help pass the time. This morning I was contacted by another SophosLabs researcher, Scott Sitar, about a booby-trapped PowerPoint presentation titled "Will the world end in 2012?" Like the Excel spreadsheet, this file contained Visual Basic macro code that drops an executable file called VBA[X].exe, where [X] is a random capital letter. In fact, the macro was functionally identical to that found in the Sudoku puzzle.
Sumit Suman recently visited a site, did not sign up for anything, did not connect via social media, but got a personal email from the site the next day.

I've learned that there is a "website intelligence" network that tracks form submissions across their customer network. So, if a visitor fills out a form on Site A with their name and email, Site B knows their name and email too as soon as they land on the site. It all started 2 weeks ago when I got a promotional email (anonymized to avoid promotion) offering to

I get B2B marketing emails all the time but what caught my eye was the inclusion of a report snapshot for 42Floors.com showing names, companies, and emails of site visitors, and the information seemed plausible. I was both skeptical and concerned so I replied to the sales rep and asked how they could identify 42Floors' visitors without something like an email link click-through. His reply was forthright:

For example, if [a visitor] went to XYZ.com and filled out a web form and then [the visitor] later visited 42floors.com, [42Floors] would be able to identify [the visitor] by name/email as well as company details even though [the visitor] never filled out a web form on [42Floors.com].
The FTC has reached a settlement with Epic Marketplace, a large online ad network, over what the FTC says was the company's practice of sniffing users' browser history, that is, using code served with its ads to test whether a visitor's browser had previously visited particular sites, in order to serve them targeted ads related to a variety of sensitive topics. The settlement bars Epic from performing history sniffing and requires the company to destroy all of the data it has collected from consumers through history sniffing up to this point. The consent decree from the FTC is the latest in a series of actions from various agencies regarding the practice of history sniffing and tracking users across the Web. The FTC has been focusing on this practice in recent years, putting pressure on ad networks to change their practices and to be clearer in their privacy policies about what they collect. This most recent action from the FTC doesn't involve a fine, but simply bars Epic Marketplace from using history sniffing and from misrepresenting what it collects from consumers. "Consumers searching the Internet shouldn't have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge," said FTC Chairman Jon Leibowitz. "This type of unscrupulous behavior undermines consumers' confidence, and we won't tolerate it."
Posted on 4 December 2012. | PhishMe predicts that phishers will be changing their tactics in 2013 – resorting to targeted spear phishing emails rather than the mass mails of the past.
Posted on 4 December 2012. | This is a guide for managers who want to learn about cybersecurity and discover how to create and implement a plan to protect their organization.
Posted on 3 December 2012. | The law created to protect children's online privacy actually increases risk, according to new research from Polytechnic Institute of New York University.
Posted on 3 December 2012. | Large numbers of employees use Dropbox and other consumer file sharing services for sensitive work-related data, even if they know that their employer has a specific policy banning the use of such services.
Posted on 30 November 2012. | Western Connecticut State University has begun notifying students, their families, and individuals who had other associations with the university that their personal information may have been exposed.
Twitter users with SMS enabled are vulnerable to an attack that allows anyone to post to their account. The attacker only needs to know the mobile number associated with a target's Twitter account; messages can then be sent to Twitter with the source number spoofed. Like email, the originating address of an SMS cannot be trusted: many SMS gateways allow the originating address of a message to be set to an arbitrary identifier, including someone else's number. Facebook and Venmo were also vulnerable to the same spoofing attack, but the issues were resolved after disclosure to their respective security teams. Twitter users who have a mobile number associated with their account and have not set a PIN code are vulnerable. All of the Twitter SMS commands can be used by an attacker, including the ability to post tweets and modify profile info. More generally, any service that implicitly trusts the originating address of SMS messages and does not receive them on a short code is vulnerable. Until Twitter removes the ability to post via non-short-code numbers, users should enable PIN codes (if available in their region) or disable the mobile text messaging feature. Twitter's PIN code feature requires every message to be prepended with a four-digit alphanumeric code. This mitigates the issue, but at the time of writing the feature was not available to users inside the United States.
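As an added illustration (this is not code from the original post, from Twitter or from any of the services named), here is a toy inbound-SMS command handler in Python in two forms: the vulnerable one, which treats the originating number as the only credential, and a hardened one that requires the prepended PIN the post describes. The gateway messages, phone numbers, account table and PIN are all constructed for the example; the only library call of note is `hmac.compare_digest` for the PIN comparison.

```python
import hmac
import re

# Constructed sample: what an SMS gateway hands the application for messages
# arriving at a long-code number.  Only the claimed sender and the body are
# available.  The third message was sent through a gateway that lets the
# sender choose an arbitrary originating address, so it carries the victim's
# number even though the victim never sent it.
INBOUND = [
    ("+15551230001", "real owner posting without a PIN"),
    ("+15551230001", "2k7q real owner posting with the PIN"),
    ("+15551230001", "spoofed: attacker knows only the victim's number"),
]

# Constructed account table: mobile number -> user and the PIN they chose.
ACCOUNTS = {"+15551230001": {"user": "alice", "pin": "2k7q"}}

# A four-character alphanumeric PIN, then whitespace, then the command text.
PIN_RE = re.compile(r"^([A-Za-z0-9]{4})\s+(.*)$", re.DOTALL)


def post_trusting_sender(from_number, body):
    """Vulnerable handler: the originating address is the only credential.

    Returns (user, text) for an accepted post, or None if rejected.
    """
    acct = ACCOUNTS.get(from_number)
    if acct is None:
        return None
    return (acct["user"], body)


def post_requiring_pin(from_number, body):
    """Hardened handler: the body must start with the account's PIN.

    The number still selects the account, but a forged sender address is
    useless without the shared secret that only the real owner prepends.
    """
    acct = ACCOUNTS.get(from_number)
    if acct is None:
        return None
    m = PIN_RE.match(body)
    if m is None:
        return None
    pin, text = m.groups()
    if not hmac.compare_digest(pin.encode(), acct["pin"].encode()):
        return None
    return (acct["user"], text)


def dispatch(handler, inbound=INBOUND):
    """Run every inbound message through a handler; return the accepted posts."""
    accepted = []
    for from_number, body in inbound:
        result = handler(from_number, body)
        if result is not None:
            accepted.append(result)
    return accepted


if __name__ == "__main__":
    # The trusting handler publishes all three, spoofed message included;
    # the PIN handler publishes only the message carrying the right PIN.
    print("trusting sender:", dispatch(post_trusting_sender))
    print("requiring PIN:  ", dispatch(post_requiring_pin))
```

Two caveats a practitioner would add: a four-character PIN is only as good as the rate limiting in front of it, and this handler still reveals whether a number is registered. The structural fix the post points to is receiving commands on a short code, where the carrier rather than an arbitrary gateway sets the originating number.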
A Romanian bug hunter has discovered a "blended threat" targeting Yahoo's Developer Network web site that allows unauthorized access to Yahoo users' emails and private profile data. At a security conference on Sunday, Sergiu Dragos Bogdan demonstrated an abbreviated version of an attack using the YQL console on developer.yahoo.com. Yahoo Query Language (YQL) is the company's SQL-like query language, and the console is used to test queries against Yahoo data tables; authenticated users can also query tables holding their own Yahoo account data, such as emails and profile data. According to Computerworld, Bogdan showed how an attacker could abuse a feature on the site by loading a specific URL inside an iframe that returned the visitor's "crumb code", a session- and user-specific authorization code generated when someone visits the YQL console page (in effect an anti-CSRF token). "However, security mechanisms built into browsers don't allow code running in the context of one domain name to read content from a page hosted on a different domain that was loaded inside an iframe," according to the news article. "This means that while the visitor himself can see the crumb code on the attack page, thanks to the iframe being loaded in his browser, the attack page itself can't read the code or automatically use it to make authenticated YQL queries using the victim's Yahoo session." The browser rule doing that work is the same-origin policy.
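To make the "session- and user-specific authorization code" concrete, here is an added Python example (not Yahoo's code, and not the researcher's) of one standard way to build such a crumb: an HMAC over the session identifier and the user, checked in constant time. It walks through the scenario in the article: a crumb minted for the attacker's own session is not accepted in the victim's session, which is exactly why the attacker page needs to read the victim's crumb and why the same-origin policy matters. The server key, session identifiers, user names and the YQL query string are constructed for the example.

```python
import hashlib
import hmac

# Hypothetical server-side secret, constructed for the example.  A real
# deployment would load it from a key store and rotate it.
SERVER_KEY = b"example-only-key-do-not-reuse-0123456789"


def make_crumb(session_id, user_id, key=SERVER_KEY):
    """Derive a crumb bound to exactly one session and one user."""
    msg = session_id.encode() + b"\x00" + user_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def check_crumb(session_id, user_id, crumb, key=SERVER_KEY):
    """Constant-time check that a presented crumb matches this session/user."""
    expected = make_crumb(session_id, user_id, key)
    return hmac.compare_digest(expected, crumb)


def run_query(session_id, user_id, crumb, query):
    """Toy query endpoint: the session cookie identifies the user, and the
    request is refused unless the crumb was minted for that same session.

    Returns the query result descriptor, or None when the crumb is rejected.
    """
    if not check_crumb(session_id, user_id, crumb):
        return None
    return {"user": user_id, "query": query}


def demo():
    """Replay the article's situation with constructed identifiers.

    The victim's browser can render the console page that prints the crumb,
    and an attacker page can embed that page in an iframe, but under the
    same-origin policy the attacker's script cannot read it.  The attacker's
    own crumb does not work in the victim's session, and the victim's crumb
    does not work outside the victim's session, so the only way to run
    queries as the victim is to obtain the victim's crumb itself.
    """
    victim_session, victim = "sess-victim-4f2a", "victim@example.com"
    attacker_session, attacker = "sess-attacker-9c01", "attacker@example.com"
    query = "select * from social.profile"   # constructed YQL-style query

    victim_crumb = make_crumb(victim_session, victim)
    attacker_crumb = make_crumb(attacker_session, attacker)

    return {
        "victim_with_own_crumb": run_query(victim_session, victim, victim_crumb, query),
        "attacker_crumb_in_victim_session": run_query(victim_session, victim, attacker_crumb, query),
        "victim_crumb_replayed_elsewhere": run_query(attacker_session, victim, victim_crumb, query),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```

Binding the crumb to the session rather than only to the user is the detail that matters here: a crumb that depended on the user alone could be harvested once and reused from any session the attacker controls.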
First and foremost, I would like to give credit to Rob Fuller, aka Mubix, for the tip on this awesome exploit; be sure to check out his security blog, Room362. And of course @Ponez for creating the Sysret vulnerability port for Windows. The Sysret exploit is made possible by a subtle difference in how Intel processors handle a fault in their implementation of AMD's SYSRET instruction. SYSRET is part of the x86-64 standard defined by AMD. Under AMD's specification, a SYSRET to a non-canonical return address faults after the processor has already returned to user mode; on Intel processors the general-protection fault is raised while the CPU is still in kernel mode, but after the kernel has already loaded the user-controlled stack pointer. If an operating system is written according to AMD's spec but run on Intel hardware, the fault handler therefore runs in ring 0 on an attacker-supplied stack, and an attacker can use that to write to arbitrary addresses in the operating system's memory. Click here for a more detailed description of the Sysret exploit. The flaw has already been exploited on 64-bit versions of Microsoft Windows 7, FreeBSD and NetBSD, and there is a chance Apple's OS X may also be vulnerable, according to a blog on Xen.org, the open source community around the Xen hypervisor. This guide will show you how to use the Sysret exploit to escalate privileges from an ordinary user account on a fully patched 64-bit Windows 7 machine; because the bug yields a kernel-mode write, this is a kernel-level privilege escalation rather than merely a UAC bypass. The flaw is specific to 64-bit Intel processors; AMD processors, which follow their own specification, are not affected.
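The property at the centre of this bug is whether the user-mode return address is canonical, and the fix adopted by affected kernels is to test that before choosing SYSRET and to fall back to IRET otherwise. As an added example (not code from the post, from @Ponez's port or from any kernel), the check is written out below in Python, parameterised on the implemented virtual-address width (48 bits on the processors of the day). The sample addresses are constructed to sit on each side of the canonical boundary.

```python
VIRT_BITS = 48  # implemented virtual-address width; 48 on 2012-era x86-64 parts


def is_canonical(addr, virt_bits=VIRT_BITS):
    """True if addr is canonical, i.e. bits 63 down to virt_bits-1 are all
    equal (the address is a sign extension of its low virt_bits bits)."""
    addr &= (1 << 64) - 1
    top = addr >> (virt_bits - 1)                 # the 64 - virt_bits + 1 high bits
    all_ones = (1 << (64 - virt_bits + 1)) - 1
    return top == 0 or top == all_ones


def user_return_path(return_rip, virt_bits=VIRT_BITS):
    """Choose the instruction a kernel should use to return to user mode.

    SYSRET is only safe when the return RIP is canonical.  With a
    non-canonical RIP the kernel takes the IRET path instead, which faults
    with a kernel stack still in place rather than on a user-controlled one.
    """
    return "sysret" if is_canonical(return_rip, virt_bits) else "iret"


# Constructed sample return addresses: ordinary user text, the top of the
# lower canonical half, the first non-canonical address just above it, a
# kernel-half address (canonical, though a real kernel also insists the
# target is a user address), and the last non-canonical address below the
# upper half.
SAMPLES = [
    0x0000_0000_0040_1000,
    0x0000_7FFF_FFFF_FFFF,
    0x0000_8000_0000_0000,
    0xFFFF_8000_0000_0000,
    0xFFFF_7FFF_FFFF_FFFF,
]


def classify(samples=SAMPLES, virt_bits=VIRT_BITS):
    """Return (hex address, chosen return path) for each sample."""
    return [(hex(a), user_return_path(a, virt_bits)) for a in samples]


if __name__ == "__main__":
    for addr, path in classify():
        print(f"{addr:>20}  ->  {path}")
```

The width parameter is there because the boundary moves with the hardware: an address that is non-canonical on a 48-bit part is perfectly canonical on a 57-bit (5-level paging) part, so a kernel must derive the check from the CPU's reported address width rather than a hard-coded constant.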
It was October! The month when slimy worms slither through Facebook! On those cold, dark days when grisly green hands tend to smash through monitors, hungrily grasping at click-happy employees! This, Facebook told Mashable, was the second year that the company celebrated its annual Hacktober: a month-long event wherein its engineers brewed up simulations of security threats that they then unleashed on staff computers. After setting the traps, they sat back and waited to see which employees would fall for them, and which would be good-security doobies and report the fishiness, thereby netting themselves some Facebook-emblazoned swag.