Monthly Archives: November 2014

Google’s dashboard gives users visibility into device access

Google has rolled out new tools for its enterprise app customers that give them more control over their devices. According to a post on the Google for Work blog, the new dashboard shows every device that has accessed a Google account during the last 4 weeks, so users can spot unsolicited access at a glance. A guide to managing Google for Work security has also been released so that end users do not run into problems during setup and day-to-day use. The dashboard also gives IT managers a comprehensive view of device activity and lets them change security settings remotely. Google believes that security is a shared responsibility in the cloud, so everyone should take every step to keep corporate information secure.

OOPS!! Another Flash Player update

This month has been a worrisome one for Adobe Systems, which has issued an out-of-cycle Flash Player update. The update fixes a highly critical security flaw that allows cybercriminals to take complete control of a vulnerable system. The issue is tracked as CVE-2014-8439, which was first addressed on 14th October 2014, with further restrictions added on 25th November. Adobe credits Sebastien Duquette of ESET, Timo Hirvonen of F-Secure and cyber security researcher Kafeine for finding the vulnerability. According to Timo Hirvonen, they received the Flash exploit from Kafeine and analyzed the exploit found in the Angler exploit kit; the analysis revealed that the issue is different from the vulnerabilities patched in the APSB14-22 advisory. “We contacted the Adobe Product Security Incident Response Team about the issue. They acknowledged it and released an emergency update.”

Microsoft rushes patch for Kerberos flaw

A Windows security flaw already being exploited by cyber criminals has received an urgent patch outside the November Patch Tuesday cycle. The issue lies in Kerberos, the authentication system used by all versions of Microsoft Windows, and allows remote attackers to gain the elevated privileges of a domain administrator. Microsoft’s advisory states, “A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged.” Microsoft credits the information security and risk management team of Qualcomm for identifying the issue. According to the company, Windows Server 2012 and Windows Server 2012 R2 machines are not prone to this vulnerability. Users are advised to apply the patch at the earliest opportunity.

Google patches 42 flaws for Chrome

Google has rolled out Chrome 39.0.2171.65, which fixes 42 security flaws in the web browser. Google Chrome is now available as a 64-bit build for Apple Mac OS X. Google paid $41,500 in rewards to cyber security researchers for 12 of the reported security flaws. The researcher known as “biloulehibou” received the highest reward of $7,500 for finding an issue in the Adobe Flash Player bundled with Chrome; Adobe’s advisory classifies it as a “double-free” vulnerability that allows intruders to execute arbitrary code. Chen Zhang of the NSFocus Security Team was rewarded $5,500 for finding two bugs in the Blink rendering engine and the Pepper plug-in interface used by Chrome. These are use-after-free vulnerabilities that allow remote code execution or may crash the vulnerable application. The latest version of Google Chrome also disables fallback to SSL 3.0 because of the POODLE vulnerability.

BIG Patch Tuesday fixes 33 vulns

November’s Patch Tuesday contains 14 security bulletins providing fixes for 33 vulnerabilities affecting all versions of Windows. Of the 14 bulletins, 4 are rated ‘Critical’, 8 are rated ‘Important’ and the remaining 2 are of moderate severity. Bulletin MS14-065 addresses 17 vulnerabilities in Internet Explorer. Most of them are memory corruption bugs that allow remote code execution when a user is enticed to view a malformed web page. A vulnerability in OLE that was previously exploited during the Sandworm campaign is also patched, under CVE-2014-6352. A security flaw in the TCP/IP stack of Windows Server that allows remote attackers to execute arbitrary code on the vulnerable system is also patched, along with other security bypass and privilege escalation issues.

Apple devices HIT by Masque iOS malware

Security researchers at FireEye have identified a new malware attack dubbed Masque that targets iOS devices. According to the researchers, the enterprise provisioning feature in iOS versions 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta is vulnerable, which means almost 95% of devices are exposed to this malware. Hui Xue, design engineer at FireEye, believes that not many users are affected on a large scale at the moment, but admits that the scope could widen in the near future. FireEye has contacted the vendor, which is working on the issue. FireEye advises users to download apps only from the Apple App Store and not to click on pop-ups.

Google unleashes ‘nogotofail’ security testing tool

Google has rolled out a security testing tool dubbed ‘nogotofail’, designed to help developers and cyber security researchers make sure that their HTTPS connections are not vulnerable to security flaws or to common configuration errors that intruders could exploit. ‘nogotofail’ is aimed at the class of flaws exemplified by the ‘goto fail’ bug that affected Apple machines and other systems. The tool checks that internet-connected devices and applications are not susceptible to transport layer security (TLS) and secure sockets layer (SSL) flaws. It can be deployed on a router, a Linux machine or a VPN server, and works with Android, Chrome OS, iOS, Linux, OS X and Windows. The aim of the tool is to give users a risk-free HTTPS connection so that their information is transmitted securely over the internet.

Visa’s contactless payment system security flaw

Visa, the digital payment company, is under fire over its contactless payment system following research by a cyber security researcher from Newcastle University. According to the researcher, criminals can make illegal transactions of huge amounts, in any currency, from Visa card holders’ accounts through point-of-sale machines. The researcher claims that an intruder creates a fake POS terminal on a mobile phone or ATM and enters the amount to be transferred. When a Visa card comes into contact with that POS terminal, the transaction is approved with a code supplied by the card, and the bank then uses that code to release the funds. Lead researcher Martin Emms said that the POS terminal can read a card even while it is still in a wallet.

0-day flaw in Samsung ‘Find My Mobile’ service

Samsung smartphone users are being warned by the National Institute of Standards and Technology (NIST) about a newly discovered zero-day security flaw in the ‘Find My Mobile’ service. The issue arises because the service does not properly validate the source of the lock-code data it receives during communication. ‘Find My Mobile’ lets users locate their lost devices and lock them down remotely so that no one else can access them. Cyber security researcher Mohamed Abdelbaset Elnoby is credited with finding the vulnerability in the service. The flaw allows remote attackers to lock or unlock an affected device via a CSRF attack.

IBM Enterprise Insight Analysis to counter cyber crime

IBM has presented its latest service, whose goal is to improve data gathering and meet the need to fight cyber crime promptly and efficiently. IBM launched the service at the IBM Insight conference held in Las Vegas. IBM i2 Enterprise Insight Analysis (EIA) uncovers hidden patterns in huge volumes of data within seconds. It follows a data-to-decision process that, IBM says, produces more reliable findings about cyber threats than formal security analysis, which can take a long time to reach a conclusion. IBM i2 Enterprise Insight Analysis runs on IBM Power Systems to investigate “non-obvious” connections between data and uncover hidden activities.