Sucuri Security researchers have discovered yet another malicious campaign redirecting users to sites hosting exploits. As per usual, the attackers are mostly leveraging vulnerabilities in WordPress plugins to compromise sites that will become the first link of the redirection chain.
In this particular campaign, the attackers took advantage of the fact that site admins still use an old version of the Slider Revolution (RevSlider) plugin, which contains a critical vulnerability that allows attackers to compromise websites via their database.
“Please don’t think that only the Slider Revolution plugin needs to be updated,” the researchers entreated. “Keep all of your plugins and themes up-to-date. Any plugin can have critical vulnerabilities at any given time, known or unknown. Even the most popular plugins can have security issues.”
Source: Year-old flaw in popular WordPress plugin still actively exploited
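The researchers’ advice above comes down to knowing which installed plugins are behind a known-fixed version. The following script is an added example, not code from Sucuri or from WordPress; it parses the standard WordPress plugin header (the `Plugin Name:` and `Version:` lines at the top of a plugin’s main PHP file) and compares each version against a minimum the operator supplies. The plugin names, file contents and minimum versions below are constructed placeholders; real minimums come from the vendor’s changelog or advisory.

```python
import re

# Constructed sample plugin files keyed by their path under wp-content/plugins/.
# These are fictitious plugins; only the header format is the real WordPress one.
SAMPLE_PLUGIN_FILES = {
    "example-slider/example-slider.php": """<?php
/*
Plugin Name: Example Slider
Version: 4.1.4
*/""",
    "example-forms/example-forms.php": """<?php
/**
 * Plugin Name: Example Forms
 * Version: 5.2.0
 */""",
    "example-seo/example-seo.php": """<?php
/*
Plugin Name: Example SEO
*/""",
}

# Hypothetical minimum safe versions (assumption: filled in from advisories).
MINIMUM_SAFE_VERSIONS = {
    "example-slider": "4.2.0",
    "example-forms": "5.0.0",
}

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text: str) -> tuple:
    """Turn '4.1.4' into (4, 1, 4) so tuples compare numerically, not lexically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def read_header(content: str) -> dict:
    """Extract the header fields WordPress itself reads from a plugin's main file."""
    return {key: value for key, value in HEADER_RE.findall(content)}


def audit_plugins(files: dict, minimums: dict) -> list:
    """Return (slug, installed, minimum) for every plugin below its minimum version.

    A plugin with no Version header is reported with installed=None, since an
    unknown version cannot be shown to be safe.
    """
    findings = []
    for path, content in files.items():
        slug = path.split("/", 1)[0]
        minimum = minimums.get(slug)
        if minimum is None:
            continue  # no policy for this plugin; nothing to compare against
        installed = read_header(content).get("Version")
        if installed is None or parse_version(installed) < parse_version(minimum):
            findings.append((slug, installed, minimum))
    return findings


if __name__ == "__main__":
    for slug, installed, minimum in audit_plugins(SAMPLE_PLUGIN_FILES, MINIMUM_SAFE_VERSIONS):
        print(f"{slug}: installed {installed or 'unknown'}, minimum {minimum}")
```

On a live site the `files` dict would be built by globbing `wp-content/plugins/*/*.php` and reading the first few kilobytes of each file; the comparison logic stays the same.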
Las Vegas’ popular Hard Rock Hotel and Casino has been hit by carders, who took off with names, card numbers, expiration dates, and CVV codes (but not PIN numbers or other information) of customers who used their payment cards at several locations within the property.
Not much detail has been offered about how the breach happened, but it’s likely that POS malware has been installed at the affected locations.
Source: Las Vegas’ Hard Rock casino hit by carders
The weak passwords — which are hard-coded and can’t be changed — were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with Wired Equivalent Privacy (WEP), an algorithm so weak that it takes as little as 10 minutes for attackers to break a network’s encryption key. The shortcomings of WEP have been so well-known that it was banished in 2004 by the IEEE, the world’s largest association of technical professionals. What’s more, the WINVote runs a version of Windows XP Embedded that hasn’t received a security patch since 2004, making it vulnerable to scores of known exploits that completely hijack the underlying machine. Making matters worse, the machine uses no firewall and exposes several important Internet ports.
Source: Meet the e-voting machine so easy to hack, it will take your breath away | Ars Technica
The online payment industry was exposed to a slew of attacks in 2013-14, with hackers meticulously examining the payment infrastructure to exploit potential weaknesses. To guard against such security breaches, the payment industry needs to devise global security initiatives and establish common rules.
According to Frost & Sullivan, host card emulation (HCE) has created a new layer of security services. On the other hand, the HCE solutions have raised several concerns as in the absence of a single network, a single protocol and a common set of rules, hackers can breach security layers using sophisticated tools.
Until the recent spate of attacks, banks and financial institutions had been reluctant to invest heavily in protecting their digital transactions. However, new awareness of the huge liabilities and losses that can be incurred through these data leaks is encouraging their support for the use of HCE security technology.
Source: How secure are digital transactions?
Unpatched, vulnerable PDF readers are a big security issue for private PC users, according to Secunia. 14% of PC users in the US (up from 12.9% last quarter) have an unpatched operating system, and Oracle Java yet again tops the list of applications exposing PCs to security risks.
The security of a PC is significantly affected by the number and type of applications installed on it, and the extent to which these programs are patched:
- Adobe Reader 10 and 11 come in at numbers three and four on the Most Exposed List. Adobe Reader 10 has a 25% market share, 39 vulnerabilities and is unpatched on 65% of PCs. Adobe Reader 11 has a 55% market share, 40 vulnerabilities and is unpatched on 18% of PCs.
- Oracle’s Java JRE 7 tops the list as the most exposed application on US PCs. With a market share of 54%, 77% of users have not installed the latest updates, despite 101 reported vulnerabilities.
- 1 in 20 programs on the average US PC has reached end-of-life, meaning it is no longer supported by the vendor and does not receive security updates. Adobe Flash Player, one of the end-of-life applications, is still installed on no less than 78% of PCs.
- Other applications in the top 10 include Apple QuickTime, Microsoft Internet Explorer and uTorrent for Windows.
Source: Unpatched, vulnerable PDF readers leave users open to attack
Hackers who want real stealth might want to hack their own body first. An ex-military security specialist tells FORBES an NFC chip in his hand would be a useful tool in any digital criminal’s arsenal, showing off an exploit attacking an Android phone. Is evil biohacking about to go mainstream?
Source: Hacker Implants NFC Chip In His Hand To Bypass Security Scans And Exploit Android Phones – Forbes
Google users can now download their entire Web search history to a desktop, according to instructions posted on the company’s support site. “This gives you access to your data when and where you want,” Google wrote about the service. Google search history has been available to users for a long time, but the ability for individuals to download all of the data at once was released in January, according to Google spokesman Jason Freidenfelds. The service was first reported by an unofficial, third-party blog called “Google Operating System” on April 18 and picked up traction online, according to reports.
Source: How to download your entire Google search history
At RSA Conference 2015, Proofpoint released the results of its annual study that details the ways attackers exploit end-users’ psychology to circumvent IT security.
Last year was the year attackers “went corporate” by changing their tactics to focus on businesses rather than consumers, exploiting the information-sharing overload of middle management, and trading off attack volume for sophistication. Human behavior, not simply system or software vulnerabilities, has significant implications for enterprise security.
“The Human Factor research validates the critical value of threat information—and provides insight into how, when and where attacks are taking place,” said Kevin Epstein, Proofpoint’s vice president of Advanced Security & Governance. “The only effective defense is a layered defense, a defense that acknowledges and plans for the fact that some threats will penetrate the perimeter. Someone always clicks, which means that threats will reach users. Proofpoint’s approach is effective because our systems can determine who those users are, where they are, and what’s happening in real time—and actively protect organizations with real-time automated threat response.”
Source: How attackers exploit end-users’ psychology
Unless your password is at least 12 characters, you are vulnerable.
That should be the minimum password size you use on any service. Generate your password with some kind of offline generator, with diceware, or a passphrase approach – whatever it takes, but make sure your passwords are all at least 12 characters.
Source: Your Password is Too Damn Short
21 percent of respondents to a Kaspersky survey assume their passwords are of no value to criminals. Many often take the easy way out when creating and storing passwords. For example, only 26 percent of those surveyed create a separate password for each account and just 6 percent use password storage software.
However, passwords are the keys to an online account holder’s personal data, private life and even their money, which is very valuable to a criminal.
Despite the fact that passwords provide access to valuable information, the survey shows that respondents are not always careful. Specifically, 18 percent of those surveyed write down their passwords in a notebook and 17 percent freely share their personal account passwords with family members and friends.
“Even if you are not a celebrity or a billionaire, cybercriminals can profit from your credentials,” says Elena Kharchenko, head of consumer product management, Kaspersky Lab. “A password is like a key to your home; you wouldn’t leave your door unlocked, or put your keys where anyone could find them, just because you don’t think you have anything of great value. Complex passwords unique to each account, carefully stored in a safe place, will save you a lot of trouble.”
To protect accounts against unauthorized entry, Kaspersky Lab recommends the following:
- Create a unique password for each account: if one password is stolen, the rest will remain safe.
- Create a complex password that won’t be easy to crack even if cybercriminals are using special programs. That means using at least 8 symbols including upper and lower-case letters, numbers, punctuation marks and no pet names or dates of birth.
- Do not give your password to anyone, not even your friends. If cybercriminals can’t steal it from your device, they might be able to do it from someone else’s.
- Store your password in a safe place. Don’t write it down on paper; either remember it or use a special program for storing passwords from a reliable vendor.
Source: Consumers think passwords are of no value to criminals
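The Kaspersky recommendations above (unique per account, at least 8 symbols across all four character classes, no pet names or dates of birth) are mechanical enough to check automatically. The script below is an added example, not code from Kaspersky Lab; `check_complexity` reports every rule a candidate password breaks, and `find_reused` flags accounts that share a password. The personal tokens and the account table are constructed sample data; a real tool would take the user’s own names and dates as input and would read from a password manager export rather than a literal dict.

```python
import re
import string

# Constructed sample of personal names a user would supply (pets, family, nicknames).
PERSONAL_TOKENS = ("fluffy", "rex")

YEAR_RE = re.compile(r"(19|20)\d{2}")                      # 1900-2099 embedded anywhere
DATE_RE = re.compile(r"\d{1,2}[/.\-]\d{1,2}([/.\-]\d{2,4})?")  # 01/02, 1.2.90, 31-12-1990


def check_complexity(password: str, personal_tokens=PERSONAL_TOKENS) -> list:
    """Return the list of Kaspersky rules the password violates; empty means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 symbols")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation mark")
    lowered = password.lower()
    for token in personal_tokens:
        if token.lower() in lowered:
            problems.append(f"contains personal name '{token}'")
    if YEAR_RE.search(password):
        problems.append("contains a year")
    elif DATE_RE.search(password):
        problems.append("contains a date-like pattern")
    return problems


def find_reused(accounts: dict) -> dict:
    """Map each password shared by more than one account to the accounts using it.

    Accounts are checked pairwise by equality of the stored secret; in a real audit the
    input would come from the password manager, not from a plaintext literal.
    """
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample account table.
    sample_accounts = {
        "mail": "Fluffy1990!",
        "bank": "Fluffy1990!",
        "shop": "x7!Qm2#pZl",
        "forum": "password",
    }
    for account, pw in sample_accounts.items():
        print(f"{account}: {check_complexity(pw) or 'ok'}")
    for pw, accts in find_reused(sample_accounts).items():
        print(f"reused across {accts}")
```

`check_complexity` deliberately returns every failed rule rather than stopping at the first, so a user fixing a password sees the whole picture at once; the year check takes precedence over the generic date pattern so a single birth year is not reported twice.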