Friday, September 26, 2014

Critical Bash Bug “Shellshock” might be as big as Heartbleed




Critical Bash Security Alert!


Last night, researchers disclosed a critical security bug affecting all versions of GNU Bash through 4.3. Any Linux, Unix, or Mac OS X machine running versions 1.14.0 to 4.3 of the command interpreter can be made to execute attacker-supplied code, and remotely so wherever Bash is reachable through a network service (CGI scripts on web servers are the most common case). The bug is tracked as CVE-2014-6271; because the first patch turned out to be incomplete, the remaining parser issue was assigned CVE-2014-7169. NIST's National Vulnerability Database rates it 10.0, the maximum CVSS score. Because the bug affects potentially hundreds of millions of machines, many are already comparing it to Heartbleed and have given it the name “Shellshock.”


Threat Mitigation


To check for the vulnerability, you can enter the following command into Bash:


env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


Vulnerable versions will return:


vulnerable

this is a test


Non-vulnerable versions will return:


bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test
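The one-line probe above answers only "is this Bash affected?". What an administrator usually needs next is to know whether anyone has already tried the bug against their web servers. The script below is an added example, not Emsisoft's or the Bash project's code: it runs the same environment-variable probe against the local Bash via subprocess, and it scans Apache combined-format access log lines for the "() {" function-definition prefix in request headers, which is where CGI-based probes carry their payload because mod_cgi copies request headers into the script's environment. The log lines and IP addresses are constructed, and the log regex assumes no escaped quotes inside the quoted fields.

```python
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Pre-patch Bash treated any environment variable whose value began with "() {"
# as an exported function definition and kept parsing, so commands appended
# after the function body ran at shell start-up. We search for the prefix
# anywhere in a header value, since probes do not always place it first.
FUNC_DEF_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log line (the sample below is constructed). The payload
# normally rides in a request header because mod_cgi copies request headers
# into the script's environment as HTTP_USER_AGENT, HTTP_REFERER, and so on.
# Assumption: no escaped double quotes inside the quoted fields.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def extract_payload(value: str) -> Optional[str]:
    """Return the command that trails a "() { ...};" prefix, or None if VALUE is benign."""
    m = FUNC_DEF_RE.search(value)
    if m is None:
        return None
    rest = value[m.end():]
    end = rest.find("};")
    # Whatever follows the closing "};" is what vulnerable Bash executed; if the
    # body is never closed, keep the remainder so the analyst still sees it.
    return rest[end + 2:].strip() if end >= 0 else rest.strip()


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Return (line number, client IP, field, payload) for every Shellshock-style probe."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if m is None:
            continue  # not combined format; a real scanner would report this
        for field in ("req", "ref", "ua"):
            payload = extract_payload(m.group(field))
            if payload is not None:
                hits.append((number, m.group("ip"), field, payload))
    return hits


def check_local_bash(bash: str = "bash") -> str:
    """Run the post's probe: 'vulnerable', 'patched', or 'unknown' when no bash is found.

    This exercises CVE-2014-6271 only; a build patched for it may still be
    affected by CVE-2014-7169, so trust your distribution's updates, not this test.
    """
    path = shutil.which(bash)
    if path is None:
        return "unknown"
    env = {"x": "() { :;}; echo vulnerable"}
    result = subprocess.run([path, "-c", "echo this is a test"],
                            env=env, capture_output=True, text=True)
    return "vulnerable" if "vulnerable" in result.stdout else "patched"


# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 512 "-" "() { :;}; /usr/bin/id"',
    '198.51.100.7 - - [25/Sep/2014:10:12:09 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 512 "() { :;}; /bin/ping -c 1 203.0.113.9" "curl/7.30.0"',
]

if __name__ == "__main__":
    print("local bash:", check_local_bash())
    for number, ip, field, payload in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {ip} sent a probe in {field}: {payload}")
```

A hit in the Referer or User-Agent field against a /cgi-bin/ path is the signature most intrusion-detection rules for Shellshock keyed on; the extracted payload (here `/usr/bin/id` and a `ping` back to the attacker's host) tells you whether the probe was reconnaissance or an attempt to fetch and run a dropper.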


Note that this command exercises only CVE-2014-6271. A Bash that prints the warning above but was patched before the follow-up fix can still be affected by CVE-2014-7169, so apply your distribution's latest update rather than relying on the test alone. More technical specifics on how Shellshock works can be found at the Red Hat Security Blog. Users and administrators affected by Shellshock should apply patches immediately:


  • Redhat patch

  • CentOS patch

  • Debian patch

  • Ubuntu patch

Shellshock was discovered by Stephane Chazelas of Akamai. The company’s initial statement can be viewed here. As this vulnerability is an Internet-wide security issue, Emsisoft will continue to follow Shellshock as it develops and inform our users of any critical developments.


What should I do if I use Windows?


Those running Windows wondering what to do to stay protected should know that Shellshock does not directly affect their machine, but it could affect computers they interact with when they use the Internet. Unfortunately, there is nothing Emsisoft can do about this since Linux, Unix, and Mac OS X are not operating systems we support. The best we can do for now is sit tight, and hope that administrators who use these systems apply the appropriate patch as soon as possible.


Have a nice (malware-free) day!

Monday, September 22, 2014

Home Depot – 56 million Cards, Largest Retail Breach on Record



After two weeks of investigation, The Home Depot has confirmed that the POS malware has been removed from all of its stores. The company also reports that between April and September 2014 approximately 56 million unique payment card records were stolen, which makes this the largest point-of-sale data breach on record. In addition, the company writes that the attackers used custom-built malware that had not been seen before.


What you need to do: Check your credit and debit card records for transactions at the retailer between April and September 2014. If you shopped there during this time, you should cancel the card that was used and get a new one as soon as possible.


Home Depot’s official statement can be downloaded in PDF format here. Preliminary details from initial disclosure 2 weeks ago can be found on our blog.


Have a great (credit-fraud-free) day!




Friday, September 19, 2014

Alert: eBay iPhone Listings Redirecting to Phishing Pages

Last night, the BBC published an article stating that eBay item listings are vulnerable to cross-site scripting attacks, which can lead users to phishing pages.


Such attacks place malicious code within the listing field that lets sellers link to legitimate third party websites. When users click on links that contain this code, they are redirected to phishing pages that look like the eBay log in page. Users who enter credentials are at risk of having their eBay account compromised.


The attack was first spotted by an eBay power user who found it in action on a listing for a cheap iPhone. In addition, the BBC states that it has found two other eBay item listings from the same account using cross-site scripting. eBay has yet to make a statement on the matter, but initial reports indicate that the three malicious listings have been removed.
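The listings described above worked because seller-supplied HTML was rendered with constructs that should never appear in a product description: script, event handlers, and links whose scheme or host is not what a buyer would expect. The script below is an added example, not eBay's code, showing how a marketplace can lint that markup with an allowlist rather than a blocklist. The allowed tags and attributes, the impersonated brand (`ebay` / `ebay.com`) and the sample listings are all assumptions constructed for the demonstration; the `example.net` hosts stand in for attacker infrastructure.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlsplit

# Markup a seller may legitimately use in a description (assumed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "table", "tr", "td", "th", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https"}

# Assumed brand being impersonated: a link to a host that merely contains the
# brand name, but is not the brand's own domain, is a typical phishing lure.
BRAND = "ebay"
BRAND_DOMAIN = "ebay.com"

# Browsers drop ASCII control characters and whitespace while parsing a URL,
# so "java\tscript:" still runs; strip them before looking at the scheme.
CTRL_WS_RE = re.compile(r"[\x00-\x20]")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")


def url_scheme(value: str) -> Optional[str]:
    m = SCHEME_RE.match(CTRL_WS_RE.sub("", value).lower())
    return m.group(1) if m else None


def lookalike_host(value: str) -> bool:
    try:
        host = (urlsplit(value).hostname or "").lower()
    except ValueError:
        return False
    return BRAND in host and host != BRAND_DOMAIN and not host.endswith("." + BRAND_DOMAIN)


class ListingLinter(HTMLParser):
    """Allowlist check on seller HTML. HTMLParser decodes entities in attribute
    values for us, so "&#106;avascript:" is seen as "javascript:"."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):  # also invoked for self-closing tags
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
            return
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append(f"disallowed attribute {name} on <{tag}>")
            elif name in URL_ATTRS:
                scheme = url_scheme(value)
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.findings.append(f"{scheme}: URL in {name} on <{tag}>")
                elif lookalike_host(value):
                    self.findings.append(f"lookalike host in {name} on <{tag}>: {value}")


def lint_listing(markup: str) -> List[str]:
    linter = ListingLinter()
    linter.feed(markup)
    linter.close()
    return linter.findings


# Constructed listings; example.net hosts stand in for attacker infrastructure.
GOOD_LISTING = (
    "<p>Apple iPhone 5, 16 GB, unlocked.</p>"
    "<img src='https://img.example.net/iphone.jpg' alt='phone'>"
    "<a href='https://www.ebay.com/itm/12345'>Seller's other items</a>"
)
BAD_LISTING = (
    "<p>Cheap iPhone, today only!</p>"
    "<a href='javascript:alert(document.cookie)'>Buy now</a>"
    "<img src='x' onerror='alert(1)'>"
    "<a href='https://secure-ebay.example.net/login'>Sign in to bid</a>"
    "<script>location.href='https://ebay-signin.example.net/'</script>"
)

if __name__ == "__main__":
    for label, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(label, lint_listing(listing) or "clean")
```

The allowlist is the important design choice: a blocklist of known-bad strings is what attackers get around with entity encoding, embedded tabs, and unusual tag names, whereas rejecting everything not explicitly permitted fails closed. The lookalike-host rule is a heuristic for the phishing redirect the BBC described and will need tuning against a real marketplace's legitimate partner domains.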


To avoid this phish:


  • Stay away from item listings that seem too good to be true (hint: they are)

  • Only log into a web account after independently navigating to that website on your own

  • Check out eBay’s Marketplace Safety Tips

As yet, the total number of item listings this vulnerability affects is unknown – so be careful where you bid! If you think you might have fallen for a phish, change your password ASAP and keep a close eye on your eBay account.


Emsisoft users are automatically protected from this threat by our products’ Surf Protection technology. Original report from the BBC can be found here.

Thursday, September 18, 2014

Hackers want to steal your Amazon account… using Kindle eBooks?



Do you think about security when you download an eBook? Probably not. But what if that eBook could allow a hacker to gain remote access to your Amazon account and max out all of its credit cards? A Kindle vulnerability from earlier this week, which has since been patched, shows exactly how pirated eBooks could have been used to hack Amazon accounts.


Discovered by independent researcher Benjamin Daniel Mussler, the vulnerability enabled cross site scripting on the Kindle Library management web page accessed through Amazon accounts. Mussler found that the book title metadata on third party eBooks with the .mobi extension could be modified to run a malicious script, instead of displaying the book title in the Kindle Library manager. Such a script could be designed to grab everything a hacker would need to gain access to your Amazon account and make purchases in your name.
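The root cause Mussler described is the classic stored cross-site scripting pattern: a value the user controls (the book title) is written into a page without being encoded for the HTML context it lands in. The snippet below is an added example, not Amazon's code: it renders a constructed list of books two ways, once by plain string interpolation and once with `html.escape`, and shows why `quote=True` matters when the same value also ends up inside an attribute. The book records, including the two malicious titles, are constructed to mimic the injection described in the post.

```python
import html
from typing import Dict, List

# Constructed records standing in for titles read out of uploaded .mobi files.
# The last two mimic the injection Mussler described: the "title" is markup.
BOOKS: List[Dict[str, str]] = [
    {"title": "Gulliver's Travels", "author": "Jonathan Swift"},
    {"title": '<script src="https://203.0.113.9/k.js"></script>', "author": "unknown"},
    {"title": 'x" onmouseover="alert(document.cookie)', "author": "unknown"},
]


def render_vulnerable(books: List[Dict[str, str]]) -> str:
    """String interpolation: metadata lands in a text node and an attribute unchanged."""
    rows = [
        f'<tr><td title="{b["title"]}">{b["title"]}</td><td>{b["author"]}</td></tr>'
        for b in books
    ]
    return "<table>" + "".join(rows) + "</table>"


def render_safe(books: List[Dict[str, str]]) -> str:
    """Same page, with every untrusted value escaped for the HTML context it lands in.
    quote=True is what makes the attribute case safe: it turns " into &quot;."""
    rows = []
    for b in books:
        title = html.escape(b["title"], quote=True)
        author = html.escape(b["author"], quote=True)
        rows.append(f'<tr><td title="{title}">{title}</td><td>{author}</td></tr>')
    return "<table>" + "".join(rows) + "</table>"


def contains_injected_markup(page: str) -> bool:
    """Crude indicator for the check below: a live <script> tag, or an attribute
    boundary that a seller-supplied value managed to close and reopen."""
    return "<script" in page or 'onmouseover="' in page


if __name__ == "__main__":
    print("vulnerable page carries injected markup:", contains_injected_markup(render_vulnerable(BOOKS)))
    print("escaped page carries injected markup:  ", contains_injected_markup(render_safe(BOOKS)))
```

Output encoding has to match the context: HTML-escaping is right for text nodes and quoted attributes, but a value dropped into a JavaScript block or a URL needs a different encoder, and no amount of filtering on the upload side substitutes for encoding at the point of output.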


Mussler published his findings on Monday, and on Tuesday the vulnerability – which did not affect .azw Amazon eBooks – was patched.


While no longer a direct concern to Kindle users, this latest issue is a good reminder that Internet security is hardly limited to PCs or smartphones. If you are using any device to connect to the Internet, it needs to be secured.


Have a great (paper-free) day!


Mussler’s full report can be found here.




Alert! Default Browser app on 75% of Androids is vulnerable

Android Security Alert


A newly discovered flaw in the Android Browser app, installed as the default web browser in all Android versions prior to 4.4, can allow attackers to steal personal information entered into websites and hijack authenticated sessions. For comprehensive protection, we recommend disabling the app as soon as possible and migrating to an alternative browser.


How to find out if you’re vulnerable


First, you will need to find out which version of the Android operating system you’re running. This information can be found under Settings > About Phone. If you’re running an Android Version that’s earlier than 4.4, your Android Browser app is vulnerable.


To disable the Android Browser app:


Go to Settings > Applications > Manage Applications, and then find Browser (its icon is a little globe). Once you click on Browser, you should be given the option to Force Stop or Disable. You will want to select Disable. But note: some early versions do not allow you to Disable the Browser app at all. If this is the case, you will need to make a conscious effort not to use the app or to use it with caution when you do.


Use a different browsing app until Browser is patched:


Browser is an older app but vulnerable versions still come preloaded on low cost Android devices, which may actually account for up to 75% of the total Android ecosystem today. If migrating to the newest version of Android (currently KitKat 4.4) is not an option, we recommend disabling or discontinuing the use of Browser until it is fixed and downloading an alternative web browser, such as Google Chrome, Mozilla Firefox, or Dolphin.


Anyone needing help identifying whether their Android is vulnerable or transitioning to an alternative browser is encouraged to contact Emsisoft Support.


Same Origin Policy Bypass


This vulnerability was discovered by an independent security researcher named Rafay Baloch. Baloch found that vulnerable versions of Browser fail to enforce the same-origin policy, the rule that stops script running on one website from reading content belonging to another. With that rule broken, a malicious page can read what you type into another site's pages and steal its authentication cookies. This means that if you visit a website designed to exploit this vulnerability and then log into your email in another window, your credentials can be captured and the attacker can log in to your email account.


For more information on this type of attack, see the original report here and a follow up from PC World.


For additional protection, also consider Emsisoft Mobile Security, which can automatically prevent you from accessing malicious websites that leverage this vulnerability with Surf Protection technology.


Have a great (mobile-malware-free) day!

Thursday, September 11, 2014

5 Million Gmail Usernames and Passwords Compromised

Gmail Security Alert!




A number of reports indicate that up to 5 million Gmail usernames and passwords have been dumped on a Russian Bitcoin forum. According to PC World, a good deal of these credentials have been confirmed to be in active use; however, many of the username/password combinations are up to 3 years old. There is also strong evidence that the leaked passwords may actually just be passwords to other websites, where Gmail addresses were just used as usernames.


As yet, Google has not found evidence of any compromise of its systems, and most reports indicate that the information was collected elsewhere.


What does this mean for you?


Besides being another “hacker headline” you may just wish to casually dismiss, this latest breach is yet another reminder that passwords are not perfect. It may also mean that it is time to change your Gmail password, just to be on the safe side. As an additional precaution, you can also enable two-factor authentication on your Gmail account. Google provides information on this security measure here, along with instructions on how to set it up. Spoiler alert: click on your avatar when logged into Gmail (top-right corner), click Account, click the Security tab in your Google+ profile, find 2-Step Verification under Password, and then click Settings.


Also: watch out for fake “email integrity” check sites. These are sites that offer to check whether your email address has been hacked. While many of them may be legitimate, others can be phishing sites set up by criminals to harvest email addresses for spam or malware campaigns.


For more information, you can also check out some of the articles listed below:


  • Five Million Gmail addresses and passwords dumped online, PC World

  • Nearly 5 Million Google Passwords leaked on Russian Site, Time.com

  • 5 Million Gmail Usernames, Passwords Hacked And Posted To Russian Bitcoin Forum: Report, International Business Times

Have a nice (malware-free) day!




Tuesday, September 9, 2014

Malware Alert: Dyre steals Salesforce login credentials, and doesn’t even call you back

Does your company use the Salesforce CRM to track and manage leads and contacts? If so, your employees might just become the targets of a malware attack.


About one week ago, Salesforce published a Security Alert on the Dyre malware. The alert states that Salesforce's security partners have discovered a Dyre variant that intercepts Salesforce login credentials on infected computers when users log in to Salesforce.com.


Since June 2014, Dyre has been known for its ability to steal credentials from banking websites – most recently being served in a JP Morgan Chase phishing campaign. Dyre can technically intercept information from users interacting with any website, though. It would now seem that Salesforce.com has simply been added to the malware’s list.


Interestingly, this is not the first time Salesforce.com has entered malware's crosshairs, either. In February 2014, a variant of Zeus was also found targeting the CRM.


How to Avoid a Dyre Situation


This latest incarnation of Dyre shows us that it isn’t just financial credentials that today’s computerized criminals are after. Any scrap of information that can be stolen and squeezed for what it’s worth is fair game on underground markets. Salesforce credentials could, for example, be sold to competing companies.


To avoid Dyre, it is first important to realize that this is not a vulnerability on Salesforce.com.


It is a Trojan that infects computers and captures login credentials as they are entered into websites, Salesforce.com being merely the latest addition to its target list. For companies that use the CRM, this means that compromise can occur whenever an employee logs in to Salesforce. Whether from work or at home, if the computer used to connect to the CRM is infected with Dyre, the credentials will be captured by the malware.


Emsisoft currently offers a number of anti-malware solutions that can preemptively detect Dyre to avoid infection and remove Dyre from infected machines. If you’ve reached this page because you heard about the recent Salesforce malware issue, you probably weren’t looking for another sales pitch, so instead we’ll simply offer this little reminder:


Don’t open attachments/click on links from mysterious contacts you don’t know!


Oh, and if you’re looking for an automated solution, why not try Emsisoft Anti-Malware for Business for free ;)


Have a nice (Dyre-free) day!

Saturday, September 6, 2014

AhelioTech launches Mobile Application for Android!

AhelioTech is proud to announce the AhelioTech mobile application.


Description


AhelioTech works to exceed our clients’ expectations and stay ahead of the competition with AhelioTech Mobile, which gives you instant access to your AhelioTech account information on your Android device. Features available on the go:

• Create service tickets on the fly

• Review and update tickets on the fly

• More features to come

Thursday, September 4, 2014

No more nude selfies! (at least not on the cloud)



So there was this nude celebrity photo leak over the weekend. If you’ve been on the Internet lately, you might have heard a thing or two about it. Right now, nobody is certain of how it happened.


Initial reports suggested that the leak was due to a weakness in the Find My iPhone sign-in page, exploited by a tool dubbed iBrute, which allowed automated brute-force password guessing because the page did not lock an account after repeated failed attempts. Apple quickly dismissed this rumor, while patching the weakness in the very same breath. According to Apple, the celebrity account credentials were merely cracked by: “a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet.” Likely, this means a group of hackers simply researched celebrities’ personal lives and guessed credentials until they got them right.
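What makes a tool like iBrute practical is not a clever exploit but a sign-in endpoint that will check an unlimited number of guesses. As an added illustration (not Apple's code, and not a description of Apple's fix), the script below models a login service with and without a per-account lockout and runs the same wordlist against both. The account store, the wordlist, the salt values and the clock are constructed; the lockout threshold and window are assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 50_000          # PBKDF2 work factor; kept modest so the demo runs quickly
Record = Tuple[bytes, bytes]  # (salt, derived key)


def make_record(password: str, salt: Optional[bytes] = None) -> Record:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(record: Record, password: str) -> bool:
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, candidate)


# Checked against when the account does not exist, so unknown and existing
# accounts take the same time and the login page does not enumerate users.
DUMMY_RECORD = make_record("not-a-real-password", salt=b"\x00" * 16)


class LoginThrottle:
    """Per-account failure counter with a temporary lockout.

    max_failures=None disables the lockout, i.e. the state of a sign-in page
    that lets a guessing script work through an unlimited wordlist.
    """

    def __init__(self, users: Dict[str, Record], max_failures: Optional[int] = 5,
                 lockout_seconds: float = 900) -> None:
        self.users = users
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}

    def attempt(self, account: str, password: str, now: float) -> str:
        """Return 'ok', 'denied', or 'locked'. NOW is the caller's clock in seconds."""
        if self.locked_until.get(account, 0.0) > now:
            return "locked"  # even the right password is refused until the window ends
        record = self.users.get(account)
        # Always run the KDF, then discount unknown accounts (constant-time shape).
        ok = verify(record if record is not None else DUMMY_RECORD, password) and record is not None
        if ok:
            self.failures.pop(account, None)
            return "ok"
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if self.max_failures is not None and count >= self.max_failures:
            self.failures.pop(account, None)
            self.locked_until[account] = now + self.lockout_seconds
            return "locked"
        return "denied"


def guess(throttle: LoginThrottle, account: str, wordlist: List[str],
          start: float = 0.0, interval: float = 0.5) -> Optional[int]:
    """Drive an iBrute-style loop: one guess every INTERVAL seconds.
    Returns the 1-based attempt number that logged in, or None."""
    for n, candidate in enumerate(wordlist, 1):
        if throttle.attempt(account, candidate, start + n * interval) == "ok":
            return n
    return None


# Constructed wordlist and account; the victim's password is the 7th guess.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "Passw0rd", "sunshine", "monkey"]
USERS = {"victim@example.com": make_record("sunshine", salt=b"\x01" * 16)}

if __name__ == "__main__":
    print("no lockout  :", guess(LoginThrottle(USERS, max_failures=None), "victim@example.com", WORDLIST))
    print("lock after 5:", guess(LoginThrottle(USERS, max_failures=5), "victim@example.com", WORDLIST))
```

A per-account lockout is the simplest control and it is also the one attackers turn into a denial of service by deliberately locking victims out, which is why production systems pair it with per-source rate limits, progressive delays and a second factor rather than relying on it alone.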


As a means of protection, Apple suggested the use of strong passwords and two-factor authentication (2FA).


Soon after, however, a report from Wired pointed to a piece of software (and others like it) called Elcomsoft Phone Password Breaker. Elcomsoft et al. allow users to create full backups of iCloud data without a security token, even if 2FA is enabled. The Register has since published a quote from Elcomsoft stating that the software can access data without login credentials:


But now we have discovered a way to gain access to iCloud information without usually necessary login credentials. The new EPPB version suggests law enforcement and investigators an easy password-free access to iCloud accounts extracting essential information in real time without delay no matter if [a] password is available or not.



All of this points to a truth most everyone knew before this whole celebrity nude selfie scandal even took place: If you put it on the cloud, it might just float away.


How to get your self(ies) off the cloud


Cloud storage is convenient. It is also a profitable business. This is why you won’t find many cloud providers publishing instructions on how to disable cloud auto-sync. If you’re storing sensitive data, however, not storing it on the cloud is the simplest and most effective way to prevent a cloud data leak.


To disable photo uploads to iCloud from your iOS device:
Go to Settings > iCloud > Photos or Photo Stream, and then switch to Off.

To disable iCloud entirely, go to the bottom of the menu and select Delete Account.


To disable photo uploads to the Google+ cloud service from your Android device:

Go to the Photos app > General Settings, and then switch Auto-Backup to Off.
Additionally, Android sync settings can be managed and disabled through Settings > Accounts & sync.


And if you must take them, where to put them instead


Perhaps most importantly, it is crucial to remember that when you put something on the cloud – be it iCloud, Google Drive, Dropbox, or any other service provider – that means it can be accessed from anywhere. This can be extremely convenient for everyday file sharing purposes, but dangerous when sensitive data comes into play.


If you are using a smartphone – or any Internet connected device, for that matter – it is important to find out what exactly is being placed on the cloud when you hit Save. You may actually be sharing much more than you want. Once you figure out what is being stored where, you can then implement alternative storage options, such as an encrypted external hard drive.


As navigating each cloud service is different, we recommend that anyone who needs help check out our Malware and Computer Security forum for assistance. There, you can consult an expert for free, even if you are not an Emsisoft customer yet. For enhanced mobile security, you can also consider adding Emsisoft Mobile Security to your repertoire. It can remotely lock or wipe a lost or stolen phone full of… “sensitive data” in just one swipe.


Have a great (clothing-free ;) day!