Information Security News
SC Magazine UK
Infosec teams unprepared for new EU data protection laws
More than a third of IT security teams are unprepared for the EU's two incoming data protection laws, according to a new study from FireEye. In its latest survey entitled “Mixed State of ...
The National Football League's official app for both iOS and Android puts users at risk by leaking their usernames, passwords, and e-mail addresses in plaintext to anyone who may be monitoring the traffic, according to a report published just five days before Super Bowl XLIX, traditionally one of the world's most popular sporting events.
As Ars has chronicled in the past, large numbers of people use the same password and e-mail address to log into multiple accounts. That means that people who have used the NFL app on public Wi-Fi hotspots or other insecure networks are at risk of account hijackings. The threat doesn't stop there: the exposed credentials allow snoops to log in to users' accounts on http://www.nfl.com, where still more personal data can be accessed, researchers from mobile data gateway Wandera warned. Profile pages, for instance, prompt users to enter their first and last names, full postal address, phone number, occupation, TV provider, date of birth, favorite team, greatest NFL Memory, sex, and links to Facebook, Twitter, and other social networks. Combined with "about me" data, the personal information could prove invaluable to spear phishers, who send e-mails purporting to come from friends or employers in hopes of tricking targets into clicking on malicious links or turning over financial data. Adding to the risk, profile pages are transmitted in unencrypted HTTP, making the data susceptible to still more monitoring over unsecured networks, the researchers reported.
"Wandera's scanning technologies have discovered that after the user securely signs into the app with their NFL.com account, the app leaks their username and password in a secondary, insecure (unencrypted) API call," a report published Tuesday warned. "The app also leaks the user’s username and e-mail address in an unencrypted cookie immediately following login and on subsequent calls by the app to nfl.com domains."
Brits need chutzpah to copy Israeli cyberspies' tech creche – ex-spooks
Yoni Heilbronn, VP Marketing at Argus Cyber Security, which specialises in the emerging field of infosec for automobiles, is another Unit 8200 alumnus. "Experience with technology gained in [military] service is applied in private firms," Heilbronn ...
Posted by InfoSec News on Jan 27: http://www.newsobserver.com/2015/01/26/4502592_cybersecurity-proves-to-be-a-necessity.html
Posted by InfoSec News on Jan 27: http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/
Posted by InfoSec News on Jan 27: http://krebsonsecurity.com/2015/01/spreading-the-disease-and-selling-the-cure/
Posted by InfoSec News on Jan 27: http://www.networkworld.com/article/2875517/security0/startup-finds-malware-intrusions-by-keeping-an-eye-on-processor-radio-frequencies.html
Posted by InfoSec News on Jan 27: http://www.healthcareitnews.com/news/ehr-audit-catches-snooping-employee
Posted by InfoSec News on Jan 27: http://3vildata.tumblr.com/post/109188919632/about-the-infosec-skills-shortage
Posted by InfoSec News on Jan 27: http://www.bbc.com/news/uk-30977267
Adobe Systems is once again rolling out an emergency Flash update that patches a critical vulnerability under active attack to compromise the computers of unsuspecting users.
The latest Flash versions fix a remote code-execution bug that, as Ars reported last week, recently came under attack in the Angler exploit kit. Malware purveyors and other types of online crooks use such kits to seed compromised websites with attack code. Once people visit the sites with vulnerable computers, the booby-trapped pages surreptitiously exploit the vulnerabilities and install backdoors that can be used to log keystrokes, steal passwords, and install new pieces of malware at will.
An advisory Adobe published late last week warned that the bug resides in versions running on Windows, Macs, and Linux systems. So far, reports suggest that in-the-wild exploits are limited only to Windows systems. The vulnerability stems from a so-called use-after-free bug that allows attackers to corrupt the memory of affected computers. Trend Micro has additional technical details here.