Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On August 12, 2015

August 10, Softpedia – (International) First vulnerability found in Microsoft Edge, affects other software as well. Security researchers discovered a vulnerability in the way Windows handles Microsoft’s Server Message Block (SMB) protocol, used for local-network file sharing, that affects all versions of Windows: a faulty dynamic link library (DLL) could allow an attacker to extract user credentials from a closed Windows domain via a man-in-the-middle (MitM) for SMB technique. The vulnerability affects Microsoft’s new Edge Web browser as well as software from other developers. Source

August 10, Help Net Security – (International) HTC phone stores fingerprints in easily accessible plaintext. Security researchers from FireEye discovered that the fingerprint-scanner authorization frameworks on several Android devices are vulnerable to exploitation, while other devices store fingerprint images in plaintext and fail to secure the sensor itself. Source

August 10, Securityweek – (International) Default WSUS configuration puts organizations at risk: researchers. Security researchers from Context Information Security revealed that configuration issues in Microsoft Windows Update and Windows Server Update Services (WSUS) could be exploited when secure sockets layer (SSL) communication is not enabled: a man-in-the-middle (MitM) attacker on the path between client and WSUS server could modify update metadata to create fake updates and execute arbitrary commands on the client. Source
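As a quick check for the weakness described above, the following PowerShell snippet is an added example (not code from the original post or from Context Information Security). It reads the Group Policy registry values that point a Windows client at a WSUS server (UseWUServer, WUServer and WUStatusServer, which are the documented policy locations) and flags any server URL that uses plain http:// instead of https://. The function name and the shape of its output are assumptions made for this example.

```powershell
# Added example: audit a client's WSUS configuration for plain-HTTP transport.
# Registry path and value names are the documented Windows Update policy keys;
# Test-WsusTransport and its output object are names chosen for this example.
function Test-WsusTransport {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = Join-Path $policy 'AU'

    # UseWUServer = 1 means the client is told to use the WSUS server below
    # instead of contacting Microsoft Update (which is HTTPS) directly.
    $useWsus = (Get-ItemProperty -Path $au -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    if ($useWsus -ne 1) {
        return [pscustomobject]@{
            UsesWsus = $false
            Weak     = $false
            Findings = @()
        }
    }

    # Both the update server and the reporting (status) server can be set
    # independently; either one on plain HTTP is enough for a MitM to tamper
    # with the update metadata the client trusts.
    $findings = foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
        if (-not $url) { continue }
        [pscustomobject]@{
            Value  = $name
            Url    = $url
            Secure = ($url -match '^https://')
        }
    }

    return [pscustomobject]@{
        UsesWsus = $true
        Weak     = (@($findings | Where-Object { -not $_.Secure }).Count -gt 0)
        Findings = @($findings)
    }
}

$result = Test-WsusTransport
if ($result.UsesWsus -and $result.Weak) {
    Write-Warning 'WSUS endpoint reached over plain HTTP; update metadata can be altered by a MitM.'
    $result.Findings | Format-Table -AutoSize
    # Weak configuration (example value):
    #   WUServer       = http://wsus.corp.example:8530
    # Corrected configuration (example value, after enabling SSL on the WSUS server):
    #   WUServer       = https://wsus.corp.example:8531
    #   WUStatusServer = https://wsus.corp.example:8531
} elseif ($result.UsesWsus) {
    Write-Output 'WSUS endpoints use HTTPS.'
} else {
    Write-Output 'Client is not configured to use a WSUS server.'
}
```

Run it in an elevated session on a domain-joined client. The registry check only shows what the client has been told to use; the WSUS server must also actually be configured for SSL (the example host names and ports in the comments are illustrative), otherwise switching the policy URL to https:// will simply break updates rather than secure them.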

August 9, IDG News Service – (International) Internal LTE/3G modems can be hacked to help malware survive OS reinstalls. Security researchers from Intel reported that an insecure firmware update process in Huawei LTE/3G modems could allow an attacker to create a malicious firmware image that a malicious program could flash to the modem, letting it re-infect the main operating system (OS) even after a reinstall, or modify the modem to ignore future firmware updates. Source

August 9, IDG News Service – (International) SDN switches aren’t hard to compromise, researcher says. Security researchers from Hellfire Security revealed that software-defined network (SDN) switches running the Open Network Install Environment (ONIE) lacked authentication, encryption, access controls and permissions, potentially enabling an attacker to install persistent malware and monitor all network traffic passing through a switch. Source

August 8, Securityweek – (International) Rush to put death records online lets anyone be ‘killed’. Security researchers at Def Con 2015 in Las Vegas revealed that flaws in online portals for submitting death and birth records could easily be exploited to create fake death and birth certificates, owing to missing authentication and credential checks. Source

August 7, Securityweek – (International) Google disables inline installation of Chrome extensions for deceptive developers. Google disabled inline installation for Chrome Web browser extensions from developers the company judged to have abused the feature by distributing their extensions through deceptive Web sites and advertisements; installs of those extensions are now redirected to the extension’s product page on the Chrome Web Store, so users see its details before installing. Source

August 7, Krebs on Security – (California) Tech firm Ubiquiti suffers $46M cyberheist. Ubiquiti Networks Inc. reported during the week of August 3 that cybercriminals stole $46.7 million from the company in a CEO fraud attack that used employee impersonation and fraudulent payment requests from an outside entity targeting the company’s finance department. The company discovered the fraud on June 5 and has been working to recover the funds. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.