October 20, Securityweek – (International) Vulnerabilities found in HP ArcSight products. HP began releasing security updates addressing vulnerabilities in HP’s ArcSight products, including an authentication bypass flaw in the ArcSight Logger interface in which a remote authenticated user without permissions could conduct searches through the Simple Object Access Protocol (SOAP) interface, improper restriction of excessive authentication attempts which could allow brute force attacks on the SOAP interface, and an insufficient compartmentalization vulnerability which could allow a user to escalate privileges to root. Source
October 20, Softpedia – (International) Malware disguises as Google Chrome browser clone. Security researchers from PCRisk and Malwarebytes discovered a new Web browser designed to mimic Google Chrome called eFast, which delivers adware and malware and hijacks file and Uniform Resource Locator (URL) associations on infected systems. The application is based on the Chromium open source browser. Source
October 20, Help Net Security – (International) 250+ iOS apps offered on Apple’s App Store found slurping user data. Security researchers from SourceDNA and Purdue University discovered that over 250 Apple App Store applications are built on a software development kit (SDK) that uses private application program interfaces (APIs) to gather user and device information, despite Apple disallowing the practice. Apple has removed an unspecified number of apps, and Youmi, the China-based mobile advertising company that created the SDK, is working with the company to resolve the issue. Source
October 20, Help Net Security – (International) A slew of LTE 4G vulnerabilities endanger Android users and mobile carriers. Researchers from Carnegie Mellon University’s Computer Emergency Response Team Coordination Center reported that carriers and users of Long-Term Evolution (LTE 4G) devices are vulnerable to issues that may result in loss of privacy, data spoofing, incorrect billing, and denial-of-service (DoS) attacks due to LTE networks’ reliance on packet switching and the Internet Protocol (IP) schema versus circuit switching used in previous generations. Source
October 20, Help Net Security – (International) 1 in 4 organizations have experienced an APT. ISACA released findings from a study surveying over 660 cybersecurity professionals revealing that about 28 percent of those surveyed have experienced an attack from an advanced persistent threat (APT), that mobile device security continues to be an issue, and that most organizations tend to focus on technical controls instead of education and training when most APT attacks tend to employ social engineering, among other findings. Source
October 20, The Register – (International) Sites cling to a million flawed, fading SHA-1 certificates: Netcraft. Security researchers from Netcraft reported that over a million organizations are still using Secure Hash Algorithm 1 (SHA-1) certificates, that 120,000 were issued this year, and that another 250,000 surveyed are scheduled to live past 2017, despite documented weaknesses in the algorithm’s security. Source
October 19, SC Magazine – (International) Flaws in LibreSSL could open Web servers to attack. Security researchers from Qualys discovered memory leak and buffer overflow vulnerabilities in all versions of LibreSSL which could allow attackers to create a denial-of-service (DoS) condition or execute arbitrary code. LibreSSL is a fork of the OpenSSL Secure Sockets Layer (SSL) library intended as a replacement after the Heartbleed vulnerability was discovered in OpenSSL’s code, and the vulnerabilities were reportedly addressed in subsequent updates. Source