Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On January 08, 2016

January 7, SecurityWeek – (International) Unpatched Drupal flaws expose sites to attacks. A researcher from IOActive reported several vulnerabilities in the update process of the Drupal content management system (CMS) 6 and 7 series, including a cross-site request forgery (CSRF) vulnerability that can be exploited to force website administrators to check for updates, which can enable hackers to deliver server-side request forgery (SSRF) attacks against drupal.org. Additional issues included an authentication vulnerability that allows hackers to launch Man-in-the-Middle (MitM) attacks due to Drupal’s lack of authentication checks on the update process, allowing them to deliver backdoored versions of Drupal modules to compromise a website, among other vulnerabilities. Source

January 7, SecurityWeek – (International) WordPress 4.4.1 patches XSS vulnerability. WordPress released version 4.4.1, a security and maintenance update for its content management system (CMS) that resolves 1 vulnerability and 52 non-security issues; the security fix addresses a cross-site scripting (XSS) vulnerability that allowed hackers to compromise affected websites. Source

January 7, Help Net Security – (International) HTTPS Bicycle attack reveals password length, allows easier brute-forcing. A security researcher released a report detailing how a new attack, named the HTTPS Bicycle attack, can enable hackers to discover the length of a user’s password to a web application and make brute-force attacks against it easier, by analyzing a packet capture of the user’s Hypertext Transfer Protocol Secure (HTTPS) traffic together with the plaintext HTTP headers included in every request. The researcher offered preventative measures such as hashing or padding passwords to disguise their length. Source
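The length side channel described in the Bicycle item, and the two mitigations the researcher suggested, as an added example that is not code from the report or from the researcher. It assumes a constructed form-encoded login body, a constant per-record TLS overhead (OVERHEAD) standing in for an AEAD cipher that adds no length padding, and made-up usernames and passwords.

```python
import hashlib

OVERHEAD = 16  # constructed: fixed per-record cost (tag/header) of an AEAD TLS record

def login_body(username: str, password: str) -> bytes:
    """Form-encoded login POST body as a browser would send it (constructed)."""
    return f"username={username}&password={password}".encode()

def record_length(plaintext: bytes) -> int:
    """Simulated TLS record size: a stream/AEAD cipher adds no length padding,
    so ciphertext length is plaintext length plus a constant."""
    return len(plaintext) + OVERHEAD

def infer_password_length(observed: int, username: str) -> int:
    """What a passive observer learns when every other byte of the request is
    known: the observed record size minus the size of the fixed parts."""
    return observed - record_length(login_body(username, ""))

def padded_body(username: str, password: str, bucket: int = 64) -> bytes:
    """Mitigation 1: pad the body to the next multiple of `bucket` bytes with a
    dummy field, so the record size reveals only the bucket, not the length."""
    body = login_body(username, password) + b"&pad="
    fill = (-len(body)) % bucket
    return body + b"x" * fill

def hashed_body(username: str, password: str) -> bytes:
    """Mitigation 2: send a fixed-length digest instead of the raw password
    (the digest is then the credential the server must still hash and salt)."""
    digest = hashlib.sha256(password.encode()).hexdigest()  # always 64 chars
    return login_body(username, digest)

def lengths_leak(bodies) -> bool:
    """True if different bodies would produce different TLS record sizes."""
    return len({record_length(b) for b in bodies}) > 1

if __name__ == "__main__":
    plain = [login_body("alice", "hunter2"), login_body("alice", "correcthorsebatterystaple")]
    print("unpadded leaks length:", lengths_leak(plain))
    print("inferred length:", infer_password_length(record_length(plain[0]), "alice"))
    print("padded leaks length:", lengths_leak([padded_body("alice", "hunter2"),
                                               padded_body("alice", "correcthorsebatterystaple")]))
```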

January 7, The Register – (International) Mozilla warns Firefox fans its SHA-1 ban could bork their security. Mozilla advised users to update the Firefox web browser to the latest version, as users may lose access to websites with Secure Hash Algorithm 1 (SHA-1)-signed Secure Sockets Layer (SSL) certificates due to the company’s rejection of SHA-1-signed certificates, which could allow attackers to spy on users’ activities without their consent. The company reported that websites with SHA-1-signed certificates were blocked and could not be accessed. Source

January 6, SecurityWeek – (International) Backdoors not patched in many Juniper firewalls. A security researcher reported that Juniper Networks NetScreen devices were still vulnerable to firewall backdoors after an Internet-wide scan revealed that a total of 1,595 devices had potentially unpatched firewalls. The backdoors can be accessed with any username and the “<<<%s(un='%s') = %u” password. Source

January 6, Softpedia – (International) Facebook disabled page scam wants your credit card data, Facebook and PayPal credentials. Researchers from RNLI and Malwarebytes reported that a new scam has been tricking Facebook users into disclosing their Facebook login credentials, their PayPal credentials, and credit card details; it spreads via comments left on Facebook pages that demand that page owners open a link or have their pages disabled. Source

January 6, Softpedia – (International) Windows and Linux malware linked to Chinese DDoS tool. Researchers from Malware Must Die! reported that the malware, dubbed Linux/DDOSTF, primarily targets Linux systems running Elasticsearch servers, with some attacks against Microsoft Windows systems, via a PHP-MySQL webshell that abuses the Windows Management Instrumentation (WMI) infrastructure, enabling attackers to infiltrate the system, upload and execute malicious exploits, and gain system privileges on the infected machine. The malware is distributed as a malicious Executable and Linkable Format (ELF) binary and shares similarities with an older malware named JrLinux. Source

January 6, WGRZ 2 Buffalo – (National) Email and password breach at Time Warner. Time Warner Cable reported January 6 that approximately 320,000 of its customers may have had their email passwords stolen after login credentials were reportedly gathered through malware via phishing attacks or through data breaches of other companies that stored customer information. Source

January 7, Bloomberg News – (New York) Uber reaches accord with New York over tracking rider data. Uber Technologies Inc. and the New York attorney general reached a settlement agreement January 6 following allegations that company executives had access to riders’ location data via a geo-location system called “God View.” Uber pledged to encrypt rider location data and require special authentication to access customer information, as well as to pay a $20,000 penalty over a September 2014 data breach. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.