Posts

New Windows 0-Day Exploit Active

Google security officials are advising Windows users to ensure they’re using the latest version 10 of the Microsoft operating system to protect themselves against a “serious” unpatched vulnerability that attackers have been actively exploiting in the wild. Unidentified attackers have been combining an exploit for the unpatched local privilege escalation in Windows with one for a separate security flaw in the Chrome browser that Google fixed last Friday. While that specific exploit combination won’t be effective against Chrome users who are running the latest browser version, the Windows exploit could still be used against people running older versions of Windows. Google researchers privately reported the vulnerability to Microsoft, in keeping with its vulnerability disclosure policy. The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interactin...
Recent posts

Comcast Mobile Helping Attackers?

A bad security decision by Comcast on the company's mobile phone service made it easier for attackers to port victims' cell phone numbers to different carriers. Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took a shortcut in the system that lets users switch from Comcast to other carriers. To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly had set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim's Comcast account number could easily port the victim's phone number to another carrier. Comcast has indicated that the number-por...

Foldable Phones are the Future?

What's the hottest thing in smartphone tech today? Foldable smartphones. Yep, that's right. We have officially entered the Sci-Fi era, where screens now have no limits! Huawei, a smartphone manufacturing company based in China, has just announced a new smartphone to battle its rival Samsung's Galaxy Fold. The Huawei Mate X takes a totally different approach compared to Samsung's device, putting the display on the outside of the phone instead of on the inside, and this comes with a number of pros and cons. The Mate X has a massive 8-inch 2480×2200 OLED display that wraps around the phone body. When open, that's a bigger screen than the Galaxy Fold, which is only 7.3-inches. When closed, the Mate X's 8-inch display splits into a 6.6-inch, 2480×1148 display section on the front, and a 6.38-inch, 2480×892 section on the back. So you can decide which side of the phone you would like to use at any given time. Then, if you want something bigger, you just open up the main ...

Phishing for Facebook Users

Do you really pay attention to detail when you're browsing the web? You go to websites and enter in all sorts of personal information willingly and expect everything to work just fine as planned. Or so you would think. Phishers are deploying what appears to be a clever new trick to snag people’s Facebook passwords by presenting convincing replicas of single sign-on login windows on malicious sites, researchers said this week. Single sign-on (SSO) is a feature that allows people to use their accounts on other sites like Facebook, Google, LinkedIn, or Twitter to log in to third-party websites. SSO is designed to make things easier for both end users and websites. Rather than having to create and remember a password for hundreds or even thousands of third-party sites, people can log in using the credentials for a single site. Websites that don’t want to bother creating and securing password-based authentication systems need only access an easy-to-use programming interfac...

Has your Password been Breached? Google can Help!

Have you ever wanted to know just how "strong" your passwords really are? Maybe you want to know if your login credentials have been involved in a data breach? Well, Google now has a neat little Chrome Browser extension called "Password Checkup" that can check your credentials against their own database of compromised credentials. Awesome, right? It securely checks credentials used to log in to certain websites, whether they're manually entered or stored in Chrome's password manager, against hashed credentials stored in an encrypted database of billions of compromised accounts maintained by Google. Elie Bursztein, head of Google's anti-abuse research, says that the protocol behind the service is being presented as a standard for securely checking account security and that the interface may be offered as an open application interface in the future. What does this do for me? It is very important to NEVER share account information with anyone other than you...

Hidden Malware within Images Targets Mac Users

Researchers have uncovered a recent malicious advertisement campaign that’s notable for its size, scope, and resourcefulness. A two-day blitz, triggered as many as 5 million times per day, used highly camouflaged JavaScript stashed in images to install a trojan on visitors' Mac computers. The ads were served by a group that security firm Confiant calls VeryMal, a name that comes from veryield-malyst.com, one of the ad-serving domains the group uses. A run that was active from January 11 to January 13 on about 25 of the top 100 publisher sites triggered the image as many as 5 million times a day. In an attempt to bypass increasingly effective measures available to detect malicious ads, the images use steganography, which is the ancient practice of hiding code, messages, or other data inside images or text. The end goal of the attack is to deliver this malicious payload to users who visit the page using Mac OS. How does this work exactly? Well, a ...

U.S. Government Domains Hit by Hijacking Wave

An emergency directive from the Department of Homeland Security is ordering administrators of most federal agencies to protect their Internet domains against a plethora of attacks that have hit executive branch websites and email servers in the last few weeks. These attacks are directly targeting web, email traffic and possibly other network services using certain techniques that I have personally learned about recently in my IT 460 class. Some of the techniques are:
- The attacker begins by compromising user credentials, or obtaining them through alternate means, of an account that can make changes to DNS records.
- Next, the attacker alters DNS records, like Address, Mail Exchanger, or Name Server records, replacing the legitimate address of a service with an address the attacker controls. This enables them to direct user traffic to their own infrastructure for manipulation or inspection before passing it on to the legitimate service, should they choose. This creates a ris...