{"id":14959,"date":"2014-05-30T17:13:53","date_gmt":"2014-05-30T17:13:53","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=1946"},"modified":"2020-02-26T10:50:59","modified_gmt":"2020-02-26T15:50:59","slug":"information-security-digest-may-14","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/information-security-digest-may-14\/14959\/","title":{"rendered":"Information security digest: May&#8217;14"},"content":{"rendered":"<p>May 2014 proved to be extremely stormy and volatile with regard to information security: still overshadowed by Heartbleed and the \u201cofficial demise\u201d of Windows XP in April, it brought plenty of trouble of its own.<\/p>\n<p><strong>Backbones tapped<\/strong><\/p>\n<p>Probably the most serious incident disclosed late in May came from eBay, Inc. The company acknowledged that its database had been compromised two months prior to the announcement, and that it had only discovered the break-in a week before.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Attacks on eBay and PayPal \u2013 backbones of the world\u2019s e-commerce \u2013 are always worrisome.<\/p><\/blockquote>\n<p>eBay insisted financial data had not been compromised. Still, the intruders hauled away personal data. The situation is described in detail in our blog <a href=\"https:\/\/business.kaspersky.com\/a-confirmed-ebay-leak-another-password-alert\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/p>\n<p>It\u2019s important to mention that this disclosure coincided with another announcement from eBay-owned PayPal (and somewhat overshadowed it). 
PayPal <a href=\"http:\/\/www.net-security.org\/secworld.php?id=16904\" target=\"_blank\" rel=\"noopener nofollow\">reported<\/a>\u00a0that it has finally plugged the hole in its Manager portal. The bug could have made it easy for an attacker to hijack an admin\u2019s account, change their password, and steal their personal information \u2014 not to mention their savings.<\/p>\n<p>Manager is a feature of the service that allows users to manage their Payflow account, the company\u2019s name for the gateway merchants use to take payments from customers. A detailed description of the bug is available <a href=\"https:\/\/threatpost.com\/paypal-fixes-serious-account-hijacking-bug-in-manager\/106117\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>, and potentially it\u2019s very dangerous.<\/p>\n<p>To a high degree both eBay and PayPal (especially PayPal) are backbones of the world\u2019s e-commerce. Even if hackers fail to retrieve financial data, any degree of success with attacks against them is always troubling. If their defenses are penetrated, then how secure are other e-commerce providers and portals?<\/p>\n<p><strong>Microsoft\u2019s bugfest<\/strong><\/p>\n<p>Microsoft is still in hot water after Windows XP support was cut off in April.<\/p>\n<p style=\"text-align: left\">It didn\u2019t take long for cybercriminals to find and start using a new zero-day in Internet Explorer, which affected all versions of the browser since IE 6 and all versions of Windows, including XP. After some consideration Microsoft made the tough decision to issue the IE patch for the remaining Windows XP users too, \u201cas an exception\u201d. 
Which was met with, let\u2019s say, <a href=\"https:\/\/business.kaspersky.com\/ie-0day-and-windows-xp-microsofts-tough-decision\/\" target=\"_blank\" rel=\"noopener nofollow\">\u201cmixed reviews\u201d.<\/a> Some view this step as a reluctance of private and business users to move away from an antique and insecure (even though much loved) operating system, still used by millions around the world. A handful of attacks involving new exploits targeting Windows XP users had been reported. This might have influenced Microsoft\u2019s decision to make \u201can exception\u201d.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/05\/06020014\/ie-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-1948\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/05\/06020014\/ie-1.png\" alt=\"ie\" width=\"800\" height=\"600\"><\/a><\/p>\n<p>A week later Microsoft bulk-patched a total of 13 security issues in Internet Explorer and SharePoint Server, along with Windows, Office and its .NET Framework. 
It was the largest patch package of 2014 so far,\u00a0<a href=\"https:\/\/threatpost.com\/microsoft-adobe-issue-critical-fixes-for-may-2014-patch-tuesday\/106062\" target=\"_blank\" rel=\"noopener nofollow\">covering some very serious issues<\/a> \u2013 and how can they be not-so-serious given the world-dominant position of Microsoft Windows and Office and the ubiquity of .NET?<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Given the Microsoft software\u2019s dominant position, its security issues affect many people.<\/p><\/blockquote>\n<p>Unfortunately, less than two weeks later Microsoft was <a href=\"https:\/\/threatpost.com\/another-internet-explorer-zero-day-surfaces\/106223\" target=\"_blank\" rel=\"noopener nofollow\">badly hit by the disclosure of an IE8 zero-day vulnerability by HP\u2019s Zero Day Initiative<\/a>. The vulnerability could enable an attacker to run arbitrary code on vulnerable machines via drive-by downloads or malicious attachments in email messages. ZDI reported the bug to Microsoft quite some time ago: according to its own policy, it discloses vulnerability details after 180 days if the vendor hasn\u2019t produced a patch. And the vendor hasn\u2019t.<\/p>\n<p>For some reason Microsoft remained tight-lipped even after the public disclosure. It acknowledged the problem, said that some fixes are more complex than others and that the problem was being dealt with, but provided no details on how soon it would be patched. 
This led to a predictable slamfest across the Web: the vulnerability had gone without a patch for a little too long.<\/p>\n<p><strong>Bitly beetled<\/strong><\/p>\n<p>The link-shortening service Bitly <a href=\"https:\/\/threatpost.com\/bitly-compromised-users-urged-to-change-passwords\/106006\" target=\"_blank\" rel=\"noopener nofollow\">announced<\/a> that it\u2019s ramping up its development of two-factor authentication following a compromise that leaked user information.<\/p>\n<p>The breach, first <a href=\"http:\/\/blog.bitly.com\/post\/85169217199\/urgent-security-update-regarding-your-bitly-account\" target=\"_blank\" rel=\"noopener nofollow\">discovered in mid-May<\/a>, spilled users\u2019 email addresses, encrypted (salted and hashed) passwords, API keys and OAuth tokens.<\/p>\n<p>The service invalidated those credentials shortly after discovering the compromise Thursday, meaning that if users used either Facebook or Twitter to share shortened URLs, they\u2019ll have to reconnect them the next time they log in if they want to publish through them.<\/p>\n<p>Bitly is a good and widely used tool for shortening links (which is especially relevant on Twitter with its 140-character limit), which ensures its popularity. According to some data, Bitly shortens more than one billion links per month. It doesn\u2019t charge its users for the services it provides, so there was no risk of direct financial loss. Still, identifiable personal data are in high demand among cybercriminals plotting phishing campaigns, so by no means was this incident \u201charmless\u201d.<\/p>\n<p><strong>Apple Ransompie<\/strong><\/p>\n<p style=\"text-align: left\">A number of iPhone, iPad and Mac users, largely confined to Australia, discovered late in May that their devices had been \u201ctaken hostage\u201d, with someone under the alias \u201cOleg Pliss\u201d demanding money for the unlocking code. 
At first this might look ridiculous: iOS-based devices and ransomware, which is closely associated with PCs and Android?<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/05\/06020013\/ios-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-1949\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/05\/06020013\/ios-1.png\" alt=\"ios\" width=\"800\" height=\"531\"><\/a><\/p>\n<p>Well, actually it seems there wasn\u2019t any real ransomware infecting the devices. Someone abused the Find My Phone function using stolen end-user credentials. It\u2019s unclear where those credentials came from. Most likely the source is hacked or social-engineered iCloud accounts. Apple was quick to acknowledge the problem with remote locking but denied that it had anything to do with iCloud:<\/p>\n<p><em>\u201cApple takes security very seriously and iCloud was not compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.\u201d<\/em> (<a href=\"http:\/\/www.zdnet.com\/icloud-not-compromised-in-apple-id-attack-apple-7000029914\/\" target=\"_blank\" rel=\"noopener nofollow\">via ZDNet<\/a>).<\/p>\n<p>Kaspersky Lab Expert Christian Funk said that criminals have been deploying phishing attacks to compromise Apple IDs for a couple of years now. 
Last year,\u00a0<a href=\"https:\/\/www.securelist.com\/en\/blog\/8108\/Apple_of_discord\" target=\"_blank\" rel=\"noopener nofollow\">Securelist released a research article<\/a> in which another Kaspersky Lab researcher explained that attackers could launch ransomware campaigns against iOS and Mac devices by accessing iCloud accounts.<\/p>\n<p>The increasing number of attacks against iOS-based devices is an unpleasant but not entirely unexpected development: they are popular enough to attract criminals, and at the same time iOS is still considered safe from malware. While it is indeed safer from the common PC and tablet\/phone threats, it is not entirely immune. The incidents described above prove it.<\/p>\n<p><strong>Alone on Spotify<\/strong><\/p>\n<p style=\"text-align: left\">Spotify reported a security breach and requested that the users of its Android app change their passwords. Spotify\u2019s CTO Oskar Stal wrote on the company\u2019s <a href=\"https:\/\/support.spotify.com\/us\/problems\/#!\/article\/downloading-android-update\" target=\"_blank\" rel=\"noopener nofollow\">website<\/a> that the company is investigating unauthorized access to its systems and internal company data. 
He also wrote that certain users will be asked to reset their passwords.<\/p>\n<p style=\"text-align: left\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/05\/06020013\/spotify-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-1950\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/05\/06020013\/spotify-1.png\" alt=\"spotify\" width=\"800\" height=\"606\"><\/a><\/p>\n<p style=\"text-align: center\"><a href=\"http:\/\/www.shutterstock.com\/gallery-809503p1.html?cr=00&amp;pl=edit-00\" target=\"_blank\" rel=\"noopener nofollow\">Twin Design<\/a> \/ <a href=\"http:\/\/www.shutterstock.com\/?cr=00&amp;pl=edit-00\" target=\"_blank\" rel=\"noopener nofollow\">Shutterstock.com<\/a><\/p>\n<p><em>\u201cOur evidence shows that only one Spotify user\u2019s data has been accessed and this did not include any password, financial or payment information\u2026 We have contacted this one individual. Based on our findings, we are not aware of any increased risk to users as a result of this incident,\u201d <\/em>Stal wrote.<\/p>\n<p style=\"text-align: left\">Spotify is limiting updates to only its Android users and is not recommending any action for iOS and Windows Phone users. Moreover, it preferred not to disclose anything further. This led to an \u201ceducated guess\u201d from the experts that there must have been some sort of a proof-of-concept attack demonstrated to Spotify teams, prompting them to take wider-than-expected action. If so, this is a good example of responsible reaction to a problem. Then again, it\u2019s all guesswork so far. Spotify decided to not disclose any details.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>May 2014 appears to be very stormy and volatile in regards to information security. 
Still overshadowed by Heartbleed and Windows XP &#8220;official demise&#8221; from April, it has brought a lot of troubles on its own.<\/p>\n","protected":false},"author":209,"featured_media":16136,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[251,93,282,2101,25,38,104,97,686],"class_list":{"0":"post-14959","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-corporate-security","10":"tag-cybercriminals","11":"tag-cybersecurity","12":"tag-ebay-breach","13":"tag-internet-explorer","14":"tag-microsoft","15":"tag-paypal","16":"tag-security-2","17":"tag-spotify"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/information-security-digest-may-14\/14959\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/information-security-digest-may-14\/14959\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/information-security-digest-may-14\/14959\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/corporate-security\/","name":"corporate 
security"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14959"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14959\/revisions"}],"predecessor-version":[{"id":33155,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14959\/revisions\/33155"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16136"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}