Malwarebytes found to have four vulnerabilities
Malwarebytes, a free anti-malware tool with 250 million users, has been exposed as having four vulnerabilities. The main one described involves the software fetching signature updates via unencrypted HTTP, which could allow an attacker to mount a man-in-the-middle attack. The vulnerabilities are the latest in a series of discoveries by Google’s Project Zero researcher Tavis Ormandy, who has recently been disclosing a range of vulnerabilities in antivirus software. Malwarebytes have said that they expect to have a patch ready within 3-4 weeks.
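As an added illustration of the mitigation this item implies (this is not Malwarebytes’ code and not from the original article): an updater that refuses plaintext update URLs and verifies a signed manifest before applying a signature-database update, so that bytes altered in transit by a network attacker are rejected. HMAC-SHA256 stands in for the asymmetric signature (e.g. Ed25519) a real vendor would verify with a shipped public key; the key, manifest and payload below are constructed for the demo.

```python
"""Update-channel hardening demo: refuse plaintext transport and verify a
signed manifest before applying a signature-database update.

HMAC-SHA256 stands in for the asymmetric signature a real vendor would use;
the key, manifest and payload are constructed for this example."""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed demo key. A real client would hold only the vendor's public key.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def is_secure_update_url(url: str) -> bool:
    """Only HTTPS with a hostname is acceptable for fetching updates."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def canonical_manifest(manifest: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(version: int, files: dict) -> dict:
    """Vendor side: record the SHA-256 of every update file."""
    return {"version": version,
            "files": {name: hashlib.sha256(data).hexdigest()
                      for name, data in files.items()}}


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: sign the canonical manifest (hex digest)."""
    return hmac.new(key, canonical_manifest(manifest), hashlib.sha256).hexdigest()


def verify_update(name: str, payload: bytes, manifest: dict, signature: str,
                  key: bytes = VENDOR_KEY) -> bool:
    """Client side: accept payload only if the manifest signature is valid
    and the payload digest matches the manifest entry for `name`."""
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        return False  # manifest forged or altered in transit
    entry = manifest.get("files", {}).get(name)
    if entry is None:
        return False  # file not covered by the signed manifest
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, entry)


def demo() -> dict:
    """Genuine update passes; an in-transit modification is rejected;
    a plaintext update URL is refused before any fetch happens."""
    payload = b"constructed signature database v1"
    manifest = build_manifest(1, {"rules.db": payload})
    sig = sign_manifest(manifest)
    tampered = payload + b" + injected rule"  # what a MITM might splice in
    return {
        "genuine": verify_update("rules.db", payload, manifest, sig),
        "tampered_payload": verify_update("rules.db", tampered, manifest, sig),
        "http_url_allowed": is_secure_update_url("http://updates.example/rules.db"),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are independent on purpose: TLS protects the channel, while the signed manifest protects the content even if the channel or a mirror is compromised, so a client should do both rather than rely on either alone.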
eBay refuse to patch ‘severe’ vulnerability
EU and US strike new data sharing agreement
A new pact has been made and outlined between the EU and US, to allow continued sharing of data. It’s been dubbed ‘Privacy Shield’ and basically consists of an annual assurance from the US that they will not carry out surveillance of European citizens. This comes just months after the similar ‘Safe Harbor’ agreement was declared invalid by the European Court of Justice. Such an agreement is needed to protect European data when it’s shared with companies in the US, as in the US the data protection regulations are far less stringent. The pact does immediately cover US companies but is yet to gain full political approval, which could take months.
Vulnerabilities found in two children’s IoT products
Two new flaws in internet-connected ‘smart’ toys have been revealed. Both flaws involve the web service authentication process and could give attackers access to children’s personal information. The affected toys were a smart teddy bear from Fisher Price and a smartwatch by toy company HereO. Both manufacturers have since fixed the vulnerabilities.
NASA hacked as attackers attempt to crash drone
Hacktivism group Anonsec have again been targeting NASA, this time managing to gain control of a $222m drone. Fortunately, NASA employees managed to take manual control of the drone before it could be crashed into the sea. Anonsec have been targeting NASA for some time, already releasing 276GB of stolen data including personal employee information. The group have even gone so far as to publish details about how they gained access to NASA. After purchasing some insider knowledge of NASA servers, they pentested the network and then managed to break the Admin SSH password in under 1 second before using a hidden packet sniffing tool. NASA themselves are denying that a successful hack took place or that there was any threat to the drone.
Oracle ditches Java plugin for security reasons
Some good news in Java security: Oracle have announced that the next version of their Java software will drop support for Java Applets in the user’s web browser. As described by security reporter Brian Krebs, Java plugins have been widely exploited by attackers for ‘drive-by’ malware downloads, as many users have outdated versions of the plugins. Considering 89% of machines in the US run Java in some form, this is a hugely effective form of attack. In 2013 for example, the Flashback Trojan exploited Java plugins to enroll more than 600k Mac OS machines in a huge botnet. Until the new version is released, it’s important that users either keep their plugin updated or remove it altogether.
Troy Hunt picks holes in Waitrose’s website security