Security

Identity protection outfit LifeLock picked, popped

Refer-a-friend page gets new 'feature'

Darren Pauli Wed 1 Jul 2015 // 01:14 UTC

Security researchers Eric Taylor and Blake Welsh have disclosed a cross-site scripting vulnerability in US identity protection company LifeLock.

The duo from US outfit Cinder say the vulnerability allows attackers to target the company's three million users with malware and phishing attacks, session jacking, among other acts.

The holes target the refer-a-friend portal of the site.

"All of LifeLock’s 3,000,000-plus customers, including potential customers from the referral system, were left vulnerable to a slew of attacks, including phishing campaigns, session hijacking, and malware and spam campaigns, and many other forms of cross-site scripting based attacks," Welsh told EL Reg.

LifeLock issued a patch for the flaw soon after disclosure hours ago. It is unknown if it has been exploited by malicious actors,

Cross-site scripting vulnerabilities are some of the most common yet still dangerous net scourges around allowing attackers to take advantage of lax validation to inject malicious scripts into input fields. Those scripts can target users stealing cookies, tokens, and a host of other sensitive data sets.

The Open Web Application Security Project has a cheat sheet containing pointers for identifying and closing XSS flaws.

Similar topics

Security

Narrower topics

Corrections Send us news

Other stories you might like

Cisco warns of security holes in its security appliances

Bugs potentially useful for rogue insiders, admin account hijackers

Jessica Lyons Hardcastle Wed 22 Jun 2022 // 20:16 UTC

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances.
The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.
This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.

Continue reading
Azure issues not adequately fixed for months, complain bug hunters

Redmond kicks off Patch Tuesday with a months-old flaw fix

Jessica Lyons Hardcastle Tue 14 Jun 2022 // 13:30 UTC

Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.
In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January.
And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse.

Continue reading
Microsoft fixes under-attack Windows zero-day Follina

Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

Jessica Lyons Hardcastle Wed 15 Jun 2022 // 03:02 UTC

Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.
Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.
Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

Continue reading

Inside the RSAC expo: Buzzword bingo and the bear in the room

We mingle with the vendors so you don't have to

Jessica Lyons Hardcastle Tue 14 Jun 2022 // 07:28 UTC

RSA Conference Your humble vulture never liked conference expos – even before finding myself on the show floor during a global pandemic. Expo halls are a necessary evil that are predominatly visited to find gifts to bring home to the kids.
Do organizations really choose security vendors based on a booth? The whole expo hall idea seems like an outdated business model – for the vendors, anyway. Although the same argument could be made for conferences in general.
For the most part, all of the executives and security researchers set up shop offsite – either in swanky hotels and shared office space (for the big-wigs) or at charming outdoor chess tables in Yerba Buena Gardens. Many of them said they avoided the expo altogether.

Continue reading
CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure

Nearly 60 holes found affecting 'more than 30,000' machines worldwide

Jessica Lyons Hardcastle Tue 21 Jun 2022 // 04:01 UTC

Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers.
Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries.
The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

Continue reading
1Password's Insights tool to help admins monitor users' security practices

Find the clown who chose 'password' as a password and make things right

Thomas Claburn in San Francisco Tue 21 Jun 2022 // 13:00 UTC

1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.
Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.
"We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

Continue reading

Cisco EVP: We need to lift everyone above the cybersecurity poverty line

It's going to become a human-rights issue, Jeetu Patel tells The Register

Jessica Lyons Hardcastle Mon 6 Jun 2022 // 22:50 UTC

RSA Conference Exclusive Establishing some level of cybersecurity measures across all organizations will soon reach human-rights issue status, according to Jeetu Patel, Cisco EVP for security and collaboration.
"It's our civic duty to ensure that everyone below the security poverty line has a level of safety, because it's gonna eventually get to be a human-rights issue," Patel told The Register, in an exclusive interview ahead of his RSA Conference keynote.
"This is critical infrastructure — financial services, health care, transportation — services like your water supply, your power grid, all of those things can stop in an instant if there's a breach," he said.

Continue reading
Info on 1.5m people stolen from US bank in cyberattack

Time to rethink that cybersecurity strategy?

Jessica Lyons Hardcastle Tue 21 Jun 2022 // 20:53 UTC

A US bank has said at least the names and social security numbers of more than 1.5 million of its customers were stolen from its computers in December.
In a statement to the office of Maine's Attorney General this month, Flagstar Bank said it was compromised between December and April 2021. The organization's sysadmins, however, said they hadn't fully figured out whose data had been stolen, and what had been taken, until now. On June 2, they concluded criminals "accessed and/or acquired" files containing personal information on 1,547,169 people.
"Flagstar experienced a cyber incident that involved unauthorized access to our network," the bank said in a statement emailed to The Register.

Continue reading
Microsoft Defender goes cross-platform for the masses

Redmond's security brand extended to multiple devices without stomping on other solutions

Richard Speed Fri 17 Jun 2022 // 15:30 UTC

Microsoft is extending the Defender brand with a version aimed at families and individuals.
"Defender" has been the company's name of choice for its anti-malware platform for years. Microsoft Defender for individuals, available for Microsoft 365 Personal and Family subscribers, is a cross-platform application, encompassing macOS, iOS, and Android devices and extending "the protection already built into Windows Security beyond your PC."
The system comprises a dashboard showing the status of linked devices as well as alerts and suggestions.

Continue reading
RubyGems polishes security practices with multi-factor authentication push

Faced with rising software supply-chain attacks, package registries are locking things down

Thomas Claburn in San Francisco Thu 16 Jun 2022 // 10:29 UTC

Slowly but surely, software package registries are adopting multi-factor authentication (MFA) to reduce the risk of hijacked accounts, a source of potential software supply chain attacks.
This week, RubyGems, the package registry serving the Ruby development community, said it has begun showing warnings through its command line tool to those maintainers of the hundred most popular RubyGems packages who have failed to adopt MFA.
"Account takeovers are the second most common attack on software supply chains," explained Betty Li, a member of the Ruby community and senior front end developer at Shopify, in a blog post. "The countermeasure against this type of attack is simple: enabling MFA. Doing so can prevent 99.9 percent of account takeover attacks."

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs