Opera’s code signing certificate gets compromised, resulting in malware getting pushed out via their automatic update system.
Plus the backdoor that ships in some high-end HP products, your questions, and much much more.
On this week’s TechSNAP!
Use our code tech249 to score .COM for $2.49!
- On June 19th Opera uncovered, halted and contained a targeted attack on their internal network infrastructure.
- There is no evidence of any user data being compromised.
- The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware.
- This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.
- It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.
- University of Illinois at Chicago has developed ‘CloudSweeper’
- Connects to your gmail account via oauth and scans all of your email
- Finds which accounts you have connected to your gmail
- If an attacker were to compromise your gmail account, they could reset the passwords for and gain control over all of these accounts
- The service uses an index of the value of these accounts from various underground forums
- Tells you how much your gmail account would be worth to an attacker
- Finds services such as: Amazon, Apple, Groupon, Hulu, Newegg, Paypal, Skype, UPlay and Yahoo
- Optionally, it can also scan your email for plain text passwords in emails
- If found, CloudSweeper can connect to gmail via IMAP and edit these emails, either removing the password entirely (redacting) or encrypting it (replacing it with an encrypted string), then provides you with a decryption key (a long string of text, or a QR code for simplicity)
- If you ever need to decrypt the password, you return to CloudSweeper and scan the QR code
- Krebs on Naming and Shaming Plain Text Passwords
- PasswordFail.com – Browser extension to warn you before you sign up
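The scan, redact and encrypt workflow from the CloudSweeper item above, as an added illustration that is not CloudSweeper's own code: it stands in a regex heuristic for "password: ..." lines and a per-secret one-time pad (both assumptions) for the real tool's OAuth/IMAP plumbing, and runs on constructed sample messages.

```python
import base64
import re
import secrets

# Constructed sample messages (not real mail) in the style CloudSweeper scans for.
SAMPLE_EMAILS = [
    "Welcome to ExampleShop! Your username is alice and your password is: Tr0ub4dor&3",
    "Meeting moved to 3pm, see you there.",
    "Reset complete. Password: hunter2 (please change it after login)",
]

# Heuristic for "password is: xxx" / "Password: xxx"; group 1 is the label, group 2 the secret.
PASSWORD_RE = re.compile(r"(password(?:\s+is)?\s*[:=]\s*)(\S+)", re.IGNORECASE)
TOKEN_RE = re.compile(r"ENC\[([A-Za-z0-9_=-]+)\]")


def find_plaintext_passwords(body):
    """Return the candidate password strings found in one message body."""
    return [m.group(2) for m in PASSWORD_RE.finditer(body)]


def redact(body):
    """Redaction mode: drop the secret entirely, keep the surrounding text."""
    return PASSWORD_RE.sub(lambda m: m.group(1) + "[REDACTED]", body)


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def encrypt_in_place(body):
    """Encryption mode: replace each secret with ENC[...]; return (new_body, key_string).
    Each secret gets a fresh random key of its own length (a one-time pad), so the key
    string handed back to the user is the only way to recover the passwords."""
    keys = []

    def repl(m):
        secret = m.group(2).encode()
        key = secrets.token_bytes(len(secret))
        keys.append(base64.urlsafe_b64encode(key).decode())
        return m.group(1) + "ENC[" + base64.urlsafe_b64encode(_xor(secret, key)).decode() + "]"

    return PASSWORD_RE.sub(repl, body), ":".join(keys)


def decrypt_in_place(body, key_string):
    """Reverse encrypt_in_place given the key string (what the QR code would carry)."""
    keys = iter(base64.urlsafe_b64decode(k) for k in key_string.split(":") if k)
    return TOKEN_RE.sub(lambda m: _xor(base64.urlsafe_b64decode(m.group(1)), next(keys)).decode(), body)
```

The key string must be stored outside the mailbox; if it lives in the same account, an attacker who reads the mail can undo the encryption.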
- HP announced that their D2D/StoreOnce deduplication backup products contained a flaw
- It seems there is an undocumented support user, named ‘HPSupport’, with a fixed 7 character password
- That means that if a person were to brute force that password, they would have SSH access to every StoreOnce device deployed around the world
- It just so happens that this is what someone has done, and they have even been helpful enough to provide the SHA1 hash of the password, so with a little effort, everyone else can brute force the password too
- HP will release a patch to disable this account on July 7th
- “In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”
- Full Disclosure researcher
HP Said: “HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix.”
In December 2010, a similar problem was exposed with some HP NAS devices
Project Morris from the chat room (a frequent contributor) writes in: I was just wondering if you could make this evenings show extra BIG as today is my birthday.
FreeNAS 9.1-BETA released, based on FreeBSD 9-STABLE. Latest and greatest ZFS features including LZ4 compression (better compression with less CPU time), ZFS TRIM support, improvements to disk encryption and overhauled plugin jails (with a fancy GUI editor for PC-BSD)
Co-Founder of FreeBSD, Jordan Hubbard, leaves Apple after 12 years to return to working with FreeBSD full time at iXsystems – Focus on FreeNAS/TrueNAS and new products – Happy 20th Anniversary FreeBSD
- Use of Tor and e-mail crypto could increase chances that NSA keeps your data
- Political groups not the only ones targeted for IRS attention, Open Source Foundations were targeted as well
- Design student tries to push ‘NSA Proof’ Crypto-font, that isn’t crypto
- EU creates new rules for ISPs and Telcos: they must report the full nature and size of a breach to national data protection authorities within 24 hours; where this is not possible, an initial report must be made, with full details to follow within 72 hours
- Facebook accidentally exposes over 6 million users’ phone numbers and email addresses over the last year (details of friends were added to your address book, even if the privacy settings were not supposed to allow you access to that information)
- Java 6 EOL (no more updates unless you pay for support from Oracle)
- Fixing your NAS by using Open Source