Vulnerabilities


DNSSEC Usage Expands

According to research released by Infoblox and The Measurement Factory, there has been a dramatic increase in the percentage of external name servers that are open to recursion. The study put the latest figure at 79.6 percent, a 27 percent increase from 2007. The number of DNSSEC signed zones increased by roughly 300 percent – indicating that DNSSEC is gaining momentum. However, in raw numbers the amount of DNSSEC signed zones is
miniscule next to the total number of zones out there. Read the full article. [eWEEK]

iPhone, Android, Others Get Man in the Middle Treatment

Security researchers have released a paper detailing successful man-in-the-middle attacks against several smartphones. The SSL enabled log in sessions on the tested, Nokia N95, HTC Tilt, Android G1 and iPhone 3GS devices was sniffed using the publicly available SSLstrip tool, with the attack taking place over insecure Wi-Fi network, now prevalent literally everywhere. Read the full article. [ZDNet]

Verizon Wireless Customers Beware of Trojan Horse

Cyber-criminals have started preying on Verizon
Wireless customers, sending out spam e-mail messages that say their
accounts are over the limit and offering them a “balance checker”
program to review their payments. The e-mail messages, which
look like they come from Verizon Wireless, are fakes; the balance
checker is actually a malicious Trojan horse program. Read the full article. [Computerworld]


The WordPress developers have released security update 2.8.6 to fix two vulnerabilities. WordPress users are advised to install the update as soon as possible if untrusted authors can add content and upload images. At least one of the bugs allows attackers to inject and execute arbitrary PHP code on the server. There appears to be issues, however, with Apache web servers in the new update. Read the full article [The H Security]

Scientists at Microsoft Research have unveiled a new way to secure complex Web applications by effectively cloning the user’s browser and running it remotely. Many of the latest Web applications split their executable code between the server and the client. The problem is detecting whether the code running on the user’s home PC has been compromised in some way. The new Microsoft solution, known as Ripley, was announced on Tuesday at the Association for Computing Machinery’s Computer and Communications Security Conference in Chicago. Read the full article. [MIT Technology Review]

Hackers can exploit
a flaw in Adobe’s Flash to compromise nearly every Web site that allows
users to upload content, including Google’s Gmail, then launch silent
attacks on visitors to those sites, security researchers said today. Adobe
did not dispute the researchers’ claims, but said that Web designers
and administrators have a responsibility to craft their applications
and sites to prevent such attacks. Read the full article. [Computerworld] Read the research. [Foreground Security]

WASHINGTON–There has been a big push in recent years in the security community toward metrics, and measurements of all types have become a hot topic in certain corners of the industry. But measurement for measurement’s sake is useless-and perhaps even counterproductive–if the security team in an organization doesn’t define its goals and parameters ahead of time, experts say.

A new spam campaign is targeting a financial transfer system that
handles trillions of dollars in transactions annually and has proved to
be a fertile target of late for online fraudsters. The spam
messages pretend to come from the National Automated Clearing House
Association (NACHA), a U.S. nonprofit association that oversees the
Automated Clearing House system (ACH). Read the full article. [Computerworld]

Researchers from the Swiss Federal Institute of Technology in Zurich and the French National Institute for Research in Computer Science and Control
have now developed a scheme for protecting implantable medical devices
against wireless attacks. The approach relies on using ultrasound waves
to determine the exact distance between a medical device and the
wireless reader attempting to communicate with it.  Read the full story [Technology Review]

Researchers at the University of Pennsylvania say they’ve discovered a
way to circumvent the networking technology used by law enforcement to
tap phone lines in the U.S.The flaws they’ve found “represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial,” the researchers say in their paper, set to be presented today at a computer security conference in Chicago. Read the full article. [PC World]

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.