Security & Privacy

Oracle databases easy to hack, says researcher

A researcher showed today that Oracle's databases could be hacked with brute-force attacks using only the database's name and a username, according to Kaspersky Lab Security News.

Esteban Martinez Fayo, who works for AppSec Inc., was demonstrating his discovery at a security conference in Argentina and said that within just five hours on a regular PC using a special tool he could hack through easy passwords and access users' data.

"It's pretty simple," Martinez Fayo told the security blog Dark Reading. "The attacker just needs to know a valid username in the database, and … Read more

Cyberspying effort drops 'Mirage' on energy firms

Researchers have uncovered a new cyberespionage campaign being waged on a large Philippine oil company, a Taiwanese military organization and a Canadian energy firm, as well as targets in Brazil, Israel, Egypt and Nigeria.

The malware being used is called "Mirage" and it leaves a backdoor on the computer that waits for instructions from the attacker, said Silas Cutler, a security researcher at Dell SecureWorks' Counter Threat Unit (CTU).

Victims are carefully targeted with so-called "spear-phishing" e-mails with attachments that are "droppers" designed to look and behave like PDF documents. However, they are actually … Read more

iOS 6 allows tweets, Facebook posts from locked device

Upgrading to iOS 6? Be careful about leaving your locked iPhone unattended unless you change some settings. Otherwise an unscrupulous stranger could order Siri to send tweets and Facebook posts from your account that you didn't make -- even if your phone is locked.

Apple has added the ability for Siri to interact with Twitter and Facebook from the lock screen, just like you can use Siri to send text messages and e-mails and make calls on a locked device running iOS 5. If you don't want Siri to conduct these sorts of activities while the device is … Read more

Japanese Web sites attacked in tense dispute with China

A tense territorial dispute with China has triggered cyberattacks, according to Japan-based reports.

Web sites at 19 Japanese banks and universities, among other institutions, have been hit with attacks in the wake of Japan's nationalization of the Senkaku Islands on September 11, according to Kyodo News Agency and other reports.

The Web site of the Internal Affairs and Communications Ministry statistics bureau, for example, has come under a distributed denial of service (DDoS) attack, Kyodo said.

Tohoku University, an elite science and engineering university, has also been targeted, Kyodo said.

It's not clear who's behind the attacks. … Read more

Facebook plug-in helps people control their data

Facebook today launched a plug-in for Web app developers to use that gives people greater control over what activities of theirs are shared back with Facebook to be broadcast to their friends.

Currently, when people use apps like Spotify that are linked to their Facebook accounts, they have to go to Facebook to change the privacy settings if they don't want to spam all their Facebook friends with the latest song they are listening to. But if developers add the "Shared Activity" plug-in to their apps, users can control the privacy settings related to what is shared … Read more

iPhone 4S, Samsung Galaxy S3 hacked in contest

Dutch and British hackers compromised an iPhone 4S and a Samsung Galaxy S3, respectively, in separate gambits as part of a mobile Pwn2Own contest at a security conference in Amsterdam this week.

Joost Pol, chief executive officer of Dutch research firm Certified Secure, and colleague Daan Keuper created an exploit that allowed them to hijack the address book, photos, browsing history and videos from a fully patched iPhone 4S at the EuSecWest conference, according to CNET sister site ZDNet. And that effort has implications for Apple's new iPhone 5.

"We specifically chose this one because it was present … Read more

Microsoft issues fix for IE hole; full update coming Friday

Microsoft today released so-called "Fix It" software that will protect Windows users from a critical Internet Explorer hole being exploited in attacks until the company releases a cumulative update for IE on Friday.

The Fix It tool "is an easy, one-click solution that will help protect your computer right away. It will not affect your ability to browse the Web, and it does not require a reboot of your computer," Yunsun Wee, Trustworthy Computer Director at Microsoft, said in a blog post. "This will not only reinforce the issue that the Fix It addressed, but … Read more

Chase site hiccups following similar Bank of America issues

The main site for Chase bank was temporarily inaccessible for some today, one day after Bank of America's online banking site had intermittent outages.

"*ALERT* Chase Online is working, though some customers may not get in on the first try. We appreciate your patience as we work through this," the Chase Twitter account tweeted this afternoon.

This morning the message was: "Chase.com is experiencing intermittent issues. We're working to restore full connectivity and apologize for any inconvenience." CNET was unable to access the consumer banking site, Chase.com, but able to get to … Read more

Bromium secures computers by holding apps in isolation

Some of the minds behind virtualization technology used by Amazon Web Services are launching new security software today called Bromium, which is designed to protect against attacks by keeping apps and their individual tasks separate from the operating system.

While traditional antivirus software prevents known malware from infecting machines, and firewalls block unauthorized packets from getting into the network, there isn't really a good solution for the biggest problem in security today -- the naive end user. An unwise click on a malicious attachment or URL is often the easiest way into an organization's network.

"We're … Read more