Yahoo

Facebook, Yahoo Fix Valuable security Holes

February 13th, 2013

Both Facebook and Yahoo! recently fixed security holes that let hackers hijack user accounts. Interestingly, access to methods for exploiting both of the flaws appears to have been sold by the same miscreant in the cybercrime underground.

According to Softpedia, Facebook has addressed a serious vulnerability after being notified by independent security researcher Sow Ching Shiong.

“The security hole allowed hackers to change the passwords of accounts they had compromised without knowing the old passwords. Whenever users change the password that protects their Facebook account, they’re required to enter the current password before they can set the new one. However, the expert found that cybercriminals could change a user’s password without knowing the old one by accessing the “https://www.facebook.com/hacked” URL, which automatically redirected to the compromised account recovery page.”

Information obtained by KrebsOnSecurity indicates that this “exploit” was being sold to a handful of members of an elite underground forum for $4,000 per buyer. The individual selling the exploit is the same hacker that I reported last year as selling access to a vulnerability in Yahoo!  that let attackers hijack email accounts.

In late November 2012, I wrote about a cross-site scripting (XSS) vulnerability in Yahoo! thatwas being sold for $700 in the underground by an Egyptian hacker named TheHell. Shortly after that story, the hacker changed his nickname, but continued selling the exploit. Earlier this week, The Wall Street Journal‘s AllThingsD blog reported that Yahoo! had fixed the flaw I pictured in the video from that blog post.

“Web giant Yahoo just confirmed that it has been dealing with a vulnerability to its email service that may be connected to a surge in breaches of email accounts that are being used to send spam and other annoying content,” wrote Arik Hesseldahl. “I just got a statement from a Yahoo spokeswoman saying that the vulnerability seen in a video has been fixed.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta

Yahoo! Pushing Java Version Released in 2008

February 5th, 2013

At a time when AppleMozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of JavaYahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old.

Yahoo! users who decide to build a Web site within the Internet firm’s hosting environment are steered toward using a free tool called SiteBuilder, which is designed to make building simple Web sites a point-and-click exercise. Yahoo! has offered SiteBuilder to its millions of users for years, but unfortunately the tool introduces a myriad of security vulnerabilities on host PCs.

SiteBuilder requires Java, but the version of Java that Yahoo!  bundles with it is Java 6 Update 7. It’s not clear if this is just a gross oversight or if their tool really doesn’t work with more recent versions of Java. The company has yet to respond to requests for comment.

But this version of Java was first introduced in the summer of 2008 and is woefully insecure and out-of-date. Oracle just released Java 6, Update 39, meaning that SiteBuilder installs a version of Java that includes hundreds of known, critical security vulnerabilities that can be used to remotely compromise host PCs.

There are two reasons why this is a big deal: Java is the biggest source of malware infections across an entire industry of exploit packs — crimeware toolkits that are stitched into hacked and malicious Web sites and designed to exploit known browser flaws. Also, Yahoo! is a major Internet company that ought to know better. Sadly, this Yahoo! offering is aimed at small businesses, who are least likely to understand the importance of updating apps like Java and who are most frequently the targets of extremely costly cyberheists.

One final note about SiteBuilder: Building your site with this tool may not only be hazardous to the security of your PC, it may also make it harder for your site to get the recognition it deserves. A bit of searching on this tool turned up some less than flattering results suggestingthat sites built with SiteBuilder do not support an important type of Web site search optimization called “canonicalization.” I’ll leave it to Matt Cutts, a search guru and head of the anti-spam team at Google, to explain why this is such a fundamental pillar of search engine optimization (SEO).

Update, Feb. 13, 4:47 p.m. ET: Yahoo! finally got back to me, issuing the following spin-tastic statement: ““Yahoo! Web Hosting websites can be built and maintained using a variety of tools that give businesses the flexibility to develop sites according to their needs and technical comfort. We will continue to work on delivering the best experiences for our customers.” When asked what readers should take from the above statement, a spokesperson for the company said Yahoo! had tweaked SiteBuilder so that it is now bundled with Java 6 Update 39, and that it will be updated to Java 7 by the end of the month. Hopefully, it won’t be Java 7 Update 1.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Enhanced by Zemanta