Security Alerts & News
by Tymoteusz A. Góral

History
#1278 Hackers make the first-ever ransomware for smart thermostats
One day, your thermostat will get hacked by some cybercriminal hundreds of miles away who will lock it with malware and demand a ransom to get it back to normal, leaving you literally in the cold until you pay up a few hundred dollars.

This has been a scenario that security experts have touted as one of the theoretical dangers of the rise of the Internet of Things, internet-connected devices that are often insecure. On Saturday, what sounds like a Mr. Robot plot line came one step closer to being reality, when two white hat hackers showed off the first-ever ransomware that works against a “smart” device, in this case a thermostat.
#1277 Data breach at Oracle’s MICROS point-of-sale division
A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle’s MICROS point-of-sale credit card payment systems.

Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had “detected and addressed malicious code in certain legacy MICROS systems.” It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal.

MICROS is among the top three point-of-sale vendors globally. Oracle’s MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS’s systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.
#1276 If your company doesn't care about IT, here are four ways to change their mind
Lisa Heneghan, global head of KPMG's CIO advisory practice, spends a large amount of time talking with non-IT board members and says executives recognise the power of technology. "They don't necessarily understand IT but they are keen to learn. That desire presents a great opportunity for CIOs," she says.

Research from KPMG and Harvey Nash suggests the board is looking for IT leaders who can use systems and services to boost business profitability. Almost two-thirds (63 percent) of CIOs indicate projects that make money are a priority, compared to 37 percent who report the CEO is more interested in IT as a cost-saving tool.

CIOs who have been asked to keep costs down might find it unusual to take an upbeat approach to technology spending. However, Heneghan says an open mindset is likely to be rewarded. "The majority of IT leaders have traditionally adopted a defensive stance. CIOs must take an alternative approach," she says.

"They need to appreciate the context of fellow board members and actively debate how IT can help. In IT, we all talk about the importance of adopting an agile culture -- and that's a mentality you also need in the boardroom. As a modern CIO, you must be open to other viewpoints."
#1275 SQL injection – hands in action session
If your website or web application is vulnerable to SQL injection, then attackers can play with your database. So be careful with your code.

Today, let us think like attackers and see what happens in an SQL injection. OK, no more boring text; let us jump into the practical part.
#1274 Fake boarding pass app gets hacker into fancy airline lounges
As the head of Poland’s Computer Emergency Response Team, Przemek Jaroszewski flies 50 to 80 times a year, and so has become something of a connoisseur of airlines’ premium status lounges. (He’s a particular fan of the Turkish Airlines lounge in Istanbul, complete with a cinema, putting green, Turkish bakery and free massages.) So when his gold status was mistakenly rejected last year by an automated boarding pass reader at a lounge in his home airport in Warsaw, he applied his hacker skills to make sure he’d never be locked out of an airline lounge again.

The result, which Jaroszewski plans to present Sunday at the Defcon security conference in Las Vegas, is a simple program that he’s now used dozens of times to enter airline lounges all over Europe. It’s an Android app that generates fake QR codes to spoof a boarding pass on his phone’s screen for any name, flight number, destination and class. And based on his experiments with the spoofed QR codes, almost none of the airline lounges he’s tested actually check those details against the airline’s ticketing database—only that the flight number included in the QR code exists. And that security flaw, he says, allows him or anyone else capable of generating a simple QR code to both access exclusive airport lounges and buy things at duty free shops that require proof of international travel, all without even buying a ticket.
#1273 'Quadrooter' security flaws said to affect over 900 million Android devices
An attacker would have to trick a user into installing a malicious app, which wouldn't require any special permissions.

If successfully exploited, an attacker can gain root access, which gives the attacker full access to an affected Android device, its data, and its hardware -- including its camera and microphone.
#1272 Risk from Linux kernel hidden in Windows 10 exposed at Black Hat
A researcher exposes design and control flaws in Windows 10 versions that have the capability to run Linux.

LAS VEGAS—Embedded within some versions of the latest Windows 10 update is a capability to run Linux. Unfortunately, that capability has flaws, which Alex Ionescu, chief architect at Crowdstrike, detailed in a session at the Black Hat USA security conference here and referred to as the Linux kernel hidden in Windows 10.

In an interview with eWEEK, Ionescu provided additional detail on the issues he found and has already reported to Microsoft. The embedded Linux inside Windows was first announced by Microsoft in March at the Build conference and brings some Ubuntu Linux capabilities to Microsoft's users.