Security News

Cybercriminals Finding Ways to Bypass '3D Secure' Fraud Prevention System
2021-03-04 15:17

Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure, which is designed to improve the security of online credit and debit card transactions. Gemini's security researchers say that vulnerabilities in earlier versions of 3DS could have been exploited to bypass security.

Hackers share methods to bypass 3D Secure  for payment cards
2021-03-03 20:01

Cybercriminals are constantly exploring and documenting new ways to go around the 3D Secure protocol used for authorizing online card transactions. 3DS adds a layer of security for online purchases using credit or debit cards.

Firewall Vendor Patches Critical Auth Bypass Flaw
2021-03-01 15:59

Germany-based cybersecurity company Genua has fast-tracked a fix for a critical flaw in one of its firewall products. Affected by the critical flaws is the GenuGate High Resistance Firewall, which Genua touts as a two-tier firewall that includes an application-level gateway and a packet filter for blocking malicious data.

ALERT: Malicious Amazon Alexa Skills Can Easily Bypass Vetting Process
2021-02-27 08:19

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "Skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.

Amazon Dismisses Claims Alexa ‘Skills’ Can Bypass Security Vetting Process
2021-02-26 21:53

An Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior. Finally, before the skills can be actively made public to Alexa users, developers must submit their skills to be vetted and verified by Amazon.

Google looks at bypass in Chromium's ASLR security defense, throws hands up, won't patch garbage issue
2021-02-26 11:58

In early November, a developer contributing to Google's open-source Chromium project reported a problem with Oilpan, the garbage collector for the browser's Blink rendering engine: it can be used to break a memory defense known as address space layout randomization. About two weeks later, Google software security engineer Chris Palmer marked the bug "WontFix" because Google has resigned itself to the fact that ASLR can't be saved - Spectre and Spectre-like processor-level flaws can defeat it anyway, whether or not Oilpan can be exploited.

Cisco Warns of Critical Auth-Bypass Security Flaw
2021-02-25 14:45

A critical vulnerability in Cisco Systems' intersite policy manager software could allow a remote attacker to bypass authentication. The flaw stems from improper token validation on an API endpoint in Cisco's ACI MSO. "A successful exploit could allow the attacker to receive a token with administrator-level privileges that could be used to authenticate to the API on affected MSO and managed Cisco Application Policy Infrastructure Controller devices," said Cisco on Wednesday.

Cisco fixes maximum severity MSO auth bypass vulnerability
2021-02-24 21:03

Cisco has addressed a maximum severity authentication bypass vulnerability found in the API endpoint of the Cisco ACI Multi-Site Orchestrator installed on the Application Services Engine. "A vulnerability in an API endpoint of Cisco ACI Multi-Site Orchestrator installed on the Application Services Engine could allow an unauthenticated, remote attacker to bypass authentication on an affected device," Cisco explained.

CNAME-based tracking increasingly used to bypass browsers’ anti-tracking defenses
2021-02-24 14:16

As browser-makers move to defang third-party cookies, marketers are increasingly switching to alternative tracking techniques. In 2019, Firefox was equipped with Enhanced Tracking Protection by default, blocking known trackers, third-party tracking cookies and cryptomining scripts.

New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card
2021-02-20 08:01

Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card. The research, published by a group of academics from ETH Zurich, builds on a study detailed last September that delved into a PIN bypass attack, permitting bad actors to leverage a victim's stolen or lost Visa EMV-enabled credit card for making high-value purchases without knowledge of the card's PIN, and even fool the terminal into accepting unauthentic offline card transactions.