More than 50 million users of the Steam gaming and distribution platform are at risk of remote exploitation because of vulnerabilities in the platform’s URL protocol handler, researchers at ReVuln wrote in a recently released paper.
According to ThreatPost, Luigi Auriemma and Donato Ferrante discovered a number of memory corruption issues, including buffer and heap overflows, that an attacker could trigger through the way the Steam client handles requests handed to it by the browser. Steam runs on Windows, Linux and Mac OS X.
The steam:// URL protocol is used to connect to game servers, install and uninstall games, back up files, run games and interact with the news, profile and download pages offered by Valve, the company that operates the platform. Attackers, Auriemma and Ferrante said, can abuse specific Steam commands via steam:// URLs to pass malicious parameters to the client and run code of their choosing on victim machines.
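The check a practitioner would want on the handler side is a strict allowlist on what a web page can hand to the client. The following is an added illustration, not code from ReVuln or Valve: the steam:// command names ("connect", "run") and their argument shapes are assumptions made for illustration, the page does not list the real command set, and the URLs fed to it are constructed.

```python
"""Added example, not code from ReVuln or Valve: validating what a browser can
pass to a locally registered URL protocol handler.

The steam:// command names ("connect", "run") and their argument shapes are
assumptions made for illustration; the page does not list the real commands.
"""
import re
from urllib.parse import urlparse, unquote

# Hard cap on any URL the handler will examine.  A fixed upper bound is a cheap
# first defence when downstream code copies arguments into fixed-size buffers,
# the class of bug (buffer and heap overflows) the ReVuln paper describes.
MAX_URL_LEN = 256

# Allowlist of command -> pattern the decoded argument must match in full.
# Hypothetical command set and argument shapes.
ALLOWED_COMMANDS = {
    "connect": re.compile(r"[A-Za-z0-9.-]{1,253}(:[0-9]{1,5})?"),  # host[:port]
    "run": re.compile(r"[0-9]{1,9}"),                              # numeric app id
}


class RejectedURL(ValueError):
    """Raised for anything the handler refuses to act on."""


def naive_command_line(url: str) -> str:
    """The unsafe pattern: splice the browser-supplied path straight into a
    command line.  Whatever the web page put after the command name reaches
    the client unchecked, including extra flags and oversized data."""
    parsed = urlparse(url)
    return f"steam.exe -{parsed.netloc} {unquote(parsed.path.lstrip('/'))}"


def parse_handler_url(url: str) -> tuple[str, str]:
    """Return (command, argument) for an acceptable steam:// URL.

    Rejects oversized URLs, other schemes, unknown commands, any query or
    fragment, and any argument that does not match its allowlisted shape
    after percent-decoding (so encoded spaces, quotes and newlines cannot
    smuggle extra arguments past the check).
    """
    if len(url) > MAX_URL_LEN:
        raise RejectedURL("URL too long")
    parsed = urlparse(url)
    if parsed.scheme != "steam":
        raise RejectedURL("unexpected scheme")
    if parsed.query or parsed.fragment:
        raise RejectedURL("query/fragment not allowed")
    # For steam://connect/host:port, urlparse yields netloc="connect", path="/host:port"
    command = parsed.netloc
    pattern = ALLOWED_COMMANDS.get(command)
    if pattern is None:
        raise RejectedURL(f"command not allowlisted: {command!r}")
    arg = unquote(parsed.path.lstrip("/"))
    if not pattern.fullmatch(arg):
        raise RejectedURL(f"argument does not match allowed shape for {command!r}")
    return command, arg


def build_argv(url: str) -> list[str]:
    """Hardened path: validated command and argument, passed to the client as
    an argv list (no shell, no string splicing)."""
    command, arg = parse_handler_url(url)
    return ["steam.exe", f"-{command}", arg]


def is_accepted(url: str) -> bool:
    """True if the hardened handler would act on the URL."""
    try:
        parse_handler_url(url)
        return True
    except RejectedURL:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign link and one that smuggles an extra flag.
    for u in ("steam://run/12345", "steam://run/12345%20--extra-flag"):
        print(u, "->", naive_command_line(u), "| accepted:", is_accepted(u))
```

The naive function shows why the handler, not the browser, has to be the control point: the browser delivers the string verbatim, and only the handler knows what a well-formed argument looks like. The length cap and the full-match regex are the two checks that matter most against the overflow class the paper describes.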
The Hongkong and Shanghai Banking Corporation, also known as HSBC, was the next victim of a distributed denial-of-service (DDoS) attack, which made it impossible for customers to use its Internet banking services.
According to a statement posted on its website:
On 18 October 2012 HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world.
This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking.
We are taking appropriate action, working hard to restore service. We are pleased to say that some sites are now back up and running.
We are cooperating with the relevant authorities and will cooperate with other organisations that have been similarly affected by such criminal acts.
We apologise for any inconvenience caused to our customers throughout the world.
The update on its website stated, “HSBC restored all of its websites globally to full accessibility as of 11:00 PM EST time last night.”
In a DDoS attack, criminals use a large number of computers under their control to flood a single Internet server or group of servers with traffic in an attempt to overload them. The server then shuts down, or stops serving legitimate requests, until the flood subsides.
This is only the latest in a series of recent DDoS attacks on corporations and government entities.
Oracle has issued a critical advisory covering 30 vulnerabilities in Java. Most of the flaws affect the Java Runtime Environment; a couple of them affect JavaFX.
Here is our update table:
- JRE 7 Update 7 and earlier: affected; update to Java 7 Update 9 now
- JRE 6 Update 35 and earlier: affected; update to Java 6 Update 37 now
- JRE 5 Update 36 and earlier: affected; no patch available!
As always, you can get the latest Java updates from the following methods:
- WINDOWS = Access Start > Control Panel > Java. Click the Update Tab and select Update Now. (You can also enable automatic updates through this method)
- Any platform: http://www.java.com – click the Free Java Download. It should auto-detect your system.
NOTE: If you use the offline installer found on java.com, be aware that it bundles either the Ask Toolbar or McAfee Security Scan Plus. Installing either one is not recommended, but that choice is up to you.
Facebook has announced the expansion of its alliance with antivirus companies in hopes of better securing its users and promoting good privacy. Here is a quick summary of the details:
Today, we are excited to announce the expansion of our AV Marketplace to include 7 new partners to our growing coalition of security companies. Starting now, Facebook users will be able to download software from – avast!, AVG, Avira, Kaspersky, Panda, Total Defense, and Webroot. Not only do we have new partners but also many of our existing partners – Microsoft, McAfee, Norton, TrendMicro, and Sophos – will begin offering anti-virus software for your mobile devices. You can visit the AV Marketplace now to download your free anti-virus software for PC, Mac and Mobile.
Our new anti-virus partners bring with them both the latest software and comprehensive intelligence. As with our existing partners, these seven companies will help protect Facebook’s community of over a billion users by improving our URL blacklist system. This system scans trillions of clicks per day, and before each click, the system consults the databases of all our AV Marketplace partners to make sure the website you are about to visit is safe. This means that whenever you click a link on our site you are protected both by Facebook and 12 of the industry leaders in computer security. We will be cooperating with these partners more in the future, and look forward to announcing new tools soon.
Read more now at the Facebook blog
LulzSec member Raynaldo Rivera, who was arrested at the end of August, appeared in court this past Thursday (Oct. 11) and pleaded guilty to charges of being involved in the hack of Sony Pictures, including stealing personal information, passwords and other personal data belonging to thousands of users.
Under the plea agreement, Rivera will pay restitution to his victims and faces a maximum penalty of five years in prison and a fine of up to $250,000.
This “simple SQL injection” reportedly cost Sony over $600,000, which is not chump change by any means.
Rivera used the HideMyAss proxy service, in violation of its terms of service, to probe Sony servers for vulnerabilities. HideMyAss cooperated with authorities, providing a record of the traffic the hacker sent through the service.
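For readers who have not seen why a “simple SQL injection” can expose a whole user table, here is an added example of the bug and its fix. It is not Sony's code and not anything from the case: the schema, the rows and the attacker inputs are constructed, and the attack is shown against an in-memory SQLite database.

```python
"""Added example, not Sony's or LulzSec's code: a string-spliced query beside
its parameterised replacement, run against constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not any real schema): a small users table.
    Passwords are stored in clear text here only to show what an injection
    can dump; a real system would store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        [
            ("alice", "hunter2", "alice@example.com"),
            ("bob", "s3cret", "bob@example.com"),
            ("carol", "letmein", "carol@example.com"),
        ],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The bug: the username is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """The fix: a bound parameter is sent as data and can never change the
    query's structure, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs.
TAUTOLOGY = "' OR '1'='1"                                        # every row matches
UNION_DUMP = "x' UNION SELECT username, password FROM users --"  # dumps credentials


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology :", vulnerable_lookup(db, TAUTOLOGY))
    print("vulnerable, union dump:", vulnerable_lookup(db, UNION_DUMP))
    print("safe, tautology       :", safe_lookup(db, TAUTOLOGY))
    print("safe, union dump      :", safe_lookup(db, UNION_DUMP))
```

The UNION input is the one that matters for a breach like this: it turns a lookup that should return one user's public fields into a query that returns every username and password in the table. The parameterised version returns nothing for both inputs because the database never sees the quotes as SQL.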
The town of Burlington, Washington fell victim to a recent attack by a band of unknown hackers, who stole $400,000 in the operation. Taxpayer data was most likely stolen as well.
Burlington officials have warned residents that their private data may have been stolen and that they could become targets for identity theft. Several of the town's billing systems were attacked, notably the online automatic utility billing system, which holds a large amount of resident data. Once inside these systems, the hackers were able to siphon $400,000 out of the city’s funds.
According to Computerworld, in an alert issued this morning, city administrator Bryan Harrison said all autopay customers should assume that their name, bank account number and routing number were compromised following an intrusion into a city utility billing system.
Authorities are still investigating this issue, and will provide updates soon.
- Police: Hackers Take $400,000 From Washington City Account (seattle.cbslocal.com)
- Hackers steal $487K from Washington town (kgw.com)