Hotel Wi-Fi security crumbles in wake of bored IT admin

What happens when a bored IT admin meets a hotel Wi-Fi network that does not want to cooperate?

Recent security breaches are so egregious and so truly detrimental to the bottom lines of some really well-known brands that they’re — ironically — becoming decreasingly effective cautionary tales about security. The spin machine is in full swing, and any time lawyers and PR get involved, takeaways for network administrators are lost.

Far better is to search out personal examples of network security misadventures we encounter during the course of our everyday lives. And this holiday season, while on the road visiting family for Christmas, I found something really juicy. It’s also unfortunately something all too common in our enterprise networks, especially when we’re standing up branch office infrastructure.

Read more at: TechTarget - Hotel Wi-Fi security crumbles in wake of bored IT admin by Patrick Hubbard

Microsoft working on fix for IE bug that exposes user credentials

Microsoft is working on a fix for a serious vulnerability in all the latest versions of Internet Explorer (IE) that could be exploited to reveal the login credentials of users.

A proof-of-concept (POC) attack uses a cross-site scripting (XSS) security exploit in which the attacker inserts malicious code into a link that appears to be from a trustworthy source.

When someone clicks on the link, the embedded code is submitted as part of the client’s web request and can execute on the victim’s computer, typically allowing the attacker to steal information.

The latest zero-day vulnerability reportedly works on IE11 for Windows 7 and 8.1, allowing attackers to steal login credentials and inject malicious content into users’ browsing sessions.

The POC exploit shows that attackers could use malicious web pages to bypass the same-origin policy that prevents one site from accessing or modifying browser cookies set by another site.

The flaw was disclosed on the Full Disclosure mailing list by David Leo, a researcher with security consultancy firm Deusen.

The POC exploit page contains a link that, when clicked, opens the dailymail.co.uk website in a new window, but after seven seconds the site’s content is replaced with “Hacked by Deusen”.

The rogue page is loaded from an external domain, but the browser’s address bar keeps showing http://www.dailymail.co.uk.

The POC attack could also be used to steal HTML-based data the news site stores in cookies on visitors’ computers.

That means attackers could use the exploit to steal authentication cookies many websites use to grant access to user accounts once a visitor has entered a username and password.

Read more at: Microsoft working on fix for IE bug that exposes user credentials by Warwick Ashford