Security Alerts & News
by Tymoteusz A. Góral

History
#478 After Verizon breach, 1.5 million customer records put up for sale
According to KrebsOnSecurity, "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise." The entire database was priced at $100,000, or $10,000 for each set of 100,000 customer records. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon’s Web site," security journalist Brian Krebs reported.
#477 850 million Android devices still at risk of hijack by Stagefright bug
The vulnerability is capable of attacking any Android device running Android 2.2 or higher and allows attackers to hijack a device without the user even being aware. It does so just by taking advantage of Android's built-in media library, which can be triggered to run malicious code capable of giving the hacker access to all the user's files.
#476 Emergency Java patch re-issued for 2013 vulnerability
Oracle yesterday released an emergency patch for a Java vulnerability that was improperly patched in 2013. Researchers at Security Explorations in Poland two weeks ago disclosed that a Java patch for an issue the company reported in 2013, CVE-2013-5838, was still trivially exploitable, and it enabled attackers to remotely execute code and bypass the Java sandbox.
#475 Certified Ethical Hacker website caught spreading crypto ransomware
EC-Council, the Albuquerque, New Mexico-based professional organization that administers the Certified Ethical Hacker program, started spreading the scourge on Monday. Shortly afterward, researchers from security firm Fox IT notified EC-Council officials that one of their subdomains—which just happens to provide online training for computer security students—had come under the spell of Angler, a toolkit sold online that provides powerful Web drive-by exploits. On Thursday, after receiving no reply and still detecting that the site was infected, Fox IT published this blog post, apparently under the reasonable belief that when attempts to privately inform the company fail, it's reasonable to go public.
#474 Google releases new tool to scan Android apps for accessibility issues
For anyone designing Android apps, Google just released a tool that will help make your apps more accessible for all users. The company's new Accessibility Scanner looks at any Android app and will call out aspects of it that could be improved, particularly for differently abled users. The app will even suggest ways you can alter things for the better.
#473 Iranians indicted over DDoS campaign on banks
The U.S. government on Thursday indicted seven hackers affiliated with the Iranian government for attacks it called “a frightening new frontier in cybercrime.” Accusing the men of carrying out a series of distributed denial of service (DDoS) attacks against 46 financial companies, the Department of Justice announced the charges in a press conference Thursday morning in Washington, D.C.,
#472 Patched Apple bug paved way to root compromises
Researchers at Cisco on Wednesday disclosed details on a flaw in an OS X graphics kernel driver that begs to be chained with any number of other exploits to gain kernel level access on a Mac computer.
Craig Williams, security outreach manager for Cisco Talos, said this is the type of flaw that could be exploited at scale and lead to a wide range of compromises.
#471 PNG Embedded – Malicious payload hidden in a PNG file
Brazilian attacks are evolving day-by-day, becoming more complex and efficient. It is therefore necessary to be wary of emails from unknown sources, especially those containing links and attached files.

Since the malicious payload hosted in the PNG file cannot be executed without its launcher, it cannot be used as the main infector; that is usually delivered to your mailbox, so it has to be installed by a different module.

This technique allows the criminals to successfully hide the binary inside a file that appears to be a PNG image. It also makes the analysis process harder for antivirus companies as well as bypassing the automated process to detect malicious files on hosting servers.
#470 Malware is being signed with multiple digital certificates to evade detection
Symantec has recently observed various malware families seen in the wild signed with multiple digital certificates. As seen with Suckfly, valid, legitimate certificates can be stolen from an organization, often without their knowledge, and then used to sign malware to evade detection. In this case, attackers have used multiple digital certificates together to increase the chance that the targeted computer considers their malware safe. The attacker's ultimate goal is that their attack goes completely undetected.
#469 Operation C-Major: Information theft campaign targets military personnel in India (PDF report)
The Trend Micro Forward-Looking Threat Research team recently uncovered an information theft campaign in India that has stolen passport scans, photo IDs, and tax information of high-ranking Indian military officers, non-Indian military attachés based in the said country, among others. We came across this operation while monitoring other targeted attack campaigns and what caught our interest, apart from its highly targeted nature, is the lack of sophistication in the tools and tactics it used.
#468 11 enterprise security solutions tested under Windows 10
Many IT departments having Windows 8 PCs not belonging to their fleet of enterprise versions are quickly jumping on the bandwagon of upgrading to Version 10 free of charge. But which security solution works best with Windows 10 clients? AV-TEST tested 11 current versions.
#467 99 problems but two-factor ain’t one
Two-factor authentication is a best practice for securing remote access, but it is also a Holy Grail for a motivated red team. Hiding under the guise of a legitimate user authenticated through multiple credentials is one of the best ways to remain undetected in an environment. Many companies regard their two-factor solutions as infallible and do not take precautions to protect against attackers’ attempts to bypass or backdoor them.
#466 Vulnerability in 70 CCTV DVRs traced back to Chinese firm who ignores researcher
RSA security researcher Rotem Kerner has identified a common vulnerability in the firmware of 70 different CCTV DVR vendors, which allows crooks to execute code and even gain root privileges on the affected devices.
#465 Apple worries that spy technology has been secretly added to the computer servers it buys
Apple's huge success with services like iTunes, the App Store, and iCloud has a dark side. Apple hasn't been able to build all the data centers it needs to run these enormous photo storage and internet services on its own. And it worries that some of the equipment and cloud services it buys have been compromised by vendors who have agreed to put "back door" technology for government spying, according to a report from The Information's Amir Efrati and Steve Nellis.
#464 Google opens access to its speech recognition API, going head to head with Nuance
Google is planning to compete with Nuance and other voice recognition companies head on by opening up its speech recognition API to third-party developers. To attract developers, the app will be free at launch with pricing to be introduced at a later date.