Security Alerts & News
by Tymoteusz A. Góral

#619 New system to identify people by their 'brainprints'
Scientists have developed a new system that can identify people using their brain waves or 'brainprint' with 100 per cent accuracy, an advance that may be useful in high-security applications.

Researchers at Binghamton University in the US recorded the brain activity of 50 people wearing an electroencephalogram (EEG) headset while they looked at a series of 500 images designed specifically to elicit unique responses from person to person, e.g. a slice of pizza, a boat, or the word "conundrum."

They found that participants' brains reacted differently to each image, enough that a computer system was able to identify each volunteer's 'brainprint' with 100 per cent accuracy.
#618 Android Security Report: 29 percent of active devices not up to patch levels
In its annual Android Security Report, published today, Google said that 71 percent of active Android devices are running on Android 4.4.4 and higher, the only versions supported by Google with security updates.

According to the Android developer dashboard, 33.4 percent of devices are on 4.4, or KitKat, with 40.4 percent running Lollipop or Marshmallow. That still leaves a sizeable number of Android devices running on an unsupported, out of date operating system.
#617 Chrome extensions will soon have to tell you what data they collect
Google is about to make it harder for Chrome extensions to collect your browsing data without letting you know about it, according to a new policy announced Friday.

Starting in mid-July, developers releasing Chrome extensions will have to comply with a new User Data Policy that governs how they collect, transmit and store private information. Extensions will have to encrypt personal and sensitive information, and developers will have to disclose their privacy policies to users.

Developers will also have to post a "prominent disclosure" when collecting sensitive data that isn't related to a prominent feature. That's important, because extensions have tremendous power to track users' browsing habits and then use that for nefarious purposes.
#616 Changing your password regularly is a terrible idea, and here's why
If users are forced to change passwords they will mostly choose something that is a slight variation on the original one, or one that they have used elsewhere, or a weaker one. These behaviours can be exploited, CESG said: attackers can often work out the new password, if they have the old one.

Regularly changed passwords are more likely to be written down (another vulnerability) or forgotten, which means lost productivity for users and a pain for the help desk that has to reset it.

"It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis," CESG said.
#615 MIT reveals AI platform which detects 85 percent of cyberattacks
On Monday, MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) said that while many "analyst-driven solutions" rely on rules created by human experts and therefore may miss attacks which do not match established patterns, a new artificial intelligence platform changes the rules of the game.

The platform, AI Squared (AI2), is able to detect 85 percent of attacks -- roughly three times better than current benchmarks -- and also reduces the number of false positives by a factor of five, according to MIT.
#614 US-CERT to Windows users: Dump Apple Quicktime
Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched.

US-CERT cited an April 14 blog post by Christopher Budd at Trend Micro, which runs a program called Zero Day Initiative (ZDI) that buys security vulnerabilities and helps researchers coordinate fixing the bugs with software vendors. Budd urged Windows users to junk Quicktime, citing two new, unpatched vulnerabilities that ZDI detailed which could be used to remotely compromise Windows computers.
#613 Rogue source code repos can compromise Mac security due to old Git version
Rachel Kroll has discovered that El Capitan comes bundled with an older version of Git that's exposing users to two possible attacks, due to the CVE-2016-2324 and CVE-2016-2315 vulnerabilities present in all Git versions 2.7.3 and prior. El Capitan comes bundled by default with Git 2.6.4.

The two vulnerabilities, both heap-based buffer overflows, allow attackers to execute malicious code on the machine. The only condition for an attack to take place is that a Mac user forks a Git repo that contains malicious code.

The attacker can use the malicious code hidden in the repo to launch an attack on the Mac, compromise the system, and take control of the user's device.
#612 Google Alerts, direct webmaster communication get bugs fixed quickly
“We observe that direct communication with webmasters increases the likelihood of cleanup by over 50 percent and reduces infection lengths by at least 62 percent,” researchers wrote in a report called “Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension.” “Absent this open channel for communication, we find browser interstitials—while intended to alert visitors to potentially harmful content—correlate with faster remediation.”
#611 How hackers eavesdropped on a US Congressman using only his phone number
A US congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real time as the California congressman traveled to various points in the southern part of the state. At one point, 60 Minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.