Security Alerts & News
by Tymoteusz A. Góral

#665 7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat
As security breaches go, they don't get more vexing than this: 7 million compromised accounts that protected passwords using woefully weak unsalted MD5 hashes, and the outfit responsible still hadn't disclosed the hack three months after it came to light. And as if that wasn't enough, the service recommended the use of short passwords. That's what Motherboard reported Tuesday about Lifeboat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app.

The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past.

Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to discover them simply by posting the corresponding MD5 hash into Google. As if many users' approach to password selection weren't lackadaisical enough, Lifeboat's own Getting started guide recommended "short, but difficult to guess passwords" because "This is not online banking."
#664 Steam patches broken crypto in wake of replay, padding oracle attacks
The digital gaming platform Steam was quick to patch a cryptographic issue in its client recently that could have allowed an attacker to read sensitive information sent over its network, take over an account, or view plain-text passwords.

Valve, the Bellevue, Wash.-based video game developer that oversees the platform, rolled out new code on its servers late last year to address a handful of issues in its crypto brought to light by a researcher. The private disclosure included flaws he used to leverage a man-in-the-middle attack, a replay attack, and a padding oracle attack. The researcher strung together those flaws to determine that with enough tries he could glean user information from the service.
#663 Firefox 46 patches critical memory vulnerabilities
Mozilla yesterday updated Firefox and patched 10 vulnerabilities, one of which was rated critical.

Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enabled remote code execution without user interaction, while bugs rated high can be exploited to steal browser data or inject code into websites via the browser.
#662 Cisco: Tuto4PC utilities silently install 12M backdoors
Security experts are warning PC users of scareware computer utilities published by the French firm Tuto4PC that secretly bundle adware and spyware. Cisco’s Talos security research team said several of the company’s utilities, including OneSoftPerDay and System Healer, contain Trojans that exhibit “malicious intent and behavior.”

Talos estimates 12 million users have been enticed to download one of Tuto4PC’s software programs. Researchers say once PC users install one of its utilities, the software acts like malware and installs a Trojan called Wizz.
#661 RuMMS: The latest family of Android malware attacking users in Russia via SMS phishing
Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because all the URLs used in this campaign have the form of hxxp://yyyyyyyy[.] (where represents the hosting provider’s domain), we named this malware family RuMMS.

To lure the victims to download the malware, threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims. Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware. Figure 1 describes this infection process and the main behaviors of RuMMS.
#660 Hundreds of Spotify credentials appear online – users report accounts hacked
A list containing hundreds of Spotify account credentials – including emails, usernames, passwords, account type and other details – has popped up on the website Pastebin, in what appears to be a possible security breach. After reaching out to a random sampling of the victims via email, we’ve confirmed that these users’ Spotify accounts were compromised only days ago. However, Spotify says that it “has not been hacked” and its “user records are secure.”

It’s unclear, then, where these particular account details were acquired, given that they are specific to Spotify, rather than a set of generic credentials that just happen to work on Spotify.
#659 Hacking group “PLATINUM” used Windows’ own patching system against it
Microsoft's Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks. The focus is on the groups that are most selective about their targets and that work hardest to stay undetected. The company wrote today about one particular group that it has named PLATINUM.

The unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia being its biggest victim with just over half the attacks, and Indonesia in second place. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren't after credit cards and banking details—but rather broader economic espionage using stolen information.
#658 If you use Waze, hackers can stalk you
Millions of drivers use Waze, a Google-owned navigation app, to find the best, fastest route from point A to point B. And according to a new study, all of those people run the risk of having their movements tracked by hackers.

Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time. They proved it to me by tracking my own movements around San Francisco and Las Vegas over a three-day period.

“It’s such a massive privacy problem,” said Ben Zhao, professor of computer science at UC-Santa Barbara, who led the research team.