Security Alerts & News
by Tymoteusz A. Góral

#682 A dramatic rise in ATM skimming attacks
Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.
Two network cable card skimming devices, as found attached to this ATM.

In a series of recent alerts, the FICO Card Alert Service warned of large and sudden spikes in ATM skimming attacks. On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

“The number of ATM compromises in 2015 was the highest ever recorded by the FICO Card Alert Service, which monitors hundreds of thousands of ATMs in the US,” the company said. “Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014.”
#681 Phony Google update spreads data-stealing Android malware
Android users are being warned of a phony Google update that is pushing malware onto devices.

The attackers behind this scheme are domain squatting URLs that are similar to ones used by Google for legitimate updates, hoping to snare less-than-vigilant users.

Researchers at Zscaler said yesterday in a report that the attackers invested heavily in this tactic to sidestep URL monitoring and security software in place on the device.

“These URLs are observed to be very short lived,” Zscaler said. “And are regularly replaced with newer ones to serve the malware and effectively evade URL based filtering.”
#680 U.S. labels Switzerland an internet piracy haven
The Office of the United States Trade Representative has published its annual Special 301 Report calling out other nations for failing to live up to U.S. IP enforcement standards. This year European ally Switzerland has been placed on the Watch List for protecting file-sharers and playing host to many pirate sites.

Every year the Office of the United States Trade Representative (USTR) publishes its Special 301 Report highlighting countries that aren’t doing enough to protect U.S. intellectual property rights.
#679 Google patches 9 security flaws in new Chrome browser build
Google updated its browser Thursday patching nine security bugs, labeling four as “high” and two as a “medium” risk to computer users. The update was tied to a new Chrome browser build (50.0.2661.94) that fixes the flaws.

Google also paid out $14,000 in bug bounties for the flaws addressed in this security update, according to a Google Chrome Team security bulletin.
#678 GCHQ has disclosed over 20 vulnerabilities this year, including ones in Apple iOS
Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signal intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS.

“So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products,” a GCHQ spokesperson told Motherboard in an email. CESG, or the National Technical Authority for Information Assurance, is the information security wing of GCHQ.

Those issues include a kernel vulnerability in OS X El Capitan v10.11.4, the latest version, that would allow arbitrary code execution, and two in iOS 9.3, one of which would have done largely the same thing, while the other could have let an application launch a denial of service attack.
#677 The critical hole at the heart of our cell phone networks
In February 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

The conversation occurred over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it occurred using vulnerabilities in a mobile data network known as SS7, which is part of the backbone infrastructure that telecoms around the world use to communicate between themselves about how to route calls and text messages.

A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.
#676 AV comparatives: Anti-Spam Test (PDF)
In 2015, we tested the products (with default settings) internally over a 6-month period, using spam mails provided by Abusix. Vendors received examples of issues, to check that our testing methods work, and to provide feedback. Several products had very low scores in the internal test run, and several bugs in the spam-filters and products were discovered and had to be fixed by the vendors. In some cases, poorly-performing third-party spam-filters were fixed or even replaced. In March 2016, we ran this public test.

With any detection test (including spam detection), it is important to test for false alarms. In this case, it should be considered that some programs automatically increase their sensitivity when spam mails make up a large percentage of total mails received. We conducted a short-term false alarm test for this report, by running each product for one week on a customer machine and inspecting afterwards if there were legitimate mails classified wrongly as spam (there were none for any of the products tested). A large-scale test with genuine emails would be impossible without breaching privacy; although this was not as statistically significant as we would like, we feel this was sufficient to demonstrate that none of the tested programs was prone to FPs.
#675 Locky ransomware spreads via Flash and Windows kernel exploits
In early April of this year a zero-day exploit (designated as CVE-2016-1019) was found in Adobe Flash Player. This particular flaw was soon used by the Magnitude Exploit Kit, which led to an Adobe out-of-cycle patch. This flaw was being used to lead to drive-by download attacks with Locky ransomware as the payload.

However, this did not end the threat for users. We recently saw a new variant of this attack that added an unusual twist. On top of the Flash exploit, an old escalation of privileges exploit in Windows (CVE-2015-1701) was used to bypass sandbox technologies.
#674 Almost two-thirds of software companies contributing to open source
Open source’s march toward preeminence in business software continued over the past year, according to a survey released today by open source management provider Black Duck Software and venture capital firm North Bridge.

Roughly two-thirds of respondents to the survey – which was administered online and drew 1,300 respondents – said that their companies encouraged developers to contribute to open-source projects, and a similar proportion said that they were actively engaged in doing so already. That’s a 5% increase from the previous year’s survey.
#673 Hacking Slack accounts: As easy as searching GitHub
A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

According to a blog post published Thursday, company researchers recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.
#672 Toymaker’s website pushes ransomware that holds visitors’ files hostage
The website belonging to Maisto International, a popular maker of remote-controlled toy vehicles, has been caught pushing ransomware that holds visitors' files hostage until they pay a hefty fee.

Malicious files provided by the Angler exploit kit were hosted directly on the homepage of Maisto[.]com, according to antivirus provider Malwarebytes. The attack code exploits vulnerabilities in older versions of applications such as Adobe Flash, Oracle Java, Silverlight, and Internet Explorer. People who visit Maisto[.]com with machines that haven't received the latest updates are surreptitiously infected with the CryptXXX ransomware. Fortunately for victims in this case, researchers from Kaspersky Lab recently uncovered a weakness in the app that allows users to recover their files without paying the extortion demand. People infected with ransomware in other drive-by attacks haven't been so lucky.
#671 Google's OnHub is the first WiFi router to support IFTTT
Google's "smart" OnHub wireless router now supports IFTTT, the web service that automates actions between apps. IFTTT can be triggered when devices connect and disconnect from OnHub — and, in the spirit of IFTTT, what you do based on that information is up to you. OnHub's smart features let users manage and prioritize Wi-Fi to connected devices through an app, and they can now connect to the 300-plus programs and apps supported by IFTTT. OnHub makes a few suggestions in a blog post, which gives a good idea of the sorts of things this new feature will allow.