Security Alerts & News
by Tymoteusz A. Góral

#691 Samsung Smart Home flaws let hackers make keys to front door
Computer scientists have discovered vulnerabilities in Samsung's Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung's SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren't easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper scheduled to be presented later this month at the 2016 IEEE Symposium on Security and Privacy. "The attack vectors are not specific to a particular device and are broadly applicable."
#690 Chrome overtakes Internet Explorer for most popular desktop browser
At the end of every month, using public data sources, we can take a look at trends in the desktop and browser markets and the day has finally arrived where Chrome is now a more popular browser than Internet Explorer.

According to Net Marketshare's data from 40,000 websites for the month of April, Chrome has 41.66% of the browser market share while Internet Explorer has 41.35%, which is a small margin of victory for Google and its Chrome browser. Because this is such a small margin, I originally titled this post “Google Ties Microsoft For Most Popular Browser”, as it is sampling and the margin of error surely outweighs the point differential between these two browsers, but that’s not the entire picture once I dug a bit further into the data.
#689 Secret US spy court approved every surveillance request in 2015
The Foreign Intelligence Surveillance Court, the one that NSA whistleblower Edward Snowden revealed is allowing the government to obtain the metadata of every phone call to and from the United States, approved every surveillance request from US authorities in 2015.

Reuters news service, which reviewed a secret document outlining the figures, reported that the FISA Court granted every one of the 1,457 surveillance applications last year. The scope of the surveillance is unknown but vast. A single application is all it takes for the FISA Court to require the nation's telcos to scoop up and retain the telephone metadata on all phone calls. The court, based in the District of Columbia and whose members are appointed by the Supreme Court's chief justice, approved every one of the 1,379 applications for the year 2014 as well, according to the memo.
#688 Google patches more trouble in Mediaserver
Google has re-branded its monthly patch release, bringing a new name and new scope to the newly renamed Android Security Bulletin. While that may be new, the content is definitely familiar.

Once again, critical remote code execution Mediaserver vulnerabilities dominate this month’s patches. Mediaserver has been a front and center security issue since last summer’s Stagefright disclosures. The software serves up media content and interacts with the kernel, making it a tasty target for attacks. Researchers, meanwhile, have called it an “over-privileged” application since it’s granted system access on some devices.
#687 Breaking Steam client cryptography
Older versions of Steam allow an attacker who observes a client connecting to Steam to read sensitive information sent over the network. This allows the attacker to take over the account, bypass SteamGuard, and sometimes view plain-text passwords.

But how? Steam encrypts its entire network connection (at least the Steam-specific parts; there are some suspicious plaintext HTTP requests going around) with AES-256-CBC. And the AES key used (hereafter “session key”) is generated securely on the client, encrypted with RSA-1024 and a hardcoded public key, and sent to Steam; an eavesdropper can’t get at the session key.

RSA and AES aren’t broken, but Steam was.
#686 Verizon's 2016 Data Breach Investigations Report
For the ninth time, the 2016 Data Breach Investigations Report (DBIR) lifts the lid on what's really happening in cybersecurity. The 2016 dataset is bigger than ever, examining over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors including security service providers, law enforcement and government agencies, this year's report offers unparalleled insight into the cybersecurity threats you face.
#685 Eurocops get new cyber powers to hunt down terrorists, criminals
Europe’s police agency Europol has been given enhanced cyber powers to track down terrorists and other criminals.

The new governance rules were approved by the European Parliament’s civil liberties committee on Thursday by a massive majority. MEPs claimed that the new powers come with strong data protection safeguards and democratic oversight.

Last November, the draft rules were given the green light by the European Union's 28 member states. Now the panel's politicos have overwhelmingly thrown their weight behind the measures, by 40 votes to three, with two abstentions.

It means that Europol will be able to more easily set up specialised units to respond immediately to emerging threats, in particular cross-border crimes and terrorist threats.