Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by pwnedlist.com, a service designed to help companies track public password breaches that may create security problems for their users. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet’s largest collections of compromised credentials.
Pwnedlist is run by Scottsdale, Ariz.-based InfoArmor, and is marketed as a repository of usernames and passwords that have been publicly leaked online for any period of time at Pastebin, online chat channels and other free data dump sites.
The service until quite recently was free to all comers, but it makes money by allowing companies to get a live feed of usernames and passwords exposed in third-party breaches which might create security problems going forward for the subscriber organization and its employees.
Cybercriminal activities have always involved the abuse of legitimate online tools and services. Examples of these activities come in many forms and can be found everywhere: using vulnerabilities in software, websites, and web applications as attack vectors, hosting malicious components in cloud services, and leveraging clickbait posts and links on social networking sites to lure hapless users into falling for their schemes. No matter what technology or service rolls out in the future, there will always be room for abuse.
During the course of our research on cybercrime, we found that one particular group appears to share the same level of proficiency as cybercriminals in abusing legitimate services: terrorist groups who can be considered as cybercriminals in their own right, as their online activities also run afoul of the law. The two groups have different motives though, as cybercriminals are motivated by financial gain, while terrorists aim to spread propaganda instead of malware.
This research is about how cybercriminals and terrorists overlap in their abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily.
A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.
The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.
"The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post published Tuesday. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
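The risk described above comes from image-processing libraries accepting a file on the basis of its name rather than its bytes. A common defensive control is to verify the file's magic bytes before the upload ever reaches the library, and to reject anything that is not a genuine raster image in an expected format. The following is an added example written for this page; it is not Huber's code, nor part of ImageMagick or any of the sites mentioned, and the sample uploads inside it are constructed for illustration.

```python
"""Magic-byte validation for uploaded images (added illustrative example).

Assumptions: uploads arrive as (filename, bytes) pairs; only PNG, JPEG and GIF
are wanted. Anything else, including text-based formats that an image library
might otherwise happily parse, is rejected before any processing happens.
"""

# Well-known file signatures for the raster formats we are willing to accept.
_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Which filename extensions are acceptable for each detected format.
_ALLOWED_EXTENSIONS = {
    "png": {"png"},
    "jpeg": {"jpg", "jpeg"},
    "gif": {"gif"},
}


def detect_image_type(data: bytes):
    """Return 'png', 'jpeg' or 'gif' based on the leading bytes, else None."""
    for kind, prefixes in _SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def is_safe_upload(filename: str, data: bytes) -> bool:
    """Accept only when the bytes are a known raster format AND the
    extension agrees with that format. Mismatches are treated as hostile."""
    kind = detect_image_type(data)
    if kind is None:
        return False
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in _ALLOWED_EXTENSIONS[kind]


# Constructed sample uploads (not real files from any breach or exploit):
# a minimal PNG header, a JPEG header, and a plain-text file that merely
# carries a .png extension.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
SAMPLE_TEXT_RENAMED = b"this is not a raster image, just text\n"


def classify_samples() -> dict:
    """Run the check over the constructed samples; returns filename -> verdict."""
    uploads = [
        ("photo.png", SAMPLE_PNG),
        ("photo.jpg", SAMPLE_JPEG),
        ("photo.jpg", SAMPLE_PNG),            # extension lies about the format
        ("photo.png", SAMPLE_TEXT_RENAMED),   # not an image at all
    ]
    return {f"{name}#{i}": is_safe_upload(name, data)
            for i, (name, data) in enumerate(uploads)}


if __name__ == "__main__":
    for label, ok in classify_samples().items():
        print(f"{label}: {'accept' if ok else 'reject'}")
```

Rejecting on the magic bytes is a front-line check, not a complete fix: the file still has to be decoded by a library, so the library itself must be patched, and where ImageMagick is used its policy configuration (policy.xml) can additionally restrict which coders are enabled. The check above simply ensures that only files claiming to be, and actually starting like, a permitted raster format get that far.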
Google today flipped the switch on default HTTPS support for its free domain service provider Blogspot, upping the security ante for the millions of users of the popular platform.
Google had previously introduced HTTPS support for Blogspot domains as an option in September 2015. Starting Tuesday, Google said, the browser-to-website encryption technology would be automatically added to every Blogspot domain blog.
“Any time you add encryption to a transport layer it’s a good thing,” said Rick Doten, chief of cyber and information security at Arlington, Va.-based consultancy Crumpton Group. He said Google is just the most recent company to add encryption to its platform, following high-profile encryption moves by WhatsApp and Viber.