Security Alerts & News
by Tymoteusz A. Góral

#730 Opera launches 'free and unlimited' VPN app for iOS
Opera is on a bit of a privacy tear at the moment. Last month, the company integrated a free and unlimited VPN (virtual private network) into the developer version of its web browser, and last week, it added built-in ad blocking to its desktop and mobile software. Now, Opera has launched a new VPN app for iOS, and, again, it's free to use with unlimited data.

Like Opera's previous VPN integrations, the app uses the US-based SurfEasy VPN service acquired by Opera last March. SurfEasy offers its own standalone apps for Android and iOS, as well as desktop software, but charges a subscription fee after a trial period. Other third-party VPN apps have a similar set-up, or insert ads to pay for their server time. Opera, by comparison, is promising that its mobile VPN is free for life, with no subscription needed. The company said it had no plans to serve users ads "for now."
#729 GoDaddy addresses blind XSS vulnerability affecting online support
Domain registrar GoDaddy fixed a vulnerability affecting systems used by its customer support agents that could have been abused to take over, modify or delete accounts.

Researcher Matthew Bryant said that a variant of cross-site scripting known as blind XSS was to blame. Bryant, himself a GoDaddy customer, wrote on his blog on Sunday that Name fields on a particular GoDaddy page accepted and stored a cross-site scripting payload. He left a generic payload behind, akin to leaving a mine that isn’t triggered until someone steps on it.

As it turns out, no one stepped on the mine until Bryant needed to make a legitimate support call to GoDaddy. The rep on the phone could not access his account, and at the same time Bryant was getting email alerts that his almost-forgotten payloads had fired.
#728 Police allege SWIFT technicians left Bangladesh bank vulnerable
Bangladeshi police this week alleged that technicians associated with the financial network SWIFT introduced vulnerabilities that made it easier for hackers to infiltrate the systems of Bangladesh Bank and carry out a massive heist.

Earlier this year hackers used stolen credentials to inject malware into the bank’s connection to the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network and made off with $81 million.

According to a report from Reuters on Monday, officials with the country’s law enforcement agency are blaming technicians with the network for introducing weaknesses into the network when it was first connected to Bangladesh’s first real-time gross settlement (RTGS) system last year.
#727 Researcher arrested after reporting pwnage hole in elections site
Vanguard Cybersecurity man David Levin was arrested after disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections web site.

The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into the Lee County state elections website on 19 December.

Levin (@realdavidlevin) faced three third-degree felony counts of property crime.

Levin was released under a US$15,000 bond.
#726 Bucbi ransomware gets a big makeover
Two-year-old Bucbi ransomware is making a comeback, with new targeted attacks and a new brute force technique.

Researchers at Palo Alto Networks said they recently spotted the ransomware infecting a Windows Server and demanding a ransom of 5 bitcoins (about $2,320). Researchers report the ransomware is no longer seeking victims at random, as it did two years ago, but is instead being used in targeted attacks.

“In the past this ransomware has found victims indiscriminately via large campaigns employing email attachments and malicious websites,” said Ryan Olson, researcher at Palo Alto in an interview with Threatpost. “Attackers have shifted to using brute-force password attacks.”
#725 How was this Windows Store app able to download adware to a Windows 10 PC?
One of the biggest selling points of the Windows Store is its promise of safety. Apps have to be approved to make it into the store, and the sandbox in which apps run should prevent them from causing any damage or installing malware or unwanted software.

That doesn't mean developers can't try shady tricks. But their options are extremely limited, which is why I was surprised to find an app in the Windows Store last week that actually succeeded in downloading adware to a Windows 10 PC.

An unsophisticated user might have been fooled into going one step further and running that software, resulting in the installation of an annoying piece of adware and potentially much worse.
#724 ImageMagick vulnerability allows for remote code execution, now patched
ImageMagick is a popular software suite that is used to display, convert, and edit images. On May 3, security researchers publicly disclosed multiple vulnerabilities in the open-source image processing tool in this suite, one of which could potentially allow remote attackers to take over websites.

This suite can read and write images in over 200 formats including PNG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Content management systems frequently use it to process any images before they are shown to the user.

The developers of ImageMagick have released updated versions of their software to fix these vulnerabilities. One vulnerability, CVE-2016-3714, allows for remote code execution on the server. This could be used to compromise Web servers and take over websites. Reports indicate that this vulnerability is already being exploited in the wild. Other reported vulnerabilities allow HTTP GET requests to be made from the server and files to be read, moved, or deleted. Proof-of-concept code for these vulnerabilities has been made available by the researchers.
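As an added defensive example (not from the original article or from the ImageMagick project), the widely published mitigation for these issues was to verify that an upload's magic bytes match an allowed raster format before the file is ever handed to ImageMagick, because the reported exploits relied on ImageMagick parsing content that did not match the claimed image type. The `check_upload` function, its allow-list and the sample bytes below are constructed for illustration.

```python
# Added example: verify magic bytes before an upload reaches ImageMagick.
# Rationale (CVE-2016-3714 mitigation): only accept files whose header we can
# positively identify as an allowed raster format, and refuse anything whose
# content disagrees with the declared extension.

# Allowed formats and the fixed byte prefix each file must start with.
# (Constructed allow-list; adjust to what the application really needs.)
MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif":  b"GIF8",           # covers GIF87a and GIF89a
}


def detect_format(data: bytes):
    """Return the allowed format whose signature matches `data`, else None."""
    for name, prefix in MAGIC.items():
        if data.startswith(prefix):
            return name
    return None


def check_upload(filename: str, data: bytes) -> tuple:
    """Decide whether `data` may be passed to ImageMagick.

    Returns (accepted, reason). The declared extension must be on the
    allow-list AND the content's signature must agree with it.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:
        return False, f"extension '{ext}' is not in the allow-list"
    detected = detect_format(data)
    if detected is None:
        return False, "content does not start with an allowed image signature"
    # jpg and jpeg share one signature, so compare prefixes, not names.
    if MAGIC[detected] != MAGIC[ext]:
        return False, f"content looks like {detected} but extension says {ext}"
    return True, "ok"


# Constructed sample inputs (not real files).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12
TEXT_SAMPLE = b"plain text pretending to be an image\n"

if __name__ == "__main__":
    for name, blob in [("photo.png", PNG_SAMPLE), ("photo.png", TEXT_SAMPLE),
                       ("photo.jpeg", JPEG_SAMPLE), ("notes.mvg", PNG_SAMPLE)]:
        print(name, check_upload(name, blob))
```

This check complements, rather than replaces, restricting the coders ImageMagick is allowed to use in its policy configuration and applying the vendor's updates; a file that passes it is still parsed by ImageMagick.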
#723 On the monetization of crypto-ransomware
Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen.

There’s a reason why crypto-ransomware is making the news almost daily – it’s unique compared to every other threat we’ve seen in the last few years in that it offers a tangible service to the victim – pay the ransom and you get your files back. And, as we’ve seen in an increasing number of high-profile cases, this is exactly what people are doing. There’s no need to remind you of a recent case where a hospital shelled out a considerable sum of Bitcoin to recover their infrastructure. It has been estimated that the crypto-ransomware industry makes as much as 100,000,000 EUR per year.

Crypto-ransomware continues to be a lucrative money-making vehicle for criminals, and it’s possible it will continue to displace alternative malware models such as banking trojans as time goes on. As with any business, focus must invariably shift to models that optimize and improve return on investment. We liken the business models of today’s ransomware campaigns to those of the early Internet era – still very simple in nature and largely unfocused. The bottom line is there’s still a great deal of room for creativity and innovation. The business models behind crypto-ransomware are slowly maturing, and recently we’ve started to notice some attempts at innovation.
#722 Lego-driven robot programmed to hack gesture-based security
Among the many clever post-password authentication schemes currently under development is multi-touch gesture analysis. The basic idea is to observe a user's movements on a touchscreen device for some period of time and to come up with a gestural profile unique to that individual. Then, based on this profile, the system can verify a user's identity continuously as they use the device.

The idea sounds fishy, yes. Couldn't some hacker just observe those same gestures and then mimic them to gain access to a system? The answer should be no because the gestures read by the system are interpreted in such a way as to compile biometric profiles of the user's hand/wrist/etc, resulting in a model that can be used to interpret/verify new/different gestures down the line.

While gestural ID systems are getting a lot of research play these days thanks to error rates trending toward the low single-digits, they also tend to take a rosy view of the security world in which hackers attempt to breach such defenses via crude impersonation, e.g. when one hacker-user attempts to mirror some target-user. This is called a zero-effort attack and it stands in contrast to an attack-by-forgery, in which an attempt is made to recreate (rather than mimic) the user-target.

A DARPA-funded report titled "Robotic Robbery on the Touch Screen" published recently in the journal ACM Transactions on Information and System Security looks at gestural authentication through the eyes of a more sophisticated hacker. It presents two Lego-driven robotic attacks on a touch-based authentication system—one is based on gestural statistics collected over time from a large population of users and the other is based on stealing gestural data directly from a user. Both were pretty effective.
#721 Qatar National Bank suffers massive breach
A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GB, apparently includes internal corporate files and sensitive financial data for QNB's customers.

Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers' accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.