Security Alerts & News
by Tymoteusz A. Góral

History
#838 “Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering
Dozens of HTTPS-protected websites belonging to financial services giant Visa are vulnerable to attacks that allow hackers to inject malicious code and forged content into the browsers of visitors, an international team of researchers has found.

In all, 184 servers—some belonging to German stock exchange Deutsche Börse and Polish banking association Związek Banków Polskich—were also found to be vulnerable to a decade-old exploit technique cryptographers have dubbed the "forbidden attack." An additional 70,000 webservers were found to be at risk, although the work required to successfully carry out the attack might prove to be prohibitively difficult. The data came from an Internet-wide scan performed in January. Since then, Deutsche Börse has remedied the problem, but, as of Wednesday, both Visa and Związek Banków Polskich have allowed the vulnerability to remain and have yet to respond to any of the researchers' private disclosures.

The vulnerability stems from TLS implementations that reuse the same cryptographic nonce when encrypting records with AES-GCM. The specification is clear that a nonce (a "number used once") must never repeat under the same key. When one does, the forbidden attack becomes possible: from two records sealed with the same key and nonce, an attacker can recover the secret authentication key that GCM uses to compute its authentication tags, and from then on forge tags for records of their choosing, which is what allows malicious code and forged content to be injected into the page. The technique was first described by Antoine Joux in comments submitted to the National Institute of Standards and Technology while GCM was being standardized. It gets its name because nonce uniqueness is a ground rule of proper crypto: repeating one is the one thing a GCM implementation is forbidden to do.
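Worked example of the forbidden attack in its simplest form, added here as an illustration and not taken from the researchers' paper or the Ars Technica report. It models only the authentication part of GCM: a tag is GHASH_H(AAD, C) xor S, where in real GCM H is AES_K(0^128) and S is the encryption of the nonce-derived counter block, so a repeated nonce under the same key repeats both. The example stands random values in for H and S (an assumption that keeps it free of an AES dependency; the algebra is unchanged), takes two distinct single-block ciphertexts tagged under the same key and nonce, recovers H and S, and forges a valid tag for an attacker-chosen record. A known-answer check against Test Case 2 of the GCM specification confirms that the GHASH implementation matches the real thing.

```python
import hmac
import os

BLOCK = 16
# GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1 in SP 800-38D's bit
# order, where bit 0 of a block is its leftmost (most significant) bit.
R = 0xE1 << 120
ONE = 1 << 127  # the field element 1 in that bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) exactly as SP 800-38D Algorithm 1 does."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)  # x^(2^128 - 2) is x^-1 (Fermat)

def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)  # squaring is a bijection in GF(2^128); this undoes it

def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """GHASH_H(A, C): absorb zero-padded A and C, then their 64-bit bit lengths."""
    y = 0
    for data in (aad, ciphertext):
        for i in range(0, len(data), BLOCK):
            block = int.from_bytes(data[i:i + BLOCK].ljust(BLOCK, b"\0"), "big")
            y = gf_mul(y ^ block, h)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf_mul(y ^ lengths, h)


class GcmTagOracle:
    """Models only GCM's tag computation, T = GHASH_H(A, C) xor S. In real GCM,
    H = AES_K(0^128) and S = AES_K(J0) with J0 derived from the nonce, so a
    reused nonce under one key reuses the same H and S. Assumption: random H
    and S stand in for the AES outputs; the attack uses only this algebra."""

    def __init__(self) -> None:
        self.h = int.from_bytes(os.urandom(BLOCK), "big")
        self.s = int.from_bytes(os.urandom(BLOCK), "big")

    def tag(self, aad: bytes, ciphertext: bytes) -> bytes:
        return (ghash(self.h, aad, ciphertext) ^ self.s).to_bytes(BLOCK, "big")

    def verify(self, aad: bytes, ciphertext: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.tag(aad, ciphertext), tag)


def recover_h_and_s(c1: bytes, t1: bytes, c2: bytes, t2: bytes):
    """Forbidden attack, simplest case: two different single-block ciphertexts,
    no AAD, tagged under one key and nonce. T1 = C1*H^2 + L*H + S and
    T2 = C2*H^2 + L*H + S share L and S, so T1 xor T2 = (C1 xor C2) * H^2."""
    if len(c1) != BLOCK or len(c2) != BLOCK or c1 == c2:
        raise ValueError("need two different single-block ciphertexts")
    d = int.from_bytes(c1, "big") ^ int.from_bytes(c2, "big")
    td = int.from_bytes(t1, "big") ^ int.from_bytes(t2, "big")
    h = gf_sqrt(gf_mul(td, gf_inv(d)))  # H^2 = (T1 xor T2) / (C1 xor C2)
    s = int.from_bytes(t1, "big") ^ ghash(h, b"", c1)
    return h, s

def forge_tag(h: int, s: int, aad: bytes, ciphertext: bytes) -> bytes:
    """With H and S known, any AAD and ciphertext of any length can be tagged."""
    return (ghash(h, aad, ciphertext) ^ s).to_bytes(BLOCK, "big")

def demo() -> bool:
    """Two same-nonce records leak H and S; an attacker-chosen third record
    then passes verification. Returns True when the forgery is accepted."""
    oracle = GcmTagOracle()
    c1, c2 = os.urandom(BLOCK), os.urandom(BLOCK)  # constructed records
    t1, t2 = oracle.tag(b"", c1), oracle.tag(b"", c2)
    h, s = recover_h_and_s(c1, t1, c2, t2)
    aad, ct = b"record-header", b"<script>attacker()</script> injected!"  # any length works
    return (h, s) == (oracle.h, oracle.s) and oracle.verify(aad, ct, forge_tag(h, s, aad, ct))

def ghash_matches_gcm_test_vector() -> bool:
    """Known answer from the GCM spec's Test Case 2 (zero key, zero IV, one zero
    plaintext block): H, C and GHASH(H, {}, C) as published there."""
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    return ghash(h, b"", c) == 0xF38CBB1AD69223DCC3457AE5B6B0F885
```

With messages of differing lengths or more than one block, T1 xor T2 becomes a polynomial in H of higher degree, and the attacker has to find its roots in GF(2^128) and test each candidate; that is still practical, but it is more than the single division and square root the single-block case needs. Either way, once H and S are known every record sent under that nonce can be re-authenticated at will, which is why the fix is to never repeat the nonce rather than anything downstream.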
#837 Google's Chrome 51: Less battery drain from video, simpler site logins - plus 42 bug fixes
The Chrome 51 browser has security fixes for numerous bugs and also introduces a new feature to streamline the login process for regularly used sites.
#836 Symantec: Android threats evolve to handle Marshmallow’s new permission model
Mobile malware authors have updated their threats to handle Android’s latest permission-granting model, which was introduced in version 6.0 Marshmallow. The model was designed to let users grant permissions only when apps require them, rather than accepting them all on installation. However, dangerous threats such as Android.Bankosy and Android.Cepsohord have adapted to this method in an attempt to gain the permissions they need to carry out their malicious activities.

Android.Bankosy and Android.Cepsohord are capable of working with the new runtime permission model introduced in Android 6.0 Marshmallow.
#835 Amazon users targets of massive Locky spear-phishing campaign
Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year.

Fatih Orhan, director of technology at Comodo and the Comodo Threat Research Labs, said the attack occurred on May 17 and lasted about 12 hours and is estimated to have pushed out as many as 30 million spam messages purporting to be an update from Amazon on a shipping order. Orhan told Threatpost the spear phishing campaign is notable not just because of its size, but also because the attackers were able to manipulate email header data to trick sender policy framework (SPF) controls on email gateways.
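The campaign above is described as tricking SPF by manipulating header data. What SPF actually checks is the domain of the envelope sender (the SMTP MAIL FROM, surfaced to the recipient as Return-Path), not the From: header a user sees, so a message sent from a domain the attacker controls can pass SPF while its From: header claims to be Amazon. DMARC closes that gap by also requiring the domain SPF validated to align with the From: domain. The following check is added here as an illustration and is not taken from Comodo or Threatpost; it parses two constructed messages (the Received-SPF and Return-Path headers are made up) and reports whether SPF passed for an aligned domain. The organizational-domain logic is a two-label simplification that assumes no public-suffix list.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not captured mail). In the first, the receiving
# MTA's SPF check passed for the envelope sender's domain while the From:
# header the user sees claims amazon.com; in the second, a subdomain of the
# From: domain is the envelope sender, which relaxed alignment accepts.
SPOOFED = """\
Return-Path: <bounce@example-bulkmail.test>
Received-SPF: pass (mx.example.net: domain of bounce@example-bulkmail.test designates 203.0.113.9 as permitted sender)
From: "Amazon.com" <shipping-update@amazon.com>
To: victim@example.net
Subject: Your Amazon.com order has shipped

Please open the attached document for the shipping details.
"""

LEGITIMATE = """\
Return-Path: <bounce@mail.example.test>
Received-SPF: pass (mx.example.net: domain of bounce@mail.example.test designates 203.0.113.10 as permitted sender)
From: "Example Shop" <orders@example.test>
To: customer@example.net
Subject: Your order

Thanks for your order.
"""


def organizational_domain(domain: str) -> str:
    """Assumption: two-label organizational domains (no public-suffix list)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def address_domain(header_value: str) -> str:
    """Domain part of the first address in a From:/Return-Path: header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def spf_result(msg) -> str:
    """The first token of Received-SPF is the result (pass, fail, softfail, ...)."""
    value = msg.get("Received-SPF", "")
    return value.split(None, 1)[0].lower() if value else "none"

def check_spf_alignment(raw: str, strict: bool = False) -> dict:
    """DMARC-style check: SPF must pass AND the domain it validated (the
    envelope sender) must align with the domain in the visible From: header.
    Relaxed alignment compares organizational domains, strict compares exactly."""
    msg = message_from_string(raw)
    from_domain = address_domain(msg.get("From", ""))
    envelope_domain = address_domain(msg.get("Return-Path", ""))
    if strict:
        aligned = from_domain == envelope_domain
    else:
        aligned = organizational_domain(from_domain) == organizational_domain(envelope_domain)
    result = spf_result(msg)
    return {
        "spf": result,
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "aligned": aligned,
        "dmarc_spf_pass": result == "pass" and aligned,
    }
```

On the spoofed sample SPF passes but `dmarc_spf_pass` is False, because the domain SPF validated is example-bulkmail.test rather than amazon.com; the legitimate sample passes under relaxed alignment and fails under strict, which is the difference between `aspf=r` and `aspf=s` in a DMARC record. A gateway that stops at the SPF result, as the text describes, accepts the first message.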
#834 Virtual assistants such as Amazon's Echo break US child privacy law, experts say
Khaliah Barnes, associate director of the Electronic Privacy Information Center (EPIC), believes that by showing pre-teenage children using voice-activated AI devices, Amazon, Google and Apple are admitting their services are aimed at youngsters.

“When your advertising markets this product to children, and parents with children, that would absolutely trigger COPPA,” she says. “Recording children in the privacy of the home is genuinely creepy, and this warrants additional investigation by the Federal Trade Commission (FTC) and [US] states.”

Jeff Chester agrees. “Online devices have replaced TV as the babysitter, and companies will know there’s a child there by the very nature of the interaction,” he says.

Amazon and Google told the Guardian that they comply with COPPA, while an Apple spokesperson said “we comply and we don’t target kids”. All have extensive privacy policies.
#833 Symantec: SWIFT attackers’ malware linked to more financial attacks
Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.

Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.

The attack against the Bangladesh central bank triggered an alert by payments network SWIFT, after it was found the attackers had used malware to cover up evidence of fraudulent transfers. SWIFT issued a further warning, saying that it had found evidence of malware being used against another bank in a similar fashion. Vietnam’s Tien Phong Bank subsequently stated that it intercepted a fraudulent transfer of over $1 million in the fourth quarter of last year. SWIFT concluded that the second attack indicates that a “wider and highly adaptive campaign” is underway targeting banks.

A third bank, Banco del Austro in Ecuador, was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions. However, no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia.
#832 Tor to use never-before-seen distributed RNG to generate truly random numbers
The Tor Project says it has created what it calls "a distributed RNG" (random number generator): two or more computers each produce a random value, and the values are blended into a single output. The point of the design is that an attacker would have to know which computers contributed and what each of them fed in, so no single participant can predict the result on its own.
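The commit-and-reveal construction that Tor's directory authorities use for this, in a toy form added here (this is not Tor's code, and the Tor Project's own specification is not on this page): each participant first publishes a hash of its secret value, and only after every commitment is in does anyone reveal. The example also models the attack this prevents, a last mover that watches the other values and searches for one of its own that biases the output, and shows it succeeding against naive blending and being rejected by the committed round. Participant names, values and the SHA-256 blending are constructed for the example.

```python
import hashlib
import os


def commit(value: bytes) -> bytes:
    """Hash commitment: fixes the value without disclosing it."""
    return hashlib.sha256(b"commit|" + value).digest()

def combine(reveals: dict) -> bytes:
    """Blend every revealed value into one output. Sorting by name makes every
    participant compute the same result regardless of arrival order."""
    h = hashlib.sha256()
    for name in sorted(reveals):
        h.update(name.encode() + b"|" + reveals[name] + b"|")
    return h.digest()


class Contributor:
    """An honest participant: one fresh random value per round."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.value = os.urandom(32)

    def commitment(self) -> bytes:
        return commit(self.value)

    def reveal(self, seen: dict) -> bytes:
        return self.value


class BiasingContributor(Contributor):
    """Models the last-mover attack on naive blending: after seeing everyone
    else's value it searches for one that forces the output's low bit to 0."""

    def reveal(self, seen: dict) -> bytes:
        while True:
            candidate = os.urandom(32)
            if combine({**seen, self.name: candidate})[-1] & 1 == 0:
                return candidate


def naive_round(contributors) -> bytes:
    """No commitments: values are published one after another, so the last
    contributor sees all earlier values before choosing its own."""
    reveals = {}
    for c in contributors:
        reveals[c.name] = c.reveal(dict(reveals))
    return combine(reveals)

def committed_round(contributors) -> bytes:
    """Commit-and-reveal: every commitment is collected before any value is
    revealed, and a reveal that does not match its commitment is rejected."""
    commitments = {c.name: c.commitment() for c in contributors}
    reveals = {}
    for c in contributors:
        value = c.reveal(dict(reveals))
        if commit(value) != commitments[c.name]:
            raise ValueError(f"{c.name}: reveal does not match commitment")
        reveals[c.name] = value
    return combine(reveals)
```

What commit-and-reveal does not prevent is a party that commits and then withholds its reveal once it sees that it dislikes the outcome. A deployment has to decide whether a missing reveal aborts the round or is simply excluded, and either choice hands the withholder a bit of influence, so the scheme bounds bias rather than eliminating it.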
#831 Microsoft may ban your favorite password
To push its users towards unique, hard-to-guess passwords, Microsoft says it is dynamically banning common passwords from the Microsoft Account and Azure AD systems. The company analyses data breaches for the passwords that appear most often and prevents users from choosing any password found on such attack lists (cybercriminals feed passwords from these leaks into brute-force attacks against accounts).

In a blog post, Alex Weinert, Group Program Manager of the Azure AD Identity Protection team, explains that Microsoft sees more than 10 million accounts being attacked each day and uses this data to dynamically update its list of banned passwords. The list is then used to stop people from choosing a common password or a close variant of one. The feature is available in Microsoft Account now and will roll out to all Azure AD tenants within the next month.
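A banned-password check in the spirit described above, added here as an illustration. Microsoft's actual matching rules are not published on this page, so the normalization (case folding, stripping leading and trailing digits and symbols, undoing common letter-for-symbol substitutions, and substring matching against the list) and the short banned list are the editor's own assumptions; a real deployment would load the list from breach corpora and keep updating it.

```python
import re
from typing import Optional

# Constructed stand-in for a breach-derived banned list (assumption: a real
# list is far longer and refreshed continuously from observed attacks).
BANNED = {"password", "qwerty", "letmein", "iloveyou", "welcome", "football",
          "monkey", "dragon", "sunshine", "baseball", "123456", "12345678"}

# Substitutions people use to sneak a banned word past an exact-match check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
EDGE = re.compile(r"^[\d\W_]+|[\d\W_]+$")  # leading/trailing digits and symbols


def candidate_cores(password: str) -> set:
    """Every normalized form worth comparing against the list: as typed,
    with the '2016!' style edges stripped, and with substitutions undone
    before and after stripping (so '5unshine!' still yields 'sunshine')."""
    lowered = password.lower().strip()
    stripped = EDGE.sub("", lowered)
    return {lowered, stripped, stripped.translate(LEET),
            EDGE.sub("", lowered.translate(LEET))}

def find_banned(password: str, min_core: int = 5) -> Optional[str]:
    """Return the banned word the password matches, or None. A listed word is
    also matched as a substring when it is at least min_core characters long,
    so 'MyPassword99' is caught while short words cannot match by accident."""
    cores = candidate_cores(password)
    for word in sorted(BANNED):
        if word in cores:
            return word
        if len(word) >= min_core and any(word in core for core in cores):
            return word
    return None

def is_banned(password: str) -> bool:
    return find_banned(password) is not None
```

The substring rule is what makes the check "fuzzy": the user who appends a year and swaps an `a` for `@` has produced a password that every credential-stuffing list already contains in spirit, and the bans are meant to catch exactly those variants rather than only literal matches.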
#830 US nuclear force 'still uses floppy disks'
The US nuclear weapons force still uses a 1970s-era computer system and floppy disks, a government report has revealed.

The Government Accountability Office said the Pentagon was one of several departments where "legacy systems" urgently needed to be replaced.

The report said taxpayers spent $61bn (£41bn) a year on maintaining ageing technologies.

It said that was three times more than the investment on modern IT systems.

The report said that the Department of Defence systems that co-ordinated intercontinental ballistic missiles, nuclear bombers and tanker support aircraft "runs on an IBM Series-1 Computer - a 1970s computing system - and uses eight-inch floppy disks".
#829 SAS: Big data is a big miss when it comes to IoT
According to SAS, there is a misconception when it comes to the Internet of Things that the more data an organisation has the better, which often results in a surplus of unusable information.