Security Alerts & News
by Tymoteusz A. Góral

#867 The impossible task of creating a “Best VPNs” list today
For the security minded, one of the scariest revelations from the now three-year-old Snowden leaks had nothing to do with accommodating ISPs (shocking) or overreaching and often vague anti-terrorism practices and policy (an even bigger shock, right?). Instead, when news trickled out about matters like the National Security Agency’s Vulcan data repository or its Diffie-Hellman strategy, online privacy advocates found themselves quaking. Suddenly, seemingly everyone had to re-evaluate one of the most often used tools for maintaining a shred of anonymity online—the VPN.

VPNs, or virtual private networks, are typically used to obfuscate users’ IP addresses and to add a layer of security to Web browsing. They work by routing traffic through a secure, encrypted connection to the VPN’s server. The reasons for using VPNs vary. Some people use VPNs to change their IP address so they can access location-specific media content in a different geographic location or download things on torrent that are less likely to be traced back to them. Others hope to minimize online tracking from advertisers, prevent the negative effects of rogue access to Wi-Fi networks, or even just obfuscate their IP address to specific sites they visit.
#866 Ransomware is working, and the cybercrooks know it
The number of internet domains serving up ransomware has risen massively in just the space of three months, as cybercriminals look to cash in.

Sites designed to host malware, exploit kits, phishing scams, and other threats have also reached their highest-ever level, according to security researchers at Infoblox.

In raw numbers, exploit kits remain the biggest security threat, accounting for just over 50 percent of the index. As in past quarters, Angler remains the top piece of ransomware, but a new contender has emerged from far back in the pack: observations of Neutrino have grown by 300 percent, the researchers said.

"Again in simple terms: Ransomware is working," the report said.
#865 Outlook and Hotmail flooded by spam
Microsoft has tackled a problem with its email filters that had prevented them from properly screening out spam.

It first acknowledged the problem with Outlook and Hotmail on Tuesday evening.

"Some users may be receiving excessive spam mail," a service page update stated.
#864 Samsung: Don't install Windows 10. REALLY
Samsung is advising customers against succumbing to Microsoft’s nagging and installing Windows 10.

The consumer electronics giant's support staff have admitted drivers for its PCs still don’t work with Microsoft's newest operating system and told customers they should simply not make the upgrade.

That’s nearly a year after Microsoft released Windows 10 and with a month to go until its successor – Windows 10 Anniversary Update – lands.

Samsung’s customers have complained repeatedly during the last 12 months of being either unable to install Microsoft’s operating system on their machines or Windows 10 not working properly with components if they do succeed.

However, with the one-year anniversary fast approaching it seems neither of these tech giants have succeeded in solving these persistent problems.
#863 Out-of-the-box exploitation possible on PCs from top 5 OEMs
The next time you're in the market for a new Windows computer, consider this: if it comes from one of the top five manufacturers, it's vulnerable to man-in-the-middle attacks that allow hackers to install malware.

That's the take-away from a report published Tuesday by researchers from two-factor authentication service Duo Security. It found third-party updating tools installed by default threatened customers of Dell, HP, Lenovo, Acer, and Asus. The updaters frequently expose their programming interfaces, making them easy to reverse engineer. Even worse, the updaters frequently fail to use transport layer security encryption properly, if at all. As a result, PCs from all five makers are vulnerable to exploits that allow attackers to install malware.
#862 Tor Browser 6.0: Ditches SHA-1 support, uses DuckDuckGo for default search results
A stable Tor Browser 6.0 has been released; it disabled SHA-1 support, got rid of the Mac Gatekeeper problem, and switched its default search results to DuckDuckGo.
#861 Crypto-ransomware attacks Windows 7 and later, scraps backward compatibility
How do you know that something has become very popular? Simple – when poorly-made knockoff versions start to hit the marketplace. Ransomware, it seems, has hit that point.

The writers behind the new ZCRYPT ransomware family have either scrapped support for Windows XP, or did a sloppy job in creating it. This new family only targets systems with newer versions of Windows, specifically Windows 7 and later. Is ZCRYPT deliberately cutting off older operating systems, or is it just poorly-written malware?
#860 Millions of PCs ship with bloatware riddled with security flaws, say researchers
Most major PC makers are shipping their desktops and notebooks with pre-installed software, which researchers say is riddled with security vulnerabilities.

A highly-critical report by Duo Security released Tuesday said Acer, Asus, Dell, HP and Lenovo all ship with software that contains at least one vulnerability, which could allow an attacker to run malware at the system-level -- in other words, completely compromising an out-of-the-box PC.

The group of PC makers accounted for upwards of 38 million PCs shipped in the first quarter of the year, according to estimates garnered from IDC's latest count.
#859 Got $90,000? A Windows 0-Day could be yours
How much would a cybercriminal, nation state or organized crime group pay for blueprints on how to exploit a serious, currently undocumented, unpatched vulnerability in all versions of Microsoft Windows? That price probably depends on the power of the exploit and what the market will bear at the time, but here’s a look at one convincing recent exploit sales thread from the cybercrime underworld where the current asking price for a Windows-wide bug that allegedly defeats all of Microsoft’s current security defenses is USD $90,000.

So-called “zero-day” vulnerabilities are flaws in software and hardware that even the makers of the product in question do not know about. Zero-days can be used by attackers to remotely and completely compromise a target — such as with a zero-day vulnerability in a browser plugin component like Adobe Flash or Oracle’s Java. These flaws are coveted, prized, and in some cases stockpiled by cybercriminals and nation states alike because they enable very stealthy and targeted attacks.
#858 Flaw in popular WordPress plug-in Jetpack puts over a million websites at risk
Owners of WordPress-based websites should update the Jetpack plug-in as soon as possible because of a serious flaw that could expose their users to attacks.

Jetpack is a popular plug-in that offers free website optimization, management and security features. It was developed by Automattic, the company behind WordPress.com and the WordPress open-source project, and has over 1 million active installations.

Researchers from Web security firm Sucuri have found a stored cross-site scripting (XSS) vulnerability that affects all Jetpack releases since 2012, starting with version 2.0.
#857 SSL/TLS and PKI timeline
A comprehensive listing of the most important events impacting the security ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić.
#856 Hackers find bugs, extort ransom and call it a public service
Crooks breaking into enterprise networks are holding data they steal for ransom under the guise they are doing the company a favor by exposing a flaw. The criminal act is described as bug poaching by IBM researchers and is becoming a growing new threat to businesses vulnerable to attacks.

According to IBM’s X-Force researchers, the new tactic is a variation on ransomware. In the case of bug poaching, hackers are extorting companies for as much as $30,000 in exchange for details on how hackers broke into their network and stole data. More conventional ransomware attacks, also growing in number, simply encrypt data and demand payment for a decryption key.

Researchers say once the intruders steal the data, there’s no explicit threat that they will break in again or release data if companies don’t pay. Instead, attackers release a simple statement demanding payment in exchange for details on how to fix the vulnerability, said John Kuhn, senior threat researcher for IBM Managed Security Services.
#855 SandJacking attack puts Apple iOS devices at risk to rogue apps
Apple has yet to patch a vulnerability disclosed during last week’s Hack in the Box hacker conference in Amsterdam that allows an attacker with physical access—even on the latest versions of iOS—to swap out legitimate apps with malicious versions undetected on the device.

Researcher Chilik Tamir of mobile security company Mi3 Security disclosed last week during his talk at the show that an iOS mitigation for a previous attack he’d developed was incomplete and with a modification, he could still infect non-jailbroken iOS devices with malicious or misbehaving apps.

Apple declined to comment about the vulnerability; it has known about the issue since Jan. 27. On May 23 Apple informed Tamir that it was working on a patch.
#854 PayPal to pull out of Turkey following license denial
PayPal has announced the suspension of its business operations in Turkey as of 6th June, citing failure to obtain a new license for its service in the country.

Turkey has made recent efforts to promote its own domestic tech sector, advancing censorship laws and other regulation to push large international companies out of the market. PayPal, as the latest victim on this trail, posted a statement [Turkish] on its local Turkish website today: “PayPal’s priority has always been its customers. However, a local financial regulator has denied our Turkish payments license and we have had to regretfully comply with its instruction to discontinue our activities in Turkey.” [Roughly translated from Turkish]
#853 US court says no warrant needed for cellphone location data
Police do not need a warrant to obtain a person's cellphone location data held by wireless carriers, a U.S. appeals court ruled on Tuesday, dealing a setback to privacy advocates.

The full 4th U.S. Circuit Court of Appeals in Richmond, Virginia, voted 12-3 that the government can get the information under a decades-old legal theory that it had already been disclosed to a third party, in this case a telephone company.