Security Alerts & News
by Tymoteusz A. Góral

#873 Google patches two high-severity flaws in Chrome
Google on Wednesday updated the Chrome browser for the third time since the start of May.

Chrome 51.0.2704.79 for Windows, Mac, and Linux patched 15 vulnerabilities. It also paid out $14,000 in bounties to prolific bug hunters Mariusz Mlynski ($7,500) and Rob Wu ($6,500).

The previous Chrome update on May 27 addressed 42 flaws with Mlynski cashing in to the tune of $30,000 after earning $15,500 in an update pushed out at the start of May.
#872 Android malware finds new ways to derive current running tasks
As we have discussed in our previous blogs, the ability to determine what app is currently running in the foreground is central for mobile banking malware to create overlay "injections" to phish the current running application. Android 5.0 Lollipop and Android 6.0 Marshmallow have thwarted malware’s ability to find the current running task by deprecating getRunningTasks() API, but ever since Google rolled out the Android security enhancement, malware authors have engaged in a cat-and-mouse game of workarounds and fixes. We have been blogging about each of these malware evolutions as we spot them in the wild.

The recent variants of Android.Bankosy and Android.Cepsohord, observed over the last quarter, are using two new tricks to circumvent the new security enhancements. One of these two techniques requires an additional special permission from the user, while another does not require any additional permission at all.
#871 93% of phishing emails are now ransomware
As of the end of March, 93 percent of all phishing emails contained encryption ransomware, according to a report released today by PhishMe.

That was up from 56 percent in December, and less than 10 percent every other month of last year.

And the number of phishing emails hit 6.3 million in the first quarter of this year, a 789 percent increase over the last quarter of 2015.
#870 Twitter pays out over $322,000 to bug bounty hunters
Twitter has revealed that the firm has paid out $322,420 to bug bounty hunters in only two years.

It was not that long ago that researchers seeking to report security vulnerabilities in systems and software had few outlets to do so. Emails and contact forms were the standard communication channel, and should a bug be investigated and deemed valid, the researcher was likely to receive little more than a pat on the back and perhaps public credit.

However, things have changed. Cyberthreats and data breaches are now a daily occurrence, which means businesses looking to protect their products and networks have to either hire in-house or seek external help to discover and fix problems before they can be exploited.
#869 TeamViewer servers go down as users complain on Reddit about getting hacked
Something is happening with TeamViewers servers at the moment, and all clues point to a massive breach that has led to many users going on Reddit and complaining about having their computers hacked, some even reporting seeing new purchases in their PayPal accounts.

The problems started around noon today when users weren't able to connect to the TeamViewer network. A few hours later, the company's website also went down, but the team managed to bring it back online a few hours later.

On Twitter, the TeamViewer team wrote that they're only experiencing issues in some parts of their network, but they denied any security breach, at least on their side.

Some users have reported finding new transactions in their PayPal and bank accounts, while others discovered someone had been poking around their email account.
#868 Symantec warns encryption and privacy are not the same
"Encryption and privacy is not the same thing," said Nick Savvides, Symantec APAC cybersecurity strategy manager.

Encryption is a privacy "enhancing tool", Savvides went on to explain, while privacy is more about handling what information is collected, how the collected information is handled, and what other data can be derived from it. The two are often confused because they are related: Encryption is used to maintain privacy.

Savvides said that unfortunately most websites do not use encryption, highlighting the company's most recent Internet Threat Security Report, which revealed that 97 percent of active websites do not have any basic security and 75 percent have unpatched vulnerabilities, with 16 percent of those being critical.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12