Security Alerts & News
by Tymoteusz A. Góral

#903 How your phone, fitness band vibration motors can be hacked for eavesdropping
Besides buzzing to alert you to calls, texts, and alarms, a phone's vibration motor can also function as a solid speech sensor, researchers have demonstrated.

And that means one more potential method for spies to eavesdrop on phone conversations, Nirupam Roy and Romit Roy Choudhury from the University of Illinois at Urbana-Champaign argue in a paper detailing their VibraPhone, a system designed to recover and distill words from currents transmitted by vibration motor circuits.

"We show that the vibrating mass inside the motor, designed to oscillate to changing magnetic fields, also responds to air vibrations from nearby sounds," the pair write.

That the motor responded to sound wasn't surprising, but they didn't expect it could be used to reproduce audible speech and thus act as a kind of microphone.

Besides eavesdropping, the researchers argue it could be used to enable voice control on devices that don't have a microphone, such as fitness trackers, and could impose a fairly low overhead on battery power since it operates in passive mode.
#902 Facebook Messenger vulnerability patched
Facebook has patched a vulnerability in the desktop and mobile versions of its Messenger app that allows an attacker to access and modify chats, exposing the victim to potential fraud and malware.

Researchers at Check Point Software Technologies privately disclosed the issue May 2 to Facebook, which patched it two weeks later. The flaw, Check Point said, allows an attacker to, among other things, access chat history and add or change links to a chat session. If the victim is persuaded to click on what is now a malicious link, they could start a malware download or establish a connection to an attacker’s command and control server.

Check Point said the victim would be unaware of the changes, that chat threads could be deleted or modified, and that links and files could be replaced or added. Researcher Roman Zaikin is credited with the discovery.
#901 White hat demonstrates how Better Business Bureau’s site leaked PII
A provocative white hat hacker who has previously disclosed vulnerabilities in both California’s ObamaCare portal and FireEye's core security product has now revealed a serious flaw in the Council of Better Business Bureau’s (CBBB) Web-based complaints application, which is used by nearly a million people annually to file complaints against businesses.

The CBBB criticized the “unauthorized application vulnerability test” but said in a statement that they believe “the motivation was not malicious,” and are “not pursuing the matter further.”

The CBBB is the umbrella organization for the independent local BBBs, the not-for-profit consumer advocacy groups that operate in the United States, Canada, and Mexico. The BBBs attempt to mediate disputes between consumers and businesses, and also accredit businesses based on how well the business meets the BBB’s “Standards of Trust.”

Independent security researcher Kristian Erik Hermansen discovered the vulnerability while attempting to file a complaint against Verizon. He told Ars the telecoms giant had defrauded a family member and that despite a successful class-action lawsuit against the company, the fraudulent charges were causing the family member credit problems.
#900 'Alarming' rise in ransomware tracked
Cyber-thieves are adopting ransomware in "alarming" numbers, say security researchers.

There are now more than 120 separate families of ransomware, said experts studying the malicious software.

Other researchers have seen a 3,500% increase in the criminal use of net infrastructure that helps run ransomware campaigns.

The rise is driven by the money thieves make with ransomware and the increase in kits that help them snare victims.

Ransomware is malicious software that scrambles the data on a victim's PC and then asks for payment before restoring the data to its original state. The costs of unlocking data vary, with individuals typically paying a few hundred pounds and businesses a few thousand.
#899 Android security: Google's June update splats dozens of critical, high-severity bugs
Google is rolling out its June patches for Android, which contain dozens of fixes for critical and high-severity bugs in the world's most widely-used mobile operating system.

The first Monday of a new month brings the latest Android security bulletin, detailing bugs that affect Google's own Nexus devices and devices from the Android ecosystem.

Secure Android devices should be running Android Security Patch Level of June 01, 2016. Google notified Android partners about the issues in this bulletin on May 2.

One of the most serious bugs fixed in this update is once again in Android's Mediaserver component.

"A remote code-execution vulnerability in Mediaserver could enable an attacker using a specially-crafted file to cause memory corruption during media file and data processing," Google notes. The bug affects all versions of Android that Google provides patches for, from Android 4.4.4 KitKat through to Android 6.0.1.
#898 Protecting your PC from ransomware gets harder with EMET-evading exploit
Drive-by attacks that install the once-feared TeslaCrypt crypto ransomware are now able to bypass EMET, a Microsoft-provided tool designed to block entire classes of Windows-based exploits.

The EMET-evading attacks are included in Angler, a toolkit for sale online that provides ready-to-use exploits that can be stitched into compromised websites. Short for Enhanced Mitigation Experience Toolkit, EMET has come to be regarded as one of the most effective ways of hardening Windows-based computers against attacks that exploit security vulnerabilities in either the operating system or installed applications. According to a blog post published Monday by researchers from security firm FireEye, the new Angler attacks are significant because they're the first exploits found in the wild that successfully pierce the mitigations.

"The level of sophistication in exploit kits has increased significantly throughout the years," FireEye researchers wrote. "Where obfuscation and new zero days were once the only additions in the development cycle, evasive code has now been observed being embedded into the framework and shellcode."