Security Alerts & News
by Tymoteusz A. Góral

#970 Locky, Dridex and Angler among cybercrime groups to experience fall in activity
There has been a sudden drop-off in activity relating to a number of major malware families in recent weeks. Dridex (W32.Cridex), Locky (Trojan.Cryptolocker.AF), the Angler exploit kit and Necurs (Backdoor.Necurs) are among the threats that appear affected by this development. Following reports of scaling back in activity by a range of cybercrime gangs, Symantec telemetry has confirmed that some of these groups have virtually ceased operating, while others appear to have greatly scaled back activity.

Locky has been one of the most prevalent ransomware threats in recent months, but Symantec has seen very few new Locky cases, either from spam campaigns or exploit kits, since the beginning of June. While the threat has not disappeared, there has been a significant dip in activity, indicating that there has been some disruption in the actors’ operations or a conscious decision to scale back.
#969 Non-US encryption is 'theoretical,' claims CIA chief in backdoor debate
CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.

And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

Thus, the choice is American-built-and-backdoored or nothing, apparently.

The spymaster made the remarks at a congressional hearing on Thursday after Senator Ron Wyden (D-OR) questioned the CIA's support for weakening cryptography to allow g-men to peek at people's private communications and data.

Brennan said this was needed to counter the ability of terrorists to coordinate their actions using encrypted communications. The director denied that forcing American companies to backdoor their security systems would cause any commercial problems.
#968 Breached credentials used to access Github repositories
Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.

“This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,” GitHub said in an advisory published Thursday by Shawn Davenport, GitHub VP of security. “We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.”

GitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.
#967 Adobe update plugs Flash Player zero-day
Adobe on Thursday issued a critical update for its ubiquitous Flash Player software that fixes three dozen security holes in the widely-used browser plugin, including at least one vulnerability that is already being exploited for use in targeted attacks.

The latest update brings Flash to v. 22.0.0.192 for Windows and Mac users alike. If you have Flash installed, you should update, hobble or remove Flash as soon as possible.

The smartest option is probably to ditch the program once and for all and significantly increase the security of your system in the process. I’ve got more on that approach (as well as slightly less radical solutions) in A Month Without Adobe Flash Player.
#966 Mozilla tests Firefox Containers: you can isolate shopping, work, personal browsing identities
Mozilla is experimenting with a new feature in Firefox that lets users log in to the same site with two different accounts.

Containers is an "experimental" feature in Firefox Nightly version 50, which is designed to reflect the idea that people project different aspects of themselves in different contexts in real life. Containers brings that concept to the web.

Mozilla security engineer Tanvi Vyas says it will allow "users to log in to multiple accounts on the same site simultaneously and gives users the ability to segregate site data for improved privacy and security."

The feature could improve the browser experience for people who currently use two browsers to log in to, say, two separate Twitter accounts or mail accounts at the same time.

It may also benefit those who use a secondary browser to isolate ad trackers from their primary browser. Vyas notes that users can open private tabs to do these tasks, but this approach lacks some of the conveniences of normal mode.
#965 QuintessenceLabs getting truly random with quantum security
Security firm QuintessenceLabs (QLabs) has taken to quantum computing to find the solution for secure communication.

John Leiseboer, CTO of QLabs, said that the bigger picture of what his organisation does is build random number generators using quantum techniques as well as build key management systems which generate, store, and distribute key material, as well as manage the policies associated with the usage of cryptographic applications.

"We use a special algorithm called one time pad which has some very powerful security properties, the most important being something called information theoretic security which basically means there are no attacks that can be mounted algorithmically or through computational power that can crack it. It is as good as the key itself," Leiseboer said.
#964 GitHub attacker launched massive login campaign using stolen passwords
On June 14, someone using what appears to have been a list of e-mail addresses and passwords obtained from the breach of "other online services" made a massive number of login attempts to GitHub's repository service. A review of logins by GitHub's administrators found that the attacker had gained access to a number of accounts, according to a blog post by Shawn Davenport, Vice President of Security at GitHub.

It’s not clear what the source of the e-mail/password combinations was, but there are certainly plenty of them out there right now—the recent bounty of "megabreaches," consisting of aged passwords from MySpace, Tumblr, LinkedIn and the dating site Fling, totaled more than 642 million accounts in all. And though they date back more than three years, there may have still been some that were being re-used by their owners on GitHub.