Security Alerts & News
by Tymoteusz A. Góral

#1007 Google launches Android programming course for absolute beginners
If you have an idea for an app but don't know the first thing about building it, Google has the course for you.

Launched on Wednesday, the Google Android Basics Nanodegree offers to teach beginners how to build a simple Android app in Java. There are no prerequisites. Google says the target student is anyone who's used a smartphone to surf the web.

All of the individual courses that make up the Nanodegree are available online for no charge, Google said, while Udacity offers additional paid services.

The course material, developed by Google, is hosted on learning platform Udacity and builds on earlier programs such as the Android Nanodegree for Beginners. The basics course takes around four weeks if the student commits six hours a week and upon completion they'll have created two basic apps built in Android Studio.
#1006 Apple’s official statement on why the iOS 10 kernel is not encrypted
"Some security experts who inspected that new version of iOS got a big surprise.

They found that Apple had not obscured the workings of the heart of its operating system using encryption as the company has done before. Crucial pieces of the code destined to power millions of iPhones and iPads were laid bare for all to see. That would aid anyone looking for security weaknesses in Apple’s flagship software.

Security experts say the famously secretive company may have adopted a bold new strategy intended to encourage more people to report bugs in its software—or perhaps made an embarrassing mistake. Apple declined to comment on why it didn’t follow its usual procedure."
#1005 WordPress security update patches two dozen flaws
WordPress last week updated to version 4.5.3, a security release for all versions of the content management system.

The update patches more than two dozen vulnerabilities, including 17 bugs introduced in the last three releases, all published this year. Many of the vulnerabilities can be exploited remotely and allow an attacker to take control of a website running on WordPress.

The platform continues to focus on security; already this year WordPress has updated a handful of times with sizable security updates and in April, turned on free encryption for custom domains hosted on WordPress.

Last week’s update patches vulnerabilities affecting versions 4.5.2 and earlier.
#1004 Unpatched remote code execution flaw exists in Swagger
An unexpected behavior in a relatively new and popular open source API framework called Swagger could lead to code execution, researchers at Rapid7 said.

The company today disclosed some details on the vulnerability, and released a Metasploit exploit module and a proposed patch written by researcher Scott Davis, who found the flaw.

Details were privately disclosed on April 19 to the Swagger API team and then on May 9 to CERT, Rapid7 said. To date, Rapid7 Security Research Manager Tod Beardsley told Threatpost, there has been no response from Swagger’s maintainers. Rapid7 said it shared its patch with CERT on June 16 and today made its public disclosure.
#1003 Let’s Encrypt celebrates big HTTPS milestone
Certificate authority Let’s Encrypt is celebrating a major milestone in the young nonprofit’s existence, issuing its 5 millionth certificate this month. Let’s Encrypt launched to the general public just seven months ago.

“Our goal is to get the entire web 100 percent HTTPS,” said Josh Aas, executive director for the Internet Security Research Group, the nonprofit that helped launch Let’s Encrypt. “By adding 5 million certificates, representing 7 million unique domains, we are now within reach of encrypting 50 percent of all internet traffic,” Aas said in an interview with Threatpost.

In December 2015, according to data culled from Firefox telemetry, roughly 39.5 percent of Firefox browser page loads were protected by HTTPS connections. Today the number is 45 percent.
#1002 Hackers would like to join your LinkedIn network - and you'd probably accept them
For many, LinkedIn is a handy way of keeping up with old colleagues and maybe even finding a new job, and many think that the bigger their network of contacts, the better.

So if a contact request comes in from a recruiter, even one they had never heard of before, many might think there would be little harm in accepting.

But what if that wasn't a recruiter, but rather a hacker using a fake profile in order to gain access to you, your contact details, and the rest of your network? In connecting you've potentially put yourself and your company at risk of being hacked, breached, or otherwise targeted by cybercriminals.

Certainly people are often more than willing to accept a request from a complete stranger to join their network on LinkedIn.

In fact, according to a survey of 2,000 people by cybersecurity researchers at Intel Security, nearly one quarter (24 percent) say they've connected to someone they don't know on LinkedIn, thus potentially allowing hackers access to a wealth of information which could be used for spear-phishing, malware drops, and other nefarious means.
#1001 McAfee Labs: Threats Report (PDF)
Partners in crime: investigating mobile app collusion

Mobile operating systems support multiple communication methods between apps running on mobile devices. Unfortunately, these handy interapp communication mechanisms also make it possible to carry out harmful actions in a collaborative fashion. Two or more mobile apps, viewed independently, may not appear to be malicious. However, together they could become harmful by exchanging information with one another. Multiapp threats such as these were considered theoretical for some years, but McAfee Labs recently observed colluding code embedded in multiple applications in the wild. In this Key Topic, we provide a concise definition of mobile app collusion, explain how mobile app collusion attacks are manifested, and how businesses can protect themselves from such attacks.

The state of cryptographic algorithms

Trust is an Internet cornerstone, built on the belief that messages and files freely exchanged on the Internet are authentic. Foundational to that are hashing functions that transform messages and files into a short set of bits. But what happens if cybercriminals break these hashing functions? In this Key Topic, we examine mainstream hashing functions and explain how they become more susceptible to cyberattacks as processor performance increases. We also show the volume of certificates still signed by outdated and weakened hashing functions, including certificates used in industrial and critical infrastructure applications. Finally, we make the case that businesses should actively migrate to stronger hashing functions.
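The Key Topic above points at certificates still signed with outdated hashing functions as the concrete place where weak hashes linger. As an added example (not McAfee's code and not part of the report), here is a small Python checker that reads a PEM certificate, parses only the outer DER structure of an X.509 Certificate to pull out the signatureAlgorithm OID, and flags MD5 and SHA-1 signatures for migration. The certificates it audits are constructed stand-ins whose tbsCertificate body is a placeholder; the OID values and names are the standard ones from PKCS#1 and ANSI X9.62.

```python
import base64

# --- minimal DER helpers, enough for the outer Certificate layout ---

def der_encode(tag, content):
    """Encode one DER TLV (tag, definite length, content)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Read one TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed value (SEQUENCE) into its child TLVs."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                          # base-128, high bit = continuation
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted OID string."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

# --- well-known signature algorithm OIDs (PKCS#1 / X9.62) and a verdict ---
SIGNATURE_ALGORITHMS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "weak"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "weak"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "strong"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "strong"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "strong"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "strong"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "strong"),
}


def pem_to_der(pem):
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm(pem):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280, 4.1)."""
    tag, cert, _ = der_read(pem_to_der(pem), 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    children = der_children(cert)           # [tbsCertificate, signatureAlgorithm, signatureValue]
    if len(children) != 3 or children[1][0] != 0x30:
        raise ValueError("unexpected Certificate layout")
    alg_tag, alg_oid = der_children(children[1][1])[0]   # AlgorithmIdentifier.algorithm
    if alg_tag != 0x06:
        raise ValueError("AlgorithmIdentifier.algorithm is not an OID")
    return decode_oid(alg_oid)


def classify(oid):
    """(algorithm name, 'weak'|'strong'|'unknown') for a signature OID."""
    return SIGNATURE_ALGORITHMS.get(oid, (oid, "unknown"))


def audit(certs):
    """Map name -> (algorithm name, verdict) for a dict of PEM strings."""
    return {name: classify(signature_algorithm(pem)) for name, pem in certs.items()}


def make_sample_cert(sig_oid):
    """CONSTRUCTED sample: structurally minimal stand-in, not a real X.509 certificate.
    Only the outer layout (tbs, signatureAlgorithm, signatureValue) is faithful."""
    alg_id = der_encode(0x30, der_encode(0x06, encode_oid(sig_oid)) + der_encode(0x05, b""))
    tbs = der_encode(0x30, der_encode(0x02, b"\x01") + alg_id)   # serial + signature (placeholder body)
    sig = der_encode(0x03, b"\x00" + b"\xAB" * 8)                 # BIT STRING placeholder
    b64 = base64.b64encode(der_encode(0x30, tbs + alg_id + sig)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    samples = {                                                   # constructed inventory
        "legacy-plc-gateway": make_sample_cert("1.2.840.113549.1.1.5"),   # SHA-1
        "web-frontend": make_sample_cert("1.2.840.113549.1.1.11"),       # SHA-256
    }
    for name, (alg, verdict) in audit(samples).items():
        print(f"{name:20s} {alg:26s} {verdict}")
```

For a real inventory, feed the PEM files collected from servers and devices into `audit`, or cross-check with `openssl x509 -in cert.pem -noout -text`. The parser assumes well-formed DER and reads only the outer signatureAlgorithm; RFC 5280 requires it to match the one inside tbsCertificate, so a full checker would compare both, and an "unknown" verdict should be reviewed by hand rather than treated as safe.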

Pinkslipbot: back from its slumber

After three years in hibernation, W32/Pinkslipbot (also known as Qakbot, Akbot, QBot) has re-emerged. This backdoor Trojan with wormlike abilities initially launched in 2007 and quickly earned a reputation for being a damaging, high-impact malware family capable of stealing banking credentials, email passwords, and signing certificates. Pinkslipbot infections dwindled in 2013 but made an aggressive return near the end of 2015. The malware now includes improved features including antianalysis and multilayered encryption abilities to prevent it from being reverse engineered by malware researchers. In this Key Topic, we document its history, evolution, recent updates, and the botnet infrastructure. We also provide details about its self-update and data exfiltration mechanism as well as McAfee Labs’ effort to monitor Pinkslipbot infections and credential theft in real time.
#1000 ‘GODLESS’ mobile malware uses multiple exploits to root devices
We came across a family of mobile malware called Godless (detected as ANDROIDOS_GODLESS.HRX) that has a set of rooting exploits in its pockets. By having multiple exploits to use, Godless can target virtually any Android device running Android 5.1 (Lollipop) or earlier. As of this writing, almost 90% of Android devices run on affected versions. Based on the data gathered from our Trend Micro Mobile App Reputation Service, malicious apps related to this threat can be found in prominent app stores, including Google Play, and have affected over 850,000 devices worldwide.

Godless is reminiscent of an exploit kit, in that it uses an open-source rooting framework called android-rooting-tools. That framework has various exploits in its arsenal that can be used to root various Android-based devices. The two most prominent vulnerabilities targeted by this kit are CVE-2015-3636 (used by the PingPongRoot exploit) and CVE-2014-3153 (used by the Towelroot exploit). The remaining exploits are deprecated and relatively unknown even in the security community.

In addition, with root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices. This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.
#999 Firm pays $950,000 penalty for using WiFi signals to secretly track phone users
A mobile advertising company that tracked the locations of hundreds of millions of consumers without consent has agreed to pay $950,000 (£640,000) in civil penalties and implement a privacy program to settle charges that it violated federal law.

The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users' ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users.

Specifically, the FTC alleged, InMobi collected nearby basic service set identifiers (BSSIDs), which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a "geocoder" database to infer the phone user's latitude and longitude, even when an end user hadn't provided permission for location to be tracked through the phone's dedicated location feature.
#998 Advantech patches WebAccess remote code execution flaws
Advantech has published a new version of its WebAccess product to address vulnerabilities that put installations at risk to remote code execution attacks.

Exploiting the vulnerabilities would be a challenge, however, according to an advisory published Tuesday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

ICS-CERT said the flaws, which affect versions prior to 8.1_20160519, would require an attacker to entice the victim to accept a crafted DLL and load it, decreasing the chances the bugs could be exploited.

“These vulnerabilities are not exploitable remotely and cannot be exploited without user interaction,” ICS-CERT said in its advisory. “The exploit is only triggered when a local user runs the vulnerable application, which in certain scenarios can cause it to load a DLL file from an untrusted source.”
#997 Ransomware a two-year nightmare in the making
The scourge of ransomware over the past two years has been impressive – and not in a good way. The number of frustrated computer users locked out of their PCs is at an all-time high with no signs of the ransomware epidemic relenting.

According to security experts, the last two years have seen an astounding growth in the number of people encountering ransomware. Between April 2015 and March 2016 the number of users hit by ransomware rose 17.7 percent worldwide compared to the prior year, according to a new report by Kaspersky Lab.

The in-depth report reveals that tactics have changed significantly for ransomware criminals with crypto ransomware now the dominant strain of ransomware versus Windows blocker ransomware, where a user is blocked from accessing their OS or web browser via a pop-up window.
#996 Nuclear, Angler exploit kit activity has disappeared
Criminal hackers are fickle about their attack vectors. You need to look no further for evidence of this than their constant migration from one exploit kit to another. And while there is an expansive menu of exploit kits, attackers do seem to congregate around a precious few.

Researchers who study exploit kits closely, however, are reporting that two major kits, Angler and Nuclear, may be off the table. Both are responsible for tens of millions of dollars in losses, and countless web-based infections dropping everything from ransomware to click-fraud malware. But the recent arrests of the Russian gang behind the Lurk malware may have put an end to the availability of the Angler Exploit Kit, and an exposé from Check Point Software Technologies has apparently done in the Nuclear Exploit Kit.

French researcher Kafeine, who specializes in exploit kits, said he has not seen any Nuclear activity since April 30, and no Angler activity since June 7.
#995 Patched libarchive vulnerabilities have big reach
The libarchive programming library was recently patched against three critical memory-related vulnerabilities that could be abused to execute code on computers running the vulnerable software.

As is the case with most open source software packages, patching the core library is only half the battle; admins must now ensure that third-party software running the library is also fixed, and that’s not an easy task.

“When vulnerabilities are discovered in a piece of software such as libarchive, many third-party programs that rely on, and bundle libarchive are affected,” said Cisco Talos researcher Marcin Noga in a report published Tuesday. “These are what are known as common mode failures, which enable attackers to use a single attack to compromise many different programs/systems. Users are encouraged to patch all relevant programs as quickly as possible.”
#994 154 million voter records exposed, revealing gun ownership, Facebook profiles, and more
When we eventually get to look back on 2016, we might be tempted to label it “The Year of Leaking Voter Lists.”

The year began with many people distraught to learn that a database with voter registration records of 191 million voters had been exposed online. Voter registration lists include name, address, political party, telephone number, and whether the voter voted in the last elections and primaries. It appeared that many Americans never knew that these lists were generally considered public records.

But while they were adjusting to that piece of information, they also learned that there was a second leaking voter database with more than 56 million voter records that exposed not only voter registration data but personal information such as Christian values, bible study, and gun ownership in 19 million profiles.

Both databases had been uncovered by Chris Vickery, a security researcher at the cybersecurity firm MacKeeper. And they were both eventually secured after Chris Vickery, this reporter, and Steve Ragan of CSO began making some phone calls and trying to track down the source of the leaks.