Security Alerts & News
by Tymoteusz A. Góral

#1018 How to spot Ingenico self-checkout skimmers
A KrebsOnSecurity story last month about credit card skimmers found in self-checkout lanes at some Walmart locations got picked up by quite a few publications. Since then I’ve heard from several readers who work at retailers that use hundreds of thousands of these Ingenico credit card terminals across their stores, and all wanted to know the same thing: How could they tell if their self-checkout lanes were compromised? This post provides a few pointers.

Happily, just days before my story, point-of-sale vendor Ingenico produced a tutorial on how to spot a skimmer on self-checkout lanes powered by Ingenico iSC250 card terminals. Unfortunately, it doesn’t appear that this report was widely disseminated, because I’m still getting questions from readers at retailers that use these devices.
#1017 Malware can use fan noise to steal data from air-gapped systems
Malicious applications can use the noise emanated by a computer's fan speed to relay information to a nearby recording device and steal data from air-gapped, isolated systems.

Other researchers proved in the past that malware could use low-frequency sounds sent through the computer's speakers to exfiltrate data from targeted systems to a nearby microphone-enabled device.

This particular scenario has been proven feasible over the past years, and because of the likelihood of something like this happening, in environments with tight security, some administrators have removed speakers from air-gapped systems.

Four researchers from the Ben-Gurion University of the Negev in Israel have created Fansmitter, a piece of malware that takes the above scenario, but instead of speakers, it uses a computer's fans to send data from the infected host.

Because all data is basically a sequence of ones and zeros, the researchers created Fansmitter to take over the computer's fan speed and make it work at two different speeds, corresponding to a binary "1" and a binary "0".

Fansmitter works with CPU, GPU, or chassis-mounted fans, and can be effective from one to four meters away. Researchers consider this a reliable distance up to which a microphone or a smartphone can be left behind to record sounds emanated from the computer.
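The two-speed modulation described above leaves a telemetry footprint a defender can look for. The following is an added example, not code from the article or from the Ben-Gurion researchers: a hypothetical heuristic that flags a fan RPM trace which toggles between exactly two discrete speed levels while CPU load stays flat. Thresholds and sample traces are constructed for illustration.

```python
from statistics import pstdev


def quantize(rpms, tolerance=100):
    """Assign each RPM reading to a speed level. A reading within
    `tolerance` RPM of an existing level joins it; otherwise it
    opens a new level. Returns (levels, per-sample level index)."""
    levels, labels = [], []
    for r in rpms:
        for i, c in enumerate(levels):
            if abs(r - c) <= tolerance:
                labels.append(i)
                break
        else:
            levels.append(r)
            labels.append(len(levels) - 1)
    return levels, labels


def looks_like_fan_channel(rpms, cpu_load, min_transitions=8, max_load_stdev=5.0):
    """True when the trace has exactly two speed levels, switches between
    them at least `min_transitions` times, and CPU load is flat (population
    standard deviation below `max_load_stdev` percent). A fan driven by
    thermal demand ramps through many levels and follows the load curve;
    a two-level square wave over an idle CPU does not."""
    levels, labels = quantize(rpms)
    if len(levels) != 2:
        return False
    transitions = sum(1 for a, b in zip(labels, labels[1:]) if a != b)
    return transitions >= min_transitions and pstdev(cpu_load) < max_load_stdev


# Constructed traces, one sample per second (hypothetical values).
# Benign: fan speed ramps up and down with CPU load.
BENIGN_RPM = [1000, 1050, 1200, 1400, 1600, 1800, 2000, 2100, 2100, 2000, 1800, 1500]
BENIGN_LOAD = [10, 15, 30, 50, 70, 85, 95, 95, 90, 70, 50, 30]
# Suspicious: fan alternates between 1000 and 1600 RPM while the CPU idles.
BITS = [1, 0, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0]
COVERT_RPM = [1600 if b else 1000 for b in BITS]
COVERT_LOAD = [5] * len(BITS)

if __name__ == "__main__":
    print("benign flagged:", looks_like_fan_channel(BENIGN_RPM, BENIGN_LOAD))  # False
    print("covert flagged:", looks_like_fan_channel(COVERT_RPM, COVERT_LOAD))  # True
```

In practice the RPM and load series would come from the host's hardware-monitoring sensors; the heuristic is only a starting point and will need tuning against the baseline of the specific machine.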
#1016 Chrome bug makes it easy to download movies from Netflix and Amazon Prime
For the past decade, Hollywood’s battle against online pirates has mainly been focused on leaked DVD screeners and illegal streaming sites. Now a pair of security researchers say they’ve discovered a vulnerability in the Google Chrome browser that allows people to save illegal copies of movies from streaming sites like Netflix and Amazon Prime.

The vulnerability, first reported by Wired, takes advantage of the Widevine EME/CDM technology that Chrome uses to stream encrypted video from content providers. Researchers David Livshits from the Cyber Security Research Center at Ben-Gurion University and Alexandra Mikityuk of Telekom Innovation Laboratories discovered a way to hijack streaming video from the decryption module in the Chrome browser after content has been sent from services like Netflix or Amazon Prime.
#1015 Selfrando technique mitigates attacks unmasking Tor users
The FBI’s apparent capability to unmask users of the Tor Network has caused hand-wringing among those concerned with privacy and civil liberties, many of whom are busy trying to win legal battles to get law enforcement to confess as to how they’re doing it.

A team of academics and researchers, however, have come up with a technique called selfrando they believe defends against such attacks.

The technique will be presented next month at the Privacy Enhancing Technologies Symposium (PETS) in Darmstadt, Germany, but according to the researchers, the Tor Project is already conducting field tests in hardened versions of the Tor Browser used for testing purposes.

The team of nine includes: Mauro Conti of the University of Padua, Stephen Crane and Andrei Homescu of Immunant, Tommaso Frassetto, Christopher Liebchen and Ahmad-Reza Sadeghi of the Technische Universität Darmstadt, Mike Perry and Georg Koppen of The Tor Project, and Per Larsen of the University of California, Irvine. They have already published a paper explaining their work titled “Selfrando: Securing the Tor Browser against De-anonymization Exploits.”
#1014 Popular anime site (Jkanime) infected, redirecting to exploit kit, ransomware
An anime site popular in Mexico and South America has been infected with malware redirecting visitors to a Neutrino Exploit Kit landing page.

The site, Jkanime, streams anime video and has 33 million monthly visitors.

Neutrino is currently the top dog among exploit kits after two of the bigger kits, Angler and Nuclear, have apparently been abandoned.

Researchers at Forcepoint, a Raytheon company, disclosed the attacks this week. Nicholas Griffin, senior security researcher said the payload is the CryptXXX 3.0 ransomware, which has mainly been distributed by Neutrino since Angler’s disappearance in late June.
#1013 Severe Swagger vulnerability compromises NodeJS, PHP, Java
Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit.

According to Rapid7, the vulnerability has been found in injectable code payloads through the Swagger Code Generator for NodeJS, PHP, Ruby, and Java. If exploited, attackers can remotely execute code in a client or server to interact with definition of service systems, a concept the team says could be an "interesting space for future research."

Other similar programming languages in the tool are possibly affected.
#1012 Malvertising and ransomware: the Bonnie and Clyde of advanced threat (PDF)
A lot of folks in the business (and consumer) world are shaking in their boots about ransomware. It’s understandable. Ransomware is a dangerous threat and, if not protected against, can do serious damage to a company’s data, reputation, and bottom line.

But the truly alarming part is that ransomware is being delivered by malvertising. Malvertising can do this without you knowing (until it’s too late) and without your users taking a single “unsafe” action online. And even mainstream websites are being infected by malvertising—blacklisting dodgy domains doesn’t solve the problem for you or your users.

So malvertising and ransomware. A match made in hell. Let’s take a closer look at the destruction left in their wake and what businesses can do to protect against them.
#1011 Has the Lizard Squad returned to ruin your day again?
It seems that those annoying cyberyobs that call themselves the Lizard Squad might have struck again. Sigh! It looks like they’ve run a DDoS (Distributed Denial of Service) attack against Blizzard’s Battle.net servers, stopping players of the popular Overwatch game from – well – playing.

A DDoS is cybervandalism that involves flooding a system with so much data that it’s unusable. If skillful hacking is like picking the lock to a door then a DDoS is stopping others from using the door by piling things up in front of it.
#1010 GozNym: Living in America
IBM X-Force researchers who study cybercrime threats and malware configurations report that the GozNym banking malware, a Trojan hybrid previously covered in early April, is expanding the reach of its nefarious redirection attacks to the U.S.

Not two months after setting up and launching redirection attacks on banks in Poland, GozNym’s operators are testing those out on four of the largest banks in the U.S. Unsurprisingly for GozNym, the attackers are focusing the malware’s configuration on business banking services.

The list of redirection targets appears limited at this time, but past cases such as Dridex’s redirection campaigns prove that these attacks often begin with a few targets and then expand.
#1009 Internet trolls hack popular YouTube channel WatchMojo
Late Wednesday evening, hackers operating under the name Poodle Corp. compromised the WatchMojo.com YouTube channel and started tagging dozens of videos.

The account hijacking was quickly detected, and the company turned to YouTube for assistance.

WatchMojo is known for their Top 10 videos on a number of topics. In 2013, the brand was listed as the 50th largest channel on YouTube. On Twitter, the company said they're aware "of the hack on our YouTube channel and we're working with YouTube to fix the changes."
#1008 HTML5 ads aren't that safe compared to Flash, experts say
A study from GeoEdge, an ad scanning vendor, reveals that Flash has been wrongly accused as the root cause of today's malvertising campaigns, but in reality, switching to HTML5 ads won't safeguard users from attacks because the vulnerabilities are in the ad platforms and advertising standards themselves.

The evidence exists to proclaim Flash as one of today's most vulnerable and insecure software applications. Targeted in cyber-espionage and malvertising campaigns, Flash has gotten a bad reputation, and for a good reason.

Security researchers have discovered vulnerabilities in Flash almost every month, and for many years, Adobe has been slow to patch them. Things changed recently after browser vendors threatened to have the plugin disabled for most of their users.

But Adobe's new approach to Flash security issues came a little too late, as the community had already worked for years at adding the appropriate features to HTML5 and other standards in order to replace Adobe's piece of junk.

HTML5 was officially released in October 2014, and slowly but surely, started to replace Flash in the advertising market, where many ad networks such as Google and Amazon have announced they'll stop taking static Flash ads, even if still allowing Flash for video ads.