Security Alerts & News
by Tymoteusz A. Góral

#1104 Facebook Messenger end-to-end encryption not on by default
Facebook today began a test program rolling out opt-in end-to-end encryption for its Messenger service called Secret Conversations.

The end-to-end encryption is based on the Signal protocol developed by Open Whisper Systems, the same protocol that stands up the crypto in the Signal and WhatsApp messaging applications.

The Facebook version of the encryption service is not on by default and is available only on one device at a time.

“Starting a secret conversation with someone is optional. That’s because many people want Messenger to work when you switch between devices, such as a tablet, desktop computer or phone,” Facebook said in its announcement. “Secret conversations can only be read on one device and we recognize that experience may not be right for everyone.”
#1103 Researchers add software bugs to reduce the number of… software bugs
Researchers are adding bugs to experimental software code in order to ultimately wind up with programs that have fewer vulnerabilities.

The idea is to insert a known quantity of vulnerabilities into code, then see how many of them are discovered by bug-finding tools.

By analyzing the reasons bugs escape detection, developers can create more effective bug-finders, according to researchers at New York University in collaboration with others from MIT’s Lincoln Laboratory and Northeastern University.

They created large-scale automated vulnerability addition (LAVA), which is a low-cost technique that adds the vulnerabilities. “The only way to evaluate a bug finder is to control the number of bugs in a program, which is exactly what we do with LAVA,” says Brendan Dolan-Gavitt, a computer science and engineering professor at NYU’s Tandon School of Engineering.
#1102 Stress-reducing MDM tips for businesses managing Apple devices
Ever since employee-owned devices, and particularly iPhones and iPads, began appearing in offices, organizations of all sizes have struggled to properly administer and secure non-corporate-owned smartphones and tablets. In fact, the trend became so pronounced it spawned a new acronym: BYOD, for Bring Your Own Device.

Businesses are torn about satisfying sometimes competing initiatives: accommodate employees' iPhone and iPad adoption, enable employee productivity, efficiently deploy and administer applications, and secure business data from unauthorized access. The way to balance these interests is to use a mix of capable platforms as part of your mobile device management (MDM) strategy.
#1101 Antivirus software is 'increasingly useless' and may make your computer less safe
Is your antivirus protecting your computer or making it more hackable?

Internet security experts are warning that anti-malware technology is becoming less and less effective at protecting your data and devices, and there's evidence that security software can sometimes even make your computer more vulnerable to security breaches.

This week, the U.S. Department of Homeland Security's Computer Emergency Readiness Team (CERT) issued a warning about popular antivirus software made by Symantec, some of it under the Norton brand, after security researchers with Google's Project Zero found critical vulnerabilities.

"These vulnerabilities are as bad as it gets. They don't require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible," wrote Google researcher Tavis Ormandy in a blog post. Symantec said it had verified and addressed the issues in updates that users are advised to install.

It's not the only instance of security software potentially making your computer less safe.

Concordia University professor Mohammad Mannan and his PhD student Xavier de Carné de Carnavalet recently presented research on antivirus and parental control software packages, including popular brands like AVG, Kaspersky and BitDefender, that bypass some of the security features browsers use to verify whether sites are safe, in order to scan encrypted connections for potential threats. In theory, they should make up for this with their own content verification systems.
#1100 Cyber spies are still using these old Windows flaws to target their victims
Hackers using only the most basic forms of cyberattack have been able to successfully steal files from high-profile governmental and diplomatic targets.

A cyber-espionage operation has targeted individuals and organisations across the globe, although the vast majority of attacks have focused on Chinese government and diplomatic entities, individuals associated with them and partners of these organisations.

Cybersecurity researchers from Kaspersky Lab's Global Research and Analysis team have been investigating the "aggressive cyber-espionage activity" since February. The researchers suggest that it originates in India and that attacks are undertaken using old exploits, low-budget malware tools and basic social engineering methods.
#1099 Privacy Shield data pact gets European approval
A revised pact governing EU-US data flows has been approved by European governments.

The Privacy Shield agreement replaces the previous accord, called Safe Harbour, that was struck down in October 2015.

Safe Harbour let US companies self-certify that they were doing enough to protect data about Europeans.

The European Court of Justice threw out Safe Harbour after leaks showed data was being spied upon.
#1098 Putin is literally breaking the internet
Earlier today, President Putin ordered the Federal Security Service to produce “encryption keys” capable of decrypting all data on the internet. No one is really sure what this means exactly, but the FSB has two weeks to make them, Meduza reports. That’s just one part of the Russian government’s silly and insanely expensive new plan for internet surveillance, signed into law under the “anti-terrorist” bill today and going into effect on July 20th.

These regulations aren’t just terrifyingly invasive. They’re technically nonsense, and they’re so costly to try to implement that they could put many internet and phone service providers out of business, force noncomplying foreign companies out of Russia and kick a massive dent into the Kremlin’s already crumbling infrastructure budget.
#1097 Best practices for managing the security of BYOD smartphones and tablets
The practice of employees using personal phones and tablets at work is already widespread, with the number of such devices forecast to hit one billion by 2018.

The challenge posed to enterprises by the Bring Your Own Device (BYOD) trend is that it forces them to keep corporate data safe on a plethora of different mobile computers that are not directly under IT's control. Worse, each device can potentially be running a different OS, with different apps installed and different vulnerabilities.

How should organisations approach the security of these devices in a way that doesn't interfere with employees' ability to work?
#1096 CryptXXX, Cryptobit ransomware spreading through campaign
Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains.

The campaign, called Realstatistics, has tainted thousands of sites built on both the Joomla! and WordPress content management systems. Researchers with security company Sucuri observed the campaign injecting bogus analytics code, including the URL realstatistics[.]info, into the PHP template of infected sites over the past few days.

In a post to the company’s blog on Wednesday, Sucuri CTO and founder Daniel Cid claimed the campaign was redirecting visitors first to the Neutrino Exploit Kit. If the kit successfully exploited either a Flash or PDF reader vulnerability, it left the visitor saddled with the ransomware du jour, CryptXXX.
#1095 Google is experimenting with post-quantum cryptography
Anticipating the development of large quantum computers that could theoretically break the security protocol behind HTTPS, Google announced Thursday that it's experimenting with post-quantum cryptography in Chrome.

The company is adding a post-quantum key-exchange algorithm to a small fraction of connections between desktop Chrome and Google's servers, Google software engineer Matt Braithwaite explained. The post-quantum algorithm will be added on top of the existing elliptic-curve key-exchange algorithm that's typically used, ensuring at least the same level of security for users.

The experiment is currently enabled in Chrome Canary, and users can look for it by opening the Security Panel under Developer Tools and looking for "CECPQ1".
#1094 Google fixes high-risk Android vulnerabilities in July update
Google is rolling out patches for Android in the July security bulletin, which contains dozens of security fixes for weaknesses in the Android system, many of which are deemed critical.

With a slight delay due to Independence Day weekend, Google released the latest security advisory on Wednesday for the Android mobile operating system. It affects Google's Nexus product range and any handset or tablet based on Android.

The most severe issue patched is a set of critical flaws in Mediaserver, which could enable remote code execution on a vulnerable device through different methods, including fraudulent emails, phishing campaigns, web browser injections, and MMS when processing media files.

Google has also patched remote code execution flaws discovered within OpenSSL, BoringSSL, and Bluetooth protocols.