Security Alerts & News
by Tymoteusz A. Góral

#1119 Millions of Xiaomi phones at risk of remotely installed malware
Millions of Xiaomi phones are vulnerable to a flaw that could allow an attacker to remotely install malware.

The vulnerability, now fixed, was found in the analytics package in Xiaomi's custom-built Android-based operating system. Security researchers at IBM, who found the flaw, discovered a number of apps in the package that were vulnerable to a remote code execution flaw through a man-in-the-middle attack -- one of which would allow an attacker to run arbitrary code at the system-level.
#1118 IoT medical devices: A prescription for disaster
If you’re sick and sitting in a drab hospital room hooked up to a dialysis pump, the last thing you want to worry about is hackers. But according to IT healthcare security experts, there is a chance that the life-saving dialysis machine is infected with malware, could even be processing fraudulent credit card transactions, or is part of a DDoS attack as it cleans your blood.

Hospitals are prime targets for hackers who see internet-connected healthcare equipment as low-hanging fruit when it comes to making a quick buck by stealing medical records, nefariously sucking up computer resources or perpetrating a ransomware attack, said Yong-Gon Chon, CEO of Cyber Risk Management.

“This equipment saves lives and can’t be taken offline like a laptop that goes back to IT for a week to be wiped and re-imaged,” Chon said. Hospitals are getting hammered by hackers targeting IoT devices. He said modern hospital security systems too often overlook IoT devices when it comes to security, making them an easy target.
#1117 Executive's guide to mobile security (free ebook)
Attacks against mobile devices are growing more widespread and more sophisticated. That's the bad news. The good news? Enterprises are growing more diligent about protecting against mobile threats, and security vendors are rolling out new and innovative platforms for mobility management.

But even with better tools in hand, IT and business leaders still face rough terrain as they try to stay ahead of emerging risks and build the best defenses against them.
#1116 HTTPS is not a magic bullet for Web security
We're in the midst of a major change sweeping the Web: the familiar HTTP prefix is rapidly being replaced by HTTPS. That extra "S" in an HTTPS URL means your connection is secure and that it's much harder for anyone else to see what you're doing. And on today's Web, everyone wants to see what you're doing.

HTTPS has been around nearly as long as the Web, but it has been primarily used by sites that handle money—your bank's website, shopping carts, social networks, and webmail services like Gmail. But these days Google, Mozilla, the EFF, and others want every website to adopt HTTPS. The push for HTTPS everywhere is about to get a big boost from Mozilla and Google when both companies' Web browsers begin to actively call out sites that still use HTTP.

The plan is for browsers to start labeling HTTP connections as insecure. In other words, instead of the green lock icon that indicates a connection is secure today, there will be a red icon to indicate when a connection is insecure. Eventually secure connections would not be labeled at all, they would be the assumed default.

Google has also been pushing HTTPS connections by "using HTTPS as a ranking signal," meaning Google takes the security of a connection (or lack thereof) into consideration when ranking sites in search results. For the time being, Google says that HTTPS is "a very lightweight signal... carrying less weight than other signals such as high-quality content." However, the company says that it "may decide to strengthen" this indicator as a means to encourage more sites to adopt HTTPS.
#1115 Time management tips: How to create meetings that work
Meetings are a plague on modern business: bored staff can waste months of their lives nodding along when they could be doing something more productive.

Research suggests the average employee attends a total of 60 meetings per month, and that 30 per cent of workplace time is wasted in the process.

So what are the best time management tips for executives? ZDNet speaks to four experts who give their view on keeping meetings tight and workers productive.
#1114 The state of mobile device security: Android vs. iOS
The big question is: who takes the gold? While Android has made significant progress, iOS remains more prevalent in the enterprise, Zumerle said, with the consistency of experience being a major factor.

"The majority of enterprises still feel it is easier for them to secure their enterprise data on the iOS platform," Zumerle said.

That may be the case now, but it could change over the next year or two, depending on the trajectory of the two companies' mobile strategies. The real winners in all this are the users, who will continue to benefit from enhanced security as Apple and Google seek to stay ahead of continuing threats.
#1113 Industrial cybersecurity threat landscape
Industrial control systems (ICS) surround us: they are used in electric, water and wastewater, oil and natural gas, transportation, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). Smart cities, smart houses and cars, medical equipment – all of that is driven by ICS.

Expansion of the Internet makes ICS easier prey for attackers. The number of ICS components reachable over the Internet increases every year. Taking into account that many ICS solutions and protocols were originally designed for isolated environments, such exposure often gives a malicious user multiple ways to cause impact to the infrastructure behind the ICS, due to a lack of security controls. Moreover, some components are vulnerable themselves. The first available information about vulnerabilities in ICS components dates to 1997, when only two vulnerabilities were published. Since then the number of vulnerabilities has increased significantly: over the past five years this figure has grown from 19 vulnerabilities in 2010 to 189 vulnerabilities in 2015.

Sophisticated attacks on ICS systems are no longer anything new. It is worth remembering an incident in 2015 in Ivano-Frankivsk, Ukraine, where around half of the houses were left without electricity because of a cyber-attack against the Prykarpattyaoblenergo power company, which was only one of multiple victims of the BlackEnergy APT campaign.
#1112 How Poland’s intrusive new spying law could bug world leaders at NATO summit
Polish spies could be secretly eyeballing world leaders attending the NATO summit in Warsaw, but it's impossible to know if such snooping is taking place—all thanks to a new law that came into force just last week.

The new anti-terrorism legislation was signed by Polish president Andrzej Duda on June 22. It came into force one week later. Under the law, secret surveillance may be carried out on any foreigner for up to three months without a court order. This includes undercover audio and video taping, bugging private premises, and accessing private electronic and phone communications.

National leaders including British Prime Minister David Cameron, US President Barack Obama, Canadian Prime Minister Justin Trudeau (who will face tough questions over his decision not to invest in military aircraft), German Chancellor Angela Merkel, and French President Francois Hollande are all in the Polish capital for the summit over the next few days.
#1111 The Dropping Elephant – aggressive cyber-espionage in the Asian region
Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high-profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.

Overall, the activities of this actor show that low investment and ready-made offensive toolsets can be very effective when combined with high quality social engineering. We have seen more such open source toolset dependency with meterpreter and BeEF, and expect to see this trend continue.
#1110 DroidJack uses side-load. It's super effective! Backdoored Pokemon GO Android app found
Pokemon GO is the first Pokemon game sanctioned by Nintendo for iOS and Android devices. The augmented reality game was first released in Australia and New Zealand on July 4th and users in other regions quickly clamored for versions for their devices. It was released on July 6th in the US, but the rest of the world will remain tempted to find a copy outside legitimate channels. To that end, a number of publications have provided tutorials for "side-loading" the application on Android. However, as with any apps installed outside of official app stores, users may get more than they bargained for.

In this case, Proofpoint researchers discovered an infected Android version of the newly released mobile game Pokemon GO [1]. This specific APK was modified to include the malicious remote access tool (RAT) called DroidJack (also known as SandroRAT), which would virtually give an attacker full control over a victim’s phone. The DroidJack RAT has been described in the past, including by Symantec [2] and Kaspersky [3]. Although we have not observed this malicious APK in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia.

Likely due to the fact that the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties. Additionally, many large media outlets provided instructions on how to download the game from a third party [4,5,6]. Some even went further and described how to install the APK downloaded from a third party [7]:

“To install an APK directly you'll first have to tell your Android device to accept side-loaded apps. This can usually be done by visiting Settings, clicking into the Security area, and then enabling the "unknown sources" checkbox.”
#1109 CISSP certification: Are multiple choice tests the best way to hire infosec pros?
Want a job in infosec? Your first task: hacking your way through what many call the "HR firewall" by adding a CISSP certification to your resume.

Job listings for security roles often list the CISSP (Certified Information Systems Security Professional) or other cybersecurity certifications, such as those offered by SANS, CompTIA, and Cisco, as a requirement. This is especially true in the enterprise space, including banks, insurance companies, and FTSE 100 corporations. But at a time when the demand for good infosec people sees companies outbidding each other to hire top talent, and ominous studies warn of a looming cybersecurity skills shortage, experts are questioning whether certifications based on multiple choice tests are really the best way to recruit the right people.