Security Alerts & News
by Tymoteusz A. Góral

History
#1134 Little Snitch bug leaves some Mac systems open to attack
Trusted Mac OS X firewall Little Snitch is vulnerable to local privilege escalation attacks that could give criminals the ability plant rootkits and keyloggers on some El Capitan systems.

The Little Snitch firewall vulnerability was found by Synack Director of Research and well-known OS X hacker Patrick Wardle. Affected are 3.x versions of the Little Snitch firewall software released prior to build 3.6.2 running on El Capitan. Wardle did not test versions of Little Snitch released prior to 3.x.

In January, Wardle discovered that the firewall software contained a local escalation of privileges (EoP) vulnerability that any local user (or malware) could exploit. The following month, Little Snitch’s developer Objective Development released the (3.6.2) version of the firewall that fixed the problem.

“This is a serious flaw and an important software update that Little Snitch users could have easily missed,” Wardle told Threatpost.
#1133 Ranscam ransomware deletes victims’ files outright
Researchers have observed ransomware so sophisticated over the last few months that we’ve seen a variant tease researchers with strings of hidden code and another composed entirely of JavaScript. But not every attacker is technically proficient; researchers are suggesting the ones behind a new strain of ransomware may just be plain lazy.

The ransomware Ranscam simply deletes users’ files, even if the victim chooses to pay, researchers at Cisco’s Talos Security Intelligence and Research Group claim, no encryption needed.

Like the ransomware’s name implies, Ranscam is just that: a ‘scam.’

According to two researchers with the group, Edmund Brumaghin and Warren Mercer, who wrote about it on Monday, after a user’s machine is infected, Ranscam starts out like any other type of ransomware. Victims are encouraged to pay 0.2 BTC ($130 US) to unlock their files, which Ranscam claims have been moved to a hidden partition and encrypted.
#1132 xDedic hacked server market resurfaces on Tor domain
The xDedic market has resurfaced, this time on a Tor network domain and with the inclusion of a new $50 USD enrollment fee.

XDedic’s original domain (xdedic[.]biz) disappeared shortly after a June 16 Kaspersky Lab report describing how xDedic provided a platform for the sale of compromised RDP servers. At the time of the report, there were 70,000 hacked servers for sale for as little as $6, and the website was doing brisk business.

Researchers at Digital Shadows reported today that a June 24 post to the Russian-language forum, exploit[.]in, included a link to the .onion site now hosting xDedic.

“The new xDedic site was found to be identical in design to the previous site and although discussion in the exploit[.]in thread indicated that accounts on the previous site had not been transferred to the new site, accounts could be freely registered,” Digital Shadows wrote in an incident report shared with Threatpost. “However, following registration, accounts had to be credited with $50 USD in order to activate them.”
#1131 Adobe patches 52 vulnerabilities in Flash Player
Adobe today pushed out an updated Flash Player that patched 52 vulnerabilities, most of which led to remote code execution on compromised machines.

The 52 flaws represent one of the biggest security updates in Flash this year, in what has been a busy time around the beleaguered software. Already, Adobe has had to push out emergency updates addressing zero day vulnerabilities under attack by criminals and APT attackers.

None of the flaws patched today are currently under attack in the wild.
#1130 Ransomware 'stopped' by new software
The solution - dubbed CryptoDrop - detected the malware and stopped it after it had encrypted just a handful of files, said its developers.

Patrick Traynor, an associate professor in UF's department of computer and information science, worked with PhD student Nolen Scaife and Henry Carter, from Villanova University, on the software.

"Our system is more of an early-warning system," Mr Scaife said.

"It doesn't prevent the ransomware from starting... it prevents the ransomware from completing its task… so you lose only a couple of pictures or a couple of documents rather than everything that's on your hard drive, and it relieves you of the burden of having to pay the ransom."
#1129 Billion-dollar scams: The numbers behind BEC fraud
Business email compromise (BEC), or CEO fraud, continues to be the bane of companies in 2016. BEC scams are low-tech financial fraud in which spoofed emails from CEOs are sent to financial staff to request large money transfers. While they require little expertise and skill, the financial rewards for the fraudsters can be high. An Austrian aerospace manufacturer recently fired its president and CFO after it lost almost US$50 million to BEC fraudsters.

In light of recent warnings from the FBI regarding BEC, we took an in-depth look at Symantec’s Email Security.cloud data to get a better understanding of the state of BEC fraud today.
#1128 Now it’s easy to see if leaked passwords work on other sites
Over the past few months, a cluster of megabreaches has dumped account credentials for a mind-boggling 642 million accounts into the public domain, where they can then be used to compromise other accounts that are protected by the same password. Now, there's software that can streamline this vicious cycle by testing for reused passcodes on Facebook and other popular sites.

Shard, as the command-line tool has been dubbed, is designed to allow end users to test if a password they use for one site is also used on Facebook, LinkedIn, Reddit, Twitter, or Instagram, its creator, Philip O'Keefe, told Ars. The security researcher said he developed the tool after discovering that the randomly generated eight-character password protecting several of his accounts was among the more than 177 million LinkedIn passwords that were leaked in May.
#1127 Serious flaw fixed in widely used WordPress plug-in
If you're running a WordPress website and you have the hugely popular All in One SEO Pack plug-in installed, it's a good idea to update it as soon as possible. The latest version released Friday fixes a flaw that could be used to hijack the site's admin account.

The vulnerability is in the plug-in's Bot Blocker functionality and can be exploited remotely by sending HTTP requests with specifically crafted headers to the website.

The Bot Blocker feature is designed to detect and block spam bots based on their user agent and referer header values, according to security researcher David Vaartjes, who found and reported the issue.
#1126 How to hack mobile devices using YouTube videos
Researchers have devised a way to leverage YouTube to hack mobile devices.

A team from the University of California, Berkeley, and Georgetown University have developed the means to compromise a mobile device using hidden voice commands embedded within a YouTube video.

In order for the device to be attacked, the intended victim needs to do nothing more than watch the YouTube content.

The researchers say on their project page that the hidden voice commands used by the attack are "unintelligible to human listeners but which are interpreted as commands by devices."
#1125 BMW Core Web Portal & ConnectedDrive - exploitation of car configurations
Today we will talk about two vulnerabilities that was discovered by Vulnerability Laboratory core team member "Benjamin Kunz Mejri", the vulnerabilities which are not patched yet! There are two main bugs both related to the BMW online service and web app for ConnectedDrive .

The first vulnerability found in the BMW ConnectedDrive web-application. The vulnerability allows remote attackers to manipulate specific configured parameters to compromise the affected web-application service. A vehicle identification number,commonly abbreviated to VIN, or chassis number, is a unique code including a serial number, used by the automotive industry to identify individual motor vehicles, towed vehicles, motorcycles, scooters and mopeds as defined in ISO 3833.

The vulnerability is located in the session management of the VIN adding procedure. Remote attackers are able to bypass the secure validation approval of the VIN when processing to create it. Remote attackers are able to change with a live session tamper the action information to create or update. Thus allows an attacker to bypass the invalid VIN exception to add a new configuration finally. Thus interaction results in the takeover of other vehicle identification numbers to view or manipulate the configuration. The session validation flaw can be exploited with a low-privilege user account, leading to manipulation of VIN numbers and configuration settings such as compromising registered and valid VIN numbers through the ConnectedDrive portal. The settings available through the ConnectedDrive portal include the ability to lock/unlock the vehicle, manage song playlists, access email accounts, manage routes, get real-time traffic information, and so on.

After the successful exploitation to integrate the vin in the portal the attacker can login with the connectedrive ios application. The attacker includes the illegal vin to his account via portal and can access the configuration via mobile application or portal. Thus way an attacker is able to unauthorized access the info-tainment-system of bmw cars to interact without hardware manipulation or cable access.
#1124 MIT researchers devise new anonymity network following Tor bug
Computer scientists at Massachusetts Institute of Technology have devised a new anonymity network they say is more secure than Tor.

For the uninitiated, anonymity networks like Tor let you hide your location and Web activity, offering people living under repressive regimes, for instance, protection from prying eyes monitoring their Internet use. But following the recent discovery of vulnerabilities in Tor, researchers at MIT's Computer Science and Artificial Intelligence Laboratory and the École Polytechnique Fédérale de Lausanne have been working on a more secure anonymity scheme. Now they say they have succeeded.
#1123 Google to train 2 million Indian Android developers
Google has announced its new “Android Fundamentals” training program, which aims to train and certify up to two million Android developers in India. An Android Fundamentals training course, soon to be available online and at schools country-wide, is focused on training, testing and certifying Android developers to prepare students for careers using Android technology.
#1122 Jigsaw ransomware decrypted, again
The four-month-old Jigsaw ransomware has been defeated again. The ransomware, that packs an emotional punch with its creepy graphics and hallmark countdown clock, can be overcome simply by tricking the ransomware code into thinking you’ve already paid.

Researchers at Check Point published a fix for those infected by Jigsaw. The ransomware originally got is name for infecting computers and then displaying the menacing image of “Billy the Puppet” from the horror movie franchise Saw. Jigsaw threatens to delete thousands of files an hour if you don’t pay 0.4 Bitcoins or $150; restarting your PC costs you 1,000 deleted files.
#1121 Cisco unveils three DNA network security technologies
Cisco has announced three new technologies for its Digital Network Architecture (DNA) solution to enable network engineers, application developers, channel partners, and IT customers to embed improved and simplified security within their network infrastructure layer: Umbrella Branch, Stealthwatch Learning Network License, and Meraki MX Security Appliances with Advanced Malware Protection (AMP) and Threat Grid.

All three are designed to improve mobility and cloud security threats, according to the networking giant.

The first technology, Cisco's Umbrella Branch cloud-delivered security software, provides businesses with increased control over guest Wi-Fi usage via content filtering. It can be activated on the Cisco Integrated Services Routers (ISR) 4,000 series, and works to filter and block malware, command and control (C2) callbacks, and phishing threats before they reach the network.
#1120 Cisco bolsters cloud security offering with new solutions
Cisco has announced six new cloud-based services and solutions as part of its security portfolio: Umbrella Roaming, Defense Orchestrator, Security for Digital Transformation, Umbrella Branch, Stealthwatch Learning Network License, and Meraki MX Security Appliances with Advanced Malware Protection (AMP) and Threat Grid.

The new services form part of Cisco's suite of solutions to embed security in the access points and endpoints on the network; according to CEO Chuck Robbins, 47 percent of Cisco's security portfolio is now delivered via software.

The first new simplified security offering, Cisco Umbrella Roaming, is an AnyConnect module to protect a business' roaming employees from off-network threats and site connections while working remotely.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12