Security Alerts & News
by Tymoteusz A. Góral

#1151 Cisco patches DoS flaw in NCS 6000 routers
Cisco Systems today released patches for two products, including one for a vulnerability rated a high criticality in Cisco IOS XR for the Cisco Network Convergence System series routers.

The flaw rests in the management of system timer resources and could allow an attacker to remotely crash the router.

“An attacker could exploit this vulnerability by sending a number of Secure Shell (SSH), Secure Copy Protocol (SCP), and Secure FTP (SFTP) management connections to an affected device,” Cisco said in its advisory. “An exploit could allow the attacker to cause a leak of system timer resources, leading to a nonoperational state and an eventual reload of the RP on the affected platform.”
#1150 Security software priorities shift from defence to detection and response
The worldwide security software market was worth $22.1bn last year -- up by 3.7 percent from 2014.

Firms are tackling the unrelenting hacker threat by investing in security information and event management technology. The tech handles threat detection and security incident response through the real-time collection and analysis of security events. Spending in this area is growing faster than in any other segment of the security market, up 15.8 per cent, according to analyst Gartner. The sharpest decline in security spending was on consumer-focused software, which fell 5.9 per cent year on year.

Gartner said interest in technologies focused solely on preventing security breaches is on the wane, in contrast to offerings that enable detection and response.

"Organizations are shifting security budgets from prevention to prediction, detection and response, and security vendors need to capture this shifting spend," it said, pointing to identity governance and administration and data loss prevention technologies as growth areas.
#1149 Google hit by fresh European Union anti-trust charges
The European Commission has stepped up pressure on Google, alleging that it abused its dominance in internet shopping and restricted competition.

It also accused Google of stopping websites from showing adverts from the search engine's competitors.

And it strengthened an existing charge that Google favours its own comparison shopping services in search results.
#1148 Android banking malware blocks victims’ outgoing calls to customer service
In March 2016, newer variants of the Android.Fakebank.B family arrived with call-barring functionality. The feature aims to stop customers of Russian and South Korean banks from cancelling payment cards that the malware stole. The latest version of the threat shows how Android banking malware continues to evolve.

Once installed, the new Android.Fakebank.B variants register a BroadcastReceiver component that gets triggered every time the user tries to make an outgoing call. If the dialed number belongs to any of the customer service call centers of the target banks, the malware programmatically cancels the call from being placed.
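A static triage heuristic for the behaviour described above, added here as an example (not code from the original article or from the malware analysis): it parses a decoded AndroidManifest.xml and flags apps that both request `android.permission.PROCESS_OUTGOING_CALLS` and register a BroadcastReceiver for `android.intent.action.NEW_OUTGOING_CALL`, the Android mechanism a receiver needs in order to observe outgoing calls. The package name, receiver class and manifest content are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OUTGOING_CALL_ACTION = "android.intent.action.NEW_OUTGOING_CALL"
OUTGOING_CALL_PERM = "android.permission.PROCESS_OUTGOING_CALLS"


def android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml):
    """Report whether a manifest combines the permission and the receiver
    needed to intercept outgoing calls. Returns a dict, not a verdict:
    legitimate dialers and call-screening apps use the same pair."""
    root = ET.fromstring(manifest_xml)
    perms = {android_attr(p, "name") for p in root.iter("uses-permission")}
    receivers = []
    for recv in root.iter("receiver"):
        actions = {android_attr(a, "name") for a in recv.iter("action")}
        if OUTGOING_CALL_ACTION in actions:
            receivers.append(android_attr(recv, "name"))
    has_perm = OUTGOING_CALL_PERM in perms
    return {
        "has_permission": has_perm,
        "outgoing_call_receivers": receivers,
        "suspicious": has_perm and bool(receivers),
    }


# Constructed sample: a "banking" app that also hooks every outgoing call.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <receiver android:name=".CallBlocker">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is a reason to look at what the receiver does with the call (for a banking app there is no legitimate reason to touch outgoing calls at all), not proof of malice on its own.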
#1147 The FBI says its malware isn’t malware because the FBI is good
The FBI is facing accusations that malware it deployed while running Operation Playpen, a sting that infiltrated and maintained a dark web child pornography website for two weeks and eventually led to more than 100 arrests, was illegal. But the agency swears that using malware was good because, well, the FBI had good intentions.

Some judges have actually ruled to throw out evidence obtained by the malware the FBI used on the basis that it did not have the proper warrants. (The DOJ and FBI just had a major breakthrough with the Supreme Court in modifying Rule 41, giving them expansive new hacking powers, but we’ll get to that in a second.) According to a legal brief filed by the FBI, “A reasonable person or society would not interpret the actions taken by a law enforcement officer pursuant to a court order to be malicious.”
#1146 Popular Android, iPhone stocks app leaks your trading activities
The popular SeekingAlpha mobile application for tracking stocks and shares on Android and iOS devices harbours a serious security flaw leading to information leaks.

Discovered by Derek Abdine of Rapid7, the vulnerability "leaks personally identifiable and confidential information, including the username and password to the associated account, lists of stock symbols the user is interested in, and HTTP cookies," according to the team.

Seeking Alpha describes itself as a "platform for investment research" and provides users with tools and content for investors to ferret out information on public stocks, investment opportunities and other securities.
#1145 Mozilla begins process of letting Firefox rust
Mozilla has announced it has taken a small step towards replacing much of Firefox's C++ code with its safer alternative language, Rust.

When Firefox 48 ships on August 2, it will contain a Rust-built mp4 track metadata parser that will be available on Windows and 32-bit Linux desktops for the first time. Users of Mac OS X and 64-bit Linux have had the new parser available since Firefox 45.

"Media formats are known to have been used to trick decoders into exposing nasty security vulnerabilities that exploit memory management bugs in web browsers' implementation code," Dave Herman, Mozilla Research principal researcher and director of strategy, said in a blog post. "This makes a memory-safe programming language like Rust a compelling addition to Mozilla's tool-chest for protecting against potentially malicious media content."
#1144 Chrysler launches Detroit’s first ‘bug bounty’ for hackers
When a pair of hackers exposed security flaws a year ago in a Jeep Cherokee, Fiat Chrysler could have responded by trying to keep other hackers away from its products with intimidation or lawsuits. The demo led to a 1.4-million-vehicle recall, after all. But instead, the company is trying a smarter approach: offering to pay for hacks.

On Wednesday the Italian-owned Detroit automaker announced that it will pay “bounties” of as much as $1,500 to security researchers who alert the company to hackable flaws in its software. That makes the company the first major carmaker to officially shell out dollars in exchange for security vulnerability information, a sign of Detroit’s growing awareness of the looming threat of digital attacks on vehicles. “It’s a very big move,” says Casey Ellis, the CEO of Bugcrowd, the firm running Fiat Chrysler’s bug bounty program. “This is basically creating normalcy around the dialogue between hackers and vehicle manufacturers for the purposes of making vehicles safer.”
#1143 Cisco Jasper will help us solve the IoT data-delivery problem
Cisco's $1.4 billion acquisition of cloud-based Internet of Things (IoT) platform Jasper will enable the latter to continue its bid to solve the problem of data delivery for mobile providers and to take the complexity out of IoT for enterprises.

Calling Jasper the "technical interface" for the more than 30 mobile operator groups for which it provides an IoT platform, Macario Namie, head of IoT Strategy for Cisco Jasper, said Jasper was founded 12 years ago to solve one major problem: Enabling enterprises to put connected products on mobile networks worldwide.

"For us, being part of Cisco, number one we still very much believe that the opportunity that existed for us as an independent business is just even that much greater," Namie told ZDNet.
#1142 Drupal patches remote code execution vulnerabilities in three modules
Developers with the open source content management framework Drupal today patched a series of highly critical remote code execution bugs in three separate modules. If exploited, the bugs could let an attacker take over any site running the modules.

Fixes were pushed for RESTful Web Services, a module used for creating REST APIs, Coder, a module used for code analysis, and Webform Multiple File Upload, a module used for collecting files from site visitors.