Security Alerts & News
by Tymoteusz A. Góral

#1183 Internet of Things security is dreadful: Here's what to do to protect yourself
British parents haven't learnt their lesson from the discovery two years ago of a Russian website that offered links to unsecured baby monitors, according to the UK's privacy watchdog.

This has prompted the Information Commissioner's Office (ICO) to reissue its wake-up call from 2014 to parents over the security of baby monitors. Two years on from the discovery of the Russian site, the ICO says parents still haven't changed their behaviour, and it's calling on them to take responsibility for the security of their devices.

"Internet of Things products such as baby monitors, music systems and photo or document storage, which can be accessed online, are at risk of revealing your personal details to other people," it warned.

#1182 ARM, Symantec build security standard for Internet of Things
The lack of a cohesive cybersecurity standard around the Internet of Things and connected devices could result in highly damaging security breaches that could compromise any industrial, corporate, or home network.

There are already billions of devices -- ranging from sensors, to cars, to hospital equipment and more -- connected to the internet and Gartner estimates that 5.5 million new 'things' are going online every single day. Over five billion devices are currently connected and the figure is expected to rise to 20 billion by 2020.

However, there isn't any sort of standard applied to security in Internet of Things devices, and experts are already predicting a major cybersecurity breach linked back to an unsecured connected device within the next two years.

#1181 Oracle patches record 276 vulnerabilities with July critical patch update
Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon.

The quarterly patch update resolves vulnerabilities in 84 different products, including Oracle Database Server, Oracle Fusion Middleware, and Oracle’s E-Business Suite, to name a few. The number of fixes exceeds the previous all-time high, 248 patches, pushed by Oracle in January and marks more than double the amount of vulnerabilities addressed by the company in its last CPU in April.

Like the April CPU, more than 50 percent of the vulnerabilities, 159 in total, can be exploited remotely without authentication. Oracle Fusion Middleware is the biggest culprit; 35 of the 40 vulnerabilities that affect the software are remotely exploitable. The company’s E-Business Suite – in which 21 of the 23 vulnerabilities are remotely exploitable – and Oracle Sun Systems Products Suite – in which 21 of the 34 vulnerabilities are remotely exploitable – also merit attention.

#1180 SoakSoak botnet pushing Neutrino exploit kit and CryptXXX ransomware
Researchers are reporting a surge in CryptXXX ransomware infections delivered via business websites compromised to redirect to the Neutrino Exploit Kit. Attackers are targeting websites running the Revslider slideshow plugin for WordPress, according to a report released Tuesday by Invincea.

Behind the attacks, said Pat Belcher, director of security research at Invincea, is the SoakSoak botnet, active since 2014 and known for its automated ability to scan websites for vulnerabilities.

“We are seeing a surge in these type of attacks targeting slideshow and video components on popular websites,” Belcher said.

#1179 Firefox to block non-essential Flash content in August 2016, require click-to-activate in 2017
Browser plugins, especially Flash, have enabled some of our favorite experiences on the Web, including videos and interactive content. But plugins often introduce stability, performance, and security issues for browsers. This is not a trade-off users should have to accept.

Mozilla and the Web as a whole have been taking steps to reduce the need for Flash content in everyday browsing. Starting in August, Firefox will block certain Flash content that is not essential to the user experience, while continuing to support legacy Flash content. These and future changes will bring Firefox users enhanced security, improved battery life, faster page load, and better browser responsiveness.

#1178 Attackers launch multi-vector DDoS attacks that use DNSSEC amplification
Almost 60 percent of all DDoS attacks observed during the first quarter of this year were multi-vector attacks, Akamai said in a report released last month. The majority of them used two vectors, and only 2 percent used five or more techniques.

The DNS (Domain Name System) reflection technique used in this large attack was also interesting, because attackers abused DNSSEC-enabled domains in order to generate larger responses.

DNS reflection involves abusing misconfigured DNS resolvers that respond to spoofed requests. Attackers can send DNS queries to these servers on the Internet by specifying the target's Internet Protocol (IP) address as the request's source address. This causes the server to direct its response to the victim instead of the real source of the DNS query.

#1177 Wave of business websites hijacked to deliver crypto-ransomware
If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April.

The sites were most likely exploited by a botnet called SoakSoak or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin.

#1176 Library of Congress hit with a denial-of-service attack
Some of the U.S. Library of Congress’s websites are currently inaccessible as the result of a denial-of-service attack, the Library of Congress announced Monday.

The cyberattack was originally detected on July 17, a spokesperson told FedScoop. The attack has also caused other websites hosted by the LOC, including the U.S. Copyright Office, to go down. Library of Congress employees were reportedly unable to access their work email accounts or visit internal websites.

"The Library is working to maintain access to its online services while ensuring security," the spokesperson said.

#1175 Software flaw puts mobile phones and networks at risk of complete takeover
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure and make it possible to eavesdrop or disrupt entire networks, security experts warned Tuesday.

The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who managed to succeed would have the ability to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and is used to implement a telephony standard known as ASN.1, short for Abstract Syntax Notation One.