Security Alerts & News
by Tymoteusz A. Góral

#1214 New attack that cripples HTTPS crypto works on Mac, Windows and Linux
A key guarantee provided by HTTPS encryption is that the addresses of visited websites aren't visible to attackers who may be monitoring an end user's network traffic. Now, researchers have devised an attack that breaks this protection.

The attack can be carried out by operators of just about any type of network, including public Wi-Fi networks, which arguably are the places where Web surfers need HTTPS the most. It works by abusing a feature known as WPAD—short for Web Proxy Autodiscovery—in a way that exposes certain browser requests to attacker-controlled code. The attacker then gets to see the entire URL of every site the target visits. The exploit works against virtually all browsers and operating systems. It will be demonstrated for the first time at next week's Black Hat security conference in Las Vegas in a talk titled Crippling HTTPS with Unholy PAC.

"People rely on HTTPS to secure their communication even when the LAN/Wi-Fi cannot be trusted (think public Wi-Fi/hotels/cafes/airports/restaurants, or compromised LAN in an organization)," Itzik Kotler, cofounder and CTO of security firm SafeBreach and one of the scheduled speakers, wrote in an e-mail. "We show that HTTPS cannot provide security when WPAD is enabled. Therefore, a lot of people are actually exposed to this attack when they engage in browsing via non-trusted networks."
#1213 KeySniffer vulnerability opens wireless keyboards to snooping
Wireless keyboards made by eight different companies suffer from a vulnerability that can allow attackers to eavesdrop on keystrokes from up to 250 feet away, researchers warned Tuesday.

If exploited, the vulnerability, dubbed KeySniffer, could let an attacker glean passwords, credit card numbers, security questions and answers – essentially anything typed on a keyboard, in clear text.

Keyboards manufactured by Hewlett-Packard, Toshiba, Kensington, Insignia, Radio Shack, Anker, General Electric, and EagleTec are affected, according to Marc Newlin, a researcher with Bastille Networks who discovered the vulnerability.
#1212 Unpatched smart lighting flaws pose IoT risk to businesses
A host of web-based vulnerabilities in Osram Lightify smart lighting products remain unpatched, despite private notification to the vendor in late May and CVEs assigned to the issues in June by CERT/CC.

Researchers at Rapid7 today publicly disclosed some of the details on each of the nine vulnerabilities with temporary mitigation advice users can deploy until a fix is available.

Osram Lightify products are indoor and outdoor lighting products that can be managed over the web or through a mobile application. The products are used commercially and in homes, and the vulnerabilities are just the latest to affect connected devices.

Researcher Deral Heiland, principal security consultant at Rapid7, said that a weak default WPA2 pre-shared key on the Pro solution (CVE-2016-5056) is the most critical of the nine flaws. The keys use only eight characters from a limited set of numerals and letters, making it possible to capture a WPA2 authentication handshake and crack the PSK offline in fewer than six hours.
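The weak-default finding above comes down to keyspace: eight characters drawn from letters and digits is the smallest passphrase WPA2 allows, and once a handshake has been captured the PSK can be searched offline. The following added example (not Rapid7's or Osram's code) is a small PSK auditor a defender can run over their own device keys: it sizes the character pool actually used, reports the keyspace in bits, and estimates how long an exhaustive offline search of that pool would take at a guess rate the caller supplies. The guess rate and the sample PSKs are assumed, illustrative values, not figures from the advisory.

```python
import math
import string

# Standard character classes. The weak default described above draws only
# on digits and letters, so its pool is at most 62 symbols, and fewer if
# the generator used a single case.
DIGITS = set(string.digits)
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
SYMBOLS = set(string.punctuation)


def charset_size(psk: str) -> int:
    """Size of the smallest union of standard classes covering every
    character in psk. An attacker who knows the generator's alphabet
    only has to search this pool, so this is the pool we score."""
    chars = set(psk)
    size = 0
    if chars & DIGITS:
        size += len(DIGITS)
    if chars & LOWER:
        size += len(LOWER)
    if chars & UPPER:
        size += len(UPPER)
    if chars & SYMBOLS:
        size += len(SYMBOLS)
    other = chars - (DIGITS | LOWER | UPPER | SYMBOLS)
    if other:
        # Characters outside the ASCII classes (accented letters etc.):
        # credit only the distinct ones actually present.
        size += len(other)
    return size


def keyspace_bits(psk: str) -> float:
    """log2 of the number of candidate passphrases of this length over this pool."""
    return len(psk) * math.log2(charset_size(psk))


def exhaustive_search_hours(psk: str, guesses_per_second: float) -> float:
    """Hours to try the whole pool at a caller-supplied guess rate. The rate
    is an assumption; offline WPA2 rates depend on the attacker's hardware."""
    return charset_size(psk) ** len(psk) / guesses_per_second / 3600


def audit_psk(psk: str, min_bits: float = 80.0) -> dict:
    """Score a PSK against a minimum-keyspace policy. WPA2 accepts 8-63
    character passphrases, so 8 letters/digits is the absolute floor,
    which is exactly the weak default class the advisory describes."""
    if not 8 <= len(psk) <= 63:
        raise ValueError("WPA2 passphrases must be 8-63 characters")
    bits = keyspace_bits(psk)
    return {
        "length": len(psk),
        "pool": charset_size(psk),
        "bits": round(bits, 1),
        "weak": bits < min_bits,
    }


if __name__ == "__main__":
    # Constructed sample values, not real device keys.
    for sample in ("a7k2m9x4", "Tr0ub4dor&3-lamp-orbit-fence"):
        report = audit_psk(sample)
        hours = exhaustive_search_hours(sample, guesses_per_second=1.3e8)
        print(sample, report, f"{hours:.1f} h at 1.3e8 guesses/s")
```

The 80-bit policy floor is a common choice for keys that must survive an offline attack; the point the audit makes is that an 8-character alphanumeric key sits near 41 bits regardless of how random the generator was, so rotating such defaults to long random passphrases matters more than any per-device fix.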
#1211 Amazon Silk browser ignored SSL searches, failing to protect your privacy
Amazon's Silk internet browser contained a serious bug which not only ignored SSL security standards in Google searches but prevented redirection to the secure version of the search engine.

The Google Chrome-based Silk browser, loaded with Amazon Kindle tablets, was set up without Secure Sockets Layer (SSL) technology -- which encrypts communication between servers and web browsers -- and also prevented automatic redirections to Google's SSL version of the tech giant's search engine.

This security problem left user connections unencrypted and potentially open to man-in-the-middle (MitM) attacks and snooping.
#1210 Microsoft Authenticator – coming August 15th! Supports AzureAD & Microsoft acct!
"On August 15th, we will start releasing the new “Microsoft Authenticator” apps in all mobile app stores. This new app combines the best parts of our previous authenticator apps into a new app which works with both Microsoft accounts and Azure AD accounts.

As many of you know, we’ve had separate authenticator apps for Microsoft account and Azure AD for quite a while – the Azure Authenticator for enterprise customers and the Microsoft account app for consumers. With the new Microsoft Authenticator, we’ve combined the best of both into a single app that supports enterprise and consumer scenarios."
#1209 In-the-wild Ransomware Protection Comparative Analysis 2016 Q3 (PDF)
“Ransomware is a Cryptovirology attack carried out using covertly installed malware that encrypts the victim's files and then requests a ransom payment in return for the decryption key that is needed to recover the encrypted files. Thus, ransomware is an access-denial type of attack that prevents legitimate users from accessing files since it is intractable to decrypt the files without the decryption key”.

Before ransomware was trendy among cyber-criminals, a malware infection was not a high priority for most users. Financial malware could be defeated via fraud detection, spammed Facebook walls were cleaned, and life could continue uninterrupted. Sometimes, the presence of the malware was not even noticed for months. But this has changed since ransomware became prevalent. The use of crypto-currencies like Bitcoin made it easy to cash out quickly. And because the malware has to only run for some minutes on the victim’s computer, most reactive protections failed quickly, and left the users unprotected against these cyber criminals. Multiple generic ransomware protections emerged to solve this issue.

Zemana Ltd. commissioned MRG Effitas to conduct a comparative analysis of its Zemana AntiMalware product, and other prevalent generic ransomware tools.
#1208 Windows UAC bypass leaves systems open to malicious DLLs
Researchers have crafted a stealthy new way of bypassing Windows User Account Control (UAC) that opens the door to attacks on targeted systems. According to researchers, the bypass technique can fly under the radar of security solutions that monitor for this type of circumvention.

The UAC bypass technique works on Windows 10 systems, and as opposed to a number of other UAC bypass techniques, this one does not raise red flags because it doesn’t rely on a privileged file copy or code injection, according to Matt Graeber and Matt Nelson, who found the workaround and outlined it in a technical breakdown on the enigma0x3 website.
#1207 O2 customer data sold on dark net
O2 customer data is being sold by criminals on the dark net, the Victoria Derbyshire programme has learned.

The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts.

When the login details matched, the hackers could access O2 customer data in a process known as "credential stuffing".

O2 says it has reported the case to law enforcement, and is helping inquiries.

It is highly likely that this technique will have been used to log onto other companies' accounts too.
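Credential stuffing, as described above, looks different from ordinary failed logins: one source replays leaked username/password pairs across many distinct accounts in a short burst, and the handful that succeed are the accounts that reused their password elsewhere. The following added example (not O2's or any vendor's code) runs that detection over constructed authentication log lines: it flags any source IP that tries at least a threshold number of distinct accounts inside a sliding window and lists the accounts it got into, which is the list a service would force through password resets. The log format, field names, IPs and usernames are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (reserved documentation IPs, made-up users).
# One source cycles through many different accounts; the other is a normal user
# mistyping their own password once.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2016-07-26T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2016-07-26T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2016-07-26T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2016-07-26T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2016-07-26T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2016-07-26T10:00:06Z ip=203.0.113.7 user=grace result=FAIL
2016-07-26T10:00:07Z ip=203.0.113.7 user=heidi result=SUCCESS
2016-07-26T10:05:00Z ip=198.51.100.9 user=alice result=FAIL
2016-07-26T10:05:30Z ip=198.51.100.9 user=alice result=SUCCESS
"""

# Assumed line format for this example: "<ISO timestamp> ip=<addr> user=<name> result=<SUCCESS|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text: str) -> list:
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "SUCCESS",
        })
    return events


def detect_stuffing(events: list, window=timedelta(minutes=5), min_users: int = 5) -> dict:
    """Flag source IPs that attempt >= min_users distinct accounts within any
    `window`. A single user retrying their own password never trips this,
    because the signal is breadth across accounts, not failure count."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        end = 0
        for start in range(len(evs)):
            # Advance the window's right edge while it stays inside `window`.
            while end < len(evs) and evs[end]["ts"] - evs[start]["ts"] <= window:
                end += 1
            chunk = evs[start:end]
            users = {e["user"] for e in chunk}
            if len(users) >= min_users:
                alerts[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "successes": sum(e["ok"] for e in chunk),
                    # Accounts the replayed credentials actually opened.
                    "compromised": sorted(e["user"] for e in chunk if e["ok"]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Keying the rule on distinct accounts per source rather than on failures is what separates stuffing from a locked-out user, and it also catches a low-failure run where most of the leaked pairs still work; in production the same logic would be spread across sources by rotating the source dimension to an ASN or a device fingerprint, since stuffing tools spread attempts over many IPs.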
#1206 Facebook admits blocking WikiLeaks’ DNC email links, but won’t say why
Facebook has acknowledged it blocked links to WikiLeaks’ DNC email dump, though (again) hasn’t explained why.

On Twitter, WikiLeaks noted that there was a workaround for posting links.
#1205 New evidence suggests DNC hackers penetrated deeper than previously thought
The suspected hacking of a Democratic National Committee consultant's personal Yahoo Mail account provides new evidence that state-sponsored attackers penetrated deeper than previously thought into the private communications of the political machine attempting to defeat Republican nominee Donald Trump.

According to an article published Monday by Yahoo News, the suspicion was raised shortly after DNC consultant Alexandra Chalupa started preparing opposition research on Trump Campaign Chairman Paul Manafort. Upon logging in to her Yahoo Mail account, she received a pop-up notification warning that members of Yahoo's security team "strongly suspect that your account has been the target of state-sponsored actors." After Chalupa started digging into Manafort's political and business dealings in Ukraine and Russia, the warnings had become a "daily occurrence," Yahoo News reported, citing a May 3 e-mail sent to a DNC communications director.
#1204 NIST prepares to ban SMS-based two-factor authentication
The US National Institute of Standards and Technology (NIST) has released the latest draft version of the Digital Authentication Guideline that contains language hinting at a future ban of SMS-based Two-Factor Authentication (2FA).

According to the latest DAG draft version, NIST officials are discouraging companies from using SMS-based authentication, even saying that SMS-based 2FA might be considered insecure in future versions of the guideline. The exact paragraph in the NIST DAG draft is:

“If the out of band verification is to be made using a SMS message on a public mobile telephone network, the verifier SHALL verify that the pre-registered telephone number being used is actually associated with a mobile network and not with a VoIP (or other software-based) service. It then sends the SMS message to the pre-registered telephone number. Changing the pre-registered telephone number SHALL NOT be possible without two-factor authentication at the time of the change. OOB using SMS is deprecated, and will no longer be allowed in future releases of this guidance.”
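The quoted paragraph reads as three requirements on the verifier: only a number on a mobile network may be pre-registered (not a VoIP or other software-based service), the code goes to that pre-registered number, and the number cannot be changed without a second factor being presented at the time of the change. The following added example (not NIST's, and not any real SMS gateway's code) is a minimal verifier that enforces those clauses. The number-type lookup table stands in for a carrier query and uses reserved 555 numbers; the outbox list stands in for the SMS gateway. Both are constructed for the example, and the draft's own deprecation note means this is a stop-gap for existing SMS deployments rather than a design to build new ones on.

```python
import hmac
import secrets
import time

# Constructed stand-in for a number-type lookup (a carrier/HLR query in a real
# deployment). Reserved 555 numbers, not real subscribers.
NUMBER_TYPE = {
    "+15555550100": "mobile",
    "+15555550101": "mobile",
    "+15555550199": "voip",
    "+15555550177": "landline",
}


class SmsOutOfBandVerifier:
    """Minimal SMS out-of-band verifier enforcing the quoted SHALL clauses:
    only mobile-network numbers may be registered, codes go only to the
    pre-registered number, and changing that number needs a second factor."""

    def __init__(self, number_type_lookup=NUMBER_TYPE, code_ttl_seconds=300):
        self.lookup = number_type_lookup
        self.ttl = code_ttl_seconds
        self.registered = {}   # user -> pre-registered telephone number
        self.pending = {}      # user -> (code, expiry time)
        self.outbox = []       # stands in for the SMS gateway: (number, code)

    def register_number(self, user: str, number: str) -> None:
        """Reject anything not classified as a mobile-network number."""
        ntype = self.lookup.get(number, "unknown")
        if ntype != "mobile":
            raise ValueError(f"{number} is classified as {ntype}; only mobile-network numbers are accepted")
        self.registered[user] = number

    def send_code(self, user: str) -> None:
        """Generate a single-use, time-limited code and send it to the
        pre-registered number (here: append it to the outbox)."""
        number = self.registered[user]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = (code, time.time() + self.ttl)
        self.outbox.append((number, code))

    def verify_code(self, user: str, code: str) -> bool:
        """Constant-time comparison; any attempt consumes the pending code,
        so a code is good for exactly one try and cannot be guessed at leisure."""
        entry = self.pending.pop(user, None)
        if entry is None:
            return False
        expected, expiry = entry
        if time.time() > expiry:
            return False
        return hmac.compare_digest(expected, code)

    def change_number(self, user: str, new_number: str, code: str) -> None:
        """Changing the pre-registered number requires a second factor at the
        time of the change; here that is a fresh code delivered to the number
        currently on file. The new number is then subject to the same checks."""
        if not self.verify_code(user, code):
            raise PermissionError("a valid second factor is required to change the registered number")
        self.register_number(user, new_number)


if __name__ == "__main__":
    v = SmsOutOfBandVerifier()
    v.register_number("alice", "+15555550100")
    v.send_code("alice")
    number, code = v.outbox[-1]
    print("code", code, "delivered to", number, "->", v.verify_code("alice", code))
```

Binding the number change to a code sent to the old number is the simplest way to satisfy the clause; an implementation with other authenticators on file would accept any of them as the second factor, and a real deployment would additionally rate-limit `send_code` per user.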