Security Alerts & News
by Tymoteusz A. Góral

History
#1243 Firefox 48 released with multi-process support, mandatory add-on signing
Mozilla will debut Firefox 48 today, and looking back over the history of Firefox, the upcoming release marks one of the most important updates the browser has ever received.

Firefox 48 will be the version where Mozilla starts migrating users to using multi-process threads (e10s, Electrolysis), ships its first Rust component, and where mandatory add-on signing is actively enforced in the main stable branch without a way to deactivate or go around the feature.
#1242 Users alerted after Disney forum is breached
Disney has been forced to notify users of its Playdom Forum that hackers have made off with sensitive personal information which could put their privacy and online security at risk.

The “unauthorized party” infiltrated the Disney servers on 9 and 12 July, acquiring usernames, email addresses, and passwords for playdomforums.com accounts as well as IP addresses, the firm said in a statement on Friday.
#1241 Black Hat conference updates app to address privacy and social engineering concern
Black Hat confirmed with Lookout an hour before we published our findings that they have taken measures to disable the social components found within the Black Hat USA 2016 conference app. This addresses the major privacy and social concerns brought to Black Hat by Lookout during the disclosure period. Users of the existing app do not need to do anything as the update is controlled by Black Hat and is pushed out automatically to the app.
#1240 Intrusive applications: 6 security issues to watch out for in hooking
For over a year our enSilo researchers have been looking into hooking engines and injection methods used by different vendors. It all started back in 2015 when we noticed injection issue in AVG but this was only the tip of the iceberg. A few months after that we noticed similar issues in McAfee and Kaspersky Anti-Virus. At that point we decided to extend our research and look into the security implications of hooking engines and injection techniques. The results were depressing.
#1239 The Jeep hackers are back to prove car hacking can get much worse
Almost exactly a year ago, Chrysler announced a recall for 1.4 million vehicles after a pair of hackers demonstrated to WIRED that they could remotely hijack a Jeep’s digital systems over the Internet. For Chrysler, the fix was embarrassing and costly. But now those two researchers have returned with work that asks Chrysler and the automotive industry to imagine an alternate reality, one where instead of reporting their research to the automaker so it could be fixed, they had kept working on it in secret—the way malicious hackers would have. In doing so, they’ve developed a new hack that offers a sobering lesson: It could have been—and still could be—much worse.

At the Black Hat security conference later this week, automotive cybersecurity researchers Charlie Miller and Chris Valasek will present a new arsenal of attacks against the same 2014 Jeep Cherokee they hacked in 2015. Last year, they remotely hacked into the car and paralyzed it on highway I-64—while I was driving in traffic. They were even able disable the car’s brakes at low speeds. By sending carefully crafted messages on the vehicle’s internal network known as a CAN bus, they’re now able to pull off even more dangerous, unprecedented tricks like causing unintended acceleration and slamming on the car’s brakes or turning the vehicle’s steering wheel at any speed. “Imagine last year if instead of cutting the transmission on the highway, we’d turned the wheel 180 degrees,” says Chris Valasek. I can imagine. But he spells it out anyway. “You wouldn’t be on the phone with us. You’d be dead.”
#1238 Ringleader of global network behind thousands of online scams arrested in Nigeria
RIVER STATE, Nigeria – The head of an international criminal network behind thousands of online frauds has been arrested in a joint operation by INTERPOL and the Nigerian Economic and Financial Crime Commission (EFCC).

The 40-year-old Nigerian national, known as ‘Mike’, is believed to be behind scams totalling more than USD 60 million involving hundreds of victims worldwide. In one case a target was conned into paying out USD 15.4 million.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12