Security Alerts & News
by Tymoteusz A. Góral

History
#1254 New attack steals SSNs, e-mail addresses, and more from HTTPS pages
The HTTPS cryptographic scheme protecting millions of websites is vulnerable to a newly revived attack that exposes encrypted e-mail addresses, social security numbers, and other sensitive data even when attackers don't have the ability to monitor a targeted end user's Internet connection.

The exploit is notable because it doesn't require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit. As its name suggests, the HEIST technique—short for HTTP Encrypted Information can be Stolen Through TCP-Windows—works by exploiting the way HTTPS responses are delivered over the transmission control protocol, one of the Internet's most basic building blocks.
#1253 Hacker compromises Fosshub to distribute MBR-hijacking malware
A hacking crew that goes by the name of PeggleCrew has compromised Fosshub and embedded malware inside the files hosted on the website and offered for download.

According to Cult of Peggle, one of the group's four members, the team breached the website and embedded a malware payload inside some of the files hosted on Fosshub, a downloads portal, in the same category as Softpedia.

"In short, a network service with no authentication was exposed to the internet," the hacker told Softpedia in an email. "We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email."
#1252 Bitcoin value falls off cliff after $77M stolen in Hong Kong exchange hack
The value of bitcoins plummeted 20 percent after almost 120,000 units of the digital currency were stolen from Bitfinex, a major Bitcoin exchange.

The Hong Kong-based exchange said it had discovered a security breach late Tuesday, and has suspended all transactions.

“We are investigating the breach to determine what happened, but we know that some of our users have had their Bitcoins stolen. We are undertaking a review to determine which users have been affected by the breach. While we conduct this initial investigation and secure our environment, bitfinex.com will be taken down and the maintenance page will be left up,” said the company on its website.
#1251 SMiShing and the rise of mobile banking attacks
Brazilian cybercriminals are clearly setting their sights on users of mobile banking, with a huge rise in incidents registered in the country over the last two years. In order to carry out these attacks they are using SMiShing (phishing via SMS) and registering new mobile phish domains created especially for this purpose.

In 2015, mobile banking usage in Brazil reached 11.2 billion transactions, an increase of 138% compared to the 4.7 billion transactions registered in 2014. Mobile banking is now the second most popular channel for accessing a bank account in the country – there are more than 33 million active accounts, according to the Brazilian Federation of Banks. Such numbers and the possibility of cheaply sending SMS messages are very attractive to cybercriminals, who are investing their time and effort to create new attacks.
#1250 FBI's hacking tool found to have compromised dozens of computers in Austria
The FBI is already having problems here at home with the hacking tool it deployed during its dark web child porn investigation. A few judges have ruled that the warrant used to deploy the Network Investigative Technique (NIT) was invalid because the FBI's "search" of computers around the United States violated Rule 41(b)'s jurisdictional limits.

Now, we'll get to see how this stacks up against international law. It's already common knowledge that the FBI obtained user information from computers around the world during its two weeks operating as the site administrator for the seized Playpen server. More information is now coming to light, thanks (inadvertently) to a foreign government's inquiries into domestic anti-child porn efforts.
#1249 Google patches dozens of critical Qualcomm components flaws
Google today patched more than three-dozen critical vulnerabilities in Qualcomm components embedded in the Android operating system, all of them allowing attackers to gain a foothold on devices to launch further attacks.

The Qualcomm-related patches are among dozens in the monthly Android Security Bulletin, which marks its first anniversary this week after its maiden voyage a year ago during the Black Hat USA 2015 hacker conference. This year’s Black Hat begins tomorrow in Las Vegas.
#1248 Hackers hijack a big rig truck’s accelerator and brakes
When cybersecurity researchers showed in recent years that they could hack a Chevy Impala or a Jeep Cherokee to disable the vehicles’ brakes or hijack their steering, the results were a disturbing wakeup call to the consumer automotive industry. But industrial automakers are still due for a reminder that they, too, are selling vulnerable computer networks on wheels—ones with direct control of 33,000 pounds of high velocity metal and glass.

At the Usenix Workshop on Offensive Technologies conference next week, a group of University of Michigan researchers plan to present the findings of a disturbing set of tests on those industrial vehicles. By sending digital signals within the internal network of a big rig truck, the researchers were able to do everything from changing the readout of the truck’s instrument panel to triggering unintended acceleration to even disabling one form of semi-trailer’s brakes. And the researchers found that developing those attacks was actually easier than with consumer cars, thanks to a common communication standard in the internal networks of most industrial vehicles, from cement mixers to tractor trailers to school buses.
#1247 Data of 200 million Yahoo users pops up for sale on the Dark Web
A listing has been published today on TheRealDeal Dark Web marketplace, claiming to be offering data on over 200 million Yahoo users.

While Yahoo says it is currently investigating the breach, the listing has almost instant credibility since it's been put up for sale by the infamous Peace_of_Mind (Peace), the same hacker behind many other verified and proven breaches.

If the name still doesn't ring a bell, you should know that Peace previously sold data dumps from sites such as LinkedIn, MySpace, Tumblr, Fling.com, and VK.com. In total, this hacker sold the personal details of over 800 million users, and probably more.
#1246 Hackers break into Telegram, revealing 15 million users’ phone numbers
(Reuters) — Iranian hackers have compromised more than a dozen accounts on the Telegram instant messaging service and identified the phone numbers of 15 million Iranian users, the largest known breach of the encrypted communications system, cyber researchers told Reuters.

The attacks, which took place this year and have not been previously reported, jeopardized the communications of activists, journalists and other people in sensitive positions in Iran, where Telegram is used by some 20 million people, said independent cyber researcher Collin Anderson and Amnesty International technologist Claudio Guarnieri, who have been studying Iranian hacking groups for three years.
#1245 Cloud storage provider Backblaze really likes the reliability of the new 8TB drives
Cloud backup and storage service provider Backblaze recently posted its hard drive stats for Q2 2016, revealing hard drive failure data generated within the quarter spanning from April through June, 2016. The report is based on data drives, not boot drives, that are deployed across the company’s data centers in quantities of 45 or more.

According to the report, the company saw an annualized failure rate of 19.81 percent with the Seagate ST4000DX000 4TB drive in a quantity of 197 units working 18,428 days. The next in line was the WD WD40EFRX 4TB drive in a quantity of 46 units working 4,186 days. This model had an annualized failure rate of 8.72 percent for that quarter.
#1244 Bitfinex bitcoin exchange offline after potentially costly security breach
Cryptocurrency exchange platform Bitfinex has confirmed it has experienced a security breach, halting all trading, deposit, and withdrawal activities on Tuesday night.

A Reddit user claiming to be the director of Community and Product Development at Bitfinex has said the loss from the hack stands at 119,756 bitcoins -- currently the approximate equivalent of $65 million.