Security Alerts & News
by Tymoteusz A. Góral

#1270 Can you trust that invoice? Nigerian 419 scammers ply new wire-wire trade via compromised email
Former Nigerian 419 scammers are turning to more sophisticated and bigger-paying jobs that start with compromising the email accounts of staff responsible for selling, and then waiting for a juicy request for a quote.

According to Dell SecureWorks, these new-generation Nigerian scammers are known as 'waya-waya' or wire-wire, and conduct wire fraud by compromising a supplier's email.

The FBI warned earlier this year that businesses have been exposed to an estimated $3.1bn in potential losses due to so-called business email compromise (BEC) since 2013. These crimes usually take the form of an attacker spoofing the email account of a CEO and then ordering a subordinate to transfer funds to a supposed supplier's account.

However, SecureWorks says its probe into one Nigerian operation uncovered a far more "devious" attack than spoofing the boss's email account. Instead, the attackers compromise a seller's email account and place themselves between the buyer and seller during a transaction.
#1269 Italian malware is spying on Chinese Android users: But why?
An Android remote access Trojan (RAT) of suspected Italian origins is spying on specially selected users in China and Japan and uploading audio and images to a remote command and control server.

Discovered by cybersecurity researchers at Bitdefender, the RAT specifically targets rooted Android devices based on their IMEI (International Mobile Station Equipment Identity) and has the ability to take screenshots, listen to phone calls and potentially even take full control of the device. All of these put the user at risk of becoming a further victim of hacking and fraud.

Researchers note that it is usually only advanced persistent threats that exhibit this kind of selectivity when choosing victims to infect, suggesting that this Android RAT could be part of a wider campaign that has yet to be uncovered.
#1268 Microsoft cranks up encryption in .Net framework
Microsoft has released .Net Framework 4.6.2, tightening security in multiple areas, including the BCL (Base Class Library). The new version also makes improvements to the SQL client, Windows Communication Foundation, the CLR (Common Language Runtime), and the ASP.Net web framework.

The security focus in the BCL impacts PKI capabilities, and X.509 certificates now support the FIPS 186-3 digital signature algorithm. "This support enables X.509 certificates with keys that exceed 1024-bit," Microsoft's Stacey Haffner said. "It also enables computing signatures with the SHA-2 family of hash algorithms (SHA256, SHA384, and SHA512)."
#1267 Fake Prisma apps found on Google Play
Before the release of the Android version of Prisma, a popular photo transformation app, fake Prisma apps flooded the Google Play Store.

ESET researchers discovered fake Prisma apps of different types, including several dangerous trojan downloaders. The Google Play security team removed them from the official Android store after ESET reported them. Before that point, the Prisma copycats had reached over 1.5 million downloads.

Prisma is a unique photo editor released by Prisma labs, Inc. First released for iOS, it received excellent ratings among users on iTunes, the Apple app store. Android users were eager for it and many couldn’t wait to see it on Google Play where Prisma’s release was scheduled for July 24th, 2016.

As with many other popular apps on Google Play in the past, fake versions flooded the store before the official release date, riding the wave of user impatience.
#1266 This ATM hack could allow thieves to make off with thousands
A security vulnerability in the newest generation of ATMs can be exploited to make them distribute tens of thousands in cash, despite the chip and PIN systems designed to prevent hackers from carrying out exactly this sort of activity.

Speaking at the Black Hat conference in Las Vegas, Weston Hecker, a senior security consultant at cybersecurity firm Rapid7, demonstrated how the bypass could allow criminals to make off with up to $50,000 from a machine in under 15 minutes.

Researchers have previously warned our old ATMs are an easy target for cybercriminals, but this new warning appears to demonstrate that even the latest machines are vulnerable.

The technique, achieved with a $2,000 kit, sees criminals alter a point-of-sale machine by adding a device which is placed in the gap between where the ATM user's card chip will be and the roof of the area where the card is inserted.
#1265 BlackHat2016: badWPAD – The doubtful legacy of the WPAD protocol
WPAD is a protocol that allows computers to automatically discover Web proxy configurations and is primarily used in networks where clients are only allowed to communicate with the outside world through a proxy, which is the case in most enterprises. To easily configure proxy settings for the different types of applications that require an internet connection, WPAD, also known as "autoproxy", was first implemented and promoted by Netscape® in 1996 for Netscape Navigator® 2.0. It can be used by any system that supports proxy auto-discovery, including most browsers, operating systems and some applications that do not take their proxy settings from the operating system.

Warnings about its security issues have been around for many years; the risks have long been recognized in the security community, but for some reason have been left largely ignored. In fact it is relatively easy to exploit WPAD. In basic terms, the security issue with the WPAD protocol is that whenever a client sends out a request to discover its proxy, anyone else on the network can create a service that answers that request and thereby impersonate the real web proxy (a Man-in-the-Middle attack).
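As an added defender-side example (not code from the original article or from the BlackHat talk), the following Python script scans constructed DNS-response log lines for WPAD name lookups that were answered by a host outside an assumed allowlist, which is exactly how a rogue service answering the discovery request would show up in resolver logs. The log format, the addresses and the allowlist are all assumptions.

```python
import re

# Constructed sample DNS-response log lines (hypothetical format:
# "<timestamp> <client-ip> <queried-name> <record-type> <answer>"),
# not taken from the original page.
SAMPLE_DNS_LOG = """\
2016-08-05T09:00:01Z 10.0.5.21 wpad.corp.example A 10.0.0.10
2016-08-05T09:00:07Z 10.0.5.22 wpad.corp.example A 10.0.0.10
2016-08-05T09:00:09Z 10.0.5.23 wpad A 10.0.5.200
2016-08-05T09:00:12Z 10.0.5.24 intranet.corp.example A 10.0.0.15
2016-08-05T09:00:15Z 10.0.5.25 wpad.corp.example A 10.0.5.200
"""

# Assumed allowlist: the address(es) the legitimate WPAD/PAC host resolves to.
LEGIT_WPAD_HOSTS = {"10.0.0.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<answer>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wpad_name(qname):
    """True for the bare 'wpad' label or any name whose first label is 'wpad'."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[0] == "wpad"


def find_rogue_wpad_answers(log_text, legit_hosts):
    """Return (client, qname, answer) for every WPAD lookup answered by an
    address outside the allowlist. A client that trusts such an answer fetches
    its proxy configuration from whoever answered, i.e. the impersonation
    described above."""
    rogue = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "A" or not is_wpad_name(rec["qname"]):
            continue
        if rec["answer"] not in legit_hosts:
            rogue.append((rec["client"], rec["qname"], rec["answer"]))
    return rogue


if __name__ == "__main__":
    for client, qname, answer in find_rogue_wpad_answers(SAMPLE_DNS_LOG, LEGIT_WPAD_HOSTS):
        print(f"ALERT client={client} asked for {qname}, answered by unexpected host {answer}")
```

The same allowlist check applies to whatever channel hands out the WPAD location in your environment; the script only covers DNS-style records.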
#1264 HEIST: HTTP encrypted Information can be stolen through TCP-windows (PDF)
Over the last few years, a worrying number of attacks against SSL/TLS and other secure channels have been discovered. Fortunately, at least from a defender's perspective, these attacks require an adversary capable of observing or manipulating network traffic. This prevented a wide and easy exploitation of these vulnerabilities. In contrast, we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic.

HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. In particular, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites.

Finally, we explore the reach and feasibility of exploiting HEIST. We show that attacks can be performed on virtually every web service, even when HTTP/2 is used. In fact, HTTP/2 allows for more damaging attack techniques, further increasing the impact of HEIST. In short, HEIST is a set of novel attack techniques that brings network-level attacks to the browser, posing an imminent threat to our online security and privacy.
#1263 Lack of encryption leads to large scale cookie exposure
LAS VEGAS—There’s been an abundance of attacks against crypto over the last few years but a much simpler, scarier threat, cookie hijacking, remains significantly overlooked in the eyes of researchers.

Two academics, Suphannee Sivakorn, a PhD student at Columbia University, and Jason Polakis, an assistant professor at the University of Illinois, discussed just how woefully inadequate the encryption protecting some services is in a talk at Black Hat on Thursday.

The pair studied 25 popular websites, from search engines such as Google, Yahoo, and Bing, to news sites such as the Huffington Post, MSN, and the New York Times. Fifteen of the sites supported HTTPS but not universally. Many of them offer personalization over HTTP, something that can lead to complicated interoperability and flawed access control, according to Sivakorn and Polakis.
#1262 Are smart city transport systems vulnerable to hackers?
Cybersecurity experts say we won't have to imagine for much longer. It's only a matter of time before hackers become interested in smart city transportation clouds.

Taking control of parking, traffic lights, signage, street lighting, automated bus stops and many other systems could be appealing to bad guys from many walks of life including political activists and terrorists.

Moscow has already experienced its first major transportation hack, albeit to make a serious point about security.

Denis Legezo, a researcher with Kaspersky Lab, was able to manipulate traffic sensors and capture data simply by looking up a hardware user manual that was readily available online from the sensor manufacturer.

A similar story comes from Cesar Cerrudo, the chief technology officer at security company IOActive Labs, who found vulnerabilities in systems used in the US, UK, France, Australia and China.

There's a scene in Die Hard 4 where hackers create chaos by manipulating traffic signals with a few keystrokes. It's not that easy, Mr Cerrudo wrote in a blog in 2014.

Even so, he discovered that it would have been possible to create havoc using cheap computer hardware.
#1261 Pokemon GO DDoS attacks postponed as PoodleCorp botnet suffers security breach
The hacking crew that promised to launch DDoS attacks on the Pokemon GO servers on August 1 suffered a minor setback yesterday, after someone hacked their site, dumped the database, and shared it with the data breach index service LeakedSource.

The hacking crew goes by the moniker PoodleCorp, a relatively new unit on the cyber-crime scene which has made a name for itself by defacing popular YouTube channels.

The group had already launched a successful DDoS attack on Pokemon GO servers on July 16 and annoyed much of the Pokemon GO fanbase.

Seeing the huge media attention they received from that attack, two days later, on July 18, the group promised to launch another DDoS attack on Pokemon GO, much bigger than the first one, but on August 1.

August 1 came and went, and Pokemon GO players didn't report anything. However, today PoodleCorp's name surfaced online again after LeakedSource announced it had added details from the PoodleCorp.org domain to its massive database of breached sites.