Security Alerts & News
by Tymoteusz A. Góral

History
#1309 Researchers find serious flaws in iMessage encryption
“Our analysis shows that iMessage has significant vulnerabilities that can be exploited by a sophisticated attacker. In particular, we outline a novel chosen ciphertext attack on Huffman compressed data, which allows retrospective decryption of some iMessage payloads in less than 2^18 queries. The practical implication of these attacks is that any party who gains access to iMessage ciphertexts may potentially decrypt them remotely and after the fact,” the researchers wrote in a paper delivered at the USENIX Security Symposium last week.
#1308 Cloud hacking trick allows undetectable changes to VM memory
Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud.

The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS) in a paper titled Flip Feng Shui: Hammering a Needle in the Software Stack. They explained hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed.

The de-duplication attack enables third parties to not only view and leak data, but also to modify it – installing malware or allowing unauthorised logins.
#1307 One in five vehicle vulnerabilities are ‘Hair on Fire’ critical
In-brief: One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.

One of every five software vulnerabilities discovered in vehicles in the last three years are rated “critical” and are unlikely to be resolved through after the fact security fixes, according to an analysis by the firm IOActive.

“These are the high priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” the firm said in its report, which it released last week. The report was based on an analysis of more than 150 vehicle security flaws identified over three years by IOActive or publicly disclosed by way of third-party firms.
#1306 New attacks can monitor keystrokes, steal sensitive data from Android phones
Researchers from an Austrian university have developed techniques that allow them to perform cache attacks on non-rooted Android phones that can monitor the keystrokes, screen taps, and even observe code execution inside the ARM processor’s TrustZone secure execution environment.

The attacks the team developed are complex and rely on a number of individual building blocks. The techniques are similar to some used against Intel x86 processor-based systems, but the team from Graz University of Technology in Austria shows that they can be used on ARM-based systems, such as Android phones, as well.
#1305 Disable WPAD now or have your accounts and private data compromised
The Web Proxy Auto-Discovery Protocol (WPAD), enabled by default on Windows and supported by other operating systems, can expose computer users' online accounts, web searches, and other private data, security researchers warn.

Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections, said Alex Chapman and Paul Stone, researchers with U.K.-based Context Information Security, during the DEF CON security conference this week.
#1304 LinkedIn suffers huge bot attack that steals members’ personal data
Data thieves used a massive “botnet” against professional networking site LinkedIn and stole member’s personal information, a new lawsuit reveals.

The Mountain View firm filed the federal suit this week in an attempt to uncover the perpetrators.

“LinkedIn members populate their profiles with a wide range of information concerning their professional lives, including summaries (narratives about themselves), job histories, skills, interests, educational background, professional awards, photographs and other information,” said the company’s complaint, filed in Northern California U.S. District Court.

“During periods of time since December 2015, and to this day, unknown persons and/or entities employing various automated software programs (often referred to as ‘bots’) have extracted and copied data from many LinkedIn pages.”
#1303 DDoSCoin: New crypto-currency rewards users for participating in DDoS attacks
In the most innovative, weirdest, and stupidest idea of the month, two researchers from the University of Colorado Boulder and the University of Michigan have created a crypto-currency that rewards people for participating in DDoS attacks.

Called DDoSCoin, this digital currency rewards a person (called miner) for using their computer as part of a DDoS attack.
#1302 EU struggles to determine growing cost of cyberattacks
After painstakingly calculating the true cost of cybercrime in the European Union researchers conclude it’s nearly impossible to come up with hard numbers.

In a study released this week by the European Union Agency For Network And Information Security (ENISA) researchers assert that it’s vitally important to identify the magnitude of cybercrime against the European Union. But despite an abundance of studies addressing the economic impact of cybercrime, “the measurement of the real impact of incidents in terms of the costs needed for full recovery proved to be quite a challenging task.”
#1301 Visa alert and update on the Oracle breach
Credit card industry giant Visa on Friday issued a security alert warning companies using point-of-sale devices made by Oracle‘s MICROS retail unit to double-check the machines for malicious software or unusual network activity, and to change passwords on the devices. Visa also published a list of Internet addresses that may have been involved in the Oracle breach and are thought to be closely tied to an Eastern European organized cybercrime gang.
#1300 Why moving piece by piece to the cloud will see businesses succeed more
The conversation around whether it's a good idea for a business to migrate their on-premises legacy infrastructure into the cloud is no longer the focus, according to Bulletproof CEO Anthony Woodward. Rather, many C-level executives are now looking at what are the best ways to use the so-called cornerstone tool to transform their business.

Woodward believes there are two key drivers behind the increasing adoption of Infrastructure-as-a-Service (IaaS). The first is that businesses believe cloud will give them the competitive advantage to move faster, and the second motivator is that businesses are being required to transform for fear they may be outmanoeuvred by new entrants to the market.
#1299 Google waves goodbye to Linux for new IoT OS Fuchsia - coming soon to Raspberry Pi
Google has started building a new open-source operating system that doesn't rely on the Linux kernel.

While Android and Chrome OS have Linux at their heart, Google's new OS, dubbed Fuchsia, opts for a different kernel to create a lightweight but capable OS, suitable for running all Internet of Things devices, from embedded systems to higher-powered phones and PCs.

Instead of the Linux kernel, Google's new OS uses Magenta, which itself is based on LittleKernel, a rival to commercial OSes for embedded systems such as FreeRTOS and ThreadX.

According to Android Police, Magenta can target smartphones and PCs thanks to user-mode support and a capability-based security model not unlike Android 6.0's permissions framework.
#1298 Linux bug leaves 1.4 billion Android users vulnerable to hijacking attacks
An estimated 80 percent of Android phones contain a recently discovered vulnerability that allows attackers to terminate connections and, if the connections aren't encrypted, inject malicious code or content into the parties' communications, researchers from mobile security firm Lookout said Monday.

As Ars reported last Wednesday, the flaw first appeared in version 3.6 of the Linux operating system kernel, which was introduced in 2012. In a blog post published Monday, Lookout researchers said that the Linux flaw appears to have been introduced into Android version 4.4 (aka KitKat) and remains present in all future versions, including the latest developer preview of Android Nougat. That tally is based on the Android install base as reported by statistics provider Statista, and it would mean that about 1.4 billion Android devices, or about 80 percent of users, are vulnerable.
#1297 Shark: New Ransomware-as-a-Service threat takes bite of proceeds
A new type of ransomware known as Shark (Trojan.Ransomcrypt.BG) is being distributed on the cyberunderground. The malware’s authors use the “Ransomware-as-a-Service” (RaaS) business model, freely distributing the ransomware builder to aspiring attackers, but requiring a 20 percent cut of any ransom payments it generates.

Shark is distributed through a professional looking website that features information about the ransomware and instructions on how to download and configure it. Its authors boast that it is fully customizable, uses a fast encryption algorithm, supports multiple languages, and is “undetectable” by antivirus software.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12