Security Alerts & News
by Tymoteusz A. Góral

History
#1319 Google Chrome, Firefox address bar spoofing vulnerability
Google's security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers", and if the only reliable security indicator could be controlled by an attacker it could have adverse effects, for instance potentially tricking users into supplying sensitive information to a malicious website, since it could easily lead users to believe that the website they are visiting is legitimate because the address bar points to the correct website.
In my paper "Bypassing Browser Security Policies For Fun And Profit" I uncovered various address bar spoofing techniques as well as bugs affecting modern browsers. In this blog post I will discuss yet another "Address Bar Spoofing" vulnerability affecting Google Chrome's Omnibox. The Omnibox is a customized address bar API developed for a better user experience, with search suggestions, URL prediction, instant search and so on.
#1318 Sage data breach may impact hundreds of business customers
Sage Group has admitted to a data breach which may affect hundreds of UK business customers.

Over the weekend, the accounting software company revealed that the network compromise was caused by someone using an internal login without authorization.

The breach has hit UK customers, of which between 200 and 300 could be involved in the aftermath.

However, it is not yet known whether any information was leaked, how much, or whether the unauthorized access was just someone having a look around -- simply because they could.
#1317 Privacy lawsuit over Gmail will move forward
Thanks to a judge's order, Google must face another proposed class-action lawsuit over its scanning of Gmail. The issue is a lingering headache for the search giant, which has faced allegations for years now that scanning Gmail in order to create personalized ads violates US wiretapping laws.

In a 38-page order (PDF), US District Judge Lucy Koh rejected Google's argument that the scanning takes place within the "ordinary course of business."

"Not every practice that is routine or legitimate will fall within the scope of the 'ordinary course of business'," Judge Koh wrote.

Koh noted that while Google has to scan for other reasons, like virus and spam prevention, the company didn't have to scan for advertising purposes. She noted that in April 2014, Google "ceased intercepting, scanning, and analyzing, for advertising purposes, the contents of emails transmitted via Google Apps for Education."
#1316 Operation Ghoul: targeted attacks on industrial and engineering organizations
Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016. These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions. The attackers try to lure targets through spear phishing emails that include compressed executables. The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.

We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015. Noteworthy is that since the beginning of their activities, the attackers' motivations have apparently been financial, whether through the victims' banking accounts or through selling their intellectual property to interested parties. Most infiltrated victim organizations are considered SMBs (small to medium-sized businesses, 30-300 employees), and the utilization of commercial off-the-shelf malware makes attribution of the attacks more difficult.

In ancient Folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon. Today, the term is sometimes used to describe a greedy or materialistic individual.
#1315 $2.5 million-a-year ransomware-as-a-service ring uncovered
Researchers claim to have found the largest ransomware-as-a-service (RaaS) ring to date. The operation generates an estimated $2.5 million annually and targets computer users with a new variant of the notorious Cerber ransomware.

According to a research report published today by Check Point Software Technologies and IntSights, the RaaS ring consists of 161 active campaigns with eight new campaigns launched daily. For the month of July, it's estimated that criminals earned close to $200,000 from victims paying approximately 1 bitcoin ($590) to decrypt files locked by the Cerber ransomware.

“These groups have become increasingly organized and shrewd about how to maintain infections, grow their enterprise, and evade detection,” said Maya Horowitz, threat intelligence group manager with Check Point.
#1314 FalseCONNECT vulnerability affects software from Apple, Microsoft, Oracle and more
Researcher Jerry Decime has revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products.

According to Decime, there is a flaw in how applications from several vendors handle HTTP/1.0 407 Proxy Authentication Required responses to their HTTP CONNECT requests.

This flaw manifests itself only in network environments where users utilize proxy connections to get online. This type of setup is often used in enterprise networks where companies deploy powerful firewalls.

Decime explains that an attacker that has a foothold in a compromised network and has the ability to listen to proxy traffic can sniff for HTTP CONNECT requests sent to the local proxy.
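The exchange at the centre of this item is a plaintext CONNECT request answered by a 407 before any TLS tunnel exists, so whoever answers the CONNECT controls what the client sees at that moment. The script below is an added example (mine, not from Decime's write-up or from any affected vendor) that pairs a sniffed CONNECT request with its reply and flags a 407 that a client should treat as hostile: one that comes from an address other than the configured proxy, one that carries a body (there is no tunnel yet, so that body is attacker-controllable plaintext and must never be rendered), or one that challenges with Basic (credentials would go to the responder in cleartext). The proxy address and the two sample exchanges are constructed for the example; the Basic check is my own addition, not something the report above describes.

```python
"""Audit a CONNECT request and its reply for a suspicious 407.

Added example for the FalseCONNECT item; the sample exchanges and
the trusted proxy address are constructed, not taken from the report.
"""

# Assumed enterprise proxy; a real check would read this from the
# client's proxy configuration (PAC file, system settings, etc.).
TRUSTED_PROXY = "10.0.0.2:3128"


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.x message into (start line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def audit_connect_exchange(responder: str, request: bytes, response: bytes) -> list:
    """Return a list of findings for a CONNECT request answered with 407.

    responder is the address that sent the response, as seen on the wire.
    Non-CONNECT requests and non-407 replies produce no findings.
    """
    findings = []
    req_line, _, _ = parse_http_message(request)
    if not req_line.startswith("CONNECT "):
        return findings

    status_line, headers, body = parse_http_message(response)
    parts = status_line.split(" ")
    if len(parts) < 2 or parts[1] != "407":
        return findings

    # A 407 to CONNECT from anything but the configured proxy is an
    # on-path party answering before the tunnel exists.
    if responder != TRUSTED_PROXY:
        findings.append(
            "407 to CONNECT came from %s, not the configured proxy %s"
            % (responder, TRUSTED_PROXY))

    # The TLS tunnel has not been established, so any body here is
    # plaintext chosen by the responder and must not be rendered.
    if body.strip():
        findings.append(
            "407 to CONNECT carries a %d-byte body; plaintext before the "
            "tunnel is up must not be rendered or acted on" % len(body))

    # My own extra check: a Basic challenge would make the client hand
    # its proxy credentials, in cleartext, to whoever sent this reply.
    scheme = headers.get("proxy-authenticate", "").split(" ")[0].lower()
    if scheme == "basic":
        findings.append(
            "Proxy-Authenticate: Basic would send proxy credentials in "
            "cleartext to the sender of this 407")
    return findings


# Constructed sample traffic (not captured from any real network).
CONNECT_REQ = (b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
               b"Host: mail.example.com:443\r\n\r\n")
PLAIN_GET = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"

LEGIT_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Negotiate\r\n"
             b"Content-Length: 0\r\n\r\n")
ROGUE_407 = (b"HTTP/1.0 407 Proxy Authentication Required\r\n"
             b"Proxy-Authenticate: Basic realm=\"corp-proxy\"\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<html><body>Proxy login required</body></html>")


if __name__ == "__main__":
    print("legit:", audit_connect_exchange(TRUSTED_PROXY, CONNECT_REQ, LEGIT_407))
    for f in audit_connect_exchange("10.0.0.77:3128", CONNECT_REQ, ROGUE_407):
        print("rogue:", f)
```

Run against the two constructed replies, the legitimate Negotiate challenge from the configured proxy produces no findings, while the rogue reply trips all three checks. On a real network the responder address alone is not conclusive, since an on-path attacker can spoof the proxy's source address; the body and challenge-scheme checks are the ones that do not depend on trusting the wire.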
#1313 Easy to carry out, difficult to fight against: Why ransomware is booming in 2016
When it comes to tech security threats, 2016 has been the year of ransomware, with numerous high-profile organisations forced to pay ransoms in order to regain access to crucial files and systems after becoming victims of data-encrypting malware. The surge in ransomware even saw the US and Canada issue a rare joint cyber alert in an effort to warn against its dangers.

But ransomware is far from a new phenomenon -- the first instance, dubbed PC Cyborg, was written in 1989 -- so why is it now suddenly booming? There's a combination of factors; one of them is simply that people are becoming more reliant on computers to store files and victims don't want to lose that data, so are often willing to pay a ransom to get it back.
#1312 LinkedIn sues 100 individuals for scraping user data from the site
Professional social network LinkedIn is suing 100 anonymous individuals for data scraping. It is hoped that a court order will be able to reveal the identities of those responsible for using bots to harvest user data from the site.

The Microsoft-owned service takes pride in the relationship it has with its users and the security it offers their data. Its lawsuit seeks to use the data scrapers' IP addresses and then discover their true identity in order to take action against them.
#1311 Now data-stealing Marcher Android malware is posing as security update
The notorious Marcher malware is now disguising itself as an Android firmware update, in another demonstration of how cybercriminal tactics are constantly evolving in order to dupe unsuspecting users into installing malicious software.

The Marcher malware has been around since March 2013, and was previously distributed through fake Amazon and Google Play store apps. Once Marcher is installed on an Android device -- it hasn't appeared on any other operating system -- cybercriminals send the victim an alert to log in to their banking apps, allowing the crooks to make off with the stolen information.
#1310 VeraCrypt audit under way; email mystery cleared up
To say the VeraCrypt audit, which begins today, got off to an inauspicious start would be an understatement.

On Sunday, two weeks after the announcement that the open source file and disk encryption software would be formally scrutinized for security vulnerabilities, executives at one of the firms funding the audit posted a notice that four emails between the parties involved had been intercepted.

“We have now had a total of four email messages disappear without a trace, stemming from multiple independent senders. Not only have the emails not arrived, but there is no trace of the emails in our ‘sent’ folders. In the case of OSTIF, this is the Google Apps business version of Gmail where these sent emails have disappeared,” the post to the Open Source Technology Improvement Fund (OSTIF) website read. “This suggests that outside actors are attempting to listen in on and/or interfere with the audit process.”