Security Alerts & News
by Tymoteusz A. Góral

History
#1449 Critical MySQL vulnerability disclosed
A researcher has published details and a limited proof-of-concept exploit for a critical vulnerability in MySQL that has been patched by some vendors, but not yet by Oracle.

The vulnerability allows an attacker to remotely or locally exploit a vulnerable MySQL database and execute arbitrary code, researcher Dawid Golunski of Legal Hackers wrote today in an advisory.

The flaw affects MySQL 5.7.15, 5.6.33 and 5.5.52. It has already been patched in the MariaDB and PerconaDB distributions of MySQL. Golunski said in his advisory that he reported the vulnerability to Oracle and the other affected vendors on July 29. MariaDB and PerconaDB patched their versions of the database software before the end of August. Golunski said that since more than 40 days have passed and the two vendor fixes are public, he decided to disclose.
#1448 Fire drill knocks ING bank's data centre offline
A fire extinguisher test in a bank's data centre has gone wrong in an "unprecedented" manner, causing its cash machines, online banking operations and website to go offline.

For much of Saturday, ING's Romanian customers could not access their money.

The bank said the discharge of its gas-based fire suppression system had caused "unexpected" damage to its computer servers.

A report by Motherboard suggests that the equipment was too noisy.

A spokeswoman for ING was unable to confirm this detail.

But she did acknowledge the problem had lasted from 13:00 to 23:00 local time and the bank had been unable to explain the situation to customers as its own communications system had been affected.
#1447 Cisco’s network bugs are front and center in bankruptcy fight
Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.

Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.
#1446 Now you can buy a USB stick that destroys anything in its path
For just a few bucks, you can pick up a USB stick that destroys almost anything that it's plugged into. Laptops, PCs, televisions, photo booths -- you name it.

Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply and then discharges -- all in a matter of seconds.

On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware".
#1445 Two critical bugs and more malicious apps make for a bad week for Android
It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google's official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren't eligible to receive the fixes. Even those that do qualify don't receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.
#1444 Re-thinking security fundamentals: How to move beyond the FUD
Around ten years ago, a new movement spread throughout computing: design thinking. It seems so obvious in hindsight, but the notion that the user experience presented by your product was something that had to be considered and prioritized at every step -- instead of layered on at the end -- was revolutionary at the time.

It's long past time for a similar type of movement: security thinking.

For far too long, security has been an afterthought in the product development process. Passwords are stored in plain text at companies with hundreds of millions of users; people have proven time and time again that they will click on a link that seems so obviously suspicious; the most common password is, well, "password"; and large companies with tons of internal and external applications focus on plugging holes in the walls while attackers parachute into their networks. These aren't technical challenges; they are cultural challenges born of the obsession to rush products to market in search of rapid growth, or to hire a passel of security consultants who recommend layers of security products that cost more every year.
#1443 Blue light has a dark side
Exposure to blue light at night, emitted by electronics and energy-efficient lightbulbs, can be harmful to your health.

Until the advent of artificial lighting, the sun was the major source of lighting, and people spent their evenings in (relative) darkness. Now, in much of the world, evenings are illuminated, and we take our easy access to all those lumens pretty much for granted.

But we may be paying a price for basking in all that light. At night, light throws the body's biological clock—the circadian rhythm—out of whack. Sleep suffers. Worse, research shows that it may contribute to the causation of cancer, diabetes, heart disease, and obesity.
#1442 Cryptocurrency mining malware discovered targeting Seagate NAS hard drives
A malware variant named Mal/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency.

Miner-C, or PhotoMiner, appeared at the start of June 2016, when a report revealed how this malware was targeting FTP servers and spreading on its own to new machines thanks to worm-like features that attempted to brute-force other FTP servers using a list of default credentials.
#1441 MalwareMustDie spotted a new ELF trojan backdoor, which is now targeting IoT devices
In August, experts from MalwareMustDie analyzed samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The name of the malware is the same as that of the binary, "mirai.*", and according to the experts, several attacks have been detected in the wild.

The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions as confirmed by the very low detection ratio in the VirusTotal online scanning service.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which is what this threat is aiming at,” states the analysis on the MalwareMustDie blog.
#1440 WordPress urges users to update now to fix critical security holes
WordPress is urging webmasters to update their CMS packages as quickly as possible to protect their domains from exploitation of critical vulnerabilities.

On Thursday, the content management system (CMS) provider released a security advisory alongside the latest version of WordPress, 4.6.1. Now available, the update patches two serious security problems: a cross-site scripting vulnerability and a path traversal flaw.

The XSS flaw, discovered by SumOfPwn researcher Cengiz Han back in July at the Summer of Pwnage bug bounty project, allows attackers to upload a crafted image file to WordPress and inject malicious JavaScript code into the software.
#1439 Picture perfect: CryLocker ransomware uploads user information as PNG files
Taking advantage of legitimate sites for command-and-control (C&C) purposes is something most malware does to avoid rousing suspicion from its targets. While most ransomware sends the gathered information directly to its designated C&C servers, some variants differ slightly. CuteRansomware, for instance, uses Google Docs to pass information from the infected system to the attackers.

One of the latest ransomware families, CryLocker (detected as RANSOM_MILICRY.A), does the same by taking advantage of Imgur, a free online image hosting site that allows users to upload and share photos to their contacts. During our monitoring of activities related to exploit kits, we spotted both Rig and Sundown distributing this threat.