Security Alerts & News
by Tymoteusz A. Góral

History
#1502 Cisco warns of command injection flaw in Cloud platform
It’s already been a busy month of patching for Cisco Systems, and on Wednesday the networking giant rolled out nine more security updates addressing critical vulnerabilities across its core product lines.

Most notably, Cisco is warning of two security holes (one rated critical, the other high) in its Cisco Cloud Services Platform 2100 (CCSP). One could allow an unauthenticated remote attacker to execute arbitrary code on a targeted system. The other is a command injection vulnerability in the CCSP's web-based GUI; this critical vulnerability could allow a remote attacker to execute arbitrary commands with root privileges on the CCSP's underlying operating system.

In both CCSP cases, Cisco has released software patches to fix the vulnerabilities.
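The bug class behind the second CCSP advisory, as an added illustration that is not Cisco's code and says nothing about how the CCSP GUI is built: a web diagnostic handler splices a user-supplied hostname into a shell command line, beside a hardened version that validates the value against an allow-list grammar and passes it as a single argv element with no shell involved. `/bin/echo` stands in for the real diagnostic tool so the example runs anywhere without sending traffic; the validator is written for this example.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label grammar; a literal IPv4/IPv6 address is also accepted.
# Hypothetical validator written for this example, not taken from any product.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(host: str) -> bool:
    """Allow-list check: the target must be an IP address or a DNS hostname.
    Shell metacharacters, whitespace and a leading '-' (which a tool would
    otherwise parse as an option) all fail this grammar."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not 1 <= len(host) <= 253:
        return False
    return all(_LABEL.match(label) for label in host.split("."))


def vulnerable_diag(host: str) -> str:
    """The bug pattern: untrusted input becomes part of a shell command line.
    Whatever follows a ';' runs as its own command, with the privileges of the
    web process (root, if the GUI runs as root)."""
    return subprocess.run("echo pinging " + host, shell=True,
                          capture_output=True, text=True).stdout


def safe_diag(host: str) -> str:
    """Hardened version: validate first, then hand the value to the tool as one
    argv element. No shell parses the string, so nothing in it can be a command."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return subprocess.run(["echo", "pinging", host],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    payload = "8.8.8.8; echo INJECTED"
    print(vulnerable_diag(payload), end="")   # second output line came from the injected command
    try:
        safe_diag(payload)
    except ValueError as e:
        print(e)
```

Note that switching to an argv list alone is not the whole fix: a value such as `-c` would still reach the tool as an option, which is why the grammar check rejects a leading dash as well as metacharacters.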
#1501 Don’t plug it in! Scammers post infected USB sticks through letterboxes
Unexpectedly received a USB stick in the post? Whatever you do … DON’T PLUG IT IN!!

Police in the Australian state of Victoria are warning the public about cybercriminals’ latest tactic: randomly dropping unmarked USB sticks containing malware through letterboxes.

The criminals are of course hoping that the unsuspecting recipients will plug the freebie USB drives into their computers.
#1500 A bite of Python
Because it is easy to pick up and lets developers progress quickly to larger and more complex applications, Python is becoming increasingly ubiquitous in computing environments. However, the language's apparent clarity and friendliness can lull the vigilance of software engineers and system administrators, luring them into coding mistakes that may have serious security implications. This article, which primarily targets people who are new to Python, looks at a handful of security-related quirks; experienced developers may well be aware of the peculiarities that follow.
#1499 More than 840,000 Cisco devices are vulnerable to NSA-related exploit
More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability that's similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency.

The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device's memory, which can lead to the exposure of sensitive information.

The vulnerability stems from how the OS processes IKEv1 (Internet Key Exchange version 1) requests. This key exchange protocol is used for VPNs (Virtual Private Networks) and other features that are popular in enterprise environments.
#1498 Bug that hit Firefox and Tor browsers was hard to spot—now we know why
A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month.

As a result, the cross-platform, malicious code-execution risk most recently visited users of browsers based on the Firefox Extended Release on September 3 and lasted until Tuesday, or a total of 17 days. The same Firefox version was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.

While the windows were open, the browsers failed to enforce a security measure known as certificate pinning when automatically installing NoScript and certain other browser extensions. That meant an attacker who had a man-in-the-middle position and a forged certificate impersonating a Mozilla server could surreptitiously install malware on a user's machine. While it can be challenging to hack a certificate authority or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within the means of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. Such an attack, however, was only viable at certain periods when Mozilla-supplied "pins" expired.
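The mechanism described above, as an added example that is not Mozilla's code and does not describe Mozilla's fix: a static pin set carries an expiry date, and once it has passed the client falls open and accepts any chain the platform's CA store trusts, so an attacker holding a forged certificate for the update host wins exactly during that window. The second half shows one defence-in-depth measure, a publisher signature on the downloaded package checked independently of TLS, which makes an intercepted connection insufficient on its own. The SPKI values, the 3 September 2016 expiry and the publisher key are all constructed, and HMAC stands in for a real asymmetric signature so the example stays within the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PinSet:
    host: str
    spki_sha256: frozenset      # hex SHA-256 digests of the allowed SubjectPublicKeyInfo values
    expires: datetime           # static pins expire so an old build cannot be bricked by a key rotation


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def spki_fingerprint(spki_der: bytes) -> str:
    return hashlib.sha256(spki_der).hexdigest()


def pin_check(pins: PinSet, presented_spki: bytes, now: datetime) -> bool:
    """Pin enforcement as described above: once the pin set has expired, pinning
    is simply not enforced, so any chain the CA store accepts (including an
    attacker-issued one) passes."""
    if now >= pins.expires:
        return True                                   # fail-open: this is the exposure window
    return spki_fingerprint(presented_spki) in pins.spki_sha256


# Constructed stand-in for the publisher's signing key (a real client would hold
# a public key and verify an asymmetric signature).
PUBLISHER_KEY = b"constructed-publisher-key"


def sign_package(package: bytes, key: bytes = PUBLISHER_KEY) -> str:
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def install_extension(pins: PinSet, presented_spki: bytes, package: bytes,
                      signature: str, now: datetime, require_signature: bool) -> str:
    """Update path. With require_signature=False the decision rests on the pin
    check alone; with True the package must also carry a valid publisher
    signature, so a man-in-the-middle with a forged certificate cannot push code."""
    if not pin_check(pins, presented_spki, now):
        return "rejected: pin mismatch"
    if require_signature and not hmac.compare_digest(signature, sign_package(package)):
        return "rejected: bad package signature"
    return "installed"


def exposure_days(pins: PinSet, refreshed: datetime) -> int:
    """Days during which pin_check fails open, up to the release that refreshed the pins."""
    return max(0, (refreshed - pins.expires).days)


# Constructed data: two fake SPKIs and a pin set assumed to expire on 3 September 2016,
# the start of the 17-day window mentioned above.
GENUINE_SPKI = b"constructed SPKI of the genuine update server"
FORGED_SPKI = b"constructed SPKI of an attacker-issued certificate"
PINS = PinSet("addons.mozilla.org", frozenset({spki_fingerprint(GENUINE_SPKI)}), utc(2016, 9, 3))


if __name__ == "__main__":
    inside = utc(2016, 9, 10)
    print("window length:", exposure_days(PINS, utc(2016, 9, 20)), "days")
    print("forged cert inside window, pins only  :",
          install_extension(PINS, FORGED_SPKI, b"evil.xpi", "", inside, False))
    print("forged cert inside window, + signature:",
          install_extension(PINS, FORGED_SPKI, b"evil.xpi", "", inside, True))
```

The design tension is visible in `pin_check`: failing closed on expiry would instead cut every stale installation off from updates, which is why a second, TLS-independent check on the artifact is the more robust place to anchor trust for code installs.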
#1497 SWIFT confirms banks still being targeted, announces mitigation tool
SWIFT’s chief information security officer said Wednesday that the cooperative is still seeing cases where its customers’ environments have been compromised.

“The threat is persistent, adaptive and sophisticated – and it is here to stay,” Alain Desausoi, the cooperative’s CISO said, adding fraudulent attempts continue to be made through its network to trick banks to send payments.

Desausoi was speaking at the Financial Times Cyber Security Summit Europe in London. In a conversation with Kara Scannell, the publication's investigations correspondent, the CISO touched on the security of SWIFT's customers and described a new tool, announced by the cooperative on Tuesday, that is aimed at strengthening its customers' existing fraud controls and designed to mitigate future cyber threats.

The tool, called Daily Validation Reports, will give banks and other clients the ability to review a daily summary of their messages. According to a press release issued by the Brussels-based cooperative, the tool is slated for release in December and will help customers verify message activity and tip them off to any unusual patterns.
#1496 IoT devices being increasingly used for DDoS attacks
Malware targeting the Internet of Things (IoT) has come of age and the number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam.

Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.

IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. However, attacks to date have taken a different shape. Attackers tend to be less interested in the victim and the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks.
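The default-password sweeps described above leave a recognisable trace in device login logs. The following detection, added here as an example and not taken from any vendor's product, flags a source that fails several logins across more than one factory-default account name within a short window and records whether a success followed, which is the moment a device is enrolled into a botnet. The log format, the account list and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, device, service, result, user, source address.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<dev>\S+) (?P<svc>telnetd|sshd): "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>[0-9a-fA-F:.]+)$")

# Account names that ship as factory defaults on many embedded devices (constructed, not exhaustive).
DEFAULT_USERS = {"root", "admin", "support", "user", "guest", "service", "supervisor"}


def parse_events(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # tolerate unrelated syslog lines
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def find_default_credential_sweeps(events, window=timedelta(seconds=60),
                                   min_failures=5, min_users=2):
    """Flag sources that fail at least `min_failures` logins against at least
    `min_users` distinct default accounts within `window`, and note whether a
    successful login from the same source followed the burst."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failed" and e["user"] in DEFAULT_USERS]
        best, start = None, 0
        for end in range(len(failures)):            # sliding window over the failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            burst = failures[start:end + 1]
            if (len(burst) >= min_failures
                    and len({e["user"] for e in burst}) >= min_users
                    and (best is None or len(burst) > len(best))):
                best = burst
        if best is None:
            continue
        last_fail = best[-1]["ts"]
        success = next((e for e in evs if e["result"] == "ok" and e["ts"] >= last_fail), None)
        findings[src] = {
            "failures": len(best),
            "users": sorted({e["user"] for e in best}),
            "devices": sorted({e["dev"] for e in best}),
            "compromised": success is not None,
            "compromised_as": success["user"] if success else None,
        }
    return findings


# Constructed sample: one sweep from 203.0.113.5 that ends in a successful root login,
# and an administrator at 192.0.2.10 mistyping a password twice.
SAMPLE_LOG = """\
2016-09-22T01:00:01 cam-lobby telnetd: login failed user=root from=203.0.113.5
2016-09-22T01:00:03 cam-lobby telnetd: login failed user=admin from=203.0.113.5
2016-09-22T01:00:04 cam-lobby telnetd: login failed user=support from=203.0.113.5
2016-09-22T01:00:06 dvr-1 telnetd: login failed user=root from=203.0.113.5
2016-09-22T01:00:07 dvr-1 telnetd: login failed user=admin from=203.0.113.5
2016-09-22T01:00:09 dvr-1 telnetd: login failed user=user from=203.0.113.5
2016-09-22T01:00:11 dvr-1 telnetd: login ok user=root from=203.0.113.5
2016-09-22T08:15:00 dvr-1 sshd: login failed user=admin from=192.0.2.10
2016-09-22T08:15:20 dvr-1 sshd: login failed user=admin from=192.0.2.10
2016-09-22T08:15:40 dvr-1 sshd: login ok user=admin from=192.0.2.10
"""


def analyse(text: str = SAMPLE_LOG):
    return find_default_credential_sweeps(parse_events(text.splitlines()))


if __name__ == "__main__":
    for src, f in analyse().items():
        print(src, f)
```

The `compromised` flag is the one worth paging on: a burst that ends in a success means the device now answers to someone else, and the device list shows how far the same source got across the fleet.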
#1495 Future attack scenarios against ATM authentication systems
A lot has already been said about current cyber threats facing the owners of ATMs. The reason behind the ever-growing number of attacks on these devices is simple: the overall level of security of modern ATMs often makes them the easiest and fastest way for fraudsters to access the bank’s money. Naturally, the banking industry is reacting to these attacks by implementing a range of security measures, but the threat landscape is continually evolving. In order to prepare banks for what they should expect to see from criminals in the near future, we’ve prepared an overview report of future cyberthreats to ATMs. The report will – we hope – help the industry to better prepare for a new generation of attack tools and techniques.

The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.
#1494 Massive web attack hits security blogger
One of the biggest web attacks ever seen has been aimed at a security blogger after he exposed hackers who carry out such attacks for cash.

The distributed denial of service (DDoS) attack was aimed at the website of industry expert Brian Krebs.

At its peak, the attack aimed 620 gigabits of data a second at the site.

Text found in attack data packets suggested it was mounted to protest against Mr Krebs' work to uncover who was behind a prolific DDoS attack.

In a blogpost, Mr Krebs detailed the attack, which began late on Tuesday night and quickly ramped up to its peak attack rate.

DDoS attacks are typically carried out to knock a site offline - but Mr Krebs' site stayed online thanks to work by security engineers, who said the amount of data used was nearly twice the size of the largest attack they had ever seen.
#1493 Malware evades detection with novel technique
Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment.

The malware, according to researcher Caleb Fenton with security firm SentinelOne, evades detection simply by counting the documents – or the lack of them – on the PC and refusing to execute unless at least a certain number are present.

Fenton, who discovered the malware after several failed attempts to trigger the sample into acting maliciously, said the typical lack of documents in a virtual machine or sandboxed test environment makes it easy, in this case, for malware authors to fly under the radar.
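The check works because a freshly provisioned analysis VM contains almost no user documents. The following, added here as an example and not the sample's own logic or SentinelOne's tooling, measures that signal the way such malware would (a count of document-like files under a user profile) and then seeds an analysis VM with plausible, aged decoy documents so it no longer fails the test. Paths follow a Linux-style profile layout; the extension list, file names and thresholds are assumptions for the example.

```python
import os
import random
import tempfile
import time
from pathlib import Path

DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt")


def count_documents(profile: Path, exts=DOC_EXTS, max_depth: int = 4) -> int:
    """Count document-like files under a user profile: the signal the malware
    described above uses to decide whether it is on a real user's machine."""
    profile = Path(profile)
    n = 0
    for root, dirs, files in os.walk(profile):
        if len(Path(root).relative_to(profile).parts) >= max_depth:
            dirs[:] = []                    # stop descending; malware rarely walks deep
        n += sum(1 for f in files if f.lower().endswith(exts))
    return n


def passes_document_check(profile: Path, threshold: int) -> bool:
    """True when the profile would satisfy a 'at least N documents' gate."""
    return count_documents(profile) >= threshold


def seed_decoy_documents(profile: Path, count: int, seed: int = 1) -> int:
    """Populate an analysis VM with plausible, aged documents so the environment
    no longer looks freshly provisioned. Returns the number of files created."""
    rng = random.Random(seed)
    folders = [Path(profile) / d for d in ("Documents", "Desktop", "Downloads")]
    words = ("budget", "invoice", "notes", "report", "minutes", "draft", "contract")
    now = time.time()
    created = 0
    for i in range(count):
        folder = folders[i % len(folders)]
        folder.mkdir(parents=True, exist_ok=True)
        name = f"{rng.choice(words)}_{2014 + rng.randrange(3)}_{i:02d}{rng.choice(DOC_EXTS)}"
        path = folder / name
        size = rng.randrange(2_000, 20_000)
        path.write_bytes(bytes(rng.randrange(256) for _ in range(size)))
        age = rng.randrange(1, 400) * 86400        # 1 to 400 days old, so mtimes look lived-in
        os.utime(path, (now - age, now - age))
        created += 1
    return created


def demo(threshold: int = 3, decoys: int = 12):
    """Stand up a throwaway profile, measure it bare, then after seeding."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        before = count_documents(profile)
        seed_decoy_documents(profile, decoys)
        after = count_documents(profile)
        return before, after, passes_document_check(profile, threshold)


if __name__ == "__main__":
    before, after, ok = demo()
    print(f"documents before seeding: {before}, after: {after}, passes gate: {ok}")
```

Run the count against a sandbox image before trusting a "benign" verdict from it: an image that scores zero here will also score zero for the malware, and the sample will sleep through the analysis.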
#1492 Yahoo is expected to confirm a massive data breach, impacting hundreds of millions of users
Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation, hacking that has exposed several hundred million user accounts.

While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious.

Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and one was selling them online. “It’s as bad as that,” said one source. “Worse, really.”

The announcement, which is expected to come this week, also has possible larger implications for the $4.8 billion sale of Yahoo’s core business — which is at the core of this hack — to Verizon. The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.