Security Alerts & News
by Tymoteusz A. Góral

History
#1551 Boy, 12, gets €100k bill from Google after confusing Adwords with Adsense
A child in Spain has received a bill of €100,000 from Google after confusing its AdWords and AdSense services.

José Javier, 12, had signed up for Google's AdWords programme in order to make money from advertisements placed alongside YouTube videos of his band, called the Torrevieja Los Salerosos – in English, the Torrevieja Fun Guys – named after the Alicante town in which he lives.

Unfortunately for the young musician, Google's AdWords programme is for those wishing to advertise at cost, rather than run advertisements for profit. According to a report in Spanish daily El País, José and a friend planned to buy instruments, play music, get rich and buy a mansion by subscribing to the service.

According to El País, after the story hit the press Google's Spanish offices sent out a statement regarding the billing, explaining that the megacorporation's team has "analysed the case", and not only hasn't received payment from the family, but will proceed to cancel the outstanding balance on its AdWords service.
#1550 Enabling on-body transmissions with commodity devices (PDF)
We show for the first time that commodity devices can be used to generate wireless data transmissions that are confined to the human body. Specifically, we show that commodity input devices such as fingerprint sensors and touchpads can be used to transmit information to only wireless receivers that are in contact with the body. We characterize the propagation of the resulting transmissions across the whole body and run experiments with ten subjects to demonstrate that our approach generalizes across different body types and postures. We also evaluate our communication system in the presence of interference from other wearable devices such as smartwatches and nearby metallic surfaces. Finally, by modulating the operations of these input devices, we demonstrate bit rates of up to 50 bits per second over the human body.
#1549 FastPOS updates in time for the retail sale season
Most point-of-sale (PoS) threats follow a common process: dump, scrape, store, exfiltrate. FastPOS (initially detected by Trend Micro as TSPY_FASTPOS.SMZTDA) was different in that it removed the middleman and went straight from stealing credit card data to exfiltrating it to its command and control (C&C) servers.

FastPOS was true to its moniker—pilfer data as fast as possible, as much as it can, even at the expense of stealth. The malware is a reflection of how PoS threats, though no longer novel, are increasingly used against businesses and their customers. As such, FastPOS’s update does not come as a surprise—in time for the oncoming retail season to boot.

The samples we analyzed were compiled during the second week of September, and feedback from our Smart Protection Network confirmed that they are already deployed against small-medium businesses. FastPOS’s developer also seemed to have wasted no time validating his code by confirming its functionality in a full infection. It only took about a month from when its C&C domain was registered (mid-August) to the launch of its new campaign, making it faster than their previous operation in 2015.
#1548 Unmasking Tor users with DNS
Researchers at the KTH Royal Institute of Technology, Stockholm, and Princeton University in the USA have unveiled a new way to attack Tor and deanonymise its users.

The attack, dubbed DefecTor by the researchers in their recently published paper The Effect of DNS on Tor’s Anonymity, uses the DNS lookups that accompany our browsing, emailing and chatting to create a new spin on Tor’s most well-established weakness: correlation attacks.
#1547 Facebook rolls out opt-in encryption for 'secret' Messenger chats
As of today, all of Facebook's 900 million Messenger users should be able to choose to have specific chat threads end-to-end encrypted, protecting a message from all eyes except the sender and recipient. Called Secret Conversations, the feature also allows users to set messages to self-destruct anywhere between five seconds and one day.

Once a Secret Conversation is initiated, Facebook's app says that the conversation has been "encrypted from one device to the other". Encrypted conversations can be started from the home page by tapping a new message and then tapping the Secret button on the top right corner of the page, followed by the contact you want to start a secret chat with.
#1546 Our insulin pumps could be hacked, warns Johnson & Johnson
The Animas OneTouch Ping insulin pump contains vulnerabilities that could be exploited by a malicious attacker to remotely trigger an insulin injection.

Security researcher Jay Radcliffe – who is himself a Type I diabetic – discovered the flaws and wrote about his findings.

What Radcliffe discovered was that there were security weaknesses in how the medical device communicated wirelessly. Specifically, a lack of encryption meant that instructions were being sent in cleartext. Combined with weak pairing between the remote and pump, this could open opportunities for remote attackers to spoof the controller and trigger unauthorized insulin injections.

If the user does not cancel the insulin delivery on the pump, there is the potential for an attacker to cause harm and potentially create a hypoglycemic reaction.

Although the risk of widespread exploitation of the flaws is considered relatively low, and no-one should panic, Animas’s parent company Johnson & Johnson has issued an advisory to users of the insulin infusion pump:
#1545 Feds accuse two 19-yo of hacking for Lizard Squad and PoodleCorp
The FBI is accusing two teenagers, one from the US and one from the Netherlands, of being members of the hacking groups Lizard Squad and PoodleCorp, which have gained notoriety for targeting online gaming services such as Blizzard's World of Warcraft, and League of Legends, among others.

On Wednesday, the US Department of Justice announced that 19-year-olds Zachary Buchta, from Maryland, and Bradley Jan Willem Van Rooy, from the Netherlands, had been charged with computer crimes associated with a series of distributed denial of service (DDoS) attacks launched against gaming services, and for selling DDoS-for-hire services and stolen credit cards.
#1544 This new Mac attack can secretly monitor your webcam, microphone
In recent years we've seen malware that targets webcams and microphones in an effort to secretly record what a person says and does.

Even the NSA has developed code that remotely switches on a person's webcam.

But things are different when it comes to Mac malware, because each Apple laptop has a hard-wired light indicator that tells the user when it's in use. At least you know you're being watched.

That could change with a new kind of webcam piggyback attack, according to research by Synack's Patrick Wardle, which he will present Thursday at the Virus Bulletin conference.
#1543 Why the latest Windows 10 cumulative update is failing and how you can recover
Updated 5-Oct-2016: Well, that was fast. Microsoft released a fix-it script and an explanation. Details here: Microsoft releases fix for Windows 10 cumulative update issues

Those of us who routinely monitor Microsoft's support forums knew last week that something was wrong with the latest cumulative update to Windows 10. We learned yesterday that Microsoft has now acknowledged the issue and is working on a fix.

The problem occurs with Cumulative Update KB3194496, which was released for Windows 10 version 1607 on Sept. 29, 2016.

For most users running the latest public release of Windows (version 1607, also known as the Anniversary Update), this cumulative update completes successfully and brings the current build number to 14393.222.