Security Alerts & News
by Tymoteusz A. Góral

#1601 5900 online stores found skimming [analysis]
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is nearly impossible to trace the thieves.

In short: hackers gain access to a store’s source code using unpatched software flaws in various popular e-commerce software. Once a store is under a perpetrator’s control, a (JavaScript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for both customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.
#1600 VeraCrypt patches critical vulnerabilities uncovered in audit
An audit of open source file and disk encryption package VeraCrypt turned up a number of critical vulnerabilities that have been patched in the month since the assessment was wrapped up.

The audit, which began Aug. 16, was funded by the Open Source Technology Improvement Fund (OSTIF) and executed by two researchers at Quarkslab.

The examination was carried out against VeraCrypt 1.18; VeraCrypt is a fork of TrueCrypt, the once-popular and de facto standard for free full-disk encryption (FDE), which was abandoned in 2014 under mysterious circumstances as the project’s maintainers said the code was no longer safe to use. TrueCrypt was soon thereafter audited by the Open Crypto Audit Project and a number of vulnerabilities were uncovered, but no backdoors, as had been feared in the aftermath of the initial Snowden leaks.
#1599 XG.fast DSL does 10Gbps over telephone lines
Nokia has achieved a connection speed of 5Gbps—about 625MB/sec—over 70 metres of conventional twisted-pair copper telephone wire, and 8Gbps over 30 metres. The trial used a relatively new digital subscriber line (DSL) protocol called XG.fast (aka G.fast2).

XG.fast is the probable successor of G.fast, which was successfully trialled in a few countries over the past couple of years and will soon begin to commercially roll out. (In an unusual turn of events, the UK will probably be the first country with G.fast.)

Fundamentally, both G.fast and XG.fast are best described as "VDSL on steroids." Basically, while a VDSL2 signal frequency maxes out around 17MHz, G.fast starts at 106MHz (it can be doubled to 212MHz) and XG.fast uses between 350MHz and 500MHz. This means that there's a lot more bandwidth (the original meaning of the word), which in turn can be used for transferring data at higher speeds.

By way of example, VDSL2 can do around 100Mbps over that 17MHz channel; G.fast can do about 700Mbps at 106MHz; and XG.fast can go all the way up to 10Gbps at 500MHz with two bonded telephone lines.
#1598 Why is Java so insecure? Buggy open source components take the blame
Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

Veracode's annual security report is based on 300,000 assessments it has run on enterprise applications over the 18 months to March 31, 2016, and includes software from open-source projects, commercial vendors, large and small businesses, and software outsourcers.
#1597 Attackers hiding stolen credit card numbers in images
Researchers are encouraging developers who use Magento to remain vigilant about securely configuring their sites, as attackers have been embedding credit card swipers in sites running the open source e-commerce platform.

The swipers, or scrapers, are bits of malicious code that collect credit card numbers, login details and other information and forward it to attackers. While criminals have been targeting sites running the platform for months, they’ve only just recently started embedding that information in obscure image files.

In an even more confounding twist, in one recent instance an image that was hiding stolen credit card numbers was legitimate and publicly viewable, meaning an attacker wouldn’t even have to go to the trouble of accessing the site to get the information. They could simply view or download the image from the affected site.