Security Alerts & News
by Tymoteusz A. Góral

#1645 Don’t Skype and Type! Acoustic eavesdropping in VOIP (PDF)
Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, spectral and temporal properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) the adversary’s physical proximity to the victim, (ii) precise profiling of the victim’s typing style and keyboard, and/or (iii) a significant amount of the victim’s typed information (and its corresponding sounds) being available to the adversary.

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge of the victim’s typing style and keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to a still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard.) Finally, we provide evidence that the Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and the presence of voice over keystrokes), thus confirming the feasibility of this attack.
#1644 The Dyn report: What we know so far about the world's biggest DDoS attack
First, there was nothing -- nothing -- surprising about this attack. As Paul Mockapetris, creator of the Domain Name System (DNS), said, "The successful DDoS attack on DYN is merely a new twist on age-old warfare. ... Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let's take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and realize and plan for more of these sorts of attacks."

This new twist came from the Internet of Things (IoT). Surprised? Please. We knew all along that not only could the IoT be used to attack networks, it would be used to target the internet.

IoT vendors must improve their security. Or, as Lyndon Nerenberg, an internet engineer, said on the North American Network Operators Group (NANOG), the professional association for internet engineering, architecture, and operations, mailing list, "The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion."
#1643 Remote code execution vulnerabilities plague LibTIFF library
A researcher is warning this week of three vulnerabilities, all of which can lead to remote code execution, that exist in the LibTIFF library. The library is a set of functions that helps applications support TIFF image files.

While there hasn’t been an official LibTIFF release that fixes the issues, users can get patches for two of the vulnerabilities via the library’s LibTIFF CVS repository.

Tyler Bohan, a senior research engineer with Cisco Talos, discussed the details of all three vulnerabilities in a blog post on Tuesday.
#1642 Lawmakers asking what ISPs can do about DDoS attacks
IoT botnets and DDoS attacks have prominent lawmakers asking government agencies some probing questions about what can be done.

Sen. Mark Warner (D-VA) on Tuesday sent a letter to the Federal Communications Commission, as well as the Federal Trade Commission and Homeland Security, querying among other things whether ISPs have legal standing to boot insecure connected devices from their networks. Warner wrote:

“Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of “non-harmful devices” to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the “network” – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area."
#1641 Paypal fixes 'worrying' security bug
A security researcher has found a simple way round one of the systems Paypal uses to protect users' accounts.

Deleting a few characters in the data which web browsers send to Paypal let Henry Hoggard bypass Paypal's two-factor authentication scheme.

This system is supposed to make accounts more secure by using extra methods to confirm someone's identity.

Paypal said it patched the bug days after it was reported.
#1640 Windows Atom tables can be abused for code injection attacks
Researchers have identified a way attackers could use atom tables in all versions of Windows to inject malicious code into a computer and bypass detection by security products at the same time.

The technique has been nicknamed AtomBombing by researchers at enSilo, and opens the door to man-in-the-browser attacks, access to encrypted passwords, or remotely taking screenshots of targeted systems.

AtomBombing does not exploit a Windows vulnerability and cannot be fixed with a patch. enSilo urges security professionals to monitor for code injection in API calls to fend off possible attacks.
#1639 Microsoft Office malware: Now more users get anti-hacker, macro-blocking features
Citing a growth in macro-borne threats, Microsoft has opted to give Office 2013 users a feature from Office 2016 to selectively block macros and the malware they can carry.

Office macros are a double-edged sword for the enterprise. They can improve productivity by automating routine tasks in Excel and Word, but they can be coded to deliver malware.

Even though it's been possible since the days of Office 97 to disable macros by default, users have always had the option of enabling them, which has presented attackers with a way of spreading malware since the Melissa virus in 1999. More recently, macros have been used to deliver banking Trojans and ransomware.

Fortunately, Microsoft earlier this year introduced a new feature in Group Policy for Office 2016 that allowed admins to block macros from loading in risky scenarios, such as when staff are opening Office email attachments from unknown senders, or when opening a file from Dropbox. Admins could also allow macros to run for certain trusted workflows.
#1638 Flash Player zero-day being exploited in targeted attacks
A newly discovered zero-day vulnerability in Adobe Flash Player is being exploited by attackers in the wild. Adobe released a Security Bulletin (APSB16-36) yesterday which patches the vulnerability (CVE-2016-7855).

The critical vulnerability affects Adobe Flash Player 23.0.0.185 and earlier versions for the following operating systems: Windows, Mac, Linux, Chrome OS.

According to Adobe, an exploit for the vulnerability exists in the wild and is being used in limited, targeted attacks against users running Windows versions 7, 8.1, and 10.
#1637 Joomla update fixes two critical issues, 2FA error
Web developers who run the content management system Joomla! are strongly encouraged to update their sites immediately.

The company on Tuesday pushed out the most recent version of the CMS, 3.6.4, fixing two critical issues that can lead to account creation and elevated privileges, according to a release update published by the Joomla! Project.
#1636 Dyn DDoS could have topped 1 Tbps
As more time passes, researchers are getting insight into the size and structure of the DDoS attack against DNS provider Dyn last week, and the capabilities of the Mirai botnet.

First, Dyn released a truncated post-mortem on the attack, with some admitted omissions as a law enforcement investigation continues. Executive Vice President of Products Scott Hilton published a report yesterday that explains how the first of two sizable attacks began at 7 a.m. against its Managed DNS platform in Asia, Europe and South America before concentrating on the U.S. East region. A large number of IP addresses homed in with UDP and TCP packets targeting port 53, Hilton said.
#1635 Cisco patches critical vulnerability in facility events response system
Cisco Systems issued a security bulletin Wednesday for a critical vulnerability found in its IP Interoperability and Collaboration System (IPICS). The feature is a key part of a mechanism used by Cisco to facilitate emergency responses for “facility events.”

The vulnerability (CVE-2016-6397), according to Cisco, could allow an attacker to access the IPICS communications interface and cause the system to become unavailable. A software fix has been released to address the flaw and no workaround is available, according to Cisco.
#1634 Could your 'smart' home be a weapon of web destruction?
Do you use a webcam to check on Tiddles the cat or Bonzo the dog while you're at work?

If so, you could be unwittingly turning your internet-connected "smart" home into a weapon of web destruction.

That's the unsettling conclusion to be drawn from the recent web attacks that made use of a botnet army of compromised connected devices, from webcams to printers, to knock out a number of popular websites.

The smart home, it seems, is pretty dumb when it comes to security.

Wi-Fi routers, digital video recorders, controllable lighting, security cameras - all these devices offer a potentially easy way into your network and then the wider internet.

As the Internet Society warned last year: "The interconnected nature of IoT [internet of things] devices means that every poorly secured device that is connected online potentially affects the security and resilience of the internet globally."