Security Alerts & News
by Tymoteusz A. Góral

#1660 Critical vulnerabilities pose a serious threat to Joomla sites
Joomla, the world’s second most popular web content management system (CMS), has been under sustained attack for several days, thanks to a nasty pair of vulnerabilities disclosed last week.

Security announcements 20161001 (CVE-2016-8870) and 20161002 (CVE-2016-8869) describe how flaws in Joomla’s user registration code could allow an attacker to “register on a site when registration has been disabled” and then “register … with elevated privileges”.

If the significance of those two statements hasn’t entirely sunk in, let me make it plain: taken together, the vulnerabilities can be used to unlock any site running Joomla, anywhere on the internet, with little more than a polite request detailing what you’d like to be called and how much power you want.
#1659 Web Bluetooth API privacy
Web Bluetooth is a web API under development that will be one of the core components of the Web of Things, the application layer of the Internet of Things. It will enable sensors, beacons and user devices to communicate with each other. At first, it will enable a web browser to contact the user's connected devices such as smartphones, kettles, toasters, TVs, thermostats, heart rate monitors, and so on. Imagine a world where every web site can connect to devices near you - or on you.

It's imperative to design this layer with security and privacy in mind. We are currently experiencing the consequences of widely distributed Internet of Things devices being used as massive attack tools.
#1658 Security update patches 13 Android vulnerabilities discovered by Trend Micro
Mobile threats are trending upward, with vulnerability exploits gaining traction. The silver lining? More of these vulnerabilities are also disclosed, analyzed and detected. This helps better protect Android devices from zero-days and malware, enabling OEMs/vendors to respond more proactively to these threats. This is echoed by our continuous initiatives on Android vulnerability research: from June to August 2016, for instance, we’ve discovered and disclosed 13 vulnerabilities to Google. Their real-world impact ranges from battery drainage and unauthorized capture of photos, videos, and audio recordings, to system data leakage and remote control. This is on top of 16 other security flaws we’ve uncovered that were cited in Android/Google’s security bulletins from January to September this year.

The 13 vulnerabilities were not rated as critical, but they provide more attack vectors for the bad guys. A root exploit can be developed by chaining some of them, for instance. A malicious app can target a vulnerability in the camera server to compromise its driver to ultimately gain root privilege to the device.
#1657 AtomBombing: A code injection that bypasses current security solutions
Our research team has uncovered a new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing after the underlying mechanism that it exploits.

AtomBombing affects all Windows versions. In particular, we tested this against Windows 10.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.
#1656 Killing Mirai: Active defense against an IoT botnet
In recent weeks the world has witnessed the concept of an IoT botnet turn from theory to reality, with devastating consequences. While the ISPs, DDoS mitigation services, and others scramble to figure out how to augment traditional defenses to handle this new threat, we decided to investigate a less conventional approach. Attackers often rely on exploiting vulnerabilities in software we own to install their tools on our systems. When these tools reside on an IoT device things become even more complicated, because the attacker may now have more access to the device than we do. So why not use their own strategy against them?

This is the first in a series of posts that will uncover vulnerabilities in the Mirai botnet, and show how exploiting these vulnerabilities can be used to stop attacks. Note, we are not advocating counterattack, but merely showing the possibility of using an active defense strategy to combat a new form of an old threat.
#1655 Google joins Mozilla and Apple in distrusting WoSign certificates
With the release of Chrome version 56, expected to happen in January 2017, certificates issued by WoSign and its recently acquired StartCom certificate authority (CA) after midnight on October 21 will not be trusted by the browser.

Google said in a blog post that certificates issued prior to October 21 would be trusted if they complied with Chrome's Certificate Transparency policy, or the domain using the credentials was on a whitelist of domains known to be customers of the two authorities.

"Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," Andrew Whalley of Chrome Security said. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56."
#1654 Kaspersky DDOS intelligence report for Q3 2016
In the last few months the scale of the global ‘Cybercrime as a Service’ infrastructure has been revealed – fully commercialized, with DDoS as one of the most popular services, capable of launching attacks the likes of which have never been seen before in terms of volume and technological complexity.

Against this background, Europol published the 2016 Internet Organised Crime Threat Assessment (IOCTA) on 28 September, which is based on the experiences of law enforcement institutions within the EU member states. The report clearly ranks DDoS in first place as a key threat and states that any “Internet facing entity, regardless of its purpose or business, must consider itself and its resources to be a target for cybercriminals”.

Most likely, this stems from early September when Brian Krebs, an industry security expert, published an investigation outlining the business operations of a major global DDoS botnet service called vDOS and its principal owners, two young men in Israel. The culprits have been arrested and investigations are ongoing, but the sheer scale of their business is stunning.
#1653 Your home’s online gadgets could be hacked by ultrasound
This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.

But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.

So far, this kind of ultrasound technology has mainly been used as a way for marketers and advertisers to identify and track people exposed to their messages, like a cross-device cookie. High-frequency audio “beacons” are embedded into TV commercials or browser ads. These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device. But the technology has many more applications. Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers’ phones as they shop.

“It doesn’t require any special technology,” Mavroudis says. “If you’re a supermarket, all you need are regular speakers.”
#1652 Bug bounty hunter launches accidental DDoS attack on 911 systems via iOS bug
The Maricopa County Sheriff's Office Cyber Crimes Unit arrested Meetkumar Hiteshbhai Desai, an 18-year-old teenager from the Phoenix area, for flooding the 911 emergency system with hang-up calls.

According to a press release from the Maricopa County Sheriff's Office, Desai created a JavaScript exploit, which he shared on Twitter and other websites with his friends.

People accessing Desai's link from their iPhones saw their phone automatically dial and redial 911.

As Desai told Maricopa County officers, he was only interested in discovering bugs in iOS, which he could report to Apple and thus possibly earn money or recognition among his friends.

Desai said that he received a tip about a bug in iOS, which he successfully exploited. During his tests, the teenager created several weaponized versions of this bug which would constantly dial a phone number, or show annoying popups.

The teenager says he wanted to prank his friends, thinking it would be "funny," but when he shared the weaponized link online, he shared a version that instead of showing annoying popups, redialed a phone number, which in this case was 911.
#1651 Google identified major vulnerability in Apple’s OS and iOS cores
Google’s Project Zero team, established two years ago as a task force against zero-day exploits, identified a flaw in the underlying kernel of Apple’s OSX and its mobile operating system iOS, which could allow root-level escalation of privileges for an attacker on a non-updated version of the OS.

The exploit was reported to Apple in June by PZ member Ian Beer, after which Apple requested a 60-day period of grace to address the problem before it went public. Google initially refused the request, but eventually agreed on a deadline of September 21st to disclose the exploit.

However, the fix that Apple created for the problem directly prior to disclosure was unsuccessful, and that deadline was allowed to pass. In effect Apple got nearly five months to address the issue – which it has now done, with this week’s release of OSX 10.12.1 and last week’s release of iOS 10.1, which also featured a remedy for the kernel vulnerability.
#1650 How security flaws work: SQL injection
Thirty-one-year-old Laurie Love is currently staring down the possibility of 99 years in prison. Love was recently told he'll face extradition to the US, where he stands accused of attacking systems belonging to the US government. The attack was allegedly part of the #OpLastResort hack in 2013, which targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the tragic suicide of Aaron Swartz as the hacktivist infamously awaited trial.

Love is accused of participating in the #OpLastResort initiative through SQL injection attacks, an increasingly common tactic. SQL injections have recently been detected against state electoral boards, and these attacks are regularly implicated in thefts of financial info. Today, they've become a significant and recurring problem.
#1649 New, more-powerful IoT botnet infects 3,500 devices in 5 days
There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report.

Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.
#1648 Microsoft says Russian APT group behind zero-day attacks
Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days.

The group, which Microsoft calls Strontium, is also known as APT28, Tsar Team and Sednit among other identifiers.

Microsoft said the zero-day vulnerability, the existence of which along with limited details was disclosed on Monday by Google, will be patched Nov. 8. Google said yesterday it privately disclosed both zero days, which were used in tandem in these targeted attacks against unknown victims, to Microsoft and Adobe on Oct. 21. Adobe rushed an emergency patch for Flash Player on Oct. 26, while Microsoft had not acknowledged the vulnerability until Google’s disclosure. Microsoft was critical of Google’s action yesterday and reiterated its stance today in a post, providing some details on the vulnerability and attacks.
#1647 Firefox disables loophole that allows sites to track users via battery status
Mozilla Firefox is dropping a feature that lets websites see how much battery life a visitor has left, following research showing that it could be used to track browsers.

The feature, called the battery status API, allows websites to request information about the capacity of a visitor’s device, such as whether or not it’s plugged in and charging, how long it will last until it is empty, and the percentage of charge remaining.

It was intended to allow websites to offer less energy-intensive versions of their sites to visitors with little battery power left: for instance, a mapping site could download less information, or a social network could disable autoplaying video.
#1646 Phony Android Flash player installs banking malware
Security researchers warn that a bogus Flash Player app aimed at Android mobile devices has surfaced and is luring victims to download and install banking malware that steals credit card information and can defeat two-factor authentication schemes.

Wells Fargo, Discover Financial and Chase customers, along with services such as Skype, Snapchat and Facebook, are targeted in these attacks. Fortinet researchers said Tuesday the phony Flash Player was spotted Oct. 21. While it is not available via the Google Play app store, it’s unclear how it’s being distributed.