Security Alerts & News
by Tymoteusz A. Góral

History
#1681 Tesco Bank: 20,000 customers lose money
Tesco Bank has halted online payments for current account customers after money was taken from 20,000 accounts.

The bank's chief executive Benny Higgins told the BBC he was "very hopeful" customers would be refunded within 24 hours.

About 40,000 accounts saw suspicious transactions over the weekend, of which half had money taken, he said.

Customers will still be able to use their cards for cash withdrawals, chip and pin payments, and bill payments.

They can also use online banking, but cannot make online transactions until the situation is back under control, Mr Higgins told the BBC's Today programme.

Earlier, the bank confirmed some accounts "have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently".

Mr Higgins also apologised for the "worry and inconvenience" that customers have faced.
#1680 Admins, update your databases to avoid the MySQL bug
MySQL, MariaDB, and PerconaDB administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database.

The two critical vulnerabilities, which can lead to arbitrary code execution, root privilege escalation, and server compromise, affect MySQL and forks like Percona Server, Percona XtraDB Cluster, and MariaDB, according to security researcher Dawid Golunski, who provided details of the vulnerability on LegalHackers.

Administrators should install the latest updates as soon as possible, or in cases where the patches cannot be applied, they should disable symbolic link support within the database server configuration by setting symbolic-links=0 in my.cnf.
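As an added example (not code from the article or from Golunski's advisory), the POSIX shell script below checks whether a my.cnf actually applies the interim mitigation named above: symbolic-links=0, or its documented equivalent skip-symbolic-links, inside the [mysqld] section. Options set in another section, such as [client], are not counted. The function names and the two sample option files are my own constructions.

```shell
#!/bin/sh
# Added example, not from the article or the advisory it cites.
# Checks whether a my.cnf disables symbolic link support for mysqld,
# the interim mitigation for the unpatched case. Assumes the option is
# set in the [mysqld] section; helper names and sample files are assumed.

# symlinks_disabled FILE
# Exit status 0 if the [mysqld] section of FILE contains "symbolic-links=0"
# (or the equivalent "skip-symbolic-links"), 1 otherwise.
symlinks_disabled() {
    awk '
        # Track which option-file section we are in.
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/); next }
        # Option files accept "-" and "_" interchangeably in option names,
        # and allow a trailing "#" comment on an option line.
        in_mysqld && /^[[:space:]]*symbolic[-_]links[[:space:]]*=[[:space:]]*0[[:space:]]*(#.*)?$/ { found = 1 }
        in_mysqld && /^[[:space:]]*skip[-_]symbolic[-_]links[[:space:]]*(#.*)?$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed sample option files (not taken from any real deployment).
WEAK_CNF=$(mktemp)
FIXED_CNF=$(mktemp)
trap 'rm -f "$WEAK_CNF" "$FIXED_CNF"' EXIT

cat > "$WEAK_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
# symbolic link support left at its default, i.e. enabled
EOF

cat > "$FIXED_CNF" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
symbolic-links=0   # interim mitigation until the server is patched
EOF

# report FILE: print a one-line verdict for FILE.
report() {
    if symlinks_disabled "$1"; then
        echo "$1: symbolic links disabled (mitigation in place)"
    else
        echo "$1: symbolic links ENABLED - patch, or set symbolic-links=0 under [mysqld]"
    fi
}

report "$WEAK_CNF"
report "$FIXED_CNF"
```

The file check only tells you what the configuration says; to confirm what a running server is doing, query it directly with SHOW VARIABLES LIKE 'have_symlink', which reports DISABLED when the option is in effect.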
#1679 Inside the RIG exploit kit
Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes to exploit kits. Now Cisco Talos researchers are hoping to shed new light on the ongoing development of the potent EK in hopes of neutralizing the RIG EK threat.

As with the unraveling of any EK, one of the keys to stopping infection rates is determining infection routes and how adversaries bypass security software and devices.

In a deep analysis of RIG, the Cisco Talos team recently outlined the unique nature of the exploit kit. In a nutshell, like other exploit kits, the crew behind RIG uses gates to redirect victims to the exploit kit. But what makes RIG unique, according to Cisco Talos researchers, is the way RIG combines different web technologies, such as DoSWF, JavaScript, Flash and VBScript, to obfuscate the attack.
#1678 Test-run DDoS attacks against Liberia cease
Intermittent DDoS attacks powered by the largest of the many Mirai-powered botnets targeting the African nation of Liberia have ceased today.

Researcher Kevin Beaumont, who disclosed the attacks on Thursday, also said that the domain controlling the attacker’s command and control infrastructure was disabled by registrar eNom; that domain pre-dates the DDoS attacks two weeks ago against Dyn.

While the attacks against Liberia have been shut down, they did periodically interrupt Internet service to the country this week, and one mobile service provider told the IDG News Service that the attacks were “killing” its business and revenue.
#1677 Android spyware targets business executives
Overreliance on smartphones, both in our personal and professional lives, is a reality for many of us. These devices hold a lot of sensitive information – information that could be worth a lot to some people, especially if you are a high-positioned executive in a thriving business.

Researchers from mobile security outfit Skycure have recently analyzed a malicious app they found on an Android 6.0.1 device owned by a VP at a global technology company.

The name of the malicious package is “com.android.protect”, and it comes disguised as a Google Play Services app. It disables Samsung’s SPCM service in order to keep running, installs itself as a system package to prevent removal by the user (if it can get root access), and also hides itself from the launcher.
#1676 Microsoft delays Enhanced Mitigation Experience Toolkit support cut-off to July 2018
Microsoft has extended by 18 months its end-of-life date for its Enhanced Mitigation Experience Toolkit (EMET) to July 2018.

At least some of you IT pros probably were aware, but I had not realized that Microsoft, until its announcement on November 3, was planning to drop EMET 5.5x support in January 2017 before the reprieve.

In a November 3 blog post entitled "Moving Beyond EMET," Microsoft officials noted that the first version of EMET was introduced in 2009.

Back then, "despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply too slow to respond quickly to emerging threats. Our commercial customers were particularly exposed since it often took years to deploy new OS versions in large scale environments," said the Softies.
#1675 New Bizarro sundown exploit kit spreads Locky
A new exploit kit has arrived which is spreading different versions of Locky ransomware. We spotted two cases of this new threat, which is based on the earlier Sundown exploit kit. Sundown rose to prominence (together with Rig) after the then-dominant Neutrino exploit kit was neutralized.

Called Bizarro Sundown, the first version was spotted on October 5 with a second sighting two weeks later, on October 19. Users in Taiwan and Korea made up more than half of the victims of this threat. Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features. The October 19 attack also changed its URL format to closely resemble legitimate web advertisements. Both versions were used exclusively by the ShadowGate/WordsJS campaign.
#1674 This evil office printer hijacks your cellphone connection
Julian Oliver has for years harbored a strange obsession with spotting poorly disguised cellphone towers, those massive roadside antennae draped in fake palm fronds to impersonate a tree, or even hidden as spoofed lamp posts and flag poles. The incognito base stations gave him another, more mischievous idea. What about a far better-disguised cell tower that could sit anonymously in an office, invisibly hijacking cellphone conversations and texts?

Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages.

“For quite some time I’ve had an interest in this bizarre uncanny design practice of disguising cell towers as other things like trees,” says Oliver. “So I decided to build one into a printer, the most ubiquitous of indoor flora, and have it actually antagonize people’s implicit trust in these technologies.”