Security Alerts & News
by Tymoteusz A. Góral

History
#1711 Chinese company installed secret backdoor on hundreds of thousands of phones
Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users’ activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

The company, Shanghai AdUps Technologies, had apparently designed the backdoor to help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes. AdUps claims its software runs updates for more than 700 million devices worldwide, including smartphones, tablets, and automobile entertainment systems. It is installed on smartphones from Huawei and ZTE sold in China.
#1710 VMware patches VM escape vulnerability
VMware quickly turned around a patch for a critical code execution flaw that was worth $150,000 to the researchers who found it.

While there have been no reported public exploits, the vulnerability is serious because it could allow an attacker to access a virtual instance and run code on the host machine.

The bug was exploited during last week’s PwnFest hacker contest in South Korea, which ran alongside the Power of Community conference. Hackers from China’s Qihoo 360 also took down Google’s new Pixel mobile device, as well as Microsoft Edge and Adobe Flash, winning more than a half-million dollars in the process.
#1709 Privacy experts fear Donald Trump running global surveillance network
Privacy activists, human rights campaigners and former US security officials have expressed fears over the prospect of Donald Trump controlling the vast global US and UK surveillance network.

They criticised Barack Obama’s administration for being too complacent after the 2013 revelations by the NSA whistleblower, Edward Snowden, and making only modest concessions to privacy concerns rather than carrying out major legislative changes.

The concern comes after Snowden dismissed fears for his safety if Trump, who called him “a spy who has caused great damage in the US”, was to strike a deal with Vladimir Putin to have him extradited.

Snowden, in a video link-up from Moscow with a Netherlands-based tech company on Thursday, said it would be “crazy to dismiss” the prospect of Trump doing a deal but if personal safety was a major concern for him, he would not have leaked the top-secret documents in the first place.
#1708 Microsoft: Windows 7 is way more exposed to ransomware than Windows 10
If you want to escape the clutches of ransomware, the best thing you can do is install the Windows 10 Anniversary Update, according to Microsoft.

Microsoft says there's been a 400 percent rise in ransomware encounters affecting Windows since 2015, but older versions of Windows are more exposed to it and more prone to actual infection after an encounter. Microsoft says it has "made Windows 10 Anniversary Update the most secure Windows ever".

Devices on Windows 10 are 58 percent less likely to run into ransomware than Windows 7, Microsoft argues in a new white paper detailing in-built defenses against the extortion-ware.

Ransomware arrives either through email or the browser, both of which Microsoft has battened down in Windows 10.
#1707 Major Linux security hole gapes open
The security hole this time is with how Debian and Ubuntu, and almost certainly other Linux distributions, implement Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption. LUKS is often put into action with Cryptsetup. It's in Cryptsetup's default configuration file that the problem lies, and it's a nasty one.

As described in the security report, CVE-2016-4484, the hole allows attackers "to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse."
#1706 Kaspersky Lab Black Friday Threat Overview 2016
The Internet has changed forever how people shop. By 2018, around one in five of the world’s population will shop online, with ever more people doing so on a mobile device rather than a computer. In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones. That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network.

Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others. They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart.

The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year.