Security Alerts & News
by Tymoteusz A. Góral

#1722 BlackNurse revisited: what you need to know
BlackNurse isn’t really an “attack”.

It’s more of a reminder of why DDoSes work: if you bombard the network port on a router with lots of redundant packets, you force the router to do purposeless extra work.

The extra work steals some of the router’s performance away from legitimate users, and thus legitimate traffic gets held up in the snarl.

Unfortunately, if you pick your time-wasting packets carefully, you may be able to find some router models that do even more extra work than you might expect in order to dispose of your malicious traffic.

At that point, you can cause additional harm to those routers, simply by picking the content that makes them work hardest.

BlackNurse’s “extra harm” traffic turns out to be a special sort of network packet known as an ICMP (Internet Control Message Protocol) reply.
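As an added, defender-side example that is not part of the original article: a small Python rate monitor that parses netfilter-style ICMP log lines (the log format, addresses and threshold are assumptions, and the sample data is constructed) and reports any source whose ICMP volume inside a sliding one-second window exceeds a threshold, together with the dominant ICMP type/code, so an operator can see which message type is driving the extra work on the router.

```python
import re
from collections import defaultdict, deque

# Assumed netfilter LOG-style line: "<epoch> IN=... SRC=... DST=... PROTO=ICMP TYPE=n CODE=m"
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) .*?SRC=(?P<src>\S+) .*?PROTO=ICMP TYPE=(?P<type>\d+) CODE=(?P<code>\d+)"
)


def constructed_log():
    """Constructed sample data (not from any real device), already sorted by time."""
    lines = []
    # A benign host: one echo reply (type 0) per second for five seconds.
    for i in range(5):
        lines.append(f"{1478685600 + i}.000 IN=eth0 SRC=192.0.2.10 "
                     f"DST=198.51.100.1 PROTO=ICMP TYPE=0 CODE=0")
    # A noisy host: 200 destination-unreachable messages (type 3, code 3) inside one second.
    for i in range(200):
        lines.append(f"1478685602.{i:03d} IN=eth0 SRC=203.0.113.7 "
                     f"DST=198.51.100.1 PROTO=ICMP TYPE=3 CODE=3")
    return lines


def icmp_rate_alerts(lines, threshold, window=1.0):
    """Return {src: (peak_packets_in_window, (type, code))} for every source whose
    ICMP packet count within any sliding window of `window` seconds exceeds
    `threshold`. Lines that are not ICMP (or do not parse) are ignored."""
    recent = defaultdict(deque)                       # src -> timestamps in current window
    peaks = {}                                        # src -> highest count seen
    kinds = defaultdict(lambda: defaultdict(int))     # src -> (type, code) -> count
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src = float(m["ts"]), m["src"]
        kinds[src][(int(m["type"]), int(m["code"]))] += 1
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:               # drop timestamps outside the window
            q.popleft()
        peaks[src] = max(peaks.get(src, 0), len(q))
    alerts = {}
    for src, peak in peaks.items():
        if peak > threshold:
            dominant = max(kinds[src], key=kinds[src].get)
            alerts[src] = (peak, dominant)
    return alerts


if __name__ == "__main__":
    print(icmp_rate_alerts(constructed_log(), threshold=100))
```

The threshold is deliberately a parameter: a sensible value depends on the link and the router model, so it should be tuned against a baseline of normal ICMP volume rather than copied from here.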
#1721 Qualcomm launches bug bounty program for Snapdragon chips, modems
Qualcomm has launched a bug bounty program to entice researchers to submit reports on security flaws in Snapdragon processors, LTE modems, and hardware.

The program, administered by HackerOne, was announced on Thursday in what Qualcomm says is the "first of its kind" to be announced by a major silicon vendor.

Qualcomm's vulnerability rewards program focuses on the Snapdragon processor range, used to power mobile devices such as smartphones and tablets, alongside LTE modems and "related technologies."

Details are thin on the ground at the moment in relation to what types of security flaws Qualcomm is particularly interested in, but on the bug bounty's page, the company asks researchers to submit details in their reports including vulnerability types -- such as buffer overflow or integer overflow bugs -- and the potential impact of a problem, such as remote code execution or information leaks.
#1720 IoT devices in the enterprise
In the months prior to the recent attacks, which used Internet of things (IoT) devices to carry out massive distributed-denial-of-service (DDoS) attacks, the ThreatLabZ research team had begun studying the use of IoT devices on the networks of Zscaler customers.

In light of their notoriously poor security, we knew that IoT devices were relatively easy to compromise, so there’s been concern over the potential to use them for spreading malware, stealing credentials, leaking data, sniffing traffic, or even moving laterally on a network to scan for sensitive data. The devices themselves can also be exploited for malicious purposes, such as spying in the case of cameras. Or, as we saw last month, creating large, destructive botnets.

We analyzed data going back to July for recent IoT device footprints based on the traffic we are seeing in the Zscaler cloud. We looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, and the frequency of their inbound and outbound communications over a two-month period (26 August 2016 to 26 October 2016). Our primary purpose was to determine if any of the devices posed a threat to customer security, and eventually we also looked at whether the devices that were used in the Dyn and KrebsOnSecurity attacks were also in use by our customers.

Finally, we analyzed IoT traffic patterns on the days of the DDoS attacks to see if there had been any unusual behavior on those days, such as spikes in bandwidth use or variations in the destination of IoT traffic.
#1719 Android banking malware whitelists itself to stay connected with attackers
Recent variants of Android.Fakebank.B have been updated to work around the battery-saving process Doze. The variants display a pop-up message asking the user to add the threat to the Battery Optimizations exceptions whitelist. If this technique works, then the malware can stay connected to command and control servers even when the device is dormant.