Security Alerts & News
by Tymoteusz A. Góral

History
#1775 New large-scale DDoS attacks follow schedule
A powerful new botnet is being blamed for massive and sustained DDoS attacks that security researchers at CloudFlare compare to Mirai when it comes to intensity and scope.

The attacks began Nov. 23 and ran for eight hours daily, similar to an average workday. The consistent attacks occurred for seven straight days, starting each day at 10 a.m. PST. On the eighth day, the attackers turned up the heat, with DDoS assaults lasting 24 hours. Peak volumes reached 400 Gbps, close to that of Mirai, where attacks peaked at 620 Gbps.
#1774 One bit to rule a system: analyzing CVE-2016-7255 exploit in the wild
Recently, Google researchers discovered a local privilege escalation vulnerability in Windows which was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. Microsoft was able to release a patch by the next Patch Tuesday, November 8. This entry provides a complete analysis of the vulnerability based on samples acquired in the wild.

This is an easily exploitable vulnerability which can be found in all supported versions of Windows, from Windows 7 to Windows 10. The exploit code we’ve seen in the wild only affects 64-bit versions of Windows, although both 32- and 64-bit versions have the underlying flaw. Let us examine this vulnerability in some detail to understand the techniques used by the attacker. By changing one bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances.
#1773 Exploit company exodus sold Firefox zero-day earlier this year
This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday.

One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.

The case highlights the often antithetical relationship between companies that research and develop exploits, and those who maintain the affected software. But it also shows an instance of a company selling related exploit information to both defensive and offensive customers.

Back in December 2015, cybersecurity firm Fortinet announced it had added an intrusion detection system (IDS) signature for a Firefox zero-day; that is, a security issue unknown to Mozilla which develops Firefox. IDS signatures are used to detect particular exploits or types of attack.
#1772 Bypassing CSP using polyglot JPEG
James challenged me to see if it was possible to create a polyglot JavaScript/JPEG. Doing so would allow me to bypass CSP on almost any website that hosts user-uploaded images on the same domain. I gleefully took up the challenge and begun dissecting the format. The first four bytes are a valid non-ASCII JavaScript variable 0xFF 0xD8 0xFF 0xE0. Then the next two bytes specify the length of the JPEG header. If we make that length of the header 0x2F2A using the bytes 0x2F 0x2A as you might guess we have a non-ASCII variable followed by a multi-line JavaScript comment. We then have to pad out the JPEG header to the length of 0x2F2A with nulls.
#1771 A beginner’s guide to beefing up your privacy and security online
With Thanksgiving behind us, the holiday season in the US is officially underway. If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home.

This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities.

This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance. This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised. And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices.
#1770 New SmsSecurity variant roots phones, abuses accessibility features and TeamViewer
In January of 2016, we found various “SmsSecurity” mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user’s device.

Since then, we’ve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user. We detect these malicious apps as ANDROIDOS_FAKEBANK.OPSA.
#1769 Google fixes 12 high-severity flaws In Chrome browser
Google is urging Windows, Mac and Linux users to update their Chrome browsers to fix multiple vulnerabilities that could allow malicious third parties to take control of targeted systems.

Released Thursday, Chrome version 55.0.2883.75 for Windows, Mac, and Linux fixes those security issues. It also introduces a number of new features to the browser to enhance the way it handles panning gestures and to support CSS automatic hyphenation.

The United States Computer Emergency Readiness Team (US-CERT) issued an alert around the Chrome update on Thursday in conjunction with Google, detailing a list of 26 bug bounty payments totaling $70,000 paid to external researchers. According to Google, another 10 security fixes were tackled by Google itself.
#1768 Buffer overflow exploit can bypass Activation Lock on iPads running iOS 10.1.1
Apple's Activation Lock feature, introduced in iOS 7 in 2013, deters thieves by associating your iPhone and iPad with your Apple ID. Even if a thief steals your device, puts it into Recovery Mode, and completely resets it, the phone or tablet won't work without the original user's Apple ID and password. This makes stolen iDevices less valuable since they become more difficult to resell, and it has significantly reduced iPhone theft in major cities.

The feature has been difficult to crack, but a new exploit disclosed by Vulnerability Lab security analyst Benjamin Kunz Mejri uses a buffer overflow exploit and some iPad-specific bugs to bypass Activation Lock in iOS 10.1.1.
#1767 Amazon offers DDoS protection with Shield
This isn't far from the first such service. Akamai, CloudFlare, and Incapsula all offer DDoS mitigation services. AWS Shield, however, is only for AWS customers.

What Amazon brings to the DDoS battle-line is the sheer scale of Amazon Web Services (AWS). This family of services makes up the world's largest public cloud.

Werner Vogels, Amazon CTO, in announcing Shield at AWS re:Invent, claimed, "I think this will really help you protect yourselves even against the largest and most sophisticated attacks that we've seen out there."

I wish them luck with that. Even AWS might shake some with an assault of the magnitude that took down the Dyn Domain Name System (DNS) provider earlier this year. 1.2 Terabits per second (Tbps), which is estimated to be the attack's high point, would be enough to wreck anyone's day.
#1766 Fake Apple chargers fail safety tests
Investigators have warned consumers they face potentially fatal risks after 99% of fake Apple chargers failed a basic safety test.

Trading Standards, which commissioned the checks, said counterfeit electrical goods bought online were an "unknown entity".

Of 400 counterfeit chargers, only three were found to have enough insulation to protect against electric shocks.

It comes as Apple has complained of a "flood" of fakes being sold on Amazon.

Apple revealed in October that it was suing a third-party vendor, which it said was putting customers "at risk" by selling power adapters masquerading as those sold by the Californian tech firm.
#1765 Analysis of multiple vulnerabilities in AirDroid
AirDroid is a popular remote management tool for Android. It has an estimated user base of over 50 million devices according to the Google Play Store.
Our research highlights how insecure communication channels make millions of users vulnerable to Man-in-the-Middle (MITM) attacks, information leakage and remote hijacking of update APK which leads to a remote code execution by a malicious party. The attacker exploits the app’s built-in functionalities and uses them against its users.
#1764 UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.

This was the proposed wording in the Code of Practice accompanying the legislation:

CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12