Security Alerts & News
by Tymoteusz A. Góral

#1645 Don’t Skype and Type! Acoustic eavesdropping in VOIP (PDF)
Acoustic emanations of computer keyboards represent a serious privacy issue. As demonstrated in prior work, spectral and temporal properties of keystroke sounds might reveal what a user is typing. However, previous attacks assumed relatively strong adversary models that are not very practical in many real-world settings. Such strong models assume: (i) adversary’s physical proximity to the victim, (ii) precise profiling of the victim’s typing style and keyboard, and/or (iii) significant amount of victim’s typed information (and its corresponding sounds) available to the adversary.

In this paper, we investigate a new and practical keyboard acoustic eavesdropping attack, called Skype & Type (S&T), which is based on Voice-over-IP (VoIP). S&T relaxes prior strong adversary assumptions. Our work is motivated by the simple observation that people often engage in secondary activities (including typing) while participating in VoIP calls. VoIP software can acquire acoustic emanations of pressed keystrokes (which might include passwords and other sensitive information) and transmit them to others involved in the call. In fact, we show that very popular VoIP software (Skype) conveys enough audio information to reconstruct the victim’s input – keystrokes typed on the remote keyboard. In particular, our results demonstrate that, given some knowledge on the victim’s typing style and the keyboard, the attacker attains top-5 accuracy of 91.7% in guessing a random key pressed by the victim. (The accuracy goes down to still alarming 41.89% if the attacker is oblivious to both the typing style and the keyboard). Finally, we provide evidence that Skype & Type attack is robust to various VoIP issues (e.g., Internet bandwidth fluctuations and presence of voice over keystrokes), thus confirming feasibility of this attack.
#1644 The Dyn report: What we know so far about the world's biggest DDoS attack
First, there was nothing -- nothing -- surprising about this attack. As Paul Mockapetris, creator of the Domain Name System (DNS), said, "The successful DDoS attack on DYN is merely a new twist on age-old warfare. ... Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let's take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and realize and plan for more of these sorts of attacks."

This new twist came from the Internet of Things (IoT). Surprised? Please. We knew all along that not only could the IoT be used to attack networks, it would be used to target the internet.

IoT vendors must improve their security. Or, as Lyndon Nerenberg, an internet engineer, said on the North American Network Operators Group (NANOG), the professional association for internet engineering, architecture, and operations, mailing list, "The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion."
#1643 Remote code execution vulnerabilities plague LibTIFF library
A researcher is warning this week of three vulnerabilities, all of which can lead to remote code execution, that exist in the LibTIFF library. The library is a set of functions that helps support TIFF image files.

While there hasn’t been an official LibTIFF release that fixes the issues, users can get patches for two of the vulnerabilities via the library’s LibTIFF CVS repository.

Tyler Bohan, a senior research engineer with Cisco Talos, discussed details around all three of the vulnerabilities in a blog post on Tuesday.
#1642 Lawmakers asking what ISPs can do about DDoS attacks
IoT botnets and DDoS attacks have prominent lawmakers asking government agencies some probing questions about what can be done.

Sen. Mark Warner (D-VA) on Tuesday sent a letter to the Federal Communications Commission—as well as the Federal Trade Commission and Homeland Security—querying among other things whether ISPs have a legal standing to boot insecure connected devices from their networks. Warner wrote:

“Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of “non-harmful devices” to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the “network” – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.”
#1641 Paypal fixes 'worrying' security bug
A security researcher has found a simple way round one of the systems Paypal uses to protect users' accounts.

Deleting a few characters in the data which web browsers send to Paypal let Henry Hoggard bypass Paypal's two-factor authentication scheme.

This system is supposed to make accounts more secure by using extra methods to confirm someone's identity.

Paypal said it patched the bug days after it was reported.
#1640 Windows Atom tables can be abused for code injection attacks
Researchers have identified a way attackers could use atom tables in all versions of Windows to inject malicious code into a computer and bypass detection by security products at the same time.

The technique has been nicknamed AtomBombing by researchers at enSilo, and opens the door to perform man-in-the-browser attacks, access encrypted passwords, or remotely take screenshots of targeted systems.

AtomBombing does not exploit a Windows vulnerability and cannot be fixed with a patch. EnSilo urges security professionals to monitor for code injection in API calls to fend off possible attacks.
#1639 Microsoft Office malware: Now more users get anti-hacker, macro-blocking features
Citing a growth in macro-borne threats, Microsoft has opted to give Office 2013 users a feature from Office 2016 to selectively block macros and the malware they can carry.

Office macros are a double-edged sword for the enterprise. They can improve productivity by automating routine tasks in Excel and Word, but they can be coded to deliver malware.

Even though it's been possible since the days of Office 97 to disable macros by default, users have always had the option of enabling them, which has presented attackers with a way of spreading malware since the Melissa virus in 1999. More recently, macros have been used to deliver banking Trojans and ransomware.

Fortunately, Microsoft earlier this year introduced a new feature in Group Policy for Office 2016 that allowed admins to block macros from loading in risky scenarios, such as when staff are opening Office email attachments from unknown senders, or when opening a file from Dropbox. Admins could also allow macros to run for certain trusted workflows.
#1638 Flash Player zero-day being exploited in targeted attacks
A newly discovered zero-day vulnerability in Adobe Flash Player is being exploited by attackers in the wild. Adobe released a Security Bulletin (APSB16-36) yesterday which patches the vulnerability (CVE-2016-7855).

The critical vulnerability affects Adobe Flash Player and earlier versions for the following operating systems: Windows, Mac, Linux, Chrome OS.

According to Adobe, an exploit for the vulnerability exists in the wild and is being used in limited, targeted attacks against users running Windows versions 7, 8.1, and 10.
#1637 Joomla update fixes two critical issues, 2FA error
Web developers who run the content management system Joomla! are strongly encouraged to update their sites immediately.

The company on Tuesday pushed out the most recent version of the CMS, 3.6.4, fixing two critical issues that can lead to account creation and elevated privileges, according to a release update published by the Joomla! Project.
#1636 Dyn DDoS could have topped 1 Tbps
As more time passes, researchers are getting insight into the size and structure of the DDoS attack against DNS provider Dyn last week, and the capabilities of the Mirai botnet.

First, Dyn released a truncated post-mortem on the attack with admittedly some omissions as a law enforcement investigation continues. Executive Vice President of Products Scott Hilton published a report yesterday that explains how the first of two sizable attacks began at 7 a.m. against its Managed DNS platform in Asia, Europe and South America before concentrating on the U.S. East region. A large number of IP addresses homed in with UDP and TCP packets targeting port 53, Hilton said.
#1635 Cisco patches critical vulnerability in facility events response system
Cisco Systems issued a security bulletin Wednesday for a critical vulnerability found in its IP Interoperability and Collaboration System (IPICS). The feature is a key part of a mechanism used by Cisco to facilitate emergency responses for “facility events.”

The vulnerability (CVE-2016-6397), according to Cisco, could allow an attacker to access the IPICS communications interface and cause the system to become unavailable. A software fix has been released to address the flaw and no workaround is available, according to Cisco.
#1634 Could your 'smart' home be a weapon of web destruction?
Do you use a webcam to check on Tiddles the cat or Bonzo the dog while you're at work?

If so, you could be unwittingly turning your internet-connected "smart" home into a weapon of web destruction.

That's the unsettling conclusion to be drawn from the recent web attacks that made use of a botnet army of compromised connected devices, from webcams to printers, to knock out a number of popular websites.

The smart home, it seems, is pretty dumb when it comes to security.

Wi-fi routers, digital video recorders, controllable lighting, security cameras - all these devices offer a potentially easy way in to your network and then the wider internet.

As the Internet Society warned last year: "The interconnected nature of IoT [internet of things] devices means that every poorly secured device that is connected online potentially affects the security and resilience of the internet globally."
#1633 Project management tips: Five ways to keep your project and your team on target
The ongoing Australian Federal Court case between music studios and internet service providers (ISPs) has seen Telstra, Optus, TPG, and Foxtel argue that they should be reimbursed for the costs associated with blocking access to KickAss Torrents and its related proxy sites that infringe or facilitate the infringement of copyright.

During the hearing in Sydney on Tuesday morning, counsel representing the four music studios -- Universal Music Australia, Sony Music Entertainment Australia, Warner Music Australia, and J Albert & Son -- said this case differs from the piracy site-blocking case between Foxtel/Roadshow and ISPs that is also currently facing Federal Court judgment in two important respects: The nature of the blocking, or specifically whether it should be domain name server (DNS) or internet protocol (IP) blocking; and "the way of dealing with future infringements".
#1632 Microsoft: Beware this fake Windows BSOD from tech support scammers' malware
Microsoft has sounded the alarm over a fake installer for its Security Essentials, which attempts to trick victims into contacting bogus help centers.

Tech-support scammers have stepped up their technical game, prompting a "severe" warning from Microsoft over new Windows malware that mimics Microsoft's free Security Essentials antivirus, and then displays a fake blue screen of death, or BSoD, with an error message and a suggestion to call a 1800 number that is not a Microsoft support center.

The malware, which Microsoft calls Hicurdismos, disables Task Manager to prevent the user from terminating the fake BSoD and hides the mouse cursor to make the user think Windows is not responding.
#1631 Android phones rooted by “most serious” Linux escalation bug ever
There's a new method for rooting Android devices that's believed to work reliably on every version of the mobile operating system and a wide array of hardware. Individuals can use it to bypass limitations imposed by manufacturers or carriers, but it could also be snuck into apps for malicious purposes.

The technique comes courtesy of a Linux privilege-escalation bug that, as came to light last week, attackers are actively exploiting to hack Web servers and other machines. Dirty Cow, as some people are calling the vulnerability, was introduced into the core Linux kernel in 2007. It's extremely easy to exploit, making it one of the worst privilege-elevation flaws ever to hit the open-source OS.

Independent security researcher David Manouchehri told Ars that this proof-of-concept code that exploits Dirty Cow on Android gets devices close to root. With a few additional lines, Manouchehri's code provides persistent root access on all five of the Android devices he has tested.
#1630 The “notification” ransomware lands in Brazil
It’s unusual for a day to go by without finding some new variant of a known ransomware, or, what is even more interesting, a completely new one. Unlike the previously reported and now decrypted Xpan ransomware, this same-but-different threat from Brazil has recently been spotted in the wild. This time the infection vector is not a targeted remote desktop intrusion, but a more massively propagated malicious campaign relying on traditional spam email.

Since the infection is not done manually by the bad guys, their malware has a higher chance of being detected and we believe that is one of the reasons for them to have added one more level of protection to the code, resorting to a binary dropper to launch the malicious payload.
#1629 HackerOne CEO: Every computer system is subject to vulnerabilities
Every computer system in the world is vulnerable to hackers and criminals, according to Marten Mickos, CEO of HackerOne. That's nothing new with major data breaches at Yahoo and the federal government.

But not to worry, teams of ethical hackers could be an answer to the growing cybersecurity concerns.

"There are far more ethical hackers, white hat hackers, in the world than criminals," Mickos told CNBC's "Squawk Alley" on Thursday. "So when you just invite the good guys to help you, you will always be safe. It's like a neighborhood watch. You're asking the good guys around you to help you see what's wrong with your system and help you fix it."
#1628 Mozilla turning TLS 1.3 on by default with Firefox 52
When Mozilla ships Firefox 52, on or around March 7, 2017, the browser will come with the cryptographic protocol TLS 1.3 on by default.

Martin Thomson, a principal engineer at Mozilla, broke the news Wednesday in an email to Mozilla Development Platform members.

“TLS 1.3 removes old and unsafe cryptographic primitives, it is built using modern analytic techniques to be safer, it is always forward secure, it encrypts more data, and it is faster than TLS 1.2,” Thomson wrote.
#1627 Serious dirty COW Linux vulnerability under attack
A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges.

While the Linux kernel was patched on Wednesday, the major distributions are preparing patches. Red Hat, for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.
#1626 Adding a phone number to your Google account can make it LESS secure.
Recently, account takeovers, email hacking, and targeted phishing attacks have been all over the news. Hacks of various politicians, allegedly carried out by Russian hackers, have yielded troves of data. Despite the supposed involvement of state-sponsored agents, some hacks were not reliant on complex zero-day attacks, but involved social engineering unsuspecting victims. These kinds of attacks are increasingly likely to be used against regular people.
#1625 Mirai-Fueled IoT botnet behind DDoS attacks on DNS providers
A botnet of connected things strung together by the Mirai malware is responsible for Friday’s distributed denial-of-service attacks against DNS provider Dyn. The DDoS attacks impacted Internet service on the East Coast of the United States, and were responsible for keeping Dyn and a number of its high-profile customers offline during different times during the day.

Level 3 Communications, a large service provider located in Colorado, said that it was monitoring the attacks and that it believed 10 percent of the IP-enabled cameras, DVRs, home networking gear and other connected devices compromised by Mirai were involved in Friday’s attacks.
#1624 Cisco develops system to automatically cut-off pirate video streams
Cisco says it has developed a system to disable live pirate streams. The network equipment company says its Streaming Piracy Prevention platform utilizes third-party forensic watermarking to shut down pirate streams in real-time, without any need to send takedown notices to hosts or receive cooperation from third parties.

While torrents continue to be one of the Internet’s major distribution methods for copyrighted content, it’s streaming that’s capturing the imagination of the pirating mainstream.
#1623 Russians seek answers to central Moscow GPS anomaly
MOSCOW (AP) — Joggers, taxi drivers, players of Pokemon Go and senior Russian officials are seeking an explanation of why mobile phone apps that use GPS are malfunctioning in central Moscow.

A programmer for Russian internet firm Yandex, Grigory Bakunov, said Thursday his research showed a system for blocking GPS was located inside the Kremlin, the heavily guarded official residence of Russian President Vladimir Putin.

Users of GPS have complained on social media in recent months that when they are near the Kremlin their GPS-powered apps stop working or show them to be in Moscow's Vnukovo airport, 29 kilometers (18 miles) away.

The problem has frustrated those requesting taxis via services such as Uber or looking to catch Pokemons in the popular game played on mobile devices. Large numbers of people running the Moscow marathon last month complained that their jogging apps lost track of how far they had run when they passed the Kremlin.
#1622 Hacked cameras, DVRs powered today’s massive internet outage
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.

Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
#1621 Using Rowhammer bitflips to root Android phones is now a thing
Researchers have devised an attack that gains unfettered "root" access to a large number of Android phones, exploiting a relatively new type of bug that allows adversaries to manipulate data stored in memory chips.

The breakthrough has the potential to make millions of Android phones vulnerable, at least until a security fix is available, to a new form of attack that seizes control of core parts of the operating system and neuters key security defenses. Equally important, it demonstrates that the new class of exploit, dubbed Rowhammer, can have malicious and far-reaching effects on a much wider number of devices than was previously known, including those running ARM chips.
#1620 Free tool protects PCs from master boot record attacks
Cisco's Talos team has developed an open-source tool that can protect the master boot record of Windows computers from modification by ransomware and other malicious attacks.

The tool, called MBRFilter, functions as a signed system driver and puts the disk's sector 0 into a read-only state. It is available for both 32-bit and 64-bit Windows versions and its source code has been published on GitHub.

The master boot record (MBR) consists of executable code that's stored in the first sector (sector 0) of a hard disk drive and launches the operating system's boot loader. The MBR also contains information about the disk's partitions and their file systems.
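The sector 0 layout just described (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) is easy to check from user space. The following is an added example, not code from Talos or MBRFilter: it parses a constructed sample MBR, snapshots a known-good baseline and reports what changed, which is the defender-side counterpart to write-blocking the sector.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_SIZE = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510        # bytes 55 AA terminate a valid MBR
BOOT_SIGNATURE = 0xAA55       # the same two bytes read as a little-endian word


def parse_partitions(sector0):
    """Return the non-empty entries of the MBR partition table."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly %d bytes" % SECTOR_SIZE)
    (sig,) = struct.unpack_from("<H", sector0, SIGNATURE_OFFSET)
    if sig != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0:
            continue  # unused slot
        entries.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return entries


def boot_code_digest(sector0):
    """SHA-256 of the 446-byte code area, the part MBR ransomware and bootkits overwrite."""
    return hashlib.sha256(sector0[:CODE_AREA_SIZE]).hexdigest()


def make_baseline(sector0):
    """Snapshot taken from a known-good sector 0 (e.g. right after installation)."""
    return {"code_digest": boot_code_digest(sector0),
            "partitions": parse_partitions(sector0)}


def audit_sector0(sector0, baseline):
    """Compare the current sector 0 against the baseline; return a list of findings."""
    findings = []
    (sig,) = struct.unpack_from("<H", sector0, SIGNATURE_OFFSET)
    if sig != BOOT_SIGNATURE:
        findings.append("boot signature missing or altered")
    if boot_code_digest(sector0) != baseline["code_digest"]:
        findings.append("boot code changed")
    if sig == BOOT_SIGNATURE and parse_partitions(sector0) != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr():
    """Constructed sample (not a real disk image): a stub in the code area
    and one active partition of type 0x07 starting at LBA 2048."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(CODE_AREA_SIZE, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + b"\x55\xaa"


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = make_baseline(good)
    print("baseline partitions:", baseline["partitions"])
    # Simulate something overwriting the start of the code area.
    tampered = bytearray(good)
    tampered[0:4] = b"\xeb\xfe\x90\x90"
    print("findings:", audit_sector0(bytes(tampered), baseline))
```

On a live system the 512 bytes would come from reading the first sector of the physical disk with administrative rights; the baseline should be stored off-host so that an attacker who rewrites the MBR cannot also rewrite the reference.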
#1619 Dyn DDoS part 2: The hackers strike back
I told you so. I warned you we were on the verge of attacks that could knock the internet off, and now we're seeing the first of them. Dyn, a major Domain Name System (DNS) service provider, is being assaulted by a global Distributed Denial of Service (DDoS) attack. Because Dyn provides DNS services for household-name websites such as AirBnB, GitHub, Spotify, Reddit, and Twitter, these sites have essentially been down for hours.

At this point we don't know a lot about the attacks. We can presume they are massive in scale. How big is that? Try terabit-per-second DDoS levels.

According to Andrew Sullivan, Dyn fellow and chair of the Internet Architecture Board on the Internet Outage announcement mailing list, the attack is being made against "the Dyn managed DNS infrastructure, which is the anycast deployment." This is the service that major companies use to make sure their DNS services work smoothly. Without these services -- think of them as the internet's master phonebook -- you can't easily find websites.
#1618 Dyn, a managed DNS service, hit with attack, popular sites see performance issues
Dyn, which provides managed domain name service via its Anycast Network, said it has been hit by a distributed denial of service attack that has led to spotty performance by a bevy of popular sites such as Reddit and Twitter.

The DDoS attack notice was posted on Dyn's web site. The incident is affecting Dyn's customers in the US East Coast region. Although the Dyn customer sites are appearing, they seem to be slow. We've received a few reports that sites were down too.
#1617 FruityArmor APT group used recently patched Windows zero-day
One of the four zero-day vulnerabilities Microsoft patched last week was being used by an APT group called FruityArmor to carry out targeted attacks, escape browser-based sandboxes, and execute malicious code in the wild.

Anton Ivanov, a researcher at Kaspersky Lab, was credited by Microsoft for discovering the vulnerability last Tuesday but little was known about how it was actually being exploited until today.

The vulnerability, CVE-2016-3393, stemmed from the way a component, Windows graphics device interface (GDI), handled objects in memory. GDI is an application programming interface in Windows that helps apps that use graphics and formatted text on the video display and printer.
#1616 Mobile applications leak device, location data
Both Android and iOS apps leak data, leaving users vulnerable to data theft, denial-of-service attacks, and remote SIM card rooting.

In a report released Thursday, “Are mobile apps a leaky tap in the enterprise?”, researchers at Zscaler assert that Android and iOS users are equally vulnerable to a wide range of mobile security threats tied to mobile apps.

According to the report, enterprises are challenged by both a growing number of BYOD devices invading the workplace along with users downloading risky apps from third-party sources. In its study of 45 million transactions during a three-month period, Zscaler identified privacy leakage as the most serious problem with too many apps sending metadata, location and personal identifiable information to the developer’s server or an ad server. The report calls on companies to enforce stricter mobile device management programs to protect users and network assets.
#1615 This ransomware is now one of the three most common malware threats
The threat of ransomware attacks continues to grow. One particular strain of the cryptographic file-locking malicious software has now risen to become one of the top three most prevalent forms of malware used by hackers and cybercriminals.

Ransomware has exploded in 2016 and is increasingly targeting business networks instead of individual users. The total cost of damages related to these attacks is set to top $1 billion this year.

It's the Locky family which is currently the most prevalent family of ransomware. The malware infamously took down the network of a high-profile Los Angeles hospital in February, and its notoriety has led to it entering the top three most common forms of malware.
#1614 Locky ransomware learns new evasive tricks
For several weeks security experts have had success slowing Locky ransomware infection rates. That’s been due to aggressive efforts to combat the Trojan downloader Nemucod, used in recent campaigns to distribute Locky. But now researchers say hackers behind Locky are changing tactics, giving the ransomware new legs.

According to the Microsoft Malware Protection Center team, Locky ransomware authors have shifted the type of malicious attachments used in their spam campaigns to evade detection. They have observed Locky authors moving away from the use of .wsf files hiding Nemucod.
#1613 3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and Axis worst hit
MUMBAI: Banks in India will either replace or ask users to change the security codes of as many as 3.2 million debit cards in what's emerging as one of the biggest ever breaches of financial data in India, people aware of the matter said. Several victims have reported unauthorised usage from locations in China.

Of the cards, 2.6 million are said to be on the Visa and MasterCard platform and 600,000 on the RuPay platform. The worst-hit of the card-issuing banks are State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank, the people said.
#1612 Weebly confirms hack; millions of Foursquare accounts also exposed
Another day, another hack.

Weebly and Foursquare are the latest in a long line of tech companies under scrutiny for their security practices. On Thursday, breach notification site LeakedSource posted details of the attacks in a blog post explaining what happened.

More than 43.4 million accounts were stolen in the attack, thought to have been carried out in February.

According to a sample of the data seen by ZDNet, each record in this mega breach contains a username, email address, password, and IP address. Stolen passwords were stored with bcrypt, a strong system for scrambling passwords.
#1611 The Reign of Ransomware (PDF)
By the end of 2015, we predicted that 2016 would be the Year of Online Extortion. This particular forecast was influenced by the proliferation of stolen data from data breach incidents used for online extortion, and an increasing number of similar online threats.

True enough, the first half of 2016 witnessed a surge of ransomware attacks launched against a variety of industries. During the first half of 2016 we blocked and detected almost 80 million ransomware threats. The rapid rise of ransomware cases could be a clear indication of ransomware’s effectiveness in granting cybercriminals the satisfaction of easy monetary reward. With the rising number of ransomware cases and more enterprises continuously losing money and opting to pay ransom, we believe that the Reign of Ransomware will stay prevalent.
#1610 Cisco ASA software identity firewall feature buffer overflow vulnerability
A vulnerability in the Identity Firewall feature of Cisco ASA Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or cause a reload of the affected system.

Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic.

Cisco has released software updates that address this vulnerability. There is a workaround that addresses this vulnerability.
#1609 “Most serious” Linux privilege-escalation bug ever is under active exploit
A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible.

While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.

"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."
#1608 Linux kernel bugs: we add them in and then take years to get them out
Kees Cook is a Google techie and security researcher whose interests include the Linux Kernel Self Protection Project.

The idea of “self-protection” doesn’t mean giving up on trying to create secure code in the first place, of course.

It may sound like an irony, but I’m happy to accept that writing secure code requires that you simultaneously write code that is predicated on insecurity.
#1607 Oracle puts out 253 fixes and a request to please apply patches NOW!
Better go make a fresh pot of coffee and pull up a seat: Oracle’s put out a bonanza of a patch dump, offering 253 fixes for 76 products.

Of those, 15 are critical, with a Common Vulnerability Scoring System (CVSS) score of 9.0 or over. Some allow complete system compromise over HTTP.

In its short-form advisory, Oracle also passed on a “please will you fix these things immediately” message, saying that it’s seeing successful attacks on systems that customers didn’t get around to patching.
#1606 Your dynamic IP address is now protected personal data under EU law
Europe's top court has ruled that dynamic IP addresses can constitute "personal data," just like static IP addresses, affording them some protection under EU law against being collected and stored by websites.

But the Court of Justice of the European Union (CJEU) also said in its judgment on Wednesday that one legitimate reason for a site operator to store them is "to protect itself against cyberattacks."

The case was referred to the CJEU by the German Federal Court of Justice, after an action brought by German Pirate Party politician Patrick Breyer. He asked the courts to grant an injunction to prevent websites that he consults, run by federal German bodies, from collecting and storing his dynamic IP addresses.
#1605 Russian hacker, wanted by FBI, is arrested in Prague, Czechs say
PRAGUE — A man identified as a Russian hacker suspected of pursuing targets in the United States has been arrested in the Czech Republic, the police announced Tuesday evening.

The suspect was captured in a raid at a hotel in central Prague on Oct. 5, about 12 hours after the authorities heard that he was in the country, where he drove around in a luxury car with his girlfriend, according to the police. The man did not resist arrest, but he had medical problems and was briefly hospitalized, the police said in a statement.

David Schön, a police spokesman, said on Wednesday that the arrest of the man, whose name has not been released, was not announced immediately “for tactical reasons.”
#1604 Flaw in Intel chips could make malware attacks more potent
Researchers have devised a technique that bypasses a key security protection built into just about every operating system. If left unfixed, this could make malware attacks much more potent.

ASLR, short for "address space layout randomization," is a defense against a class of widely used attacks that surreptitiously install malware by exploiting vulnerabilities in an operating system or application. By randomizing the locations in computer memory where software loads specific chunks of code, ASLR often limits the damage of such exploits to a simple computer crash, rather than a catastrophic system compromise. Now, academic researchers have identified a flaw in Intel chips that allows them to effectively bypass this protection. The result is exploits that are much more effective than they would otherwise be.
#1603 LinkedIn says hacking suspect is tied to breach that stole 117M passwords
An alleged Russian hacker arrested in the Czech Republic following an FBI-coordinated tip-off is suspected of taking part in a 2012 breach of LinkedIn that resulted in the theft of more than 117 million user passwords, representatives of the professional networking site said Wednesday.

"Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI's case to pursue those responsible," company officials said in a statement. "We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity."
#1602 Spreading the DDoS disease and selling the cure
Earlier this month a hacker released the source code for Mirai, a malware strain that was used to launch a historically large 620 Gbps denial-of-service attack against this site in September. That attack came in apparent retribution for a story here which directly preceded the arrest of two Israeli men for allegedly running an online attack for hire service called vDOS. Turns out, the site where the Mirai source code was leaked had some very interesting things in common with the place vDOS called home.

The domain name where the Mirai source code was originally placed for download — santasbigcandycane[dot]cx — is registered at the same domain name registrar that was used to register the now-defunct DDoS-for-hire service vdos-s[dot]com.

Normally, this would not be remarkable, since most domain registrars have thousands or millions of domains in their stable. But in this case it is interesting mainly because the registrar used by both domains — a company called — has apparently been used to register just 38 domains since its inception by its current owner in 2012, according to historic WHOIS records gathered by
#1601 5900 online stores found skimming [analysis]
Online skimming is just like physical skimming: your card details are stolen so that other people can spend your money. However, online skimming is more effective because a) it is harder to detect and b) it is near impossible to trace the thieves.

In short: hackers gain access to a store’s source code using unpatched software flaws in various popular e-commerce software. Once a store is under control of a perpetrator, a (Javascript) wiretap is installed that funnels live payment data to an off-shore collection server (mostly in Russia). This wiretap operates transparently for customers and the merchant. Skimmed credit cards are then sold on the dark web for the going rate of $30 per card.
#1600 VeraCrypt patches critical vulnerabilities uncovered in audit
An audit of open source file and disk encryption package VeraCrypt turned up a number of critical vulnerabilities that have been patched in the month since the assessment was wrapped up.

The audit, which began Aug. 16, was funded by the Open Source Technology Improvement Fund (OSTIF) and executed by two researchers at Quarkslab.

The examination was carried out against VeraCrypt 1.18; VeraCrypt is a fork of TrueCrypt, the once-popular and de facto standard for free FDE, which was abandoned in 2014 under mysterious circumstances as the project’s maintainers said the code was no longer safe to use. TrueCrypt was soon thereafter audited by the Open Crypto Audit Project and a number of vulnerabilities were uncovered, but no backdoors as was feared in the aftermath of the initial Snowden leaks.
#1599 DSL does 10Gbps over telephone lines
Nokia has achieved a connection speed of 5Gbps—about 625MB/sec—over 70 metres of conventional twisted-pair copper telephone wire, and 8Gbps over 30 metres. The trial used a relatively new digital subscriber line (DSL) protocol called (aka G.fast2). is the probable successor of, which was successfully trialled in a few countries over the past couple of years and will soon begin to commercially roll out. (In an unusual turn of events, the UK will probably be the first country with

Fundamentally, both and are best described as "VDSL on steroids." Basically, while a VDSL2 signal frequency maxes out around 17MHz, starts at 106MHz (it can be doubled to 212MHz) and uses between 350MHz and 500MHz. This means that there's a lot more bandwidth (the original meaning of the word), which in turn can be used for transferring data at higher speeds.

By way of example, VDSL2 can do around 100Mbps over that 17MHz channel; can do about 700Mbps at 106MHz; and can go all the way up to 10Gbps at 500MHz with two bonded telephone lines.
#1598 Why is Java so insecure? Buggy open source components take the blame
Open-source and Java components used in applications remain a weak spot for the enterprise, according to a new analysis.

Java applications in particular are posing a challenge, with 97 percent of these applications containing a component with at least one known vulnerability, according to a new report from code-analysis security vendor Veracode.

Veracode's annual security report is based on 300,000 assessments it has run on enterprise applications over the 18 months to March 31, 2016, and includes software from open-source projects, commercial vendors, large and small businesses, and software outsourcers.
#1597 Attackers hiding stolen credit card numbers in images
Researchers are encouraging developers who use Magento to remain vigilant about securely configuring their sites, as attackers have been embedding credit card swipers in sites running the open source e-commerce platform.

The swipers, or scrapers, are bits of malicious code that collect credit card numbers, login details and other information and forward it to attackers. While criminals have been targeting sites running the platform for months, they’ve only just recently started embedding that information in obscure image files.

In an even more confounding twist, in one recent instance an image that was hiding stolen credit card numbers was legitimate and publicly viewable, meaning an attacker wouldn’t even have to go to the trouble of accessing the site to get the information. They could simply view or download the image from the affected site.
#1596 VeraCrypt 1.18 Security Assessment (PDF)
This report describes the results of the security assessment of VeraCrypt 1.18 made by Quarkslab between Aug. 16 and Sep. 14, 2016 and funded by OSTIF. Two Quarkslab engineers worked on this audit, for a total of 32 man-days of study.
#1595 Hacked Republican website skimmed donor credit cards for 6 months
A website used to fund the campaigns of Republican senators was infected with malware that for more than six months collected donors' personal information, including full names, addresses, and credit card data, a researcher said.

The storefront for the National Republican Senatorial Committee was one of about 5,900 e-commerce platforms recently found to be compromised by malicious skimming software, according to researcher and developer Willem de Groot. He said the NRSC site was infected from March 16 to October 5 by malware that sent donors' credit card data to attacker-controlled domains. One of the addresses—jquery-code[dot]su—is hosted by dataflow[dot]su, a service that provides so-called bulletproof hosting to money launderers, sellers of synthetic drugs and stolen credit card data, and other providers of illicit wares or services.
#1594 Free SSL providers spark unprecedented growth in encrypted traffic
If recent telemetry from Mozilla is indeed representative of the Internet, then it would appear that half of all traffic in transit is encrypted, a more than 10 percent jump from last December.

The emergence of free Certificate Authorities such as Let’s Encrypt, and similar gratis HTTPS certificate services offered by Cloudflare, Amazon and others has resulted in unprecedented growth of encrypted traffic.

“SSL was too difficult for too long, and in the last year, it’s gotten a lot easier,” said Josh Aas, executive director of the Internet Security Research Group and former Mozilla developer. “A lot of people know they want to use SSL, but the cost and difficulty has been a problem.”
#1593 TrickBot banking trojan could be Dyre rewrite
Despite the fact that the criminals allegedly behind the creation and distribution of the Dyre banking Trojan are in a Russian jail, a new piece of malware in the wild has enough similarities to Dyre that researchers are wondering whether there’s a connection.

The new malware is called TrickBot and for now, it’s targeting banks in Australia given a number of webinjects found in the code. TrickBot looks like a rewrite of Dyre, researchers at Fidelis Cybersecurity said, cautioning that while there are some similar aspects between the two, such as the loader used by both, there are a number of new features in TrickBot that cast some doubt on the connection.
#1592 These free ransomware decryption tools have rescued data from 2,500 locked devices
A set of free ransomware decryption tools has helped 2,500 people rescue their data, depriving cyber-crooks of more than €1.35 million in ransom.

The tools -- part of the No More Ransom project -- were launched three months ago by the Dutch National Police, Europol, Intel Security, and Kaspersky Lab.

During the first two months, more than 2,500 people have managed to decrypt their devices without having to pay criminals, using the main decryption tools on the site (CoinVault, WildFire, and Shade), Europol said. On average 400,000 people visit the website every day.

"This has deprived cybercriminals of an estimated €1.35 million in ransoms," said Europol.
#1591 Fantastic malware and where to find them
We, as malware analysts, are always in need for new samples to analyze in order to learn, train or develop new techniques and defenses. I’m sharing here my private collection of repositories, databases and lists which I use on a daily basis. Some of them are updated frequently and some of them are not. The short description under each link wasn’t written by me, it was written by the owners of the repositories.
#1590 Android banking trojan asks for selfie with your ID
In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmother’s Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain illegal access to the victims’ bank accounts.

Recently the McAfee Labs Mobile Research Team found a new variant of the well-known Android banking Trojan Acecard (aka Torec, due to the use of Tor to communicate with the control server) that goes far beyond just asking for financial information. In addition to requesting credit card information and second-factor authentication, the malicious application asks for a selfie with your identity document—very useful for a cybercriminal to confirm a victim’s identity and access not only to banking accounts, but probably also even social networks.
#1589 Beware of all-powerful DDoS malware infecting cellular gateways, feds warn
This week, the US government-backed ICS-CERT warned that the troubling new generation of computer attacks is powered by malware that can infect cellular modems used to connect automotive and industrial equipment to the Internet.

An advisory published Wednesday listed five industrial control devices manufactured by Sierra Wireless that are vulnerable to malware known as Mirai when default passwords that ship with the equipment aren't changed on the gateways. The advisory referenced a separate notice from Sierra Wireless (PDF) that reported infections have succeeded against actual devices by connecting to the ACEmanager, a graphical interface used to remotely administer and configure them.
#1588 Android devices that contain Foxconn firmware may have a secret backdoor
Some Android devices that contain firmware created by Foxconn may be vulnerable via a debugging feature left inside the OS bootloader, which acts as a backdoor and bypasses authentication procedures for any intruder with USB access to a vulnerable phone.

Foxconn is a Taiwanese company that assembles the electronic parts of several Android smartphone manufacturers (OEMs).

The reason this backdoor exists in the bootloader, the piece of code responsible for booting up the Android OS, is because various OEMs allow Foxconn to create and supply firmware for some of the electronics they use to glue all the parts of an Android device together.
#1587 Evernote confirms a serious bug caused data loss for some Mac users
A number of Evernote users are now being alerted via email message of a serious bug that may cause data loss in certain versions of the company’s Mac application. Not all Evernote Mac users were affected by this bug, but those who received the email will need to update their Mac app immediately in order to protect themselves from experiencing the issue.

According to the email sent to users, the bug can cause images and other attachments to be deleted under specific conditions, when using Evernote for Mac. The company claims only “a small number of people” have been impacted by the glitch, which occurs in the version of the Mac software released in September, and less frequently, in the versions released since this June.
#1586 Almost 6,000 online shops hit by hackers
Almost 6,000 web shops are unknowingly harbouring malicious code that is stealing the credit card details of customers, suggests research.

The code has been injected into the sites by cyberthieves, said Dutch developer Willem De Groot.

He found the 5,925 compromised sites by scanning for the specific signature of the data-stealing code in website software.

Some of the stolen data was sent to servers based in Russia, he said.
#1585 Cisco patches critical bug in video conferencing server hardware
On Wednesday Cisco Systems patched a critical vulnerability found in its Cisco Meeting Server hardware, a key component in its enterprise audio, web and video conferencing service.

The flaw, according to a Cisco Security Advisory, could allow an unauthenticated remote attacker to masquerade as a legitimate user. “A successful exploit could allow an attacker to access the system as another user,” according to Cisco.
#1584 Beware of the student loan forgiveness scam spam
According to reports, 42 million people owe US$1.3 trillion in student debt in America today. With most of these student loans being government-backed, the student debt industry in America is big business and estimated to be worth $140 billion annually.

Scammers globally have been quick to take advantage of the desperate plight of graduates struggling with student debt by preying on them with seductive offers, such as student loan forgiveness. In recent research into the activities of the Ascesso (aka Tofsee) malware family (Trojan.Ascesso), Symantec observed several spam runs attempting to send out thousands of student loan forgiveness scam emails.
#1583 Google plugs 21 security holes in Chrome
Google on Wednesday patched 21 security vulnerabilities in Chrome, including a half dozen rated high severity that were reported by external researchers and were eligible for a bounty.

Bug hunters earned a total of $30,000 in bounties, with a top payout of $7,500 to an unnamed researcher for a universal cross-site scripting flaw found in Blink, the Chrome browser engine.

The Chrome 54 update (54.0.2840.59) applies to the Windows, Mac, and Linux versions of the browser. Google said in its security bulletin the updates will roll out over the next days and weeks to Chrome browsers.
#1582 Operations of a Brazilian payment card fraud group
Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyber crime rankings, and multiple sources claim that financially motivated threat activity in the country has increased within the past few years.

In this blog we provide insight into the tactics, techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations. The threat actors, observed by FireEye Labs, use a variety of different methods to either compromise or acquire already compromised payment card credentials, including sharing or purchasing dumps online, hacking vulnerable merchant websites and compromising payment card processing devices. Once in their possession, the actors use these compromised payment card credentials to generate further card information. The main methods used by the observed group to launder and monetize illicit funds include online purchases of various goods and services as well as ATM withdrawals.

Based on extensive observation of this group's activity, we are able to characterize their operations lifecycle starting with the initial operational setup; followed by the methods used to compromise credentials or, conversely, purchase already compromised credentials; then the process of generating new cards for subsequent abuse, which includes validation and cloning; and finally the subsequent monetization strategies.
#1581 Amazon resets customer passwords, while LeakedSource discloses massive update
Last weekend, and continuing on to earlier this week, Amazon sent password reset notifications to customers whose accounts were likely using recycled credentials. In somewhat related news, LeakedSource said on Tuesday they’ve added nearly 40 million hacked accounts to their database.
#1580 IoT devices as proxies for cybercrime
Multiple stories published here over the past few weeks have examined the disruptive power of hacked “Internet of Things” (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud.

Recently, I heard from a cybersecurity researcher who’d created a virtual “honeypot” environment designed to simulate hackable IoT devices. The source, who asked to remain anonymous, said his honeypot soon began seeing traffic destined for Asus and Linksys routers running default credentials. When he examined what that traffic was designed to do, he found his honeypot systems were being told to download a piece of malware from a destination on the Web.
#1579 A SSHowDowN in security: IoT devices enslaved through 12 year old flaw
A vulnerability which has existed for over a decade in OpenSSH has led to today's IoT devices being used in targeted attacks.

In what researchers call the "Internet of Unpatchable Things," a 12-year-old security flaw is being exploited by attackers in a recent spate of SSHowDowN Proxy attacks.

The Internet of Things (IoT) is an emerging market full of Wi-Fi and networked devices including routers, home security systems, and lighting products. While the idea of making your home more efficient and automating processes is an appealing one, unfortunately, vendors en masse are considering security as an afterthought for thousands of devices now in our homes, leaving our data vulnerable.
#1578 Feds strike another multi-national “tech support” scam
Federal authorities say a group of scammers that "bilked millions" from US consumers with pop-up ads and hijacked Web browsers has been sued by the Federal Trade Commission.

The scheme, which operates under the name Global Access Tech Support, used pop-up ads that told consumers their computers were "hacked, infected, or otherwise compromised," according to the FTC complaint (PDF) published yesterday. Consumers are then instructed to call a toll-free number in the message. The pop-ups "are typically designed so that consumers are unable to close or navigate around them, rendering consumers' web browser unusable."
#1577 Fighting the person should be cybersecurity best practice: Nuix
One major mistake organisations and governments are making in protecting their systems is neglecting the importance of focusing on the person at the end of the attack, according to Keith Lowry, senior vice president at Sydney-based intelligence, analytics, and cybersecurity software firm Nuix.

The 25-year cyber-veteran said that the majority of all insider threat programs he has been privy to begin with the foundation of technology, and that in reality, the foundation of a counter-insider threat program needs to start with recognising there is a person at the other end.

"It's about people using technology -- it's not about technology by itself -- and too many people focus on the fact that it's all technology and therefore the answer to it must be a piece of technology," Lowry said.
#1576 CryPy: ransomware behind Israeli lines
A Tweet posted recently by AVG researcher, Jakub Kroustek, suggested that a new ransomware, written entirely in Python, had been found in the wild, joining the emerging trend for Pysomwares such as the latest HolyCrypt, Fs0ciety Locker and others.

This Python executable comprises two main files. One is called and the other The first is responsible for error-logging on Windows platforms, while the second, the encryptor, is the actual locker. Within the encryptor are a number of functions including two calls to the C&C server. The C&C is hidden behind a compromised web server located in Israel. The Israeli server was compromised using a known vulnerability in a content management system called Magento, which allowed the threat actors to upload a PHP shell script as well as additional files that assist them in streaming data from the ransomware to the C&C and back.

A notable point to mention is that the server was also used for phishing attacks, and contained Paypal phishing pages. There are strong indications that a Hebrew-speaking threat actor was behind these phishing attacks. The stolen Paypal credentials were forwarded to another remote server located in Mexico and which contains the same arbitrary file upload technique, only with a different content management.

It is a known practice for attackers to look for low-hanging fruit into which they can inject their code in order to hide their C&C server. One such example was the CTB-Locker for web servers reported last March.
#1575 Most businesses haven't inspected cloud services for malware
Echoing the findings we reported earlier that companies leave cloud protection to third-parties, a new study from cloud security company Netskope reveals most companies don't scan their cloud services for malware either.

The study conducted with the Ponemon Institute shows 48 percent of companies surveyed don't inspect the cloud for malware and 12 percent are unsure if they do or not. Of those that do inspect, 57 percent of respondents say they found malware.
#1574 CSP Evaluator
CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies, which is usually a manual task, and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator checks are based on a large-scale study and are aimed to help developers to harden their CSP and improve the security of their applications. This tool (also available as a Chrome extension) is provided only for the convenience of developers and Google provides no guarantees or warranties for this tool.
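The kind of review the blurb above describes, as an added example that is not the page's own material and not Google's CSP Evaluator code: a small static check of a Content-Security-Policy header for the common weaknesses that stop it from being an effective XSS mitigation. The two policies at the bottom are constructed for illustration.

```python
"""Added example, not part of the page or of Google's CSP Evaluator: a minimal
static review of a Content-Security-Policy header that flags the well-known
weaknesses which stop a policy from being a real XSS mitigation."""
from typing import Dict, List, Optional

# Keyword sources that keep a policy blocking inline injection
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
# Scheme or wildcard sources that admit script from essentially anywhere
BROAD_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source, ...]}.

    Directive names are case-insensitive. When a directive is repeated,
    browsers honour the first occurrence and ignore the rest, so do the same."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective(directives: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Resolve a fetch directive through its default-src fallback."""
    if name in directives:
        return directives[name]
    return directives.get("default-src")


def evaluate_csp(policy: str) -> List[str]:
    """Return human-readable findings; an empty list means no weakness found."""
    d = parse_csp(policy)
    findings: List[str] = []

    scripts = effective(d, "script-src")
    if scripts is None:
        findings.append("no script-src and no default-src: script loading is unrestricted")
        scripts = []
    lowered = [s.lower() for s in scripts]
    nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline',
    # so it is only a weakness when it stands alone.
    if "'unsafe-inline'" in lowered and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without a nonce or hash: "
                        "inline injection still runs")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src allows 'unsafe-eval': string-to-code sinks remain reachable")
    for src in lowered:
        if src in BROAD_SOURCES or src.startswith("http://"):
            findings.append(f"script-src permits an overly broad source: {src}")

    # Plugin content (object/embed) is a classic script-execution path.
    objects = effective(d, "object-src")
    if objects is None or [s.lower() for s in objects] != ["'none'"]:
        findings.append("object-src is not 'none': plugin content offers a script-execution path")

    if "base-uri" not in d:
        findings.append("base-uri is not set: an injected <base> tag can retarget relative script URLs")
    return findings


# Constructed sample policies (not taken from any real site)
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_POLICY = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; "
                 "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{label}] {policy}")
        for finding in evaluate_csp(policy) or ["no findings"]:
            print("  -", finding)
```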
#1573 AVTECH shuns security firm and leaves all products vulnerable without a patch
AVTECH, a Taiwanese CCTV equipment manufacturer, has failed to respond to Search-Lab, a Hungarian security firm that spent more than a year trying to inform the company about 14 security bugs affecting the firmware of all its products.

Almost a year after it first contacted the hardware maker, Search-Lab published a public advisory about the vulnerabilities it discovered, warning sysadmins that their AVTECH products may be in danger of exploitation.
#1572 Surge of email attacks using malicious WSF attachments
Symantec has seen a major increase in the number of email-based attacks using malicious Windows Script File (WSF) attachments over the past three months. Ransomware groups in particular have been employing this new tactic. In the past two weeks, Symantec has blocked a number of major campaigns distributing Locky (Ransom.Locky) which involved malicious WSF files.

WSF files are designed to allow a mix of scripting languages within a single file. They are opened and run by the Windows Script Host (WSH). Files with the .wsf extension are not automatically blocked by some email clients and can be launched like an executable file.
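A content-based triage check for the attachment type described above, as an added example that is not code from the page or from Symantec. It relies on the WSF structure the paragraph mentions (an XML document whose `<job>` element holds one or more `<script language="...">` blocks, optionally wrapped in `<package>`); the two sample files are constructed and benign.

```python
"""Added example, not from the page or from Symantec: content-based triage of
Windows Script File (.wsf) attachments. A WSF is XML: a <job> element holding
<script language="..."> blocks, optionally inside <package>; every engine
named in language= is run by the Windows Script Host."""
import re
import xml.etree.ElementTree as ET  # use defusedxml in production mail paths
from dataclasses import dataclass, field
from typing import List, Optional

SCRIPT_TAG = re.compile(rb"""<script\b[^>]*\blanguage\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
JOB_TAG = re.compile(rb"<job\b", re.IGNORECASE)


@dataclass
class WsfSummary:
    jobs: int = 0
    languages: List[str] = field(default_factory=list)        # distinct engines, sorted
    remote_includes: List[str] = field(default_factory=list)  # <script src="..."> values
    parsed_as_xml: bool = False


def summarize_wsf(data: bytes) -> Optional[WsfSummary]:
    """Return a summary if the bytes look like a WSF, else None.

    Strict XML parsing is tried first. WSH itself is tolerant (a raw '&' or
    '<' inside a script body is common), so a regex fallback still recovers
    the script blocks when ElementTree rejects the document."""
    summary = WsfSummary()
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        langs = {m.group(1).decode("ascii", "replace").lower() for m in SCRIPT_TAG.finditer(data)}
        if not langs or not JOB_TAG.search(data):
            return None
        summary.jobs = len(JOB_TAG.findall(data))
        summary.languages = sorted(langs)
        return summary
    jobs = [e for e in root.iter() if e.tag.lower() == "job"]
    if not jobs:
        return None
    summary.parsed_as_xml = True
    summary.jobs = len(jobs)
    langs = set()
    for job in jobs:
        for script in job.iter():
            if script.tag.lower() != "script":
                continue
            langs.add(script.get("language", "unspecified").lower())
            src = script.get("src")
            if src:
                summary.remote_includes.append(src)
    summary.languages = sorted(langs)
    return summary


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Findings for a mail-gateway policy; an empty list means nothing WSF-related."""
    findings: List[str] = []
    summary = summarize_wsf(data)
    ext_is_wsf = filename.lower().endswith(".wsf")
    if summary is None:
        if ext_is_wsf:
            findings.append("extension is .wsf but content is not a recognizable WSF document")
        return findings
    if not ext_is_wsf:
        findings.append(f"WSF content under a non-.wsf name ({filename}): extension filters miss it")
    findings.append(f"WSF with {summary.jobs} job(s) using {', '.join(summary.languages)}: "
                    "runs via WSH like an executable")
    if len(summary.languages) > 1:
        findings.append("mixed scripting engines in one file")
    for src in summary.remote_includes:
        findings.append(f"script body included from another location: {src}")
    return findings


# Constructed, benign samples: one well-formed, one with a raw '&&' that
# WSH accepts but strict XML does not.
SAMPLE_WSF = b"""<?xml version="1.0"?>
<package>
  <job id="demo">
    <script language="VBScript">
      Dim greeting : greeting = "hello from VBScript"
    </script>
    <script language="JScript">
      WScript.Echo("hello from JScript");
    </script>
  </job>
</package>
"""
TOLERANT_WSF = b"""<job id="x">
  <script language="JScript">
    if (a && b) { WScript.Echo("ok"); }
  </script>
</job>
"""

if __name__ == "__main__":
    for name, blob in (("invoice.txt", SAMPLE_WSF), ("run.wsf", TOLERANT_WSF)):
        print(name, triage_attachment(name, blob))
```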
#1571 Five myths about machine learning in cybersecurity
Machine learning has long permeated all areas of human activity. It not only plays a key role in the recognition of speech, gestures, handwriting and images – without machine learning it would be difficult to imagine modern medicine, banking, bioinformatics and any type of quality control. Even the weather forecast cannot be made without machines capable of learning and generalization.

I would like to warn about, or dispel, some of the misconceptions associated with the use of ML in the field of cybersecurity.
#1570 Adobe fixes 81 vulnerabilities in Acrobat, Reader, Flash
Adobe patched 81 vulnerabilities across Acrobat, Reader, and Flash on Tuesday, including a handful of critical bugs that if exploited, could allow an attacker to take control of a system.

The lion’s share of vulnerabilities – 71 in total – exist in the company’s Acrobat and Reader platforms.

According to a security bulletin published by the company on Tuesday, most of the Acrobat and Reader updates address memory corruption, use-after-free, and buffer overflow vulnerabilities – all which can lead to code execution – in the software. Two additional patches fix a bypass restriction on JavaScript API execution and a separate security bypass vulnerability that existed in the software. The update brings Acrobat DC and Reader DC to version 15.006.30243 and Acrobat XI and Reader XI to 11.0.18 on both Windows and Macintosh machines.
#1569 IoT botnet uses HTTP traffic to DDoS targets
The IoT botnet behind some of the largest publicly recorded DDoS attacks is flooding its targets with HTTP traffic, generating more than one million requests per second in some cases, in order to bring down web applications.

The attacks were recorded prior to the release of the source code fueling the Mirai malware, which scans the public Internet for IoT devices guarded by weak or default credentials and corrals them into a giant botnet.

Researchers at Cloudflare today published a report on two recent attacks that characterize a recent switch away from SYN flood- and ACK flood-based attacks at Layer 3, to HTTP-based attacks at Layer 7.
#1568 Nuclear power plant disrupted by cyber attack
The head of an international nuclear energy consortium said this week that a cyber attack caused a “disruption” at a nuclear power plant at some point during the last several years.

Yukiya Amano, the head of the International Atomic Energy Agency (IAEA) didn’t go into detail about the attack, but warned about the potential of future attacks, stressing on Monday that the idea of cyber attacks that impact nuclear infrastructure isn’t an “imaginary risk.”
#1567 Microsoft patches five zero days under attack
Microsoft today patched a handful of zero-day vulnerabilities that have been publicly attacked in Internet Explorer, Edge, Windows and Office products. The security updates were included among 10 Patch Tuesday bulletins, half of which were rated critical by Microsoft.

Today also signaled the first time Microsoft issued security updates for older Windows versions (Windows 7 and 8, and Windows Server 2008 and 2012) as single, cumulative security and feature updates.
#1566 Odinaff Trojan attacks banks and more, monitoring networks and stealing credentials
A previously undocumented banking Trojan is targeting financial institutions across the globe and is being used by cybercriminals to spy on networks of compromised organisations and stealthily defraud them of funds.

The Odinaff trojan has been active since January this year, carrying out attacks against organisations operating in the banking, securities, trading, and payroll sectors, as well as those which provide support services to these industries.

According to cybersecurity researchers at Symantec, the Trojan contains custom-built malware tools purposely built for exploring compromised networks, stealing credentials, and monitoring and recording employee activity in attacks which researchers say can be highly lucrative for hackers -- and bear the hallmarks of the Carbanak financial Trojan.
#1565 NSA could put undetectable “trapdoors” in millions of crypto keys
Researchers have devised a way to place undetectable backdoors in the cryptographic keys that protect websites, virtual private networks, and Internet servers. The feat allows hackers to passively decrypt hundreds of millions of encrypted communications as well as cryptographically impersonate key owners.

The technique is notable because it puts a backdoor—or in the parlance of cryptographers, a "trapdoor"—in 1,024-bit keys used in the Diffie-Hellman key exchange. Diffie-Hellman significantly raises the burden on eavesdroppers because it regularly changes the encryption key protecting an ongoing communication. Attackers who are aware of the trapdoor have everything they need to decrypt Diffie-Hellman-protected communications over extended periods of time, often measured in years. Knowledgeable attackers can also forge cryptographic signatures that are based on the widely used digital signature algorithm
#1564 Ransomware: Expert advice on how to keep safe and secure
On the one hand, ransomware can be extremely scary – the encrypted files can essentially be considered damaged and beyond repair. But if you have properly prepared your system, it is really nothing more than a nuisance.

There are a few things that you can do to keep ransomware from wrecking your day. Let’s start with what can be done in advance to help prevent malware from getting onto your system in the first place, and to minimize damage if it does happen.
#1563 On the StrongPity waterhole attacks targeting Italian and Belgian encryption users
The StrongPity APT is a technically capable group operating under the radar for several years. The group has quietly deployed zero-day in the past, effectively spearphished targets, and maintains a modular toolset. What is most interesting about this group’s more recent activity however, is their focus on users of encryption tools, peaking this summer. In particular, the focus was on Italian and Belgian users, but the StrongPity watering holes affected systems in far more locations than just those two. Adding in their creative waterholing and poisoned installer tactics, we describe the StrongPity APT as not only determined and well-resourced, but fairly reckless and innovative as well.
#1562 Remove ransomware infections from your PC using these free tools
Ransomware, a variety of malware which encrypts user files and demands payment in return for a key, has become a major threat to businesses and the average user alike.

Coming in a variety of forms, ransomware most often compromises PCs through phishing campaigns and fraudulent emails. Once a PC is infected, the malware will encrypt, move, and potentially delete files, before throwing up a landing page demanding a ransom in Bitcoin.

Demands for payment can range from a few to thousands of dollars. However, giving in and paying the fee not only further funds the development and use of this malware, but there is no guarantee any decryption keys given in return will work.
#1561 Europe to push new security rules amid IoT mess
The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

According to a report at, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,” wrote Catherine Stupp. “The EU labelling system that rates appliances based on how much energy they consume could be a template for the cybersecurity ratings.”
#1560 How Shodan helped bring down a ransomware botnet
Shodan is a search engine that looks for internet-connected devices. Hackers use it to find unsecured ports and companies use it to make sure that their infrastructure is locked down. This summer, it was also used by security researchers and law enforcement to shut down a ransomware botnet.

The Encryptor RaaS botnet offered ransomware as a service, allowing would-be criminals to get up and running quickly with their ransomware campaigns, without having to write code themselves, according to a report released last week.

The ransomware first appeared in the summer of 2015. It didn't make a big impact -- in March, Cylance reported that it had just 1,818 victims, only eight of whom had paid the ransom.

But it had a few things going for it that could have spelled success.
#1559 Android battles to fix the holes where the rain gets in
Google’s security mavens have been hard at work this month, patching an impressive 78 Android flaws in the firm’s latest update.

All told, seven issues are rated ‘critical’, including a hat-trick of kernel-level holes, a privilege flaw in the MediaTek video driver and three biggies affecting Qualcomm silicon.

Qualcomm turns out to be a bit of a theme with 31 vulnerabilities (identified by CVE numbers) mentioning the chip maker by name.

If 78 sounds like a lot of security holes to fix at once, it’s actually down on recent months. In July, the number reached an all-time high of 108, followed by another 103 in August.
#1558 Europol, IOCTA 2016. Internet Organised Crime Threat Assessment (PDF)
The 2016 Internet Organised Crime Threat Assessment (IOCTA) reports a continuing and increasing acceleration of the security trends observed in previous assessments. The additional increase in volume, scope and financial damage combined with the asymmetric risk that characterises cybercrime has reached such a level that in some EU countries cybercrime may have surpassed traditional crime in terms of reporting. Some attacks, such as ransomware, which the previous report attributed to an increase in the aggressiveness of cybercrime, have become the norm, overshadowing traditional malware threats such as banking Trojans.

The mature Crime-as-a-Service model underpinning cybercrime continues to provide tools and services across the entire spectrum of cyber criminality, from entry-level to top-tier players, and any other seekers, including parties with other motivations such as terrorists. The boundaries between cybercriminals, Advanced Persistent Threat (APT) style actors and other groups continue to blur. While the extent to which extremist groups currently use cyber techniques to conduct attacks appears to be limited, the availability of cybercrime tools and services, and illicit commodities such as firearms on the Darknet, provide ample opportunities for this situation to change.
#1557 BadKernel vulnerability affects one in 16 Android smartphones
A security bug in Google's V8 JavaScript engine is indirectly affecting around one in 16 Android devices, impacting smartphone models from all major vendors, such as LG, Samsung, Motorola, and Huawei.

The issue at play here was discovered and fixed in the summer of 2015 and affected the Google V8 JavaScript engine between versions 3.20 and 4.2.

Despite this bug being public for more than a year, only in August 2016 did Chinese security researchers discover that the V8 issue also affected a whole range of Android-related products where the older V8 engine versions had been deployed.
#1556 Cloud Security Alliance lays out security guidelines for IoT development
The Cloud Security Alliance (CSA) Internet of Things (IoT) working group has published a report to guide designers and developers on basic security measures it believes must be incorporated throughout the development process.

The report, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products, says that because IoT is broad-ranging and developing at great pace, identifying controls that can be applied against IoT products is difficult, noting its main reason for compiling the report is to give designers and developers a starting point to work from.
#1555 Latest intelligence for September 2016
The RIG exploit kit was the most active web attack toolkit in September and the number of new malware variants reached its highest point of the last year.
#1554 Cisco warns of critical flaws in Nexus switches
Cisco Systems released several critical software patches this week for its Nexus 7000-series switches and its NX-OS software. The vulnerabilities can allow remote access to systems, enabling a hacker to execute code or commands on targeted devices.

According to Wednesday’s Cisco Security Advisory, both the Nexus 7000 and 7700 series switches are susceptible to overlay transport virtualization buffer overflow flaws. This bug (CVE-2016-1453) is due to “incomplete input validation performed on the size of overlay transport virtualization packet header parameters,” Cisco said.
#1553 Arrested NSA contractor may have hoarded secrets to work from home
Investigators have little doubt that a National Security Agency contractor arrested in August hoarded mountains of classified material, but so far they've found no evidence that he leaked anything to anyone, The New York Times reported Friday.

Still, even if Harold T. Martin III didn't intentionally leak anything, federal officials remain highly concerned. Martin's home computers had "minimal security protection," leaving open the possibility, however remote, that hackers broke in and stole data that could compromise vital national security programs.
#1552 Spotify ads slipped malware onto PCs and Macs
Spotify's ads crossed from nuisance over to outright nasty this week, after the music service’s advertising started serving up malware to users on Wednesday. The malware was able to automatically launch browser tabs on Windows and Mac PCs, according to complaints that surfaced online.

As is typical for this kind of malware, the ads directed users’ browsers to other malware-containing sites in the hopes that someone would be duped into downloading more malicious software. The “malvertising” attack didn’t last long as Spotify was able to quickly correct the problem.

“We’ve identified an issue where a small number of users were experiencing a problem with questionable website pop-ups in their default browsers as a result of an isolated issue with an ad on our Free tier,” Spotify said on several threads in its support forums. “We have now identified the source of the problem and have shut it down. We will continue to monitor the situation.”
#1551 Boy, 12, gets €100k bill from Google after confusing Adwords with Adsense
A child in Spain has received a bill of €100,000 from Google after confusing its AdWords and AdSense services.

José Javier, 12, had signed up for Google's AdWords programme in order to make money from advertisements placed alongside YouTube videos of his band from Torrevieja, called Los Salerosos – in English, the Torrevieja Fun Guys – named after the Alicante town in which he lives.

Unfortunately for the young musician, Google's AdWords programme is for those wishing to advertise at cost, rather than run advertisements for profit. According to a report in the Spanish daily El País, José and a friend planned to buy instruments, play music, get rich and buy a mansion by subscribing to the service.

According to El País, after the story hit the press Google's Spanish offices sent out a statement regarding the billing, explaining that the megacorporation's team has "analysed the case", and not only hasn't received payment from the family, but will proceed to cancel the outstanding balance on its Adwords service.
#1550 Enabling on-body transmissions with commodity device (PDF)
We show for the first time that commodity devices can be used to generate wireless data transmissions that are confined to the human body. Specifically, we show that commodity input devices such as fingerprint sensors and touchpads can be used to transmit information to only wireless receivers that are in contact with the body. We characterize the propagation of the resulting transmissions across the whole body and run experiments with ten subjects to demonstrate that our approach generalizes across different body types and postures. We also evaluate our communication system in the presence of interference from other wearable devices such as smartwatches and nearby metallic surfaces. Finally, by modulating the operations of these input devices, we demonstrate bit rates of up to 50 bits per second over the human body.
#1549 FastPOS updates in time for the retail sale season
Most point-of-sale (PoS) threats follow a common process: dump, scrape, store, exfiltrate. FastPOS (initially detected by Trend Micro as TSPY_FASTPOS.SMZTDA) was different in the way it removed the middleman and went straight from stealing credit card data to directly exfiltrating it to its command and control (C&C) servers.

FastPOS was true to its moniker—pilfer data as fast as possible, as much as it can, even at the expense of stealth. The malware is a reflection of how PoS threats, though no longer novel, are increasingly used against businesses and their customers. As such, FastPOS’s update does not come as a surprise—in time for the oncoming retail season to boot.

The samples we analyzed were compiled during the second week of September, and feedback from our Smart Protection Network confirmed that they are already deployed against small and medium businesses. FastPOS’s developer also seemed to have wasted no time validating his code by confirming its functionality in a full infection. It only took about a month from when its C&C domain was registered (mid-August) to the launch of its new campaign, making it faster than the previous operation in 2015.
#1548 Unmasking Tor users with DNS
Researchers at the KTH Royal Institute of Technology, Stockholm, and Princeton University in the USA have unveiled a new way to attack Tor and deanonymise its users.

The attack, dubbed DefecTor by the researchers in their recently published paper The Effect of DNS on Tor’s Anonymity, uses the DNS lookups that accompany our browsing, emailing and chatting to create a new spin on Tor’s best-established weakness: correlation attacks.
#1547 Facebook rolls out opt-in encryption for 'secret' Messenger chats
As of today, all of Facebook's 900 million Messenger users should be able to choose to have specific chat threads end-to-end encrypted, protecting a message from all eyes except the sender and recipient. Called Secret Conversations, the feature also allows users to set messages to self-destruct anywhere from five seconds to one day.

Once a Secret Conversation is initiated, Facebook's app says that the conversation has been "encrypted from one device to the other". Encrypted conversations can be started from the home page by tapping a new message and then tapping the Secret button on the top right corner of the page, followed by the contact you want to start a secret chat with.
#1546 Our insulin pumps could be hacked, warns Johnson & Johnson
The Animas OneTouch Ping insulin pump contains vulnerabilities that could be exploited by a malicious attacker to remotely trigger an insulin injection.

Security researcher Jay Radcliffe – who is himself a Type I diabetic – discovered the flaws and wrote about his findings.

What Radcliffe discovered was that there were security weaknesses in how the medical device communicated wirelessly. Specifically, a lack of encryption meant that instructions were being sent in cleartext. Combined with weak pairing between the remote and pump, this could open opportunities for remote attackers to spoof the controller and trigger unauthorized insulin injections.

If the user does not cancel the insulin delivery on the pump, there is the potential for an attacker to cause harm and potentially create a hypoglycemic reaction.

Although the risk of widespread exploitation of the flaws is considered relatively low, and no-one should panic, Animas’s parent company Johnson & Johnson has issued an advisory to users of the insulin infusion pump:
#1545 Feds accuse two 19-yo of hacking for Lizard squad and PoodleCorp
The FBI is accusing two teenagers, one from the US and one from the Netherlands, of being members of the hacking groups Lizard Squad and PoodleCorp, which have gained notoriety for targeting online gaming services such as Blizzard's World of Warcraft, and League of Legends, among others.

On Wednesday, the US Department of Justice announced that 19-year-olds Zachary Buchta, from Maryland, and Bradley Jan Willem Van Rooy, from the Netherlands, had been charged with computer crimes associated with a series of distributed denial of service (DDoS) attacks launched against gaming services, and for selling DDoS-for-hire services and stolen credit cards.
#1544 This new Mac attack can secretly monitor your webcam, microphone
In recent years we've seen malware that targets webcams and microphones in an effort to secretly record what a person says and does.

Even the NSA has developed code that remotely switches on a person's webcam.

But things are different when it comes to Mac malware, because each Apple laptop has a hard-wired light indicator that tells the user when it's in use. At least you know you're being watched.

That could change with a new kind of webcam piggyback attack, according to research by Synack's Patrick Wardle, which he will present Thursday at the Virus Bulletin conference.
#1543 Why the latest Windows 10 cumulative update is failing and how you can recover
Updated 5-Oct-2016: Well, that was fast. Microsoft released a fix-it script and an explanation. Details here: Microsoft releases fix for Windows 10 cumulative update issues

Those of us who routinely monitor Microsoft's support forums knew last week that something was wrong with the latest cumulative update to Windows 10. We learned yesterday that Microsoft has now acknowledged the issue and is working on a fix.

The problem occurs with Cumulative Update KB3194496, which was released for Windows 10 version 1607 on Sept. 29, 2016.

For most users running the latest public release of Windows (version 1607, also known as the Anniversary Update), this cumulative update completes successfully and brings the current build number to 14393.222.
#1542 Chip card lawsuit to move forward against Visa, Mastercard, others
A federal judge has ruled it is plausible that four national credit-card companies improperly conspired “in lockstep” to set a deadline of Oct. 1, 2015 for requiring retailers to upgrade their technology to accept embedded chip cards for credit and debit card purchases.

In an order issued Friday (Case number C 16-01150 WHA), U.S. District Court Judge William Alsup agreed with two small Florida businesses – B & R Supermarket and Grove Liquors – which brought the lawsuit in March.

Alsup’s ruling also allows the antitrust case against Visa, Mastercard, American Express and Discover Financial Services to move forward in federal court for the Northern District of California.
#1541 53% of DDoS attacks result in additional compromise
DDoS attack volume has remained consistently high and these attacks cause real damage to organizations, according to Neustar. The global response also affirms the prevalent use of DDoS attacks to distract as “smokescreens” in concert with other malicious activities that result in additional compromise, such as viruses and ransomware.

“Distributed denial-of-service attacks are no longer isolated events limited to large, highly visible, targets. Sophisticated attacks hit companies of all sizes, in all industries,” said Rob Ayoub, research director, Security Products, IDC.

Neustar collected responses from more than 1,000 information security professionals, including CISOs, CSOs and CTOs to determine how DDoS attacks are impacting their organization and how they are mitigating the threat.
#1540 These ten cities are home to the biggest botnets
According to new data from cybersecurity researchers at Symantec, Turkey plays host to the highest botnet population in EMEA, with its most populous urban centre of Istanbul and capital city Ankara containing the highest and second highest number of botnet controlled devices in EMEA.

Behind Turkey, Italy ranks as the second-most bot-populated country, with Hungary third. That pattern is also reflected in the ranking of cities with the highest bot population with Italian capital Rome in third, followed by the Hungarian cities of Budapest and Szeged in fourth and fifth, according to the research from Norton by Symantec.

These parts of the world are an attractive target for hackers because they're markets and cities which have recently seen a huge increase in high-speed internet and connected devices but where security awareness may be lagging.
#1539 Major security flaw in Samsung Knox could give hackers 'full control' of your phone
Samsung hasn't had the best few weeks. Security experts have disclosed three vulnerabilities in the system the company created to "enhance security" of the Android operating system.

Researchers from Israeli firm Viral Security Group exposed the flaws in Samsung's Knox system, which they say "allowed full control" of a Samsung Galaxy S6 and the Galaxy Note 5 used for testing back in June.

The vulnerabilities, which require an existing flaw to operate, were reported to Samsung earlier this year. The company says it fixed them in a recent security update.
#1538 After Mozilla inquiry, Apple untrusts Chinese certificate authority
Following a Mozilla-led investigation that found multiple problems in the SSL certificate issuance process of WoSign, a China-based certificate authority, Apple will make modifications to iOS and macOS to block future certificates issued by the company.

Although there is no WoSign root certificate in Apple's trusted certificate store, a WoSign intermediate CA certificate is cross-signed by two other CAs that Apple trusts: StartCom and Comodo. This means that until now Apple products have automatically trusted certificates issued through the WoSign intermediate CA.
#1537 OpenJPEG zero-day flaw leads to remote code execution
Cisco Talos researchers have uncovered a severe zero-day flaw in the OpenJPEG JPEG 2000 codec which could lead to remote code execution on compromised systems.

On Friday, researchers from Cisco revealed the existence of the zero-day flaw in the JPEG 2000 image file format parser implemented in the OpenJPEG library. The out-of-bounds vulnerability, assigned CVE-2016-8332, could allow an out-of-bounds heap write to occur, resulting in heap corruption and arbitrary code execution.

OpenJPEG is an open-source JPEG 2000 codec. Written in C, the software was created to promote JPEG 2000, an image compression standard which is in popular use and is often used for tasks including embedding images within PDF documents through software including Poppler, MuPDF and Pdfium.
#1536 Over 400 instances of Dresscode malware found on Google Play store, say researchers
More than 400 apps available via the official Google Play Store contain the Dresscode Trojan malware, according to researchers.

The Dresscode malware first appeared in April: once downloaded by an unwary user, Dresscode can be used by those controlling it to conduct cyberespionage, download sensitive data, or recruit other devices on the network into a botnet.

Cybersecurity researchers at Trend Micro have warned that over 400 instances of Dresscode malware are available for download from the Google Play store where, using a similar technique to the Viking Horde malware, it masquerades as a legitimate application to trick the user into downloading it.
#1535 Security company finds five “zero-day” flaws in EMC management console
Digital Defense announced today that it privately revealed a set of five zero-day vulnerabilities in Dell EMC's vApp Manager for Unisphere for VMAX, a Web application used to manage all of EMC's storage platforms. The flaws would allow an attacker with access to the network storage devices to send malicious Adobe Flash Action Message Format (AMF) messages to the Web application server running on the storage system. That means attackers could run arbitrary commands against the storage system and potentially gain complete control of the storage devices or shut them down. The flaws have been patched by EMC via security advisories on the vulnerabilities available only to Dell EMC customers.
#1534 Polyglot – the fake CTB-locker
Cryptor malware programs currently pose a very real cybersecurity threat to users and companies. Clearly, organizing effective security requires the use of security solutions that incorporate a broad range of technologies capable of preventing a cryptor program from landing on a potential victim’s computer or reacting quickly to stop an ongoing data encryption process and roll back any malicious changes. However, what can be done if an infection does occur and important data has been encrypted? (Infection can occur on nodes that, for whatever reason, were not protected by a security solution, or if the solution was disabled by an administrator.) In this case, the victim’s only hope is that the attackers made some mistakes when implementing the cryptographic algorithm, or used a weak encryption algorithm.
#1533 Researchers break MarsJoke ransomware encryption
Victims infected with the MarsJoke ransomware can decrypt their files after researchers last week cracked the encryption in the CTB-Locker lookalike.

A trio of researchers from Kaspersky Lab’s Global Research and Analysis Team – Anton Ivanov, Orkhan Mamedov, and Fedor Sinitsyn – described Monday how errors in the cryptography used in the ransomware, a/k/a Polyglot, enabled them to break it.

The biggest mistake developers behind the ransomware made was in the way they implemented its pseudo-random number generator. Researchers said a weak random string in the key generator could be broken. That allowed them to search for a set of possible keys produced by the generator in just “a few minutes” on a standard PC.
#1532 Multiple Linux distributions affected by crippling bug In systemd
The following command, when run as any user, will crash systemd:

NOTIFY_SOCKET=/run/systemd/notify systemd-notify ""

After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system. The system feels generally unstable (e.g. ssh and su hang for 30 seconds since systemd is now integrated with the login system). All of this can be caused by a command that's short enough to fit in a Tweet.
#1531 This high-tech card is being rolled out by French banks to eliminate fraud
Forget fraud, these new bank cards are about to change everything.

Your bank security is pretty broken. It’s not your fault, it’s just really hard to keep people’s money safe, especially online.

Part of the problem is that once your card details are stolen – whether through a phishing attack or by someone copying the digits on the back – fraudsters are free to go on a spending spree until you notice something’s up.

They’re getting away with millions, and it’s a problem affecting over half a million people in the first half of 2016 alone.

Normally by the time you get around to actually cancelling your card, it’s all too late.

But what if the numbers on your card changed every hour so that, even if a fraudster copied them, they’d quickly be out of date?

That’s exactly what two French banks are starting to do with their new high-tech ebank cards.
#1530 Source code powering potent IoT DDoS just went public
A hacker has released computer source code that allows relatively unsophisticated people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline and set new records for so-called distributed denial-of-service attacks.

KrebsOnSecurity's Brian Krebs reported on Saturday that the source code for "Mirai," a network of Internet-connected cameras and other "Internet of things" devices, was published on Friday. Dale Drew, the chief security officer at Internet backbone provider Level 3 Communications, told Ars that Mirai is one of two competing IoT botnet families that have recently menaced the Internet with record-breaking distributed denial-of-service (DDoS) attacks—including the one that targeted Krebs with 620 gigabits per second of network traffic, and another that hit French webhost OVH and reportedly peaked at more than 1 terabit per second.