Security Alerts & News
by Tymoteusz A. Góral

#1756 Secret Europol terror data found online
A police officer working for Europol exposed sensitive data about security investigations to the internet.

The European Union's law enforcement agency acknowledged the error ahead of a Dutch documentary's broadcast.

The TV programme Zembla said it had found more than 700 pages of confidential dossiers, including details of terrorism probes, on a hard drive linked to the net.

It said the networked drive was not password protected.

Europol said it had launched an investigation into the matter.

"Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned member states," a spokesman for the law agency said.
#1755 The Internet of Things is making hospitals more vulnerable to hackers
Ransomware and denial of service attacks are just a glimpse of things to come: hospitals are the next big target for cyber-attacks and the introduction of Internet of Things (IoT) devices make healthcare even more vulnerable.

Connected medical devices can bring increased patient safety and efficiency, particularly if connected to clinical information systems, but European tech security agency Enisa is warning that introducing such technologies also increases risks.

As a result, it said, hospitals need to change their attitude towards security: "The need for improved, and even remote, patient care drives hospitals to transform by adapting smart solutions, ignoring sometimes the emerging security and safety issues. Nothing comes without a price: hospitals are the next target for cyber-attacks," Enisa warned.
#1754 Muni system hacker hit others by scanning for year-old Java vulnerability
The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan.

In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers."
#1753 The Tor Phone prototype: a truly private smartphone?
The Tor Project has long offered high-security alternatives for folk who are especially concerned about their privacy. But as the world goes mobile, and is increasingly accessed through smartphones, users become vulnerable to a whole new set of compromises.

That’s where the Tor Phone prototype comes in – and it’s just been significantly improved.
#1752 900,000 Germans knocked offline, as critical router flaw exploited
As many as 900,000 Deutsche Telekom customers were knocked offline on Sunday and Monday as an attempt was made to hijack broadband routers into a botnet.

Malicious hackers are commandeering vulnerable Zyxel and Speedport routers, commandeering them into a botnet which they can command to launch huge denial-of-service attacks against websites. The vulnerability exploits the TR-069 and TR-064 protocols, which are used by ISPs to manage hundreds of thousands of internet devices remotely.

In this particular case, an attack was able to fool the vulnerable routers into downloading and executing malicious code, with the intention of crashing or exploiting them. Compromised routers could then be commanded to change their DNS settings, steal Wi-Fi credentials, or bombard websites with unwanted traffic.
#1751 Firefox 0day in the wild is being used to attack Tor users
There's a zero-day exploit in the wild that's being used to execute malicious code on the computers of people using Tor and possibly other users of the Firefox browser, officials of the anonymity service confirmed Tuesday.

Word of the previously unknown Firefox vulnerability first surfaced in this post on the official Tor website. It included several hundred lines of JavaScript and an introduction that warned: "This is an [sic] JavaScript exploit actively used against TorBrowser NOW." Tor cofounder Roger Dingledine quickly confirmed the previously unknown vulnerability and said engineers from Mozilla were in the process of developing a patch.
#1750 Amazon and eBay sellers' VAT fraud rife despite crackdown
Huge numbers of VAT fraudsters are illegally selling goods tax-free to British shoppers on Amazon and eBay this Christmas, despite new government efforts to crack down on this ballooning £1bn VAT evasion crisis.

A Guardian investigation found a wide variety of popular goods being illegally sold without VAT on Britain’s leading shopping sites. They range from cheap Christmas tree lights, electric toothbrushes and thermal socks to expensive laptops, iPads, music keyboards, violins and pingpong tables.

In some cases, VAT fraudsters offer unbeatable prices. Mostly, however, their prices remain in line with law-abiding competitors and the proceeds of evasion disappear overseas, often to China.
#1749 PayPal fixes OAuth token leaking vulnerability
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application.

The vulnerability was publicly disclosed on Monday by Antonio Sanso, a senior software engineer at Adobe, after he came across the issue while testing his own OAuth client. For its part, PayPal remedied the vulnerability about three weeks ago.

The OAuth flaw, according to Sanso, stemmed from the token request and acquisition process. For starters, PayPal allows developers to create and edit their own apps through its developer application dashboard. After creating them, developers can register those apps and obtain an access token for them by sending a request to the company, which acts an authorization server. That PayPal server could be overridden however, Sanso found.
#1748 New wave of Mirai attacking home routers
Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or that the internet connection was very weak. Today we saw news, that a malicious attack could be the reason for this widespread problem.

Fortunately we got some more technical details from users reporting the specific behaviour. With this information, were able to get hands on some samples and were able to reconstruct some details.
#1747 Microsoft update servers left all Azure RHEL instances hackable
Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances.

Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package Manager contains build host information that allows attackers to find all four Red Hat Update Appliances which expose REST APIs over HTTPS.
#1746 Malicious code and the Windows integrity mechanism
Ask any expert who analyzes malicious code for Windows which system privileges malware works with and wants to acquire and, without a second thought, they’ll tell you: “Administrator rights”. Are there any studies to back this up? Unfortunately, I was unable to find any coherent analysis on the subject; however, it is never too late to play Captain Obvious and present the facts for public evaluation.

My goal wasn’t to review the techniques of elevating system privileges; the Internet already has plenty of articles on the subject. New mechanisms are discovered every year, and each technique deserves its own review. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.
#1745 ATM insert skimmers: A closer look
KrebsOnSecurity has featured multiple stories about the threat from ATM fraud devices known as “insert skimmers,” wafer-thin data theft tools made to be completely hidden inside of a cash’s machine’s card acceptance slot. For a closer look at how stealthy insert skimmers can be, it helps to see videos of these things being installed and removed. Here’s a look at promotional sales videos produced by two different ATM insert skimmer peddlers.

Traditional ATM skimmers are fraud devices made to be placed over top of the cash machine’s card acceptance slot, usually secured to the ATM with glue or double-sided tape. Increasingly, however, more financial institutions are turning to technologies that can detect when something has been affixed to the ATM. As a result, more fraudsters are selling and using insert skimming devices — which are completely hidden from view once inserted into an ATM.
#1744 ImageGate - malware in image and graphic files (VIDEO)
Check Point® Software Technologies Ltd. (NASDAQ: CHKP) today announced its security researchers have identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images through social media applications such as Facebook and LinkedIn.
#1743 It’s the final countdown for SHA1 SSL certificates
We’re in the final days of what are loosely known as SHA-1 SSL certificates. In certificates of this sort, the cryptographic hash or “message digest” that is used as a digital fingerprint is caclulated, as the name suggests, using the SHA-1 algorithm.

To be a cryptographic hash, rather than just a plain old checksum, an algorithm needs to create a fingerprint that is genuinely hard to forge. In other words, if I take a message M and create a digital fingerprint by calculating f(M) = X, you shouldn’t be able to go backwards from X and figure out anything about M.

You shouldn’t be able to come up with a message of your own, N say, such that f(N) is also X. And you shouldn’t be able to come up with two different messages that have the same fingerprint, where f(A)= f(B) but A is not equal to B.

Unless these conditions are met, the hashing function f() simply isn’t safe enough to use as any sort of digital fingerprint and therefore has no place in cryptography.
#1742 Research on unsecured WiFi networks across the world
The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data.

Confidential data can be protected by encrypting traffic at wireless access points. In fact, this method of protection is now considered essential for all Wi-Fi networks. But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).
#1741 This cheap and nasty ransomware will try to encrypt files across your network and removable drives
One of the cheaper forms of ransomware that crooks can buy on the dark web has evolved worm-like capabilities which enable it to move across networks and external drives, and even to re-encrypt files which have already been encrypted by other ransomware.

The Stampado ransomware is available to buy on the dark web for just $39, and is described by the seller as 'cheap and easy to manage ransomware' and offers buyers a 'full lifetime license'.

While it might be expected that cheap ransomware offers wannabe cybercriminals very little bang for their buck, cybersecurity researchers at Zscaler have analysed Stampado and have found it to contain self-propagating features which make it extremely effective -- it can spread across multiple devices and drives connected to the infected system.
#1740 New decryption tool for Crysis ransomware
Since it first appeared, ransomware’s profitable business – in short, compromising and encrypting data belonging to companies and users and requesting payment in exchange for the restoration of infected files –has grown rapidly.

One of the threats that has had a significant impact and infected a considerable number of users worldwide was the family detected by ESET solutions as Win32/Filecoder.Crysis. However, and luckily, ESET has developed a free tool to decrypt files and recover the information that might have been compromised.
#1739 Siemens-branded CCTV webcams require urgent firmware patch
Siemens-branded IP-based CCTV cameras are the latest internet-connected devices to be found vulnerable to hacking attacks.

In this particular instance, according to a security advisory issued by Siemens, the vulnerability – known as CVE-2016-9155 – could be remotely exploited by malicious attackers to trick CCTV cameras into revealing admin passwords:

"The latest update for SIEMENS-branded IP-based CCTV cameras fixes a vulnerability that could allow a remote attacker to obtain administrative credentials from the integrated web server."

Until patches can be applied, restricting access to the integrated web server with appropriate mechanisms is recommended
#1738 Ransomware abusing encrypted chat app Telegram protocol cracked
Ransomware which abuses the Telegram app API has been stopped in its tracks only weeks after discovery.

The malware, TeleCrypt, is typical ransomware in the way that the malicious code operates. If Russian-speaking victims accidentally run and execute the software -- potentially through malicious downloads or phishing attacks -- TeleCrypt will encrypt a system and throw up a warning page blackmailing the user into paying a 'ransom' to retrieve their files.

In this case, victims are faced with a demand for 5,000 rubles ($77) for the "Young Programmers Fund."
#1737 Great. Now even your headphones can spy on you
Cautious computer users put a piece of tape over their webcam. Truly paranoid ones worry about their devices’ microphones—some even crack open their computers and phones to disable or remove those audio components so they can’t be hijacked by hackers. Now one group of Israeli researchers has taken that game of spy-versus-spy paranoia a step further, with malware that converts your headphones into makeshift microphones that can slyly record your conversations.

Researchers at Israel’s Ben Gurion University have created a piece of proof-of-concept code they call “Speake(a)r,” designed to demonstrate how determined hackers could find a way to surreptitiously hijack a computer to record audio even when the device’s microphones have been entirely removed or disabled. The experimental malware instead repurposes the speakers in earbuds or headphones to use them as microphones, converting the vibrations in air into electromagnetic signals to clearly capture audio from across a room.

“People don’t think about this privacy vulnerability,” says Mordechai Guri, the research lead of Ben Gurion’s Cyber Security Research Labs. “Even if you remove your computer’s microphone, if you use headphones you can be recorded.”
#1736 WordPress plugins leave BlackFriday shoppers vulnerable
Researchers are calling into question the safety of some of the top WordPress e-commerce plugins used on over 100,000 commercial websites prepping for Black Friday and Cyber Monday online sales.

In reviewing the top 12 WordPress e-commerce plugins, application security testing firm Checkmarx found four with severe vulnerabilities tied to reflected XSS (cross-site scripting), SQL injection and file manipulation flaws.

“If these vulnerabilities are exploited, users of over 135,000 websites could find their personal data, including credit card information, threatened,” according to Checkmarx’s analysis of the plugins, published Tuesday.

One of the four plugins contained three vulnerabilities, the other three contained one each.
#1735 Exploit code released for NTP vulnerability
A researcher has released a proof-of-concept exploit for a vulnerability in the Network Time Protocol daemon that could crash a server with a single, malformed packet.

The Network Time Foundation’s NTP Project on Monday patched the bug and nine others with the release of NTP 4.2.8p9.

The vulnerability affected NTP 4.2.7p22 up to NTP 4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94, researcher Magnus Stubman said.

Stubman released an exploit on Monday that crashes the NTP daemon and creates a denial-of-service condition.
#1734 Elegant 0-day unicorn underscores “serious concerns” about Linux security
Recently released exploit code makes people running fully patched versions of Fedora and other Linux distributions vulnerable to drive-by attacks that can install keyloggers, backdoors, and other types of malware, a security researcher says.

One of the exploits—which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions—is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory.
#1733 Cisco: Security landscape plagued by too many vendors
Vendor saturation is one of the biggest challenges currently plaguing the cybersecurity market, according to system engineer security for Cisco Systems Ronny Guillaume, who is concerned that organisations are surrounded by too much noise to truly understand what it is they actually need to protect their business.

"Studies have shown that companies have up to 70 different security vendors installed and in their company to solve problems," he said.

"Now imagine if you had to go and look at 70 different security products and understand what's going on within your specific network -- it's almost impossible."

Speaking in Sydney on Tuesday, Guillaume pointed to the data breach that plagued US discount retail giant Target nearly three years ago.
#1732 InPage zero-day used in attacks against banks
A zero-day vulnerability in InPage publishing software used primarily in Urdu, Pashto and Arabic-speaking nations has been publicly exploited in attacks against financial institutions and government agencies in the region.

While there are more than 10 million InPage users in Pakistan and India alone, there are a significant number of users in the U.S., U.K. and across Europe as well.

Researchers at Kaspersky Lab today disclosed the vulnerability after a number of attempts to privately report the bug to InPage were ignored.
#1731 Small Business Information Security: The Fundamentals (PDF)
NIST developed this interagency report as a reference guideline about cybersecurity for small businesses. This document is intended to present the fundamentals of a small business information security program in non-technical language.
#1730 Malicious images on Facebook lead to Locky ransomware
Researchers have discovered an attack that uses Facebook Messenger to spread Locky, a family of malware that has quickly become a favorite among criminals.

The Ransomware is delivered via a downloader, which is able to bypass whitelisting on Facebook by pretending to be an image file.

The attack was discovered on Sunday by malware researcher Bart Blaze, and confirmed later in the day by Peter Kruse, another researcher that specializes in internet-based crime and malware.
GET YOUR DAILY SECURITY NEWS: Sign up for CSO's security newsletters

The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.
#1729 Symantec buys anti-ID fraud firm LifeLock for $2.3 billion
Symantec, one of the biggest consumer computer security firms in the world, is about to become even bigger with plans to buy LifeLock—an identity-theft protection service.

The proposed $2.3 billion (£1.86 billion) deal has been okayed by the boards of directors of both companies, and is expected to close in the first quarter of 2017, pending regulatory approval.

LifeLock's shareholders will receive $24 (£19.45) per share—a 16 percent premium to its closing price on Friday of $20.75.

Symantec, which owns the Norton suite of cybersecurity software, claimed that the deal will make it the world's largest consumer-facing online protection outfit.
#1728 Here’s a secret: ɢ is not
In fact, the letter ‘G’ is a Latin Letter Small Capital, Unicode 0262. Compared side by side with a real capital G, they would look like ‘ɢ G’ — see the difference? Notice how the ‘G’ in the image is the same size as the lowercase letter ‘o’? It’s not the G you thought it was.
#1727 The odd, 8-year legacy of the Conficker worm
Eight years ago, on November 21st, 2008, Conficker reared its ugly head. And since then, the “worm that roared” – as ESET’s distinguished researcher Aryeh Goretsky puts it – has remained stubbornly active.

Targeting Microsoft Windows, it has compromised home, business and government computers across 190 countries, leading experts to call it the most notorious and widespread worm since the emergence of Welchia some five years earlier.

Conficker, as we’ll go onto explore, spawned numerous versions, each promising different attack methods (from injecting malicious code to phishing emails and copying itself to the ADMIN part of a Windows machine). Ultimately though, the worm leveraged – and indeed, continues to leverage – an old, unpatched vulnerability to crack passwords and hijack Windows computers into a botnet. These botnets would then be used to distribute spam or install scareware (again, as they are today).
#1726 Android user locked out of Google after moving cities
An Android user has been locked out of his Google account apparently because he moved cities, according to a post on Reddit.

The explanation offered by Google support staff was that since his address details differed, billing information with Google wasn't current and hence the user's purchases could look fraudulent.

The user in question does not know for sure that this is the reason; during his interactions with Google support to find out why he had been locked out, he was told that "It is our policy to not discuss the specific reasons for an account closure."

This, apparently, is official Google policy.
#1725 Powerful backdoor/rootkit found preinstalled on 3 million Android phones
Almost three million Android phones, many of them used by people in the US, are vulnerable to code-execution attacks that remotely seize full control of the devices, researchers said Thursday.

Until recently, the flaw could have been exploited by anyone who took the time to obtain two Internet domains that remained unregistered despite being hardwired into the firmware that introduced the vulnerability. After discovering the vulnerability, researchers from security ratings firm BitSight Technologies registered the addresses and control them to this day. Even now, the failure of the buggy firmware to encrypt communications sent to a server located in China makes code-execution attacks possible when phones don't use virtual private networking software when connecting to public hotspots and other unsecured networks.
#1724 Second Chinese firm in a week found hiding backdoor in firmware of Android devices
Security researchers have discovered that third-party firmware included with over 2.8 million low-end Android smartphones allows attackers to compromise Over-the-Air (OTA) update operations and execute commands on the target's phone with root privileges.

Mobile experts from Anubis Networks discovered the problem this week. This is the second issue of its kind that came to light this week after researchers from Kryptowire discovered a similar secret backdoor in the firmware of Chinese firm Shanghai Adups Technology Co. Ltd..

This time around, the problem affected Android firmware created by another Chinese company named Ragentek Group.
#1723 iPhones vulnerable to yet another lockscreen bypass
iPhone aficionados at iDeviceHelp and EverythingApplePro have discovered yet another way for someone who has physical access to your phone to access your messages, photos, and contacts, even if the phone is locked with both a passcode and properly configured TouchID.

EverythingApplePro and iDeviceHelp published full proof-of-concept videos of this bypass on YouTube, in case you’d like to follow along at home.

The demonstration shows the bypass on an iPhone 7 using the iOS 10.2 beta 3, as well as an iPhone 4 using iOS 8 and even on an iPad, showing that this flaw affects any iDevice that can receive Facetime or phone calls.

This is not the first time (by a long shot) that clever iPhone users have found lock screen bypasses to access information that should be locked down, including photos, messages, and contacts. In fact, we’ve been covering flaws like this since at least 2013.
#1722 BlackNurse revisited: what you need to know
BlackNurse isn’t really an “attack”.

It’s more of a reminder of why DDoSes work: if you bombard the network port on a router with lots of redundant packets, you force the router to do purposeless extra work.

The extra work steals some of the router’s performance away from legitimate users, and thus legitimate traffic gets held up in the snarl.

Unfortunately, if you pick your time-wasting packets carefully, you may be able to find some router models that do even more extra work than you might expect in order to dispose of your malicious traffic.

At that point, you can cause additional harm to those routers, simply by picking the content that makes them work hardest.

BlackNurse’s “extra harm” traffic turns out to be a special sort of network packet known as an ICMP reply, short for Internet Control Message Protocol.
#1721 Qualcomm launches bug bounty program for Snapdragon chips, modems
Qualcomm has launched a bug bounty program to entice researchers to submit reports on security flaws in Snapdragon processors, LTE modems, and hardware.

The program, administered by HackerOne, was announced on Thursday in what Qualcomm says is the "first of its kind" to be announced by a major silicon vendor.

Qualcomm's vulnerability rewards program focuses on the Snapdragon processor range, used to power mobile devices such as smartphones and tablets, alongside LTE modems and "related technologies."

Details are thin on the ground at the moment in relation to what types of security flaws Qualcomm is particularly interested in, but on the bug bounty's page, the company asks researchers to submit details in their reports including vulnerability types -- such as buffer overflow or integer overflow bugs -- and the potential impact of a problem, such as remote code execution or information leaks.
#1720 IoT devices in the enterprise
In the months prior to the recent attacks, which used Internet of things (IoT) devices to carry out massive distributed-denial-of-service (DDoS) attacks, the ThreatLabZ research team had begun studying the use of IoT devices on the networks of Zscaler customers.

In light of their notoriously poor security, we knew that IoT devices were relatively easy to compromise, so there’s been concern over the potential to use them for spreading malware, stealing credentials, leaking data, sniffing traffic, or even moving laterally on a network to scan for sensitive data. The devices themselves can also be exploited for malicious purposes, such as spying in the case of cameras. Or, as we saw last month, creating large, destructive botnets.

We analyzed data going back to July for recent IoT device footprints based on the traffic we are seeing in the Zscaler cloud. We looked at the types of devices in use, the protocols they used, the locations of the servers with which they communicated, and the frequency of their inbound and outbound communications over a two-month period (26 August 2016 to 26 October 2016). Our primary purpose was to determine if any of the devices posed a threat to customer security, and eventually we also looked at whether the devices that were used in the Dyn and KrebsOnSecurity attacks were also in use by our customers.

Finally, we analyzed IoT traffic patterns on the days of the DDoS attacks to see if there had been any unusual behavior on those days, such as spikes in bandwidth use or variations in the destination of IoT traffic.
#1719 Android banking malware whitelists itself to stay connected with attackers
Recent variants of Android.Fakebank.B have been updated to work around the battery-saving process Doze. The variants display a pop-up message asking the user to add the threat to the Battery Optimizations exceptions whitelist. If this technique works, then the malware can stay connected to command and control servers even when the device is dormant.
#1718 Beyond cyber espionage lies cyber sabotage and cyber disinformation
"Cyber espionage is a fact of life internationally. And the fact that it continues to be a fact of life internationally is a product of the fact that it has been so successful internationally."

So said David Irvine, former director-general of the Australian Security Intelligence Organisation (ASIO), and former head of the Australian Secret Intelligence Service (ASIS), at Fortinet's Security 361° Symposium in Sydney on Wednesday.

News of cyber espionage is commonplace now, with nearly every story pointing the finger at unspecified nation-state actors. Well, unless they straight-up finger China. Or Russia. Or Iran.

Irvine mentioned the breach of the Australian parliamentary network in 2011, and the breach of the Bureau of Meteorology revealed in 2015. But he was particularly impressed with the breach of the US Office of Personnel Management (OPM), revealed in 2015.
#1717 This $5 device can hack your locked computer In one minute
Next time you go out for lunch and leave your computer unattended at the office, be careful. A new tool makes it almost trivial for criminals to log onto websites as if they were you, and get access to your network router, allowing them to launch other types of attacks.

Hackers and security researchers have long found ways to hack into computers left alone. But the new $5 tool called PoisonTap, created by the well-known hacker and developer Samy Kamkar, can even break into password-protected computers, as long as there’s a browser open in the background.Kamkar explained how it works in a blog post published on Wednesday.

And all a hacker has to do is plug it in and wait.

“It’s entirely automated. You plug it in, you leave it there for a minute, then you pull it out and you walk away,” Kamkar told Motherboard in a phone call. “You don’t even need to know how to do anything.”

PoisonTap is built on a Raspberry Pi Zero microcomputer. Once it’s plugged into a USB port, it emulates a network device and attacks all outbound connections by pretending to be the whole internet, tricking the computer to send all traffic to it. Once the device is positioned in the middle like this, it can steal the victim’s cookies, as long as they come from websites that don’t use HTTPS web encryption, according to Kamkar.
#1716 Mozilla patches 29 vulnerabilities, prevents MIME confusion attacks, in Firefox 50
Mozilla addressed 29 vulnerabilities, three rated critical, when it released the latest iteration of its flagship browser, Firefox 50 and Firefox ESR 45.5, on Tuesday.

Firefox developers said this week that it might take some effort, but at least two of the critical bugs could be exploited to run arbitrary code. Both bugs stemmed from memory safety issues in Firefox 49, released in mid-September.

According to a security advisory published by Mozilla, both issues showed evidence of memory corruption and were discovered by Mozilla developers and community members.
#1715 This ransomware uses your social media profiles to personalise its demands
A newly discovered form of ransomware scrapes the social media accounts and local files of victims in order to tailor a customised demand, and threatens court action if it isn't paid.

Dubbed 'Ransoc' by cybersecurity researchers at Proofpoint due to its connection with social media including Facebook, LinkedIn, and Skype, this ransomware represents yet another evolution of the malicious software which has boomed during 2016.

It isn't the first ransomware variant to use social engineering in an attempt to scare the victim into paying up, but Ransoc is unique in how it attempts to turn the users' files against them -- especially if illegally downloaded files are on the system.

Perhaps because it focuses on exploiting this fear, Ransoc doesn't encrypt the victims' files in the same way as ransomware like Locky does, but rather makes its demands via the desktop or browser after infecting the system through malvertising traffic aimed at Internet Explorer on Windows and Safari on OS X.
#1714 Metasploitable3: An intentionally vulnerable machine for exploit testing
Metasploitable3 is a free virtual machine that allows you to simulate attacks largely using Metasploit. It has been used by people in the security industry for a variety of reasons: such as training for network exploitation, exploit development, software testing, technical job interviews, sales demonstrations, or CTF junkies who are looking for kicks.
#1713 The web-shaking Mirai botnet is splintering - but also evolving
Over the last few weeks, a series of powerful hacker attacks powered by the malware known as Mirai have used botnets created of internet-connected devices to clobber targets ranging from the internet backbone company Dyn to the French internet service provider OVH. And just when it seemed that Mirai might be losing steam, new evidence shows that it’s still dangerous—and even evolving.

Researchers following Mirai say that while the number of daily assaults dipped briefly, they’re now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other internet-of-things (IoT) gadgets it’s hijacked to power its streams of malicious traffic. That progression could actually increase the total population available to the botnet, they warn, potentially giving it more total compute power to draw on.

“There was an idea that maybe the bots would die off or darken over time, but I think what we are seeing is Mirai evolve,” says John Costello, a senior analyst at the security intelligence firm Flashpoint. “People are really being creative and finding new ways to infect devices that weren’t susceptible previously. Mirai is not going away.”
#1712 Cryptsetup vulnerability grants root shell access on some Linux systems
A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data.

Cryptsetup, a utility used to setup disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they’re likely vulnerable.

Two researchers, Hector Marco of the University of the West of Scotland and Ismael Ripoll, of the Polytechnic University of Valencia, in Spain, disclosed the vulnerability on Friday at DeepSec, a security conference held at the Imperial Riding School Renaissance Vienna Hotel in Austria.

According to the researchers, the script with the vulnerability (CVE-2016-4484) is in the Debian cryptsetup package 2:1.7.2-3 and earlier. Systems that use Dracut, an infrastructure commonly deployed on Fedora in lieu of initramfs – a simple RAM file system directory, are also vulnerable, according to the researchers. The pair say additional Linux distributions outside of Debian and Ubuntu may be vulnerable, they just haven’t tested them yet.
#1711 Chinese company installed secret backdoor on hundreds of thousands of phones
Security firm Kryptowire has uncovered a backdoor in the firmware installed on low-cost Android phones, including phones from BLU Products sold online through Amazon and Best Buy. The backdoor software, initially discovered on the BLU R1 HD, sent massive amounts of personal data about the phones and their users’ activities back to servers in China that are owned by a firmware update software provider. The data included phone number, location data, the content of text messages, calls made, and applications installed and used.

The company, Shanghai AdUps Technologies, had apparently designed the backdoor to help Chinese phone manufacturers and carriers track the behavior of their customers for advertising purposes. AdUps claims its software runs updates for more than 700 million devices worldwide, including smartphones, tablets, and automobile entertainment systems. It is installed on smartphones from Huawei and ZTE sold in China.
#1710 VMware patches VM escape vulnerability
VMware quickly turned around a patch for a critical code execution flaw that was worth $150,000 to the researchers who found it.

While there have been no reported public exploits, the vulnerability is serious because it could allow an attacker to access a virtual instance and run code on the host machine.

The bug was exploited during last week’s PwnFest hacker contest in South Korea, which ran alongside the Power of Community conference. Hackers from China’s Qihoo 360 also took down Google’s new Pixel mobile device, as well as Microsoft Edge and Adobe Flash, winning more than a half-million dollars in the process.
#1709 Privacy experts fear Donald Trump running global surveillance network
Privacy activists, human rights campaigners and former US security officials have expressed fears over the prospect of Donald Trump controlling the vast global US and UK surveillance network.

They criticised Barack Obama’s administration for being too complacent after the 2013 revelations by the NSA whistleblower, Edward Snowden, and making only modest concessions to privacy concerns rather than carrying out major legislative changes.

The concern comes after Snowden dismissed fears for his safety if Trump, who called him “a spy who has caused great damage in the US”, was to strike a deal with Vladimir Putin to have him extradited.

Snowden, in a video link-up from Moscow with a Netherlands-based tech company on Thursday, said it would be “crazy to dismiss” the prospect of Trump doing a deal but if personal safety was a major concern for him, he would not have leaked the top-secret documents in the first place.
#1708 Microsoft: Windows 7 is way more exposed to ransomware than Windows 10
If you want to escape the clutches of ransomware, the best thing you can do is install the Windows 10 Anniversary Update, according to Microsoft.

Microsoft says there's been a 400 percent rise in ransomware encounters affecting Windows since 2015, but older versions of Windows are more exposed to it and more prone to actual infection after an encounter. Microsoft says it has "made Windows 10 Anniversary Update the most secure Windows ever".

Devices on Windows 10 are 58 percent less likely to run into ransomware than Windows 7, Microsoft argues in a new white paper detailing in-built defenses against the extortion-ware.

Ransomware arrives either through email or the browser, both of which Microsoft has battened down in Windows 10.
#1707 Major Linux security hole gapes open
The security hole this time is with how Debian and Ubuntu, and almost certainly other Linux distributions, implement Linux Unified Key Setup-on-disk-format (LUKS). LUKS is the standard mechanism for implementing Linux hard disk encryption. LUKS is often put into action with Cryptsetup. It's in Cryptsetup default configuration file that the problem lies and it's a nasty one.

As described in the security report, CVE-2016-4484, the hole allows attackers "to obtain a root initramfs [initial RAM file system] shell on affected systems. The vulnerability is very reliable because it doesn't depend on specific systems or configurations. Attackers can copy, modify, or destroy the hard disc as well as set up the network to exflitrate data. This vulnerability is specially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse."
#1706 Kaspersky Lab Black Friday Threat Overview 2016
The Internet has changed forever how people shop. By 2018, around one in five of the world’s population will shop online; with ever more people doing so on a mobile device rather than a computer. In fact, it is estimated that by the end of 2017, 60% of e-commerce will come from smartphones. That’s millions of people enthusiastically browsing and buying while at home, at work, in restaurants, airports, and railway stations, walking down the street, standing in stores, and on holiday, often outside the protective reach of a secure, private wireless network.

Regardless of the device used, every interaction and transaction will generate a cloud of data that brands will want to capture in order to deliver ever more targeted and personalized offers. Unfortunately, others are waiting to seize consumers’ information too – through insecure public Wi-Fi networks, phishing emails and infected websites, among others. They are the cybercriminals, and they don’t have a consumer’s or even a brand’s best interests at heart.

The risks facing retailers and online shoppers peak during the busiest shopping days of the year: the late November Thanksgiving weekend that runs from Black Friday through to Cyber Monday, and all through December to Christmas and the New Year.
#1705 CrySis ransomware master decryption keys released
The threat posed by a ransomware family known as CrySis was diminished considerably on Sunday when the master decryption keys were released to the public.

Researchers at Kaspersky Lab said they have already folded the keys into the company’s Rakhni decryptor and victims of CrySis versions 2 and 3 now have a means of recovering their lost files.

The key was posted at 1 a.m. Eastern time to the forums by a user known only as crss7777, said founder Lawrence Abrams. Abrams speculates that it could have been the ransomware developer who posted the key on the site’s CrySis support forum page; the post included a Pastebin link to a header file written in C that contains the master decryption keys and instructions on how to use them.
#1704 Australian banks dismiss Android NFC past in Apple Pay negotiations
Sorry Australians with an Android phone, but you simply don't spend enough money to make it worthwhile to develop NFC solutions for you -- that would be one way to sum up the latest joint submission from CBA, NAB, Westpac, and Bendigo Bank to seek approval from the Australian Competition and Consumer Commission (ACCC) to collectively negotiate with Apple to gain access to the NFC element within iPhones.

The joint submission [PDF] from the banks is a response to those that have gone before it from Apple and the general public that have called on the ACCC to stare down the banks.

Core to the bank's argument is the idea that the public will benefit if Apple is made to acquiesce and hand over access to its precious NFC hardware.

"Without access to the iPhone's NFC functionality, there simply will not be the same incentives and ability to innovate for the benefit of Australian customers on either the iPhone platform or other platforms," the submission from the banks concludes.
#1703 Snapchat, Skype among apps not protecting users’ privacy
Tech companies like Snapchat and Skype’s owner Microsoft are failing to adopt basic privacy protections on their instant messaging services, putting users’ human rights at risk, Amnesty International said today.

The organization’s new ‘Message Privacy Ranking’ assesses the 11 companies with the most popular messaging apps on the way they use encryption to protect users’ privacy and freedom of expression across their messaging apps.
#1702 AdultFriendFinder network hack exposes 412 million accounts
A massive data breach targeting adult dating and entertainment company Friend Finder Network has exposed more than 412 million accounts.

The hack includes 339 million accounts from, which the company describes as the "world's largest sex and swinger community."

That also includes over 15 million "deleted" accounts that wasn't purged from the databases.

On top of that, 62 million accounts from, and 7 million from were stolen, as well as a few million from other smaller properties owned by the company.

The data accounts for two decades' worth of data from the company's largest sites, according to breach notification LeakedSource, which obtained the data.
#1701 Smartphone WiFi signals can leak your keystrokes, passwords, and PINs
The way users move fingers across a phone's touchscreen alters the WiFi signals transmitted by a mobile phone, causing interruptions that an attacker can intercept, analyze, and reverse engineer to accurately guess what the user has typed on his phone or in password input fields.

This type of attack, nicknamed WindTalker, is only possible when the attacker controls a rogue WiFi access point to collect WiFi signal disturbances.

Control over the WiFi access point is also imperial since the attacker must also know when to collect WiFi signals from the victim, in order to capture the exact moment when the target enters a PIN or password.

The attacker can achieve this by using the access over the WiFi access point to sniff the user's traffic and detect when he's accessing pages with authentication forms.
#1700 Russian banks hit by cyber-attack
Five Russian banks have been under intermittent cyber-attack for two days, said the country's banking regulator.

The state-owned Sberbank was one target of the prolonged attacks, it said.

Hackers sought to overwhelm the websites of the banks by deluging them with data in what is known as a Distributed Denial of Service (DDoS) attack.

Security firm Kaspersky said the attacks were among the largest it had seen aimed at Russian banks.
#1699 BlackNurse low-volume DoS attack targets firewalls
A type of denial of service attack relevant in the 1990s has resurfaced with surprising potency against modern-day firewalls. Dubbed a BlackNurse attack, the technique leverages a low-volume Internet Control Message Protocol (ICMP) -based attack on vulnerable firewalls made by Cisco, Palo Alto, SonicWall and others, according to researchers.

TDC Security Operations Center, a security firm that published a technical report (PDF) on BlackNurse this week, said the attack is more traditionally called a “ping flood attack.” In this type of assault, traffic volume doesn’t matter as much as the type of packets sent, researchers said.

According to TDC, BlackNurse is based on ICMP Type 3 (Destination Unreachable) Code 3 (Port Unreachable) requests. These are packet replies typically returned to ping sources indicating the destination port is “unreachable,” according to researchers.
#1698 OpenSSL patches high-severity DoS bug
OpenSSL on Thursday patched three vulnerabilities in its latest update, and reminded users running version 1.0.1 of the cryptographic library that that security support will end Dec. 31.

Of the three bugs, only one was rated high severity and could lead to OpenSSL crashes. Only OpenSSL 1.1.0 is affected, earlier versions are not. Users should upgrade to OpenSSL 1.1.0c.

The vulnerability was privately disclosed by Robert Swiecki, an information security engineer at Google.

The flaw affects TLS connections using ChaCha20-Poly1305, OpenSSL said; ChaCha20-Poly1305 is a ciphersuite in AEAD mode, and was recently standardized.

“TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash,” OpenSSL said. “This issue is not considered to be exploitable beyond a DoS.”
#1697 Tech support scammers bite Chrome users with forgotten 2014 bug
Tech support scammers have started exploiting a two-year-old bug in Google Chrome to trick victims into believing their PC is infected with malware.

The bug was discovered in Chrome 35 in July 2014 in the history.pushState() HTML5 function, a way of adding web pages into the session history without actually loading the page in question.

The developer who reported the issue published code showing how to add so many items into Chrome’s history list that the browser would effectively freeze.

It’s taken a while for cybercriminals to get around to exploiting this bug, but they’re now using it in a new attack reported by researcher slipstream/RoL.

From the descriptions of those who fell foul of the attack, Chrome would pop up a 'Prevent this page from creating additional dialogs' window, after which the browser would lock up.
#1696 New attack reportedly lets 1 modest laptop knock big servers offline
Researchers said they have discovered a simple way lone attackers with limited resources can knock large servers offline when they're protected by certain firewalls made by Cisco Systems and other manufacturers.

The denial-of-service technique requires volumes of as little as 15 megabits, or about 40,000 packets per second, to sever the Internet connection of vulnerable servers. The requirements are in stark contrast to recent attacks targeting domain name service provider Dyn and earlier security site KrebsOnSecurity and French Web host OVH. Those assaults bombarded sites with volumes approaching or exceeding 1 terabit per second. Researchers from Denmark-based TDC Security Operations Center have dubbed the new attack technique BlackNurse.
#1695 The first cryptor to exploit Telegram
Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.
#1694 What the Trump win means for tech, science, and beyond
Trump’s presidency could bring big changes to regulation of Internet service providers—but most of the changes are difficult to predict because Trump rarely discussed telecom policy during his campaign. The Federal Communications Commission’s net neutrality rules could be overturned or weakened, however, if Trump still feels the same way he did in 2014. At the time, he tweeted, “Obama’s attack on the internet is another top down power grab. Net neutrality is the Fairness Doctrine. Will target conservative media.”

Trump has promised "a temporary moratorium on new agency regulations," and he would like the FCC to fine journalists who are critical of him. Trump seems likely to take a deregulatory approach to telecom, benefiting Internet service providers who protested various new rules implemented under Democratic FCC Chairman Tom Wheeler. Aside from net neutrality, Trump hasn't discussed any specific telecom regulations that he’d like to change.
#1693 Netflix account takeover through automated phone calls
In the last few weeks I took a closer look on caller ID spoofing and the impact which this “feature” can have on todays online services. A few months ago I came across a great blogpost from Shubham Shah which is an Australian security researcher and pentester. You can find the post here.

He did great work 2 ½ years ago – he analyzed the impact of caller ID spoofing on 2 factor authentication on many popular services like Google, Facebook and so on. The caller ID is basically the number which gets displayed on the phone on the receiving end of the call. He was able to bypass the 2 factor authentication on this services quite effectively. For bypassing 2FA he used a long known issue which affects the authentication of voicemails - I will cover this topic in detail later on in this post.
#1692 Pawn Storm ramps up spear-phishing before zero-days get patched
The effectiveness of a zero-day quickly deteriorates as an attack tool after it gets discovered and patched by the affected software vendors. Within the time between the discovery of the vulnerability and the release of the fix, a bad actor might try to get the most out of his previously valuable attack assets. This is exactly what we saw in late October and early November 2016, when the espionage group Pawn Storm (also known as Fancy Bear, APT28, Sofacy, and STRONTIUM) ramped up its spear-phishing campaigns against various governments and embassies around the world. In these campaigns, Pawn Storm used a previously unknown zero-day in Adobe’s Flash (CVE-2016-7855, fixed on October 26, 2016 with an emergency update) in combination with a privilege escalation in Microsoft’s Windows Operating System (CVE-2016-7255) that was fixed on November 8, 2016.

After the fix of CVE-2016-7855 in Adobe’s Flash, Pawn Storm probably devalued the two zero-days in its attack tool portfolio. Instead of only using it against very high profile targets, they started to expose much more targets to these vulnerabilities. We saw several campaigns against still-high-profile targets since October 28 until early November, 2016.
#1691 Disassembling a mobile trojan attack
In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.
#1690 China’s new cybersecurity law is bad news for business
The Chinese government has passed new cybersecurity regulations Nov. 7 that will put stringent new requirements on technology companies operating in the country. The proposed Cybersecurity Law comes with data localization, surveillance, and real-name requirements.

The regulation would require instant messaging services and other internet companies to require users to register with their real names and personal information, and to censor content that is “prohibited.” Real name policies restrict anonymity and can encourage self-censorship for online communication.

The law also includes a requirement for data localization, which would force “critical information infrastructure operators” to store data within China’s borders. According to Human Rights Watch, an advocacy organization that is opposing the legislation, the law does not include a clear definition of infrastructure operators, and many businesses could be lumped into the definition.
#1689 Fake shopping apps are invading the iPhone
For tech-focused scammers, knocking off sneakers and handbags is so last decade.

Thieves in the digital age are slamming consumers right in the app.

A slew of knockoff shopping apps have quietly infiltrated Apple’s App Store in recent months, looking to lure unsuspecting iPhone owners with bogus deals on everything from jewelry to designer duds.

The fake apps mimic the look of legit apps — and have proliferated since this summer, experts said.

It didn’t help that earlier this month, Apple introduced search ads in its App Store. The fake apps are buying search terms, it would appear, to increase their exposure to consumers.
#1688 Clever Gmail hack let attackers take over accounts
Google patched a hole in its Gmail verification system last week that allowed an attacker to hijack a targeted Google Gmail account.

The discovery was made by Ahmed Mehtab, a security researcher and founder of Security Fuse. The hack is simple to execute and requires less than dozen steps to pull off.

The hack exploits an authentication or verification bypass vulnerability in a Gmail feature that allows you to send email from a second Gmail account. Mehtab said the attack is “similar to account takeover but here I — as an attacker — can hijack email addresses by confirming the ownership of email (account).” Exploiting the hack, an attacker can send email as if it was being sent from the compromised account. In addition, the attacker could have email forwarded to the compromised Gmail address.
#1687 Adobe patches nine code execution flaws in Flash Player
Two weeks after rushing out an emergency patch for a zero-day vulnerability, Adobe today released another Flash Player security update.

The new release patched nine vulnerabilities, all of which expose the host system to remote code execution. Adobe said it is not aware of public exploits against any of the vulnerabilities.

Adobe said desktop versions and earlier are affected on Windows and Mac platforms, as well as Google Chrome and Microsoft Edge and Internet Explorer 11 on Windows 10 and Windows 8.1.
#1686 Google stops AdSense attack that forced banking trojan on Android phones
Google has shut down an operation that combined malicious AdSense advertisements with a zero-day attack exploiting Chrome for Android to force devices to download banking fraud malware.

Over a two-month span, the campaign downloaded the Banker.AndroidOS.Svpeng banking trojan on about 318,000 devices monitored by Kaspersky Lab, researchers from the Moscow-based anti-malware provider reported in a blog post published Monday. While the malicious installation files weren't automatically executed, they carried names such as last-browser-update.apk and WhatsApp.apk that were designed to trick targets into manually installing them. Kaspersky privately reported the scam to Google, and engineers from the search company put an end to the campaign, although the timing of those two events wasn't immediately clear.
#1685 TrickBot banking trojan adds new browser manipulation tools
The TrickBot banking Trojan, a close relative to Dyre, has a growing target list and new browser manipulation techniques, experts at IBM X-Force said.

“We expect to see it amplify infection campaigns and fraud attacks, sharpen its aim on business and corporate accounts,” wrote Limor Kessem, executive security advisor with IBM in a security bulletin Tuesday.

TrickBot, Kessem said, has matured quickly over the past three months during its testing and development stage. She added, the banking Trojan has also implemented two of the “most advanced browser manipulation techniques observed in banking malware in the past few years.”
#1684 IPv4 addresses exhausted, networking standards must support IPv6
The slow move to IPv6 has crept past another milestone, with the Internet Architecture Board (IAB) stating on Monday that the pool of unassigned IPv4 addresses have been allocated.

"As a result, we are seeing an increase in both dual-stack (that is, both IPv4 and IPv6) and IPv6-only deployments, a trend that will only accelerate," the IAB said in a blog post. "Therefore, networking standards need to fully support IPv6."
#1683 Google releases supplemental patch for dirty COW vulnerability
Google’s November Android Security Bulletin, released Monday, patched 15 critical vulnerabilities and addressed 85 CVEs overall. But conspicuously absent is a fix for the Linux race condition vulnerability known as Dirty Cow (Copy-on-Write) that also impacts Android.

While Google didn’t issue an official fix for the Dirty Cow vulnerability (CVE-2016-5195), it did release “supplemental” firmware updates for its Nexus and Pixel handsets. According to Michael Cherny, head of security research at Aqua Security, Samsung also released the fix for Dirty Cow this month (SMR-NOV-2016), while other handset makers have not.
#1682 Microsoft patches zero-day disclosed by Google
Microsoft followed through and today patched a zero day vulnerability being exploited in public attacks that was publicly disclosed by Google researchers nine days ago.

The victims have yet to have been identified, but Microsoft did accuse the Sofacy APT gang of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.

Google’s disclosure on Oct. 31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.
#1681 Tesco Bank: 20,000 customers lose money
Tesco Bank has halted online payments for current account customers after money was taken from 20,000 accounts.

The bank's chief executive Benny Higgins told the BBC he was "very hopeful" customers would be refunded within 24 hours.

About 40,000 accounts saw suspicious transactions over the weekend, of which half had money taken, he said.

Customers will still be able to use their cards for cash withdrawals, chip and pin payments, and bill payments.

They can also use online banking, but cannot make online transactions until the situation is back under control, Mr Higgins told the BBC's Today programme.

Earlier, the bank confirmed some accounts "have been subject to online criminal activity, in some cases resulting in money being withdrawn fraudulently".

Mr Higgins also apologised for the "worry and inconvenience" that customers have faced.
#1680 Admins, update your databases to avoid the MySQL bug
MySQL, MariaDB, and PerconaDB administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database.

The two critical vulnerabilities, which can lead to arbitrary code execution, root privilege escalation, and server compromise, affect MySQL and forks like Percona Server, Percona XtraDB Cluster, and MariaDB, according to security researcher Dawid Golunski, who provided details of the vulnerability on LegalHackers. Administrators should install the latest updates as soon as possible, or in cases where the patches cannot be applied, they should disable symbolic link support within the database server configuration by setting symbolic-links=0 in my.cnf.
#1679 Inside the RIG exploit kit
Today’s most prolific exploit kit is RIG, which has filled a void left by the departure of Angler, Neutrino and Nuclear. That has made it public enemy No. 1 when it comes exploit kits. Now Cisco Talos researchers are hoping to shed new light into the ongoing development of the potent EK in hopes of neutralizing the RIG EK threat.

As with the unraveling of any EK, one of the keys to stopping infection rates is determining infection routes and how adversaries bypass security software and device.

In a deep analysis of RIG, Cisco Talos team outlined recently the unique nature of the exploit kit. In a nutshell, like other exploit kits the crew behind RIG are using gates to redirect their victims to their exploit kit. But what makes RIG unique, according Cisco Talos researchers is the way RIG combines different web technologies, such as DoSWF, JavaScript, Flash and VBscript to obfuscate the attack.
#1678 Test-run DDoS attacks against Liberia cease
Intermittent DDoS attacks powered by the largest of the many Mirai-powered botnets targeting the African nation of Liberia have ceased today.

Researcher Kevin Beaumont who disclosed the attacks on Thursday said also that the domain controlling the attacker’s command and control infrastructure was disabled by registrar eNom; that domain pre-dates the DDoS attacks two weeks ago against Dyn.

While the attacks against Liberia have been shut down, they did this week periodically interrupt Internet service to the country and one mobile service provider told the IDG News Service that the attacks were “killing” its business and revenue.
#1677 Android spyware targets business executives
Overreliance on smartphones, both in out personal and professional lives, is a reality for many of us. These devices hold a lot of sensitive information – information that could be worth a lot to some people, especially if you are a high-positioned executive in a thriving business.

Researchers from mobile security outfit Skycure have recently analyzed a malicious app they found on an Android 6.0.1 device owned by a VP at a global technology company.

The name of the malicious package is “”, and it comes disguised as a Google Play Services app. It disables Samsung’s SPCM service in order to keep running, installs itself as a system package to prevent removal by the user (if it can get root access), and also hides itself from the launcher.
#1676 Microsoft delays Enhanced Mitigation Experience Toolkit support cut-off to July 2018
Microsoft has extended by 18 months its end-of-life date for its Enhanced Mitigation Experience Toolkit (EMET) to July 2018.

At least some of you IT pros probably were aware, but I had not realized that Microsoft, until its announcement on November 3, was planning to drop EMET 5.5x support in January 2017 before the reprieve.

In a November 3 blog post entitled "Moving Beyond EMET," Microsoft officials noted that the first version of EMET was introduced in 2009.

Back then, "despite substantial improvements in Windows OS security during that same period, it was clear that the way we shipped Windows at the time (3-4 years between major releases) was simply too slow to respond quickly to emerging threats. Our commercial customers were particularly exposed since it often took years to deploy new OS versions in large scale environments," said the Softies.
#1675 New Bizarro sundown exploit kit spreads Locky
A new exploit kit has arrived which is spreading different versions of Locky ransomware. We spotted two cases of this new threat, which is based on the earlier Sundown exploit kit. Sundown rose to prominence (together with Rig) after the then-dominant Neutrino exploit kit was neutralized.

Called Bizarro Sundown, the first version was spotted on October 5 with a second sighting two weeks later, on October 19. Users in Taiwan and Korea made up more than half of the victims of this threat. Bizarro Sundown shares some features with its Sundown predecessor but added anti-analysis features. The October 19 attack also changed its URL format to closely resemble legitimate web advertisements. Both versions were used exclusively by the ShadowGate/WordsJS campaign.
#1674 This evil office printer hijacks your cellphone connection
Julian Oliver has for years harbored a strange obsession with spotting poorly disguised cellphone towers, those massive roadside antennae draped in fake palm fronds to impersonate a tree, or even hidden as spoofed lamp posts and flag poles. The incognito base stations gave him another, more mischievous idea. What about a far better-disguised cell tower that could sit anonymously in office, invisibly hijacking cellphone conversations and texts?

Earlier this week, the Berlin-based hacker-artist unveiled the result: An entirely boring-looking Hewlett Packard printer that also secretly functions as a rogue GSM cell base station, tricking your phone into connecting to it rather than your phone carrier’s tower, effectively intercepting your calls and text messages.

“For quite some time I’ve had an interest in this bizarre uncanny design practice of disguising cell towers as other things like trees,” says Oliver. “So I decided to build one into a printer, the most ubiquitous of indoor flora, and have it actually antagonize people’s implicit trust in these technologies.”
#1673 security flaw places millions of websites at risk
An XSS vulnerability discovered on the platform is putting millions of websites and their users at risk of attack.

The website hosting provider, which provides free drag-and-drop website building tools, hosts millions of websites with 87 million registered users -- and all of which are currently vulnerable to an XSS bug which can be utilized by attackers to create worms capable of taking over administrator accounts. This, in turn, gives attackers full control over websites.

On Wednesday, Matt Austin, security research engineer with Contrast Security, said in a blog post that has a severe DOM XSS vulnerability which can be exploited by simply adding a single parameter to any site created on
#1672 Teen pleads guilty to creating DDoS tool used in 1.7 million attacks
A 19-year-old UK teenager from Hertfordshire has pleaded guilty to creating and running the Titanium Stresser booter service, with which he launched 594 denial of service (DDoS) attacks.

According to a statement put out by the Bedfordshire Police, Adam Mudd developed the tool when he was just 15 years old.

He didn’t just use it to launch his own DDoS attacks. He also sold it online and ran it as a service, distributing it to cyber crooks.

Investigators are still working out the total amount Mudd made from the attacks, but their preliminary estimate is around $385,000.

Investigators determined that Mudd’s stressor – which is a tool used to flood networks with data, bogging them down until they’re dead in the water, non-functioning and vulnerable to compromise – was used in more than 1.7 million DDoS attacks worldwide.
#1671 Mirai botnet attackers are trying to knock an entire country offline
One of the largest Distributed Denial-of-Service (DDoS) attacks happened this week and almost nobody noticed.

Since the cyberattack on Dyn two weeks ago, the internet has been on edge, fearing another massive attack that would throw millions off the face of the web. The attack was said to be upwards of 1.1Tbps -- more than double the attack a few weeks earlier on security reporter Brian Krebs' website, which was about 620Gbps in size, said to be one of the largest at the time. The attack was made possible by the Mirai botnet, an open-source botnet that anyone can use, which harnesses the power of insecure Internet of Things (IoT) devices.

This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country, sending it almost entirely offline each time.

Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen.
#1670 Cisco patches critical bugs in 900 series routers, prime home server
Cisco Systems has issued two critical advisories addressing flaws in a variety of enterprise-class products ranging from its 900 Series Routers to its Cisco Prime Home server and cloud-based network management platform.

Service providers running Cisco ASR 900 Series routers are being warned that a vulnerability in the Transaction Language 1 (TL1) code of the router could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system, according to the advisory.

Cisco said software updates are available to patch the flaw (CVE-2016-6441) and that workarounds are also available that address the security vulnerability.
#1669 Outlook web access two-factor authentication bypass exists
Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.

A design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization’s email inboxes, calendars, contacts and more.

The problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA and it is not covered by two-factor authentication. EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and would enable access a user’s inbox.
#1668 GitLab patches command execution vulnerability
Developers with GitLab this week fixed a critical vulnerability in the open source repository management software that could have led to command execution and allowed an authenticated user to gain access to sensitive application files, tokens, or secrets.

HackerOne cofounder Jobert Abma unearthed the vulnerability last week and reported it to the company through GitLab’s bug bounty program. GitLab addressed the issue (CVE-2016-9086) when it rolled out version 8.13.3 of the software late Wednesday.
#1667 Cisco job applicants warned of potential mobile site data leak
Users of Cisco's Professional Careers mobile site,, have been warned of a potential leak of their data, which the networking giant is pinning on an incorrect security setting.

"Cisco's investigation found this to be the result of an incorrect security setting following system maintenance on a third-party's website," the company said in its advisory. "Upon learning this, the setting was immediately corrected and user passwords to the site were reset."

The setting was found to be in place between August and September 2015, and July and August 2016, the company said.
#1666 10 gadgets every white hat hacker needs in their toolkit
Sometimes, during security audits, we may encounter a situation where everything is being managed correctly. In other words security patches, policies, network segmentation, antivirus, and user awareness, to name just a few measures, are being applied properly. That’s when, in order to continue the analysis from the perspective of a security researcher or consultant, social engineering and a number of other tools, some of which we will look at in this post, start to play more importance, being perhaps the only ones that can allow an attacker to penetrate the target system.

The tools in question are mainly pieces of hardware designed for security research or projects. So here’s a list of the 10 tools every white hat hacker needs.
#1665 NSS Labs tests leading web browsers for secure end user experience
Socially engineered malware (SEM) remains one of the most common security threats facing Internet users today, claiming as much as one third of Internet users as victims. These attacks pose a significant risk to individuals and organizations by threatening to compromise, damage, or acquire sensitive personal and corporate information. Europeans and Americans have increasingly found themselves targets of ransomware over the last 12 months.

Phishing attacks pose a significant risk to individuals and organizations alike, by threatening to compromise or acquire sensitive personal and corporate information. In 2016, over 145,000 unique email phishing campaigns were reported each month, and 125,000 unique phishing websites were detected each month— the highest ever recorded. Phishing attacks are becoming more complex and sophisticated, making these attacks harder to detect and difficult to prevent.
#1664 LastPass brings free password management to all your devices
LastPass now allows users to set up password vaults across multiple devices and browsers for free.

On November 2, the password management company said that starting today, LastPass has upgraded the firm's free solution to include synchronization to multiple devices.

While users have always been able to use certain features for free -- such as password generation, secure notes, automatic saving, and password filling on one device -- this information can now be spread across any internet-connected device, which was once a premium-only feature.
#1663 Critical MySQL vulnerabilities can lead to server compromise
Critical vulnerabilities in MySQL and vendor deployments by database servers MariaDB and PerconaDB have been identified that can lead to arbitrary code execution, root privilege escalation and server compromise.

Dawid Golunski of Legal Hackers published details around two proof-of-concept exploits for the vulnerabilities on Tuesday.

Both vulnerabilities affect MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier, along with MySQL database forks such as Percona Server and MariaDB.

The first vulnerability, a privilege escalation/race condition bug (CVE-2016-6663) is the more severe of the two. It can allow a local system user that has access to a database to escalate their privileges and execute arbitrary code as the database system user, Golunski said in an advisory. From there, an attacker could successfully access all of the databases on the affected database server.
#1662 Three ways hackers can invade your home (VIDEO)
Even your kettle could give them a way in, as cyber security expert Ken Munro explains as the chancellor announces plans to improve cybersecurity.
#1661 Another internet outage takes down services in US and UK
Parts of the internet went down across the U.S. and in the U.K. Wednesday morning as service provider Level 3 Communications reported an outage.

Level 3, which provides internet and voice services to businesses, said the company did not yet know the cause of the outage, which temporarily disrupted or slowed service to some customers.

By early afternoon, the company said the network was "operating under normal conditions."

"We continue to monitor for any residual issues stemming from this morning's incident," Nikki Wheeler, senior director of media relations, wrote in an email.

Some users complained on Twitter and Reddit about continued service interruptions into Wednesday afternoon.

As of Wednesday evening, Wheeler said they'd found the issue, which they believed to be "a configuration error."
#1660 Critical vulnerabilities pose a serious threat to Joomla sites
Joomla, the world’s second most popular web content management system (CMS), has been under sustained attack for several days, thanks to a nasty pair of vulnerabilities disclosed last week.

Security announcements 20161001 (CVE-2016-8870) and 20161002 (CVE-2016-8869) describe how flaws in Joomla’s user registration code could allow an attacker to “register on a site when registration has been disabled” and then “register … with elevated privileges”.

If the significance of those two statements hasn’t entirely sunk in let me make it plain: taken together, the vulnerabilities can be used to unlock any site running Joomla, anywhere on the internet, with little more than a polite request detailing what you’d like to be called and how much power you want.
#1659 Web Bluetooth API privacy
Web Bluetooth - a web API under development, and will be one of the core components of Web of Things, the application layer of Internet of Things. It will enable sensors, beacons and user devices to communicate with each other. But at first: it will enable a web browser to contact the user's connected devices such as smartphones, kettles, toasters, TVs, thermostats, heart rate monitors, and so on. Imagine a world where every web site can connect to devices near you - or on you.

It's imperative to design this layer with security and privacy in mind. We currently experience some of the cheers related to widely distributed Internet of Things devices used as massive attack tools.
#1658 Security update patches 13 Android vulnerabilities discovered by Trend Micro
Mobile threats are trending upward, with vulnerability exploits gaining traction. The silver lining? More of these vulnerabilities are also disclosed, analyzed and detected. This helps better mitigate Android devices from zero-days and malware, enabling OEMs/vendors to more proactively respond to these threats. This is echoed by our continuous initiatives on Android vulnerability research: from June to August 2016, for instance, we’ve discovered and disclosed 13 vulnerabilities to Google. Their real-world impact ranges from battery drainage and unauthorized capture of photos, videos, and audio recordings, to system data leakage and remote control. This is on top of 16 other security flaws we’ve uncovered that were cited in Android/Google’s security bulletins from January to September this year.

The 13 vulnerabilities were not rated as critical, but they provide more attack vectors for the bad guys. A root exploit can be developed by chaining some of them, for instance. A malicious app can target a vulnerability in the camera server to compromise its driver to ultimately gain root privilege to the device.
#1657 AtomBombing: A code injection that bypasses current security solutions
Our research team has uncovered new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which exists by design of the operating system, to bypass current security solutions that attempt to prevent infection. We named this technique AtomBombing based on the name of the underlying mechanism that this technique exploits.

AtomBombing affects all Windows version. In particular, we tested this against Windows 10.

Unfortunately, this issue cannot be patched since it doesn’t rely on broken or flawed code – rather on how these operating system mechanisms are designed.
#1656 Killing Mirai: Active defense against an IoT botnet
In recent weeks the world has witnessed the concept of an IoT botnet turn from theory to reality, with devastating consequences. While the ISPs, DDoS mitigation services, and others scramble to figure out how to augment traditional defenses to handle this new threat, we decided to investigate a less conventional approach. Attackers often rely on exploiting vulnerabilities in software we own to install their tools on our systems. When these tools reside on an IoT device things become even more complicated, because the attacker may now have more access to device than we do. So why not use their own strategy against them?

This is the first in a series of posts that will uncover vulnerabilities in the Mirai botnet, and show how exploiting these vulnerabilities can be used to stop attacks. Note, we are not advocating counterattack, but merely showing the possibility of using an active defense strategy to combat a new form of an old threat.
#1655 Google joins Mozilla and Apple in distrusting WoSign certificates
With the release of Chrome version 56, expected to happen in January 2017, certificates issued by WoSign and its recently acquired StartCom certificate authority (CA) after midnight on October 21 will not be trusted by the browser.

Google said in a blog post that certificates issued prior to October 21 would be trusted if they complied with Chrome's Certificate Transparency policy, or the domain using the credentials was on a whitelist of domains known to be customers of the two authorities.

"Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance," Andrew Whalley of Chrome Security said. "As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56."
#1654 Kaspersky DDOS intelligence report for Q3 2016
In the last few months the scale of the global ‘Cybercrime as a Service’ infrastructure has been revealed – fully commercialized, with DDoS as one of the most popular services capable of launching attacks the likes of which have never seen before in terms of volume and technological complexity.

Against this background, Europol published the 2016 Internet Organized Crime Threat Assessment (IOCTA) on 28 September, which is based on the experiences of law enforcement institutions within the EU member states. The report clearly ranks DDoS in first place as a key threat and that any “Internet facing entity, regardless of its purpose or business, must consider itself and its resources to be a target for cybercriminals”.

Most likely, this stems from early September when Brian Krebs, an industry security expert, published an investigation outlining the business operations of a major global DDoS botnet service called vDOS and its principal owners, two young men in Israel. The culprits have been arrested and investigations are ongoing, but the sheer scale of their business is stunning.
#1653 Your home’s online gadgets could be hacked by ultrasound
This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.

But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.

So far, this kind of ultrasound technology has mainly been used as a way for marketers and advertisers to identify and track people exposed to their messages, like a cross-device cookie. High-frequency audio “beacons” are embedded into TV commercials or browser ads. These sounds, which are inaudible to the human ear, can be picked up by any nearby device that has a microphone and can then activate certain functions on that device. But the technology has many more applications. Some shopping reward apps, such as Shopkick, already use it to let retailers push department or aisle-specific ads and promotions to customers’ phones as they shop.

“It doesn’t require any special technology,” Mavroudis says. “If you’re a supermarket, all you need are regular speakers.”
#1652 Bug bounty hunter launches accidental DDoS attack on 911 systems via iOS bug
The Maricopa County Sheriff's Office Cyber Crimes Unit arrested Meetkumar Hiteshbhai Desai, an 18-year-old teenager from the Phoenix area, for flooding the 911 emergency system with hang-up calls.

According to a press release from the Maricopa County Sheriff's Office, Desai created a JavaScript exploit, which he shared on Twitter and other websites with his friends.

People accessing Desai's link from their iPhones saw their phone automatically dial and redial 911.

As Desai told Maricopa County officers, he was only interested in discovering bugs in iOS, which he could report to Apple and thus possibly earn money or recognition among his friends.

Desai said that he received a tip about a bug in iOS, which he successfully exploited. During his tests, the teenager created several weaponized versions of this bug which would constantly dial a phone number, or show annoying popups.

The teenager says he wanted to prank his friends, thinking it would be "funny," but when he shared the weaponized link online, he shared a version that instead of showing annoying popups, redialed a phone number, which in this case was 911.
#1651 Google identified major vulnerability in Apple’s OS and iOS cores
Google’s Project Zero team, established two years ago as a task-force against zero day exploits, identified a coding exploit in the underlying kernel of Apple’s OSX and it’s mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS.

The exploit was reported to Apple in June by PZ member Ian Beer, after which Apple requested a 60-day period of grace to address the problem before it went public. Google initially refused the request, but eventually agreed a deadline of September 21st to disclose the exploit.

However, the fix that Apple created for the problem directly prior to disclosure was unsuccessful, and that deadline was allowed to pass. In effect Apple got nearly five months to address the issue – which it has now done, with this week’s release of OSX 10.12.1 and last week’s release of iOS 10.1, which also featured a remedy for the kernel vulnerability.
#1650 How security flaws work: SQL injection
Thirty-one-year-old Laurie Love is currently staring down the possibility of 99 years in prison. Love was recently told he'll face extradition to the US, where he stands accused of attacking systems belonging to the US government. The attack was allegedly part of the #OpLastResort hack in 2013, which targeted the US Army, the US Federal Reserve, the FBI, NASA, and the Missile Defense Agency in retaliation over the tragic suicide of Aaron Swartz as the hacktivist infamously awaited trial.

Love is accused of participating in the #OpLastResort initiative through SQL injection attacks, an increasingly common tactic. SQL injections have recently been detected against state electoral boards, and these attacks are regularly implicated in thefts of financial info. Today, they've become a significant and recurring problem.
#1649 New, more-powerful IoT botnet infects 3,500 devices in 5 days
There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report.

Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.
#1648 Microsoft says Russian APT group behind zero-day attacks
Microsoft has singled out Sofacy, an APT group long thought to have ties to Russia’s military intelligence arm GRU, as the entity behind targeted attacks leveraging Windows kernel and Adobe Flash zero days in targeted attacks.

The group, which Microsoft calls Strontium, is also known as APT28, Tsar Team and Sednit among other identifiers.

Microsoft said the zero day vulnerability, the existence of which along with limited details were disclosed on Monday by Google, will be patched Nov. 8. Google said yesterday it privately disclosed both zero days, which were used in tandem in these targeted attacks against unknown victims, to Microsoft and Adobe on Oct. 21. Adobe rushed an emergency patch for Flash Player on Oct. 26, while Microsoft had yet to acknowledge the vulnerability until Google’s disclosure. Microsoft was critical of Google’s action yesterday and reiterated its stance today in a post, providing some details on the vulnerability and attacks.
#1647 Firefox disables loophole that allows sites to track users via battery status
Mozilla Firefox is dropping a feature that lets websites see how much battery life a visitor has left, following research showing that it could be used to track browsers.

The feature, called the battery status API, allows websites to request information about the capacity of a visitor’s device, such as whether or not it’s plugged in and charging, how long it will last until it is empty, and the percentage of charge remaining.

It was intended to allow websites to offer less energy-intensive versions of their sites to visitors with little battery power left: for instance, a mapping site could download less information, or a social network could disable autoplaying video.
#1646 Phony Android Flash player installs banking malware
Security researchers warn that a bogus Flash Player app aimed at Android mobile devices has surfaced and is luring victims to download and install banking malware that steals credit card information and can defeat two-factor identification schemes.

Wells Fargo, Discovery Financial and Chase customers, along with services such as Skype, Snapchat and Facebook are targeted in these attacks. Fortinet researchers said Tuesday the phony Flash Player was spotted Oct. 21. While it is not available via the Google Play app store, it’s unclear how it’s being distributed.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12