Security Alerts & News
by Tymoteusz A. Góral

History
#1824 Census outage marked boom year for global DDoS attacks
The magnitude of distributed denial of service (DDoS) attacks rose consistently throughout 2016, a report from communications and analysis firm Neustar has revealed.

The company said in a new report that the frequency of DDoS attack mitigations by Neustar has increased by 40 per cent compared to the same period of time in 2015.

Based on the firm’s global survey of more than 1,000 IT security professionals, results also showed that 85 per cent of attacked organisations were attacked more than once and 44 per cent were attacked more than five times.
#1823 Strong protection for MacOS Sierra: 12 packages put to the test
Every MacOS Sierra user can fortify their system protection with a good security solution. While Apple does provide good proprietary system protection for MacOS Sierra, infections do occur consistently. Many of the 12 packages currently tested offer good protection and put hardly any load on the Mac. Some of them are even available as freeware.

Even if there are far fewer malware samples out there for MacOS Sierra than for Windows, this does not make them any less dangerous. Too often, the danger of a successful malware attack is played down and described as improbable. But when it does happen, it wreaks total havoc. One of those "improbable" cases, involving hundreds of thousands of hijacked Macs, was in fact called Flashback. There continue to be malware programs with a valid Apple certificate, in which case they are not stopped by the protection integrated in MacOS Sierra.
#1822 Cyber criminal jailed for five years for his part in £840k fraud
A 29-year-old cyber criminal has been jailed following an investigation by the Metropolitan Police’s Falcon Cyber Crime Unit. Detectives identified the man as being a key player in an organised criminal network that was illegally accessing online bank accounts around the world to steal around £840,000 from victims.

Tomasz Skowron (10.09.87) of Meredith Road, Worthing was sentenced on Monday, 19 December at Croydon Crown Court to five years and three months’ imprisonment after he pleaded guilty to conspiracy to defraud, fraud and money laundering offences.

Skowron was linked to a major online banking fraud after detectives from the Met’s Falcon (Fraud and linked crime online) Cyber Crime Unit identified that he was responsible for several fraudulent payments into money mule accounts, and that several thousand pounds had also been paid directly into accounts under his control.

In December 2014, a malware virus infected computers and victims around the world, with several victims and companies in Australia being affected. From intelligence received from the banking industry, officers identified several fraudulent payments had been made from the Commonwealth Bank of Australia into UK bank accounts. Working closely with the banks involved, officers managed to identify a common IP address that was linked to several of the payments made into UK accounts.
#1821 Op-ed: Why I’m not giving up on PGP
Every once in a while, a prominent member of the security community publishes an article about how horrible OpenPGP is. Matthew Green wrote one in 2014 and Moxie Marlinspike wrote one in 2015. The most recent was written by Filippo Valsorda, here on the pages of Ars Technica, which Matthew Green says "sums up the main reason I think PGP is so bad and dangerous."

In this article I want to respond to the points that Filippo raises. In short, Filippo is right about some of the details, but wrong about the big picture. For the record, I work on GnuPG, the most popular OpenPGP implementation.
#1820 Google using Project Wycheproof to scan crypto software for security holes
The Google Security Team has a new set of security tests to check cryptographic software libraries for known weaknesses. The company has already used Project Wycheproof to create more than 80 test cases that have so far uncovered more than 40 security bugs.

The project is developed and maintained by members of the Google Security Team, but isn’t an official Google product. It’s named after Mount Wycheproof, the smallest mountain in the world.

“The main motivation for the project is to have a goal that is achievable,” Google security engineers Daniel Bleichenbacher and Thai Duong wrote in the company’s security blog. “The smaller the mountain the more likely it is to be able to climb it!”

Security holes already uncovered using Project Wycheproof include the ability to recover the private key of widely used DSA and ECDHC implementations. As part of the project, the team provides “ready-to-use” tools to check Java Cryptography Architecture providers such as Bouncy Castle and the default providers in OpenJDK.
#1819 Cyberattack suspected in Ukraine power outage
Security experts are investigating whether a power outage that affected parts of the Ukrainian capital, Kiev, and the surrounding region this weekend was the result of a cyberattack. If confirmed, it would be the second blackout caused by hackers in Ukraine.

The incident affected the automation control systems at the northern power substation near Novi Petrivtsi, a village near Kiev, close to midnight between Saturday and Sunday. This resulted in complete power loss for the northern part of Kiev on the right bank of the Dnieper river and the surrounding region.

Engineers from Ukrenergo, Ukraine's national power company, switched the equipment to manual control mode and started restoring power within 30 minutes, said Vsevolod Kovalchuk, acting director of Ukrenergo, in a post on Facebook. Full power was restored to all affected areas in about an hour and 15 minutes.
#1818 Protect your PC from ransomware with RansomFree
Cybereason’s mission is to put an end to cyber crime. And in order to put an end to one of the most profitable cyber operations of the recent years – ransomware – we have to make it unprofitable for the criminals. That’s why we are launching RansomFree: free, easy-to-install ransomware protection software, available for download for every individual and business that lacks the budget and skills to fight back.
#1817 The many evolutions of Locky
First spotted in February 2016, the Locky crypto-ransomware has become a dangerous threat to both large organisations and residential users alike. In this blog we give a brief overview of what Locky is and cover the significant aspects of its infamous history.
#1816 Report: $3-5M in ad fraud daily from Methbot
New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

Now researchers say they’ve uncovered a new class of ad robot or “bot” fraud that was designed from the ground up to keep its nose clean — running not on infected hosts but instead distributed across a vast, rented network of dedicated Web servers and computers.
#1815 Practical reverse engineering part 5 - digging through the firmware
I’m gonna explain some basic theory on the Linux architecture, disassembling binaries, and other related concepts. Feel free to skip some of the parts marked as [Theory]; the real hunt starts at ‘Looking for the Default WiFi Password Generation Algorithm’. At the end of the day, we’re just: obtaining source code in case we can use it, using grep and common sense to find potentially interesting binaries, and disassembling them to find out how they work.
#1814 Bypassing exploit protection of NORTON Security
Norton could detect only stack pivots, and it does so with the help of ring3 hooks on critical functions like LoadLibrary, VirtualProtect and VirtualAlloc. They have injected JUMPs into the functions' prologues to intercept all calls. In their handler they check whether the current stack frame is the "original" one. If not, they raise an exception like the one in that screenshot. So if no stack pivoting happens during the exploit (say a simple BoF where the ROP chain and shellcode are on the same stack), the attack will be neither stopped nor detected.
#1813 The banker that encrypted files
Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world.

We have managed to detect several thousand Faketoken installation packages capable of encrypting data, the earliest of which dates back to July 2016. According to our information, the number of this banker’s victims exceeds 16,000 users in 27 countries, with most located in Russia, Ukraine, Germany and Thailand.

Trojan-Banker.AndroidOS.Faketoken is distributed under the guise of various programs and games, often imitating Adobe Flash Player.
#1812 0-days hitting Fedora and Ubuntu open desktops to a world of hurt
If you run a mainstream distribution of Linux on a desktop computer, there's a good chance security researcher Chris Evans can hijack it when you do nothing more than open or even browse a specially crafted music file. And in the event you're running Chrome on the just-released Fedora 25, his code-execution attack works as a classic drive-by.

The zero-day exploits, which Evans published on Tuesday, are the latest to challenge the popular conceit that Linux, at least in its desktop form, is more immune to the types of attacks that have felled Windows computers for more than a decade and have increasingly snared Macs in recent years.

While Evans' attacks won't work on most Linux servers, they will reliably compromise most desktop versions of Linux, which employees at Google, Facebook, and other security conscious companies often use in an attempt to avoid the pitfalls of Windows and Mac OS X. Three weeks ago, Evans released a separate Linux zero-day that had similarly dire consequences.
#1811 Mobile ransomware: How to protect against it
In our previous post, we looked at how malware can lock devices, as well as the scare tactics used to convince victims to pay the ransom. Now that we know what bad guys can do, we’ll discuss the detection and mitigation techniques that security vendors can use to stop them. By sharing these details with other researchers, we hope to improve the industry’s collective knowledge on mobile ransomware mitigation.
#1810 This $300 device lets you steal a Mac encryption password in 30 seconds
If you’re paranoid, and you know what hackers can do when they can get their hands on your computer even for just a few moments, you probably already know that you shouldn’t leave your laptop unattended.

Now, if you’re an Apple user, you have another great reason not to do that.

Using a contraption that costs around $300 and some open source software, a hacker could steal your MacBook password from your own laptop while it’s sleeping or locked in just 30 seconds. This would allow them to unlock the computer and even decrypt the files on your hard drive. In other words, game over.
#1809 Hit by ransomware? No More Ransom portal adds 32 more free decryption tools to help you
A scheme which enables victims of ransomware to decrypt their files and data for free is now offering even more decryption tools thanks to new partners pledging to help take the fight to cybercriminals.

Launched by Europol, the Dutch National Police, Intel Security, and Kaspersky Lab in July this year, the No More Ransom initiative provides keys to unlocking encrypted files, as well as information on how to avoid getting infected in the first place.

The website initially launched with four tools for unlocking different types of ransomware, including the notorious CryptXXX. During its first two months, No More Ransom helped 2,500 people rescue their data, depriving cybercriminals of more than €1.35 million in ransom.
#1808 Bye, privacy: Evernote will let its employees read your notes
Evernote is changing its privacy policy to let employees read its customers' notes, and they can't opt out.

Users have until Jan. 23 to move their notes out of the company's system and delete their accounts if they want to avoid the sanctioned snooping. Companies using Evernote Business can have their administrators opt out, but users won't have individual control over it.

The change is part of a push by the company to enhance its machine learning capabilities by letting a select number of employees view the private information of its users to help with the training of algorithms.
#1807 DNSChanger exploit kit hijacks routers, not browsers
Attackers are targeting more than 166 router models with an exploit kit called DNSChanger that is being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn’t target browsers but rather a victim’s router.

Some of the vulnerable routers include specific models made by D-Link, Netgear and those that serve the SOHO market such as Pirelli and Comtrend, according to Proofpoint which published its research Tuesday. Owners of routers vulnerable to DNSChanger are urged to update their equipment’s firmware.

The router vulnerability exploited by DNSChanger is not to be confused with the vulnerabilities found in Netgear routers last week that could allow an attacker to gain root access to devices remotely.
#1806 IBM finds most businesses pay ransomware demands
IBM Security report reveals that 70 percent of businesses impacted by ransomware pay attackers, but there is hope in sight, as IBM's Resilient Incident Response Platform adds a new Dynamic Playbook to help organizations respond to attacks.

There has been a chorus line of vendors in 2016 proclaiming an increase in ransomware threats. IBM is now adding to the mix with a security study released on Dec. 14, reporting that 70 percent of businesses impacted by ransomware end up paying the ransom. IBM is going a step beyond just reporting on ransomware, with a new Dynamic Playbook for Ransomware capabilities in its Resilient Incident Response platform.

The 23-page IBM Security study surveyed 600 business leaders and 1,021 consumers in the U.S. 46 percent of business respondents reported that they had experienced ransomware in their organizations. Of the 46 percent that have been impacted by ransomware, 70 percent admitted that their organization paid the ransom.
#1805 Flash will become click-to-run in Edge, Chrome in 2017
The Windows 10 Creators Update, due in spring next year, is going to make almost all Flash content click-to-run in the Edge browser.

The Windows 10 Anniversary Update already applied click-to-run to most online advertising, following in the steps of Safari and Chrome. In the next major update, Microsoft will extend the restrictions on Flash. By default, Flash will not be loaded or offered to sites, and users will have to opt to enable it on a site-by-site basis. A handful of popular, Flash-dependent sites will see the plugin enabled automatically, with Microsoft intending to cut down this whitelist as more and more sites switch their interactive content to be native HTML5.

Earlier this year, Google announced a similar plan for Chrome. Currently, 1 percent of users of the stable Chrome 55 release have click-to-run enabled by default, along with 50 percent of users of the Chrome 56 beta release. When the stable Chrome 56 release is made in February, Flash click-to-run will be enabled by default for everyone. Google also intends to whitelist the ten most popular Flash-dependent sites, though it says that this whitelist will only be in place for a year.
#1804 'One billion' affected by Yahoo hack
Yahoo has said more than one billion user accounts may have been affected in a hacking attack dating back to 2013.

The internet giant said it appeared separate from a 2014 breach disclosed in September, when Yahoo revealed 500 million accounts had been accessed.

Yahoo said names, phone numbers, passwords and email addresses were stolen, but not bank and payment data.

The company, which is being taken over by Verizon, said it was working closely with the police and authorities.

Yahoo said in a statement that it "believes an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts."

The breach "is likely distinct from the incident the company disclosed on September 22, 2016".

However, the three-year-old hack was uncovered as part of continuing investigations by authorities and security experts into the 2014 breach, Yahoo said.

Account users were urged to change their passwords and security questions.
#1803 First version of sandboxed Tor browser available
Developers at the Tor Project have started working on a sandboxed version of the Tor Browser, currently available as an early alpha version for Linux systems.

Sandboxing is a security mechanism employed to separate running processes. In computer security, sandboxing an application means separating its process from the OS, so vulnerabilities in that app can't be leveraged to extend access to the underlying operating system.

This is because the sandboxed application works with its own separate portion of disk and memory that isn't linked with the OS.
#1802 SWIFT confirms new cyber thefts, hacking tactics
Cyber attacks targeting the global bank transfer system have succeeded in stealing funds since February’s heist of $81 million from the Bangladesh central bank as hackers have become more sophisticated in their tactics, according to a SWIFT official and a previously undisclosed letter the organization sent to banks worldwide.

In a Nov. 2 letter seen by Reuters, the messaging network warned banks of the escalating threat to their systems. The attacks and new hacking tactics underscore the continuing vulnerability of the SWIFT messaging network, which handles trillions of dollars in fund transfers daily.

"The threat is very persistent, adaptive and sophisticated – and it is here to stay," SWIFT said in the November letter to client banks, seen by Reuters.
#1801 Malware found in the firmware of 26 low-cost Android devices
Security researchers have found malware hidden in the firmware of several low-end Android smartphones and tablets, malware which is used to show ads and install unwanted apps on the devices of unsuspecting users.
#1800 Beta firmware updates available for vulnerable Netgear routers
Netgear has begun pushing out beta versions of firmware updates that will address a critical vulnerability that was disclosed late last week.

The networking vendor also confirmed that many more routers in its Nighthawk line are vulnerable than originally reported. The flaw allows attackers to carry out command injection attacks, and is reportedly trivial to exploit.

“While we are working on the production version of the firmware, we are providing a beta version of this firmware release. This beta firmware has not been fully tested and might not work for all users,” Netgear said in an advisory updated today. “NETGEAR is offering this beta firmware release as a temporary solution, but NETGEAR strongly recommends that all users download the production version of the firmware release as soon as it is available.”
#1799 Modern attacks on Russian financial institutions
Today, Virus Bulletin published the paper we presented in Denver earlier this year titled Modern Attacks on Russian Financial Institutions. In this paper, we review the different actors targeting financial institutions in this region and which systems they are targeting.

Over the past few years, attacks against Russian financial institutions have increased substantially. One key aspect of this trend is the specialization of the threat actors. This is clearly visible in some of the attacks that are highlighted in our paper, such as the one targeting the ruble exchange rate. In this case documented by Group-IB, fraudsters were able to control a trading terminal, which they used to issue buy and sell orders for the Russian ruble.
#1798 Android, iOS secure ID: Estonia says it's taking digital authentication to new levels
Using a mobile device to access e-services and provide digital signatures isn't new in Estonia. A very popular SIM-based mobile digital identity system, called Mobiil-ID, was introduced in 2007.

But now Estonia's certification authority Certification Centre, or SK, says it's going to launch a new digital authentication app for Android and iOS called Smart-ID early next year.

SK's CEO Kalev Pihl tells ZDNet that although the new app, developed with Norwegian tech firm Cybernetica, isn't built to replace the old system, it's seen as a way of drawing in all the potential clients who for various reasons are not using Mobiil-ID.
#1797 Apple ships iOS 10.2, fixes ‘Find my iPhone’ hole plus five lockscreen bugs
Apple just released iOS 10.2, the latest upgrade for its iDevices.

Lots of the articles you may have seen so far talk about the new features that were introduced, listed by Apple on the Software Update screen.
#1796 Three serious Linux kernel security holes patched
The good news is developers are looking very closely at Linux's core code for possible security holes. The bad news is they're finding them.

At least the best news is that they're fixing them as soon as they're uncovered.

The latest three kernel vulnerabilities are designated CVE-2016-8655, CVE-2016-6480, and CVE-2016-6828. Of these, CVE-2016-8655 is the worst of the bunch. It enables local users, which can include remote users with virtual and cloud-based Linux instances, to crash the system or run arbitrary code as root.
#1795 Fancy Bear ramping up infowar against Germany - and rest of West
US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials' systems. But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany's chief of domestic intelligence warned yesterday.

In a press release issued on December 8, Germany's Bundesamt für Verfassungsschutz (BfV), the country's domestic intelligence agency, warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of "extremist groups and parties" in Germany and destabilizing the German government. In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of "spear phishing attacks against German political parties and parliamentary groups" using the same sort of malware used against the Democratic National Committee in the US.
#1794 Netgear users advised to stop using affected routers after severe flaw found
Several leading Netgear routers are vulnerable to a severe security flaw.

An advisory posted on Friday in Carnegie Mellon University's public vulnerability database (CERT) said that Netgear's R7000 and R6400 routers, running current and recent firmware respectively, are vulnerable to an arbitrary command injection flaw.

If exploited, the vulnerability could let an unauthenticated attacker run commands with root privileges.

The code to exploit the vulnerability -- effectively just a URL -- has been released publicly, allowing anyone to carry out attacks.
#1793 Sony closes backdoors in IP-enabled cameras
Sony, in late November, provided a firmware update for a popular IP-enabled camera line used by enterprises and law enforcement alike that closed off remote administration backdoors. The backdoors could be abused to draft these devices into botnets or allow for manipulation of images and advancement into the network.

The update for the Sony IPELA Engine IP Cameras was made available Nov. 28, more than a month after it was privately disclosed by SEC-Consult researcher Stefan Viehbock.

“An attacker can use cameras to take a foothold in a network and launch further attacks, disrupt camera functionality, send manipulated images/video, add cameras into a Mirai-like botnet or to just simply spy on you,” SEC-Consult wrote today in its public disclosure. The company said 80 different Sony cameras were backdoored.
#1792 Researchers find fresh fodder for IoT attack cannons
New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai.

In a blog post published today, Austrian security firm SEC Consult said it found two apparent backdoor accounts in Sony IPELA Engine IP Cameras — devices mainly used by enterprises and authorities. According to SEC Consult, the two previously undocumented user accounts — named “primana” and “debug” — could be used by remote attackers to commandeer the Web server built into these devices, and then to enable “telnet” on them.
#1791 Zeus variant ‘Floki bot’ targets PoS data
Researchers have observed an uptick in attacks using the banking malware Floki Bot against U.S., Canadian and Brazilian banks, and insurance firms.

Floki Bot, which uses code from the once notorious Zeus banking Trojan, has evolved and unlike its predecessor, is targeting point-of-sale systems via aggressive spear phishing campaigns and the RIG exploit kit.

Cisco Talos and Flashpoint security researchers coordinated the release of reports on Floki Bot on Wednesday. Both firms warn the malware is quickly gaining popularity within Dark Web criminal forums.

“Floki Bot is currently being actively bought and sold on several darknet markets,” wrote Cisco Talos in its report released Wednesday. “It will likely continue to be seen in the wild as cybercriminals continue to attempt to leverage it to attack systems in an aim to monetize their efforts.”
#1790 Bluetooth 5 official: Faster data transfer, increased range for seamless IoT
The Bluetooth Special Interest Group on Wednesday announced the next generation of Bluetooth, called Bluetooth 5, is set for new devices in the coming months.

First shown this summer, Bluetooth 5 is said to have doubled data-transfer speeds, quadrupled network range, and eight times the broadcast message capacity of Bluetooth 4. Bluetooth 5 also includes updates to reduce interference with other Bluetooth devices.

The new standard comes as smart home devices, fitness trackers, and more rely heavily on the wireless standard during the Internet of Things (IoT) era. Now, on Wednesday, technology firms can begin work to release products with Bluetooth 5.
#1789 PowerShell threats surge: 95.4 percent of analyzed scripts were malicious
Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network, and carry out reconnaissance. Symantec analyzed PowerShell malware samples to find out how much of a danger they posed.

Of all of the PowerShell scripts analyzed through the BlueCoat Malware Analysis sandbox, 95.4 percent were malicious. This shows that externally sourced PowerShell scripts are a major threat to enterprises.
#1788 Goldeneye ransomware: the resumé that scrambles your computer twice
Hindsight is a wonderful thing.

With hindsight, few of us would ever fall victim to ransomware: most ransomware attacks rely on talking us past at least one security speed bump…

…and those speed bumps sometimes seem very obvious after the event.

Nevertheless, even the most careful and self-confident of us – and all of us who haven’t been hit by ransomware – need to admit that there are times when we’ve behaved online in a way that ended well, but more by accident than by design.

In other words, we’ve all opened emails and attachments that turned out to be unwanted but didn’t lead to malware, only to wonder afterwards quite what it was about the email or the document that made us trust it.
#1787 Here are some best practices for preventing DDoS attacks
Distributed denial-of-service (DDoS) made lots of headlines in late October when a massive DDoS attack on Domain Name System (DNS) service provider Dyn temporarily disrupted some of the most popular sites on the internet.

As with any other major cyber security breach, the attack likely has many boards of directors and CEOs wondering whether their organization might be next, and what can be done to defend against such incidents.

DDoS attacks are clearly on the rise. A report by content delivery network provider Akamai earlier this year said such incidents are increasing in number, severity and duration. It noted a 125 percent increase in DDoS attacks year over year and a 35 percent jump in the average attack duration.
#1786 Ransomware gives free decryption keys to victims who infect others
Researchers say they have uncovered ransomware still under development that comes with a novel and nasty twist.

Infected victims of the ransomware known as Popcorn Time have the option to either pay up, or they can opt to infect two others using a referral link. If the two new ransomware targets pay the ransom, the original target receives a free key to unlock files on their PC.

“I have never seen anything like this in ransomware. This is definitely a first,” said Lawrence Abrams who runs BleepingComputer.com and who was first to report on the Popcorn Time ransomware.
#1785 Buffer overflow in BSD libc library patched
The BSD libc library was updated recently to address a buffer overflow vulnerability that could have allowed an attacker to execute arbitrary code.

The library is part of the POSIX library, which is used in BSD operating systems such as FreeBSD, NetBSD and OpenBSD. The libc library is also used in Apple’s OS X operating system.

According to Garret Wassermann, a vulnerability analyst at Carnegie Mellon’s Software Engineering Institute CERT/CC who disclosed the vulnerability yesterday, only a handful of implementations that use the library have publicly applied the fix.

The issue stems from a problem with the obuf variable in the link_ntoa() function in linkaddr.c. Because of improper bounds checking, an attacker could have been able to read from or write to memory.
#1784 Phishing made easy: Time to rethink your prevention strategy? (PDF)
By examining a phishing campaign, researchers at the Imperva Defense Center have uncovered new ways cybercriminals are leveraging compromised servers to lower the cost of phishing. Phishing is the starting point for most network and data breaches. The campaigns run mostly from compromised web servers and distribute all kinds of malware including ransomware. In this report, we present the different tools used to compromise web servers, phishing platforms offered as a service, financial motivations and the business models of phishing campaigns. We also highlight the importance of intelligence sharing which helped attribute with high confidence the phishing campaign to a group of known cybercriminals.

Phishing campaigns are often orchestrated from compromised web servers while hosting providers and businesses remain totally unaware of the malicious activity. Compromised web servers used in Phishing as a Service (PhaaS) platforms significantly lower the costs of a phishing campaign and help the cybercriminals hide their tracks. The 2016 Verizon Data Breach Investigations Report (VZ DBIR) documents a significant increase in phishing success over 2015 primarily due to human factors. Endpoint protection mechanisms have failed to contain the spread of malware. If more web servers are hardened, there is a good chance the phishing threat can be mitigated.

The best way to protect web servers from being compromised is to deploy web application firewalls (WAFs) that can detect and block advanced injection techniques. The phishing-based malware distribution mechanism relying on compromised servers can be contained only by increasing the security on web servers. If WAFs were deployed as ubiquitously as network firewalls, the cybercriminal industry would be seriously crippled.
#1783 Phishing-as-a-service is making it easier than ever for hackers to steal your data
Phishing is already the easiest way for hackers to steal data and it's getting even easier thanks to the rise of organised criminal groups on the dark web offering phishing-as-a-service schemes to budding cybercriminals and ever-lowering the cost of entry.

According to cybersecurity researchers, this approach to phishing is about a quarter of the cost and twice as profitable as traditional unmanaged -- and labour intensive -- phishing campaigns and follows in the footsteps of other cybercrime-as-a-service campaigns.

The 'Phishing made easy' report from Imperva's Hacker Intelligence Initiative details how a Phishing-as-a-Service (PhaaS) store on the Russian black market offers a "complete solution for the beginner scammer" including databases of emails, templates of phishing scams, and a backend database to store stolen credentials.
#1782 Millions exposed to malvertising that hid attack code in banner pixels
Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners.

Researchers from antivirus provider Eset said "Stegano," as they've dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn't running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.
#1781 Hackers gamify DDoS attacks with collaborative platform
A Turkish hacking crew is luring participants to join its DDoS platform to compete with peers to earn redeemable points that are exchangeable for hacking tools and click-fraud software. The goal, security researchers say, is to “gamify” DDoS attacks in order to attract a critical mass of hackers working toward a unified goal.

The hacking platform is called Surface Defense and is being promoted in Turkish-language Dark Web forums including Turkhackteam and Root Developer, according to Forcepoint Security Labs, the security firm that first uncovered and reported the DDoS platform.

Promoters of Surface Defense are actively recruiting Turkish hackers that may be sympathetic to Turkish nationalist beliefs, Forcepoint believes. Targets of the DDoS attacks range from the Kurdistan Workers Party, German Christian Democratic Party and the Armenian National Institute website in Washington D.C., said Carl Leonard, principal security analyst at Forcepoint. “It’s unclear if those behind the Surface Defense platform are indeed politically motivated or they are simply using politics as a marketing tool to lure hackers into their network.”
#1780 Critical vulnerability patched in Roundcube webmail
Open source webmail provider Roundcube has released an update that addresses a critical vulnerability in all default configurations that could allow an attacker to run arbitrary code on the host operating system.

The flaw is serious because it’s relatively simple to exploit and can allow an attacker to access email accounts or move deeper onto the network.

Researchers at RIPS Technologies, a German company specializing in PHP application security analysis, privately disclosed the bug Nov. 21. Roundcube had the vulnerability fixed on Github a day later, and made an updated version publicly available Nov. 28. Versions 1.0 to 1.2.2 are vulnerable, and users are advised to update to 1.2.3.
#1779 Backdoor accounts found in 80 Sony IP security camera models
Many network security cameras made by Sony could be taken over by hackers and infected with botnet malware if their firmware is not updated to the latest version.

Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price.

One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.

The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven’t actually cracked it, they believe it’s only a matter of time until someone does.
#1778 Dirty COW vulnerability patched in Android security bulletin
The Dirty Cow vulnerability lived in Linux for close to a decade, and while it was patched in October in the kernel and in Linux distributions, Android users had to wait for more than a month for their fix.

Today, Google included a patch for CVE-2016-5195 in the monthly Android Security Bulletin, the final one for 2016. The Dirty Cow patch is one of 11 critical vulnerabilities, all of which are in the Dec. 5 patch level; a separate Dec. 1 patch level was also released today that included patches for 10 high-severity vulnerabilities.

In last month’s bulletin, Google partially addressed Dirty Cow with a supplemental firmware update for Nexus and Pixel handsets, while Samsung was the lone handset maker to release a patch in November.
#1777 Google preparing "Invisible ReCAPTCHA" system for no user interaction
Google engineers are working on an improved version of the reCAPTCHA system that uses a computer algorithm to distinguish between automated bots and real humans, and requires no user interaction at all.

Called "Invisible reCAPTCHA," and spotted by Windows IT Pro, the service is still under development, but the service is open for sign-ups, and any webmaster can help Google test its upcoming technology.

Invisible reCAPTCHA comes two years after Google has revolutionized CAPTCHA technologies by releasing the No CAPTCHA reCAPTCHA service that requires users to click on one checkbox instead of solving complex visual puzzles made up of words and numbers.
#1776 Thieves can guess your secret Visa card details in just seconds
Thieves can guess your secret Visa payment card data in as little as six seconds, according to researchers at Newcastle University in the UK. Bad actors can use browser bots to distribute guesses across hundreds of legitimate online merchants.

The attack starts out with a card's 16-digit number, which can be obtained in a variety of ways. Attackers can buy numbers on black-market websites, often for less than $1 apiece, or use a smartphone equipped with a near-field communication reader to skim them. The numbers can also be inferred by combining your first six digits—which are based on the card brand, issuing bank, and card type—with a verification formula known as the Luhn Algorithm. Once an attacker has a valid 16-digit number, four seconds is all they need to learn the expiration date and the three-digit card-verification value that most sites use to verify the validity of a credit card. Even when sites go a step further by adding the card holder's billing address to the process, the technique can correctly guess the information in about six seconds.
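The Luhn check mentioned above, as an added example that is not part of the original article: the validation a payment form applies to a typed-in number. The check is an integrity check for transcription errors, not a secret; passing it says nothing about whether a number was ever issued, which is why it must never be treated as a security control on its own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if s (decimal digits, optionally separated by spaces) passes
 * the Luhn checksum, 0 if it fails or contains any other character.
 *
 * Algorithm: starting from the rightmost digit, double every second digit,
 * subtract 9 from any doubled value above 9, add everything up, and require
 * the total to be a multiple of 10. */
int luhn_valid(const char *s)
{
    int sum = 0, ndigits = 0, dbl = 0;
    size_t i = strlen(s);

    while (i-- > 0) {                    /* walk right to left */
        unsigned char c = (unsigned char)s[i];
        int d;

        if (c == ' ')
            continue;                    /* tolerate "4111 1111 ..." grouping */
        if (!isdigit(c))
            return 0;                    /* anything else is not a number */

        d = c - '0';
        if (dbl) {
            d *= 2;
            if (d > 9)
                d -= 9;                  /* same as summing the two digits */
        }
        sum += d;
        dbl = !dbl;
        ndigits++;
    }
    /* A single digit is trivially "valid" (0 passes); require at least two. */
    return ndigits >= 2 && sum % 10 == 0;
}

int main(void)
{
    /* Constructed inputs: a widely published test number, the same number
     * with its last digit altered, and a string with a disallowed separator. */
    const char *samples[] = {
        "4111 1111 1111 1111",
        "4111 1111 1111 1112",
        "4111-1111-1111-1111",
    };
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-22s -> %s\n", samples[k],
               luhn_valid(samples[k]) ? "passes Luhn" : "fails Luhn");
    return 0;
}
```

Because the checksum is public and cheap, a form that accepts a number solely because it passes Luhn has not verified anything about the card; the real checks (expiry, CVV, address, and above all rate limiting of failed attempts across an account and an IP range) happen at the issuer and the merchant, which is the layer the Newcastle research is about.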
#1775 New large-scale DDoS attacks follow schedule
A powerful new botnet is being blamed for massive and sustained DDoS attacks that security researchers at CloudFlare compare to Mirai when it comes to intensity and scope.

The attacks began Nov. 23 and ran for eight hours daily, similar to an average workday. The consistent attacks occurred for seven straight days, starting each day at 10 a.m. PST. On the eighth day, the attackers turned up the heat, with DDoS assaults lasting 24 hours. Peak volumes reached 400 Gbps, close to that of Mirai, where attacks peaked at 620 Gbps.
#1774 One bit to rule a system: analyzing CVE-2016-7255 exploit in the wild
Recently, Google researchers discovered a local privilege escalation vulnerability in Windows which was being used in zero-day attacks, including those carried out by the Pawn Storm espionage group. Microsoft was able to release a patch by the next Patch Tuesday, November 8. This entry provides a complete analysis of the vulnerability based on samples acquired in the wild.

This is an easily exploitable vulnerability which can be found in all supported versions of Windows, from Windows 7 to Windows 10. The exploit code we’ve seen in the wild only affects 64-bit versions of Windows, although both 32- and 64-bit versions have the underlying flaw. Let us examine this vulnerability in some detail to understand the techniques used by the attacker. By changing one bit, the attacker can elevate the privileges of a thread, giving administrator access to a process that would not have it under normal circumstances.
#1773 Exploit company exodus sold Firefox zero-day earlier this year
This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday.

One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.

The case highlights the often antithetical relationship between companies that research and develop exploits, and those who maintain the affected software. But it also shows an instance of a company selling related exploit information to both defensive and offensive customers.

Back in December 2015, cybersecurity firm Fortinet announced it had added an intrusion detection system (IDS) signature for a Firefox zero-day; that is, a security issue unknown to Mozilla which develops Firefox. IDS signatures are used to detect particular exploits or types of attack.
#1772 Bypassing CSP using polyglot JPEG
James challenged me to see if it was possible to create a polyglot JavaScript/JPEG. Doing so would allow me to bypass CSP on almost any website that hosts user-uploaded images on the same domain. I gleefully took up the challenge and began dissecting the format. The first four bytes are a valid non-ASCII JavaScript variable: 0xFF 0xD8 0xFF 0xE0. Then the next two bytes specify the length of the JPEG header. If we make that length of the header 0x2F2A using the bytes 0x2F 0x2A, as you might guess, we have a non-ASCII variable followed by a multi-line JavaScript comment. We then have to pad out the JPEG header to the length of 0x2F2A with nulls.
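As an added example from the defender's side (not code from the original post), an upload check that refuses JPEGs whose first segment is not a standard JFIF APP0 header. The trick described above depends on the two length bytes after the APP0 marker being chosen freely; the JFIF layout fixes that length at 16 bytes plus 3 bytes per thumbnail pixel, so a strict parser rejects any file whose declared length disagrees with the bytes that follow. The function name and the sample headers are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf[0..len) starts with a JPEG SOI marker followed by a
 * well-formed JFIF APP0 segment, 0 otherwise (too short, wrong markers,
 * wrong identifier, or a segment length that does not match the JFIF
 * layout). Files whose first segment is APP1/Exif are rejected as well;
 * an upload pipeline that must accept those should re-encode the image
 * rather than serve the original bytes. */
int jfif_app0_is_standard(const unsigned char *buf, size_t len)
{
    size_t seglen, expected;

    if (len < 20)                               /* SOI(2) + marker(2) + 16-byte APP0 */
        return 0;
    if (buf[0] != 0xFF || buf[1] != 0xD8)       /* SOI */
        return 0;
    if (buf[2] != 0xFF || buf[3] != 0xE0)       /* APP0 marker */
        return 0;

    /* Segment length is big-endian and includes its own two bytes. */
    seglen = ((size_t)buf[4] << 8) | buf[5];
    if (seglen > len - 4)                       /* declared segment runs past the data */
        return 0;
    if (memcmp(buf + 6, "JFIF\0", 5) != 0)      /* JFIF identifier */
        return 0;

    /* Fixed part: identifier(5) version(2) units(1) Xdensity(2) Ydensity(2)
     * Xthumbnail(1) Ythumbnail(1) = 14 bytes, plus the 2 length bytes = 16,
     * plus 3 bytes (RGB) per thumbnail pixel. */
    expected = 16 + 3 * (size_t)buf[18] * (size_t)buf[19];
    return seglen == expected;
}

int main(void)
{
    /* Constructed: the first 20 bytes of a minimal thumbnail-less JFIF. */
    const unsigned char plain[20] = {
        0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
        0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00
    };
    /* Constructed: same header with the length bytes set to 0x2F 0x2A
     * as in the technique above; the declared length no longer matches. */
    unsigned char odd[20];
    memcpy(odd, plain, sizeof plain);
    odd[4] = 0x2F;
    odd[5] = 0x2A;

    printf("plain header: %s\n", jfif_app0_is_standard(plain, sizeof plain) ? "accept" : "reject");
    printf("0x2F2A header: %s\n", jfif_app0_is_standard(odd, sizeof odd) ? "accept" : "reject");
    return 0;
}
```

Header validation is one layer; the structural fixes for the CSP problem the post describes are to serve user-uploaded files from a separate origin that is not in `script-src`, and to send `X-Content-Type-Options: nosniff` so that a browser refuses to execute a resource delivered as `image/jpeg` as script regardless of its bytes.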
#1771 A beginner’s guide to beefing up your privacy and security online
With Thanksgiving behind us, the holiday season in the US is officially underway. If you're reading Ars, that can only mean one thing: you'll be answering technical questions that your relatives have been saving since the last time you visited home.

This year in addition to doing the regular hardware upgrades, virus scans, and printer troubleshooting, consider trying to advise the people in your life about better safeguarding their security and privacy. Keeping your data safe from attackers is one of the most important things you can do, and keeping your communications and browsing habits private can keep that data from being used to track your activities.

This is not a comprehensive guide to security, nor should it be considered good enough for professional activists or people who suspect they may be under targeted surveillance. This is for people who use their phones and computers for work and in their personal lives every single day and who want to reduce the chances that those devices and the accounts used by those devices will be compromised. And while security often comes at some cost to usability, we've also done our best not to impact the fundamental utility and convenience of your devices.
#1770 New SmsSecurity variant roots phones, abuses accessibility features and TeamViewer
In January of 2016, we found various “SmsSecurity” mobile apps that claimed to be from various banks. These apps supposedly generated one-time passwords (OTPs) that account holders could use to log into the bank; instead they turned out to be malicious apps that stole any password sent via SMS messages. These apps were also capable of receiving commands from a remote attacker, allowing them to take control of a user’s device.

Since then, we’ve found some new variants of this attack that add new malicious capabilities. These capabilities include: anti-analysis measures, automatic rooting, language detection, and remote access via TeamViewer. In addition, SmsSecurity now cleverly uses the accessibility features of Android to help carry out its routines in a stealthy manner, without interaction from the user. We detect these malicious apps as ANDROIDOS_FAKEBANK.OPSA.
#1769 Google fixes 12 high-severity flaws In Chrome browser
Google is urging Windows, Mac and Linux users to update their Chrome browsers to fix multiple vulnerabilities that could allow malicious third parties to take control of targeted systems.

Released Thursday, Chrome version 55.0.2883.75 for Windows, Mac, and Linux fixes those security issues. It also introduces a number of new features to the browser to enhance the way it handles panning gestures and to support CSS automatic hyphenation.

The United States Computer Emergency Readiness Team (US-CERT) issued an alert around the Chrome update on Thursday in conjunction with Google, detailing a list of 26 bug bounty payments totaling $70,000 paid to external researchers. According to Google, another 10 security fixes were tackled by Google itself.
#1768 Buffer overflow exploit can bypass Activation Lock on iPads running iOS 10.1.1
Apple's Activation Lock feature, introduced in iOS 7 in 2013, deters thieves by associating your iPhone and iPad with your Apple ID. Even if a thief steals your device, puts it into Recovery Mode, and completely resets it, the phone or tablet won't work without the original user's Apple ID and password. This makes stolen iDevices less valuable since they become more difficult to resell, and it has significantly reduced iPhone theft in major cities.

The feature has been difficult to crack, but a new exploit disclosed by Vulnerability Lab security analyst Benjamin Kunz Mejri uses a buffer overflow exploit and some iPad-specific bugs to bypass Activation Lock in iOS 10.1.1.
#1767 Amazon offers DDoS protection with Shield
This isn't far from the first such service. Akamai, CloudFlare, and Incapsula all offer DDoS mitigation services. AWS Shield, however, is only for AWS customers.

What Amazon brings to the DDoS battle-line is the sheer scale of Amazon Web Services (AWS). This family of services makes up the world's largest public cloud.

Werner Vogels, Amazon CTO, in announcing Shield at AWS re:Invent, claimed, "I think this will really help you protect yourselves even against the largest and most sophisticated attacks that we've seen out there."

I wish them luck with that. Even AWS might shake some with an assault of the magnitude that took down the Dyn Domain Name System (DNS) provider earlier this year. 1.2 Terabits per second (Tbps), which is estimated to be the attack's high point, would be enough to wreck anyone's day.
#1766 Fake Apple chargers fail safety tests
Investigators have warned consumers they face potentially fatal risks after 99% of fake Apple chargers failed a basic safety test.

Trading Standards, which commissioned the checks, said counterfeit electrical goods bought online were an "unknown entity".

Of 400 counterfeit chargers, only three were found to have enough insulation to protect against electric shocks.

It comes as Apple has complained of a "flood" of fakes being sold on Amazon.

Apple revealed in October that it was suing a third-party vendor, which it said was putting customers "at risk" by selling power adapters masquerading as those sold by the Californian tech firm.
#1765 Analysis of multiple vulnerabilities in AirDroid
AirDroid is a popular remote management tool for Android. It has an estimated user base of over 50 million devices according to the Google Play Store.

Our research highlights how insecure communication channels leave millions of users vulnerable to Man-in-the-Middle (MITM) attacks, information leakage and remote hijacking of the update APK, which leads to remote code execution by a malicious party. The attacker exploits the app’s built-in functionality and turns it against its users.
#1764 UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor
Among the many unpleasant things in the Investigatory Powers Act that was officially signed into law this week, one that has not gained as much attention is the apparent ability for the UK government to undermine encryption and demand surveillance backdoors.

As the bill was passing through Parliament, several organizations noted their alarm at section 217 which obliged ISPs, telcos and other communications providers to let the government know in advance of any new products and services being deployed and allow the government to demand "technical" changes to software and systems.

This was the proposed wording in the Code of Practice accompanying the legislation:

CSPs subject to a technical capacity notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the CSP to provide a technical capability on the new service.
#1763 Working in tech? Five tips on avoiding burnout
Modern IT leadership is all about managing change. From overseeing operational IT concerns to driving transformation programmes, CIOs have to deal with ever-increasing pressure from all directions.

So how can IT leaders manage the stresses and strains of the role?

ZDNet speaks to five CIOs and gets their best practice tips for avoiding burnout.
#1762 More than a million Android devices rooted by Gooligan malware
A new version of an existing piece of malware has emerged in some third-party Android app stores and researchers say it has infected more than a million devices around the world, giving the attackers full access to victims’ Google accounts in the process.

The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud. The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that’s not the main concern for victims.
#1761 Shamoon: Back from the dead and destructive as ever
Shamoon (W32.Disttrack), the aggressive disk-wiping malware which was used in attacks against the Saudi energy sector in 2012, has made a surprise comeback and was used in a fresh wave of attacks against targets in Saudi Arabia.

The malware used in the recent attacks (W32.Disttrack.B) is largely unchanged from the variant used four years ago. In the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning US flag. The latest attacks instead used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean last year.
#1760 Hackers reuse passwords to access 26,500 UK National Lottery accounts
Earlier this week UK National Lottery operator Camelot released a statement saying it believed hackers had accessed the accounts of around 26,500 of its 9.5 million online players:

"As part of our online security monitoring, we became aware of suspicious activity on a very small proportion of our players’ online National Lottery Accounts"

Thankfully, fewer than 50 of those accounts have been touched since the hackers accessed them. And any activity was limited to personal details being changed, potentially by the players themselves. Camelot clarified:

"We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited."
#1759 Report: Most cybercriminals earn $1,000 to $3,000 a month
Most cybercriminals make between $1,000 and $3,000 a month, but 20 percent earn $20,000 a month or more, according to a recent report.

The data is based on a survey conducted by a closed underground community, said report author Andrei Barysevich, director of advanced collection at cybersecurity firm Recorded Future.

"We actually saw criminals who made way more than that, $50,000 to $200,000 a month," he said. "This is what they keep, this is not revenues, but pure profit. This is what they can spend on loose women, fast cars and nice clothes."
#1758 HDDCryptor: subtle updates, still a credible threat
Since first writing about the discovery of HDDCryptor back in September, we have been tracking this ransomware closely as it has evolved. Last week, a new version was spotted in the wild, and based on our analysis, we believe that this variant is the one used in a recent attack against San Francisco Municipal Transport Agency (SFMTA).

In this attack, as we’ve seen with other versions of HDDCryptor, the ransomware dropped some tools to perform full disk encryption, as well as the encryption of mounted SMB drives. We believe the threat actors behind the attack don’t use exploit kits and automated installers to instantly compromise and infect victims. Instead, they first attempt to gain access to the machine, most likely through a more targeted attack or exploit, before manually triggering and executing the malware. While we don’t have specific information on how this was accomplished across SFMTA’s 2,000 machines, it is highly likely that it was through scheduling a job to run on all of the devices using some form of admin credentials.
#1757 Mozilla and Tor release urgent update for Firefox 0-day under active attack
Developers with both Mozilla and Tor have published browser updates that patch a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

"The security flaw responsible for this urgent release is already actively exploited on Windows systems," a Tor official wrote in an advisory published Wednesday afternoon. "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."