Security Alerts & News
by Tymoteusz A. Góral

#683 Cybersecurity report imagines threat scenarios
The Center for Long-Term Cybersecurity at UC Berkeley’s School of Information lays out five cybersecurity threat scenarios in a new report, Cybersecurity Futures 2020. The report is available online.

Berkeley professor Steve Weber, faculty director of the center, said the narratives explore how emerging and as-yet-unknown forces could shape technology and security in the years ahead. He stressed that they are not predictions.

“Cybersecurity is one of the fastest moving targets in today’s research and policy domains,” Weber said. “We need to try to look ahead systematically, if we are going to have a chance of really protecting the core values we care about where human beings and digital technologies intersect.”
#682 A dramatic rise in ATM skimming attacks
Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers. The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.
Two network cable card skimming devices, as found attached to this ATM.

In a series of recent alerts, the FICO Card Alert Service warned of large and sudden spikes in ATM skimming attacks. On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

“The number of ATM compromises in 2015 was the highest ever recorded by the FICO Card Alert Service, which monitors hundreds of thousands of ATMs in the US,” the company said. “Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014.”
#681 Phony Google update spreads data-stealing Android malware
Android users are being warned of a phony Google update that is pushing malware onto devices.

The attackers behind this scheme are squatting on domains whose URLs resemble those Google uses for legitimate updates, hoping to snare less-than-vigilant users.

Researchers at Zscaler said yesterday in a report that the attackers invested heavily in this tactic to sidestep URL monitoring and security software in place on the device.

“These URLs are observed to be very short lived,” Zscaler said. “And are regularly replaced with newer ones to serve the malware and effectively evade URL based filtering.”
#680 U.S. labels Switzerland an internet piracy haven
The Office of the United States Trade Representative has published its annual Special 301 Report calling out other nations for failing to live up to U.S. IP enforcement standards. This year European ally Switzerland has been placed on the Watch List for protecting file-sharers and playing host to many pirate sites.

Every year the Office of the United States Trade Representative (USTR) publishes its Special 301 Report highlighting countries that aren’t doing enough to protect U.S. intellectual property rights.
#679 Google patches 9 security flaws in new Chrome browser build
Google updated its browser Thursday, patching nine security bugs, four of which it rated “high” and two “medium” risk to computer users. The update is tied to a new Chrome browser build (50.0.2661.94) that fixes the flaws.

Google also paid $14,000 in bug bounties for flaws addressed in this security update, according to a Google Chrome Team security bulletin.
#678 GCHQ has disclosed over 20 vulnerabilities this year, including ones in Apple iOS
Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signals intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS.

“So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products,” a GCHQ spokesperson told Motherboard in an email. CESG, or the National Technical Authority for Information Assurance, is the information security wing of GCHQ.

Those issues include a kernel vulnerability in OS X El Capitan 10.11.4, the latest version, that would allow arbitrary code execution, and two in iOS 9.3: one that would have allowed much the same thing, and one that could have let an application mount a denial-of-service attack.
#677 The critical hole at the heart of our cell phone networks
In February 2014, the US ambassador to Ukraine suffered an embarrassing leak. A secret conversation between him and US Assistant Secretary of State Victoria Nuland got posted to YouTube, in which Nuland spoke disparagingly about the European Union.

The conversation took place over unencrypted phones, and US officials told reporters they suspected the call was intercepted in Ukraine, but didn’t say how. Some people believe it was done using vulnerabilities in SS7 (Signaling System No. 7), the telephony signaling protocol suite that forms part of the backbone infrastructure telecoms around the world use to communicate between themselves about how to route calls and text messages.

A little-noticed report released by the Ukrainian government a few months after the leak gives credence to this theory. Although the report didn’t mention the ambassador, it revealed that for three days in April that year, location data for about a dozen unidentified mobile phone customers in Ukraine got mysteriously sent to a Russian telecom using SS7 vulnerabilities. Text messages and phone calls of some of those customers also got diverted to Russia, where someone could have eavesdropped on the conversations and recorded them.
#676 AV comparatives: Anti-Spam Test (PDF)
In 2015, we tested the products (with default settings) internally over a 6-month period, using spam mails provided by Abusix. Vendors received examples of issues, to check that our testing methods work, and to provide feedback. Several products had very low scores in the internal test run, and several bugs in the spam-filters and products were discovered and had to be fixed by the vendors. In some cases, poorly-performing third-party spam-filters were fixed or even replaced. In March 2016, we ran this public test.

With any detection test (including spam detection), it is important to test for false alarms. In this case, it should be considered that some programs automatically increase their sensitivity when spam mails make up a large percentage of total mails received. We conducted a short-term false alarm test for this report, by running each product for one week on a customer machine and inspecting afterwards whether there were legitimate mails wrongly classified as spam (there were none for any of the products tested). A large-scale test with genuine emails would be impossible without breaching privacy; although this was not as statistically significant as we would like, we feel this was sufficient to demonstrate that none of the tested programs was prone to false positives (FPs).
#675 Locky ransomware spreads via Flash and Windows kernel exploits
In early April of this year a zero-day exploit for a flaw in Adobe Flash Player (designated CVE-2016-1019) was found. This particular flaw was soon used by the Magnitude Exploit Kit, which led to an Adobe out-of-cycle patch. The flaw was being used in drive-by download attacks with Locky ransomware as the payload.

However, this did not end the threat for users. We recently saw a new variant of this attack that added an unusual twist. On top of the Flash exploit, an older privilege-escalation exploit for Windows (CVE-2015-1701) was used to bypass sandbox technologies.
#674 Almost two-thirds of software companies contributing to open source
Open source’s march toward preeminence in business software continued over the past year, according to a survey released today by open source management provider Black Duck Software and venture capital firm North Bridge.

Roughly two-thirds of respondents to the survey – which was administered online and drew 1,300 respondents – said that their companies encouraged developers to contribute to open-source projects, and a similar proportion said that they were actively engaged in doing so already. That’s a 5% increase from the previous year’s survey.
#673 Hacking Slack accounts: As easy as searching GitHub
A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

According to a blog post published Thursday, the researchers recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.
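A check that catches this class of mistake before it leaves the developer's machine, added here as an example and not code from the article or from Slack: it scans file contents for strings shaped like Slack tokens and incoming-webhook URLs and reports them masked. The `xox[abpr]-` prefix is Slack's documented token prefix and `hooks.slack.com/services/` is its webhook path; the minimum segment lengths and the sample file contents are constructed assumptions for this example.

```python
import re
from typing import Dict, List, NamedTuple

# Token shapes. The xox[abpr]- prefix is Slack's documented token prefix and
# hooks.slack.com/services/ is its incoming-webhook path; the minimum segment
# lengths are an assumption chosen to keep false positives down.
SLACK_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z]{8,}(?:-[0-9A-Za-z]{8,})*\b"),
    "slack_webhook": re.compile(r"https://hooks\.slack\.com/services/T[0-9A-Z]+/B[0-9A-Z]+/[0-9A-Za-z]+"),
}

class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    masked: str

def mask(secret: str) -> str:
    """Enough to recognise the hit in a report without reproducing the secret."""
    return secret[:8] + "..." + secret[-4:] if len(secret) > 12 else "***"

def scan_text(path: str, text: str) -> List[Finding]:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SLACK_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, mask(m.group(0))))
    return findings

def scan_files(files: Dict[str, str]) -> List[Finding]:
    """files maps path -> content; a pre-commit hook would build this from `git diff --cached`."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample: an env file committed by mistake next to a clean README.
# The token and webhook values are made up and follow only the shape of real ones.
SAMPLE_FILES = {
    "config/dev.env": (
        "DB_HOST=localhost\n"
        "SLACK_TOKEN=xoxp-111111111111-222222222222-333333333333-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n"
        "ALERT_HOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX\n"
    ),
    "README.md": "Set SLACK_TOKEN in your environment; never commit it.\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line}: {f.kind} {f.masked}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

Wired into a pre-commit hook, the non-zero exit stops the commit; the masked form is what belongs in logs and alerts, never the full token, since the report itself otherwise becomes the next leak.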
#672 Toymaker’s website pushes ransomware that holds visitors’ files hostage
The website belonging to Maisto International, a popular maker of remote-controlled toy vehicles, has been caught pushing ransomware that holds visitors' files hostage until they pay a hefty fee.

Malicious files provided by the Angler exploit kit were hosted directly on the homepage of Maisto[.]com, according to antivirus provider Malwarebytes. The attack code exploits vulnerabilities in older versions of applications such as Adobe Flash, Oracle Java, Silverlight, and Internet Explorer. People who visit Maisto[.]com with machines that haven't received the latest updates are surreptitiously infected with the CryptXXX ransomware. Fortunately for victims in this case, researchers from Kaspersky Lab recently uncovered a weakness in the ransomware's crypto implementation that allows users to recover their files without paying the extortion demand. People infected with ransomware in other drive-by attacks haven't been so lucky.
#671 Google's OnHub is the first WiFi router to support IFTTT
Google's "smart" OnHub wireless router now supports IFTTT, the web service that automates actions between apps. IFTTT can be triggered when devices connect and disconnect from OnHub — and, in the spirit of IFTTT, what you do based on that information is up to you. OnHub's smart features let users manage and prioritize Wi-Fi to connected devices through an app, and they can now connect to the 300-plus programs and apps supported by IFTTT. OnHub makes a few suggestions in a blog post, which gives a good idea of the sorts of things this new feature will allow.
#670 Kaspersky DDoS Intelligence Report for Q1 2016
* In Q1, resources in 74 countries were targeted by DDoS attacks (vs. 69 in Q4 of 2015).
* 93.6% of the targeted resources were located in 10 countries.
* China, the US and South Korea remained the leaders in terms of number of DDoS attacks and number of targets. France and Germany were newcomers to the Top 10.
* The longest DDoS attack in Q1 2016 lasted for 197 hours (or 8.2 days) which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
* SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios, while the number of UDP attacks continues to fall from quarter to quarter.
* Overall, command servers remained located in the same countries as the previous quarter, but Europe’s contribution increased – the number of C&C servers in the UK and France grew noticeably.
#669 American Samoa domain registry was exposing client data since the mid-1990s
A British security researcher who goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal details of any .as domain owner.

The researcher also claims that anyone knowing of this bug would have been able to edit and delete any .as domain, just by altering the ASNIC domain info URL.

"By simply Base64 encoding an .as domain name and appending it to an URL on the website, it was possible to view the entire domain record for the domain (including unencrypted passwords for domain owners, technical contacts, and billing contacts)," the researcher wrote on his blog two days ago.
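The flaw described is an insecure direct object reference: a guessable identifier selects the record (base64 is encoding, not access control) and nothing checks who is asking. The following is an added illustration, not ASNIC's code; the domain table, user names and passwords are constructed. It puts the vulnerable lookup beside a hardened one that requires an authenticated owner or technical contact and never returns credentials; the same check would gate the edit and delete operations the researcher mentions.

```python
import base64
import binascii
from typing import Optional

# Constructed stand-in for the registry's domain table. Plaintext passwords are
# kept here only so the leak is visible; a real record should hold a salted hash.
DOMAINS = {
    "example.as": {"owner": "alice", "owner_password": "hunter2", "tech_contact": "bob"},
    "other.as":   {"owner": "carol", "owner_password": "s3cret",  "tech_contact": "carol"},
}

def encode_domain(name: str) -> str:
    """What the client puts in the URL: base64 of the domain name (encoding, not authorization)."""
    return base64.b64encode(name.encode("ascii")).decode("ascii")

def decode_domain(param: str) -> Optional[str]:
    """Decode the URL parameter; None for anything that is not clean base64 ASCII."""
    try:
        return base64.b64decode(param, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def lookup_vulnerable(param: str) -> Optional[dict]:
    """The pattern in the disclosure: the parameter alone selects the record and the
    whole record, passwords included, goes back to whoever asked."""
    name = decode_domain(param)
    return DOMAINS.get(name) if name else None

def lookup_hardened(param: str, session_user: Optional[str]) -> Optional[dict]:
    """Same lookup with an ownership check and a response that omits credentials.
    Unauthorized and not-found look the same to the caller."""
    name = decode_domain(param)
    if name is None or session_user is None:
        return None
    rec = DOMAINS.get(name)
    if rec is None or session_user not in (rec["owner"], rec["tech_contact"]):
        return None
    return {"domain": name, "owner": rec["owner"], "tech_contact": rec["tech_contact"]}

if __name__ == "__main__":
    p = encode_domain("example.as")
    print("anonymous, vulnerable:", lookup_vulnerable(p))
    print("anonymous, hardened:  ", lookup_hardened(p, None))
    print("owner, hardened:      ", lookup_hardened(p, "alice"))
```

The authorization decision keys on the server-side session, never on anything the client supplied in the URL; the identifier only says which record, the session says whether the caller may see it.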
#668 Malware and non-malware ways for ATM jackpotting
Cash machines have been part of our lives since 1967 when a London branch of Barclays Bank unveiled the first ATM. Millions of people around the world now use ATMs every day to withdraw cash, pay in to their account or make a variety of payments. When using ATMs people give little or no thought to the hardware, software or security of the machines. Unfortunately, ATM manufacturers and their primary customers – banks – don’t pay much attention to the security of cash machines either. This is confirmed by the increasing number of thefts from ATMs using non-destructive methods, i.e. without the use of metal cutting tools or explosives.
#667 Users are patching Windows, but QuickTime and Java vulnerabilities remain, says Secunia
In the January-March quarter, 93.9 percent of UK users had patched their Windows operating system, and 96.2 percent had patched other Microsoft software, such as Microsoft Office. However, 11.9 percent still had unpatched third-party software. The figures for the USA were slightly worse: 93.5 percent had patched the OS, 96.1 percent had patched other Microsoft software, and 12.7 percent had unpatched third-party software.

The major problems are Apple's QuickTime and iTunes, Oracle Java JRE, and Adobe Reader.

In the UK, for example, unpatched Java installations climbed from 36 to 41 percent compared with the first quarter of last year, and unpatched QuickTime installations increased from 55 to 61 percent. Fortunately, for most users, both programs can be uninstalled without a significant penalty. (Adobe Creative Suite users may have a QuickTime problem.)
#666 Former Tor developer created malware for the FBI to hack Tor users
Matt Edman is a cybersecurity expert who worked as a part-time employee at Tor Project, the nonprofit that builds Tor software and maintains the network, almost a decade ago.

Since then, he's developed potent malware used by law enforcement to unmask Tor users. It's been wielded in multiple investigations by federal law-enforcement and U.S. intelligence agencies in several high-profile cases.

“It has come to our attention that Matt Edman, who worked with the Tor Project until 2009, subsequently was employed by a defense contractor working for the FBI to develop anti-Tor malware,” the Tor Project confirmed in a statement after being contacted by the Daily Dot.
#665 7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat
As security breaches go, they don't get more vexing than this: 7 million compromised accounts that protected passwords using woefully weak unsalted MD5 hashes, and the outfit responsible still hadn't disclosed the hack three months after it came to light. And as if that wasn't enough, the service recommended the use of short passwords. That's what Motherboard reported Tuesday about Lifeboat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app.

The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past.

Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to discover them simply by posting the corresponding MD5 hash into Google. As if many users' approach to password selection weren't lackadaisical enough, Lifeboat's own Getting started guide recommended "short, but difficult to guess passwords" because "This is not online banking."
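Why an unsalted MD5 dump is this easy to reverse, as an added example that is not from Motherboard, Hunt or Lifeboat: one precomputed table resolves every account that chose a common password (the search-engine trick is the same table, maintained by someone else), and users who share a password are visible as sharing a hash. The leaked rows and the wordlist are constructed; the remedy shown is a per-user random salt with PBKDF2 from Python's standard library.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed leak in the shape described above: e-mail plus unsalted MD5.
# Two users picked the same weak password; with no salt that is visible at a glance.
LEAKED_ROWS = {
    "a@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "b@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",   # same hash, same password
    "c@example.com": "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "d@example.com": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Stand-in for "paste the hash into a search engine": a tiny precomputed table.
WORDLIST = ["password", "123456", "qwerty", "letmein", "minecraft"]

def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()

def crack_unsalted(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One table, built once, resolves every account whose password is in it."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in rows.items() if h in table}

# The remedy: a per-user random salt and a deliberately slow KDF (PBKDF2 here;
# bcrypt, scrypt or Argon2 are the usual choices when those libraries are available).
ITERATIONS = 100_000

def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(pw: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def crack_salted(rows: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Against salted hashes there is no shared table: every candidate must be
    re-derived per user, at ITERATIONS cost each, which is the whole point."""
    return {user: w for user, stored in rows.items() for w in wordlist if verify_password(w, stored)}

if __name__ == "__main__":
    print("unsalted MD5 cracked:", crack_unsalted(LEAKED_ROWS, WORDLIST))
    same_pw = {u: hash_password("password") for u in ("a@example.com", "b@example.com")}
    print("salted hashes differ for the same password:", len(set(same_pw.values())) == 2)
```

Salting does not make "password" a good password; `crack_salted` still finds it. What changes is the economics: the attacker pays the full KDF cost per guess per user instead of one hash per guess for the whole dump, and nothing precomputed elsewhere applies.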
#664 Steam patches broken crypto in wake of replay and padding oracle attacks
The digital gaming platform Steam was quick to patch a cryptographic issue in its client recently that could have allowed an attacker to read sensitive information sent over its network, take over an account, or view plain-text passwords.

Valve, the Bellevue, Wash.-based video game developer that oversees the platform, rolled out new code on its servers late last year to address a handful of issues in its crypto brought to light by a researcher. The private disclosure included flaws he used to leverage a man-in-the-middle attack, a replay attack, and a padding oracle attack. The researcher strung together those flaws to determine that with enough tries he could glean user information from the service.
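The padding oracle attack named above, worked through as an added example: this is not Valve's code, nothing about Steam's actual protocol is assumed, and the block cipher is a small HMAC-based Feistel construction used only so the block runs with the standard library (the attack itself does not care which cipher sits under CBC). It shows a CBC service whose padding errors are observable, block-by-block recovery of plaintext using nothing but that yes/no answer, and the encrypt-then-MAC fix that makes the oracle go silent.

```python
import hashlib
import hmac
import os

BLOCK = 16

# Stand-in block cipher: a 4-round Feistel network with HMAC-SHA256 as the round
# function. A genuine keyed permutation on 16-byte blocks, not AES, demo only.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r
def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev, padded = b"", iv, pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(out)

class Server:
    """Vulnerable service: its answer reveals whether the padding decrypted cleanly."""
    def __init__(self):
        self.key = os.urandom(32)
    def encrypt(self, msg: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, msg)
    def padding_ok(self, blob: bytes) -> bool:
        try:
            cbc_decrypt(self.key, blob[:BLOCK], blob[BLOCK:])
            return True
        except ValueError:
            return False

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    """Recover D(target) right to left by forging the block before it, then XOR with prev."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval      # known bytes set so they decrypt to padval
        for guess in range(256):
            forged[pos] = guess
            if oracle(bytes(forged) + target):
                if pos == BLOCK - 1:            # rule out an accidental longer valid pad
                    alt = bytearray(forged)
                    alt[pos - 1] ^= 0xFF
                    if not oracle(bytes(alt) + target):
                        continue
                inter[pos] = guess ^ padval
                break
        else:
            raise RuntimeError("oracle never accepted: no padding leak, or tampering is detected")
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle, blob: bytes) -> bytes:
    blocks = [blob[i:i + BLOCK] for i in range(0, len(blob), BLOCK)]
    plain = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return unpad(plain)

class AuthenticatedServer(Server):
    """Fix: encrypt-then-MAC, so tampered ciphertext is rejected before decryption."""
    def __init__(self):
        super().__init__()
        self.mac_key = os.urandom(32)
    def encrypt(self, msg: bytes) -> bytes:
        blob = super().encrypt(msg)
        return blob + hmac.new(self.mac_key, blob, hashlib.sha256).digest()
    def padding_ok(self, blob: bytes) -> bool:
        body, tag = blob[:-32], blob[-32:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag) and super().padding_ok(body)
```

The attacker needs at most 256 queries per byte and never learns the key. Note that the oracle does not have to be an explicit "bad padding" error: a different status code, a timing difference, or a connection reset on bad padding is just as good. That is why the fix is to authenticate the ciphertext and refuse to decrypt anything that fails the tag, rather than to make the padding error message vaguer.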
#663 Firefox 46 patches critical memory vulnerabilities
Mozilla yesterday updated Firefox and patched 10 vulnerabilities, one of which was rated critical.

Firefox 46 also included patches for four vulnerabilities that Mozilla rated as high severity. Critical bugs enabled remote code execution without user interaction, while bugs rated high can be exploited to steal browser data or inject code into websites via the browser.
#662 Cisco: Tuto4PC utilities silently install 12M backdoors
Security experts are warning PC users of scareware computer utilities published by the French firm Tuto4PC that secretly bundle adware and spyware. Cisco’s Talos security research team said several of the company’s utilities, including OneSoftPerDay and System Healer, contain Trojans that exhibit “malicious intent and behavior.”

Talos estimates 12 million users have been enticed to download one of Tuto4PC’s software programs. Researchers say once PC users install one of its utilities, the software acts like malware and installs a Trojan called Wizz.
#661 RuMMS: The latest family of Android malware attacking users in Russia via SMS phishing
Recently we observed an Android malware family being used to attack users in Russia. The malware samples were mainly distributed through a series of malicious subdomains registered under a legitimate domain belonging to a well-known shared hosting service provider in Russia. Because all the URLs used in this campaign have the form hxxp://yyyyyyyy[.] followed by the hosting provider’s domain, we named this malware family RuMMS.

To lure the victims to download the malware, threat actors use SMS phishing – sending a short SMS message containing a malicious URL to the potential victims. Unwary users who click the seemingly innocuous link will have their device infected with RuMMS malware. Figure 1 describes this infection process and the main behaviors of RuMMS.
#660 Hundreds of Spotify credentials appear online – users report accounts hacked
A list containing hundreds of Spotify account credentials – including emails, usernames, passwords, account type and other details – has popped up on the website Pastebin, in what appears to be a possible security breach. After reaching out to a random sampling of the victims via email, we’ve confirmed that these users’ Spotify accounts were compromised only days ago. However, Spotify says that it “has not been hacked” and its “user records are secure.”

It’s unclear, then, where these particular account details were acquired, given that they are specific to Spotify, rather than a set of generic credentials that just happen to work on Spotify.
#659 Hacking group “PLATINUM” used Windows’ own patching system against it
Microsoft's Windows Defender Advanced Threat Hunting team works to track down and identify hacking groups that perpetrate attacks. The focus is on the groups that are most selective about their targets and that work hardest to stay undetected. The company wrote today about one particular group that it has named PLATINUM.

The unknown group has been attacking targets in South East Asia since at least 2009, with Malaysia being its biggest victim with just over half the attacks, and Indonesia in second place. Almost half of the attacks were aimed at government organizations of some kind, including intelligence and defense agencies, and a further quarter of the attacks were aimed at ISPs. The goal of these attacks does not appear to have been immediate financial gain—these hackers weren't after credit cards and banking details—but rather broader economic espionage using stolen information.
#658 If you use Waze, hackers can stalk you
Millions of drivers use Waze, a Google-owned navigation app, to find the best, fastest route from point A to point B. And according to a new study, all of those people run the risk of having their movements tracked by hackers.

Researchers at the University of California-Santa Barbara recently discovered a Waze vulnerability that allowed them to create thousands of “ghost drivers” that can monitor the drivers around them—an exploit that could be used to track Waze users in real-time. They proved it to me by tracking my own movements around San Francisco and Las Vegas over a three-day period.

“It’s such a massive privacy problem,” said Ben Zhao, professor of computer science at UC-Santa Barbara, who led the research team.
#657 Gmail for Android gets Microsoft Exchange support
Google today updated Gmail for Android with a very notable feature: support for Microsoft Exchange. You can download the latest version of the app now from Google Play (if you don’t see it, don’t worry: Google says the gradual rollout may take three or more days).

But wait, didn’t Gmail for Android already have Exchange support? Yes, but only on Nexus devices. We reached out to Google to make sure that’s what is new today, and sure enough: “Exchange support was previously only available on our Nexus devices, but as of today, Exchange support covers mail, contacts, and calendar data in Android across all devices,” a Google spokesperson told VentureBeat.
#656 New decryptor unlocks CryptXXX ransomware
Researchers at Kaspersky Lab today published a solution for victims, a utility that helps recover files scrambled by CryptXXX.

Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, said the malware’s crypto implementation contained an undisclosed weakness that opened the door to the development of the decryptor. The decryptor was added to an existing ransomware utility that also recovers files lost to Rannoh, AutoIt, Fury, Crybola, and Cryaki.

“It looks dangerous because of Angler (i.e. it has a potential for massive propagation),” Sinitsyn said. “Also, it has additional functionality to steal sensitive data, which is another big threat, even if the victim manages to decrypt the files.”
#655 Building a home lab to become a malware hunter - a beginner’s guide
As time goes by, criminals are developing more and more complex methods of obscuring how their malware operates, making it increasingly difficult to detect and analyze. The list of tactics used is seemingly endless and can include obfuscation, packers, executing from memory with no file drop, and P2P botnet architecture with frontline command and control servers (C2s) and gateways being compromised websites. Add to these tactics the concerns about Domain Generation Algorithms (DGAs), Fast Flux and Dynamic DNS, and you complicate the mix even further.

Tracking all of these elements might be difficult, but in all honesty, you don't need 10 years of experience in malware analysis and a bunch of certificates to help you win this battle. You just need to experiment. One great way to learn about malware is to build your own home lab and play with actual malware samples within this environment. This can be a fun and educational project even if you are not an InfoSec pro. If you do happen to be an InfoSec pro, the things you learn in your home lab just might help you do your job more effectively. So how do you set one up? A few simple guidelines will get you started.
#654 New FAREIT strain abuses PowerShell
In 2014, we began seeing attacks that abused the Windows PowerShell. Back then, it was uncommon for malware to use this particular feature of Windows. However, there are several reasons for an attacker to use this scripting technique.

For one, users cannot easily spot any malicious behavior since PowerShell runs in the background. Another is that PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it an attractive tool for attackers for carrying out malicious activities while avoiding easy detection.

In March 2016, we noted that PowerWare crypto-ransomware also abused PowerShell. Recently, we spotted a new attack where PowerShell was abused to deliver a FAREIT variant. This particular family of information stealers has been around since 2011.
#653 Protecting against unintentional regressions to cleartext traffic in your Android apps
When your app communicates with servers using cleartext network traffic, such as HTTP, the traffic risks being eavesdropped upon and tampered with by third parties. This may leak information about your users and open your app up to injection of unauthorized content or exploits. Ideally, your app should use secure traffic only, such as by using HTTPS instead of HTTP. Such traffic is protected against eavesdropping and tampering.

Many Android apps already use secure traffic only. However, some of them occasionally regress to cleartext traffic by accident. For example, an inadvertent change in one of the server components could make the server provide the app with HTTP URLs instead of HTTPS URLs. The app would then proceed to communicate in cleartext, without any user-visible symptoms. This situation may go unnoticed by the app’s developer and users.

Even if you believe your app is only using secure traffic, make sure to use the new mechanisms provided by Android Marshmallow (Android 6.0) to catch and prevent accidental regressions.
#652 Android ransomware attacks using Towelroot, Hacking Team exploits
A menacing wave of ransomware that locks up Android devices and demands victims pay $200 in Apple iTunes gift card codes is raising concern among security researchers. The ransomware attacks, they say, open a new chapter for Android vulnerabilities similar to Microsoft’s obsolete, unpatched and unsupported Windows XP operating system.

“This is a new and troubling development for the Android OS. This ransomware thrives on outdated Android devices that are not patched and will likely never be,” said Andrew Brandt, researcher at Blue Coat and the analyst who discovered the vulnerability.
#651 4U Storage Pods offer 240TB of storage for 3.6¢/GB
For the last few years, we've looked at the hard disk reliability numbers from cloud backup and storage company Backblaze, but we've not looked at the systems it builds to hold its tens of thousands of hard disks. In common with some other cloud companies, Backblaze publishes the specs and designs of its Storage Pods, 4U systems packed with hard disks, and today it announced its sixth generation design, which bumps up the number of disks (from 45 to 60) while driving costs down even further.
#650 Active drive-by exploits critical Android bugs, care of Hacking Team
An ongoing drive-by attack is forcing ransomware onto Android smartphones by exploiting critical vulnerabilities in older versions of Google's mobile operating system still in use by millions of people, according to research scheduled to be published Monday.

The attack combines exploits for at least two critical vulnerabilities contained in Android versions 4.0 through 4.3, including an exploit known as Towelroot, which gives attackers unfettered "root" access to vulnerable phones. The exploit code appears to borrow heavily from, if not copy outright, the Android attack scripts that leaked to the world following the embarrassing breach of Italy-based Hacking Team in July 2015. Additional data indicates devices running Android 4.4 may also be infected, possibly by exploiting a different set of vulnerabilities.
#649 Threat spotlight: Exploit Kit goes international hits 150+ countries
Talos is constantly monitoring the threat landscape, and exploit kits are a constantly evolving component of it. An ongoing goal of Talos is to expose and disrupt these kits to protect the average internet user from being targeted and compromised. We were able to gain unprecedented insight into the Angler exploit kit and reveal details of its activity that were previously unknown. Now we have focused our attention on the Nuclear exploit kit with similar results.

Nuclear exploit kit has been steadily compromising users for years and has been effective in evolving as well as adding new exploits to their arsenal. However, it has been operating largely off the radar compared to some of the more prolific kits that are active today. This lack of deep visibility was one of the driving forces behind the deep investigation into its activity. What we found was a sophisticated threat that has been successfully targeting and compromising users in more than 10,000 different cities in more than 150 countries.

We continued digging through our data and wound up with a list of 10 to 15 IPs that were hosting the Nuclear EK. This allowed us to focus on the providers hosting the activity. At this point the first key piece was identified: DigitalOcean. We were able to determine that practically all the Nuclear activity we were tracking was being hosted by DigitalOcean. Talos established contact with DigitalOcean and notified them of the activity and the details associated with the threat. DigitalOcean's security team validated the malicious nature of the hosts and collaborated with Talos to provide valuable intel during the takedown, to help expose how the kit operates.
#648 Opera is doubling the server capacity after the built-in VPN launch
The U.S. was the country with the biggest number of users, followed by Russia, the U.K., Germany, France and Poland. This clearly shows that online privacy is gaining importance all over the world.
#647 Facebook usage over Tor passes 1M per month
The number of people using the Tor anonymizing browser to access Facebook has passed the one million mark this month for the first time, Facebook has announced.

Tor (aka The Onion Router) is a network technology designed to increase the privacy of web users by encrypting and randomly routing Internet connections via a worldwide network of volunteer relays — thereby making it harder for individual web connections to be traced back to a particular user.

Facebook created a dedicated onion address for Tor access back in October 2014, aimed at making it easier for users to connect via Tor, given that the way the network routes traffic can be flagged by site security infrastructure.

Facebook also expanded its Tor support at the start of this year by rolling out support for the Android Orbot proxy, giving Android Facebook users an easier way to use Tor.
#646 MongoDB configuration error exposed 93 million Mexican voter records
A 132 GB database, containing the personal information on 93.4 million Mexican voters has finally been taken offline. The database sat exposed to the public for at least eight days after its discovery by researcher Chris Vickery, but originally went public in September 2015.

Vickery, who works as a security researcher at Kromtech (the company behind MacKeeper), discovered the MongoDB instance on April 14, but had difficulty tracking down the person or company responsible for placing the voter data on Amazon's AWS. He first reached out to the U.S. State Department, as well as the Mexican Embassy, but had little success.
#645 MIT launches experimental bug bounty program
The effectiveness of bug bounty programs is difficult to deny, especially after adoption of one at Uber, which announced last month it would begin paying $10,000 for critical bugs, and the Department of Defense, whose Hack the Pentagon illustrates the government’s softening stance on hackers.

The Massachusetts Institute of Technology announced this week that it will follow in those footsteps and launch its own experimental bug bounty program, becoming one of the first academic institutions to reward hackers who find and responsibly disclose vulnerabilities on the school’s sites.
#644 “Nuclear” exploit kit service cashes in on demand from cryptoransomware rings
Security researchers at Cisco Talos and Check Point have published reports detailing the inner workings of Nuclear, an "exploit kit" Web service that deployed malware onto victims' computers through malicious websites. While a significant percentage of Nuclear's infrastructure has been recently disrupted, the exploit kit is still operating—and looks to be a major contributor to the current crypto-ransomware epidemic.

Introduced in 2010, Nuclear has been used to target millions of victims worldwide, giving attackers the ability to tailor their attacks to specific locations and computer configurations. Though not as widely used as the well-known Angler exploit kit, it has been responsible for dropping Locky and other crypto-ransomware onto more than 140,000 computers in more than 200 countries, according to statistics collected by Check Point. The Locky campaign appeared to be placing the greatest demand on the Nuclear pay-to-exploit service.
#643 $10 router blamed in Bangladesh bank hack
Hackers managed to steal $80m (£56m) from Bangladesh's central bank because it skimped on network hardware and security software, reports Reuters.

The bank had no firewall and used second-hand routers that cost $10 to connect to global financial networks.

Better security and hardware would have hampered the attackers, Reuters said, quoting an official investigator.

The hackers aimed to steal $1bn but made mistakes that led to the theft being spotted and stopped.
#642 PowerShell used for spreading Trojan.Laziok through Google Docs
Through our multi-flow detection capability, we recently identified malicious actors spreading Trojan.Laziok malware via Google Docs. We observed that the attackers managed to upload the payload to Google Docs in March 2016. During the brief time it was live, users accessing the malicious page from Internet Explorer (versions 3 to 11) would have become the unwilling hosts for the infostealer payload without any security warning. After we alerted Google about its presence, they quickly cleaned it and the original URL involved in propagation also went down.
#641 Avast SandBox escape via IOCTL requests
A design flaw in Avast Sandbox allows a potentially harmful program to escape the sandbox and infect the host by dropping its files out of it and/or by modifying existing legitimate files of any type.

Affected Products:

Avast Internet Security v11.x.x
Avast Pro Antivirus v11.x.x
Avast Premier v11.x.x
Avast Free Antivirus v11.x.x

Avast Business Security v11.x.x

Avast Endpoint Protection v8.x.x
Avast Endpoint Protection Plus v8.x.x
Avast Endpoint Protection Suite v8.x.x
Avast Endpoint Protection Suite Plus v8.x.x
Avast File Server Security v8.x.x
Avast Email Server Security v8.x.x
#640 How I hacked Facebook, and found someone's backdoor script
As a pentester, I love server-side vulnerabilities more than client-side ones. Why? Because it’s way cooler to take over the server directly and gain system SHELL privileges.

Of course, both vulnerabilities from the server-side and the client-side are indispensable in a perfect penetration test. Sometimes, in order to take over the server more elegantly, it also needs some client-side vulnerabilities to do the trick. But speaking of finding vulnerabilities, I prefer to find server-side vulnerabilities first.

With the growing popularity of Facebook around the world, I’ve always been interested in testing the security of Facebook. Luckily, in 2012, Facebook launched the Bug Bounty Program, which even motivated me to give it a shot.
#639 Core Windows utility can be used to bypass AppLocker
A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft’s AppLocker.

A researcher who requested anonymity found and privately disclosed the issue to Microsoft on Tuesday. It’s unknown whether Microsoft will patch this issue with a security bulletin, or in a future release.

Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher’s proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. Abusing this situation presumes an attacker would already be present on the box, the researcher said.
#638 Cisco patches Denial-of-Service flaws across three products
Cisco released software updates to address five separate denial of service vulnerabilities, all of which the company considers either high or critical severity, across its product line this week.

According to a series of security advisories issued on Wednesday, three of the five vulnerabilities exist in Cisco’s Wireless LAN Controller (WLC) devices, commonly used to manage and secure wireless networks in the enterprise.

The most pressing WLC vulnerability, marked critical, stems from improper handling of HTTP traffic, meaning an attacker could send a request to a device and from there trigger a buffer overflow condition, and subsequently, a denial of service condition.

The issue affects a wide spectrum of Cisco WLC devices, including those running 7.2, 7.3, 7.4 prior to, 7.5, 7.6, and 8.0, prior to
#637 UK intel agencies spy indiscriminately on millions of innocent folks
The UK's intelligence agencies (MI5, MI6, and GCHQ) are spying on everything you do, and with only the flimsiest of safeguards in place to prevent abuse, according to more than a thousand pages of documents published today as a result of a lawsuit filed by Privacy International.

The documents reveal the details of so-called "Bulk Personal Datasets," or BPDs, which can contain "hundreds to millions of records" on people who are not suspected of any wrongdoing.

These records can be “anything from your private medical records, your correspondence with your doctor or lawyer, even what petitions you have signed, your financial data, and commercial activities,” Privacy International legal officer Millie Graham Wood said in a statement. "The information revealed by this disclosure shows the staggering extent to which the intelligence agencies hoover up our data."
#636 Adobe patches DOM-XSS flaw in analytics AppMeasurement for Flash library
Adobe today patched a vulnerability in the Adobe Analytics AppMeasurement for Flash library, which can be added to Flash projects to measure the usage of Flash-based content.

The vulnerability is a DOM-based cross-site scripting flaw that can be abused for cookie theft, said researcher Randy Westergren Jr., who privately disclosed the issue to Adobe.

Unlike traditional cross-site scripting exploits, where a payload is dropped onto a page in response to an HTTP(S) request, DOM-based XSS attacks modify the DOM environment in the browser used by client-side script, and the malicious code affects the execution of client-side code contained on a site, according to OWASP.
#635 Opera bundles free, unlimited VPN client into its browser
Opera Software has become the first major browser maker to introduce a built-in VPN client for its Web users.

The Norwegian company said that the latest version of its browser is only available via its "Developer" channel, and added that the VPN service is currently free of charge, and has no limits in traffic or usage time.

Opera users can choose between the firm's VPN servers in the US, Canada, and Germany—with the promise that the list of locations will grow longer soon.

The main advantages of having a VPN client built into the browser include improving public Wi-Fi security, hiding the IP address, and bypassing website access restrictions, Opera said.
#634 Test of telephone support services for Windows consumer security software 2016 (PDF)
Given the numerous risks to be found on the Internet today, effective antimalware software is essential when going online. If a user is unable to install or activate their security program, or it is not working as expected, rapid help from an expert is called for. Arguably the quickest way of getting assistance is to pick up the phone and speak to one of the manufacturer’s support agents. The aim of Support Tests is to assess how quickly and effectively the vendor’s support services cope with typical questions.

This report was initially requested and commissioned by PCgo and PC Magazin Germany.
#633 Sony trots out 2-factor authentication 5 years after breach
Five years after a hack exposed the data of 77 million users, Sony is finally adding two-factor authentication to its PlayStation Network.

The company did not provide details on the new service, but did say it was still under development and would be released at a later date. As passwords fall out of favor as a security construct, the current popular alternative is two-factor authentication, which requires the user have a second factor in order to gain access to a service.

Popular two-factor authentication schemes today include one-time passcodes sent via mobile SMS or to an email address. In addition, some online services, such as Google, are beginning to explore two-factor authentication using technology based on public key cryptography.
#632 Can Switzerland become a safe haven for the world's data?
As United States and European Union regulators debate a sweeping new data-privacy agreement, Switzerland is presenting itself as a viable neutral location for storing the world’s data thanks to strict privacy laws and ideal infrastructure.

The Swiss constitution guarantees data privacy under Article 13. The country’s laws protecting privacy are similar to those enacted by the E.U. Swiss data protections are also, in some cases, much stricter than those of the E.U., according to Nicola Benz, attorney at Swiss law firm Froriep. And since Switzerland is not part of the E.U., data stored there remains outside the reach of the union’s authorities.

“Swiss law contains things that we call blocking statutes,” Benz said, “which mean that foreign authorities can’t conduct their authority’s functions on Swiss soil unless they follow the proper judicial channels.” The country’s tight privacy laws could make the small nation more attractive to privacy-focused start-ups. And it already has tha
#631 Oracle fixes 136 vulnerabilities with April critical patch update
Oracle fixed 136 vulnerabilities across 46 different products this week as part of its quarterly Critical Patch Update. More than half of the CVEs, 72, could be remotely exploitable without authentication.

Fixes for a slew of products, including Oracle’s Database Server, E-Business Suite, Fusion Middleware, along with its Sun Products line, Java SE platform, and MySQL database, were pushed on Tuesday. The update is the company’s second batch of patches for 2016 and as far as the number of fixes goes, is much more in line with Oracle’s traditional patch updates compared to January’s mammoth CPU which was record-setting and addressed 248 patches.

#630 Latest TeslaCrypt targets new file extensions, invests heavily in evasion
TeslaCrypt, like many of its ransomware cousins, doesn’t sleep on past success. Researchers at Endgame Inc., have found two updates for the cryptoransomware in the past two weeks that invest heavily in obfuscation and evasion techniques, and also target a host of new file extensions.

These samples, researcher Amanda Rousseau told Threatpost, were found in attachments of large-scale spam campaigns purporting to be shipping delivery notifications.

Version 4.1A has been in circulation for about a week, Rousseau said, and targets a wide range of the usual file extensions, plus a handful of new ones that merit notice: .7z; .apk; .asset; .avi; .bak; .bik; .bsa; .csv; .d3dbsp; .das; .forge; .iwi; .lbf; .litemod; .litesql; .ltx; .m4a; .mp4; .rar; .re4; .sav; .slm; .sql; .tiff; .upk; .wma; .wmv; and .wallet. The use of spam to move TeslaCrypt is also a departure from recent outbreaks where exploit kits were infecting WordPress and Joomla websites and silently loading ransomware onto co
#629 DRAM bitflipping exploits that hijack computers just got easier
New research into the "Rowhammer" bug that resides in certain types of DDR memory chips raises a troubling new prospect: attacks that use Web applications or booby-trapped videos and documents to trigger so-called bitflipping exploits that allow hackers to take control of vulnerable computers.

The scenario is based on a finding that the Rowhammer vulnerability can be triggered by what's known as non-temporal code instructions. That opens vulnerable machines to several types of exploits that haven't been discussed in previous research papers. For instance, malicious Web applications could use non-temporal code to cause code to break out of browser security sandboxes and access sensitive parts of an operating system. Another example: attackers could take advantage of media players, file readers, file compression utilities, or other apps already installed on Rowhammer-susceptible machines and cause the apps to trigger the attacks.
#628 RansomWhere?: Generic ransomware detection comes to Apple OS X
Researcher Patrick Wardle, director of research at Synack and a known OS X hacker, today released his own generic OS X ransomware detector called "RansomWhere?". The utility monitors home directories on OS X machines for untrusted processes that are encrypting files. The user is presented with an alert while RansomWhere? blocks the process and waits for the user to decide whether to allow or terminate the process.

“I saw that existing approaches aren’t working,” Wardle said. “Antivirus has its shortcomings. KeRanger was signed with a legitimate Apple developer ID certificate that passed it off as a legitimate application. Gatekeeper is not going to block that. You’ve got to think outside the box and take an approach that is not specimen specific.”
#627 MULTIGRAIN – POS attackers make an unhealthy addition to the pantry
FireEye recently discovered a new variant of a point of sale (POS) malware family known as NewPosThings. This variant, which we call “MULTIGRAIN”, consists largely of a subset of slightly modified code from NewPosThings. The variant is highly targeted, digitally signed, and exfiltrates stolen payment card data over DNS. The addition of DNS-based exfiltration is new for this malware family; however, other POS malware families such as BernhardPOS and FrameworkPOS have used this technique in the past.

Using DNS for data exfiltration provides several advantages to the attacker. Sensitive environments that process card data will often monitor, restrict, or entirely block the HTTP or FTP traffic often used for exfiltration in other environments. While these common internet protocols may be disabled within a restrictive card processing environment, DNS is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked.
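Detection logic for the DNS-based exfiltration pattern the paragraph describes, added here as an example that is not part of the page or of FireEye's MULTIGRAIN analysis. It reads constructed resolver query log lines (the four-column format is an assumption) and flags clients that issue several distinct long, high-entropy leftmost labels under one registered domain, which is how encoded data tends to look when it leaves a network in DNS queries:

```python
import math
from collections import defaultdict

# Constructed sample resolver query log (not from the page or from FireEye).
# Assumed format: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_LOG = """\
2016-04-19T10:00:01 10.1.5.23 A www.example.com
2016-04-19T10:00:02 10.1.5.23 A cdn.example.net
2016-04-19T10:00:03 10.1.5.40 A 4a2b1c9d8e7f6a5b4c3d2e1f0a9b8c7d.lookup.evil-tld.test
2016-04-19T10:00:04 10.1.5.40 A 9f8e7d6c5b4a39281706f5e4d3c2b1a0.lookup.evil-tld.test
2016-04-19T10:00:05 10.1.5.40 A 0011223344556677889900aabbccddee.lookup.evil-tld.test
2016-04-19T10:00:06 10.1.5.40 A ffeeddccbbaa99887766554433221100.lookup.evil-tld.test
2016-04-19T10:00:07 10.1.5.23 A mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; hex/base32/base64-encoded data scores high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one assumed-format log line into a record, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.rstrip(".").lower()}


def registered_domain(qname: str) -> str:
    # Assumption: the registered domain is the last two labels. Production
    # code should consult the Public Suffix List (co.uk would be mis-split here).
    return ".".join(qname.split(".")[-2:])


def analyze(log_text: str, min_label_len: int = 20,
            min_entropy: float = 3.0, min_unique: int = 3):
    """Return one finding per (client, domain) pair that looks like DNS exfil."""
    buckets = defaultdict(set)  # (client, registered domain) -> payload labels
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = rec["qname"].split(".")
        if len(labels) < 3:
            continue  # bare domain: no subdomain label to carry a payload
        payload = labels[0]  # leftmost label is where encoded data usually sits
        if len(payload) >= min_label_len and shannon_entropy(payload) >= min_entropy:
            buckets[(rec["client"], registered_domain(rec["qname"]))].add(payload)

    findings = []
    for (client, domain), labels in sorted(buckets.items()):
        # One odd label is noise (CDN hashes, AV lookups); many distinct ones
        # under the same domain from one client is the exfiltration signature.
        if len(labels) >= min_unique:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_labels": len(labels),
                "payload_chars": sum(len(lbl) for lbl in labels),
                "mean_entropy": round(
                    sum(shannon_entropy(lbl) for lbl in labels) / len(labels), 2),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed log above only client 10.1.5.40 is reported, with four distinct 32-character labels under evil-tld.test. The thresholds are starting points: legitimate services also emit long hashed labels, so in practice the findings feed an allowlist of known domains and a baseline of normal query rates per client rather than an automatic block.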
#626 New crypto-ransomware JIGSAW plays nasty games
The evolution of crypto-ransomware in terms of behavior takes a step forward, and a creepy one at that. We have recently encountered a nasty crypto-ransomware variant called JIGSAW. Reminiscent of the horror film Saw, this malware toys with users by locking and deleting their files incrementally. To an extent, it instills fear and pressures users into paying the ransom. It even comes with an image of Saw’s very own Billy the puppet, and the red analog clock to boot.

It’s no longer a surprise that crypto-ransomware is the prevalent threat in today’s computing landscape, given its promise of quick ROI for the cybercriminals behind it. It’s also not surprising that many have joined this bandwagon. These days, the name of the crypto-ransomware game is to add “unique” features or “creative” ways to instill fear and put more pressure on users to pay up, despite the fact that, when it comes to their technical routines, there’s not much difference among these malware. JIGSAW joins notable
#625 CryptXXX: new ransomware from the actors behind reveton, dropping via Angler
Proofpoint researchers recently found a previously undocumented ransomware spreading since the end of March through Bedep after infection via the Angler Exploit Kit (EK). Combining our findings with intelligence shared by Frank Ruiz (Fox IT InTELL) led us to the same conclusion: this project is conducted by the same group that was driving Reveton ransomware operations and is closely tied to Angler/Bedep. Dubbed "CryptXXX", this new ransomware is currently asking a relatively high $500 per computer to unlock encrypted files. Angler is the number one exploit kit by volume, making the potential impact of new ransomware in the hands of experienced actors with access to this vector quite significant.
#624 Python-based PWOBot targets European organizations
We have discovered a malware family named ‘PWOBot’ that is fairly unique because it is written entirely in Python, and compiled via PyInstaller to generate a Microsoft Windows executable. The malware has been witnessed affecting a number of Europe-based organizations, particularly in Poland. Additionally, the malware is delivered via a popular Polish file-sharing web service.

The malware itself provides a wealth of functionality, including the ability to download and execute files, execute Python code, log keystrokes, spawn an HTTP server, and mine Bitcoins via the victim’s CPUs and GPUs.

There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks have been observed affecting organizations between mid-to-late 2015.
#623 Netflix: VPN blockade backlash doesn’t hurt us
Netflix CEO Reed Hastings says that the recent crackdown on VPN and proxy users hasn't hurt the company's results. The VPN blockade only affects a small but vocal minority, according to Hastings, and there are no signs that hordes of subscribers are abandoning ship.

Earlier this year Netflix announced that it would increase its efforts to block customers who circumvent geo-blockades.

As a result it has become harder to use VPN services and proxies to access Netflix content from other countries, something various movie studios have repeatedly called for.

With the application of commercial blacklist data, Netflix already blocks IP-addresses that are linked to such services, something which also affects well-intentioned customers who merely use a VPN to protect their privacy.
#622 FBI tells congress it needs hackers to keep up with tech company encryption
A high ranking technology official with the FBI told members of Congress Tuesday that the agency is incapable of cracking locked phones and devices on its own, even with additional resources.

Amy Hess, the agency’s executive assistant director for science and technology, told a panel of the House Energy and Commerce Committee that encrypted communications continue to pose a challenge to American law enforcement, and to the safety of the American public. But when asked by lawmakers to provide a practical solution beyond the FBI’s talking points, she said that the cooperation of technology companies would be necessary.
#621 Security firm SurfWatch Labs discovers secret plan to hack numerous websites and forums
Security researchers from SurfWatch Labs have shut down a secret plan to hack and infect hundreds or possibly thousands of forums and websites hosted on the infrastructure of Invision Power Services, makers of the IP.Board forum platform, now known as the IPS Community Suite.

The plan belonged to a malware coder known as AlphaLeon, who at the start of March this year started selling a new trojan called Thanatos.

Advertised as a MaaS (Malware-as-a-Service) rentable platform, to be attractive to its customers, Thanatos had to run on a very large number of infected hosts. In the infosec community this structure is called a botnet, and the bigger it is, the easier it is to carry out all sorts of cyber-attacks.
#620 Google is partially dangerous - according to Google
Searching on might be dangerous—don't take my word for it, take Google's. The search giant's own Transparency Report for gives itself a current rating of "partially dangerous."

The reason for the "partially dangerous" status? According to the report, "Some pages on contain deceptive content right now."

Google's Safe Browsing technology scans Websites for potential risks to warn users before they visit unsafe sites. I first wrote about Safe Browsing a decade ago, back in 2006, when it was first included in Mozilla's Firefox 2.0 Web browser as a feature to help make the Web safer for us all.

The fact that Google Safe Browsing rates as partially dangerous is not scurrilous in any way; rather, it is a testament to Google's honesty and the integrity of its mission to do no evil.
#619 New system to identify people by their 'brainprints'
Scientists have developed a new system that can identify people using their brain waves or 'brainprint' with 100 per cent accuracy, an advance that may be useful in high-security applications.

Researchers at Binghamton University in the US recorded the brain activity of 50 people wearing an electroencephalogram (EEG) headset while they looked at a series of 500 images designed specifically to elicit unique responses from person to person - eg a slice of pizza, a boat, or the word "conundrum."

They found that participants' brains reacted differently to each image, enough that a computer system was able to identify each volunteer's 'brainprint' with 100 per cent accuracy.
#618 Android Security Report: 29 percent of active devices not up to patch levels
In its annual Android Security Report, published today, Google said that 71 percent of active Android devices are running on Android 4.4.4 and higher, the only versions supported by Google with security updates.

According to the Android developer dashboard, 33.4 percent of devices are on 4.4, or KitKat, with 40.4 percent running Lollipop or Marshmallow. That still leaves a sizeable number of Android devices running on an unsupported, out of date operating system.
#617 Chrome extensions will soon have to tell you what data they collect
Google is about to make it harder for Chrome extensions to collect your browsing data without letting you know about it, according to a new policy announced Friday.

Starting in mid-July, developers releasing Chrome extensions will have to comply with a new User Data Policy that governs how they collect, transmit and store private information. Extensions will have to encrypt personal and sensitive information, and developers will have to disclose their privacy policies to users.

Developers will also have to post a "prominent disclosure" when collecting sensitive data that isn't related to a prominent feature. That's important, because extensions have tremendous power to track users' browsing habits and then use that for nefarious purposes.
#616 Changing your password regularly is a terrible idea, and here's why
If users are forced to change passwords they will mostly choose something that is a slight variation on the original one, or one that they have used elsewhere, or a weaker one. These behaviours can be exploited, CESG said: attackers can often work out the new password, if they have the old one.

Regularly changed passwords are more likely to be written down (another vulnerability) or forgotten, which means lost productivity for users and a pain for the help desk that has to reset it.

"It's one of those counter-intuitive security scenarios; the more often users are forced to change passwords, the greater the overall vulnerability to attack. What appeared to be a perfectly sensible, long-established piece of advice doesn't, it turns out, stand up to a rigorous, whole-system analysis," CESG said.
#615 MIT reveals AI platform which detects 85 percent of cyberattacks
On Monday, MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) said that while many "analyst-driven solutions" rely on rules created by human experts and therefore may miss attacks which do not match established patterns, a new artificial intelligence platform changes the rules of the game.

The platform, AI Squared (AI2), is able to detect 85 percent of attacks -- roughly three times better than current benchmarks -- and also reduces the number of false positives by a factor of five, according to MIT.
#614 US-CERT to Windows users: Dump Apple Quicktime
Microsoft Windows users who still have Apple Quicktime installed should ditch the program now that Apple has stopped shipping security updates for it, warns the Department of Homeland Security‘s U.S. Computer Emergency Readiness Team (US-CERT). The advice came just as researchers are reporting two new critical security holes in Quicktime that likely won’t be patched.

US-CERT cited an April 14 blog post by Christopher Budd at Trend Micro, which runs a program called Zero Day Initiative (ZDI) that buys security vulnerabilities and helps researchers coordinate fixing the bugs with software vendors. Budd urged Windows users to junk Quicktime, citing two new, unpatched vulnerabilities that ZDI detailed which could be used to remotely compromise Windows computers.
#613 Rogue source code repos can compromise Mac security due to old Git version
Rachel Kroll has discovered that El Capitan comes bundled with an older version of Git that's exposing users to two possible attacks, due to the CVE-2016-2324 and CVE-2016-2315 vulnerabilities present in all Git versions 2.7.3 and prior. El Capitan comes bundled by default with Git 2.6.4.

The two vulnerabilities, both heap-based buffer overflows, allow attackers to execute malicious code on the machine. The only condition for an attack to take place is that a Mac user forks a Git repo that contains malicious code.

The attacker can use the malicious code hidden in the repo to launch an attack on the Mac, compromise the system, and take control of the user's device.
#612 Google Alerts, direct webmaster communication get bugs fixed quickly
“We observe that direct communication with webmasters increases the likelihood of cleanup by over 50 percent and reduces infection lengths by at least 62 percent,” researchers wrote in a report called “Remedying Web Hijacking: Notification Effectiveness and Webmaster Comprehension.” “Absent this open channel for communication, we find browser interstitials—while intended to alert visitors to potentially harmful content—correlate with faster remediation.”
#611 How hackers eavesdropped on a US Congressman using only his phone number
A US congressman has learned first-hand just how vulnerable cellphones are to eavesdropping and geographic tracking after hackers were able to record his calls and monitor his movements using nothing more than the public ten-digit phone number associated with the handset he used.

The stalking of US Representative Ted Lieu's smartphone was carried out with his permission for a piece broadcast Sunday night by 60 Minutes. Karsten Nohl of Germany-based Security Research Labs was able to record any call made to or from the phone and to track its precise location in real-time as the California congressman traveled to various points in the southern part of the state. At one point, 60 Minutes played for Lieu a crystal-clear recording Nohl made of one call that discussed data collection practices by the US National Security Agency. While SR Labs had permission to carry out the surveillance, there's nothing stopping malicious hackers from doing the same thing.
#610 Your phone number is all a hacker needs to read texts, listen to calls and track you
Hackers have again demonstrated that no matter how many security precautions someone takes, all a hacker needs to track their location and snoop on their phone calls and texts is their phone number.

The hack, first demonstrated by German security researcher Karsten Nohl in 2014 at a hacker convention in Hamburg, has been shown to still be active by Nohl over a year later for CBS’s 60 Minutes.

The hack uses the network interchange service called Signalling System No. 7 (SS7), also known as C7 in the UK or CCSS7 in the US, which acts as a broker between mobile phone networks. When calls or text messages are made across networks SS7 handles details such as number translation, SMS transfer, billing and other back-end duties that connect one network or caller to another.
#609 Web host 123-reg deletes sites in clean-up error
The company, which hosts 1.7m sites in the UK, said an error made during maintenance "effectively deleted" what was on some of its servers.

"We can conclude that the issues faced have resulted in some data loss for some customers," the firm admitted.

It has started a "recovery process", but said customers with their own data backups should use them to rebuild their websites.

The web host, which has 800,000 customers in the UK, would not say how many websites had been deleted but said it was a "small proportion".
#608 WhatsApp vs Telegram
The competition for the most secure instant messaging tool has been running for years. It re-surfaced this month when WhatsApp announced it has completed implementing end-to-end encryption. Curiously, in security research circles, this has resulted in endless debates between WhatsApp and Telegram. Very much like Emacs vs Vi, everybody has a (strong) opinion, but there is no general consensus.
#607 Ransomware: past, present, and future
Ransomware as we know it today has a sort of 'spray and pray' mentality; they hit as many individual targets as they can as quickly as possible. Typically, payloads are delivered via exploit kits or mass phishing campaigns. Recently a number of scattered ransomware campaigns deliberately targeting enterprise networks have come to light. We believe that this is a harbinger of what's to come -- a portent for the future of ransomware.

Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents. With few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data. This paper will discuss the latest ransomware trends as w
#606 Widespread JBoss backdoors a major threat
Recently a large scale ransomware campaign delivering Samsam changed the threat landscape for ransomware delivery. Targeting vulnerabilities in servers to spread ransomware is a new dimension to an already prolific threat. Due to information provided from our Cisco IR Services Team, stemming from a recent customer engagement, we began looking deeper into the JBoss vectors that were used as the initial point of compromise. Initially, we started scanning the internet for vulnerable machines. This led us to approximately 3.2 million at-risk machines.
#605 FinFisher's account of how he broke into Hacking Team servers
Almost a year after carrying out his attacks, the hacker behind the Hacking Team data breach has published a step-by-step explainer on how he breached the company's servers and stole all their data.
#604 Hybrid GozNym malware targets customers of 24 financial institutions
A group of cybercriminals have combined two powerful malware programs to create a new online banking Trojan that has already stolen millions of dollars from customers of 24 U.S. and Canadian banks.

The new threat has been dubbed GozNym by researchers from IBM X-Force because it combines the stealthy Nymaim malware and the Gozi banking Trojan.

The new computer Trojan targets 22 websites that belong to banks, credit unions and e-commerce platforms based in the U.S., and two that belong to financial institutions from Canada. Business banking services appear to be a top target for GozNym's creators, according to the IBM researchers.
#603 New full duplex radio chip transmits and receives wireless signals at once
A new wireless chip can perform a feat that could prove quite useful for the next generation of wireless technology: transmitting and receiving signals on the same frequency, at the same time, with the help of a single antenna. This approach instantly doubles the data capacity of existing technology, though it is not yet capable of the power levels necessary to operate on traditional mobile networks.

Last year, Harish Krishnaswamy, an electrical engineer at Columbia University demonstrated the ability to transmit and receive signals on the same frequency using two antennas in a full duplex radio that he built. Now, Negar Reiskarimian, a PhD student under Krishnaswamy, has embedded this technology on a chip that could eventually be used in smartphones and tablets. This time, the transmitter and receiver share a single antenna.
#602 MIT's new bug finder uncovers flaws in Web apps in 64 seconds
Finding bugs in Web applications is an ongoing challenge, but a new tool from MIT exploits some of the idiosyncrasies in the Ruby on Rails programming framework to quickly uncover new ones.

In tests on 50 popular Web applications written using Ruby on Rails, the system found 23 previously undiagnosed security flaws, and it took no more than 64 seconds to analyze any given program.

Ruby on Rails is distinguished from other frameworks because it defines even its most basic operations in libraries. MIT's researchers took advantage of that fact by rewriting those libraries so that the operations defined in them describe their own behavior in a logical language.
#601 CISCO: Out-of-date apps put 3 million servers at risk of crypto ransomware infections
More than 3 million Internet-accessible servers are at risk of being infected with crypto ransomware because they're running vulnerable software, including out-of-date versions of Red Hat's JBoss application server, researchers from Cisco Systems said Friday.

About 2,100 of those servers have already been compromised by webshells that give attackers persistent control over the machines, making it possible for them to be infected at any time, the Cisco researchers reported in a blog post. The compromised servers are connected to about 1,600 different IP addresses belonging to schools, governments, aviation companies, and other types of organizations.
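As an added example (not Cisco's tooling, and not code taken from the campaign), here is a heuristic sweep a responder could run over a JBoss server's deploy tree to find webshell-like JSPs of the kind the article describes. The indicator patterns, the directory names and the two sample JSPs are constructed for the demo.

```python
"""Heuristic sweep of a JBoss deploy tree for webshell-like JSPs.

The indicators are generic shapes (request data reaching Runtime.exec,
file writes fed by request data, dynamic class loading), not a signature
set from any real incident.
"""
import os
import re
import tempfile

# Assumed heuristics for the demo, not a vendor signature set.
INDICATORS = {
    "os_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\b|new\s+ProcessBuilder\b"),
    "request_input": re.compile(r"request\s*\.\s*(getParameter|getInputStream|getHeader)\s*\("),
    "file_write": re.compile(r"new\s+FileOutputStream\s*\("),
    "class_loader": re.compile(r"\bdefineClass\s*\(|\bURLClassLoader\b"),
}


def scan_jsp_text(text):
    """Return the sorted indicator names matching this JSP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def is_suspicious(hits):
    """Command execution or dynamic class loading in a JSP is suspicious on its
    own; a file write is flagged only when request data is also read, which is
    the upload-dropper shape. Reading request parameters alone is normal."""
    h = set(hits)
    return "os_exec" in h or "class_loader" in h or {"file_write", "request_input"} <= h


def scan_deploy_dir(root):
    """Walk root and return {relative_path: [indicators]} for suspicious JSPs.
    Exploded .war directories and loose .jsp files are covered; packed .war
    archives are skipped here (expand them first)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_jsp_text(fh.read())
            if is_suspicious(hits):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples for the demo (not files from any real server).
BENIGN_JSP = """<%@ page language="java" %>
<% String user = request.getParameter("name"); %>
<html><body>Hello, <%= user == null ? "guest" : user %></body></html>
"""

SHELL_JSP = """<%@ page import="java.io.*" %>
<%
  String cmd = request.getParameter("cmd");
  if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) out.println(line);
  }
%>
"""


def build_sample_deploy():
    """Create a throwaway deploy tree: one legitimate app, one dropped shell."""
    root = tempfile.mkdtemp(prefix="jboss-deploy-")
    os.makedirs(os.path.join(root, "app.war"))
    os.makedirs(os.path.join(root, "x.war"))
    with open(os.path.join(root, "app.war", "index.jsp"), "w") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(root, "x.war", "s.jsp"), "w") as fh:
        fh.write(SHELL_JSP)
    return root


if __name__ == "__main__":
    for path, hits in scan_deploy_dir(build_sample_deploy()).items():
        print(f"{path}: {', '.join(hits)}")
```

The check keys on what a JSP does rather than on its file name, since an attacker picks the name; a hit is a lead for manual review, not a verdict, and a persistent webshell should also prompt a look at the deploy timestamps and the JBoss access logs around them.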
#600 VMware patches critical session-handling vulnerability
VMware fixed a critical vulnerability in one of its products this week that if exploited by an attacker, could’ve led to a man-in-the-middle attack. According to an advisory, the problem existed in VMware’s Client Integration plugin, a collection of tools present in a handful of other products the company ships, including some versions of its vCenter Server, vCloud Director, and vRealize Automation Identity Appliance.
#599 Microsoft's OneDrive short URLs pointed attackers right at your private files
Researchers have found that shortened URLs from cloud services can also be abused by attackers to locate private resources, such as files or even driving directions to medical appointments.

Researchers from Cornell Tech university have published a paper demonstrating serious privacy risks from using short URLs in cloud services such as Microsoft's OneDrive and Google Maps.
#598 Adobe patches Creative Cloud desktop in new security update
Adobe has released a set of new patches for the Creative Cloud Desktop application and RoboHelp Server 9 following last week's critical update of Adobe Flash Player.

The latest security advisory includes the resolution of a vulnerability in the JavaScript API for Adobe Creative Cloud Libraries. The flaw, assigned CVE-2016-1034, allows attackers to remotely read and write files on a client's file system through sync features, potentially leading to malware downloads and hijacking.
#597 ‘Blackhole’ Exploit Kit author gets 7 years
A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts — including “Paunch,” the nickname used by the author of the infamous “Blackhole” exploit kit. Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for a large percentage of malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years.

According to Russia’s ITAR-TASS news network, Dmitry “Paunch” Fedotov was sentenced on April 12 to seven years in a Russian penal colony. In October 2013, the then 27-year-old Fedotov was arrested along with an entire team of other cybercriminals who worked to sell, develop and profit from Blackhole.
#596 Online banking and plastic card-related fraud in India increases 35 percent
The incidence of ATM, credit card, debit card and net banking-related fraud has gone up by more than 35 percent between 2012-13 and 2015-16 in India, according to the country's central bank, the Reserve Bank of India (RBI).

According to RBI data, 8,765 cases were reported by banks in 2012-13 and the corresponding figures for subsequent three years were 9,500 (2013-14), 13,083 (2014-15) and 11,997 (in the first nine months of 2015-16) respectively. India ranked third after Japan and the US as countries most affected by online banking malware in 2014.
#595 Australia: Cybercriminals now target payroll, invoicing, and superannuation systems
Cybercriminals targeting Australia are shifting their focus to second-tier targets such as payroll systems, invoicing systems, and superannuation brokers, according to federal agent Scott Mellis, team leader of cybercrime operations with the Australian Federal Police (AFP) in Melbourne.

"I blame the banks for all this. They've done a really good job of securing their retail banking platforms, God bless 'em," Mellis told the Australian Cyber Security Centre (ACSC) Conference in Canberra on Wednesday.
#594 Urgent Call to Action: Uninstall QuickTime for Windows Today
First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.

Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows. These advisories are being released in accordance with the Zero Day Initiative’s Disclosure Policy for when a vendor does not issue a security patch for a disclosed vulnerability. And because Apple is no longer providing security updates for QuickTime on Windows, these vulnerabilities are never going to be patched.
#593 0-day exploits more than double as attackers prevail in security arms race
The number of attacks that exploited previously unknown software vulnerabilities more than doubled in 2015 as hackers raced against security defenders to find effective ways to infect end users with malware, according to a recently released report.

The number of "zero-day" exploits—a term that was coined because affected software developers have zero days to release a patch that keeps users protected—reached an unprecedented 54, according to researchers at security firm Symantec. That number compared with 24 in 2014, 23 in 2013, and 14 in 2012. The increase was partly caused by the breach of Italy-based zero day broker Hacking Team, which spilled six closely guarded zero days into the public domain. It also came as Adobe and other developers significantly reduced the time it took to release patches that plugged zero-day holes.
#592 Underwriters Labs refuses to share new IoT cybersecurity standard
UL, the 122-year-old safety standards organisation whose various marks (UL, ENEC, etc.) certify minimum safety standards in fields as diverse as electrical wiring, cleaning products, and even dietary supplements, is now tackling the cybersecurity of Internet of Things (IoT) devices with its new UL 2900 certification. But there's a problem: UL's refusal to freely share the text of the new standard with security researchers leaves some experts wondering if UL knows what they're doing.
#591 Broken IBM Java patch prompts another disclosure
For the second time in two weeks, researchers have discovered a three-year-old broken patch for a vulnerability in IBM’s Java SDK implementation. The flaw allows for an attacker to execute code outside the Java sandbox, and still affects current versions of IBM SDK, 7 and 8, released in January.

Details of the vulnerability and proof-of-concept code were disclosed by Polish consultancy Security Explorations. The organization announced, on March 7, a change in internal policy whereby the company will disclose bugs if the vendor’s patch is broken or incomplete.
#590 Qbot malware morphs quickly to evade detection
The Qbot malware is back and hard at work again with infections reported on 54,517 machines, according to researchers at BAE Systems—with 85 percent of those impacted systems residing in the United States. Qbot’s latest incarnation has learned new tricks since its early days in 2009, and is riling security professionals with its ability to evade detection. So far, BAE Systems reports, the criminals behind this latest Qbot wave have repurposed the original Qbot source code and tweaked it in such a way that the most recent version can slip through most security systems.
#589 Cisco report: Cybersecurity to help businesses deliver digital growth strategies
Cybersecurity to businesses is no longer just about reducing risk, but is now being considered at a board level as part of the business strategy, according to new research by Cisco.

The Cybersecurity as a Growth Advantage report shows that 64 percent of executives recognise that cybersecurity is fundamental to their digital growth strategy, with nearly one third believing the primary purpose of cybersecurity is to be a growth enabler, while another 44 percent of executives believe cybersecurity is a competitive advantage.
#588 Let's Encrypt free security certificate program leaves beta
Let's Encrypt has announced that the free secure certificate program is leaving beta in its push to encrypt 100 percent of the web.

The certificate authority (CA) announced on Tuesday that the Let's Encrypt program has left the beta stage of testing after four months, having issued over 1.5 million HTTPS certificates to approximately three million websites worldwide.

In a blog post, Let's Encrypt said the project is pushing "much closer" to the overall target of providing free security certificates to every webmaster online.
#587 The future of Firefox is … Chrome
Senior VP Mark Mayo caused a storm by revealing that the Firefox team is working on a next-generation browser that will run on the same technology as Google's Chrome browser.

"Let's jump right in and say yes, the rumors are true, we're working on browser prototypes that look and feel almost nothing like the current Firefox," Mayo wrote in a blog post.

"The premise for these experiments couldn't be simpler: what we need a browser to do for us – both on PCs and mobile devices – has changed a lot since Firefox 1.0, and we're long overdue for some fresh approaches."

The biggest surprise, however, was that the project, named Tofino, will not use Firefox's core technology – Gecko – but will instead plumb for Electron, which is built on the technology behind Google's rival Chrome browser, called Chromium.
#586 Jigsaw ransomware decrypted: Will delete your files until you pay the Ransom
A new ransomware has been released that not only encrypts your files, but also deletes them if you take too long to make the ransom payment of $150 USD. The Jigsaw Ransomware, named after the iconic character that appears in the ransom note, will delete files every hour and each time the infection starts until you pay the ransom. At this time it is unknown how this ransomware is distributed.
#585 Microsoft Security Bulletin Summary for April 2016
This month the vendor is releasing 13 bulletins, six of which are rated Critical.
#584 BAE Systems warns about shape-shifting strain of Qbot malware
The incident response team at BAE Systems is warning of a strain of the virulent Qbot malware that has hit thousands of public sector computers around the world.

The malware – also known as the Qakbot botnet – first appeared in 2009 and was uploading 2GB of stolen confidential information to its FTP servers each week by April 2010 from private and public sector computers, including 1,100 on the NHS network in the UK.
#583 ZeuS banking trojan resurfaces as Atmos variant
Old nemeses die hard, especially when you’re banking malware named ZeuS. According to Denmark-based Heimdal Security, the potent 9-year-old malware ZeuS has morphed into the up-and-coming Atmos malware – now targeting banks in France. Researchers are warning that the criminals behind Atmos have been putting the finishing touches on this latest malware threat – perfecting how, where and what it will target. For now, Heimdal Security said, it’s focused on banks, but tomorrow the sky is the limit.
#582 New Adobe Flash Player exploit used by Magnitude and Nuclear exploit kits
Last week, Adobe released an emergency patch to address a critical zero-day vulnerability (CVE-2016-1019) in Flash Player. The type confusion vulnerability is currently being actively exploited in the wild. Symantec has observed that exploit kits (EKs), including but not limited to Magnitude and Nuclear, have already started exploiting the vulnerability.
#581 New threat can auto-brick Apple devices
On Feb. 11, 2016, researcher Zach Straley posted a YouTube video exposing his startling and bizarrely simple discovery: manually setting the date of your iPhone or iPad all the way back to January 1, 1970 will permanently brick the device (don’t try this at home, or against frenemies!). Not long after Straley’s video began pulling in millions of views, security researchers Patrick Kelley and Matt Harrigan wondered: could they automate the exploitation of this oddly severe and destructive date bug? The researchers discovered that indeed they could, armed with only $120 of electronics (not counting the cost of the bricked iDevices), a basic understanding of networking, and a familiarity with the way Apple devices connect to wireless networks.
#580 Real Future: What happens when you dare expert hackers to hack you
Last year, after reporting on the hacks of Sony Pictures, JPMorgan Chase, Ashley Madison, and other major companies, REAL FUTURE's Kevin Roose got curious about what it felt like to be on the victim’s side of a giant data breach.
#579 Meet the Cryptoworm, the future of ransomware
Ransomware is evolving and soon will share the same deadly efficiencies as notorious worms of the past, such as Conficker and SQL Slammer. In fact, according to security researchers at Cisco Talos, today’s newest ransomware, SamSam, is a harbinger of a new wave of more malicious, tenacious and costly ransomware to come. “Ransomware authors are always looking for bigger payouts and to further their reach,” said Joe Marshall, security research manager with Cisco Talos. “We believe ransomware authors are going to look to past successful campaigns when they look to cast a wider net in the future.”
#578 Microsoft's 'blue screen of death' is getting more descriptive with QR codes
The Windows Blue Screen of Death isn't known for being particularly descriptive, but Microsoft may be looking to change that in a future version of Windows 10.

A Reddit user posted a picture last week that shows a new version of the dreaded blue screen, one with a QR code and a link where users can get more information about the error that caused their computer to crash.
#577 Mobile devices used to execute DNS malware against home routers
Attacks against home routers have been going around for years—from malware that rigs routers to DNS rebinding attacks and backdoors, among others. Just last year one of our researchers reported a Domain Name System (DNS) changer malware that redirected users to malicious pages when they visited specific websites. This enabled cyber crooks to get hold of the victims’ online credentials, such as passwords and PINs.
#576 Google developers create API for direct USB access via web pages
Two Google developers, Reilly Grant and Ken Rockot, have uploaded an unofficial (for now) draft to the World Wide Web Consortium's Web Incubator Community Group (W3C WICG) that describes a method of interconnecting USB-capable devices to Web pages.

The WebUSB API draft, published on March 21, describes an API (Application Programming Interface) that will provide a safe way to expose USB-capable devices to Web services.

This API doesn't address USB thumb drives as some of you might think, but all devices that connect to PCs through USB ports, and can vary from USB keyboards to complex Internet of Things (IoT) equipment.
#575 Surveillance cameras sold on Amazon infected with malware
Security researcher Mike Olsen has warned that some products sold through the Amazon marketplace are harbouring a dark secret -- malware.

Olsen said in a blog post that while scouring Amazon for a decent set of outdoor surveillance cameras for a friend, he came across a deal for 6 PoE cameras and recording equipment.

The seller, Urban Security Group, had generally good reviews and was offering a particular Sony setup on sale.
#574 More big-name sites hit by rash of malicious ads that attack end users
Some of the Netherlands' most popular websites have fallen victim to a malvertising campaign that managed to compromise a widely used ad platform, security researchers reported on Monday.

The malicious ads were served over at least 11 sites, including the Netherlands' equivalent of eBay, the country's seventh most visited website, according to a blog post published by security firm Fox-IT. Other affected sites included a news site (ranked No. 14), a weather site (54) and another ranked 67th. Other widely visited sites were operated by commercial TV stations and magazines.
#573 Sweden military servers hacked, used in 2013 attack on US banks
The attack knocked out the web pages of as many as 20 major US banks and financial institutions, sometimes for several days.

Speaking to AFP, military spokesman Mikael Abramsson said that a server in the Swedish defense system had a flaw which was exploited by hackers to carry out the attacks, confirming a report in the Swedish daily DN.
#572 Petya ransomware encryption system cracked
An unidentified programmer has produced a tool that exploits shortfalls in the way the malware encrypts a file that allows Windows to start up.

In notes put on code-sharing site Github, he said he had produced the key generator to help his father-in-law unlock his Petya-encrypted computer.

The malware, which started circulating in large numbers in March, demands a ransom of 0.9 bitcoins (£265).

It hid itself in documents attached to emails purporting to come from people looking for work.
#571 Syrian government hacked, 43 GB of data spilled online by hacktivists
Analysts from Risk Based Security (RBS) examined the data dump, which they say contained 38,768 folders with 274,477 files from 55 different website domains, belonging to both national agencies and private companies. The data contained database dumps, and even server passwords.
#570 Academics claim Google Android two-factor authentication is breakable
If attackers have control over the browser on the PC of a user using Google services (like Gmail, Google+, etc.), they can push any app with any permission on any of the user's Android devices, and activate it - allowing one to bypass 2-factor authentication via the phone. Moreover, the installation can be stealthy (without any icon appearing on the screen). For short, we refer to the vulnerability as the BAndroid (Browser-to-Android) vulnerability and to attacks that abuse it as BAndroid attacks.
#569 A look into Adobe Flash player CVE-2016-1019 0-day attack
CVE-2016-1019 affects all versions of Adobe Flash Player but is currently only exploitable on versions and earlier. It is a type confusion vulnerability in the type-checking mechanism of the ActionScript 2 FileReference class.
#568 Mumblehard takedown ends army of Linux servers from spamming
One year after the release of the technical analysis of the Mumblehard Linux botnet, we are pleased to report that it is no longer active. ESET, in cooperation with the Cyber Police of Ukraine and CyS Centrum LLC, have taken down the Mumblehard botnet, stopping all its spamming activities since February 29th, 2016.
#567 Big data's biggest problem: It's too hard to get the data in
While big data has been turned into more of a marketing term than a technology, it still has enormous untapped potential. But, one big issue has to get solved first.
#566 Sophisticated bribe scheme helped crooks whitelist malware on Chinese antivirus
Malware operators utilized this particular attack scenario in China, where they bribed the employees of an authorized gaming company in order to embed samples of their malware in the source code of one of their many mobile apps.
#565 Researchers help shut down spam botnet that enslaved 4,000 Linux machines
Known as Mumblehard, the botnet was the product of highly skilled developers. It used a custom "packer" to conceal the Perl-based source code that made it run, a backdoor that gave attackers persistent access, and a mail daemon that was able to send large volumes of spam. Command servers that coordinated the compromised machines' operations could also send messages to Spamhaus requesting the delisting of any Mumblehard-based IP addresses that sneaked into the real-time composite blocking list, or CBL, maintained by the anti-spam service.
#564 Every voter in Philippines exposed in mega hack
The database of the Philippine Commission on Elections (COMELEC) has been breached and the personal information of 55 million voters potentially exposed in what could rank as the worst ever government data breach anywhere.
#563 Over 135 million modems and routers vulnerable to denial-of-service flaw
The problem lies with how a widely-used modem, the Arris Surfboard SB6141, handles authentication and cross-site requests.

Arris (formerly Motorola) has sold more than 135 million Surfboard SB6141 modems, but an Arris spokesperson said that figure was "not an accurate representation" of the units impacted and that only a "subset" of Surfboard devices were affected.

Millions of Comcast, Time Warner Cable, and Charter customers (and more) were shipped one of these modems when they first subscribed.
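The class of bug behind the report is a state-changing request that a device honours without tying it to an authenticated, same-origin session. The following is an added, generic illustration of that pattern beside a hardened handler; it is not code from the SB6141 firmware, and the endpoint, the origin http://device.lan, the secret and the session id are assumptions made for the demo.

```python
"""A state-changing device endpoint: the CSRF-prone check beside a hardened one."""
import hashlib
import hmac
from urllib.parse import urlsplit


def weak_is_allowed(method, headers, params):
    """Anti-pattern: honour any request that names the action. A page on any
    origin can then fire it with <img src="http://device.lan/reset?confirm=1">
    while the victim sits on the same LAN; no credential is ever checked.
    Shown only for contrast."""
    return params.get("confirm") == "1"


def make_csrf_token(session_id, secret):
    """Token bound to the authenticated session via HMAC; a third-party page
    that never saw the session cookie cannot compute it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_origin(headers):
    """Origin header if present, else scheme://host[:port] of the Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if not referer:
        return None
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}"


def hardened_is_allowed(method, headers, params, session_id, secret, allowed_origins):
    """Accept the action only if every check passes:
      1. an authenticated session exists,
      2. the method is POST (GETs from <img>/<a>/redirects never change state),
      3. Origin (or Referer) names one of our own origins,
      4. the request carries the token bound to this session (constant-time compare).
    """
    if not session_id:
        return False
    if method.upper() != "POST":
        return False
    if request_origin(headers) not in allowed_origins:
        return False
    expected = make_csrf_token(session_id, secret)
    return hmac.compare_digest(expected, params.get("csrf_token", ""))


# Constructed demo values (assumptions, not taken from any product).
SECRET = b"per-device-random-secret"
ALLOWED = {"http://device.lan"}
SESSION = "a3f9c2"

if __name__ == "__main__":
    cross_site = {"Origin": "http://evil.example"}
    same_origin = {"Origin": "http://device.lan"}
    good = {"confirm": "1", "csrf_token": make_csrf_token(SESSION, SECRET)}
    print("weak, cross-site GET:", weak_is_allowed("GET", cross_site, {"confirm": "1"}))
    print("hardened, cross-site GET:", hardened_is_allowed("GET", cross_site, {"confirm": "1"}, SESSION, SECRET, ALLOWED))
    print("hardened, same-origin POST + token:", hardened_is_allowed("POST", same_origin, good, SESSION, SECRET, ALLOWED))
```

The token check alone would already defeat a blind cross-site request; the method and origin checks are kept because embedded web UIs often have no session at all, and rejecting GETs and foreign origins costs nothing even when a token is also present.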
#562 Symantec: Latest intelligence for march 2016
The Latest Intelligence for March 2016 reveals that the average number of mobile malware variants has reached 50 per family.
#561 HTTPS everywhere: encryption for all sites
On Friday, WordPress announced that it is bringing free HTTPS to all -- "million-plus" -- custom domains, essentially ramping up security on every blog and website. The publishing platform says it partnered with Let's Encrypt project to implement HTTPS across such a voluminous number of sites.
#560 OK, panic - newly evolved ransomware is bad news for everyone
This week's ransomware attack at Maryland's MedStar Health hospital network is a prime example. For more than a week, 10 hospitals operated without access to their central networks, because the Windows servers controlling MedStar's domains were locked down by the ransomware variant known as Samsam. Security firms report that there have been many other incidents with Samsam over the past few months. Some attacks have encrypted the contents of hundreds of servers and desktops.
#559 50 million Turkish citizens could be exposed in massive data breach
Nearly 50 million Turkish citizens, more than half of the country’s population, may have had their personal details exposed in a massive new data breach revealed this week.

As reported by The Telegraph, a compressed file has been posted online by an unnamed group appearing to contain information including names, addresses, parents’ first names, cities of birth, birth dates, and national identifier numbers used by the Turkish government.

The authenticity of the leak was partially verified by the Associated Press, which ran 10 non-public Turkish ID numbers against names listed in the data dump, eight of which were an exact match.
#558 FBI: $2.3 billion lost to CEO email scams
The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.
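As an added example (not the FBI's detection logic or any product's), here are the three header checks that catch most CEO-fraud mail before a human reads it: an executive's display name on an address outside the organisation, a look-alike sender domain, and a Reply-To that silently redirects answers elsewhere. The organisation domain, the executive list and the two sample messages are constructed for the demo.

```python
"""Header checks for 'CEO fraud' (business e-mail compromise) mail."""
import email
from email.utils import parseaddr


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_message(raw, org_domain, executives):
    """Return the reasons this message looks like executive impersonation.

    executives: iterable of lower-case display names worth impersonating.
    """
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reasons = []

    # 1. An executive's display name, but the address is not on our domain.
    if any(exe in from_name.lower() for exe in executives) and from_domain != org_domain:
        reasons.append("executive display name from external domain")

    # 2. Sender domain is a near miss of ours (e.g. one substituted character).
    if from_domain != org_domain and 0 < edit_distance(from_domain, org_domain) <= 2:
        reasons.append(f"look-alike domain {from_domain}")

    # 3. Replies are redirected to a different domain than the visible sender.
    _name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from From")

    return reasons


# Constructed sample messages (not real traffic).
BEC_MAIL = """From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
Reply-To: ceo.office@mail-drop.example
To: ap@example-corp.com
Subject: Urgent wire before close of business

Please process the attached transfer today. I am in meetings, email only.
"""

LEGIT_MAIL = """From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Q2 budget

Thanks for the numbers.
"""

ORG_DOMAIN = "example-corp.com"      # assumed organisation domain
EXECUTIVES = {"jane doe"}            # assumed list of impersonation targets

if __name__ == "__main__":
    for label, raw in (("bec", BEC_MAIL), ("legit", LEGIT_MAIL)):
        print(label, analyze_message(raw, ORG_DOMAIN, EXECUTIVES) or ["no findings"])
```

Each check is cheap and independent, so a gateway can quarantine on any one of them or score them; the display-name check is the one that matters most, because the spoofed name is what the recipient actually reads, while the address and Reply-To are what the attacker needs to receive the wire instructions.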
#557 Linux botnet attacks increase in scale
Hackers are using malware which targets Linux to build botnets that launch distributed denial of service (DDoS) attacks, security researchers have warned.

The so-called BillGates Trojan botnet family of malware - apparently so named by the virus writers because it targets machines running Linux, not Windows - has been labelled with a "high" risk factor in a threat advisory issued by Akamai's Security Intelligence Research Team.
#556 FBI quietly admits to multi-year APT attack, sensitive data stolen
The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack.
#555 Mac adware OSX.Pirrit unleashes ad overload, for now
Researchers discovered a Mac OS X variant of the Windows-based Pirrit adware that creates a proxy server on infected Mac computers and injects ads into webpages. According to researchers at Boston-based Cybereason Labs, the adware, dubbed OSX.Pirrit, is mostly benign, serving up just ads, but has the potential to morph into something more sinister.
#554 Edge to follow Chrome’s lead, make Flash ads click-to-play
Google announced an equivalent change to Chrome last year. Since September 2015, Chrome too has tried to pause non-essential Flash content. Google's argument was that this behavior would be much better for battery life and that stopping ads from playing would make the browser less of a power hog. Microsoft also suggests that battery life will improve, but the company is positioning the change as more of a standards-compliance issue. Microsoft says that there are now many standardized alternatives to Flash and that developers should continue to adopt these technologies and phase out their use of Adobe's proprietary platform.
#553 Latest Flash 0-day being used to push ransomware
Exploits for a zero-day vulnerability in Adobe Flash Player are being aggressively distributed in two exploit kits. The zero day, meanwhile, was patched by Adobe in an emergency update released Thursday night. Attackers are using the previously unpatched flaw in the maligned Flash Player to infect victims with either Locky or Cerber ransomware. Locky is a relatively new crypto-ransomware strain, spread primarily via spam with attachments enticing users to enable macros in Word documents that download the malware onto machines. Cerber is also crypto-ransomware that includes a feature where the infected machine will speak to the victim.
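The Locky delivery path described above, a Word attachment whose macro the user is coaxed into enabling, is something a mail gateway can check before delivery. This added example (not from the article or any vendor) decides from an attachment's bytes, not its extension, whether an Office file carries a VBA project; the packages it builds are minimal constructed stand-ins for the OOXML format, not real documents.

```python
"""Content-based triage of Office attachments for embedded VBA macros."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data):
    """Return one of:
      'macro'       OOXML package with a VBA project inside
      'no-macro'    OOXML package without one
      'legacy-ole'  binary .doc/.xls/.ppt; needs an OLE parser (e.g. oletools) to inspect
      'not-office'  anything else
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"
            # A vbaProject.bin part (word/, xl/, ppt/) or its content-type
            # override is the macro marker. The file name the attachment
            # arrived under is ignored, so a .docm renamed to .docx is caught.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def build_package(with_macro):
    """Constructed, minimal OOXML-like zip for the demo (not a real document)."""
    types = b'<?xml version="1.0"?><Types><Default Extension="xml" ContentType="application/xml"/>'
    if with_macro:
        types += b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    types += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_package(True),
        "report.docx": build_package(False),
        "renamed.docx": build_package(True),      # macro package under a harmless-looking name
        "old.doc": OLE_MAGIC + b"\x00" * 24,
        "notes.txt": b"just text",
    }
    for name, data in samples.items():
        print(f"{name}: {classify_attachment(data)}")
```

Legacy binary documents are deliberately routed to a separate bucket rather than passed: their VBA lives in OLE streams this check does not parse, and treating them as clean would be exactly the gap a macro campaign exploits.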
#552 Locky: the encryptor taking the world by storm
In February 2016, the Internet was shaken by an epidemic caused by the new ransomware Trojan Locky (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Locky). The Trojan has been actively propagating up to the present day. Kaspersky Lab products have reported attempts to infect users with the Trojan in 114 countries around the world.
#551 Panic over! Apple fixes iPhone 6S lockscreen bug
The fix turned out to be surprisingly easy, and didn’t even require Apple to push out an iOS update. (Just as well, because the latest iOS update, 9.3.1, came out less than a week ago.)

It seems that all Apple had to do to patch against this flaw, or perhaps more accurately to work around it, was to reconfigure Siri not to process “open Twitter” commands from the lockscreen.
#550 How CERN fights hackers
Security is all about balance—keeping users and data safe has to sit alongside usability and efficiency. At CERN, the European Organization for Nuclear Research and home of the Large Hadron Collider (LHC), Stefan Lueders has the daunting task of coordinating the security of systems while maintaining an environment of academic freedom.
#549 Google reCAPTCHA cracked in new automated attack
A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook.

The researchers utilized a large number of factors in putting together their attack, leveraging tricks to bypass CAPTCHA security measures (cookies, tokens) and machine learning to "guess" the correct (image) CAPTCHA answer with a higher degree of accuracy than previous studies.
#548 WhatsApp encryption a good start, but far from a security cure-all
“End to end encryption is a good thing, but it’s really just the beginning of good security,” said Jonathan Zdziarski, a leading independent security researcher and forensics expert. “No question about it, this is good tech. But just like any tech it’s not perfect. The real question: Is WhatsApp’s owner Facebook going to be responsible with this technology? A lot of people view Facebook as the antithesis of privacy,” Zdziarski said.
#547 Vulnerable WordPress and Drupal may have contributed to the Panama Papers Breach
The firm ran its unencrypted emails through an outdated (2009) version of Microsoft’s Outlook Web Access. Outdated open source software running the frontend of the firm’s websites is also now suspected to have provided a vector for the compromise.
#546 Ubuntu patches kernel vulnerabilities
Several vulnerabilities in Ubuntu’s implementation of the Linux kernel, including a use-after-free vulnerability and a timing side-channel vulnerability, were patched today. An advisory issued by Ubuntu Wednesday morning urges users to patch if they’re running 14.04 LTS or any derivative builds.
#545 First Windows 10 preview with bash support is out now
The first Windows 10 Insider Preview build that includes support for native Linux bash on Windows is now out. This was some of the biggest news to come out of Build last week, as Microsoft works to make Windows even more attractive to developers.
#544 Crypto ransomware targets called by name in spear-phishing blast
For the past decade, spear phishing—the dark art of sending personalized e-mails designed to trick a specific person into divulging login credentials or clicking on malicious links—has largely been limited to espionage campaigns carried out by state-sponsored groups. That made sense. The resources it takes to research the names, addresses, and industries of large numbers of individuals was worth it when targeting a given organization that had blueprints or some other specific piece of data prized by the attacker. But why go through the trouble to spread crypto ransomware or banking trojans to the masses when a single scam e-mail could do the trick?
#543 Quanta LTE router beset by over 20 critical security flaws
Pierre Kim, an independent security researcher, came across these issues while testing devices installed with the latest firmware. According to his findings, Quanta 4G WiFi Router QDH, Quanta 4G WiFi Router UNE, Quanta 4G WiFi Router MOBILY (QDH-Mobily - CPE342X), and Quanta 4G WiFi Router Yoomee versions are affected.

Other Quanta CPE (Customer-Premises Equipment) variations that run the same vulnerable version may also be vulnerable. Based on the languages in which the help manuals are provided, the Quanta routers may be found in English, French, Chinese and Arabic-speaking countries.
#542 Phishing email that knows your address
A new type of phishing email that includes the recipient's home address has been received by thousands of people, the BBC has learned.
#541 Apple iPhone 6S, 6S Plus vulnerable to new lock screen bypass flaw
A security flaw in Apple's newest iPhones lets anyone bypass the phone's passcode and access personal information.

Anyone with physical access to an affected phone can access the user's contacts, photos, text and picture messages, emails, and phone settings, according to the disclosure.
#540 Nexus Security Bulletin—April 2016
The most severe of these issues is a Critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files.

Android Security Advisory 2016-03-18 previously discussed use of CVE-2015-1805 by a rooting application. CVE-2015-1805 is resolved in this update. There have been no reports of active customer exploitation or abuse of the other newly reported issues. Refer to the Mitigations section for further details on the Android security platform protections and service protections such as SafetyNet, which improve the security of the Android platform.
#539 Obtaining login tokens for an Outlook, Office or Azure account
This is pretty similar to Wes’s awesome OAuth CSRF in Live, except it’s in the main Microsoft authentication system rather than the OAuth approval prompt.
#538 Microsoft patches severe account hijacking security flaw
Microsoft has taken only 48 hours to patch a critical account authentication flaw which allowed attackers to use harvested login tokens.

According to British security researcher Jack Whitton, the vulnerability could be exploited through phishing websites designed to harvest login tokens to later compromise user accounts and data.
#537 Samsam may signal a new trend of targeted ransomware
Samsam, unlike more conventional ransomware, is not delivered through drive-by-downloads or emails. Instead, the attackers behind Samsam use tools such as Jexboss to identify unpatched servers running Red Hat’s JBoss enterprise products. Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom.
#536 NoScript and other popular Firefox add-ons open millions to new attack
The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.
#535 Emergency update coming for Flash vulnerability under attack
Adobe will release an emergency Flash Player update as soon as Thursday, patching a critical vulnerability that is being publicly attacked. Adobe said the vulnerability is in version and earlier for Windows, Mac OS X, Linux and Chrome OS.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory published late this afternoon.
#534 BREACH attacks revived to steal private messages from Gmail and Facebook
The research was shared late last week in Singapore at Black Hat Asia where Dimitris Karakostas of the National Technical University of Athens and Dionysis Zindros of the University of Athens debuted their attack framework called Rupture, and demonstrated how BREACH can be resurrected to steal private messages sent over Gmail and Facebook.
#533 WhatsApp enables end-to-end encryption for all forms of communications by default
"WhatsApp has always prioritized making your data and communication as secure as possible. And today, we're proud to announce that we've completed a technological development that makes WhatsApp a leader in protecting your private communication: full end-to-end encryption. From now on when you and your contacts use the latest version of the app, every call you make, and every message, photo, video, file, and voice message you send, is end-to-end encrypted by default, including group chats."
#532 Multiple critical vulnerabilities in Quanta routers won’t be patched
Researcher Pierre Kim found the flaws and reasons that they are due to incompetence or, at worst, what he calls “a deliberate act of security sabotage from the vendor.”
#531 US: Four tax scams to watch out for this tax season
Tax season is a ripe time for phishing and spreading malware; without fail, tax-related online scams remain one of the most popular types of phishing scam each and every year. Through our threat intelligence network, we have identified four types of tax scams that individuals and businesses should be wary of as they’re preparing to file their taxes in 2016.
#530 Firefox add-on flaw leaves Apple and Windows computers open to attack
In a report “CrossFire: An Analysis of Firefox Extension-Reuse Vulnerabilities” researchers claim 2,000 Firefox extensions – including nine of the top 10 extensions – are exploitable via “extension-reuse vulnerabilities.” Researchers tested the desktop version of the Firefox browser running on Mac OS X and Windows platforms finding them both vulnerable.
#529 WordPress, Joomla domains under attack through jQuery JavaScript library
Hackers are using the jQuery JavaScript library to inject malicious code into millions of WordPress and Joomla Web domains, researchers say.

According to cybersecurity firm Avast, fake jQuery injections have become a very popular attack of late. In a blog post, the team said a particular attack method which has surged in popularity over the past few months includes the use of a fake jQuery script injected into the head section of websites powered by the WordPress and Joomla content management systems, leading to a web of infection supported by compromised and malicious domains.
#528 ‘Surreptitious sharing’ Android API flaw leaks data, private keys
Researchers have identified a vulnerability in an Android API used by messaging apps such as Skype and, perhaps more concerning, by privacy-centric apps such as Signal and Telegram, that could lead to privilege escalation and data loss, including the leak of private keys.
#527 Cisco ‘high severity’ flaw lets malware bypass FirePower firewall
Technology vendor Cisco is pushing out security updates to customers to address a critical vulnerability found in its recently introduced line of FirePower firewall products. The vulnerability, according to Cisco, allows attackers to slip malware onto critical systems without detection. The flaw also impacts Snort, an open source network-based intrusion detection system also owned by Cisco.
#526 Google patches old Android flaw exploited by rooting application
The public exploit—a rooting application—was privately disclosed to Google on March 15 by Zimperium researchers, less than a month after CORE Team researchers reported that CVE-2015-1805, which was patched in 2014 in the Linux kernel, also affects Android devices.
#525 US and Canada issue ransomware advisory
Ransomware clearly has people on many fronts worried, so much so that the United States and Canada took an unprecedented step last week to issue a joint advisory on the threat posed by crypto-ransomware.
#524 Executive's guide to integrating the hybrid cloud (free ebook)
Considerable controversy surrounds the viability and value of the hybrid cloud. The latest ebook from ZDNet and TechRepublic analyzes the business advantages and potential shortcomings of an integrated cloud strategy.
#523 FreeBSD 10.3 arrives, adds Skylake support and improves UEFI boot loader
The update, released on Monday, is available for amd64, i386, ia64, powerpc, powerpc64, sparc64, and armv6 architectures. The stable version follows three release candidates published through March and updates version 10.2 released in August.
#522 Security gaps found in massive Visa database
Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter, though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
#521 Mozilla co-founder's ad-blocking Brave browser will pay you bitcoin to see safe ads
Brave, a new privacy- and speed-focused web browser helmed by Mozilla co-founder Brendan Eich, has a plan to get you to unblock ads.

First announced in January, Brave is a web browser for Windows, Mac, Linux, iOS, and Android that has ad blocking built in. But instead of eliminating ads entirely, Brave wants to replace them with speedier, non-intrusive ads from its own network. Users who agree to see these ads will then get paid in bitcoin.
#520 Hacker reveals $40 attack that steals police drones from 2km away
Black Hat Asia IBM security guy Nils Rodday says thieves can hijack expensive professional drones used widely across the law enforcement, emergency, and private sectors thanks to absent encryption in on-board chips. Rodday says the $28,000 quadcopters can be hijacked with less than $40 of hardware, and some basic knowledge of radio communications.
#519 FBI mum on how exactly it hacked Tor
According to a court filing earlier this week, the FBI is refusing to comply with a judge’s request to answer just how it was able to compromise Tor and in turn, trigger a wave of child pornography investigations last year.
#518 New ransomware KimcilWare targets Magento websites
New ransomware called KimcilWare is targeting websites running the Magento ecommerce platform, used by the likes of Vizio, Olympus and Nike. According to security experts from the MalwareHunterTeam, hackers exploit vulnerabilities in the Magento ecommerce platform and install the KimcilWare ransomware on the webserver. Once installed, the attackers use the Rijndael block cipher to encrypt website files and demand a Bitcoin payment ranging from $140 USD to $415 USD for decryption.
#517 Maktub ransomware creators want your money fast
The Maktub Locker infection comes in the usual way: A spam mail from some company with an executable file (.exe) disguised as a text/pdf document. This file will open an “Updating our privacy policies and terms of service” text file that we will read because everyone reads them all the time, don’t we? But while we are doing that, the original file will start encrypting our files just as the other cryptolockers do.
#516 PayPal vulnerability allowed attackers to send fraudulent emails
Disclosed on Vulnerability Lab this week, researcher Kunz Mejri revealed the existence of an application-side mail encoding web vulnerability and filter bypass issue in the official PayPal online Web application.
#515 PHP, Python and Google Go fail to detect revoked TLS certificates
A simple experiment carried out by Web security vendor Sucuri highlights that, four years after the release of a groundbreaking study on the state of SSL/TLS certificates in non-browser applications, some programming languages fail to provide developers with the appropriate tools to validate certificates.