Security Alerts & News
by Tymoteusz A. Góral

#852 Microsoft removes 260-character path length limit in Windows 10 Redstone
Windows 10 build 14352, a preview version of the upcoming Anniversary Update (also known as Redstone), comes with an eagerly awaited change that Microsoft hasn’t yet announced publicly.

The 260-character path length limit in Windows can be removed with the help of a new policy, thus allowing you to run operations with files regardless of their path or file name. While this new rule is not enabled by default, admins can turn it on by following these instructions.

Launch the Registry Editor by clicking the Start menu and typing “regedit.exe,” and then navigate to the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects\{48981759-12F2-42A6-A048-028B3973495F}Machine\System\CurrentControlSet\Policies

Look for an entry called “LongPathsEnabled,” and if it does not exist, simply right-click Policies, select New DWORD (32-bit), name it “LongPathsEnabled” (without the quotes), enter value 1, and you’re good to go.
#851 Alert: Microsoft warns of ZCryptor ransomware with self-propagation features
Microsoft has released an alert today warning about a new ransomware variant called ZCryptor, which comes with the ability to self-propagate via removable and network drives.

A security researcher named Jack, behind the MalwareForMe blog, first discovered and wrote about this threat on May 24. Three days later, Microsoft's security team also took note of the new wave of infections.

“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior,” Microsoft's Malware Protection Center alert reads. “This ransom leverages removable and network drives to propagate itself and affect more users.”
#850 Homeland Security warns thousands of industrial energy systems can be remotely hacked
Homeland Security has said that an internet-connected industrial monitoring device -- typically used in US industrial power plants and energy facilities -- is vulnerable to a string of serious security vulnerabilities.

The US government department's Computer Emergency Readiness Team (CERT) posted an advisory, saying that the ESC 8832 data controller, which allows a plant worker to see exactly how an industrial unit is working at a glance, could be trivially exploited by a "low skilled" attacker.

"The device supports different accounts with distribution of system privileges. An attacker can gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter," said the advisory.
#849 Small users in a big network
Children use the Internet for schoolwork, socializing, watching films and cartoons, playing games and much more. But, as we all know, browsing the web can be an unsafe business. In order to control their children’s online activity many parents use specialized software – so-called parental control.

This software is usually capable of controlling the amount of time a child spends online or using the computer, which apps can be launched and what personal data can be disclosed. One of the most important features of a parental control product, however, is the ability to restrict access to web resources containing undesirable content.

This article examines the statistics of visits by children to websites with specific categories of content. For this we will use Kaspersky Security Network (KSN) statistics based on notifications by the Parental Control module in Kaspersky Lab products. These statistics will allow us to estimate which categories of undesirable websites children visit most often.
#848 Altair co-founder: Affordable LTE chips to make IoT real by 2018
The move toward an Internet of Things (IoT) world is already happening and it will be simplified, streamlined, and most importantly, cost-effective by the year 2018 thanks to the lowered cost of LTE chipsets and bandwidths, says Altair Semiconductor co-founder Eran Eshed.
#847 Bangladesh Bank officials perhaps played a part in $81m heist
Officials of Bangladesh Bank may have been involved in the calculated theft of $81 million from its account with the New York Federal Reserve Bank, the head of a government-appointed panel investigating the cyber heist has told reporters.

After learning how the organisation worked, the group of cyber attackers broke into the computer systems of the Bangladesh central bank in February and issued instructions through the SWIFT network to transfer $951 million of its deposits held at the New York Federal Reserve Bank to accounts in the Philippines and Sri Lanka.

The group had installed malware in systems at the bank's Dhaka headquarters, which allowed them to spend several weeks spying upon the bank's systems and processes.
#846 Samsung launches 1g-weighing 512GB SSD
Samsung has begun mass production of a solid-state drive (SSD) that weighs only 1 gram but can pack up to 512GB of memory for PCs, the company announced.

The world's largest memory chip maker launched the PM971-NVMe series, the first non-volatile memory express (NVMe) SSDs in a single ball grid array (BGA) package.

The BGA NVMe SSD weighs only 1 gram and measures 20mm x 16mm x 1.5mm, but packs all SSD components in it such as 16 48-layer 256-Gb V-NAND flash chips, one 20-nanometer 4Gb LPDDR4 mobile DRAM, and a high-performance controller.
#845 Hackers stole 65 million passwords from Tumblr, new analysis reveals
On May 12, Tumblr revealed that it had just found out about a 2013 data breach affecting “a set” of users’ email addresses and passwords, but the company refused to reveal how many users were affected.

As it turns out, that number is 65 million, according to an independent analysis of the data.

Troy Hunt, a security researcher who maintains the data breach awareness portal Have I Been Pwned, recently obtained a copy of the stolen data set.

Hunt told Motherboard that the data contained 65,469,298 unique emails and passwords. (Tumblr did not immediately respond to a request to confirm the figure).
#844 Reddit forces password reset of 100,000 users
Reddit is enforcing the reset of 100,000 user accounts in the wake of a stream of hacked accounts.

A "general uptick" in account hijacking and takeovers, mainly by malicious -- and spam-based -- third-parties has prompted the move, according to the forum.

In a blog post this week, Reddit said that the increased rate of account takeovers comes on the heels of recent password dumps, such as the LinkedIn data breach which led to the release of data belonging to millions of users.

Reddit itself has not been compromised. Rather, password dumps, weak password choice and reusing the same account credentials for different sites are contributing to the problem.

"We've ramped up our ability to detect the takeovers, and sent out 100k password resets in the last 2 weeks," Reddit says. "More are to come as we continue to verify and validate that no one except for you is using your account."
#843 Fearing forced Windows 10 upgrades, users are disabling critical updates instead
“I fear some segment of consumers will turn off Windows Update as a result,” Wes Miller, research vice president at Directions on Microsoft, told me. “Which is a very bad side effect.”

Indeed it is. Windows Update delivers critical updates to your PC, plugging holes in the operating system and slamming the door on potential hack attacks. Keeping your operating system patched is a crucial part of staying secure on the modern web. That’s why PCWorld and many other technology experts advise users that the best course of action is usually to leave the Windows default intact, letting the OS download and install Recommended updates automatically. Doing otherwise is dangerous, unless you’re an expert yourself.

Using that critical avenue to push Windows 10 on people—pardon, “make it easier for consumers to upgrade to Windows 10”—violates the trust people hold in the sanctity of Windows Update. And, yes, as a direct result of Microsoft’s actions, at least some people are disabling Windows Update on their Windows 7 and 8 PCs.
#842 Fiverr suffers six-hour DDoS attack after removing DDoS-for-hire listings
The incident took place on the morning of May 27 (European timezones), and the service admitted its problems on its Twitter account. At the time of writing, Fiverr has been back up and functioning normally for more than two hours.
#841 Hackers claim to have a stunning 427 million Myspace passwords
There’s an oft-repeated adage in the world of cybersecurity: There are two types of companies, those that have been hacked, and those that don’t yet know they have been hacked.

MySpace, the social media behemoth that was, is apparently in the second category. The same hacker who was selling the data of more than 164 million LinkedIn users last week now claims to have 360 million emails and passwords of MySpace users, which would be one of the largest leaks of passwords ever. And it looks like the data is being circulated in the underground by other hackers as well.
#840 CVE-2015-2545: overview of current threats
CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.

The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.

The exploit was discovered in the wild in August 2015, when it was used in a targeted attack by the Platinum group, presumably against targets in India. Over the following months, there was significant growth in the number of threat actors using the vulnerability as a primary tool for initial penetration, with both the attack groups and their targets located in South-East and Central Asia and the Far East.

In this research paper, we discuss examples of attacks using the CVE-2015-2545 vulnerability undertaken by some of these groups.
#839 12 more banks now being investigated over Bangladeshi SWIFT heist
The investigation into the attempted $1 billion electronic heist at the Bangladesh central bank has expanded to as many as 12 more banks that all use the SWIFT payment network.

Security firm FireEye, investigating the hack, has been contacted by numerous other banks, including some in New Zealand and the Philippines. While most of the attempted transfers in the original heist were cancelled, some $81 million was sent to the Philippines and subsequently laundered through casinos. The SWIFT organization in a statement said that some of these reports may be false positives, and that banks should rigorously review their computing environments to look for hackers.
#838 “Forbidden attack” makes dozens of HTTPS Visa sites vulnerable to tampering
Dozens of HTTPS-protected websites belonging to financial services giant Visa are vulnerable to attacks that allow hackers to inject malicious code and forged content into the browsers of visitors, an international team of researchers has found.

In all, 184 servers—some belonging to German stock exchange Deutsche Börse and Polish banking association Związek Banków Polskich—were also found to be vulnerable to a decade-old exploit technique cryptographers have dubbed the "forbidden attack." An additional 70,000 webservers were found to be at risk, although the work required to successfully carry out the attack might prove to be prohibitively difficult. The data came from an Internet-wide scan performed in January. Since then, Deutsche Börse has remedied the problem, but, as of Wednesday, both Visa and Związek Banków Polskich have allowed the vulnerability to remain and have yet to respond to any of the researchers' private disclosures.

The vulnerability stems from implementations of the transport layer security protocol that incorrectly reuse the same cryptographic nonce when data is encrypted. TLS specifications are clear that these arbitrary pieces of data should be used only once. When the same one is used more than once, it provides an opportunity to carry out the forbidden attack, which allows hackers to generate the key material used to authenticate site content. The exploit was first described in comments submitted to the National Institute of Standards and Technology. It gets its name because nonce uniqueness is a ground rule for proper crypto.
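A defender-side check for the condition described above: in TLS 1.2 AES-GCM cipher suites the 8-byte explicit nonce travels in the clear at the front of every application-data record, so a passive monitor can flag a server that repeats one inside a connection. This is an added example, not code from the article or from the researchers' scanner; it assumes the RFC 5288 record layout and uses constructed sample records.

```python
"""Flag explicit-nonce reuse in one direction of a TLS 1.2 AES-GCM connection.

Added example. Assumption: records follow RFC 5288 GenericAEADCipher, i.e.
each encrypted application-data fragment starts with an 8-byte explicit nonce.
"""
import struct
from collections import defaultdict

CHANGE_CIPHER_SPEC = 0x14
APPLICATION_DATA = 0x17
EXPLICIT_NONCE_LEN = 8


def parse_records(stream: bytes):
    """Yield (content_type, version, fragment) for each TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        frag = stream[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        yield ctype, version, frag
        off += 5 + length


def find_nonce_reuse(stream: bytes):
    """Map every explicit nonce seen more than once to the record indexes using it.

    Only application-data records are inspected: that is where the AEAD
    ciphertext (and therefore the explicit nonce) lives.
    """
    seen = defaultdict(list)
    for idx, (ctype, _version, frag) in enumerate(parse_records(stream)):
        if ctype != APPLICATION_DATA or len(frag) < EXPLICIT_NONCE_LEN:
            continue
        seen[frag[:EXPLICIT_NONCE_LEN]].append(idx)
    return {nonce: idxs for nonce, idxs in seen.items() if len(idxs) > 1}


def build_record(ctype: int, fragment: bytes, version: int = 0x0303) -> bytes:
    """Constructed helper: wrap a fragment in a TLS record header (version 3,3 = TLS 1.2)."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


def sample_stream(reuse: bool) -> bytes:
    """Constructed sample traffic: a ChangeCipherSpec followed by three app-data records.

    With reuse=True the third record repeats the first record's explicit nonce,
    which is exactly the condition the forbidden attack needs.
    """
    nonces = [b"\x00" * 7 + b"\x01", b"\x00" * 7 + b"\x02"]
    third = nonces[0] if reuse else b"\x00" * 7 + b"\x03"
    body = b"\xaa" * 24  # stand-in for ciphertext plus 16-byte GCM tag
    return (build_record(CHANGE_CIPHER_SPEC, b"\x01")
            + build_record(APPLICATION_DATA, nonces[0] + body)
            + build_record(APPLICATION_DATA, nonces[1] + body)
            + build_record(APPLICATION_DATA, third + body))


if __name__ == "__main__":
    for flag in (False, True):
        hits = find_nonce_reuse(sample_stream(flag))
        print("reuse=%s -> %s" % (flag, {n.hex(): i for n, i in hits.items()}))
```

On live traffic the same bookkeeping is kept per connection and per direction, since client and server use different keys and nonce counters.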
#837 Google's Chrome 51: Less battery drain from video, simpler site logins - plus 42 bug fixes
The Chrome 51 browser has security fixes for numerous bugs and also introduces a new feature to streamline the login process for regularly used sites.
#836 Symantec: Android threats evolve to handle Marshmallow’s new permission model
Mobile malware authors have updated their threats to handle Android’s latest permission-granting model, which was introduced in version 6.0 Marshmallow. The model was designed to let users grant permissions only when apps require them, rather than accepting them all on installation. However, dangerous threats such as Android.Bankosy and Android.Cepsohord have adapted to this method in an attempt to gain the permissions they need to carry out their malicious activities.

Android.Bankosy and Android.Cepsohord are capable of working with the new runtime permission model introduced in Android 6.0 Marshmallow.
#835 Amazon users targets of massive Locky spear-phishing campaign
Amazon customers were targeted in a massive spear phishing campaign where recipients received Microsoft Word documents with a macro that triggered downloads of the Locky ransomware. Researchers at Comodo Threat Research Labs say it is one of the largest spam ransomware campaigns this year.

Fatih Orhan, director of technology at Comodo and the Comodo Threat Research Labs, said the attack occurred on May 17 and lasted about 12 hours and is estimated to have pushed out as many as 30 million spam messages purporting to be an update from Amazon on a shipping order. Orhan told Threatpost the spear phishing campaign is notable not just because of its size, but also because the attackers were able to manipulate email header data to trick sender policy framework (SPF) controls on email gateways.
#834 Virtual assistants such as Amazon's Echo break US child privacy law, experts say
Khaliah Barnes, associate director of the Electronic Privacy Information Center (EPIC), believes that by showing pre-teenage children using voice-activated AI devices, Amazon, Google and Apple are admitting their services are aimed at youngsters.

“When your advertising markets this product to children, and parents with children, that would absolutely trigger COPPA,” she says. “Recording children in the privacy of the home is genuinely creepy, and this warrants additional investigation by the Federal Trade Commission (FTC) and [US] states.”

Jeff Chester agrees. “Online devices have replaced TV as the babysitter, and companies will know there’s a child there by the very nature of the interaction,” he says.

Amazon and Google told the Guardian that they comply with COPPA, while an Apple spokesperson said “we comply and we don’t target kids”. All have extensive privacy policies.
#833 Symantec: SWIFT attackers’ malware linked to more financial attacks
Symantec has found evidence that a bank in the Philippines has also been attacked by the group that stole US$81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam.

Malware used by the group was also deployed in targeted attacks against a bank in the Philippines. In addition to this, some of the tools used share code similarities with malware used in historic attacks linked to a threat group known as Lazarus. The attacks can be traced back as far as October 2015, two months prior to the discovery of the failed attack in Vietnam, which was hitherto the earliest known incident.

The attack against the Bangladesh central bank triggered an alert by payments network SWIFT, after it was found the attackers had used malware to cover up evidence of fraudulent transfers. SWIFT issued a further warning, saying that it had found evidence of malware being used against another bank in a similar fashion. Vietnam’s Tien Phong Bank subsequently stated that it intercepted a fraudulent transfer of over $1 million in the fourth quarter of last year. SWIFT concluded that the second attack indicates that a “wider and highly adaptive campaign” is underway targeting banks.

A third bank, Banco del Austro in Ecuador, was also reported to have lost $12 million to attackers using fraudulent SWIFT transactions. However, no details are currently known about the tools used in this incident or if there are any links to the attacks in Asia.
#832 Tor to use never-before-seen distributed RNG to generate truly random numbers
The Tor Project says it created something it calls "a distributed RNG" (random number generator) that uses two or more computers to create multiple random numbers and then blends these outputs together. The end result is something that's impossible to crack without knowing which computers from a network contributed to the final random number, and which entropy each one used.
#831 Microsoft may ban your favorite password
To make sure that its users rely on unique, difficult-to-guess passwords, Microsoft says it is dynamically banning common passwords from the Microsoft Account and Azure AD systems. The company analyzes data breaches looking for the passwords that are used most often and prevents users from having a password that is found on attack lists (cybercriminals use passwords from these leaks to brute-force accounts).

In a blog post, Alex Weinert, Group Program Manager of Azure AD Identity Protection team, explains that Microsoft is seeing more than 10 million accounts being attacked each day, and that this data is used to dynamically update the list of banned passwords. This list is then used to prevent people from choosing a common or similar password. Available in Microsoft Account Service now, the feature will roll out to all Azure AD tenants in the next month.
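One way to implement a "common or similar password" check of the kind described above. This is an added example, not Microsoft's implementation; it assumes that "similar" means a banned word after the usual tweaks (case changes, leetspeak substitutions, digits or symbols tacked on the ends, or a single-character edit), and the banned list is constructed.

```python
"""Reject passwords that equal, or are trivial variants of, a banned word.

Added example (not Microsoft's algorithm). The banned list is constructed;
a production list is built from breach corpora, as the article describes.
"""
import re

BANNED = {"password", "letmein", "qwerty", "welcome", "iloveyou"}

# Common leetspeak substitutions, undone before comparison.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")
_LEADING = re.compile(r"^[0-9!@#$%^&*._-]+")


def normalise(pw: str) -> str:
    """Fold case, strip decorative digits/symbols from both ends, then undo leetspeak.

    Stripping happens before the leet translation so that a suffix like '123'
    is dropped rather than being read as letters.
    """
    core = pw.lower()
    core = _TRAILING.sub("", core)
    core = _LEADING.sub("", core)
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character tweaks of a banned word."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_banned(pw: str, banned=BANNED, max_distance: int = 1) -> bool:
    """True if the normalised password is a banned word or within max_distance of one.

    The near-match test is restricted to banned words of six or more characters so
    that short entries do not reject almost everything.
    """
    core = normalise(pw)
    if not core:
        return True  # nothing but digits and symbols
    if core in banned:
        return True
    return any(edit_distance(core, word) <= max_distance
               for word in banned if len(word) >= 6)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2016", "letmeinn", "12345678", "correct-horse-battery"):
        print("%-24s banned=%s" % (candidate, is_banned(candidate)))
```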
#830 US nuclear force 'still uses floppy disks'
The US nuclear weapons force still uses a 1970s-era computer system and floppy disks, a government report has revealed.

The Government Accountability Office said the Pentagon was one of several departments where "legacy systems" urgently needed to be replaced.

The report said taxpayers spent $61bn (£41bn) a year on maintaining ageing technologies.

It said that was three times more than the investment on modern IT systems.

The report said that the Department of Defence systems that co-ordinated intercontinental ballistic missiles, nuclear bombers and tanker support aircraft "runs on an IBM Series-1 Computer - a 1970s computing system - and uses eight-inch floppy disks".
#829 SAS: Big data is a big miss when it comes to IoT
According to SAS, there is a misconception when it comes to the Internet of Things that the more data an organisation has the better, which often results in a surplus of unusable information.
#828 Wekby APT gang using DNS tunneling for command and control
Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby, which has added a rare but effective new tool to its bag of tricks. The security firm reported on Tuesday that over the past week, Wekby attackers have been turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command-and-control traffic for remote access to infected computer networks.

Researchers discovered the change in strategy while monitoring an undisclosed U.S.-based high-tech firm targeted by the gang. Palo Alto Networks calls the DNS tunneling malware pisloader, adding that it has existed for some time but is seldom used. The use of DNS-based attacks differs from Wekby's go-to malware HTTPBrowser, which is still used widely by the group, according to Ryan Olson, researcher on Palo Alto Networks' Unit 42 team.
#827 Skimmers found at Walmart: a closer look
Recent local news stories about credit card skimmers found in self-checkout lanes at some Walmart locations remind me of a criminal sales pitch I saw recently for overlay skimmers made specifically for the very same card terminals.

Much like the skimmers found at some Safeway locations earlier this year, the skimming device pictured below was designed to be installed in the blink of an eye at self-checkout lanes — as in recent incidents at Walmart stores in Fredericksburg, Va. and Fort Wright, Ky. In these attacks, the skimmers were made to piggyback on card readers sold by payment solutions company Ingenico.
#826 APT groups finding success with patched Microsoft flaw
A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.

Researchers at Kaspersky Lab today published a report describing how attackers continue to flourish exploiting CVE-2015-2545, a remote code execution vulnerability where an attacker crafts an EPS image file embedded in an Office document designed to bypass memory protections on Windows systems.

Exploits have been used primarily to gain an initial foothold on targeted systems. Those targets are largely government and diplomatic agencies and individuals in India and Asia, as well as satellite offices of those agencies in Europe and elsewhere.

The Office flaw was patched in September in MS15-099 and updated again in November. Yet APT groups seem to be capitalizing on lax patching inside these high-profile organizations to carry out espionage. Some criminal organizations have also made use of exploits against this particular flaw, in particular against financial organizations in Asia, Kaspersky researchers said in their report.
#825 Major DNS (NS1) provider hit by mysterious, focused DDoS attack
Unknown attackers have been directing an ever-changing army of bots in a distributed denial of service (DDoS) attack against NS1, a major DNS and traffic management provider, for over a week. While the company has essentially shunted off much of the attack traffic, NS1 experienced some interruptions in service early last week. And the attackers have also gone after partners of NS1, interrupting service to the company's website and other services not tied to the DNS and traffic-management platform. While it's clear that the attack is targeting NS1 in particular and not one of the company's customers, there's no indication of who is behind the attacks or why they are being carried out.

NS1 CEO Kris Beevers told Ars that the attacks were yet another escalation of a trend that has been plaguing DNS and content delivery network providers since February of this year. "This varies from the painful-but-boring DDoS attacks we've seen," he said in a phone interview. "We'd seen reflection attacks [also known as DNS amplification attacks] increasing in volumes, as had a few content delivery networks we've talked to, some of whom are our customers."
#824 Scary and fascinating: The future of big data
Bernard Marr, a leading expert on big data, explains how the technology will transform work.
#823 How RTF malware evades static signature-based detection
Rich Text Format (RTF) is a document format developed by Microsoft that has been widely used on various platforms for more than 29 years. The RTF format is very flexible and therefore complicated. This makes the development of a safe RTF parser challenging. Some notorious vulnerabilities such as CVE-2010-3333 and CVE-2014-1761 were caused by errors in implementing RTF parsing logic.

In fact, RTF malware is not limited to exploiting RTF parsing vulnerabilities. Malicious RTF files can include other vulnerabilities unrelated to the RTF parser because RTF supports the embedding of objects, such as OLE objects and images. CVE-2012-0158 and CVE-2015-1641 are two typical examples of such vulnerabilities – their root cause does not reside in the RTF parser and attackers can exploit these vulnerabilities through other file formats such as DOC and DOCX.

Another type of RTF malware does not use any vulnerabilities. It simply contains embedded malicious executable files and tricks the user into launching those malicious files. This allows attackers to distribute malware via email, which is generally not a vector for sending executable files directly.

Plenty of malware authors prefer to use RTF as an attack vector because RTF is an obfuscation-friendly format. As such, their malware can easily evade static signature-based detection such as YARA or Snort. This is a big reason why, in this scriptable exploit era, we still see such large volumes of RTF-based attacks.
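To make the "obfuscation-friendly" point concrete, the added example below (not code from the original article) shows one trick and the defender's answer to it: the hex data of an embedded object in an `\objdata` group is split by whitespace, line breaks and unknown control words, which tolerant RTF readers skip over, so a byte-pattern signature for the object's magic misses it on the raw file but matches once the group is normalised first. The sample RTF is constructed.

```python
"""Normalise an obfuscated RTF \\objdata payload before applying a signature.

Added example, not from the original article. It covers one obfuscation
pattern (whitespace, line breaks and junk control words inside the hex data);
real samples layer several more, so this is a starting point, not a full parser.
"""
import re

# Constructed sample: the OLE compound-file magic D0CF11E0A1B11AE1 spread over
# lines and interleaved with made-up control words (\junk1, \junk2).
OBFUSCATED_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objdata "
    b"d0 cf\r\n 11\\junk1 e0 \\junk2 a1b1\n1a e1 00 00"
    rb"}}}"
)

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
# A naive static signature: the magic written as one contiguous hex string.
NAIVE_SIGNATURE = b"d0cf11e0a1b11ae1"

_CONTROL_WORD = re.compile(rb"\\[a-zA-Z]+-?\d* ?")  # \word, \word12, optional delimiter space
_HEX_PAIR = re.compile(rb"[0-9a-fA-F]{2}")


def extract_objdata(rtf: bytes) -> bytes:
    """Return the raw (still obfuscated) text of the first \\objdata group."""
    start = rtf.find(rb"\objdata")
    if start < 0:
        return b""
    pos = start + len(rb"\objdata")
    body_start = pos
    depth = 1  # we are already inside the group that \objdata belongs to
    while pos < len(rtf) and depth > 0:
        ch = rtf[pos:pos + 1]
        if ch == b"{":
            depth += 1
        elif ch == b"}":
            depth -= 1
        pos += 1
    return rtf[body_start:pos - 1]


def normalise_objdata(raw: bytes) -> bytes:
    """Drop control words and whitespace, then decode the surviving hex pairs."""
    stripped = _CONTROL_WORD.sub(b"", raw)
    stripped = re.sub(rb"\s+", b"", stripped)
    return bytes(int(pair, 16) for pair in _HEX_PAIR.findall(stripped))


def naive_match(rtf: bytes) -> bool:
    """What a signature on the raw file sees."""
    return NAIVE_SIGNATURE in rtf.lower()


def normalised_match(rtf: bytes) -> bool:
    """The same check after normalising the embedded object."""
    return normalise_objdata(extract_objdata(rtf)).startswith(OLE_MAGIC)


if __name__ == "__main__":
    print("raw signature hit:       ", naive_match(OBFUSCATED_RTF))
    print("normalised signature hit:", normalised_match(OBFUSCATED_RTF))
```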
#822 Will CryptXXX replace TeslaCrypt after ransomware shakeup?
The departure of TeslaCrypt from the ransomware circle has made waves in the cybercriminal world. Bad guys appear to be jumping ship in hopes of getting a chunk of the share that was previously owned by TeslaCrypt. In line with this recent event, indicators are pointing to a new strong man in the ransomware game: CryptXXX.

CryptXXX (detected as RANSOM_WALTRIX.C) has been the recipient of recent updates, one of which took place after a free decryption tool surfaced that allowed victims to disregard the ransom. Not only does it encrypt files, recent CryptXXX variants now have a lockscreen technique that prevents users from accessing their desktops.
#821 Beware of keystroke loggers disguised as USB phone chargers, FBI warns
FBI officials are warning private industry partners to be on the lookout for highly stealthy keystroke loggers that surreptitiously sniff passwords and other input typed into wireless keyboards.

The FBI's Private Industry Notification is dated April 29, more than 15 months after whitehat hacker Samy Kamkar released KeySweeper, a proof-of-concept attack platform that covertly logged and decrypted keystrokes from many Microsoft-branded wireless keyboards and transmitted the data over cellular networks. To lower the chances that the sniffing device might be discovered by a target, Kamkar designed it to look almost identical to the USB phone chargers that are nearly ubiquitous in homes and offices.
#820 Unraveling Turla APT attack against Swiss defense firm
Ever since hackers targeted Swiss defense contractor RUAG, government officials have been tight-lipped about the breach. But on Monday Switzerland's CERT (Computer Emergency Readiness Team) spilled the beans on the attack against the firm and how the perpetrators pulled it off.

While Monday's report falls short when it comes to outlining the type of data stolen, it goes into rare detail on how it was taken. For example, central to the attack was malware from the Turla family and the use of a sophisticated mix of Trojans and rootkits. Additionally, according to the report, security experts assert that RUAG computers were infected as early as 2014, making the attack slow and methodical.

It wasn’t until early May that the public even became aware of the attacks. That’s when Swiss defense minister Guy Parmelin went public about a breach against his government that took place in January during the World Economic Forum in Davos, Switzerland. Parmelin also revealed the attack included penetration of RUAG’s system where attackers breached the company’s servers stealing an undisclosed amount of data.
#819 SWIFT to unveil new security plan in the wake of Bangladesh heist
After learning how the organisation worked, the group of cyberattackers stole the Bangladeshi bank's SWIFT code and made a series of transaction requests for cash to be sent from the country's New York-based account to entities across Asia, mainly the Philippines and Sri Lanka.

The group had installed malware in systems at the bank's Dhaka headquarters, which allowed them to spend several weeks spying upon the bank's systems and processes.

The breach was uncovered by accident, with an alert only raised as a result of a small spelling error on one of the transactions which blocked other queries that had not yet been processed.
#818 This sneaky botnet shows why you shouldn't use the same password for everything
While automated attacks by a networked army of computers aren't a new problem, the methods that botnets are using are getting more complex.

They're also increasing in number with the latest cybercrime report from ThreatMetrix suggesting that the number of attacks between January and March this year is up by over a third, compared with just the previous quarter. The report states that 311 million bot attacks were detected and stopped by its technology in the opening three months of 2016.

Botnet attacks used to just be large volume distributed denial of service (DDoS) or spam attacks, designed to overwhelm servers to the point of collapse or act as a distraction in order to allow cybercriminals to hack into the targeted system without being detected.

Now however, the cybersecurity researchers say that botnets are being used in a new way - to test stolen login details in a way which allows them to evade detection by security systems.
#817 SWIFT network doubles down on security
The SWIFT banking network on Friday updated financial institutions worldwide of new security resources it has developed in the wake of massive fraud. Officials also reminded banks of their role in securing their respective infrastructures.

Banks in Bangladesh, Vietnam and Ecuador have been infiltrated by attackers who stole credentials for the SWIFT system to move out tens of millions of dollars; Bangladesh Bank was the most egregious case where attackers were able to steal more than $80 million. It has been reported that the bank was not running a firewall and was using $10 commodity switches to manage computers connected to the SWIFT network.

SWIFT, which stands for Society for Worldwide Interbank Financial Telecommunication, is a private network used by financial organizations to send and receive transactions.

Hackers have been targeting banks with weak or non-existent security to steal credentials for the SWIFT network to make fraudulent transactions. In a May 13 statement after the attack on the Vietnamese bank, SWIFT hinted that insiders at the respective banks could also be involved.
#816 Google plans to bring password-free logins to Android apps by year-end
Google’s plan to eliminate passwords in favor of systems that take into account a combination of signals – like your typing patterns, your walking patterns, your current location, and more – will be available to Android developers by year-end, assuming all goes well in testing this year. In an under-the-radar announcement Friday afternoon at the Google I/O developer conference, the head of Google’s research unit ATAP (Advanced Technology and Projects) Daniel Kaufman offered a brief update regarding the status of Project Abacus, the name for a system that opts for biometrics over two-factor authentication.

As you may recall, Project Abacus was first introduced at Google I/O last year, where it was described as an ambitious plan to move the burden of passwords and PINs from the user to the device.

Today, secure logins – like those used by banks or in the enterprise environment – often require more than just a username and password. They tend to also require the entry of a unique PIN, which is generally sent to your phone via SMS or emailed. This is commonly referred to as two-factor authentication, as it combines something you know (your password) with something you have in your possession, like your phone.
#815 Persistent EITest malware campaign jumps from Angler to Neutrino
A two-year-old EITest malware campaign is still going strong, fueled by the fact that it has shifted its distribution technique over time. Now, researchers at the SANS Institute's Internet Storm Center are reporting that EITest is morphing again, based on analysis of the malware campaign conducted earlier this month.

According to researcher Brad Duncan, the EITest malware campaign is being refueled by the fact it is shifting from the Angler exploit kit to the Neutrino exploit kit.

“During its run, I had only noticed the EITest campaign use Angler EK to distribute a variety of malware payloads. That changed earlier this month, when I noticed an EITest gate leading to Neutrino EK instead of Angler,” Duncan wrote in an Internet Storm Center post.
#814 Two exploit kits spreading attacks for recent Flash Player zero day
Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains and a credential-stealing Trojan.

A French researcher who goes by the handle Kafeine told Threatpost that Neutrino has embedded a working exploit for CVE-2016-4117 while Magnitude has not fully implemented the exploit.

Kafeine said that Magnitude is firing exploits for Flash Player up to version, but the payloads are not executing, despite the presence of references to the vulnerable code. It could be that the exploit was not implemented correctly; Kafeine said that as of this morning the payloads were not working.

Detection rates on VirusTotal for the Neutrino exploit remain low: only five of 56 engines flagged it as of this morning.
#813 Windows 10 problem? Now everyone can gripe to Microsoft via Feedback Hub
If you've got a complaint about Windows 10 or suggestions for how to make it better, you can now tell Microsoft using the Feedback Hub app.

Until now, Feedback Hub has been available exclusively to Windows users who participate in Microsoft's Insider Program. But now, just ahead of this summer's Windows 10 Anniversary Update, Microsoft has opened it up to all 300 million Windows 10 users.
#812 Crooks used SQL injections to hack Drupal sites and install fake ransomware
Unknown attackers are leveraging a two-year-old vulnerability in Drupal installations to break into sites and install Web-based ransomware that hijacks the website's main page but fails to encrypt any files.

The first victims to complain about this new strain of ransomware appeared in late March on the official Drupal forums. Site admins described their websites as "being locked" with a message that read:

“ Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content. ”

Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites for the presence of /CHANGELOG.txt (Drupal CMS specific file) and /joomla.xml files.

The attacker's scanning bot extracts the Drupal site's version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and eventually change the admin user's password.

CVE-2014-3704 is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32.
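The two steps the article describes, version triage from CHANGELOG.txt and the injection itself, as an added example that is neither Drupal's code nor the scanner's. The version check reads the first line of a Drupal 7 CHANGELOG.txt (a constructed sample is embedded). The two expansion functions are a Python model of the placeholder-expansion step named in the public advisory for CVE-2014-3704: when a query argument is an array, one placeholder per element is generated and the generated names are spliced into the SQL text before the statement is prepared. In the vulnerable form the suffix of each placeholder name comes from the attacker-controlled array key; the fixed form uses a counter. The query and argument values are constructed for the demonstration.

```python
import re

# Constructed sample of the first lines of a Drupal 7 CHANGELOG.txt; the
# version string on line one is what the scanning bot reads.
SAMPLE_CHANGELOG = (
    "Drupal 7.31, 2014-08-06\n"
    "-----------------------\n"
    "- Fixed security issues (multiple vulnerabilities).\n"
)


def drupal_version(changelog_text):
    """Return (major, minor) from the first line, or None if it is not a Drupal changelog."""
    m = re.match(r"Drupal (\d+)\.(\d+)", changelog_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def affected_by_cve_2014_3704(version):
    """True for Drupal 7.x releases below 7.32, the release that fixed the bug."""
    return version is not None and version[0] == 7 and version[1] < 32


# Model (not Drupal's code) of how an array argument is expanded: ":name"
# becomes ":name_<suffix>, ..." and those names are inserted into the SQL text.
def _expand(query, args, suffix_source):
    for key in [k for k, v in args.items() if isinstance(v, dict)]:
        new_keys = {"%s_%s" % (key, suffix): value
                    for suffix, value in suffix_source(args[key])}
        placeholders = ", ".join(new_keys)
        # The placeholder names go into the query text verbatim; only the
        # values are bound later, so whatever is in a name is executed as SQL.
        query = re.sub(re.escape(key) + r"\b", lambda m: placeholders, query)
        del args[key]
        args.update(new_keys)
    return query, args


def expand_arguments_vulnerable(query, args):
    """Pre-7.32 behaviour: the suffix is the array *key*, which a request such
    as name[0 ; DROP TABLE users -- ]=x lets the attacker choose."""
    return _expand(query, args, lambda data: data.items())


def expand_arguments_fixed(query, args):
    """7.32 behaviour: the suffix is a counter, so keys never reach the SQL."""
    return _expand(query, args, lambda data: enumerate(data.values()))


if __name__ == "__main__":
    print(drupal_version(SAMPLE_CHANGELOG), affected_by_cve_2014_3704(drupal_version(SAMPLE_CHANGELOG)))
    q = "SELECT uid FROM users WHERE name = :name AND status = 1"
    hostile = {":name": {"0 ; DROP TABLE users -- ": "x"}}
    print(expand_arguments_vulnerable(q, dict(hostile))[0])
    print(expand_arguments_fixed(q, dict(hostile))[0])
```

Run stand-alone it prints the version triage result and the two expanded queries; the vulnerable one carries the attacker's key into the statement text, the fixed one reduces to `:name_0`. The same pattern (untrusted data shaping the SQL string rather than being bound as a value) is what to look for in any custom placeholder-expansion code.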
#811 Ransomware adds DDoS capabilities to annoy other people, not just you
Ransomware developers seem to have found another way to monetize their operations by adding a DDoS component to their malicious payloads.

Security researchers from Invincea reported this past Wednesday on a malware sample that appeared to be a modified version of an older threat, the Cerber ransomware.

The malware analysis team that inspected the file discovered that, besides the file encryption and screen locking capabilities seen in most ransomware families, this threat also comes with an additional payload, which, when put under observation, seemed to be launching network packets towards a network subnet.

This type of behavior is typical of DDoS bots, and this is the first time it has been seen bundled with ransomware.
#810 1.4 bil. yen stolen from 1,400 convenience store ATMs across Japan
TOKYO (Kyodo) -- A total of 1.4 billion yen ($12.7 million) in cash has been stolen from some 1,400 automated teller machines in convenience stores across Japan in the space of two hours earlier this month, investigative sources said Sunday.

Police suspect that the cash was withdrawn at ATMs using counterfeit credit cards containing account information leaked from a South African bank.

Japanese police will work with South African authorities through the International Criminal Police Organization to look into the major theft, including how credit card information was leaked, the sources said.
#809 Microsoft warns of sneaky new macro trick
Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines and add to the already huge uptick in reported macro attacks.

According to researchers at Microsoft’s Malware Protection Center, they came across the technique in a file containing VBA project scripts that carried a sample of the well-known macro malware TrojanDownloader:O97M/Donoff. It wasn’t the malware that piqued Microsoft’s interest; it was the attacker’s never-before-seen obfuscation technique.

It wasn’t immediately obvious that the macro file was actually malicious, wrote Marianne Mallen and Wei Li, both antivirus researchers at the Microsoft Malware Protection Center, who co-authored a blog post earlier this week on their discovery. “It [was] a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements),” wrote both authors.
#808 Instagram patches brute-force authentication flaws
Facebook on Thursday patched a pair of vulnerabilities that enabled brute-force attacks against Instagram passwords, and also hardened its password policy.

Researcher Arne Swinnen privately disclosed the flaws in December and in February respectively. One bug was patched in February, while the other went through two rounds of fixes before the issue was resolved on May 10. Swinnen received a combined $5,000 bounty.

The severity of the vulnerabilities was exacerbated by Instagram’s weak password policy and by its practice of assigning user IDs incrementally, which together put accounts in jeopardy with minimal effort, Swinnen said.

“This could have allowed an attacker to compromise many accounts without any user interaction, including high-profile ones,” Swinnen wrote in a report describing details of both vulnerabilities.
#807 Microsoft: Terrorists no longer welcome on OneDrive or Hotmail
Microsoft outlined new anti-terrorism policies today. Terrorists are no longer welcome to use Microsoft's online services, and the company will remove terrorist content when it's reported to be on the company's systems.
#806 DARPA extreme DDoS project transforming network attack mitigation
Researchers with the Defense Advanced Research Projects Agency (DARPA) have quickly moved to alter the way the military, public and private enterprises protect their networks from high-and low-speed distributed denial-of-service attacks with a program called Extreme DDoS Defense (XD3).

The agency has since September awarded seven multi-million-dollar XD3 contracts to Georgia Tech, George Mason University, Invincea Labs, Raytheon BBN, Vencore Labs (two contracts) and, this week, the University of Pennsylvania to radically alter DDoS defenses. One more contract is expected under the program.

The UPenn project is developing defenses against distributed denial of service attacks that target specific protocols and their logic. These attacks are often difficult to diagnose and stop because the total volume of malicious traffic may be very low. The UPenn project attempts to pinpoint the specific protocol component that is under attack and then massively replicate that component to blunt the effects of the attack, DARPA stated.
#805 Think you're not being tracked? Now websites turn to audio fingerprinting to follow you
New research into web-tracking techniques has found some websites using audio fingerprinting for identifying and monitoring web users.

During a scan of one million websites, researchers at Princeton University have found that a number of them use the AudioContext API to identify an audio signal that reveals a unique browser and device combination.

"Audio signals processed on different machines or browsers may have slight differences due to hardware or software differences between the machines, while the same combination of machine and browser will produce the same output," the researchers explain.

The method doesn't require access to a device's microphone, but rather relies on the way a signal is processed. The researchers, Arvind Narayanan and Steven Englehardt, have published a test page to demonstrate what your browser's audio fingerprint looks like.

"Using the AudioContext API to fingerprint does not collect sound played or recorded by your machine. An AudioContext fingerprint is a property of your machine's audio stack itself," they note on the test page.
#804 These are the worst passwords from the LinkedIn hack
A list of the worst passwords in the LinkedIn hack is remarkably familiar, but unremarkably depressing.

A list of the most popular passwords used on LinkedIn in 2012, at the time of the hack that recently came to light (again), was published by LeakedSource. The passwords in the cache of 117 million accounts were hashed with SHA-1, a once-strong hash function that has since been deprecated as weaknesses in it were found; for password storage its bigger problem is that it is fast, which makes guessing cheap.

Worse, the hashes weren't salted. A salt is a random per-account value mixed into the hash so that identical passwords produce different hashes and an attacker cannot precompute one lookup table that works against every account.

It's estimated that about 90 percent of the passwords have been cracked -- a figure that will likely grow over time.

Last year's most popular password was, unsurprisingly, at the top of this list too.
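Why an unsalted, fast hash falls to a precomputed list while a salted, slow one does not, as an added example (not LeakedSource's method or LinkedIn's storage code). The candidate list and the "leaked" hashes are constructed for the demonstration; `pbkdf2_hmac` with a per-user random salt stands in for any modern password hash. One table built from the candidate list is reused against every unsalted hash, which is exactly what makes 117 million hashes cheap to attack; with salts the same password stored twice yields two different digests and the table buys nothing.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a published "most popular passwords" list.
COMMON_PASSWORDS = ["123456", "linkedin", "password", "123456789", "12345678"]


def sha1_unsalted(password):
    """How the leaked LinkedIn hashes were made: SHA-1 of the bare password."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup(candidates):
    """One hash per candidate, computed once, valid against every account."""
    return {sha1_unsalted(pw): pw for pw in candidates}


def crack_unsalted(leaked_hashes, table):
    """Return {hash: password} for every leaked hash present in the table."""
    return {h: table[h] for h in leaked_hashes if h in table}


def pbkdf2_salted(password, salt, rounds=100_000):
    """Slow, salted hash: the work factor makes each guess cost ~100k SHA-256s."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def new_record(password):
    """Store a fresh 16-byte random salt beside the digest."""
    salt = os.urandom(16)
    return salt, pbkdf2_salted(password, salt)


def verify(password, record):
    salt, digest = record
    # Constant-time compare so verification timing does not leak digest bytes.
    return hmac.compare_digest(pbkdf2_salted(password, salt), digest)


def demo():
    """Constructed leak of three accounts, two sharing a common password."""
    leaked = [sha1_unsalted(p) for p in ("123456", "123456", "c0rrect-h0rse-batt3ry")]
    cracked = crack_unsalted(leaked, build_lookup(COMMON_PASSWORDS))
    # Same password stored twice with salts: different digests, no shared table.
    r1, r2 = new_record("123456"), new_record("123456")
    return cracked, r1[1] != r2[1], verify("123456", r1), verify("wrong", r1)


if __name__ == "__main__":
    cracked, salted_differ, ok, bad = demo()
    print("cracked via table:", cracked)
    print("salted digests differ:", salted_differ, "| verify good/bad:", ok, bad)
```

The table attack recovers the common password and leaves the unusual one alone; the cost is one hash per candidate, independent of how many accounts leaked. With salts that cost multiplies by the number of accounts, and the work factor multiplies it again per guess.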
#803 Thousands of Ubiquiti AirOS routers hit with worm attacks
A worm is reportedly spreading across thousands of Ubiquiti Networks routers running outdated firmware. In a security advisory, a Ubiquiti spokesperson said that over the past week, the worm has been using a known exploit to infect airOS M devices. The worm creates its own account on the compromised device and, from there, conducts mass infections of other routers both within the same subnet and on other networks.

The attacks affect the following Ubiquiti devices running outdated firmware: airMAX M, airMAX AC, airOS 802.11G, ToughSwitch, airGateway, airFiber.

Any router that runs older versions of the firmware and has its HTTP/HTTPS interface exposed to the Internet could be infected. Ubiquiti released a patch for this vulnerability almost a year ago. However, as is often the case on these devices, many routers may still have old firmware installed.
#802 If you clicked anything online, Google probably knows about it
"Google is a serial tracker"

Researchers reveal that Google-owned domains, from where browsers load tracking code, account for the top 5 most popular trackers and 12 of the top 20 tracker domains.

In fact, after studying the Top 1 Million sites, researchers discovered over 81,000 different domains from where tracking code was loaded. Taking a closer look at the data researchers said that only 123 of these third-party trackers are found on more than 1 percent of all sites.

"This suggests that the number of third parties that a regular user will encounter on a daily basis is relatively small," Princeton Web Census researchers explained. "The effect is accentuated when we consider that different third parties may be owned by the same entity. In fact, Google, Facebook, and Twitter are the only third-party entities present on more than 10% of sites."

All of this means there's a high chance that you visit a website, or click on a link, and that one of the three companies mentioned above already knows about it. This is certainly true for Google, who loads some sort of tracking code on four out of five websites.
#801 Master decryption key released for TeslaCrypt ransomware
The criminals behind the TeslaCrypt ransomware have closed up shop and publicly released the master decryption key that unlocks files encrypted by the malware.

The news is significant given the investment and constant innovation devoted to TeslaCrypt, which has been one of the most active crypto-ransomware strains since it debuted in February 2015.

Researchers at Bleeping Computer said they had noticed hints that distribution of TeslaCrypt was being phased out in favor of CryptXXX ransomware, even though the criminals behind the two families are likely different. A researcher from ESET, Bleeping Computer’s Lawrence Abrams said, asked for the master decryption key on a TeslaCrypt support site and the attackers capitulated, posting the key along with a message that partially read: “Project closed.”
#800 France DGSE: Spy service sets school code-breaking challenge
France's external intelligence service, the DGSE, has sponsored a school competition to find the nation's most talented young code-breakers.

It is the first time the DGSE has got involved in such a project in schools.

The first round drew in 18,000 pupils, and just 38 competed in the final on Wednesday, won by a Parisian team.

A DGSE spokesman said the aim was to spread awareness about intelligence work. Security is a major concern after last year's jihadist attacks in Paris.

DGSE stands for Directorate-General for External Security. It has 6,200 staff - 63% of them civilians - and an annual budget of about €750m (£575m; $839m).
#799 Archive of historic BT 'email' hack preserved
An archive detailing a historic hack and its fallout has been handed over to the National Museum of Computing.

Previously, the cache of documents, press cuttings and letters had been kept by Robert Schifreen, who hacked BT's Prestel system in 1984.

He and Steve Gold took control of Prestel and penetrated the email inbox belonging to the Duke of Edinburgh.

The legal case around the hack helped define computer misuse laws in the UK and around the world.
#798 Robin Hood hacker donates $11,000 of stolen bitcoin to help fight ISIS
A Kurdish region of Syria that borders territory held by the Islamic State militant group (ISIS) has received an $11,000 donation in allegedly stolen bitcoin from a vigilante hacker.

The pseudonymous Phineas Fisher donated 25 bitcoins to a crowdfunding campaign set up by members of the Rojava region’s economic committee, described by Fisher as “one of the most inspiring revolutionary projects in the world.”
#797 Google fights French 'right to be forgotten' order
Google has appealed to France's highest court after the country's data watchdog ordered it to delete some of its search results globally.

In 2015, the Commission on Informatics and Liberty (CNIL) said Google should respect French "right to be forgotten" rulings worldwide.

But Google said the ruling could lead to abuse by "less open and democratic" countries.

The company is now appealing against a 100,000-euro (£76,000) CNIL fine.
#796 Android Qualcomm vulnerability impacts 60 percent of devices
A flaw in mobile chip maker Qualcomm’s mobile processor, used in 60 percent of Android devices, allows attackers to take control over a targeted phone or tablet under specific conditions. Researchers at Duo Labs said the vulnerability is tied to Android’s problem-plagued mediaserver, coupled with a security hole in Qualcomm’s Secure Execution Environment (QSEE).

This QSEE vulnerability, discovered by Gal Beniamini last week, is troubling because it impacts both old versions of the Android operating system and new Marshmallow versions. Google has issued a patch for the vulnerability; however, Duo estimates only a small fraction of Android devices have received the fix.

Duo researchers are careful to put their analysis of the QSEE vulnerability (CVE-2015-6639) in perspective and stress that, while a majority of Android devices are vulnerable to attack via this exploit, the security concerns aren’t as dire as those raised by the similar and more malicious Stagefright.
#795 ESET releases new decryptor for TeslaCrypt ransomware
Have you been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt? If your encrypted files had the extensions .xxx, .ttt, .micro, .mp3 or were left unchanged, then ESET has good news for you: we have a decryptor for TeslaCrypt.
#794 Ransomware activity spikes in March, steadily increasing throughout 2016
Based on data from FireEye Dynamic Threat Intelligence, ransomware activity has been rising fairly steadily since mid-2015. We observed a noticeable spike in March 2016.
#793 Magento – unauthenticated remote code execution
The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.

The vulnerability assumes one of the RPCs (REST or SOAP) is enabled. As both are enabled by default, and one of them is actually required by the system, this assumption will not be a problem in the absolute majority of installations.
In this document I will use the SOAP API, as XML is more readable in this case.

This vulnerability works on both the Community Edition and Enterprise Edition of the system.
#792 Foreign hackers may be targeting presidential candidates
Foreign hackers may have the campaigns of U.S. presidential candidates in their sights, the nation's top intelligence official warned Wednesday.

The FBI and Homeland Security are working with the campaigns to tighten security and prevent the cyber intruders from penetrating their defenses, Director of National Intelligence James Clapper said.

Clapper warned that there are likely to be cyber attacks as Hillary Clinton and Bernie Sanders battle for the Democratic nomination and Donald Trump tries to rally Republican support for his candidacy. He did not say what actual attacks on the campaigns, if any, have already occurred.
#791 Updated Skimer malware infects ATMs worldwide
Researchers from Kaspersky Lab warn that the Skimer malware, first spotted in 2009, is once again infecting ATMs worldwide in an improved version of Backdoor.Win32.Skimer. The new Skimer gives criminals access to card data, including PINs, as well as to the actual cash held in the machine.

The malicious installers use the Themida packer to disguise the Skimer malware, which is then installed on the ATM. If the ATM's file system is FAT32, the malware drops the file netmgr.dll in the folder C:\Windows\System32. If the file system is NTFS, netmgr.dll is instead written into an NTFS alternate data stream attached to an executable file, which makes detection and analysis of the malware more difficult.

Unlike other ATM malware such as Tyupkin, which becomes active in a specific time frame and is awakened by a ‘magic code’, Skimer may lie dormant for months until it is activated by the physical use of a ‘magic card.’ The magic card gives control of the malware, which then offers a list of options selected by entering a choice on the PIN pad.
#790 LinkedIn user? Your data may be up for sale
Reports indicate that a LinkedIn data breach may have led to the sale of sensitive data belonging to 117 million users.

According to Motherboard, the company's website experienced a data breach in 2012, but the true consequences of the breach are only now becoming apparent.

Founded in 2002, LinkedIn catered for approximately 400 million users in 2015. The company provides a social network alternative for finding professional and work connections, sharing resumes and potentially finding new posts.

Users of LinkedIn's website in 2012 discovered that roughly 6.5 million user account passwords were posted online, and the company never completely confirmed just who was impacted by the security incident.
#789 Twitter ads could be exposing you to malware attacks
Over the past four days, some Twitter users have been noticing something strange: a flurry of tweets that appear to depict a young person removing their underwear.

They’re “promoted tweets”, essentially ads that users have paid Twitter to put in people’s timelines whether or not they follow the advertiser.

Brands and celebrities use them to promote themselves. But these tweets were different. Not only did they feature unsettling images, which multiple users suggested might be child pornography, they also linked to a phishing site made to resemble YouTube.

So far this same picture has been sent from at least a dozen users’ accounts, though it no longer appears on any of their timelines. One of the senders claimed their account had been hacked.
#788 Microsoft comes through with rollup of updates and fixes for Windows 7
The convenience rollup -- officially known as Windows 7 SP1 convenience rollup -- isn't Service Pack 2 for Windows 7, but it's the next best thing.

The new Windows 7 convenience rollup is cumulative back to Service Pack 1, which Microsoft released in 2011. It doesn't include updates to IE 11 (which are released separately) or updates to .NET releases. But it does include core Windows fixes, security fixes and hot fixes.

In January this year, I asked Microsoft officials about plans to deliver this convenience rollup -- something execs announced a year ago. Officials said Microsoft's update strategy was all about Windows as a Service, a.k.a. Windows 10, moving forward.
#787 It's trivially easy to identify you based on records of your calls and texts
Contrary to the claims of America's top spies, the details of your phone calls and text messages—including when they took place and whom they involved—are no less revealing than the actual contents of those communications.

In a study published online Monday in the journal Proceedings of the National Academy of Sciences, Stanford University researchers demonstrated how they used publicly available sources—like Google searches and the paid background-check service Intelius—to identify "the overwhelming majority" of their 823 volunteers based only on their anonymized call and SMS metadata.

Using data collected through a special Android app, the Stanford researchers determined that they could easily identify people based on their call and message logs.

The results cast doubt on claims by senior intelligence officials that telephone and Internet "metadata"—information about communications, but not the content of those communications—should be subjected to a lower privacy threshold because it is less sensitive.
#786 Google set to kill SSLv3 and RC4 in SMTP, Gmail in June
Google clarified this week exactly when it plans to disable support for the RC4 stream cipher and the SSLv3 protocol on the company’s SMTP servers and Gmail’s web servers.

It turns out the end will come sooner rather than later; the company announced it will begin to disable both a month from now, on June 16.

Adam Langley, a security engineer with the company, announced last fall that Google was planning on moving away from both RC4 and SSLv3, citing a long history of weakness in the cipher and protocol. Langley initially failed to provide a timeline but acknowledged the company was looking to rid Chrome, Android, webcrawlers, and SMTP servers of RC4 and SSLv3 in the medium term.
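What "disable SSLv3 and RC4" looks like in a server's TLS configuration, as an added example that is not Google's configuration and not code from the article. The hardened context below refuses anything older than TLS 1.2 (which rules SSLv3 out) and a cipher string that excludes RC4 along with the other usual suspects; the audit function reports a context that still permits either. The "legacy" context is a constructed weak baseline for comparison: it lowers the minimum protocol version to whatever the linked OpenSSL still supports.

```python
import ssl

# Cipher string: high-strength suites only; RC4, anonymous/NULL suites,
# MD5 MACs and 3DES are explicitly excluded.
HARDENED_CIPHERS = "HIGH:!RC4:!aNULL:!eNULL:!MD5:!3DES"


def hardened_server_context():
    """TLS 1.2+ only, no RC4: the post-June-16 posture the article describes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3, TLS 1.0 and 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def legacy_server_context():
    """Constructed weak baseline: accept the oldest protocol the library allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means SSLv3 and RC4 are both off."""
    findings = []
    if not ctx.options & ssl.OP_NO_SSLv3:
        findings.append("SSLv3 not disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    rc4 = [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]]
    if rc4:
        findings.append("RC4 ciphers offered: " + ", ".join(rc4))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(label, "->", audit_context(ctx) or "clean")
```

Note that a modern OpenSSL build usually has no RC4 suites left to offer even in the legacy context, so the audit's RC4 finding only fires on an older library; the minimum-version finding is the one that distinguishes the two contexts on current systems. Point `audit_context` at the context your real server builds to confirm the same two properties.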
#785 SourceForge tightens security with malware scans
After taking down the controversial DevShare program in early February, the new owners of popular software repository, SourceForge, have begun scanning all projects it hosts for malware in an attempt to regain trust that was lost by Dice Holdings, the site’s previous owners.

It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site’s previous owners. FOSS Force has learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don’t make the grade will be noticeably flagged with a red warning badge located beside the project’s download button.
#784 IBM scientists achieve storage memory breakthrough
ZURICH, May 17, 2016 /PRNewswire/ -- For the first time, scientists at IBM (NYSE: IBM) Research have demonstrated reliably storing 3 bits of data per cell using a relatively new memory technology known as phase-change memory (PCM).

The current memory landscape spans from venerable DRAM to hard disk drives to ubiquitous flash. But in the last several years PCM has attracted the industry's attention as a potential universal memory technology based on its combination of read/write speed, endurance, non-volatility and density. For example, PCM doesn't lose data when powered off, unlike DRAM, and the technology can endure at least 10 million write cycles, compared to an average flash USB stick, which tops out at 3,000 write cycles.

This research breakthrough provides fast and easy storage to capture the exponential growth of data from mobile devices and the Internet of Things.
#783 Banking trojan outwits Google VerifyApps scanner
Google Play’s first line of defense against malware was circumvented by attackers who managed to sneak a malicious app called “Black Jack Free” into the official app store. The app was discovered by Lookout Security and removed by Google last week. Lookout estimates that 5,000 people downloaded the app that can siphon financial data from phones, intercept SMS messages and drop additional malicious apps onto a targeted phone.

Google relies on the automated system called VerifyApps to vet apps submitted to the Google Play app store. It isn’t perfect, but security experts say they are surprised that something as glaring as a banking Trojan was able to slip past Google’s defenses.

“The greatest danger to Android users are apps downloaded from third-party stores,” said Christoph Hebeisen, manager of security research and response at Lookout. “What this Trojan shows is that people, even when behaving sensibly and only downloading apps only from Google Play, can still get hit by malware.”
#782 Symantec Antivirus products vulnerable to horrid overflow bug
Whoever thought loading an anti-virus engine into the Windows kernel was a good idea should finally have proof that they were completely and utterly wrong.

That proof has arrived from Tavis Ormandy of Google's Project Zero team, who discovered the Symantec Antivirus Engine was vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files.

"Such malformed PE files can be received through incoming email, downloading of a document or application, or by visiting a malicious web site," Symantec said in its advisory on the issue dubbed CVE-2016-2208.

"No user interaction is required to trigger the parsing of the malformed file."
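The class of bug the advisory describes is a parser trusting sizes and offsets read from a PE header. The following added example is not Symantec's code and does not reproduce the vulnerable file; it is a bounds-checked reader for the PE section table written in Python, together with a builder that constructs a minimal PE image so the reader can be exercised offline. Each field that feeds an offset or a copy length (`e_lfanew`, `NumberOfSections`, `SizeOfOptionalHeader`, `PointerToRawData`, `SizeOfRawData`) is checked against the real file length before use, and the raw-data check is written so that it cannot wrap the way a `size_t` addition in C would.

```python
import struct

DOS_MAGIC = b"MZ"
PE_SIG = b"PE\0\0"
COFF = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
MAX_SECTIONS = 96                         # Windows loader limit; above it is hostile


class MalformedPE(ValueError):
    pass


def parse_sections(data):
    """Return [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData,
    Characteristics)] or raise MalformedPE; never reads outside `data`."""
    n = len(data)
    if n < 0x40 or data[:2] != DOS_MAGIC:
        raise MalformedPE("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Every offset taken from the file is range-checked before it is used.
    if e_lfanew + 4 + COFF.size > n or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise MalformedPE("bad e_lfanew or PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = COFF.unpack_from(data, coff_off)
    if nsec == 0 or nsec > MAX_SECTIONS:
        raise MalformedPE("unreasonable NumberOfSections %d" % nsec)
    sec_off = coff_off + COFF.size + opt_size
    if sec_off + nsec * SECTION.size > n:
        raise MalformedPE("section table extends past end of file")
    sections = []
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = SECTION.unpack_from(data, sec_off + i * SECTION.size)
        # The overflow class in the advisory: sizing a copy from SizeOfRawData /
        # PointerToRawData without checking them.  Compare against the remaining
        # length rather than summing, so the test cannot wrap.
        if raw_ptr > n or raw_size > n - raw_ptr:
            raise MalformedPE("section %r raw data [0x%x, +0x%x) lies outside the file"
                              % (name.rstrip(b"\0"), raw_ptr, raw_size))
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, raw_ptr, raw_size, chars))
    return sections


def build_pe(sections, opt_size=0xE0):
    """Constructed minimal 32-bit PE for testing: DOS header, PE signature, COFF
    header, zeroed optional header, section table, then raw data at 0x200 alignment.
    `sections` is a list of (name, payload, SizeOfRawData or None for the true size)."""
    hdr_len = 0x40 + 4 + COFF.size + opt_size + len(sections) * SECTION.size
    data_off = (hdr_len + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew right after the DOS header
    coff = COFF.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, cur = b"", b"", data_off
    for name, payload, raw_size in sections:
        size = len(payload) if raw_size is None else raw_size
        table += SECTION.pack(name.ljust(8, b"\0"), len(payload), 0x1000, size, cur,
                              0, 0, 0, 0, 0x60000020)
        body += payload
        cur += len(payload)
    image = bytes(dos) + PE_SIG + coff + bytes(opt_size) + table
    return image + bytes(data_off - len(image)) + body


if __name__ == "__main__":
    good = build_pe([(b".text", b"\x90" * 16, None)])
    print(parse_sections(good))
    bad = build_pe([(b".text", b"\x90" * 16, 0xFFFFFFF0)])   # lies about its size
    try:
        parse_sections(bad)
    except MalformedPE as e:
        print("rejected:", e)
```

The same checks apply to any field a scanner later uses as a length: the point is that the header is attacker-controlled input, and an AV engine parses it from email attachments and web downloads with no user interaction, as the advisory notes, so a single unchecked length is remotely reachable.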
#781 Groundbreaking gadget claims to fit in your ear and translate foreign languages in real-time
Trying to understand someone who doesn't speak your language could be a thing of the past, thanks to this new piece of technology.

Pilot earphones act much like the Babel Fish in 'The Hitchhiker's Guide to the Galaxy': they let two people who speak different languages understand each other.

The gadget will launch to translate between English, French, Spanish and Italian in Autumn of this year.

Pilot will cost $129 (£90) ​and will be available for pre-order on their website.

It works by being connected to two different people, speaking two different languages, and translates what they are saying in your ear.
#780 Random number generator 'improved'
The new solution takes two "weak" random sources to generate a single, high-quality random number.

That made it a faster, more practical solution for an almost-perfectly random number, said Prof Alan Woodward, of Surrey University, and it could have implications for encryption and security.
#779 Firefox tops Microsoft browser market share for first time
Firefox has gingerly pulled ahead of Microsoft’s Internet Explorer and Edge browsers for the first time across the globe.

Mozilla’s Firefox grabbed 15.6 percent of worldwide desktop browser usage in April, according to the latest numbers from Web analytics outfit StatCounter.
#778 Indian organizations targeted in Suckfly attacks
In March 2015, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations. These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.

While there have been several Suckfly campaigns that infected organizations with the group’s custom malware Backdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions. This suggests that these attacks were part of a planned operation against specific targets in India.
#777 Inside the million-machine clickfraud botnet
Online advertising is a multi-billion dollar business mostly run by Google, Yahoo or Bing via AdSense-like programs. The current generation of clickbots, such as the Redirector.Paco Trojan, have taken abuse to a whole new level, burning through companies’ advertising budgets at an unprecedented pace.

The malware’s objective is to redirect all traffic performed when using a popular search engine (such as Google, Yahoo or Bing) and replace the results with others obtained from a Google custom search. The goal is to help cyber-criminals earn money from the AdSense program.

Google’s AdSense for Search program places contextually relevant ads on Custom Search Engine’s search results pages and shares a portion of its advertising revenue with AdSense partners.

To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.
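A check for the two registry values the article names, as an added example that is neither Bitdefender's analysis code nor the malware's. The registry read is separated from the decision logic so the logic can be tested on any platform; the key path is the standard per-user Internet Settings key, and the assumption that an unmodified system has `AutoConfigProxy` set to `wininet.dll` is this example's, not the article's. The trusted PAC host, the sample PAC script and the proxy address in it are constructed.

```python
import re
import sys
from urllib.parse import urlparse

INTERNET_SETTINGS = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Assumption of this example: the stock value of AutoConfigProxy.
DEFAULT_AUTOCONFIG_PROXY = "wininet.dll"
# Constructed allowlist of hosts that legitimately serve PAC files here.
TRUSTED_PAC_HOSTS = {"proxy.corp.example"}
SEARCH_ENGINE_MARKERS = ("google.", "yahoo.", "bing.")

# Constructed PAC script of the kind the article describes: search-engine
# hosts are sent through an attacker proxy, everything else goes direct.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.google.*") || dnsDomainIs(host, ".bing.com"))
    return "PROXY 203.0.113.10:8080";
  return "DIRECT";
}"""


def read_internet_settings():
    """Windows only: return AutoConfigURL / AutoConfigProxy for the current user."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS) as key:
        for name in ("AutoConfigURL", "AutoConfigProxy"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return out


def assess(values):
    """Return findings for a dict of the two values; empty means nothing Paco-like."""
    findings = []
    url = values.get("AutoConfigURL", "")
    if url:
        parts = urlparse(url)
        host = parts.hostname or ""
        if parts.scheme in ("http", "https") and host not in TRUSTED_PAC_HOSTS:
            findings.append("AutoConfigURL points to an untrusted PAC server: %s" % url)
        elif parts.scheme == "file":
            findings.append("AutoConfigURL loads a local PAC file: %s" % url)
    proxy = values.get("AutoConfigProxy", DEFAULT_AUTOCONFIG_PROXY)
    if proxy.lower() != DEFAULT_AUTOCONFIG_PROXY:
        findings.append("AutoConfigProxy replaced: %s" % proxy)
    return findings


def pac_proxies_for_search_engines(pac_text):
    """Proxies a PAC script would hand search-engine traffic to, or [] if none.
    Heuristic: the script names a search-engine domain and returns PROXY entries."""
    text = pac_text.lower()
    if not any(marker in text for marker in SEARCH_ENGINE_MARKERS):
        return []
    return re.findall(r"PROXY\s+([\w.\-]+:\d+)", pac_text)


if __name__ == "__main__":
    print("live registry:", assess(read_internet_settings()) or "clean (or not Windows)")
    print("sample PAC proxies:", pac_proxies_for_search_engines(SAMPLE_PAC))
```

On a Windows host the first line reads the real values; elsewhere it reports clean and the PAC heuristic still runs on the embedded sample. Fetching the PAC named in `AutoConfigURL` and feeding it to `pac_proxies_for_search_engines` is the natural next step, left out here so the example stays offline.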
#776 Apple has fixed a bug that let hackers bypass iPhone lock screen
Apple has fixed a security flaw that could let a hacker access personal data on a user's iPhone.

The company fixed the flaw in a software update, iOS 9.3.2, which is rolling out to iPhone and iPad users across the globe.

Anyone with physical access to an affected phone would've been able to access the user's contacts, photos, text and picture messages, emails, and phone settings by exploiting how Siri processes data.

The vulnerability was first discovered last month by two researchers, apparently working independent of each other. But Apple credited YouTube user videosdebarraquito with finding the flaw.
#775 Ukrainian hacker pleads guilty to insider trading in US
A Ukrainian man has pleaded guilty to his role in an insider trading scheme that netted more than $30 million (£20.8 million) in illicit profits.

Vadym Iermolovych, 28, admitted to hacking into newswire agencies and using the unpublished information to gain advantage on the stock market.

Thirty-two people have been charged in connection with the global scheme.

Prosecutors said the defendants used 800 stolen news releases to make trades using the insider information.
#774 Indefinite prison for suspect who won’t decrypt hard drives, feds say
Federal prosecutors urged a federal appeals court late Monday to keep a child-porn suspect behind bars—where he already has been for seven months—until he unlocks two hard drives that the government claims contains kid smut.

The suspect, a Philadelphia police sergeant relieved of his duties, has refused to unlock two hard drives and has been in jail ever since a judge ordered him to do so seven months ago—and after finding him in contempt of court. The defendant can remain locked up until a judge lifts the contempt order.

The government said Monday he should remain jailed indefinitely until he complies. The authorities also said that it's not a violation of the man's Fifth Amendment right against compelled self incrimination because it's a "foregone conclusion" that illegal porn is on the drives, and that he is only being asked to unlock the drives, not divulge their passcodes.

"This is not a fishing expedition on the part of the government," federal prosecutors told the 3rd US Circuit Court of Appeals of Philadelphia.
#773 Microsoft is adding more ads to the Windows 10 Start menu
Microsoft is planning to double the number of promoted apps in the Start menu with the upcoming Anniversary Update to Windows 10. The software maker revealed at its WinHEC conference last week that the number will increase from five currently up to 10 in the Anniversary Update that's due to roll out in July. Promoted apps are typically used on new PCs as links to encourage Windows 10 users to download Store apps, and different apps are promoted in different countries.
#772 Hacker fans give Mr. Robot website free security checkup
The USA Network show Mr. Robot has drawn a good deal of praise for its accurate (relative to other TV shows) portrayal of hacking and computer security. So, naturally, the site for the show has drawn a slightly different sort of adoring fan—"white hat" hackers looking for security holes.

On May 10, USA Network launched a new site for Mr. Robot promoting the July debut of the series' second season—a JavaScript-powered page that uses text input and mimics a Linux shell (complete with a GRUB bootup message). On the same day, as Forbes' Thomas Fox-Brewster reported, a hacker operating under the name Zemnmez reported a cross-site scripting (XSS) vulnerability in the Mr. Robot site that could have been used to trick the site's visitors into giving up their Facebook profile data. Zemnmez sent an e-mail about the vulnerability to Mr. Robot writer Sam Esmail; within a few hours, according to NBC Universal (USA Network's corporate parent), the vulnerability was removed.
#771 That time a patient’s heart procedure was interrupted by a virus scan
A heart patient undergoing a medical procedure earlier this year was put at risk when misconfigured antivirus software caused a crucial lab device to hang and require a reboot before doctors could continue.

The incident, described in an alert issued by the Food and Drug Administration, highlights the darker side of using computers and computer networks in mission-critical environments. While a computer crash is little more than an annoyance for most people at home or in offices, it can have far more serious consequences in hospitals, power generation facilities, or other industrial settings.

The computer system at issue in the FDA alert is known under the brand name Merge Hemo and is sold by Hartland, Wisconsin-based Merge Healthcare. It comprises a patient data module and a monitor PC that are connected by a serial cable. It's used to provide doctors with real-time diagnostic information from a patient undergoing a procedure known as a cardiac catheterization, in which doctors insert a tube into a blood vessel to see how well the patient's heart is working.
#770 Breach of crime forum could cause a world of pain for members
A website that openly facilitated the brokering of compromised passwords, stolen bitcoins, and other sensitive data has been hacked, exposing login data, IP addresses, e-mail addresses, purchase histories, and private messages for some 500,000 members. The site, a hacker forum that used the tagline "expect the unexpected," was compromised earlier this month in a hack that exposed virtually all of the private data associated with it, security researchers said. As of publication time, more than a week later, the resulting 1.3 gigabyte compressed archive file remained available on a popular data breach sharing site on the clear Web. It was easily accessible to anyone, including hacking victims, fellow hackers, and law enforcement agents. The dump was discovered by analysis firm Risk Based Security and confirmed by Troy Hunt, operator of the have i been pwned? breach disclosure service.

"When services such as are compromised and data is leaked, often it exposes members who prefer to remain anonymous and hide behind screen names," the Risk Based Security blog post stated. "By simply searching by e-mail or IP addresses, it can become evident who might be behind various malicious deeds. As you can imagine, this can lead to significant problems for forum users."
#769 Malware attacks on two banks have links with 2014 Sony Pictures hack
Bangladesh Bank, a commercial bank in Vietnam and ... Sony Pictures are the unlikely bedfellows in a tale of cyber intrigue uncovered by security researchers at BAE Systems.

Researchers Sergei Shevchenko and Adrian Nish have found some links between malware involved in the 2014 attack on Sony Pictures and attacks on two banks involving the theft of credentials for the SWIFT financial transfer network.

The U.S. Federal Bureau of Investigation said North Korea was to blame for the Sony attack (although security experts are divided on the matter).

So is North Korea seeking to boost its foreign currency reserves? Or is someone else conducting a false flag operation -- or just reusing old code?

The link between two pieces of malware used in attacks on Bangladesh Bank and on a commercial bank in Vietnam is unambiguous. Shevchenko and Nish decompiled them and found that they used an identical function to wipe a file from an infected computer. The function first fills the file with random characters to ensure nothing can be recovered from the sectors it occupies on the disk, then changes the file's name to a random string before deleting it.
#768 UC students suit claims Google scanned accounts without permission
SAN JOSE -- Legal action against Google by four UC Berkeley students has ballooned into two lawsuits by 890 U.S. college students and alumni alleging the firm harvested their data for commercial gain without their consent.

But the students' claims may be derailed by a dispute over whether they should file their cases individually, rather than as a group.

Hundreds of U.S. college students and alumni in 21 states joined the original lawsuit filed in January by the four Berkeley students. On April 29, another 180 filed a separate lawsuit making the same claim: that Google's Apps for Education, which provided them with official university email accounts to use for school and personal communication, allowed Google until April 2014 to scan their emails without their consent for advertising purposes.

Google did not respond to requests for comment.
#767 Announcing Certbot: EFF's client for Let's Encrypt
EFF is proud to introduce Certbot, a powerful tool to help websites encrypt their traffic. Certbot is the next iteration of the Let's Encrypt Client; it obtains TLS/SSL certificates and can automatically configure HTTPS encryption on your server. It's still in beta for now, but we plan to release Certbot 1.0 later this year.

As you may know, Let’s Encrypt is a certificate authority, co-founded by EFF, Mozilla, and researchers from the University of Michigan. With the help from many others, Let’s Encrypt is now one of the world’s largest certificate authorities, used by millions of people around the world to enable HTTPS on their website.

Certbot communicates with the Let’s Encrypt CA through a protocol called ACME. While there are many ACME clients available to choose from, Certbot continues to be the most popular choice for organizations and developers that run their own webservers.
#766 Malware-laced porn apps behind wave of Android lockscreen attacks
Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts, who are forecasting an uptick in attacks. Android users bitten by this malware are locked out of their device and are forced to undergo a complex removal of the app to win back control of their phone or tablet.

The warning comes from Dell SonicWALL Threats Research Team that said this yet-to-be-named variant of lockscreen malware is immature, but potent.

“We have found over a 100 different apps that contain this malware and suspect that the authors behind the apps are gearing up for a much larger more deadly assault,” said Alex Dubrovsky, director of software engineering and threat research at Dell.
#765 Google devs planning Flash's demise with new "HTML5 by default" Chrome setting
In a Google Groups thread named "Intent to implement: HTML5 by Default," the Google developers announced initial plans to implement a new feature in the Chromium core that will disable the playback of Flash content by default, and use HTML5 instead, if available.

The feature is scheduled to ship with Chromium builds in Q4 2016, according to the current timeline.

"If a site offers an HTML5 experience, this change will make that the primary experience," Anthony LaForge, Technical Program Manager at Google explained. "We will continue to ship Flash Player with Chrome, and if a site truly requires Flash, a prompt will appear at the top of the page when the user first visits that site, giving them the option of allowing it to run for that site."

The Chromium team will basically implement a permanent "Ask to activate" feature for all websites running Flash content, similar to what Firefox has been optionally providing its users for some time now.

"This change reflects the maturity of HTML5 and its ability to deliver an excellent user experience," LaForge also noted. "While Flash historically has been critical for rich media on the web, today in many cases HTML5 provides a more integrated media experience with faster load times and lower power consumption."
#764 Runkeeper is secretly tracking you around the clock and sending your data to advertisers
FitnessKeeper, the company behind running app Runkeeper, is in hot water in Europe. The company will receive a formal complaint on Friday from the Norwegian Consumer Council for breaching European data protection laws. It turns out that Runkeeper tracks its users’ location all the time – not just when the app is active – and sends that data to advertisers.

The NCC, a consumer rights watchdog, is conducting an investigation into 20 apps’ terms and conditions to see if the apps do what their permissions say they do and to monitor data flows. Tinder has already been reported to the Norwegian data protection authority for similar breaches of privacy laws. The NCC’s investigation into Runkeeper discovered that user location data is tracked around the clock and gets transmitted to a third party advertiser in the U.S. called
#763 Cerber ransomware on the rise, fueled by Dridex botnets
Starting in April security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited for making the potent Dridex financial Trojan extremely dangerous.

Cerber, which is best known for its high-creep factor in using text-to-speech to “speak” its ransom note to victims, was first spotted in the wild in February. Its typical distribution method was via exploit kits, with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). But as recently as May 4, FireEye reports, Cerber is now part of a spam campaign linked to Dridex botnets.
#762 Latest Petya ransomware strain comes with a failsafe: Mischa
The Petya ransomware strain signaled a new escalation for crypto-malware when it surfaced in March. For the first time, ransomware went beyond encrypting files on local and shared drives and instead set its sights on locking up the Master File Table on compromised machines.

Petya did have its shortcomings and before long, researchers were able to develop a tool that recovered some files lost to infections.

The criminals behind Petya, meanwhile, have addressed another weakness where the malware would not execute if it were not granted administrative privileges in order to target the MFT. A new installer for Petya was found and disclosed on Thursday. It comes with a failsafe; if its installer is not granted the privileges it seeks, it instead installs another strain of ransomware known as Mischa.

The original Petya executable came with a manifest that requested administrator privileges, said researcher Lawrence Abrams of Bleeping Computer.
#761 France's after work email ban is one step closer to reality
France is that much closer to becoming the first country to ban after-work emails.

The country's lower parliamentary house passed a bill this week that would ban companies with 50 or more employees from sending emails outside regular work hours, BBC News reported.

It now goes to the Senate, where members will study it before sending it back to the National Assembly to enshrine it in French law.
#760 Linksys WRT routers won’t block open source firmware, despite FCC rules
New rules that affect open source firmware on Wi-Fi routers will be implemented on June 2, but not all network hardware will prevent the loading of third-party software.

Linksys has been collaborating with chipmaker Marvell and the makers of OpenWrt to make sure its latest WRT routers can comply with the new rules without blocking open source firmware, company officials told Ars.

Linksys’s effort stands in contrast with TP-Link, which said it would entirely prevent loading of open source firmware on its routers to satisfy the new Federal Communications Commission requirements.

Blocking third-party firmware is the easiest way to comply with the FCC rules, which aim to limit interference with other devices by preventing user modifications that cause radios to operate outside their licensed RF (radio frequency) parameters.

The FCC wrote its rules in response to interference with FAA Doppler weather radar systems. Routers using certain portions of the 5GHz band were already required to use dynamic frequency selection (DFS) in order to detect nearby radar systems and avoid operating on the same channel. But it’s possible for users to disable dynamic frequency selection—the FCC has called this a “major cause of harmful interference.” Most cases of interference have been caused either by disabling DFS or “devices that have been modified to operate in frequency bands in which they are not certified to operate,” the FCC says.
#759 Second bank cyber-attack detected by Swift after Bangladesh raid
A cyber-attack, similar to one that saw $81m (£56m) stolen from Bangladesh's central bank, has hit a second bank.

The warning about the second attack came from Swift, which oversees the financial messaging network that underpins global money transfers.

Swift said the target was a commercial bank but did not name the organisation or reveal if any cash had been taken.

The attack used techniques and tools resembling those used to steal cash from Bangladesh in February, it said.

Swift is used by about 11,000 financial institutions around the world to move large amounts of cash.

The attackers had a "deep and sophisticated knowledge of specific operational controls" at the targeted bank, and could have been aided in their theft by "malicious insiders", said Swift.

In both attacks the thieves sought to submit fraudulent messages to the Swift network to transfer large amounts of cash to accounts they controlled.
#758 Facebook wants to teach you how to hack
Facebook wants to teach the next generation security skills and hopes the release of the Capture the Flag (CTF) platform to the open-source community will be a valuable contribution.

Gulshan Singh, a software engineer on Facebook's threat infrastructure team said in an announcement on Wednesday the social media giant hopes to make "security education easier and more accessible," especially for students.

As a result, the company has decided to release the CTF platform as a "safe and legal" way to teach kids how to learn and refine skills related to reverse-engineering, forensics, web application security, cryptography, and binary exploitation without getting into trouble with the law.
#757 Apache incubating project promises new Internet security framework
VANCOUVER, BC -- A new incubating project at the Apache Software Foundation (ASF) promises a more secure Internet that doesn't require monolithic trust hierarchies and centralized certificate authorities. And it could eliminate the need for complex passwords, too.

At ApacheCon North America in Vancouver yesterday, telecommunications juggernaut NTT Group, along with its Silicon Valley-based innovation center NTT i3 and cryptography and cybersecurity specialist MIRACL, joined forces to contribute their security and authentication code to a new open source project: Apache Milagro (incubating).

By eliminating the need for a central trust authority and the public key infrastructure (PKI) model built 40 years ago for a client-server world, the new incubating project aims to provide a better framework for blockchain applications, cloud computing services, mobile and containerized developer applications.
#756 Walmart sues Visa, wants to require PINs for all chip-enabled debit cards
This week, Walmart sued Visa in New York State Court, saying it wanted to be able to require PIN authorizations on all EMV debit card transactions. Although many debit card transactions already require a PIN to authorize purchases or withdrawals on that card, Visa makes its merchants give Visa card holders the option to authorize with a signature. Walmart is arguing that this puts its customers at risk for fraud.

Visa, Mastercard, and other card networks set an October 2015 deadline for merchants and card issuers in the US to shift to the chip-based EMV standard (which is named for Europay, Mastercard, and Visa, the three groups that developed the standard). The transition was meant to replace the magnetic stripe cards that persisted for years in the US, even after other countries quickly made the transition to the more secure chip-based cards. Walmart made the transition early last year, becoming one of the first national retailers to buy new terminals that accepted EMV cards, the Wall Street Journal reports.
#755 Corruption, code execution vulnerabilities patched in open source archiver 7-Zip
Several vulnerabilities were fixed this week in the file archiver 7-Zip that could have led to arbitrary code execution and file corruption.

The developer behind the tool, which is open source and can be used with any compression, conversion, or encryption method, is urging users to update to the most recent patched version, 16.00, as soon as possible to mitigate the issues.

Igor Pavlov, a Russian programmer who maintains the tool, announced the update on Tuesday, in a blog post on the software’s SourceForge forum.
#754 Five vulnerabilities fixed in Chrome browser, Google pays $20K to bug hunters
Google is urging Windows, Mac and Linux users to update their Chrome browser to fix five security holes – two which rate as high severity. Google warned users of the vulnerabilities Wednesday as it released a new version, 50.0.2661.102, of the browser.

The Chrome security holes were found by four bug bounty hunters as part of Google’s Chromium Project and its bug bounty program. One of those bug bounty hunters was noted Polish security researcher Mariusz Mlynski who earned a total of $15,500 for identifying two Chrome browser security vulnerabilities.
#753 Emergency Flash update patches public zero-day
As promised earlier this week, Adobe today released an updated version of Flash Player that includes a patch for a zero-day vulnerability.

Adobe said it is aware of the existence of a public exploit for CVE-2016-4117, but said the flaw has not been publicly attacked.

The vulnerability affects Flash Player versions and earlier on Windows, Mac OS X, Linux and Chrome OS.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said Tuesday in an advisory.
#752 Chinese ARM vendor left developer backdoor in kernel for Android and other devices
Allwinner, a Chinese system-on-a-chip company that makes the processor used in many low-cost Android tablets, set-top boxes, ARM-based PCs, and other devices, apparently shipped a version of its Linux kernel with a ridiculously easy-to-use backdoor built in. All any code needs to do to gain root access is send the text "rootmydevice" to an undocumented debugging process.

The backdoor code may have inadvertently been left in the kernel after developers completed debugging. But the company has been less than transparent about it: information about the backdoor was released and then apparently deleted through Allwinner's own GitHub account. The kernel, linux-3.4-sunxi, which was originally developed to support Android on Allwinner's ARM processors for tablets, has also been used to develop a community version. The kernel was also the basis for porting over various versions of Linux to Allwinner's processors, which are used in the Orange Pi and Banana Pi micro-PCs (developer boards compatible with Raspberry Pi) along with a number of other devices.
#751 Spam and phishing in Q1 2016
The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.
#750 Opera adds power-saving mode, offers “up to 50%” longer battery life
After baking in an ad blocker and VPN client, Norwegian browser maker Opera Software has added a power saving mode to its desktop Web browser. The feature is currently only available in the latest "developer" version of the desktop browser—which should be available on Thursday morning.

Opera's SVP of engineering Krystian Kolondra said that the new feature "can increase the battery life by as much as 50 percent." The company claimed that such huge gains are possible through a number of additional optimisations, including "reducing activity from background tabs, adapting page-redrawing frequency, and tuning video-playback parameters."
#749 Attackers targeting critical SAP flaw since 2013
Three dozen global enterprises have been breached by attackers who exploited a single, mitigated vulnerability in SAP business applications.

The attacks began in 2013 and are ongoing against large organizations owned by corporations in the United States, United Kingdom, Germany, China, India, Japan, and South Korea, spanning 15 critical industries, researchers at Onapsis said today.

The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University also published an alert this morning, the first in its history for SAP applications.

The severity of these attacks is high and should put other organizations on notice that are running critical business processes and data through SAP Java apps.
#748 Viking Horde malware co-opts Android devices for ad fraud
The latest Android malware campaign to wend its way through Google’s Play marketplace can leverage victims’ phones for ad fraud, carry out DDoS attacks, send spam, and more, researchers warn.

Dubbed Viking Horde, the campaign ropes Android devices into a botnet without their owners being any the wiser. A handful of apps that spread the malware family have managed to sneak into Play under Google’s watch – the most popular being a game named Viking Jump, according to researchers at Check Point, who discovered the family of malware and described it in detail earlier this week.

The malware has also reportedly spread through apps named Memory Booster, Parrot Copter, Simple 2048, and WiFi Plus. Before it was removed, Viking Jump was the most popular of the apps, garnering 50,000 to 100,000 downloads. The app even became a “top free app” in some markets.
#747 Microsoft zero-day exposes 100 companies to PoS attack
More than 100 North American companies were attacked by crooks exploiting a Windows zero day vulnerability. The attacks began in early March and involved the zero day vulnerability (CVE-2016-0167) reported and partially fixed in April’s Patch Tuesday security bulletins by Microsoft. The zero day was found by researchers at FireEye, who on Tuesday disclosed details.

FireEye said the flaw is a local elevation of privilege flaw in the win32k Windows Graphics subsystem. Attackers are able to exploit the flaw once they are able to remotely execute code on the targeted PC. Microsoft patched the vulnerability on April 12 and released a subsequent update (MS16-062) on Tuesday.
#746 Malware parasites feed on gossip fans
The gossip news site has exposed recent visitors to malware, according to a cybersecurity alert.

California-based Cyphort Labs said that it had detected ads placed on the site being used to spread harmful code on two separate visits during one week.

The celebrity scandal site has not yet commented but was known to have suffered a similar problem last year.

Experts suggested users install ad-blocking plug-ins to defend themselves.

The phenomenon is known as "malvertising", and users do not have to click on the ads to find their device infected. is far from being the only publisher to have hosted the threat.

Cyphort identified 1,654 unique domains that had fallen victim to the parasitical attack in 2015, and said it believed it was on course to see more than 2,000 instances this year.

The New York Times, AOL and are among other popular sites thought to have been hijacked in this way. since January.
#745 Wendy’s: Credit cards breach affected 5% of restaurants
Wendy’s said today that an investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the company’s 5,500 franchised stores. The company says the investigation into the breach is continuing, but that the malware has been removed from all affected locations.

“Based on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015,” Wendy’s disclosed in their first quarter financial statement today.
#744 Mozilla launches Test Pilot, a Firefox add-on for trying experimental new features
Mozilla today launched Test Pilot, a program for trying out experimental Firefox features. To try the new functionality Mozilla is offering for its browser, you have to download a Firefox add-on from and enable an experiment. The main caveat is that experiments are currently only available in English (though Mozilla promises to add more languages “later this year”).

Test Pilot is supposed to help Mozilla figure out which features should ship and how they should work, by letting users provide feedback and suggestions to the teams behind each one. You can turn each experiment on and off at any time (there will be bugs, so this will naturally come in handy), and the add-on explains what information you’re sharing with Mozilla to help the team understand how the feature is used.
#743 Backdoor as a software suite: How TinyLoader distributes and upgrades PoS threats (PDF)
The tandem of the TinyLoader backdoor and a point-of-sale (PoS) threat, AbaddonPOS, was first reportedly seen in November 2015. When we noticed a sudden spike in AbaddonPOS detections just this January, TinyPOS, another PoS malware strain, also reared its ugly head at that time. This prompted us to probe further into these threats and check if they are in any way related to one another.

Our analysis reveals that TinyLoader, a backdoor used for secondary malware infection, is distributing and managing the upgrades of AbaddonPOS. Likewise, TinyLoader is also spreading TinyPOS variants. This leads us to conclude that the operators behind TinyPOS and AbaddonPOS are one and the same.

In this technical brief, we’ll discuss the ties that bind TinyLoader with two notorious PoS threats—AbaddonPOS and TinyPOS—including how the perpetrators behind this operation deployed their arsenals.
#742 Microsoft Patch Tuesday 2016-05-10
Microsoft's browsers need a lot of work – Internet Explorer gets five fixes and the new Edge code has four. Both applications' patches have been named as critical by Redmond. There's also a five-fix bundle for Microsoft's graphics component and seven flaws found in Windows kernel drivers, mainly for 32-bit versions of the operating system.
#741 Software security suffers as startups lose access to Google’s virus data
(Reuters) – A number of young technology security companies are losing access to the largest collection of industry analysis of computer viruses, a setback industry experts say will increase exposure to hackers.

The policy change at the information-sharing pioneer VirusTotal takes aim mainly at a new generation of security companies, some with valuations of $1 billion or more, that haven’t been contributing their analysis. Older companies, some with market valuations much smaller than the upstart rivals, had pressed for the shift.

Alphabet’s Google runs the VirusTotal database so security professionals can share new examples of suspected malicious software and opinions on the danger they pose. On Wednesday, the 12-year-old service quietly said it would cut off unlimited ratings access to companies that do not share their own evaluations of submitted samples.

Analysts and executives at several companies said the changes will leave some services more likely to mistakenly classify legitimate software as malicious and less able to protect their customers from real threats, at least in the short term.

“If they no longer have access to VirusTotal, their detection scores will drop,” said Andreas Marx, chief executive of security software evaluation firm AV-TEST. With detection rates down, hackers will find easier entry.
#740 Adobe warns of Flash zero-day, patches Acrobat
Adobe rolled out security updates for three of its products on Tuesday, including 95 fixes it pushed for Acrobat, Reader, and ColdFusion.

Users will have to wait until later this week, however, to patch a critical vulnerability that exists in Flash Player. It may only be a matter of time until the vulnerability is publicly exploited; Adobe claims that it isn’t aware of any active exploits for the issue but is aware of a report that an exploit for the vulnerability, CVE-2016-4117, exists in the wild.

The zero day, dug up by Genwei Jiang, a researcher at FireEye, exists in Flash and earlier versions for Windows, Mac, Linux, and Chrome OS, Adobe warned Tuesday. If exploited, the vulnerability could cause a crash and let an attacker take control of the system. A fix for the issue was not ready in time to ship with this week’s Patch Tuesday patches but the company claims it is planning to address the issue later in the week, potentially as early as Thursday.

As far as today’s patches go, 92 of the 95 issues that were fixed address vulnerabilities in either Acrobat or Reader, the bulk of which were use-after-free vulnerabilities or memory corruption vulnerabilities that could lead to code execution, Adobe warns.
#739 Microsoft patches JScript, VBScript flaw under attack
Microsoft released a hefty load of security bulletins today, which included a patch for a JScript and VBScript scripting engine vulnerability being publicly exploited.

The flaw is addressed in its own bulletin, MS16-053, but users need to pay attention to, and apply, MS16-051 as well, since the attack vector is through Internet Explorer.

MS16-051 addresses the issue in IE 9, 10 and 11; MS16-053 patches the flaw in IE 7 and earlier supported versions of the browser.

The flaw, CVE-2016-0189, is one of two memory corruption vulnerabilities in the scripting engines. Both enable arbitrary code execution if a victim, via IE, lands on an attacker’s site hosting the exploit; CVE-2016-0187 is the other flaw in the scripting engines patched today. Microsoft said the flaws exist because of how JScript and VBScript handle objects in memory in IE. VBScript 5.7 is vulnerable on Windows Vista, Windows Server 2008 and the Server Core installation option, while JScript 5.8 and VBScript 5.8 are vulnerable on Windows Server 2008 R2 for x64-based Systems Service Pack 1 on the Server Core installation only.
#738 Internet Explorer zero-day exploit used in targeted attacks in South Korea
Attackers have exploited an Internet Explorer zero-day vulnerability in limited targeted attacks that affected South Korea. The exploit for the Microsoft Internet Explorer Scripting Engine Remote Memory Corruption Vulnerability (CVE-2016-0189) appears to have been hosted on a web page, which suggests that attackers used spear-phishing emails or watering hole attacks to compromise users.

Microsoft fixed the zero-day vulnerability in its latest Patch Tuesday release.
#737 Checking in with spear phishing, criminals check out with hotel credit card data
Hotel chains focus on hospitality, but their security practices have made them entirely too hospitable a target for data theft. Hotels have been brutalized over the past year by a wave of point-of-sale system breaches that have exposed hundreds of thousands of guests' credit card accounts. And those attacks, as a recent episode described by Panda Security's Luis Corrons demonstrates, have become increasingly targeted—in some cases using "spear-phishing" e-mails and malware crafted specifically for the target to gain access to hotels' networks.

In one incident that was uncovered recently, the target "was a small luxury hotel chain," Corrons told Ars. "We discovered the attack, and it was really customized for the specific hotel. This was 100 percent tailored to the specific target."

The attackers used a Word document from the hotel itself—one frequently used by the hotel to allow customers to authorize credit card charges in advance of a stay. The document was actually enclosed as part of a self-extracting file, which also installed two other files on the target machine—one of them an installer for backdoor malware, named "adobeUpd.dll" as a disguise, and the other a Windows .cmd batch script that both opens the Word document and launches the backdoor.
#736 IBM’s Watson supercomputer takes on security
IBM is leveraging the power of its Watson supercomputer to thwart viruses, ransomware and DDoS attacks. On Tuesday it unveiled an ambitious plan to feed Watson billions of data points from security sources daily so that Watson can spot anomalies as they happen and stop them dead in their tracks before they can cause any harm.

Called Watson for Cyber Security, IBM says the service is about a year off from being rolled out in beta form to select customers. It will be cloud-based and leverage Watson’s “cognitive technology.” But first, IBM says, it will need to be trained to better understand structured and unstructured security data.

“Watson, like anyone new to security, needs to learn what the differences between malware, ransomware, Trojans, viruses, scripting vulnerabilities and so much more are,” said Caleb Barlow, vice president, IBM Security.
#735 WordPress patches SOME, XSS flaws in version 4.5.2
WordPress vulnerabilities continue to be a magnet for hackers laden with exploit kits, and, as recently as February, crippling ransomware attacks. As a result, WordPress has already released three security updates this year, the latest for the content management system coming last Friday, bringing current users to version 4.5.2. WordPress also in April turned on free encryption for custom domains hosted on the platform.

The latest update is a security release affecting all versions including 4.5.1.

In an advisory published late last week, WordPress said the Plupload third-party file-upload library was plagued by a SOME vulnerability. SOME flaws are Same Origin Method Execution bugs where JSON callbacks are abused and lead to similar problems as cross-site scripting attacks. Researcher Ben Hayak presented on SOME flaws at Black Hat Europe two years ago and he provides some technical details in a blog post.
#734 NCA's bid to get Lauri Love US hack case passwords thrown out
A bid by the National Crime Agency to force an alleged cyber hacker to hand over encrypted computer passwords has been thrown out by a judge.

The US is attempting to extradite Lauri Love, 31, on charges of hacking into the US Army, Nasa and US Federal Reserve networks.

The agency (NCA) seized the computers during a raid at Mr Love's home in Stradishall, Suffolk, in October 2013.

A call to hand over passwords was rejected by a district judge.
#733 Locky ransomware gets clever!
Locky ransomware has risen to fame in recent months. Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails, and may have overshadowed the Dridex banking Trojan as the top spam contributor.

FireEye Labs recently observed a new development in the way this ransomware communicates with its control server. Recent samples of Locky are once again being delivered via “Invoice”-related email campaigns, as seen in Figure 1. When the user runs the attached JavaScript, the JavaScript will attempt to download and execute the Locky ransomware payload from hxxp://

This new Locky variant was observed to be highly evasive in its network communication. It uses both symmetric and asymmetric encryption – unlike previous versions that use custom encoding – to communicate with its control server.
#732 This unusual botnet targets scientists, engineers and academics
A botnet and cyberattack campaign is infecting victims across the globe and appears to be tracking the actions of specially selected targets in sectors ranging from government to engineering.

Researchers from Forcepoint Security Labs have warned that the campaign it has dubbed 'Jaku' -- after a planet in the Star Wars universe because of references to the sci-fi saga in the malware code -- is different to and more sophisticated than many botnet campaigns.

Rather than indiscriminately infecting victims, this campaign is capable of performing "a separate, highly targeted operation" used to monitor members of international non-governmental organisations, engineering companies, academics, scientists and government employees, the researchers said.
#731 FTC orders Apple, Google, Microsoft, Blackberry, Samsung to divulge mobile security practices
The Federal Trade Commission today said it issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices.

The FTC has been critical of mobile communications vendors’ security practices in the past. In one report the FTC stated that companies whose apps promise consumer safeguards for their data should follow through on those promises. “Specifically, the report recognizes that technology advances found in smartphones can offer the potential for increased data security and encourages all companies to provide strong protections for the data they collect.”
#730 Opera launches 'free and unlimited' VPN app for iOS
Opera is on a bit of a privacy tear at the moment. Last month, the company integrated a free and unlimited VPN (virtual private network) into the developer version of its web browser, and last week, it added built-in ad blocking to its desktop and mobile software. Now, Opera has launched a new VPN app for iOS, and, again, it's free to use with unlimited data.

Like Opera's previous VPN integrations, the app uses the US-based SurfEasy VPN service acquired by Opera last March. SurfEasy offers its own standalone apps for Android and iOS, as well as desktop software, but charges a subscription fee after a trial period. Other third-party VPN apps have a similar set-up, or insert ads to pay for their server time. Opera, by comparison, is promising that its mobile VPN is free for life, with no subscription needed. The company said it had no plans to serve users ads "for now."
#729 GoDaddy addresses blind XSS vulnerability affecting online support
Domain registrar GoDaddy fixed a vulnerability affecting systems used by its customer support agents that could have been abused to take over, modify or delete accounts.

Researcher Matthew Bryant said that a riff on a cross-site scripting attack called a blind XSS was to blame. Bryant, a GoDaddy customer, wrote on his blog on Sunday that Name fields on a particular GoDaddy page accepted and stored a cross-site scripting payload. He left a generic payload behind, akin to leaving a mine that isn’t triggered until someone steps on it.

As it turns out, no one stepped on the mine until Bryant needed to make a legitimate support call to GoDaddy. The rep on the phone could not access his account, and at the same time Bryant was getting email alerts that his almost-forgotten payloads had fired.
#728 Police allege SWIFT technicians left Bangladesh bank vulnerable
Bangladeshi police this week alleged that technicians associated with the financial network SWIFT introduced vulnerabilities that made it easier for hackers to infiltrate the systems of Bangladesh Bank and carry out a massive heist.

Earlier this year hackers used stolen credentials to inject malware into the bank’s SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, network and made off with $81 million.

According to a report from Reuters on Monday, officials with the country’s law enforcement agency are blaming technicians with the network for introducing weaknesses into the network when it was first connected to Bangladesh’s first real-time gross settlement (RTGS) system last year.
#727 Researcher arrested after reporting pwnage hole in elections site
Vanguard Cybersecurity man David Levin was arrested after disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections web site.

The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into the Lee County state elections website on 19 December.

Levin (@realdavidlevin) faced three third-degree felony counts of property crime.

Levin was released under a US$15,000 bond.
#726 Bucbi ransomware gets a big makeover
Two-year-old Bucbi ransomware is making a comeback, with new targeted attacks and a new brute force technique.

Researchers at Palo Alto Networks said they spotted the ransomware recently infecting a Windows Server and demanding a ransom of 5 bitcoins (about $2,320). Researchers report the ransomware is no longer randomly seeking victims, as it did two years ago, but is instead carrying out targeted attacks.

“In the past this ransomware has found victims indiscriminately via large campaigns employing email attachments and malicious websites,” said Ryan Olson, researcher at Palo Alto in an interview with Threatpost. “Attackers have shifted to using brute-force password attacks.”
#725 How was this Windows Store app able to download adware to a Windows 10 PC?
One of the biggest selling points of the Windows Store is its promise of safety. Apps have to be approved to make it into the store, and the sandbox in which apps run should prevent them from causing any damage or installing malware or unwanted software.

That doesn't mean developers can't try shady tricks. But their options are extremely limited, which is why I was surprised to find an app in the Windows Store last week that actually succeeded in downloading adware to a Windows 10 PC.

An unsophisticated user might have been fooled into going one step further and running that software, resulting in the installation of an annoying piece of adware and potentially much worse.
#724 ImageMagick vulnerability allows for remote code execution, now patched
ImageMagick is a popular software suite that is used to display, convert, and edit images. On May 3, security researchers publicly disclosed multiple vulnerabilities in the open-source image processing tool in this suite, one of which could potentially allow remote attackers to take over websites.

This suite can read and write images in over 200 formats including PNG, JPEG-2000, GIF, TIFF, DPX, EXR, WebP, Postscript, PDF, and SVG. Content management systems frequently use it to process any images before they are shown to the user.

The developers of ImageMagick have released updated versions of their software to fix these vulnerabilities. One vulnerability, CVE-2016-3714, allows for remote code execution on the server. This could be used to compromise Web servers and take over websites. Reports indicate that this vulnerability is already being exploited in the wild. Other reported vulnerabilities allow for HTTP/GET requests to be made from the server and for files to be read, moved, or deleted. Proof of concept code for these vulnerabilities is made available by the researchers.
#723 On the monetization of crypto-ransomware
Over the last few years, technologies and infrastructure, in the form of crypto-currencies, the dark web and well-organized criminal affiliate programs have aligned to create the perfect storm. And from that storm, the crypto-ransomware beast has arisen.

There’s a reason why crypto-ransomware is making the news almost daily – it’s unique compared to every other threat we’ve seen in the last few years in that it offers a tangible service to the victim – pay the ransom and you get your files back. And, as we’ve seen in an increasing number of high-profile cases, this is exactly what people are doing. There’s no need to remind you of a recent case where a hospital shelled out a considerable sum of Bitcoin to recover their infrastructure. It has been estimated that the crypto-ransomware industry makes as much as 100,000,000 EUR per year.

Crypto-ransomware continues to be a lucrative money-making vehicle for criminals, and it’s possible it will continue to displace alternative malware models such as banking trojans as time goes on. As with all business, focus must invariably shift into models that optimize and improve return on investment. We liken the business models of today’s ransomware campaigns to those of the early Internet era – still very simple in nature and largely unfocused. The bottom line is there’s still a great deal of room for creativity and innovation. The business models behind crypto-ransomware are slowly maturing and recently we’ve started to notice some attempts at innovation.
#722 Lego-driven robot programmed to hack gesture-based security
Among the many clever post-password authentication schemes currently under development is multi-touch gesture analysis. The basic idea is to observe a user's movements on a touchscreen device for some period of time and to come up with a gestural profile unique to that individual. Then, based on this profile, the system can verify a user's identity continuously as they use the device.

The idea sounds fishy, yes. Couldn't some hacker just observe those same gestures and then mimic them to gain access to a system? The answer should be no because the gestures read by the system are interpreted in such a way as to compile biometric profiles of the user's hand/wrist/etc, resulting in a model that can be used to interpret/verify new/different gestures down the line.

While gestural ID systems are getting a lot of research play these days thanks to error rates trending toward the low single-digits, they also tend to take a rosy view of the security world in which hackers attempt to breach such defenses via crude impersonation, e.g. when one hacker-user attempts to mirror some target-user. This is called a zero-effort attack and it stands in contrast to an attack-by-forgery, in which an attempt is made to recreate (rather than mimic) the user-target.

A DARPA-funded report titled "Robotic Robbery on the Touch Screen" published recently in the journal ACM Transactions on Information and System Security looks at gestural authentication through the eyes of a more sophisticated hacker. It presents two Lego-driven robotic attacks on a touch-based authentication system—one is based on gestural statistics collected over time from a large population of users and the other is based on stealing gestural data directly from a user. Both were pretty effective.
#721 Qatar National Bank suffers massive breach
A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GB, apparently includes internal corporate files and sensitive financial data for QNB's customers.

Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers' accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.
#720 Cyber attacks: Two-thirds of big UK businesses targeted
Two-thirds of big UK businesses have been hit by a cyber attack in the past year, according to government research.

Most of the attacks involved viruses, spyware or malware, the Cyber Security Breaches Survey says. A quarter of large firms experiencing a cyber breach did so at least once a month.

Digital Economy Minister Ed Vaizey said it was "absolutely crucial businesses are secure and can protect data".

In some cases the internet-linked attacks cost millions of pounds.

The survey's results have been released alongside the government's Cyber Governance Health Check, launched following the TalkTalk cyber attack in October last year.

The phone and broadband provider, which has over four million UK customers, said some of their banking details and personal information could have been accessed in the breach.

In light of these surveys, businesses are now being urged to protect themselves better.
#719 Pirate Bay blocked in Chrome, Firefox and Safari due to phishing site error
Google Chrome, Firefox, and Safari are blocking access to The Pirate Bay torrent portal, showing the classic "Deceptive site ahead" error usually seen on dangerous sites that may attempt to collect user credentials with fake login pages, show deceptive ads, or push unwanted downloads.

The exact same thing happened to Kickass Torrents almost a month ago, when the same three browsers displayed the same error for at least three days to their users.

The Kickass Torrents staff said it happened because of the intermediary confirmation screen that appeared every time users navigated away from the site. The Pirate Bay does not use this type of external link confirmation system and has not used one for years.

The warnings seen in these browsers are generic, to say the least. Despite claiming that The Pirate Bay is a phishing site, the cause is probably not actual "phishing," but the presence of links that lead to phishing websites or malicious ads that use forbidden redirection tricks.

Two weeks ago, The Pirate Bay was in the midst of another security alert, when security firm Malwarebytes discovered malicious ads on its portal, redirecting users to exploit kits that were delivering the Cerber ransomware.
#718 Microsoft sees over 10 million cyberattacks per day on its online infrastructure
According to a Microsoft security report, the company is seeing over 13 billion authentications per day for these two services (1.3 billion for AAD), of which, the company says over 10 million (per day) are cyber-attacks.

Microsoft says that there are two systems that help it catch and prevent most of the attackers from taking over accounts, even if they're using valid login credentials.

First, Microsoft uses an incorrect-password lockout system that prevents brute-force attacks; second, a location-based blocking feature prevents attackers from accessing accounts from other parts of the world.

Additionally, for Azure Active Directory, administrators can also use the Identity Protection feature to create extra policies that require more authentication from incoming users, or they can decide to block any login attempt outright, based on a risk score assigned to each login operation.
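The three controls described above (failed-password lockout, location-based blocking and a risk score that decides between allow, step-up authentication and block) can be modelled in a small decision engine. This is an added illustration, not Microsoft's code; the thresholds, the risk weights and the login events are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Set, Tuple

# Assumed policy values (constructed; not Microsoft's real thresholds).
LOCKOUT_THRESHOLD = 5      # failed passwords inside the window before the account locks
LOCKOUT_WINDOW = 600       # seconds a lockout lasts and failures are remembered
MFA_AT = 30                # risk score at which extra authentication is required
BLOCK_AT = 70              # risk score at which the login is refused outright


@dataclass(frozen=True)
class LoginAttempt:
    ts: int            # unix seconds
    user: str
    country: str       # country resolved from the source address
    password_ok: bool  # whether the supplied credential was valid


class LoginRiskEngine:
    """Lockout + location check + risk score, evaluated per login attempt."""

    def __init__(self, home_countries: Dict[str, Set[str]]):
        self.home = home_countries                                   # user -> countries seen before
        self.failures: Dict[str, Deque[int]] = defaultdict(deque)     # user -> recent failure times
        self.locked_until: Dict[str, int] = {}

    def _prune(self, user: str, now: int) -> None:
        # Forget failures older than the window so lockout is rate-based, not lifetime.
        q = self.failures[user]
        while q and now - q[0] > LOCKOUT_WINDOW:
            q.popleft()

    def evaluate(self, a: LoginAttempt) -> Tuple[str, int]:
        """Return (decision, risk_score) for one attempt and update state."""
        if self.locked_until.get(a.user, 0) > a.ts:
            return ("locked", 100)
        self._prune(a.user, a.ts)

        if not a.password_ok:
            # Wrong password: count it, and lock once the threshold is reached.
            self.failures[a.user].append(a.ts)
            if len(self.failures[a.user]) >= LOCKOUT_THRESHOLD:
                self.locked_until[a.user] = a.ts + LOCKOUT_WINDOW
                return ("locked", 100)
            return ("denied", 0)

        # Valid credential: a correct password alone is not enough, score the context.
        score = 0
        if a.country not in self.home.get(a.user, set()):
            score += 50                                   # location never seen for this user
        score += 10 * len(self.failures[a.user])          # guesses that preceded this success
        if score >= BLOCK_AT:
            return ("blocked", score)
        if score >= MFA_AT:
            return ("mfa", score)
        return ("allowed", score)


def run_sample() -> list:
    """Constructed sequence: a normal login, a foreign login, guessing, then lockout expiry."""
    engine = LoginRiskEngine({"alice": {"US"}})
    events = [
        LoginAttempt(1000, "alice", "US", True),    # home country, clean history
        LoginAttempt(1001, "alice", "RU", True),    # valid password, unfamiliar country
        LoginAttempt(1002, "alice", "RU", False),
        LoginAttempt(1003, "alice", "RU", False),
        LoginAttempt(1004, "alice", "RU", True),    # success after two guesses, abroad
        LoginAttempt(1005, "alice", "RU", False),
        LoginAttempt(1006, "alice", "RU", False),
        LoginAttempt(1007, "alice", "RU", False),   # fifth failure in window -> lock
        LoginAttempt(1008, "alice", "US", True),    # correct password, but locked
        LoginAttempt(1700, "alice", "US", True),    # window elapsed, failures forgotten
    ]
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```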
#717 'Recommended' Windows 7 update KB3133977 is breaking PCs with ASUS motherboards
As Microsoft explains:

After you install update 3133977 on a Windows 7 x64-based system that includes an ASUS-based main board, the system does not start, and it generates a Secure Boot error on the ASUS BIOS screen. This problem occurs because ASUS allowed the main board to enable the Secure Boot process even though Windows 7 does not support this feature.

Microsoft also has a solution:

The Secure Boot feature is supported in Windows 10. To learn more about the security advantages of this feature and about the upgrade path from Windows 7 to Windows 10, go to the following Windows website:

To be fair, this problem is the fault of ASUS rather than Microsoft, but switching the update from optional to recommended is going to be what causes people trouble.
#716 Lenovo patches serious flaw in pre-installed support tool
Lenovo has fixed a vulnerability in its Lenovo Solution Center support tool that could allow attackers to execute code with system privileges and take over computers.

The Lenovo Solution Center (LSC) is an application that comes pre-installed on many Lenovo laptops and desktops. It allows users to check their system’s virus and firewall status, update their software, perform backups, check battery health, get registration and warranty information and run hardware tests.

The tool has two components: a graphical user interface and a service called LSCTaskService that runs in the background at all times even if the user interface is not started.
#715 Symantec: Latest Intelligence for April 2016
The Latest Intelligence page has been refreshed through April 2016, providing the most up-to-date analysis of cybersecurity threats, trends, and insights concerning malware, spam, and other potentially harmful business risks. Here are some key takeaways from this latest batch of intelligence.

The Nuclear toolkit jumped to the top of web attack toolkits in April, comprising 42 percent of all web attacks. This toolkit has proved popular with ransomware peddlers who use it to spread their wares. The Spartan toolkit, which has topped the list of web attack toolkits for the last few months, dropped out of the top five this month. The Angler toolkit remained in second place, while RIG moved up into the top five this month.
#714 New security flaw found in Lenovo Solution Center software
A new vulnerability has been discovered in Lenovo’s much-maligned Lenovo Solution Center (LSC) software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code, said researchers at Trustwave SpiderLabs.

The flaw allows an attacker to elevate privileges and is tied to the LSC application’s backend. It opens the door for a malicious attacker to start the LSC service and trick it into executing arbitrary code in the local system context, said Karl Sigler, a SpiderLabs researcher at Trustwave.

LSC comes preloaded on nearly all Lenovo business and consumer desktop and laptop PCs. The software acts as a dashboard monitoring system health and security, covering battery life, driver updates and firewall status. Lenovo issued a fix for the security flaw last week. This is the second time the computer maker has had to patch LSC – the first being December 2015.
#713 Qualcomm software flaw exposes Android user data
FireEye has disclosed the details of a serious information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models.

Google announced this week that it released an Android update to patch tens of vulnerabilities. The search giant’s security advisory also mentioned an information disclosure vulnerability in the Qualcomm tethering controller (CVE-2016-2060) that allows a malicious application to access user information.

The vulnerability, discovered by researchers at FireEye-owned Mandiant, has been rated “high severity,” but Google noted that it does not affect Nexus devices. The patch for the issue is not in the Android Open Source Project (AOSP) repository — instead, it should be included in the latest driver updates for affected devices.

FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March, when it started reaching out to OEMs to let them know about the issue. Now it’s up to the device manufacturers to push out the patch to customers.

The flaw exists in an open source software package maintained by Qualcomm and is related to the Android network daemon (netd).
#712 Diary of a ransomware victim
For online casinos, business begins to peak as gamblers punch out of work and belly-up to virtual blackjack tables. But on this Tuesday in February at 5p.m., the odds were not in the house’s favor. That’s when this virtual casino—with tens of millions of dollars in virtual transaction data, thousands of user profiles and millions invested in computer infrastructure—was hit with ransomware that risked turning a thriving business into an encrypted crime scene.

The criminals behind this attack couldn’t have picked a better target. This legal online casino, located outside the US, is one of the largest operators in the gambling and entertainment business. On the condition Threatpost would not identify the casino, we were given rare insight into a high-stakes ransomware attack that serves as a cautionary tale for any company.
#711 Petya: the two-in-one trojan
Infecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs. Back in 1994, the virus OneHalf emerged that infected MBRs and encrypted the disk contents. However, that virus did not extort money. In 2011, MBR blocker Trojans began spreading (Trojan-Ransom.Win32.Mbro) that infected the MBR and prevented the operating system from loading further. The victim was prompted to pay a ransom to get rid of the problem. It was easy to treat a system infected by these blocker Trojans because, apart from the MBR, they usually didn’t encrypt any data on the disk.

Today, we have encountered a new threat that’s a blast from the past. The Petya Trojan (detected by Kaspersky Lab products as Trojan-Ransom.Win32.Petr) infects the MBR preventing normal system loading, and encrypts the Master File Table (MFT), an important part of the NT file system (NTFS), thus preventing normal access to files on the hard drive.
#710 Kaspersky: IT threat evolution in Q1 2016 report (PDF)
2016 has only just got underway, but the first three months have already seen the same amount of cybersecurity events that just a few years ago would have seemed normal for a whole year. The main underlying trends remained the same, while there was significant growth in trends related to traditional cybercrime, especially mobile threats and global ransomware epidemics.

Ransomware became the main theme of the quarter after knocking targeted attacks from the top of the most popular threat rating. Unfortunately, this is a situation that will continue to evolve, and those behind the extortion could well end up being named "problem of the year".
#709 Malware may abuse Android’s accessibility service to bypass security enhancements
Android’s recent API modifications have hampered some malware’s ability to determine which application is currently running in the foreground of a device at any given point of time. As Android begins to successfully block this attack method, attackers may adopt a trick used by adware so that their threats can work again. Though we have previously seen mobile potentially unwanted applications (PUAs) abuse accessibility services to install arbitrary applications, we believe financial malware could use the same technique to circumvent a significant security improvement specifically created to thwart this kind of threat.
#708 IBM just made a powerful research tool available to everyone for free
New quantum computing project is available to play with online.

IBM has a powerful new research project that anyone can use for free.

The business technology company’s research arm said on Wednesday that it’s giving everyone access to one of its quantum computing processors, an experimental technology that has the potential to quickly crunch huge amounts of data.

Anyone from university researchers to tech savvy teenagers can apply through IBM Research’s website to test the processor. IBM will determine how much access people receive to the processor depending on their technology background and how well versed they are in quantum technology, explained Jerry Chow, the manager of IBM’s experimental quantum computing group.

Generally speaking, in traditional computing, data is encoded in one of two states, as represented by the tiny transistors embedded on silicon chips being turned on or off. Quantum computing, however, uses particles called quantum bits, or qubits to handle the heavy duty processing.
#707 Big data breaches found at major email services - expert
Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia's criminal underworld, a security expert told Reuters.

The discovery of 272.3 million stolen accounts included a majority of users of (MAILRq.L), Russia's most popular email service, and smaller fractions of Google (GOOGL.O), Yahoo (YHOO.O) and Microsoft (MSFT.O) email users, said Alex Holden, founder and chief information security officer of Hold Security.
#706 Public exploits available for ImageMagick vulnerabilities
Within hours of the disclosure of serious vulnerabilities in ImageMagick, public exploits were available increasing the risk to thousands of websites that make use of the open source image-processing software.

Attackers can append malicious code to an image file that ImageMagick will process without question, leading to, in the case of one of the vulnerabilities, remote code execution. The scope of the issue is severe since image-processing plugins such as PHP imagick, Ruby rmagick and Ruby paperclip, and nodeJS imagemagick among others are built on top of the ImageMagick library.

Researcher Ryan Huber was among the first on Tuesday to publicly disclose that ImageMagick had a problem. A researcher from the team in Russia who goes by the handle Stewie found the flaw, while Nikolay Ermishkin, also of the team, found the remote code execution issue.

“We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them,” Huber wrote on the ImageTragick website, a landing page complete with FAQ on the bugs. “An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software.”
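The problem behind #724 and #706 is that ImageMagick picks its decoder from a file's contents rather than its extension, so a text-based MVG or MSL script uploaded as "image.png" is still run as a script. The added example below (not the ImageTragick team's code or ImageMagick's own) shows the content check a web application can apply before handing an upload to ImageMagick: accept only files whose leading bytes match a real raster format and whose declared extension agrees with them; the sample inputs are constructed.

```python
from typing import Optional

# Leading bytes of the raster formats this (assumed) site is willing to convert.
ALLOWED_MAGIC = {
    "png":  [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif":  [b"GIF87a", b"GIF89a"],
    "tiff": [b"II*\x00", b"MM\x00*"],
}
EXT_ALIASES = {"jpg": "jpeg", "tif": "tiff"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the format the header proves, or None if it matches no allowed format."""
    # WebP is a RIFF container: "RIFF" at offset 0, "WEBP" at offset 8.
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    for kind, prefixes in ALLOWED_MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def is_safe_for_imagemagick(data: bytes, declared_ext: str) -> bool:
    """True only when the magic bytes are an allowed format AND agree with the extension.

    A script-format file (MVG, MSL, plain text) has no such header and is rejected
    regardless of what the client called it; a real PNG renamed .jpg is rejected
    too, so the converter is never asked to guess.
    """
    detected = sniff_image_type(data)
    if detected is None:
        return False
    ext = declared_ext.lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext) == detected


# Constructed samples: a minimal PNG header and an MVG drawing script renamed to .png.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
SAMPLE_MVG_AS_PNG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"


def check_uploads() -> dict:
    """Run the gate over the samples; the web app would refuse any False result."""
    return {
        "png_as_png": is_safe_for_imagemagick(SAMPLE_PNG, "png"),
        "png_as_jpg": is_safe_for_imagemagick(SAMPLE_PNG, "jpg"),
        "mvg_as_png": is_safe_for_imagemagick(SAMPLE_MVG_AS_PNG, "png"),
    }


if __name__ == "__main__":
    for name, ok in check_uploads().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

This gate complements, rather than replaces, restricting the coders ImageMagick may use in its policy.xml.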
#705 Identity thieves used leaked PII to steal ADP payroll Info
Cybercriminals accessed a W-2 portal maintained by payroll company ADP recently to glean sensitive information about employees at a handful of companies.

The company is stressing that the company itself wasn’t hacked, but that it appears identity thieves may have been able to create ADP accounts in the names of victims using previously leaked personally identifiable information.

The problem, ADP claims, was a self-service registration portal that allowed attackers to set up fraudulent accounts in the names of employees at those undisclosed companies.

An investigation carried out by the company determined that attackers likely pieced together information on victims using other information published about them online. Any individuals who had their W-2 information compromised likely had their information compromised previously, ADP claims.
#704 Apple updates Xcode’s Git implementation
Apple has updated its Xcode development environment, patching two vulnerabilities in its implementation of git.

Git is a version control system, and in March its handlers patched two flaws that exposed the software to remote code execution.

The new version of Xcode, 7.3.1, is available for El Capitan v10.11 and later.

Apple said it updated git to version 2.7.4, patching a heap-based buffer overflow in the way it handled filenames. Belgian researcher Mattias Geniar wrote about the git flaws in March, saying that the bug had the potential to be huge because it enabled both server-side and client-side remote code execution.
#703 Cisco patches critical TelePresence vulnerability
Cisco Systems said it has patched a critical flaw tied to its TelePresence hardware that allowed unauthorized third parties to access the system via an API bug. The networking behemoth also alerted customers to a pair of denial-of-service vulnerabilities that represent a high risk for its FirePOWER firewall hardware.

The United States Computer Emergency Readiness Team (US-CERT) issued an alert on Wednesday and said Cisco has provided patches for the affected products.

The most serious of the flaws is tied to Cisco’s TelePresence XML application programming interface and allows hackers to bypass the authentication process for its TelePresence EX, MX, SX and VX hardware. Hackers with knowledge of the vulnerability are able to perform unauthorized configuration changes or issue control commands to TelePresence hardware running affected software.

Cisco issued a patch (CVE-2016-1387) for the TelePresence bug. Cisco wrote: “The vulnerability is due to improper implementation of authentication mechanisms for the XML API of the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to the XML API.”
#702 Microsoft unveils new effort to make its developer, IT documentation great again
Microsoft's developer documentation used to be the model that all others should follow. The documentation itself was thorough, combining reference material with usage guides and sample code. Its use of, at the time, novel JavaScript and XML techniques (known in those days as dynamic HTML, or DHTML) made it easy to browse through the documentation and quickly switch between related portions. But successive "updates" to MSDN Library have made it harder and harder to use, obscuring the consistent structure and organization and becoming much less useful to developers as a result. These updates had other side effects, often breaking URLs, so that both internal and external links to the documentation broke or bounced you through numerous redirects.

After years of ad hoc changes to its documentation system, Microsoft has announced a new plan to overhaul both its TechNet and MSDN documentation to make it fit for purpose. Documentation will have a new site, with a new, consistent look and features.
#701 How the Pwnedlist got pwned
Last week, I learned about a vulnerability that exposed all 866 million account credentials harvested by Pwnedlist, a service designed to help companies track public password breaches that may create security problems for their users. The vulnerability has since been fixed, but this simple security flaw may have inadvertently exacerbated countless breaches by preserving the data lost in them and then providing free access to one of the Internet’s largest collections of compromised credentials.

Pwnedlist is run by Scottsdale, Ariz.-based InfoArmor, and is marketed as a repository of usernames and passwords that have been publicly leaked online for any period of time at Pastebin, online chat channels and other free data dump sites.

The service until quite recently was free to all comers, but it makes money by allowing companies to get a live feed of usernames and passwords exposed in third-party breaches which might create security problems going forward for the subscriber organization and its employees.
#700 An analysis of overlapping technologies used by cybercriminals and terrorist organizations
Cybercriminal activities have always involved the abuse of legitimate online tools and services. Examples of these activities come in many forms and can be found everywhere—from using vulnerabilities in software, websites, and web applications as attack vectors, hosting malicious components in cloud services, to leveraging clickbait posts and links on social networking sites to lure hapless users into falling for their schemes. No matter what technology or service rolls out in the future, there will always be room for abuse.

During the course of our research on cybercrime, we found that one particular group appears to share the same level of proficiency as cybercriminals in abusing legitimate services: terrorist groups who can be considered as cybercriminals in their own right, as their online activities also run afoul of the law. The two groups have different motives though, as cybercriminals are motivated by financial gain, while terrorists aim to spread propaganda instead of malware.

This research is about how cybercriminals and terrorists overlap in their abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily.
#699 Huge number of sites imperiled by critical image-processing vulnerability
A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.

The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows malformed images to force a Web server to execute code of an attacker's choosing. Websites that use ImageMagick and allow users to upload images are at risk of attacks that could completely compromise their security.

"The exploit is trivial, so we expect it to be available within hours of this post," Huber wrote in a blog post published Tuesday. He went on to say: "We have collectively determined that these vulnerabilities are available to individuals other than the person(s) who discovered them. An unknowable number of people having access to these vulnerabilities makes this a critical issue for everyone using this software."
#698 Google expands default HTTPS to Blogspot
Google today flipped the switch on default HTTPS support for its free domain service provider Blogspot, upping the security ante for the millions of users of the popular platform.

Google had previously introduced HTTPS support for Blogspot domains as an option in September 2015. Starting Tuesday, Google said, the browser-to-website encryption technology would be automatically added to every Blogspot domain blog.

“Any time you add encryption to a transport layer it’s a good thing,” said Rick Doten, chief of cyber and information security at Arlington, Va.-based consultancy Crumpton Group. He said Google is just the most recent company to add encryption to its platform, following high-profile encryption moves by WhatsApp and Viber.
#697 Linux foundation badge program to boost open source security
The Linux Foundation says a new Core Infrastructure Initiative (CII) Best Practices Badge program launched Tuesday will help companies interested in adopting open source technologies evaluate projects based on security, quality and stability.

The CII Best Practices Badge does not issue certificates nor validate open source projects. Instead, CII is a platform for open source projects such as OpenSSL, Node.js, and GitLab to self-disclose critical aspects of their projects.
#696 Microsoft SHA-1 deprecation final countdown begins
The home stretch of Microsoft’s planned SHA-1 deprecation schedule has arrived. This summer, with the planned release of the Windows 10 Anniversary Update, users should see signs that the weak cryptographic hash function is being phased out.

Microsoft said that once the anniversary update is rolled out, Microsoft Edge and Internet Explorer will no longer display the lock icon in the address bar for any site signed with a SHA-1 certificate.

Developers should see this happening soon in the Windows Insider Preview build, Microsoft said.

Last November, Microsoft hinted that it would start blocking SHA-1-signed TLS certificates this June, moving up its scheduled deprecation of SHA-1 by more than six months. By February 2017, Microsoft said last week, Edge and IE will block SHA-1 certificates outright.
#695 Ubuntu founder pledges no back doors in Linux
Ubuntu developers are gathering this week for the Ubuntu Online Summit (UOS), which runs from May 3-5, to discuss development plans for the upcoming Ubuntu 16.10 Linux distribution release, code-named "Yakkety Yak."

In a video interview with Mark Shuttleworth, founder of Ubuntu Linux and Canonical, he discusses Ubuntu 16.10, including the Mir display server and his views on security including the use of encryption.

Ubuntu 16.10 is set to debut in October and follows the Ubuntu 16.04 update, which was released on April 21. While it's not yet entirely clear what exact features will land in Ubuntu 16.10, one candidate is the Mir display server. The Ubuntu community--and Shuttleworth in particular--has been talking about migrating to Mir since at least 2013. The promise of Mir is a unified display technology that will work across desktops, mobile devices and even TVs. While there is some controversy among members of the Linux community over the transition to Mir, Shuttleworth emphasized that few people will ever know the difference.

"I can't say when Mir will drop into Ubuntu as the default display system, but I can say when it does, no one should notice it," Shuttleworth told eWEEK. "That's our commitment: The set of experiences that people enjoy about Ubuntu--they can count on."
#694 OpenSSL patches two high-severity vulnerabilities
The latest batch of OpenSSL security patches were released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h.

One of the high-severity flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC cipher and the server supports AES-NI.

“The AES issue is interesting. If you can [man-in-the-middle] then you can inject packets, look at the error codes, and then eventually figure out the AES key,” said Rich Salz, a member of the OpenSSL development team and an engineer at Akamai. “So it’s for national-scale attackers who can force DNS or BGP routes, or small hackers who can hack Wi-Fi in Starbucks.”
#693 FBI reaffirms stance not to pay ransomware attackers
The FBI has issued a warning to businesses about the relentless wave of ransomware. The bulletin includes preventative tips, and an affirmation of the bureau’s stance that companies affected by cryptoransomware attacks in particular should not succumb to temptation and pay their attackers off.

The warning comes at the same time as a Michigan utility continues to recover from an attack disclosed one week ago. Lansing Board of Water and Light posted a statement on its Facebook page this afternoon that it continues to investigate the attack, and that it has hired an incident response firm to handle recovery of its IT systems.
#692 LG's new fingerprint sensor doesn't need a button
LG Innotek has developed a fingerprint sensor that's placed under a glass surface instead of in a physical button, the company announced Sunday.

The new sensor could lead to smartphones that you can unlock by placing your finger on the phone screen.
#691 Samsung Smart Home flaws let hackers make keys to front door
Computer scientists have discovered vulnerabilities in Samsung's Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung's SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren't easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper scheduled to be presented later this month at the 2016 IEEE Symposium on Security and Privacy. "The attack vectors are not specific to a particular device and are broadly applicable."
#690 Chrome overtakes Internet Explorer for most popular desktop browser
At the end of every month, using public data sources, we can take a look at trends in the desktop and browser markets and the day has finally arrived where Chrome is now a more popular browser than Internet Explorer.

Net Marketshare states that, according to its data from 40,000 websites for the month of April, Chrome has 41.66% of the browser market share while Internet Explorer has 41.35%, which is a small margin of victory for Google and its Chrome browser. Because this is such a small margin, I originally titled this post “Google Ties Microsoft For Most Popular Browser”, as it is sampling and the margin of error surely outweighs the point differential between these two browsers, but that’s not the entire picture once I dug a bit further into the data.
#689 Secret US spy court approved every surveillance request in 2015
The Foreign Intelligence Surveillance Court, the one that NSA whistleblower Edward Snowden revealed is allowing the government to obtain the metadata of every phone call to and from the United States, approved every surveillance request from US authorities in 2015.

Reuters news service, which reviewed a secret document outlining the figures, reported that the FISA Court granted every one of the 1,457 surveillance applications last year. The scope of the surveillance is unknown but vast. A single application is all it takes for the FISA Court to require the nation's telcos to scoop up and retain the telephone metadata on all phone calls. The court, based in the District of Columbia and whose members are appointed by the Supreme Court's chief justice, approved every one of the 1,379 applications for the year 2014 as well, according to the memo.
#688 Google patches more trouble in Mediaserver
Google has re-branded its monthly patch release, bringing a new name and new scope to the newly renamed Android Security Bulletin. While that may be new, the content is definitely familiar.

Once again, critical remote code execution Mediaserver vulnerabilities dominate this month’s patches. Mediaserver has been a front and center security issue since last summer’s Stagefright disclosures. The software serves up media content and interacts with the kernel, making it a tasty target for attacks. Researchers, meanwhile, have called it an “over-privileged” application since it’s granted system access on some devices.
#687 Breaking Steam client cryptography
Older versions of Steam allow an attacker who observes a client connecting to Steam to read sensitive information sent over the network. This allows the attacker to take over the account, bypass SteamGuard, and sometimes view plain-text passwords.

But how? Steam encrypts its entire network connection (at least the Steam-specific parts; there are some suspicious plaintext HTTP requests going around) with AES-256-CBC. And the AES key used (hereafter “session key”) is generated securely on the client, encrypted with RSA-1024 and a hardcoded public key, and sent to Steam; an eavesdropper can’t get at the session key.

RSA and AES aren’t broken, but Steam was.
#686 Verizon's 2016 Data Breach Investigations Report
For the ninth time, the 2016 Data Breach Investigations Report (DBIR) lifts the lid on what's really happening in cybersecurity. The 2016 dataset is bigger than ever, examining over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries. With data provided by 67 contributors including security service providers, law enforcement and government agencies, this year's report offers unparalleled insight into the cybersecurity threats you face.
#685 Eurocops get new cyber powers to hunt down terrorists, criminals
Europe’s police agency Europol has been given enhanced cyber powers to track down terrorists and other criminals.

The new governance rules were approved by the European Parliament’s civil liberties committee on Thursday by a massive majority. MEPs claimed that the new powers come with strong data protection safeguards and democratic oversight.

Last November, the draft rules were given the green light by the European Union's 28 member states. Now the panel's politicos have overwhelmingly thrown their weight behind the measures, by 40 votes to three, with two abstentions.

It means that Europol will be able to more easily set up specialised units to respond immediately to emerging threats, in particular cross-border crimes and terrorist threats.
#684 Australian Government agency: consumers not breaching copyright by circumventing with VPN
Australian consumers should be able to legally circumvent geoblocking restrictions that prevent them from using foreign online streaming services like US Netflix, according to the Productivity Commission.

In a draft report that urges a major overhaul of intellectual property laws, the commission found that geoblocking technology is "pervasive" and means Australians are offered a lower level of digital services at a higher price.

The report concluded that Australian consumers should be able to access overseas streaming services like Netflix without the fear of infringing copyright laws, and that the answer to piracy is not "big brother enforcement".