Security Alerts & News
by Tymoteusz A. Góral

History
#1840 The 10 biggest security incidents of 2016
2016 has been a challenging year for politics, public sanity and celebrity longevity, but also, for individuals and companies, a testing time in terms of online security. Pitted against increasingly sophisticated and targeted cybercriminals, it’s not been easy going, as these notable security incidents from the past 12 months reveal.
#1839 Updated Sundown exploit kit uses steganography
This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation.

Sundown is something of an outlier from typical exploit kits. It tends to reuse old exploits and doesn’t make an effort to disguise its activity. The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap. These are the normal extensions for these file types. Typically, other exploit kits make an effort to hide their exploits. In addition, Sundown doesn’t have the anti-crawling feature used by other exploit kits.
#1838 Android ransomware infects LG SmartTV
Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such as smart TVs.

The latest incident involving ransomware on a smart TV involves software engineer Darren Cauthon, who revealed that the LG smart TV of one of his family members was infected with ransomware right on Christmas day.

Based on a screenshot Cauthon posted online, the smart TV appears to be infected with a version of the Cyber.Police ransomware, also known as FLocker, Frantic Locker, or Dogspectus.
#1837 Ransomworm: the next level of cybersecurity nastiness
As if holding your data hostage and seeking cash payment weren’t harsh enough, security experts foresee the next stage of ransomware to be even worse.

Scott Millis, CTO at mobile security company Cyber adAPT, expects ransomware to spin out of control in the year ahead. That is an astounding statement when you consider that there were more than 4,000 ransomware attacks daily in 2016, according to Symantec’s Security Response group.

Corey Nachreiner, CTO at WatchGuard Technologies, predicts that 2017 will see the first ever ransomworm, causing ransomware to spread even faster.
#1836 Chrome will soon mark some HTTP pages as 'non-secure'
Beginning next month, the company will tag web pages that include login or credit card fields with the message "Not Secure" if the page is not served using HTTPS, the secure version of the internet protocol.

The company on Tuesday began sending messages through its Google Search Console, a tool for webmasters, warning them of the changes that take place starting in January 2017.

The changes are supported in version 56 or later of the Chrome browser.
#1835 Switcher: Android joins the ‘attack-the-router’ club
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.
#1834 This low-cost device may be the world’s best hope against account takeovers
The past five years have witnessed a seemingly unending series of high-profile account take-overs. A growing consensus has emerged among security practitioners: even long, randomly generated passwords aren't sufficient for locking down e-mail and other types of online assets. According to the consensus, these assets need to be augmented with a second factor of authentication.

Now, a two-year study of more than 50,000 Google employees concludes that cryptographically based Security Keys beat out smartphones and most other forms of two-factor verification.

The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a "cryptographic assertion" that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms.
#1833 YubiKey for Windows Hello brings hardware-based 2FA to Windows 10
Yubico announced its plans to support Microsoft's Windows Hello platform back in September at the Ignite conference, with the goal of bringing strong, hardware-based authentication to Windows 10.

Finally, after nearly two months of waiting, the YubiKey for Windows Hello app has landed in the Windows Store. It's a strong solution for retrofitting the additional protection of Windows Hello on systems that don't have built-in support for facial recognition or fingerprint-based sign-in.

The new app requires a YubiKey, Yubico's USB-based device that generates an encrypted, one-time password. Enterprise admins have been using hardware-based authentication for years, making it impossible for phishing attacks and password database breaches to succeed. Even if someone successfully steals your credentials, they can't sign in without proving that they also have the physical device as a second form of identification.
#1832 Security Keys: practical cryptographic second factors for the modern web (PDF)
"Security Keys" are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single device and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google's online services. We show that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within Google and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the industry. Currently, Security Keys have been deployed by Google, Dropbox, and GitHub.
#1831 Is Mirai really as black as it’s being painted?
The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future.

To put this in perspective, recall the year 2012, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result of this, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public.

The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future.
#1830 The most dangerous people on the internet in 2016
Not so long ago, the internet represented a force for subversion, and WIRED’s list of the most dangerous people on the internet mostly consisted of rebellious individuals using the online world’s disruptive potential to take on the world’s power structures. But as the internet has entered every facet of our lives, and governments and political figures have learned to exploit it, the most dangerous people on the internet today often are the most powerful people.

A Russian dictator has evolved his tactics from suppressing internet dissent to using online media for strategic leaks and disinformation. A media mogul who rose to prominence on a wave of hateful bile now sits at the right hand of the president. And a man who a year ago was a reality television star and Twitter troll is now the leader of the free world.
#1829 Encrypted messaging app Signal uses Google to bypass censorship
Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts.

Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too.

Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked.
#1828 Disclosing the primary email address for each Facebook user
This post is going to be discussing how I was able to get the primary/hidden email address for any Facebook user. This also happens to be my first accepted bug to the Facebook Bug Bounty Program.
#1827 Danger close: Fancy Bear tracking of Ukrainian field artillery units
In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC), and other political organizations that utilized a well-known implant commonly called X-Agent. X-Agent is a cross-platform remote access toolkit; variants have been identified for various Windows operating systems, Apple’s iOS, and likely the MacOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade. CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.
#1826 New French law bars work email after hours
A new French law establishing workers’ “right to disconnect” goes into effect today. The law requires companies with more than 50 employees to establish hours when staff should not send or answer emails. The goals of the law include making sure employees are fairly paid for work, and preventing burnout by protecting private time.

French legislator Benoit Hamon, speaking to the BBC, described the law as an answer to the travails of employees who “leave the office, but they do not leave their work. They remain attached by a kind of electronic leash—like a dog.”
#1825 Changing other people's flight bookings is too easy
The travel booking systems used by millions of people every day are woefully insecure and lack modern authentication methods. This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according to a team of researchers who analyzed this online ecosystem.

Karsten Nohl and Nemanja Nikodijevic from Berlin-based consultancy Security Research Labs have spent months investigating the security employed by the Global Distribution Systems (GDSs) that are used by travel agencies, airlines, hotels and car rental companies. They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg.