Security Alerts & News
by Tymoteusz A. Góral

#1922 Ransomware app hosted in Google Play infects unsuspecting Android user
Google Play, the official market for Android apps, was caught hosting a ransomware app that infected at least one real-world handset, security researchers said Tuesday.

The ransomware was dubbed Charger and was hidden inside an app called EnergyRescue, according to a blog post published by security firm Check Point Software. Once installed, Charger stole SMS contacts and prompted unsuspecting users to grant it all-powerful administrator rights.
#1921 Breach notification website LeakedSource allegedly raided
LeakedSource, a breach notification service that exposed some of 2016’s largest data breaches, might be facing a permanent shutdown.

According to a forum post on a well-known marketplace, the owner of LeakedSource was raided earlier this week, although the exact details of any potential law enforcement action remain a mystery.

At the start of the new year, LeakedSource indexed more than 3 billion records. Their collection is the result of information sharing between a number of sources, including those who hacked the data themselves. Access to the full archive requires a membership fee.
#1920 Now there’s a better way to prevent Facebook account takeovers
Facebook is enhancing its existing protection against account takeovers with cryptographically based security keys that can be used as a second factor of authentication, the social network is announcing today.

A handful of online services—including Google, Dropbox, GitHub, and Salesforce—already support security keys based on the open Universal 2nd Factor, or U2F, standard, created by the Fido Alliance. Now Facebook is offering them, too. The inexpensive devices, which plug into users' USB ports, were recently shown to beat out smartphones and most other forms of two-factor verification in a two-year study of more than 50,000 Google employees. That assessment was based on the ease of using and deploying keys, the security they provided against phishing and other types of account-takeover attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication.
#1919 Gmail will block JS attachments for security reasons starting February 13
Gmail users' accounts are about to become safer, as on February 13th Google will begin blocking JS attachments in emails. Currently Gmail blocks 31 attachment types, including .exe, .bat, .hta, and .vbs files, but JS files are still allowed through. As this file type is commonly used to distribute malware, blocking JS files will only increase the security of users' Gmail accounts.

Starting on February 13th 2017, when a user tries to attach a JS file, Gmail will block the attachment and warn the user that this attachment type is no longer allowed. If a user receives a JS attachment in Gmail, access to the file will be blocked as well and the user will be shown a warning stating that the file was blocked for security reasons.
#1918 XSS on WebEx domains undoes previous fixes to Cisco WebEx Chrome extension
At the start of this week, Google Project Zero security researcher Tavis Ormandy made public his discovery of a remote code execution vulnerability within Cisco's WebEx extension for Chrome.

In his comments on Cisco's patches, which whitelisted code execution on the webex.com domain and prompted the user on other domains, Ormandy sagely warned of the situation the networking giant had to address later in the week.

"I think we will consider this issue fixed now. Hopefully, webex.com is well maintained and not full of XSS," he said.