Security Alerts & News
by Tymoteusz A. Góral

#1963 Dozens of popular iOS apps vulnerable to intercept of TLS-protected data
While developing a tool for evaluating mobile application security, researchers at Sudo Security Group Inc. found something unexpected. Seventy-six popular applications in Apple's iOS App Store, they discovered, had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. The applications accepted a forged certificate sent back by a proxy, so traffic they believed to be protected by Transport Layer Security could be decrypted and examined in transit.

The discovery was initially the result of bulk analysis by a Sudo service that performs automated static analysis of application binaries from Apple's App Store. Will Strafach, president of Sudo, then verified in the lab that the applications flagged by the system were vulnerable, using a network proxy configured with its own SSL certificate. The tell is simple: a correctly validating client rejects such a certificate because it does not chain to a root the device trusts, so an app that completes the handshake anyway has disabled or misimplemented certificate validation.
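As an added illustration of the failure mode described above (example code, not from the article or from Sudo's tooling), the following Python shows the vulnerable client configuration next to the hardened one, a one-line check a reviewer can apply to a TLS context, and certificate pinning layered on top of chain validation. The host, port and pin values in `fetch_with_pin` are placeholders, and the pinning form shown (hashing the whole DER leaf certificate) is an assumption chosen for simplicity; production apps usually pin the SubjectPublicKeyInfo instead.

```python
import hashlib
import socket
import ssl


def insecure_context():
    """The vulnerable pattern: trust whatever certificate the peer presents.

    A proxy on the path can answer with a forged certificate for the API host
    and this client will finish the handshake with it, exactly the behaviour
    the Sudo researchers observed.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # no chain validation at all
    return ctx


def hardened_context():
    """The correct pattern: chain validation against the system trust store
    plus hostname checking. A forged certificate that does not chain to a
    trusted root fails the handshake before any application data is sent."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_peer(ctx):
    """Reviewer's check over a TLS context: both chain validation and
    hostname verification must be on, or a proxy certificate gets through."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def cert_pin_matches(peer_cert_der, pins):
    """Certificate pinning on top of chain validation: compare the SHA-256 of
    the DER-encoded leaf certificate against an allow-list shipped in the app.
    (Assumption: whole-leaf pinning, the simplest form.)"""
    return hashlib.sha256(peer_cert_der).hexdigest() in pins


def fetch_with_pin(host, port, pins, ctx=None):
    """Open a TLS connection, let the context run chain and hostname checks,
    then enforce the pin. Returns True only if every check passed.
    Needs network access; host, port and pins are caller-supplied placeholders."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return cert_pin_matches(der, pins)


if __name__ == "__main__":
    print("insecure context validates peer:", validates_peer(insecure_context()))
    print("hardened context validates peer:", validates_peer(hardened_context()))
```

Run against an interception proxy such as the one Strafach used, `fetch_with_pin` with the hardened context fails inside `wrap_socket` with a certificate verification error; with `insecure_context()` passed in, the handshake succeeds and only the pin check (if the app has one) stands between the proxy and the plaintext.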
#1962 Microsoft hosts the Windows source in a monstrous 300GB Git repository
Git, the open source distributed version control system created by Linus Torvalds to handle Linux's decentralized development model, is being used for a rather surprising project: Windows.

Traditionally, Microsoft's software has used a version control system called Source Depot. This is proprietary and internal to Microsoft; it's believed to be a customized version of the commercial Perforce version control system, tailored for Microsoft's larger-than-average size. Over the years, Redmond has also developed its own version control products. Long ago, the company had a thing called SourceSafe, which by reputation was the moral equivalent of tossing all your precious source code in a trash can and then setting it on fire, thanks to the system's propensity to corrupt its database. In the modern era, the Team Foundation Server (TFS) application lifecycle management (ALM) system offered Team Foundation Version Control (TFVC), a much more robust, scalable version control system built around a centralized model.
#1961 InterContinental confirms breach at 12 hotels
InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

IHG published a list of the known breached locations. It said cards used at the front desk of these properties were not affected.
#1960 Darknet follows Google's bug bounty lead: But this cash is for flaws that expose shady traders
To keep its customers out of trouble, Hansa, a popular darknet marketplace for selling illicit goods, is following legitimate businesses by paying researchers for reporting security flaws.

It is one of many darknet marketplaces seeking to meet the demand for anonymous trading once served by the fallen drug bazaar Silk Road. With its buyers and sellers likely to be of interest to law-enforcement agencies as well as hackers, Hansa announced on Reddit last week that it had launched a bitcoin bug bounty to keep clients safe.

Bug bounties are gaining in popularity in the world of legitimate business as a means of improving product security.
#1959 Polish banks infected with malware hosted on their own government's site
Several Polish banks said they suffered malware infections after their employees visited the site of the Polish Financial Supervision Authority (KNF), which had itself been compromised earlier to serve a malicious JavaScript file.

Zaufana Trzecia Strona, a local Polish news site, first reported the attacks late last Friday. The news site said that during the past week, the security teams at several as-yet-unnamed Polish banks detected downloads of suspicious files and encrypted traffic to unusual IP addresses in several foreign countries.

As employees at different banks started looking into their systems, they found malware installed on numerous workstations and even some servers.
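The detection signal the banks' teams acted on, encrypted traffic to unusual foreign destinations, is easy to reproduce over egress-proxy logs. Below is an added example (not code from the article or from any affected bank) that parses constructed log lines, keeps only TLS-port connections to countries outside the organisation's normal footprint, and flags destinations that only a handful of internal hosts contacted: a popular foreign SaaS or CDN is reached by many hosts and drops out, while a command-and-control endpoint typically is not. The log format, the home-country set and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed egress-proxy log lines for the example; not from the article or
# from any of the affected banks. RFC 5737 documentation addresses throughout.
SAMPLE_LOG = """\
2017-02-03T09:01:12 src=WS-011 dst=203.0.113.10 port=443 bytes=5120 country=PL
2017-02-03T09:02:40 src=WS-012 dst=203.0.113.10 port=443 bytes=6100 country=PL
2017-02-03T09:03:05 src=WS-011 dst=203.0.113.200 port=443 bytes=2048 country=US
2017-02-03T09:03:09 src=WS-012 dst=203.0.113.200 port=443 bytes=2300 country=US
2017-02-03T09:03:15 src=WS-013 dst=203.0.113.200 port=443 bytes=1990 country=US
2017-02-03T09:05:17 src=WS-011 dst=198.51.100.23 port=443 bytes=48213 country=BR
2017-02-03T09:05:52 src=WS-011 dst=192.0.2.77 port=443 bytes=39877 country=MX
2017-02-03T09:06:30 src=WS-012 dst=203.0.113.55 port=80 bytes=1200 country=PL
2017-02-03T09:07:01 src=WS-014 dst=198.51.100.23 port=443 bytes=51000 country=BR
2017-02-03T09:08:44 src=WS-015 dst=192.0.2.9 port=80 bytes=800 country=DE
"""

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) "
    r"bytes=(?P<bytes>\d+) country=(?P<country>[A-Z]{2})"
)

HOME_COUNTRIES = {"PL"}   # assumption: where this organisation normally talks to
TLS_PORTS = {443, 8443}   # the "encrypted traffic" part of the report


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["bytes"] = int(rec["bytes"])
        yield rec


def rare_foreign_tls(text, home=HOME_COUNTRIES, max_hosts=2):
    """Return (dst, country, sorted hosts, total bytes) for every TLS
    destination outside `home` that at most `max_hosts` internal hosts
    contacted. Low prevalence is the discriminator: legitimate foreign
    services are shared by many hosts, C2 endpoints rarely are."""
    hosts = defaultdict(set)
    country = {}
    volume = defaultdict(int)
    for rec in parse_log(text):
        if rec["port"] not in TLS_PORTS or rec["country"] in home:
            continue
        hosts[rec["dst"]].add(rec["src"])
        country[rec["dst"]] = rec["country"]
        volume[rec["dst"]] += rec["bytes"]
    return sorted(
        (dst, country[dst], sorted(h), volume[dst])
        for dst, h in hosts.items()
        if len(h) <= max_hosts
    )


def hosts_to_triage(text, **kwargs):
    """Internal hosts that touched any flagged destination: the workstations
    (and servers) an incident responder would image first."""
    return sorted({h for _, _, hs, _ in rare_foreign_tls(text, **kwargs) for h in hs})


if __name__ == "__main__":
    for dst, cc, hs, nbytes in rare_foreign_tls(SAMPLE_LOG):
        print(f"ALERT {dst} ({cc}) hosts={hs} bytes={nbytes}")
    print("triage:", hosts_to_triage(SAMPLE_LOG))
```

On the sample data the US destination shared by three hosts is ignored, the port-80 connections are ignored, and the two Brazilian and Mexican TLS endpoints reached from one or two workstations are raised, along with the hosts to pull for forensics. Lower `max_hosts` to 1 to see only destinations unique to a single host.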
#1958 Vizio: The spy in your TV
Vizio, with its Smart Interactivity feature, had gathered data from more than 11 million smart TVs. This Smart Interactivity "feature" worked by watching what you watch. It didn't matter where your content was coming from -- cable, streaming, DVD players, or over-the-air (OTA) broadcasts -- Vizio got it all.

Vizio began snooping on your TV watching in 2014. The company even allegedly retrofitted older models by installing its tracking software remotely. All of this, the FTC said, was done without telling consumers or getting their consent.