Security Alerts & News
by Tymoteusz A. Góral

#2119 US-CERT warns HTTPS inspection may degrade TLS security
Recent academic work looking at the degradation of security occurring when HTTPS inspection tools are sitting in TLS traffic streams has been escalated by an alert published Thursday by the Department of Homeland Security.

DHS’ US-CERT warned enterprises that running standalone inspection appliances or other security products with this capability often has a negative effect on secure communication between clients and servers.

“All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected,” US-CERT said in its alert.

HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server. A network administrator can only verify the security of the connection between the client and the HTTPS inspection tool, which essentially acts as a man-in-the-middle proxy. The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.
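Because the client's own TLS handshake ends at the proxy, one of the few places interception is still visible is the server side: the cipher suites actually offered in the ClientHello come from the inspection box, not from the browser named in the User-Agent header. The following added example (not code from US-CERT or the cited research) parses the cipher suites out of a ClientHello record and compares them with a constructed, illustrative baseline for a hypothetical client; the baseline list and the "ExampleBrowser" name are assumptions, not real browser fingerprints.

```python
import struct

# Constructed, illustrative baseline: the cipher suites a given client family is
# expected to offer. A real deployment derives these from observed traffic;
# the values and the client name here are assumptions for the example.
EXPECTED_SUITES = {
    "ExampleBrowser/1.0": [0x1301, 0x1302, 0xC02B, 0xC02F],
}

def parse_client_hello_suites(record):
    """Return the cipher suites offered in a TLS ClientHello record (bytes)."""
    if len(record) < 9 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:]                                  # skip 5-byte record header
    if body[0] != 0x01:                                # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                   # handshake header, version, random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # skip session id
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = body[pos:pos + suites_len]
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, suites_len, 2)]

def build_client_hello(suites):
    """Build a minimal ClientHello record; used here only to construct sample input."""
    inner = b"\x03\x03" + bytes(32) + b"\x00"          # TLS 1.2 version, random, empty session id
    inner += struct.pack("!H", 2 * len(suites))
    inner += b"".join(struct.pack("!H", s) for s in suites)
    inner += b"\x01\x00"                               # one compression method: null
    handshake = b"\x01" + len(inner).to_bytes(3, "big") + inner
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def interception_suspected(user_agent, record):
    """True when the offered suites differ from the claimed client's baseline,
    False when they match, None when no baseline exists for that client."""
    expected = EXPECTED_SUITES.get(user_agent)
    if expected is None:
        return None
    return parse_client_hello_suites(record) != expected

if __name__ == "__main__":
    genuine = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F])   # constructed sample
    proxied = build_client_hello([0xC02F, 0x002F, 0x000A])           # constructed sample
    print("genuine:", interception_suspected("ExampleBrowser/1.0", genuine))
    print("proxied:", interception_suspected("ExampleBrowser/1.0", proxied))
```

A mismatch is a signal, not proof; the same check also flags clients that spoof their User-Agent, so it is best used to measure interception rates across a population rather than to block individual connections.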
#2118 Another years-old flaw fixed in the Linux kernel
The Linux team has patched a "dangerous" vulnerability in the Linux kernel that allowed attackers to elevate their access rights and crash affected systems.

The security issue, tracked as CVE-2017-2636, existed in the Linux kernel for the past seven years, after being introduced in the code in 2009.

This is the fourth "years-old" security flaw discovered in the Linux kernel after similar flaws came to light last fall and winter.
#2117 Intel, Microsoft launch new bug bounty programs
Intel and Microsoft have launched new bug bounty programs with thousands of dollars on offer for the most dangerous bugs.

Intel revealed the new bug bounty program, which will be hosted on HackerOne, at the CanSecWest security conference on Wednesday. While old hat for companies including Microsoft, Facebook, and Google, the scheme is the first of its kind for the tech giant.

"We want to encourage researchers to identify issues and bring them to us directly so that we can take prompt steps to evaluate and correct them, and we want to recognize researchers for the work that they put in when researching a vulnerability," Intel said. "By partnering constructively with the security research community, we believe we will be better able to protect our customers."
#2116 MajikPOS combines PoS malware and RATs to pull off its malicious tricks
We’ve uncovered a new breed of point-of-sale (PoS) malware currently affecting businesses across North America and Canada: MajikPOS (detected by Trend Micro as TSPY_MAJIKPOS.A). Like a lot of other PoS malware, MajikPOS is designed to steal information, but its modular approach in execution makes it distinct. We estimate that MajikPOS’s initial infection started around January 28, 2017.

While other PoS malware families, such as FastPOS (and its updated version), Gorynych and ModPOS, also feature multiple components with entirely different functions such as keylogging, MajikPOS’s modular tack is different: it needs only one additional component from the server to conduct its RAM-scraping routine.

MajikPOS is named after its command and control (C&C) panel, which receives commands and sends exfiltrated data. MajikPOS’s operators use a combination of PoS malware and a remote access Trojan (RAT) to attack their targets, to daunting effect. MajikPOS is a reflection of the increasing complexity that bad guys are predicted to employ in their malware to neuter traditional defenses.
#2115 Revenge ransomware, a CryptoMix variant, being distributed by RIG exploit kit
A new CryptoMix, or CryptFile2, variant called Revenge has been discovered by Broad Analysis that is being distributed via the RIG exploit kit. This variant contains many similarities to its predecessor CryptoShield, which is another CryptoMix variant, but includes some minor changes that are described below.

As a note, in this article I will be referring to this infection as the Revenge Ransomware, as that will most likely be how victims refer to it. It is important to remember, though, that this ransomware is not a brand new infection, but rather a new version of the CryptoMix ransomware family.
#2114 This laptop-bricking USB stick just got even more dangerous
Remember that USB stick that would destroy almost anything in its path, from laptops, photo booths, kiosks, to even cars?

Now there's a new version, and it's even more dangerous than before.

In case you missed it the first time around, a Hong Kong-based company built a weaponized pocket-sized USB stick, which when plugged into a device, will rapidly charge its capacitors from the USB power supply and then discharge, frying the affected device's circuits.

Dubbed the USB Kill stick, it fries almost any device with a USB port, though modern Apple hardware is apparently not affected.
#2113 New smartphone threat: Now attackers can use sound to hack your device
Researchers have shown that a malicious music file can trick an accelerometer into giving false readings.

Researchers from the University of Michigan and the University of South Carolina have revealed a handful of sonic hacks on sensors that might not seem dangerous today, but do show one more way that hackers could use the Internet of Things to cause physical harm.

The researchers demonstrated that acoustic signals at the right frequency can apply enough pressure on an accelerometer's sensing mechanism, a mass buoyed on springs, that it can spoof acceleration signals.
#2112 Hack brief: High-profile Twitter accounts overrun with swastikas
Last night, a swath of Twitter accounts with large followings—including Duke University, BBC North America, Forbes, and Amnesty International—tweeted out the same message, in Turkish, that included a swastika and hashtags that translate to “Nazi Germany, Nazi Holland.”

The hacked accounts, which apparently stem from increasing vitriol between Turkey and Holland, appear to have all been restored. They’re an unfortunate reminder, though, that any Twitter account is only as safe as the apps you let access it.
#2111 Check Point discloses vulnerability that allowed hackers to take over hundreds of millions of WhatsApp & Telegram accounts
One of the most concerning revelations arising from the recent WikiLeaks publication is the possibility that government organizations can compromise WhatsApp, Telegram and other end-to-end encrypted chat applications. While this has yet to be proven, many end-users are concerned as WhatsApp and Telegram use end-to-end encryption to guarantee user privacy. This encryption is designed to ensure that only the people communicating can read the messages and nobody else in between.

Nevertheless, this same mechanism has also been the origin of a new severe vulnerability we have discovered in both messaging services’ online platforms – WhatsApp Web and Telegram Web. The online versions of these platforms mirror all messages sent and received by the user, and are fully synced with the user’s device.
#2110 Russian hacker "Kolypto" who worked on Citadel trojan extradited to the US
Yesterday, a Russian national accused of helping develop the Citadel banking trojan was arraigned in front of a US judge for the first time, after being extradited from Fredrikstad, Norway.

The man's name is Mark Vartanyan, 28, known online as Kolypto. According to US authorities, Vartanyan allegedly developed, improved and maintained the Citadel malware, a banking trojan made available via a Malware-as-a-Service offering.
#2109 US charges two Russian agents with ordering hack of 500m Yahoo accounts
Federal prosecutors charged two Russian intelligence agents with orchestrating a 2014 hack that compromised 500 million Yahoo accounts in a brazen campaign to access the e-mails of thousands of journalists, government officials, and technology company employees.

In a 38-page indictment unsealed Wednesday, the prosecutors said Dmitry Aleksandrovich Dokuchaev, 33, and Igor Anatolyevich Sushchin, 43—both officers of the Russian Federal Security Service—worked with two other men—Alexsey Alexseyevich Belan, 29, and Karim Baratov, 22—who were also indicted. The men gained initial access to Yahoo in early 2014 and began their reconnaissance, the indictment alleged. By November or December, Belan used the file transfer protocol to download part or all of a Yahoo database that contained user names, recovery e-mail accounts, and phone numbers. The user database (UDB) also contained the cryptographic nonces needed to generate the account-authentication browser cookies for more than 500 million accounts.