Security Alerts & News
by Tymoteusz A. Góral

History
#2155 Massive uproar on alleged Windows 10 built-in ‘keylogger’ feature
There is currently massive uproar on Reddit about a privacy setting of Windows 10. The privacy setting “Send Microsoft info about how I write to help us improve typing and writing in the future” is reportedly enabled by default and users now fear Windows 10 is one big keylogger.
#2154 Strengthening the Microsoft Edge sandbox
In a recent post, we outlined the layered strategy that the Microsoft Edge security team employs to protect you from vulnerabilities that could be used to compromise your device or personal data. In particular, we showed how Microsoft Edge is leveraging technologies like Code Integrity Guard (CIG) and Arbitrary Code Guard (ACG) to break some of the techniques that hackers rely on when exploiting vulnerabilities to obtain Remote Code Execution (RCE). This is where the attacker seeks to escape from web code (JS and HTML) in the browser to run native CPU code of the attacker’s choosing. This lets the attacker violate all of the browser’s rules for the web, such as same-origin policy, and so it is important to web users that we try as hard as possible to block RCE attacks.

However, despite our best efforts, sometimes attackers get RCE anyway. In this post, we’ll explore some of the significant improvements we’ve made in the Windows 10 Creators Update to strengthen our next line of defense: the Microsoft Edge sandbox.
#2153 SmartTV hacking - Oneconsult talk at EBU Media Cyber Security seminar (VIDEO)
In a presentation to the European Broadcasting Union (EBU), Rafael Scheel (Senior Penetration Tester & Security Researcher at Oneconsult AG) gives an introduction to IoT cyber security and shows, in a live hacking demo, an attack that allows the remote takeover of large numbers of smart TVs over the TV broadcast signal. About 90% of the TVs sold in recent years are potential victims of similar attacks.
#2152 GiftGhostBot attacks ecommerce gift card systems across major online retailers
Distil Networks has detected a sophisticated bot attack on its network affecting nearly 1,000 customer websites around the world and is recommending consumers check their gift card balances in case of fraud. The advanced persistent bot, named GiftGhostBot, automatically checks millions of gift card numbers to determine which have balances, and was detected on February 26, 2017 and is still attacking websites.
#2151 New attack XSSJacking combines clickjacking, pastejacking, and SelfXSS
Security researcher Dylan Ayrey detailed last week a new web-based attack named XSSJacking that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from careless users.

Ayrey says XSSJacking can help attackers reach sensitive information for which they would normally need a more complex security flaw, such as a stored XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery), issues which most websites tend to fix when reported.

The attack is not fully automated, as it still relies on social engineering, a reason why many of today's security bug bounty programs won't even consider it a security flaw, Ayrey told Bleeping Computer in an email.
#2150 Symantec backs its CA
At Symantec, we are proud to be one of the world’s leading certificate authorities. We strongly object to the action Google has taken to target Symantec SSL/TLS certificates in the Chrome browser. This action was unexpected, and we believe the blog post was irresponsible. We hope it was not calculated to create uncertainty and doubt within the Internet community about our SSL/TLS certificates.

Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading. For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program. This control enhancement is an important move that other public certificate authorities (CAs) have not yet followed.