Security Alerts & News
by Tymoteusz A. Góral

#1929 Exploiting a misused C++ shared pointer on Windows 10
In this post I describe a detailed solution to my “winworld” challenge from Insomni’hack CTF Teaser 2017. winworld was an x64 Windows binary coded in C++11 and with most of Windows 10 built-in protections enabled, notably AppContainer (through the awesome AppJailLauncher), Control Flow Guard and the recent mitigation policies.

These can quickly be verified using Process Hacker (note also the reserved 2TB of CFGBitmap!).
#1928 PayPal users targeted in sophisticated new phishing campaign
Recent phishing scams targeted both Gmail and Yahoo, and now attackers have their sights set on PayPal with some very convincing bait. With fake websites and email campaigns that look real, it’s easy to be fooled, and potentially have your identity and money stolen by scammers. Here’s how it happens.

First, there’s an email with logos and verbiage that sounds great (that is, “look and sound authentic”). Notice, however, errors in grammar and syntax that suggest the author isn’t a native English speaker.
#1927 Netflix scam delivers ransomware
Netflix has a 93 million-strong subscriber base in more than 190 countries, so it’s unsurprising that cybercriminals want a piece of the pie. Among their modus operandi: stealing user credentials that can be monetized in the underground, exploiting vulnerabilities, and more recently infecting systems with Trojans capable of pilfering the user’s financial and personal information.

What other purposes can stolen Netflix credentials serve? Offer them up as a bargaining chip to fellow cybercriminals, for instance. Or, more nefariously, use them as a lure to trick certain users into installing malware (and turn a profit in the process). If you’re planning to free ride your way into binge-watching your favorite shows on Netflix, think again. Your computer’s files may end up getting held hostage instead.
#1926 SMS-exploitable bug in Samsung Galaxy phones can be used for ransomware attacks
Samsung has patched four security flaws affecting Galaxy handsets that an attacker could have combined to put devices in endless reboot loops or to hijack handsets for ransomware.

Discovered by mobile security researchers from Context Information Security, these four bugs are exploitable via the ancient, 17-year-old WAP protocol, which is still supported in modern-day smartphones.

Developed in 1999 and used to grant customers access to the Internet in the early days of mobile networks, the protocol also includes various other functions, such as the ability to send configuration files to the user's phone, in the form of SMS text messages.
#1925 WordPress 4.7.2 update fixes XSS, SQL injection bugs
Developers with WordPress fixed three security issues this week, including a cross-site scripting and a SQL injection vulnerability, with the latest version of the CMS.

The update, 4.7.2, was pushed Thursday, only two weeks after developers released the previous version.

Aaron Campbell, a WordPress core contributor, announced the update – a security release – on WordPress’ blog.

One of the issues, the SQL injection, affected WordPress’ WP_Query, a class used to access variables, checks and functions coded into the WordPress core. Mohammad Jangda, a web developer at Automattic – WordPress’ parent company – discovered the class is vulnerable when passing unsafe data. While the issue didn’t affect the WordPress core, Campbell writes that WordPress added hardening to prevent plugins and themes from causing further vulnerabilities.
#1924 Cisco warns of critical flaw in teleconferencing gear
Cisco Systems is warning customers of a critical vulnerability affecting three of its TelePresence MCU platform models. The flaw could give attackers the ability to remotely execute code on impacted systems or create conditions favorable to a denial-of-service (DoS) attack.

According to an advisory issued this week, the vulnerability (CVE-2017-3792) is tied to a proprietary device driver in the kernel of the Cisco TelePresence Multipoint Control Unit (MCU) Software used in platform models 4500, MSE 8510 and 5300 Series.

“The vulnerability is due to improper size validation when reassembling fragmented IPv4 or IPv6 packets,” wrote Cisco in its bulletin. Affected systems are those running software version 4.3(1.68) or later configured for “Passthrough” content mode.
#1923 Majority of Android VPNs can’t be trusted to make users more secure
Over the past half-decade, a growing number of ordinary people have come to regard virtual private networking software as an essential protection against all-too-easy attacks that intercept sensitive data or inject malicious code into incoming traffic. Now, a comprehensive study of almost 300 VPN apps downloaded by millions of Android users from Google's official Play Market finds that the vast majority of them can't be fully trusted. Some of them don't work at all.
#1922 Ransomware app hosted in Google Play infects unsuspecting Android user
Google Play, the official market for Android apps, was caught hosting a ransomware app that infected at least one real-world handset, security researchers said Tuesday.

The ransomware was dubbed Charger and was hidden inside an app called EnergyRescue, according to a blog post published by security firm Check Point Software. Once installed, Charger stole SMS contacts and prompted unsuspecting users to grant it all-powerful administrator rights.
#1921 Breach notification website LeakedSource allegedly raided
LeakedSource, a breach notification service that exposed some of 2016’s largest data breaches, might be facing a permanent shutdown.

According to a forum post on a well-known marketplace, the owner of LeakedSource was raided earlier this week, although the exact details of any potential law enforcement action remain a mystery.

At the start of the new year, LeakedSource indexed more than 3 billion records. Their collection is the result of information sharing between a number of sources, including those who hacked the data themselves. Access to the full archive requires a membership fee.
#1920 Now there’s a better way to prevent Facebook account takeovers
Facebook is enhancing its existing protection against account takeovers with cryptographically based security keys that can be used as a second factor of authentication, the social network is announcing today.

A handful of online services—including Google, Dropbox, GitHub, and Salesforce—already support security keys based on the open Universal 2nd Factor, or U2F, standard, created by the Fido Alliance. Now Facebook is offering them, too. The inexpensive devices, which plug into users' USB ports, were recently shown to beat out smartphones and most other forms of two-factor verification in a two-year study of more than 50,000 Google employees. That assessment was based on the ease of using and deploying keys, the security they provided against phishing and other types of account-takeover attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication.
#1919 Gmail will block JS attachments for security reasons starting February 13
Gmail users' accounts are about to become safer, as on February 13th Google will begin blocking JS attachments in emails. Currently there are 31 attachment types that are blocked in Gmail, which include .exe, .bat, .hta, and .vbs files, but JS files are still allowed through. As this attachment type is commonly used to distribute malware, blocking JS files will only increase the security of users' Gmail accounts.

Starting on February 13th 2017, when a user tries to attach a JS file, Gmail will block the attachment and warn the user that this attachment type is no longer allowed. If a user receives a JS attachment in Gmail, access to the file will be blocked as well and the user will be shown a warning stating that the file was blocked for security reasons.
#1918 XSS on WebEx domains undoes previous fixes to Cisco WebEx Chrome extension
At the start of this week, Google Project Zero security researcher Tavis Ormandy made public his discovery of a remote code execution vulnerability within Cisco's WebEx extension for Chrome.

In his comments on Cisco's patches, which whitelisted code execution on the domain and prompted the user on other domains, Ormandy sagely warned of the situation the networking giant had to address later in the week.

"I think we will consider this issue fixed now. Hopefully, is well maintained and not full of XSS," he said.
#1917 Kaspersky Lab’s top investigator reportedly arrested in treason probe
In a move that stunned some security researchers, a top investigator at Russia's largest antivirus provider, Kaspersky Lab, has been arrested in an investigation into treason, a crime that upon conviction can carry severe sentences.

Ruslan Stoyanov, the head of Kaspersky Lab's investigations unit, was arrested in December, Russian newspaper Kommersant reported Wednesday. The paper said that Sergei Mikhailov, a division head of the Russian intelligence service FSB, was also arrested in the same probe. Stoyanov joined the Moscow-based AV company in 2012 and was chiefly involved in investigating and responding to hacking-related crimes carried out in Russia. His LinkedIn profile shows he served as a major in the cybercrime unit of Russia's Ministry of Interior from 2000 to 2006.
#1916 Heartbleed bug still affects thousands of sites
Close to 200,000 websites and servers remain vulnerable to a nasty bug found in a widely-used encryption library, almost three years after the bug was first discovered.

At the time of the Shodan Report's release this week, a total of 199,594 servers were vulnerable to the bug, with more vulnerable servers in the US than any other country.

South Korea, China, Germany, and France followed behind.

At time of writing, the overall number had dropped to 192,069 vulnerable servers, according to Shodan's live search engine, which looks for and logs open, unsecured internet-connected databases and devices.
#1915 Symantec: Latest intelligence for December 2016
Some of the key takeaways from December’s Latest Intelligence, and the threat landscape in general, include an increase in the number of web attacks blocked by Symantec, the return of a particularly nasty disk-wiping threat, and how Symantec played a vital role in two law enforcement operations.
#1914 CSIRO: VPNs are not as private as the name suggests
The Commonwealth Scientific and Industrial Research Organisation (CSIRO) has warned users of virtual private networks (VPN) that they may not be as secure as the name suggests.

The CSIRO recently looked at 283 Android VPN apps, investigating a wide range of security and privacy features to compile its report [PDF], An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps.

The research organisation found that 18 percent of the apps probed fail to encrypt users' traffic, with 38 percent injecting malware or malvertising straight into the user's device, and over 80 percent requesting access to sensitive data such as user accounts and text messages.
#1913 Firefox 51 arrives with warning for HTTP websites that collect passwords, WebGL 2 and FLAC support
Mozilla today launched Firefox 51 for Windows, Mac, Linux, and Android. The new version includes a new warning for websites that collect passwords but don’t use HTTPS; WebGL 2 support for better 3D graphics; and FLAC (Free Lossless Audio Codec) playback.

Firefox 51 for the desktop is available for download now on, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play.

Mozilla doesn’t break out the exact numbers for Firefox, though the company does say “half a billion people around the world” use the browser. In other words, it’s a major platform that web developers target — even in a world increasingly dominated by mobile apps.
#1912 Don't use Android pattern lock to protect secrets, researchers warn
Researchers have demonstrated an attack that can crack 95 percent of Android pattern locks within the five attempts allowed.

The side-channel attack, devised by researchers from China and the UK, uses video footage from a smartphone's camera and a computer vision algorithm to crack Android's geometric lock patterns. Lock patterns are an alternative to PINs and passwords.

As noted by the researchers, the attack doesn't require footage of the screen itself, only a line of sight to the user's hand movements. The algorithm tracks fingertip motions and reconstructs the lock pattern. The researchers tested the attack on 120 unique patterns from 215 users and report that the method can crack 95 percent of patterns within five attempts.

Additionally, they found that more complex patterns are easier to crack, with 97.5 percent falling within the first attempt, compared with 60 percent of simple patterns and 87 percent of median complex patterns.
#1911 Cisco patches critical flaw in WebEx Chrome plugin
A vulnerability in the Cisco WebEx Chrome Plugin, used by tens of millions for web conferencing in business environments, exposed computers to remote code execution.

Cisco has patched the flaw, details of which were disclosed Monday by Google Project Zero researcher Tavis Ormandy, who has made a number of high-profile discoveries and disclosures in popular enterprise and security software.

The core issue is what Ormandy calls a “magic URL” used by the extension during WebEx sessions. The researcher said attacks could be carried out so long as a URL request contains the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html; attackers could use this in an iframe, leaving users unaware of an active exploit.
#1910 Online security 101: Tips for protecting your privacy from hackers and spies
Got nothing to hide? Think again.

Privacy is what sets us apart from the animals. It's also what sets many countries and citizens apart from dictatorships and despots. People often don't think about their rights until they need them -- whether it's when they're arrested at a protest or pulled over for a routine traffic stop.

Surveillance is also a part of life, and it's getting progressively more invasive. Government eavesdropping is increasing, carried out in wider secrecy, and it's becoming far more localized. In fact, the last three presidents have pushed for greater surveillance: Clinton introduced mandated wiretapping laws, Bush expanded mass domestic surveillance, and Obama expanded the intelligence service's reach -- just in time for Trump.
#1909 Apple patches critical kernel vulnerabilities
Apple today released new versions of iOS and macOS Sierra and addressed some overlapping code execution vulnerabilities in both its mobile and desktop operating systems.

The updates were part of a bigger release of security updates from Apple that also included Safari, iCloud for Windows, and watchOS.

The most critical of the bugs were a pair of kernel vulnerabilities, CVE-2017-2370 and CVE-2017-2360, which could allow a malicious application to execute code with the highest kernel privileges. The two bugs, a buffer overflow and use-after-free vulnerability, were reported by Google Project Zero’s Ian Beer and were patched in iOS 10.2.1 and macOS Sierra 10.12.3.
#1908 Virulent Android malware returns, gets >2 million downloads on Google Play
A virulent family of malware that infected more than 10 million Android devices last year has made a comeback, this time hiding inside Google Play apps that have been downloaded by as many as 12 million unsuspecting users.

HummingWhale, as the professionally developed malware has been dubbed, is a variant of HummingBad, the name given to a family of malicious apps researchers documented in July invading non-Google app markets. HummingBad attempted to override security protections by exploiting unpatched vulnerabilities that gave the malware root privileges in older versions of Android. Before Google shut it down, it installed more than 50,000 fraudulent apps each day, displayed 20 million malicious advertisements, and generated more than $300,000 per month in revenue. Of the 10 million people who downloaded HummingBad-contaminated apps, an estimated 286,000 of them were located in the US.
#1907 Widely used WebEx plugin for Chrome will execute attack code—patch now!
The Chrome browser extension for Cisco Systems' WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit.

A combination of factors makes the vulnerabilities among the most severe in recent memory. First, WebEx is largely used in enterprise environments, which typically have the most to lose. Second, once a vulnerable user visits a site, it's trivial for anyone with control of it to execute malicious code with little sign anything is amiss. The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google's Project Zero security disclosure service.

Martijn Grooten, a security researcher for Virus Bulletin, told Ars:

"If someone with malicious intentions (Tavis, as per Google's policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!"
#1906 China announces mass shutdown of VPNs that bypass Great Firewall
China’s Ministry of Industry and Information Technology yesterday announced a major crackdown on VPN (virtual private network) services that encrypt Internet traffic and let residents access websites blocked by the country's so-called Great Firewall. The ministry "said that all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal," reported the South China Morning Post, a major newspaper in Hong Kong.
#1905 Galileo satellites experiencing multiple clock failures
The onboard atomic clocks that drive the satellite-navigation signals on Europe's Galileo network have been failing at an alarming rate.

Across the 18 satellites now in orbit, nine clocks have stopped operating.

Three are traditional rubidium devices; six are the more precise hydrogen maser instruments that were designed to give Galileo superior performance to the American GPS network.
#1904 Carbanak group uses Google for malware command-and-control
Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.

Carbanak (also known as Anunak) is a group of financially motivated criminals first exposed in 2015. The actors typically steal from financial institutions using targeted malware. Recently a new Carbanak attack campaign dubbed "Digital Plagiarist" was exposed, in which the group used weaponized Office documents hosted on mirrored domains in order to distribute malware.
#1903 Encrypted email service ProtonMail opens door for Tor users
ProtonMail now has a home on the dark web.

The encrypted email provider announced Thursday it will allow its users to access the site through the Tor anonymity service.

The aim is to allow its more than 2 million users to access the provider by taking "active measures to defend against state-sponsored censorship," such as government-mandated blocks at the internet provider level.
#1902 Dutch developer added backdoor to websites he built, phished over 20,000 users
A Dutch developer illegally accessed the accounts of over 20,000 users after he allegedly collected their login information via backdoors installed on websites he built.

According to an official statement, Dutch police officials are now in the process of notifying these victims about the crook's actions.

The hacker, yet to be named by Dutch authorities, was arrested on July 11, 2016, at a hotel in Zwolle, the Netherlands, and police proceeded to raid two houses the crook owned, in Leeuwarden and Sneek.
#1901 Ukraine's power outage was a cyber attack: Ukrenergo
A power blackout in Ukraine's capital Kiev last month was caused by a cyber attack and investigators are trying to trace other potentially infected computers and establish the source of the breach, utility Ukrenergo told Reuters on Wednesday.

When the lights went out in northern Kiev on Dec. 17-18, power supplier Ukrenergo suspected a cyber attack and hired investigators to help it determine the cause following a series of breaches across Ukraine.

Preliminary findings indicate that workstations and Supervisory Control and Data Acquisition (SCADA) systems, linked to the 330 kilowatt sub-station "North", were influenced by external sources outside normal parameters, Ukrenergo said in comments emailed to Reuters.

"The analysis of the impact of symptoms on the initial data of these systems indicates a premeditated and multi-level invasion," Ukrenergo said.
#1900 GCHQ encourages teenage girls to become cybersecurity professionals of the future
Government surveillance agency GCHQ is running a tech skills competition for teenage girls as part of an initiative designed to encourage more women to join the fight to protect the UK from cyberattacks and hackers.

Reflecting a gender balance issue in the technology sector as a whole, women make up just ten percent of the global cybersecurity workforce. GCHQ is looking to change that with the launch of the CyberFirst Girls Competition.

Orchestrated by GCHQ's National Cyber Security Centre, the competition looks to knock down barriers to entry into the profession by inviting girls between the ages of 13 and 15 to enter in teams of four. They will have their cybersecurity skills tested against other schoolgirls from across the UK in a series of online challenges.
#1899 Project Zero finds XSS bug in auto-installed Adobe Acrobat Chrome extension
Last week Adobe released an update to Acrobat that had a potentially unwanted passenger along for the ride: an automatically installed Chrome extension that, the next time Chrome was loaded, prompted the user to allow it to view and manipulate web pages visited and manage downloads.

Upon its release, Project Zero security researcher Tavis Ormandy found it left users vulnerable to cross-site scripting attacks.

"I think CSP [Content Security Policy] might make it impossible to jump straight to script execution, but you can iframe non web_accessible_resources, and easily pivot that to code execution, or change privacy options via options.html, etc," Ormandy wrote in the Project Zero issue tracker.
#1898 Uncovering the inner workings of EyePyramid
Two Italians referred to as the “Occhionero brothers” have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called “EyePyramid”, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)

The court order was published by AGI, an Italian news agency, around noon on January 11. It (surprisingly) contains multiple technical details which we used to bootstrap our initial analysis. This post builds on the details of the case to provide a more complete and in-depth view of the activities of this campaign.
#1897 Oracle's monster security update: 270 fixes and over 100 remotely exploitable flaws
Oracle has released its first quarterly critical patch update of the year, urging customers to immediately apply the bundle's 270 fixes to a number of its products.

Product families fixed in this update include Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle's updates are typically large but the 270 fixes in this advisory are just short of Oracle's record critical update last July, which contained 276 fixes.
#1896 Newly discovered Mac malware found in the wild also works well on Linux
A newly discovered family of Mac malware has been conducting detailed surveillance on targeted networks, possibly for more than two years, a researcher reported Wednesday.

The malware, which a recent Mac OS update released by Apple is detecting as Fruitfly, contains code that captures screenshots and webcam images, collects information about each device connected to the same network as the infected Mac, and can then connect to those devices, according to a blog post published by anti-malware provider Malwarebytes. It was discovered only this month, despite being painfully easy to detect and despite indications that it may have been circulating since the release of the Yosemite release of OS X in October 2014. It's still unclear how machines get infected.
#1895 EITest nabbing Chrome users with a “Chrome Font” social engineering scheme
“EITest” is a well-documented infection chain that generally relies on compromised websites to direct users to exploit kit (EK) landing pages. EITest has been involved in the delivery of a variety of ransomware, information stealers, and other malware, with clear evidence of its use dating back to 2014. Elements of EITest may be much older, though, with hints pointing to EITest being an evolution of the “Glazunov” infection chain from 2011 [1]. The first server-side documentation of this evolution came from Sucuri in July 2014 [2], associated with waves of WordPress exploitation via the MailPoet plugin vulnerability. KahuSecurity recently analyzed the server-side script in October 2016 [3].
#1894 Facebook’s ImageTragick story
"I want to believe that all of you know about ImageMagick and its Tragick. This issue was found at the end of April 2016 and, because many processing plugins depend on the ImageMagick library, this issue has a huge impact. Since there was evidence that information about this issue was available not only to the researchers who discovered it and ImageMagick’s development team, but also to others, on the 3rd of May, 2016 the information (without PoC) was disclosed. Many researchers got this low-hanging fruit while discovering applications which were not updated in time. But for some unknowable reason I was not among them."
#1893 Router vulnerabilities disclosed in July remain unpatched
Details on serious vulnerabilities in a number of routers freely distributed by a major Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered.

Researcher Pedro Ribeiro of Agile Information Security found accessible admin accounts and command injection vulnerabilities in ZyXel and Billion routers distributed by TrueOnline, Thailand’s largest broadband company.

Ribeiro said he disclosed the vulnerabilities through Beyond Security’s SecuriTeam Secure Disclosure Program, which contacted the affected vendors last July. Ribeiro published a proof of concept exploit yesterday as well.
#1892 Secret tokens found hard-coded in hundreds of Android apps
A security research firm has found hundreds of Android apps that are leaking sensitive secret keys and tokens, which could be used and abused by hackers.

Fallible, a Delaware-based security firm, spent the past few months reverse engineering thousands of apps to discover security issues, such as leaky secret keys. These keys often belong to third-party services to help app integration, but if leaked could be used to manipulate or abuse the services.
#1891 Vulnerabilities leave iTunes, App Store open to script injection
Apple is reportedly aware of and is in the middle of fixing a pair of vulnerabilities that exist in iTunes and the App Store. If exploited, researchers claim an attacker could inject malicious script into the application side of the vulnerable module or function.

Vulnerability Lab’s Benjamin Kunz Mejri disclosed the vulnerabilities on Monday, explaining the issues can be jointly exploited via iTunes and the App Store’s iOS “Notify” function.

Apple implemented the function in September, in the weeks leading up to the release of the game Super Mario Run. The function takes information from the device, such as iCloud credentials or devicename values, to alert users when a soon-to-launch application debuts.
#1890 It’s shockingly easy to hijack a Samsung SmartCam camera
Smart cameras marketed under the Samsung brand name are vulnerable to attacks that allow hackers to gain full control, a status that allows the viewing of what are supposed to be private video feeds, researchers said.

The remote code-execution vulnerability has been confirmed in the Samsung SmartCam SNH-1011, but the researchers said they suspect other models in the same product line are also susceptible. The flaw allows attackers to inject commands into a Web interface built into the devices. The bug resides in PHP code responsible for updating a video monitoring system known as iWatch. It stems from the failure to properly filter malicious input included in the name of uploaded files. As a result, attackers who know the IP address of a vulnerable camera can exploit the vulnerability to inject commands that are executed with unfettered root privileges.
#1889 Bug 'exposes' WhatsApp message secrets
Some messages sent through WhatsApp can be intercepted and read thanks to a bug in the app, suggests research.

The bug arises because of the way WhatsApp encrypts the messages sent via its service.

Security expert Thomas Boelter found that eavesdropping was possible when circumstances called for encryption keys to be reissued.

Mr Boelter told WhatsApp owner Facebook about the issue in April 2016 but it said it was not working on a fix.

The response he received said that what he had discovered was expected behaviour.
#1888 This phishing email uses an unexpected trick to infect PCs with keylogger malware
Cybercriminals are targeting a major US financial services provider with malicious emails containing the tools required to install information-collecting keylogging software onto the infected systems.

Keylogging enables hackers to see everything that's typed on the keyboard of an infected machine, something which can be exploited to steal data, personal information, and login credentials.

Cybersecurity researchers at Proofpoint note that the attack is very narrow in scope, targeting users in just a single US-based financial services and insurance organisation with malicious emails. Naturally, banks are a high-profile target for cybercriminals who not only see money as a lucrative target, but also view financial institutions as a treasure trove of data to exploit.
#1887 The worst passwords of 2016 are as lazy as ever
It seems that password security simply doesn't work.

Many of us rely on simple, easy-to-remember strings of characters and letters, including strings found on your keyboard such as "1234567" or "qwertyu."

While these strings are easy for you to remember, they are also no trouble at all for attackers, who can use brute-force hacking techniques -- or little more than a guess or two -- to compromise your online accounts and take over your digital identity.
#1886 Wide impact: Highly effective Gmail phishing technique being exploited
A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.

This attack is currently being used to target Gmail customers and is also targeting other services.

The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognize from the sender.
#1885 WordPress 4.7.1 fixes CSRF, XSS, PHPMailer vulnerabilities
One of the XSS vulnerabilities could be triggered via the plugin name or version header on update-core.php, another could be exploited via theme name fallback, according to the release notes.

One of the CSRF bugs, identified by Abdullah Hussam, an Iraqi security researcher who’s previously found bugs in Vine, Twitter, and Vimeo, could lead to a bypass if a specific Flash file was uploaded. Another CSRF bug, discovered by Danish developer Ronni Skansing, was tied to how WordPress handled accessibility mode in widget editing. Skansing has found several bugs in WordPress over the years. Last February he found a server side request forgery (SSRF) vulnerability in WordPress 4.4.1. An attacker could have exploited the bug by making it appear that the server was sending certain requests, possibly bypassing access controls.

Another issue in WordPress’ REST API could have exposed user data for any users who “authored a post of a public post type.” The issue, jointly uncovered by Brian Krogsgard, who runs the WordPress news site Post Status, and Chris Jean, a WordPress developer for iThemes, was fixed by limiting which posts are seen within the API.
#1884 Spora ransomware works offline, has the most sophisticated payment site as of yet
A new ransomware family made its presence felt today, named Spora, the Russian word for "spore." This new ransomware's most notable features are its solid encryption routine, its ability to work offline, and a very well-put-together ransom payment site, which is the most sophisticated we've seen from ransomware authors as of yet.

First infections with Spora ransomware were spotted on the Bleeping Computer and Kaspersky forums. Below is an analysis of the Spora ransomware mode of operation provided by Bleeping Computer's Lawrence Abrams, with some information via MalwareHunterTeam and Fabian Wosar of Emsisoft.
#1883 Post-holiday spam campaign delivers Neutrino bot
During the Christmas season and early into the new year, we noticed a sharp decrease in spam volume, perhaps as online criminals took a break from their malicious activities and popped the champagne to celebrate. It could also have been a time to regroup and plan new strategies for the upcoming year.

In any case, over the weekend we observed a large new campaign purporting to be an email from ‘Microsoft Security Office’ with a link to a full security report. This was somewhat unexpected, as typically the malicious Office files are directly attached to the email. Instead, the files are hosted on various servers with a short time-to-live window.
#1882 A look at EyePyramid, the malware supposedly used in high-profile hacks in Italy
Two Italian citizens were arrested last Tuesday by Italian authorities (in cooperation with the FBI) for exfiltrating sensitive data from high-profile Italian targets. Private and public Italian citizens, including those holding key positions in the state, were the subject of a spear-phishing campaign that reportedly served malware, codenamed EyePyramid, as a malicious attachment. This malware was used to successfully exfiltrate over 87 gigabytes' worth of data including usernames, passwords, browsing data, and filesystem content.
#1881 Adobe Acrobat Reader DC update installs Chrome browser extension
An Adobe Acrobat extension comes with anonymous usage data collection turned on by default, which might scare some users.
#1880 Hacker steals 900 GB of Cellebrite data
The hackers have been hacked. Motherboard has obtained 900 GB of data related to Cellebrite, one of the most popular companies in the mobile phone hacking industry. The cache includes customer information, databases, and a vast amount of technical data regarding Cellebrite's products.

The breach is the latest chapter in a growing trend of hackers taking matters into their own hands, and stealing information from companies that specialize in surveillance or hacking technologies.

Cellebrite is an Israeli company whose main product, a typically laptop-sized device called the Universal Forensic Extraction Device (UFED), can rip data from thousands of different models of mobile phones. That data can include SMS messages, emails, call logs, and much more, as long as the UFED user is in physical possession of the phone.
#1879 New variant of Ploutus ATM malware observed in the wild in Latin America
Ploutus is one of the most advanced ATM malware families we’ve seen in the last few years. Discovered for the first time in Mexico back in 2013, Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message, a technique that had never been seen before.

FireEye Labs recently identified a previously unobserved version of Ploutus, dubbed Ploutus-D, that interacts with KAL’s Kalignite multivendor ATM platform. The samples we identified target the ATM vendor Diebold. However, minimal code change to Ploutus-D would greatly expand its ATM vendor targets since Kalignite Platform runs on 40 different ATM vendors in 80 countries.

Once deployed to an ATM, Ploutus-D makes it possible for a money mule to obtain thousands of dollars in minutes. A money mule must have a master key to open the top portion of the ATM (or be able to pick it), a physical keyboard to connect to the machine, and an activation code (provided by the boss in charge of the operation) in order to dispense money from the ATM. While there are some risks of the money mule being caught by cameras, the speed with which the operation is carried out minimizes the mule’s risk.

This blog covers the changes, improvements, and Indicators of Compromise (IOC) of Ploutus-D in order to help financial organizations identify and defend against this threat.
#1878 Beware new WhatsApp scam offering “free internet without Wi-Fi”
It seems that the number of scams spreading through the messaging app WhatsApp keeps on increasing, with deceptive campaigns coming up with novel ways of luring in victims. Today we will show you a new example of this.

This particular WhatsApp scam promises users a free internet service, without needing to use Wi-Fi. Despite being complete nonsense from a technical point of view, the offer may nevertheless appear tempting to those unaware of the realities. And it’s also selling something pretty amazing …

Imagine being able to navigate with your smartphone wherever you are, without mobile data from your carrier or a Wi-Fi network. Who wouldn’t like that while on holiday abroad? It’s like magic … because it’s not real. Clicking on this scam won’t change that.
#1877 APT28: At the center of the storm
On Jan. 6, 2017, the U.S. Director of National Intelligence released its Intelligence Community Assessment: Assessing Russian Activities and Intentions in Recent US Elections. Still, questions persist about Russian involvement. Did the Russian government direct the group responsible for the breaches and related data leaks? If so, is this simply a matter of accepted state espionage, or did it cross a line? Was the breach at the Democratic National Committee part of a concerted effort by the Russian government to interfere with the U.S. presidential election?

The most consequential question remains unasked: How will Russia continue to employ a variety of methods – including hacks and leaks – to undermine the institutions, policies and actors that the Russian government perceives as constricting and condemning its forceful pursuit of its state aims?

FireEye’s visibility into the operations of APT28 – a group we believe the Russian government sponsors – has given us insight into some of the government’s targets, as well as its objectives and the activities designed to further them.

We have tracked and profiled this group through multiple investigations, endpoint and network detections, and continuous monitoring. Our visibility into APT28’s operations, which date to at least 2007, has allowed us to understand the group’s malware, operational changes and motivations. This intelligence has been critical to protecting and informing our clients, exposing this threat and strengthening our confidence in attributing APT28 to the Russian government.
#1876 Security scare over hackable heart implants
A US government probe into claims that certain heart implants are vulnerable to hacking attacks has resulted in emergency security patches being issued for devices that cardiac patients have in their homes.

The medical devices under the microscope come from St Jude Medical, recently acquired by Abbott Laboratories, who were informed by researchers last year that their devices could be forced to malfunction by administering a mild electric shock or pacing at a potentially dangerous rate, or could be tricked into suffering a high-risk battery drain.

Controversially, research company MedSec Holdings and hedge fund Muddy Waters reportedly profited by short selling stock in St Jude Medical, before telling the manufacturer about the serious vulnerabilities.
#1875 US college pays $28,000 to get files back after ransomware attack
Los Angeles Valley College (LAVC) has paid $28,000 (£22,500) in Bitcoin to extortionists, a payment it has placed on the public record, after ransomware encrypted hundreds of thousands of files held on its servers.

In a public statement that shares the College’s homepage with upbeat messages about visiting its campus Lion Cafeteria, LAVC said the unnamed ransomware got inside the organisation on December 30.

It was detected within hours but too late to stop IT staff being locked out of critical files held on multiple servers. In addition to losing data access, important services went down, including the College’s network, email and phone system, bringing the College to a standstill.
#1874 Shamoon disk-wiping attackers can now destroy virtual desktops, too
There's a new variant of the Shamoon disk-wiping malware that was originally unleashed on Saudi Arabia's state-owned oil company in 2012, and it has a newly added ability to destroy virtual desktops, researchers said.

The new strain is at least the second Shamoon variant to be discovered since late November, when researchers detected the return of the disk-wiping malware after a hiatus of more than four years. That variant was almost identical to the original one except for the image that was left behind on sabotaged computers. Whereas the old one showed a burning American flag, the new one displayed the iconic photo of the body of Alan Kurdi, the three-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Like the original Shamoon, which permanently destroyed data on more than 30,000 workstations belonging to Saudi Aramco, the updates also hit one or more Saudi targets that researchers have yet to name.
#1873 Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
#1872 Security updates available for Adobe Acrobat and Reader
Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
#1871 Our continuing commitment to your privacy with Windows 10
Microsoft: At Microsoft, we are deeply committed to protecting our customers’ privacy. This includes providing clear choices and easy-to-use tools that put you in control of how your information is collected and used. Trust is a core pillar of our More Personal Computing vision, and we are working hard to make sure Windows 10 is the most secure Windows ever and a product you love and trust.
#1870 Microsoft Security Bulletin Summary for January 2017
This bulletin summary lists security bulletins released for January 2017.

For information about how to receive automatic notifications whenever Microsoft security bulletins are issued, visit Microsoft Technical Security Notifications.

Microsoft also provides information to help customers prioritize monthly security updates with any non-security updates that are being released on the same day as the monthly security updates.
#1869 Credit card data and other information targeted in Netflix phishing campaign
Through FireEye’s Email Threat Prevention (ETP) solution, FireEye Labs discovered a phishing campaign in the wild targeting the credit card data and other personal information of Netflix users primarily based in the United States.

This campaign is interesting because of the evasion techniques that were used by the attackers: the phishing pages were hosted on legitimate but compromised web servers; client-side HTML code was obfuscated with AES encryption to evade text-based detection; and phishing pages were not displayed to users from certain IP addresses if their DNS resolved to companies such as Google or PhishTank.

At the time of posting, the phishing websites we observed were no longer active.
#1868 Android banking Trojan malware disguises itself as Super Mario Run
Cybercriminals are taking advantage of Android users who are desperate to play Nintendo's wildly popular Super Mario Run mobile game, in order to spread the notorious Marcher banking Trojan malware.

Nintendo's iconic plumber made his much anticipated debut on mobile devices in December and is currently exclusive to Apple iOS users, who can download the game via the App Store.

But some desperate users are looking for ways to gain access to it on Android by attempting to download versions from third-party websites. And, much like they did when Android users wanted to download Pokemon Go before it was available, attackers are actively looking to exploit that demand by tricking users into downloading the bank-information-stealing Marcher Trojan.
#1867 Google plugs severe Android vulnerability that exposed devices to spying
Google has shut down a "high-severity" exploit in its Nexus 6 and 6P phones which gave attackers with USB access the opportunity to take over the onboard modem during boot-up—allowing them to listen in on phone calls, or intercept mobile data packets.

The vulnerability was part of a cluster of security holes found by security researchers at IBM's X-Force, all related to a flaw—tagged CVE-2016-8467—in the phones' boot mode, which could be abused via malware-infected PCs or malicious power chargers to access hidden USB interfaces. Patches were rolled out before the vulnerabilities were made public, in November for the Nexus 6, and January for the 6P.
#1866 The official Tor browser for iOS is free to use
When Mike Tigas first created the Onion Browser app for iOS in 2012, he never expected it to become popular. He was working as a newsroom Web developer at The Spokesman-Review in Spokane, Washington, at the time, and wanted a Tor browser app for himself and his colleagues. Expecting little interest, he then put Onion Browser on the Apple App Store at just $0.99/£0.69, the lowest non-zero price that Apple allows.

Fast forward to 2016, and Tigas found himself living in New York City, working as a developer and investigative journalist at ProPublica, while earning upwards of $2,000 a month from the app—and worrying that charging for it was keeping anonymous browsing out of the hands of people who needed it.
#1865 This ransomware scheme is targeting schools, colleges and head teachers, warn police
Cybercriminals are pretending to be government officials as part of a ransomware scheme which is targeting schools and demanding payments of up to £8,000 to decrypt the locked files.

Action Fraud, the UK's fraud and cybercrime centre, and the City of London police, have issued a warning over the activity, which begins with criminals contacting the targeted schools with a phone call.

Claiming to be from 'The Department of Education', the caller asks for the email address of the head teacher which they claim they need in order to send them sensitive information which is unsuitable for the school's general email address.
#1864 Insecure routers, webcams prompt feds to sue D-Link
The Federal Trade Commission on Thursday sued Taiwan-based D-Link in federal court. The FTC alleges that D-Link routers and webcams left "thousands of consumers at risk" of hacking attacks.

"Defendants have failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access, including by failing to protect against flaws which the Open Web Application Security Project has ranked among the most critical and widespread web application vulnerabilities since at least 2007," the FTC said in a complaint (PDF) filed in San Francisco federal court.
#1863 MongoDB attacks jump from hundreds to 28,000 in just days
Security researchers report a massive uptick in the number of MongoDB databases hijacked and held for ransom. On Monday, researcher Niall Merrigan reported that 28,000 misconfigured MongoDB databases had been attacked by more than a dozen hacker groups. That’s a sharp increase from last week, when 2,000 MongoDB databases had been hijacked by two or three criminals.

A wave of attacks was first spotted on Dec. 27 by Victor Gevers, an ethical hacker and founder of GDI Foundation. That’s when he said a hacker going by the handle “Harak1r1” was compromising open MongoDB installations, deleting their contents, and leaving behind a ransom note demanding 0.2 BTC (about $220).
#1862 Experts warn of novel PDF-based phishing scam
The SANS Internet Storm Center published a warning on Wednesday about an active phishing campaign that utilizes PDF attachments in a novel ploy to harvest email credentials from victims.

According to the SANS bulletin, the email has the subject line “Assessment document” and the body contains a single PDF attachment that claims to be locked. A message reads: “PDF Secure File UNLOCK to Access File Content.”
#1861 Hit by Globe3 ransomware? This free tool could help you decrypt your files
Victims of the latest strain of Globe ransomware can now unlock their files without paying out money to cybercriminal extortionists, thanks to a newly released and free-to-use decryption tool.

As its name suggests, Globe3 is the third incarnation of Globe ransomware, which first appeared in summer 2016.

Globe and Globe2 have successfully infected numerous targets with high profile victims including a group of UK hospitals which were forced offline by a Globe2 ransomware infection and had to cancel 2,800 patient appointments as a result.
#1860 KillDisk now targeting Linux: Demands $250K ransom, but can’t decrypt
ESET researchers have discovered a Linux variant of the KillDisk malware that was used in Ukraine in attacks against the country’s critical infrastructure in late 2015 and against a number of targets within its financial sector in December 2016. This new variant renders Linux machines unbootable, after encrypting files and requesting a large ransom. But even if victims do reach deep into their pockets, the probability that the attackers will decrypt the files is small.
#1859 Tech support scam page triggers DoS attack on Macs
Tech support scammers have been using various themes to push fake alerts to scare users into calling for assistance. These fall into the ‘browlock’ category if they are via the browser and into the screen lockers category if they are actual malware that runs on the system.

Recently, there has been a trend for scammers to cause denial-of-service attacks against people’s computers. We documented it in early November with a specific HTML5 API (history.pushState) which caused the browser to freeze. Today we take a quick look at yet another technique that targets Mac OS users running Safari.

A newly registered scam website targeting Mac users was making the rounds late last year. Simply visiting the malicious site on an older version of MacOS would start creating a series of email drafts, which eventually cause the machine to run out of memory and freeze.
#1858 Google patches severe Android boot mode vulnerability
Google has resolved a dangerous Android vulnerability which allowed attackers to reboot Nexus devices into custom boot modes, leading to spying and remote attacks.

Patched as part of Google's January Android security bulletin, the flaw, CVE-2016-8467, grants cyberattackers the ability to use PC malware or malicious chargers to reboot a Nexus 6 or 6P device and implement a special boot configuration, or boot mode, which instructs Android to turn on various extra USB interfaces.

According to IBM X-Force Application Security Research Team researchers Roee Hay and Michael Goberman, who revealed further details of the vulnerability in a blog post, the flaw gives attackers access to interfaces which offer additional control over a compromised device.
#1857 Web security and the OWASP top 10: The big picture
OWASP Top 10 "The Big Picture" is all about understanding the top 10 web security risks we face on the web today in an easily consumable, well-structured fashion that aligns to the number one industry standard on the topic today.
#1856 HTTPS scanning in Kaspersky antivirus exposed users to MITM attacks
Security vendor Kaspersky Lab has updated its antivirus products to fix an issue that exposed users to traffic interception attacks.

The problem was found by Google vulnerability researcher Tavis Ormandy in the SSL/TLS traffic inspection feature that Kaspersky Anti-Virus uses to detect potential threats hidden inside encrypted connections.

Like other endpoint security products, Kaspersky Anti-Virus installs a self-signed root CA certificate on computers and uses it to issue "leaf," or interception, certificates for all HTTPS-enabled websites accessed by users. This allows the product to decrypt and then re-encrypt connections between local browsers and remote servers.
#1855 Designer launches fabric to bamboozle facial recognition
Adam Harvey, the facial-recognition thwarting artist/technologist who brought us neon-blue hair hanging in our eyes and graphic black smears of makeup, admits that it can be, shall we say, aesthetically challenging to conceal a face.

Tell it to the guys from Tokyo’s National Institute of Informatics (NII) who came out with the Privacy Visor. That nose/eye-concealing face gadget was about as aesthetically pleasing as bug eyes with segmented antennae.

Harvey’s latest project is far more wearable. It’s called HyperFace, and it involves printing patterns of pixels on to clothing or textiles that look, to computers, like they could be faces, with eyes, noses, mouths and ears.
#1854 The FTC’s Internet of Things (IoT) challenge
One of the biggest cybersecurity stories of 2016 was the surge in online attacks caused by poorly-secured “Internet of Things” (IoT) devices such as Internet routers, security cameras, digital video recorders (DVRs) and smart appliances. Many readers here have commented with ideas about how to counter vulnerabilities caused by out-of-date software in IoT devices, so why not pitch your idea for money? Who knows, you could win up to $25,000 in a new contest put on by the U.S. Federal Trade Commission (FTC).

The FTC’s IoT Home Inspector Challenge is seeking ideas for a tool of some sort that would address the burgeoning IoT mess. The agency says it’s offering a cash prize of up to $25,000 for the best technical solution, with up to $3,000 available for as many as three honorable mention winner(s).
#1853 Android was 2016's most vulnerable product and Oracle with the most security bugs
With 2016 officially over, we can crown Android as 2016's product with the most vulnerabilities, and Oracle as the vendor with the most security bugs.

This statistic is based on the number of vulnerabilities reported by security researchers in the past year, bugs which have received a CVE identifier.

According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award."

Second place in this ranking went to Debian Linux with 319 vulnerabilities, while third place went to Ubuntu Linux with 278 CVEs.

The rest of the top 10 is made up by Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).
#1852 California law makes ransomware use illegal
It was nice to see the calendar turn over to 2017, for a lot of reasons, not the least of which is that on Jan. 1 a new law went into effect in California that outlaws the use of ransomware.

The idea of needing a new law to make a form of hacking illegal may seem counterintuitive, but ransomware is a case of criminals outflanking the existing laws. Ransomware emerged in a big way a few years ago and the law enforcement community was not prepared for the explosion of infections. While there have been takedowns of ransomware gangs, they often involve charges of money laundering or other crimes, not the installation of the ransomware itself.

In September, California Gov. Jerry Brown signed into law a bill that made the use of ransomware a crime, essentially a form of extortion. The law went into effect on Jan. 1.
#1851 Google patches 29 critical Android vulnerabilities including holes in Mediaserver, Qualcomm
Google has patched ten critical vulnerabilities tied to problem-plagued Android components like Mediaserver, NVIDIA’s GPU driver, and Qualcomm’s driver. The most serious bug, according to Google’s January Android Security Bulletin, is the Mediaserver vulnerability.

“The most severe of these issues is a critical security vulnerability (CVE-2017-0381) that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files,” according to the bulletin.
#1850 This ransomware targets HR departments with fake job applications
Cybercriminals are posing as job applicants as part of a new campaign to infect victims in corporate human resources departments with GoldenEye ransomware -- and they're even providing covering letters in an effort to lull targets into a false sense of security.

A variant of the Petya ransomware, GoldenEye targets human resources departments in an effort to exploit the fact that HR employees must often open emails and attachments from unknown sources.

Cybersecurity researchers at Check Point have been monitoring the campaign, which attempts to deliver ransomware to German targets using emails and attachments claiming to be from job applicants. The initial email contains a short message from the fake applicant, directing the victim to two attachments.
#1849 Exposed MongoDB installs being erased, held for ransom
Security researcher Victor Gevers, co-founder of the GDI Foundation, a non-profit dedicated to making the internet safer, is urging administrators to check their MongoDB installations, after finding nearly two hundred of them wiped and being held for ransom.

Currently, as of Monday morning, Gevers says he’s discovered 196 instances of a MongoDB installation exposed to the public that's been erased and held for ransom. UPDATE: The count has reached nearly 2,000 databases as of 4:00 p.m.

The person behind the attacks is demanding 0.2 BTC ($202.89 USD) as payment, and requiring that system administrators email proof of ownership before the files are restored. Those without backups are left in a bind.
#1848 State of the web 2016 (PDF)
In the last State of the Web report published in 2015, we uncovered two key findings: 1 in 3 domains in the Alexa top 1M are risky, and 1 in 5 domains run vulnerable software. In this report, we again focus on the Alexa top 1 million sites, but also factor in the risks associated with the 25 million requests to background sites that a browser makes when visiting these primary 1M sites. These background sites feed active content to the browser for the purposes of content delivery, trackers, beacons and ad-delivery.
#1847 Koolova ransomware decrypts for free if you read two articles about ransomware
There have been a lot of strange twists and turns when it comes to ransomware this month. First, we had Popcorn Time that gave you the option of screwing over people by infecting them to possibly get a free decryption key. Now, we have a new in-development variant of the Koolova Ransomware that will decrypt your files for free if you educate yourself about ransomware by reading two articles.

Discovered by security researcher Michael Gillespie, this in-development ransomware is not ready for prime time. In fact, I had to mess with it a bit and set up a local HTTP server to even get it to display the ransom screen.

In its functional state, Koolova will encrypt a victim's files and then display a screen similar to the Jigsaw Ransomware, where the text is slowly shown on the screen. This text will tell the victim that they must read two articles before they can get a decryption key. It then tells you that if you are too lazy to read two articles before the countdown gets to zero, like Jigsaw, it will delete the encrypted files. This is not an idle threat, as it actually does delete the files.
#1846 IoT in 2017: Why usage is going to grow, despite the security risks
Organisations are set to push ahead with increased adoption of Internet of Things devices during 2017, despite widespread concerns about the security of the products and their ability to protect the extra data they're capable of collecting.

While interest in the IoT continues to grow, concerns remain about the inherent lack of security within IoT devices, with vendors continuing to release products with little or no defence against cyberattacks, hacking, or being hijacked.

The figures, detailed in 451 Research's study, Voice of the Enterprise: Internet of Things (IoT) Organisational Dynamics, suggest that 71 percent of organisations are already gathering IoT data, with many set to increase their spending in the area.
#1845 This Android-infecting Trojan malware uses your phone to attack your router
A new form of Android Trojan malware is capable of attacking the routers controlling the wireless networks of its victims, thus leaving them vulnerable to further cyberattacks, fraud and data theft.

Dubbed Switcher Trojan, the malware uses unsuspecting Android device users as tools to redirect all traffic from Wi-Fi connected devices on the network into the hands of cybercriminal attackers.

The researchers at Kaspersky Lab said this is the first time Android malware has been used to attack routers like this. The malware attempts to infiltrate the router's admin interface by using a long, predefined list of password and login combinations - a task which is made easy if the router still uses easily crackable default credentials.
#1844 CNN uses screenshot from ‘Fallout 4’ to show how Russians hack things
The thing about computer hacking is that it’s such a general, far-reaching term that it’s almost impossible to explain to someone who isn’t already familiar with it. So, news networks who need b-roll footage to show while they’re talking about hacking usually just show keyboards or random strings of letters and numbers, while the audience stares blindly at the screen, assuming that whatever they’re looking at is somehow related to the topic. Or, if you’re CNN, you steal footage from one of the most popular video games of the year and hope that nobody watching will recognize it.
#1843 The biggest security threats coming in 2017
Whether it was a billion compromised Yahoo accounts or state-sponsored Russian hackers muscling in on the US election, this past year saw hacks of unprecedented scale and temerity. And if history is any guide, next year should yield more of the same.

It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year. And the more we can anticipate them, the better we can prepare. Here’s what we think 2017 will hold.
#1842 Buffer overflow explained
Ever heard of a buffalo overflow? Me neither. An information security officer (ISO) mentioned it to me once, and frankly I had to Google it. Apparently it’s related to an ancient Indian technique where hunters herded bison and drove them over a cliff, breaking their legs and rendering them immobile. Tribe members waiting below closed in with spears and bows to finish the kills. That's kinda cruel to be talking about. I think the ISO meant a buffer overflow though. That I can tell a thing or two about, so in this blog I will explain how a basic buffer overflow exploitation works.

A buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Writing data outside the allocated memory space boundaries may lead to a program crash and in some cases could even give an attacker the ability to change the program's application flow. In this blog I will show how a mini-application, written in C, can run arbitrary code by making use of a buffer overflow. I will use Microsoft Visual Studio 2013 to debug the application and I'll use Windows 8 as a host operating system. Please note that this blog only serves to give a basic explanation, therefore some modern protection mechanisms against buffer overflow exploitations will be disabled. This makes it somewhat easier to illustrate the basic mechanisms.
#1841 Critical flaw in PHPMailer library puts millions of websites at risk
A critical remote code execution vulnerability in PHPMailer, one of the most widely used PHP email sending libraries, could put millions of websites at risk of hacking.

The flaw was found by a security researcher named Dawid Golunski and an initial fix was included in PHPMailer 5.2.18, which was released Saturday. However, it turns out that the patch was incomplete and can be bypassed.

The PHPMailer library is used directly or indirectly by many content management systems (CMSs) including WordPress, Joomla and Drupal. Where the library is not included in their core code, it is likely available as a separate module or can be bundled with third-party add-ons.
#1840 The 10 biggest security incidents of 2016
2016 has been a challenging year for politics, public sanity and celebrity longevity, but also, for individuals and companies, a testing time in terms of online security. Pitted against increasingly sophisticated and targeted cybercriminals, it’s not been easy going, as these notable security incidents from the past 12 months reveal.
#1839 Updated Sundown exploit kit uses steganography
This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation.

Sundown is something of an outlier from typical exploit kits. It tends to reuse old exploits and doesn’t make an effort to disguise its activity. The URLs for Sundown requests for Flash files end in .swf, while Silverlight requests end in .xap. These are the normal extensions for these file types. Typically, other exploit kits make an effort to hide their exploits. In addition, Sundown doesn’t have the anti-crawling feature used by other exploit kits.
#1838 Android ransomware infects LG SmartTV
Security firms have been warning us for more than a year about the possibility of Android malware jumping from phones and tablets to other Android-powered devices, such as smart TVs.

The latest incident involving ransomware on a smart TV involves software engineer Darren Cauthon, who revealed that the LG smart TV of one of his family members was infected with ransomware right on Christmas day.

Based on a screenshot Cauthon posted online, the smart TV appears to be infected with a version of the Cyber.Police ransomware, also known as FLocker, Frantic Locker, or Dogspectus.
#1837 Ransomworm: the next level of cybersecurity nastiness
As if holding your data hostage and seeking cash payment weren’t harsh enough, security experts foresee the next stage of ransomware to be even worse.

Scott Millis, CTO at mobile security company Cyber adAPT, expects ransomware to spin out of control in the year ahead. That is an astounding statement when you consider that there were more than 4,000 ransomware attacks daily in 2016, according to Symantec’s Security Response group.

Corey Nachreiner, CTO at WatchGuard Technologies, predicts that 2017 will see the first ever ransomworm, causing ransomware to spread even faster.
#1836 Chrome will soon mark some HTTP pages as 'non-secure'
Beginning next month, Google will tag web pages that include login or credit card fields with the message "Not Secure" if the page is not served using HTTPS, the secure version of the internet protocol.

The company on Tuesday began sending messages through its Google Search Console, a tool for webmasters, warning them of the changes that take place starting in January 2017.

The changes are supported in version 56 or later of the Chrome browser.
#1835 Switcher: Android joins the ‘attack-the-router’ club
Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network. The trojan, dubbed Trojan.AndroidOS.Switcher, performs a brute-force password guessing attack on the router’s admin web interface. If the attack succeeds, the malware changes the addresses of the DNS servers in the router’s settings, thereby rerouting all DNS queries from devices in the attacked Wi-Fi network to the servers of the cybercriminals (such an attack is also known as DNS-hijacking). So, let us explain in detail how Switcher performs its brute-force attacks, gets into the routers and undertakes its DNS-hijack.
#1834 This low-cost device may be the world’s best hope against account takeovers
The past five years have witnessed a seemingly unending series of high-profile account take-overs. A growing consensus has emerged among security practitioners: even long, randomly generated passwords aren't sufficient for locking down e-mail and other types of online assets. According to the consensus, these assets need to be augmented with a second factor of authentication.

Now, a two-year study of more than 50,000 Google employees concludes that cryptographically based Security Keys beat out smartphones and most other forms of two-factor verification.

The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a "cryptographic assertion" that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms.
#1833 YubiKey for Windows Hello brings hardware-based 2FA to Windows 10
Yubico announced its plans to support Microsoft's Windows Hello platform back in September at the Ignite conference, with the goal of bringing strong, hardware-based authentication to Windows 10.

Finally, after nearly two months of waiting, the YubiKey for Windows Hello app has landed in the Windows Store. It's a strong solution for retrofitting the additional protection of Windows Hello on systems that don't have built-in support for facial recognition or fingerprint-based sign-in.

The new app requires a YubiKey, Yubico's USB-based device that generates an encrypted, one-time password. Enterprise admins have been using hardware-based authentication for years, making it impossible for phishing attacks and password database breaches to succeed. Even if someone successfully steals your credentials, they can't sign in without proving that they also have the physical device as a second form of identification.
#1832 Security Keys: practical cryptographic second factors for the modern web (PDF)
"Security Keys" are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single device and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google's online services. We show that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within Google and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the industry. Currently, Security Keys have been deployed by Google, Dropbox, and GitHub.
#1831 Is Mirai really as black as it’s being painted?
The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future.

To put this in perspective, recall the year 2012, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result of this, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public.

The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future.
#1830 The most dangerous people on the internet in 2016
Not so long ago, the internet represented a force for subversion, and WIRED’s list of the most dangerous people on the internet mostly consisted of rebellious individuals using the online world’s disruptive potential to take on the world’s power structures. But as the internet has entered every facet of our lives, and governments and political figures have learned to exploit it, the most dangerous people on the internet today often are the most powerful people.

A Russian dictator has evolved his tactics from suppressing internet dissent to using online media for strategic leaks and disinformation. A media mogul who rose to prominence on a wave of hateful bile now sits at the right hand of the president. And a man who a year ago was a reality television star and Twitter troll is now the leader of the free world.
#1829 Encrypted messaging app Signal uses Google to bypass censorship
Developers of the popular Signal secure messaging app have started to use Google's domain as a front to hide traffic to their service and to sidestep blocking attempts.

Bypassing online censorship in countries where internet access is controlled by the government can be very hard for users. It typically requires the use of virtual private networking (VPN) services or complex solutions like Tor, which can be banned too.

Open Whisper Systems, the company that develops Signal -- a free, open-source app -- faced this problem recently when access to its service started being censored in Egypt and the United Arab Emirates. Some users reported that VPNs, Apple's FaceTime and other voice-over-IP apps were also being blocked.
#1828 Disclosing the primary email address for each Facebook user
This post is going to be discussing how I was able to get the primary/hidden email address for any Facebook user. This also happens to be my first accepted bug to the Facebook Bug Bounty Program.
#1827 Danger close: Fancy Bear tracking of Ukrainian field artillery units
In June CrowdStrike identified and attributed a series of targeted intrusions at the Democratic National Committee (DNC) and other political organizations that utilized a well-known implant commonly called X-Agent. X-Agent is a cross-platform remote access toolkit; variants have been identified for various Windows operating systems, Apple’s iOS, and likely macOS. Also known as Sofacy, X-Agent has been tracked by the security community for almost a decade, and CrowdStrike associates the use of X-Agent with an actor we call FANCY BEAR. This actor to date is the exclusive operator of the malware, and has continuously developed the platform for ongoing operations which CrowdStrike assesses is likely tied to Russian Military Intelligence (GRU). The source code to this malware has not been observed in the public domain and appears to have been developed uniquely by FANCY BEAR.
#1826 New French law bars work email after hours
A new French law establishing workers’ “right to disconnect” goes into effect today. The law requires companies with more than 50 employees to establish hours when staff should not send or answer emails. The goals of the law include making sure employees are fairly paid for work, and preventing burnout by protecting private time.

French legislator Benoit Hamon, speaking to the BBC, described the law as an answer to the travails of employees who “leave the office, but they do not leave their work. They remain attached by a kind of electronic leash—like a dog.”
#1825 Changing other people's flight bookings is too easy
The travel booking systems used by millions of people every day are woefully insecure and lack modern authentication methods. This allows attackers to easily modify other people's reservations, cancel their flights and even use the refunds to book tickets for themselves, according to a team of researchers who analyzed this online ecosystem.

Karsten Nohl and Nemanja Nikodijevic from Berlin-based consultancy Security Research Labs have spent months investigating the security employed by the Global Distribution Systems (GDSs) that are used by travel agencies, airlines, hotels and car rental companies. They presented their findings Tuesday at the 33rd Chaos Communications Congress in Hamburg.