Security Alerts & News
by Tymoteusz A. Góral

History
#2041 Security lapse exposed New York airport's critical servers for a year
NEW YORK -- A security lapse at a New York international airport left its server backups exposed on the open internet for almost a year, ZDNet has found.

The internet-connected storage drive contained several backup images of servers used by Stewart International Airport, but neither the backup drive nor the disk images were password protected, allowing anyone to access their contents.

The airport, about 60 miles north of Manhattan, serves hundreds of thousands of passengers each year, and is regularly used by the military. The airport is known for accommodating charter flights of high-profile guests, including foreign dignitaries.
#2040 Watershed SHA1 collision just broke the WebKit repository, others may follow
Thursday's watershed attack on the widely used SHA1 hashing function has claimed its first casualty: the version control system used by the WebKit browser engine, which became completely corrupted after someone uploaded two proof-of-concept PDF files that have identical message digests.

The bug resides in Apache SVN, an open source version control system that WebKit and other large software development organizations use to keep track of code submitted by individual members. Often abbreviated as SVN, Subversion uses SHA1 to track and merge duplicate files. Somehow, SVN systems can experience a severe glitch when they encounter the two PDF files published Thursday, proving that real-world collisions on SHA1 are now practical.
#2039 Linus Torvalds on SHA1 and Git: 'The sky isn't falling'
The real worry about Google showing SHA-1 encryption is crackable, as pointed out by Peter Gutmann, a cryptography expert at the at the University of Auckland, New Zealand, is "with long-term document signing and certificates". But, what about the distributed version control system Git code repositories? Linus Torvalds, Linux and Git's inventor, doesn't see any real security headaches ahead for you.

Torvalds and other Linux kernel developers created Git in 2005 as Linux's distributed version control system. It's also used by multiple major companies including Facebook, Google, and Twitter, to manage their code-bases. Git is also used in GitHub, the world's most popular source code-management site. Even Microsoft uses GitHub. Indeed, Microsoft has more open-source developers than any other company on GitHub.
#2038 SHA1 collider
Quick-and-dirty PDF maker using the collision from the SHAttered paper.
#2037 Removing user admin rights mitigates 94% of all critical Microsoft vulnerabilities
Just by preventing access to admin accounts, a system administrator could safeguard all the computers under his watch and prevent attackers from exploiting 94% of all the critical vulnerabilities Microsoft patched during the past year.

This is the conclusion of a study carried out by cyber-security firm Avecto for the second year in a row, after, at the same time last year, it discovered that a sysadmin could mitigate 86% of all critical vulnerabilities Microsoft patched in 2015, just by taking the same action and disabling admin rights.

What this growth from 86% to 94% means is that the security of Microsoft products is getting better, if users would only start following industry best practices and stop using admin accounts for daily work.
#2036 List of sites possibly affected by Cloudflare's Cloudbleed HTTPS traffic leak
Between 2016-09-22 - 2017-02-18 session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day"
#2035 How security products are tested – part 1
The demand for tests appeared almost simultaneously with the development of the first antivirus programs – in the mid-to-late 1990s. Demand created supply: test labs at computer magazines started to measure the effectiveness of security solutions with the help of self-made methodologies, and later an industry of specialized companies emerged with a more comprehensive approach to testing methods.

The first primitive tests scanning huge collections of malicious and supposedly malicious files taken from everywhere were rightfully criticized first and foremost by the vendors. Such tests were characterized by inconsistent and unreliable results, and few people trusted them.
#2034 The real cost of ransomware: Attacks take most victims offline for at least a week
It only takes seconds for ransomware to block access to an entire network, but the vast majority of businesses remain locked out of crucial files and systems for a week or more, with the impact causing severe financial and reputational damage.

Data gathered from over a thousand businesses which have been victims of ransomware within the last year suggests that 85 percent of those infected by the malicious file encrypting software had their systems forced offline for at least a week, while a third of cases resulted in data being inaccessible for a month or more.

Worryingly, 15 percent of those targeted with ransomware found that their data was completely unrecoverable.
#2033 Google has demonstrated a successful practical attack against SHA1
Cryptographic hash functions like SHA-1 are a cryptographer’s swiss army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
#2032 State of cyber security 2017 (PDF)
A big part of cyber security is being prepared. You want to do as much as you can to prevent attackers from breaching your network. Defenders have all kinds of ways to make this work. They have firewalls. They have endpoint protection. They have password managers. They have security training and information resources. And they have all of these right at their fingertips. What defenders need more of, however, are solutions for when plans fail. Plans fail because what defenders keep ignoring is that there are people behind every cyber threat. Those people are 100% focused on getting around prevention mechanisms to hit their targets. And one of them will always find a way through.
#2031 UK police arrest suspect behind Mirai malware attacks on Deutsche Telekom
German police announced today that fellow UK police officers have arrested a suspect behind a serious cyber-attack that crippled German ISP Deutsche Telekom at the end of November 2016.

The attack in question, first reported by Bleeping Computer, caused over 900,000 routers of various makes and models to go offline after a mysterious attacker attempted to hijack the devices through a series of vulnerabilities.

Deutsche Telekom experts countered the attack on the same day by releasing a firmware update and asking customers to reboot devices so they could receive the new hardened firmware.
#2030 Released Android malware source code used to run a banking botnet
The new Android banking malware ESET recently discovered on Google Play was spotted in the wild again, targeting more banks. Further investigation of this resurfacing threat has uncovered its code was built using source code that was made public a couple of months ago.

The previous version was detected by ESET as Trojan.Android/Spy.Banker.HU (version 1.1 – as marked by its author in the source code) and reported on February 6th. The malware was distributed via Google Play as a trojanized version of a legitimate weather forecast application Good Weather. The trojan targeted 22 Turkish mobile banking apps, attempting to harvest credentials using phony login forms. Moreover, it could lock and unlock infected devices remotely, as well as intercept text messages.
#2029 Eleven-year-old root flaw found and patched in the Linux kernel
Linux system administrators should be on the watch for kernel updates because they fix a local privilege escalation flaw that could lead to a full system compromise.

The vulnerability, tracked as CVE-2017-6074, is over 11 years old and was likely introduced in 2005 when the Linux kernel gained support for the Datagram Congestion Control Protocol (DCCP). It was discovered last week and was patched by the kernel developers on Friday.

The flaw can be exploited locally by using heap spraying techniques to execute arbitrary code inside the kernel, the most privileged part of the OS. Andrey Konovalov, the Google researcher who found the vulnerability, plans to publish an exploit for it a few days.
#2028 Serious Cloudflare bug exposed a potpourri of secret customer data
Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.
#2027 Criminals monetizing attacks against unpatched WordPress sites
Criminals have inevitably begun to attempt to monetize attacks against WordPress sites still vulnerable to a severe REST API endpoint vulnerability silently patched in the recent 4.7.2 security update.

While more than one million websites have been defaced, researchers are now beginning to see some defacements leave behind links to rogue pharmaceutical websites trying to spam users into buying drugs or lure them into phishing scams for their payment card information.
#2026 Android ransomware requires victim to speak unlock code
Being a good listener is normally considered an admirable quality in a person; however, it isn’t a quality you necessarily want to find in a piece of malware. The latest variant of the Android ransomware threat Android.Lockdroid.E is a great listener. In fact, if you say the right things it might even give you back access to your phone. The threat uses speech recognition APIs and requires its victims to speak an unlock code instead of the traditional method of typing it in.

Once Android.Lockdroid.E infects a device it locks the user out using a SYSTEM type window and then displays a ransom note. The ransom note is written in Chinese and gives instructions on how to unlock the device. The note provides a QQ instant messaging ID to contact in order to receive further instructions on how to pay the ransom and receive an unlock code. Since the user’s device is locked, another device must be used to contact the cybercriminals behind the threat.
#2025 Cybercrime and other threats faced by the healthcare industry (PDF)
The healthcare sector has been the industry with the highest number of data breaches, followed by the government and retail sectors. In 2015, a total of 113.2 million healthcare-related records were stolen, which remains the highest number of stolen data from a breach in the healthcare industry so far. That year, however, was not the only time healthcare institutions were targeted. As early as 2012, healthcare institutions became victims of cyber attacks. The most common kind of attack is related to cybercrime in the form of data breaches. But there are other possible pathways for malicious actors to do harm to this poorly protected industry.

The biggest impact of health care record theft is noticeable in countries where most citizens have health insurance. In 2016, 91% of the U.S. population had health insurance. Therefore, any major breach in a healthcare organization in the U.S. could affect a great number of citizens.

One way that individuals are affected by a breach is when stolen personal data are used by cybercriminals to procure drugs, commit tax fraud, steal identities and commit other fraudulent acts. Victims of a data breach may not even be aware that their personal data has been stolen, or perhaps is being used in criminal acts.

The Internet of Things (IoT) simplifies a lot of processes and is celebrated as a great connector. However, this increased connectivity also has some pitfalls. With the help of Shodan, a search engine that lets you search for internet-connected devices, we explored what healthcare-related devices and networks are visible to practically anyone.

In this paper, we discuss several aspects of the healthcare threat surface. In the first part, we look at how the healthcare sector has evolved as a preferred target for cybercriminals. We try to understand how stolen medical records are monetized after a breach, what types of data are stolen, how much they are sold for on the underground markets, and how cybercriminals make use of them. The second part of this paper is dedicated to the analysis of Shodan scan data which reveals what healthcare-related devices and networks are connected to the internet and are visible to everyone, including cybercriminals.

Exposure on the internet, however, does not mean that these devices have been compromised or are even actually vulnerable to exploitation. In this research we purely show that certain devices are exposed online, which makes it easier to exploit if a vulnerability in the device software is found.
#2024 Read The Manual - a guide to the RTM banking trojan (PDF)
There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow.

The group discussed in this white paper is part of this new trend. We call this new group RTM it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.

In this paper, we cover the details of their tools, whom they target, and offer a rare glimpse into the type of operation they are carrying out.
#2023 Malware lets a drone steal data by watching a computer’s blinking LED
A few hours after dark one evening earlier this month, a small quadcopter drone lifted off from the parking lot of Ben-Gurion University in Beersheba, Israel. It soon trained its built-in camera on its target, a desktop computer’s tiny blinking light inside a third-floor office nearby. The pinpoint flickers, emitting from the LED hard drive indicator that lights up intermittently on practically every modern Windows machine, would hardly arouse the suspicions of anyone working in the office after hours. But in fact, that LED was silently winking out an optical stream of the computer’s secrets to the camera floating outside.

That data-stealing drone, shown in the video below, works as a Mr. Robot-style demonstration of a very real espionage technique. A group of researchers at Ben-Gurion’s cybersecurity lab has devised a method to defeat the security protection known as an “air gap,” the safeguard of separating highly sensitive computer systems from the internet to quarantine them from hackers. If an attacker can plant malware on one of those systems—say, by paying an insider to infect it via USB or SD card—this approach offers a new way to rapidly pull secrets out of that isolated machine. Every blink of its hard drive LED indicator can spill sensitive information to any spy with a line of sight to the target computer, whether from a drone outside the window or a telescopic lens from the next roof over.
#2022 Bitcoin trader hit by "severe DDoS attack" as bitcoin price nears all-time high
Top Bitcoin trading platform Bitfinex was hit yesterday late night by what its experts categorized as a "severe DDoS attack."

The attack hit around 21:30 UTC and lasted for about an hour before the Bitfinex crew managed to get everything under control.

While the DDoS attack didn't affect the Bitfinex API in the beginning, it was affected later on when Bitfinex turned security protections to the max to mitigate the DDoS attack. All services, the trading platform and the API, are now functional.
#2021 Blizzard ends support for Windows XP and Vista
If you took all the remaining Windows XP and Vista users in the world—a surprisingly robust 10 percent—and placed them in a Venn diagram with those that play Blizzard games, the intersection would likely be very, very small.

And yet, despite Microsoft ending mainstream support for XP and Vista in 2009 and 2012 (Windows XP limped on with security updates until 2014), Blizzard has continued to support World of Warcraft, StarCraft 2, Diablo 3, Hearthstone, and even Heroes of the Storm under the decrepit operating systems.
#2020 Rogue Chrome extension pushes tech support scam
Given Google Chrome’s popularity, it is no surprise to see it being more and more targeted these days. In particular, less than reputable ad networks are contributing to the distribution of malicious Chrome extensions via very deceptive means.

In this post we look at a forced installation of such an extension that eventually leads to more adverts being force fed into Chrome. And once you spin the malvertising roulette, anything can happen.
#2019 New crypto-ransomware hits macOS
Crypto-ransomware has been very popular lately amongst cybercriminals. While most of it targets the Windows desktop, we’ve also seen machines running Linux or macOS being compromised by ransomware in 2016 with, for example, KillDisk affecting Linux and KeRanger attacking OS X.

Early last week, we have seen a new ransomware campaign for Mac. This new ransomware, written in Swift, is distributed via BitTorrent distribution sites and calls itself “Patcher”, ostensibly an application for pirating popular software.
#2018 OpenSSL update fixes high-severity DoS vulnerability
The OpenSSL Software Foundation released an update to the OpenSSL crypto library that patches a vulnerability rated high severity that could allow a remote attacker to cause a denial-of-service condition.

OpenSSL released the version 1.1.0e update that fixes flaws found in OpenSSL 1.1.0, according to the OpenSSL Security Advisory issued last week. The United States Computer Emergency Response Team also alerted system admins of the issue last week.

According to OpenSSL, the vulnerability occurs during a renegotiation handshake procedure. “If the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers are affected,” according to the advisory.
#2017 Firefox users fingerprinted via cached intermediate HTTPS certificates
The way in which Firefox caches intermediate CA certificates allows a third-party to deduce various details about website visitors and also link advertising profiles to private browsing sessions.

Before we go on, it is important that non-technical users understand what is an intermediate CA certificate.

At the top of the entire HTTPS infrastructure we have root CAs (Certificate Authorities), which are companies such as Comodo, Symantec, DigiSign, and others.

For security reasons, root CAs generate intermediate certificates, instead of using the main root certificate. This way, when an intermediate CA certificate gets compromised, the root CA continues to operate and doesn't have to revoke and replace certificates for all its clients, but only a few.
#2016 The attack of the alerts and the zombie script
In our previous post we found a way to UXSS (bypass the SOP policy) using the htmlFile/ActiveXObject, however, I mentioned that there were other interesting things to do using that same object. Have you tried anything? If yes, congratulations. The only way to find bugs is by trying, and today we are going to explore another interesting thing that can be done with the same ActiveXObject.
#2015 Hacks all the time. Engineers recently found Yahoo systems remained compromised
Some five months after Yahoo disclosed a security breach that exposed sensitive data for 500 million accounts, some of its systems remained compromised, according to a report published Tuesday. The report said that in light of the hacks, Verizon would knock $350 million off the price it would pay to acquire Yahoo's Internet business.

"A recent meeting between technical staff of the two companies revealed that some of Yahoo’s systems were compromised and might be difficult to integrate with Verizon’s AOL unit," The Wall Street Journal reported, citing unnamed people. Verizon remains concerned that the breaches may hamper user engagement and in the process make the assets less valuable. Yahoo responded by cutting $350 million from the original $4.83 billion price tag, bringing the deal value to about $4.48 billion. It wasn't clear precisely when the meeting occurred.
#2014 CryptoMix: Avast adds a new free decryption tool to its collection
Avast now provides a decryption tool for ransomware CryptoMix (offline only)

In cooperation with researchers from CERT.PL, we are happy to announce the release of another decryptor tool, for the ransomware,CryptoMix. CryptoMix has multiple aliases, including CryptFile2, Zeta, or the most recent alias CryptoShield.
#2013 Microsoft Security Bulletin MS17-005 - Critical
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, and Windows Server 2016.

This security update is rated Critical. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10, Internet Explorer 11, and Microsoft Edge. For more information, see the Affected Software section.
#2012 Java and Python FTP attacks can punch holes through firewalls
The Java and Python runtimes fail to properly validate FTP URLs, which can potentially allow attackers to punch holes through firewalls to access local networks.

On Saturday, security researcher Alexander Klink disclosed an interesting attack where exploiting an XXE (XML External Entity) vulnerability in a Java application can be used to send emails.

XXE vulnerabilities can be exploited by tricking applications to parse specially crafted XML files that would force the XML parser to disclose sensitive information such as files, directory listings, or even information about processes running on the server.
#2011 IoT botnet bogs down college campus network
Verizon’s annual Data Breach Investigations Report is scheduled to come out soon, but the team released an incident involving a college campus being hit by an internet of things (IoT) botnet — a botnet that took control of 5,000 systems.

The Verizon RISK Team performs cyber investigations for hundreds of commercial enterprises and government agencies annually. In 2015, Verizon's team was retained to investigate more than 500 cybersecurity incidents occurring in over 40 countries. (See last year's cases.) As a sneak peek of its latest report, Verizon released a case of an unnamed university attacked by a botnet.

Senior members of the university’s help desk had been receiving an increasing number of complaints from students across campus about slow or inaccessible network connectivity. Even with limited access, the help desk had found a number of concerns. The name servers, responsible for Domain Name Service (DNS) lookups, were producing high-volume alerts and showed an abnormal number of sub-domains related to seafood, according to the Verizon report.
#2010 A glimpse into how much Google knows about Russian government hackers
A 2014 leaked private report from Google shows how much the internet giant knows about government hacking groups.

In October of 2014 an American security company revealed that a group of hackers affiliated with the Russian government, dubbed APT28, had targeted Georgia and other Eastern European countries in a wide-ranging espionage campaign. Two and a half years later, APT28—also known as "Fancy Bear" or "Sofacy"—is a household name not just in the cybersecurity industry, but in the mainstream too, thanks to its attack on the US Democratic party and the ensuing leaks of documents and emails.
#2009 Researchers discover self-healing malware that targets Magento stores
Dutch malware experts have found a new malware strain that targets online shops running on the Magento platform, which can self-heal using code hidden in the website's database.

While this is not the first web malware that hides code in the website's database, this is the first one that's written in SQL, as a stored procedure, in this case, a Mangeto database trigger operation.
#2008 Android phone hacks could unlock millions of cars
In the era of the connected car, automakers and third-party developers compete to turn smartphones into vehicular remote controls, allowing drivers to locate, lock, and unlock their rides with a screen tap. Some apps even summon cars and trucks in Knight Rider fashion. But phones can be hacked. And when they are, those car-connected features can fall into the hands of hackers, too.

That’s the troubling result of a test of nine different connected-car Android apps from seven companies. A pair of researchers from the Russian security firm Kaspersky found that most of the apps, several of which have been downloaded hundreds of thousands or over a million times, lacked even basic software defenses that drivers might expect to protect one of their most valuable possessions. By either rooting the target phone or tricking a user into installing malicious code, the researchers say, hackers could use any of the apps Kaspersky tested to locate a car, unlock it, and in some cases start its ignition.
#2007 Penetration testing tools cheat sheet
Penetration testing tools cheat sheet, a quick reference high level overview for typical penetration testing engagements. Designed as a quick reference cheat sheet providing a high level overview of the typical commands you would run when performing a penetration test. For more in depth information I’d recommend the man file for the tool or a more specific pen testing cheat sheet from the menu on the right.

The focus of this cheat sheet is infrastructure / network penetration testing, web application penetration testing is not covered here apart from a few sqlmap commands at the end and some web server enumeration.
#2006 A corporate inbox receives 4.3 times more malware than a regular inbox
Corporate email addresses are 4.3 more likely to receive malware compared to personal accounts, 6.2 times more likely to receive phishing lures, and 0.4 times less likely to receive spam.

These are statistics gathered by the Google Research team from analyzing over one billion emails that passed through Gmail, results that were presented yesterday at the RSA security conference in San Francisco.

The results of the study aren't that surprising, as corporate inboxes tend to contain more valuable information, which can be much more easily monetized on the Dark Web.
#2005 German parents told to destroy Cayla dolls over hacking fears
An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data.

The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications.

Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.

But the UK Toy Retailers Association said Cayla "offers no special risk".

In a statement sent to the BBC, the TRA also said "there is no reason for alarm".
#2004 USB Killer now lets you fry most Lightning and USB-C devices for $55
Remember the USB Killer stick that indiscriminately and immediately fries about 95 percent of devices? Well, now the company has released a new version that is even more lethal! And you can also buy an adaptor pack, which lets you kill/test devices with USB-C, Micro USB, and Lightning ports.
#2003 Google discloses another unpatched Windows vulnerability
Google Project Zero member Mateusz Jurczyk disclosed a gdi32.dll vulnerability in the Windows operating system to Microsoft on November 16, 2016.

The report itself is quite technical and it would go too far to go into details here on the site. The following describes the turn of events however.

Jurczyk disclosed issues with gdi32.dll to Microsoft back in March, 2016. He described methods back then that would allow attackers to exploit an issue in the dynamic link library. The issue was that records failed to perform exhaustive sanitization.
#2002 Permadelete: remove files securely on Windows PCs
Permadelete is a new open source program for Microsoft Windows devices that you may use to remove files securely from the PC.

The delete operation on Windows does not really do what the majority of users expects it to do. Instead of removing the contents of a file and its reference from the system, delete simply removes the reference but leaves the contents on the disk.

The parts of the disk are set to write again, so that data may overwrite the deleted file eventually. Until that is the case though, file recovery tools may recover the deleted files completely or partially.
#2001 Mongoaudit helps you secure MongoDB databases
A new tool developed by engineers at Stampery can help database administrators audit the security features of their current MongoDB installations, and take precautionary measures to prevent future exploitation.

The tool, named mongoaudit, was launched two weeks ago and works on Mac, Linux, and Windows 10, through the Bash for Windows 10 feature.

Mongoaudit is a CLI tool, so you'll have to be comfortable using console terminals in order to install and launch the application.
#2000 CyberX discovers large-scale cyber-reconnaissance operation targeting Ukrainian organizations
CyberX has discovered a new, large-scale cyber-reconnaissance operation targeting a broad range of targets in the Ukraine. Because it eavesdrops on sensitive conversations by remotely controlling PC microphones – in order to surreptitiously “bug” its targets – and uses Dropbox to store exfiltrated data, CyberX has named it “Operation BugDrop.”
#1999 PHP becomes first programming language to add modern cryptography library in its core
The PHP team has unanimously voted to integrate the Libsodium library in the PHP core, and by doing so, becoming the first programming language to support a modern cryptography library by default.

The proposal to embed Libsodium (also known as Sodium) into the PHP standard library came from Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, a man that has campaigned for stronger cryptography in PHP CMSes in the past.
#1998 Trends in Android ransomware (PDF)
2016 brought some interesting developments to the Android ransomware scene Ransomware is currently one of the most pressing cybersecurity issues across all platforms, including the most popular mobile one.

Authors of lock-screen types as well as file-encrypting “crypto-ransomware” have used the past 12 months to copycat effective techniques from desktop malware, as well as develop their own sophisticated methods specialized for targets running Android devices.

In addition to the most prevalent scare tactics used by lock-screen “police ransomware”, cybercriminals have been putting an increased effort into keeping a low profile, by encrypting and burying the malicious payload deeper into the infected apps.

In 2015, ESET observed that the focus of Android ransomware operators shifted from Eastern European to US mobile users However, last year demonstrated a growing interest by the attackers in the Asian market, as evidenced by the Jisut lock-screen, which began using a localized Chinese ransom message This increased activity can also be seen in the growing prevalence of this now notorious malware family, doubling in the previous 12 months.

In the first part of this paper, we provide a definition of ransomware, take a look at ESET’s detection telemetry to see the current trend for this cyber threat, and analyze malware specifics that apply to ransomware on Android The main section details the most noteworthy Android ransomware examples since 2014 The final chapter offers advice to Android users
#1997 EU privacy watchdogs say Windows 10 settings still raise concerns
European Union data protection watchdogs said on Monday they were still concerned about the privacy settings of Microsoft's Windows 10 operating system despite the U.S. company announcing changes to the installation process.

The watchdogs, a group made up of the EU's 28 authorities responsible for enforcing data protection law, wrote to Microsoft last year expressing concerns about the default installation settings of Windows 10 and users' apparent lack of control over the company's processing of their data.

The group - referred to as the Article 29 Working Party -asked for more explanation of Microsoft's processing of personal data for various purposes, including advertising.
#1996 Lazarus’ false flag malware
We continue to investigate the recent wave of attacks on banks using watering-holes on at least two financial regulator websites as well as others. Our initial analysis of malware disclosed in the BadCyber blog hinted at the involvement of the 'Lazarus' threat actor. Since the release of our report, more samples have come to light, most notably those described in the Polish language niebezpiecznik.pl blog on 7 February 2017.
#1995 New ASLR-busting JavaScript is about to make drive-by exploits much nastier
For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.

Now, researchers have devised an attack that could spell the end of ASLR as the world knows it now. The attack uses simple JavaScript code to identify the memory addresses where system and application components are loaded. When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides. The technique, which exploits what's known as a side channel in the memory cache of all widely used modern CPUs, is described in a research paper published on Wednesday. The researchers have dubbed the technique ASLR Cache or AnC for short.
#1994 Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
#1993 Windows 10 mobile bug exposes personal photos on locked devices
A Brazilian man named Wallace Da Paula has discovered a bug in Windows 10 Mobile OS that lets anyone with access to your phone bypass your lockscreen passcode and access the device's image gallery.

The bug requires no technical skills, and anyone can reproduce it in a few easy steps. All is needed is physical access to a device, and around 30 seconds to go through the steps.
#1992 Microsoft shelves all February security updates
Microsoft today took the unprecedented step of postponing an entire month's slate of security updates for Windows and its other products just hours before the patches were to begin rolling out to customers.

"We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today," Microsoft said in a post to the MSRC (Microsoft Security Research Center) blog. "After considering all options, we made the decision to delay this month's updates."

Today was set as Patch Tuesday, the monthly release of security fixes from Microsoft. Normally, Microsoft issues the updates around 10 a.m. PT (1 p.m. ET). Although Microsoft did not time stamp its blog post, the SAN Institute's Internet Storm Center (ISC) pointed out the delay at 8:22 a.m. PT (11:22 ET).
#1991 Researchers create new ransomware to target industrial systems
Ransomware is already a concern for the enterprise, educational facilities, and healthcare providers, and now cybersecurity researchers have demonstrated that it is no challenge for the malware family to take down the core infrastructure our cities need to operate.

On Monday, cybersecurity researchers from the Georgia Institute of Technology revealed the development of a new, custom form of ransomware which was created specifically with industrial systems in mind.

The malware and subsequent attack on a simulated water treatment plant were designed to highlight how cyberattackers could disrupt key services which cater to our critical needs, such as energy providers, water management utilities, heating, ventilation and air conditioning (HVAC) systems, or escalator controllers.
#1990 Security and privacy guidelines for the Internet of Things (IoT)
"Lately, I have been collecting IoT security and privacy guidelines. Here's everything I've found"
#1989 Mirai widens distribution with new Trojan that scans more ports
Late last year, in several high-profile and potent DDoS attacks, Linux-targeting Mirai (identified by Trend Micro as ELF_MIRAI family) revealed just how broken the Internet of Things ecosystem is. The malware is now making headlines again, thanks to a new Windows Trojan that drastically increases its distribution capabilities.

We predicted last year that the propagation of Mirai-like malware for DDoS attacks is set to increase—but this new Trojan focuses on spreading Mirai itself and not any mimic. In 2015 and 2016, Mirai relied on a type of brute-force attack, with bots constantly pinging IP addresses to pinpoint more potential victims. This newly-identified Windows Trojan (detected by Trend Micro as BKDR_MIRAI.A) helps find potential Mirai victims, and amplifies the Mirai bots distribution.
#1988 Marcher - Android banking Trojan on the rise
The past months many different banking Trojans for the Android platform have received media attention. One of these, called Marcher, seems to be especially active with different samples appearing on a daily basis. This malware variant also appears to be technically superior to many other banking Trojans being able to use its overlay attack even on Android 6, which has technical improvements compared to the previous Android versions to prevent such attacks.

The main infection vector is a phishing attack using SMS/MMS. The social engineering message includes a link that leads to a fake version of a popular app, using names like Runtastic, WhatsApp or Netflix. On installation, the app requests the user to provide SMS storage access and high Android privileges such as Device Admin. Other infection vectors include pornographic websites serving apps called Adobe Flash or YouPorn.
#1987 IBM integrates Watson into its security operations platform
IBM said Watson will be at the core of its cognitive platform for cybersecurity operations. In a nutshell, Watson will aim to ride shot gun with security analysts to defend against attacks.

Big Blue announced general availability of Watson for Cyber Security, an offering that has been tested with more than 40 customers over the last year. In that time, Watson has ingested more than 1 million security documents.

The aim is to help security analysts go through Watson's knowledge base with natural language. IBM is also integrating its X-Force Command Center network, which tracks security events.
#1986 Sage 2.0 ransomware delivered by Pandex spambot, mimics Cerber routines
Symantec Security Response has recently discovered the Sage 2.0 ransomware (Ransom.Cry) being delivered by the Trojan.Pandex spambot, which we have previously seen sending JS downloaders with spambots, banking Trojans, and ransomware as payloads. We have also recently observed Sage 2.0 sharing similar routines with the Cerber ransomware (Ransom.Cerber), although no link between the two malware families could be fully established.

Sage 2.0 evolved from Crylocker (Ransom.Cry), which emerged in September 2016, and continues to be used today. Sage was previously delivered through the Rig exploit kit (EK), but is now mostly delivered through spam. We have also seen Sage 2.0 being downloaded by the Trik botnet, which uses the Trojan.Wortrik malware to compromise computers.
#1985 New wave of cyberattacks against global banks linked to Lazarus cybercrime group
An aggressive campaign of malware attacks against dozens of banks across the globe has been linked to the notorious cybercriminal group known as Lazarus.

The hacking gang, active since 2009, has been involved in a number of aggressive cyberattacks against financial institutions, including the theft of $81m from the Bangladesh Bank's US Federal Reserve.

Now the group continues to be a thorn in the side of organisations across the globe as banks in 31 countries have been targeted in a new wave of attacks by Lazarus that began in October last year.

This latest wave of attacks came to light when a Polish bank discovered previously unknown malware on its network and shared indicators of compromise with other institutions, a number of which also found they'd fallen victim to the malware.
#1984 Now sites can fingerprint you online even when you use multiple browsers
Researchers have recently developed the first reliable technique for websites to track visitors even when they use two or more different browsers. This shatters a key defense against sites that identify visitors based on the digital fingerprint their browsers leave behind.

State-of-the-art fingerprinting techniques are highly effective at identifying users when they use browsers with default or commonly used settings. For instance, the Electronic Frontier Foundation's privacy tool, known as Panopticlick, found that only one in about 77,691 browsers had the same characteristics as the one commonly used by this reporter. Such fingerprints are the result of specific settings and customizations found in a specific browser installation, including the list of plugins, the selected time zone, whether a "do not track" option is turned on, and whether an adblocker is being used.
#1983 Ultranationalist developer behind SerbRansom ransomware
An ultranationalist developer from Serbia is behind a series of malware strains, including a new ransomware family named SerbRansom, discovered yesterday by security researcher MalwareHunter.

The ransomware itself is not a big threat at the moment, as it doesn't appear to be part of a mass distribution campaign. Additionally, the quality of its source code is also inferior to most ransomware families we've seen in the past.
#1982 Firefox Focus privacy scandal
Firefox Focus: the privacy browser, is a free mobile browser for iOS devices by Mozilla designed to protect user privacy while browsing the web.

The app "improves the privacy and performance" of a user's mobile browsing experience by "blocking analytics, social, and advertising trackers" according to the product description on Apple's iTunes website. It furthermore enables you to erase the browsing history, passwords and cookies easily.

A content blocker by Mozilla, makers of Firefox and known proponents of user rights and privacy? That's got to be good, right?

What you may not expect from the app, especially since it is designed to block analytic trackers, is that it is collecting data itself, and transfers the data it collects to third-party company Adjust.
#1981 Attackers target dozens of global banks with new malware
Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.

As reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.
#1980 ElcomSoft extracts deleted Safari browsing history from iCloud
Your browsing history represents your habits. You are what you read, and your browsing history reflects that. Your Google searches, visits to news sites, activities in blogs and forums, shopping, banking, communications in social networks and other Web-based activities can picture your daily activities. It could be that the browsing history is the most intimate part of what they call “online privacy”. You wouldn’t want your browsing history become public, would you?
#1979 Virally growing attacks on unpatched WordPress sites affect ~2m pages
Attacks on websites running an outdated version of WordPress are increasing at a viral rate. Almost 2 million pages have been defaced since a serious vulnerability in the content management system came to light nine days ago. The figure represents a 26 percent spike in the past 24 hours.

A rogues' gallery of sites have been hit by the defacements. They include conservative commentator Glenn Beck's glennbeck.com, Linux distributor Suse's news.opensuse.org, the US Department of Energy-supported jcesr.org, the Utah Office of Tourism's travel.utah.gov, and many more. At least 19 separate campaigns are participating and, in many cases, competing against each other in the defacements. Virtually all of the vandalism is being carried out by exploiting a severe vulnerability WordPress fixed in WordPress version 4.7.2, which was released on January 26. In an attempt to curb attacks before automatic updates installed the patch, the severity of the bug—which resides in a programming interface known as REST—wasn't disclosed until February 1.
#1978 Google Project Zero: How we cracked Samsung's DoD and NSA-certified Knox
Google's Project Zero hackers have detailed several high-severity flaws that undermined a core defense in Samsung's Knox platform that protects Galaxy handsets in the enterprise.

Since launching Knox in 2013, the platform has been certified for internal use by UK and US government departments, including the US DoD and NSA. Given these certifications, defense-in-depth mechanisms should be rock solid.

But according to Project Zero's Gal Beniamini, who last year tore apart Android's full disk encryption, a Knox hypervisor designed to protect the Linux kernel during runtime can be subverted multiple ways.
#1977 AthenaGo RAT uses Tor2Web proxy system to hide C&C server
Compared to other RATs, Cisco researchers say that AthenaGo has a few features that stand out on its own. First and foremost, Athena Go is the first RAT written in the Go programming language, albeit not the first malware.

Go malware is a little bit rarer, especially on Windows, but it's as effective as malware written in other programming languages.

The only downside, as Cisco researchers explained in a technical analysis of AthenaGo, is that Go binaries include a little bit more details that helps out researchers in detecting the malware's capabilities much easier.
#1976 DynA-Crypt not only encrypts your files, but also steals your info
A new ransomware called DynA-Crypt was discovered by GData malware analyst Karsten Hahn that not only encrypts your data, but also tries to steal a ton of information from a victim's computer. Ransomware and information stealing infections have become all-to-common, but when you combine the two into the complete mess that DynA-Crypt is, you are just left with a big pile of steaming **** that just makes a mess of a victim's programs and data.

The problem is that this ransomware is composed of numerous standalone executables and PowerShell scripts that just do not make sense in some of the actions they perform. It not only encrypts your files while stealing your passwords and contacts, but it also deletes files without backing them up anywhere.
#1975 Newly discovered flaw undermines HTTPS connections for almost 1,000 sites
Encrypted connections established by at least 949 of the top 1 million websites are leaking potentially sensitive data because of a recently discovered software vulnerability in appliances that stabilize and secure Internet traffic, a security researcher said Thursday.

The bug resides in a wide range of firewalls and load balancers marketed under the F5 BIG-IP name. By sending specially crafted packets to vulnerable sites, an attacker can obtain small chunks of data residing in the memory of connected Web servers. The risk is that by stringing together enough requests, an attacker could obtain cryptographic keys or other secrets used to secure HTTPS sessions end users have established with the sites, security researcher Filippo Valsorda told Ars.
#1974 Finding Ticketbleed
Ticketbleed (CVE-2016-9244) is a software vulnerability in the TLS stack of certain F5 products that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time, which can contain any kind of random sensitive information, like in Heartbleed.

If you suspect you might be affected by this vulnerability, you can find details and mitigation instructions at ticketbleed.com (including an online test) or in the F5 K05121675 article.
#1973 Google let scammers post a perfectly spoofed Amazon ad in its search results
Anyone who used Google search to look for Amazon, the internet retail giant, on Wednesday was likely served a malicious ad -- and didn't even realize it.

The good news is that unlike other rogue ads, your machine wasn't infected or served malware in any way.

But anyone who clicked on it would not have been sent to Amazon.com as they would have hoped, but instead, they were pointed to a fake Windows support scam posing as Microsoft.
#1972 The startup paying people to legally hack Uber, Nintendo, and Starbucks just got another $40 million to keep growing
HackerOne, a marketplace where companies can pay hackers to spot and fix security flaws in their software, has raised another $40 million in venture capital funding in a round led by Dragoneer Investment Group.

The technical term for what HackerOne does is offer "bug bounties." Google, Apple, Microsoft, and even less tech-y companies like United Airlines pay out millions to amateur and professional hackers every year — it's cheaper than the massive damages caused when an undiagnosed flaw turns into a malicious hacker's entry point.
#1971 Fileless attacks against enterprise networks
During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“.
#1970 Mirai gets a Windows version to boost distribution efforts
Security researchers have stumbled upon a Windows trojan that hackers are using to help with the distribution of the infamous Mirai Linux malware, used to infect IoT devices and carry out massive DDoS attacks.

The Mirai malware was initially developed in late 2015 and early 2016, and only became a massive threat in the summer and autumn of 2016, when it spread to hundreds of thousands of routers and DVRs (deployed with smart cameras and CCTV systems).

After crooks used a botnet of Mirai-infected devices to launch DDoS attacks on the KrebsOnSecurity blog, increased attention from law enforcement forced the malware's author to dump the Mirai source code online.

This move resulted in tens of Mirai variants popping up everywhere, which in turn helped hide the author's tracks, or so the author thought, until this Brian Krebs exposé.
#1969 This modular backdoor malware is now the most common threat to Android smartphones
It's taken a whole year for it to be dislodged, but Hummingbad has finally been overtaken as the leading form of mobile malware.

The Hummingbad Android malware is still likely making its creators hundreds of thousands of dollars a month, and continues to infect millions of devices, but the Triada malware has taken the top spot in the first month of the year, Check Point's Threat Impact Index for January has revealed.

Triada is a modular backdoor for Android which grants the malicious actor super-user privileges on the infected device, allowing them to download additional malware and spoof URLs. It's been the second most prolific malware behind Hummingbad for some time, but now crooks have been able to make it the most prolific form of mobile malicious software.
#1968 Mac malware, possibly made in Iran, targets US defense industry
Just because you’re using a Mac doesn’t mean you’re safe from hackers. That’s what two security researchers are warning, after finding a Mac-based malware that may be an attempt by Iranian hackers to target the U.S. defense industry.

The malware, called MacDownloader, was found on a website impersonating the U.S. aerospace firm United Technologies, according to a report from Claudio Guarnieri and Collin Anderson, who are researching Iranian cyberespionage threats.

The fake site was previously used in a spear phishing email attack to spread Windows malware and is believed to be maintained by Iranian hackers, the researchers claimed.

Visitors to the site are greeted with a page about free programs and courses for employees of U.S. defense companies Lockheed Martin, Raytheon, and Boeing.
#1967 100,000+ WordPress webpages defaced as recently patched vulnerability is exploited
Two weeks ago WordPress 4.7.2 was released, and website administrators running self-hosted versions of the hugely popular CMS and blogging platform were advised to update their systems as a matter of urgency.

What we didn’t know at the time was just how important that WordPress update was.

Last week, WordPress revealed that 4.7.2 had secretly included a fix for an undisclosed critical vulnerability.

If left unpatched, the vulnerability could allow a malicious attacker to modify the content of any post or page on a WordPress site.

The reason the vulnerability wasn’t made public at the time of WordPress 4.7.2’s release was the very real worry that malicious hackers might race to exploit the flaw, attacking millions of blogs and company websites.
#1966 Russians engineer a brilliant slot machine cheat and casinos have no fix
In early June 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.
#1965 As Valve eradicates serious bug in Steam, here’s what you need to know
Steam, an online game platform with more than 125 million active accounts, is in the process of fixing a serious security hole that opens users to hacks that could redirect them to attack sites, spend their market funds, or possibly make malicious changes to their user profiles.

As this post was going live, employees with Valve, the company that develops Steam, were reportedly in the process of fixing the bug. Unconfirmed posts such as this one reported that the cross-site scripting hole had been patched on the initial activity feed pages but not on subsequent pages. Valve representatives didn't respond to e-mails seeking comment for this post.
#1964 How to stop your SmartTV from spying on you
This week, Vizio, which makes popular, high-quality, affordable TV sets, agreed to pay a $2.2 million fine to the FTC. As it turns out, those same TVs were also busily tracking what their owners were watching, and shuttling that data back to the company’s servers, where it would be sold to eager advertisers.

That’s every bit as gross as it sounds, but Vizio’s offense was one of degree, not of kind. While other smart TV platforms don’t sell your viewing data at the IP level to the highest bidder without consent, like Vizio did, many do track your habits on at least some level. And even the companies that have moved on from ACR—like LG when it embraced webOS—have older models that liberally snoop.

But good news! There are ways to keep your smart TV from the prying eyes of the company that made it. In fact, there’s one absurdly easy way that will work for any television you can buy. Let’s start there.
#1963 Dozens of popular iOS apps vulnerable to intercept of TLS-protected data
While developing a tool for evaluating mobile application security, researchers at Sudo Security Group Inc. found out something unexpected. Seventy-six popular applications in Apple's iOS App Store, they discovered, had implemented encrypted communications with their back-end services in such a way that user information could be intercepted by a man-in-the-middle attack. The applications could be fooled by a forged certificate sent back by a proxy, allowing their Transport Layer Security to be unencrypted and examined as it is passed over the Internet.

The discovery was initially the result of bulk analysis done by Sudo's verify.ly, a service that performs bulk static analysis of application binaries from Apple's App Store. Will Strafach, president of Sudo, verified the applications discovered by the system were vulnerable in the lab, using a network proxy configured with its own Secure Socket Layer certificate.
#1962 Microsoft hosts the Windows source in a monstrous 300GB Git repository
Git, the open source distributed version control system created by Linus Torvalds to handle Linux's decentralized development model, is being used for a rather surprising project: Windows.

Traditionally, Microsoft's software has used a version control system called Source Depot. This is proprietary and internal to Microsoft; it's believed to be a customized version of the commercial Perforce version control system, tailored for Microsoft's larger-than-average size. Over the years, Redmond has also developed its own version control products. Long ago, the company had a thing called SourceSafe, which was reputationally the moral equivalent to tossing all your precious source code in a trash can and then setting it on fire thanks to the system's propensity to corrupt its database. In the modern era, the Team Foundation Server (TFS) application lifecycle management (ALM) system offered Team Foundation Version Control (TFVC), a much more robust, scalable version control system built around a centralized model.
#1961 InterContinental confirms breach at 12 hotels
InterContinental Hotels Group (IHG), the parent company for thousands of hotels worldwide including Holiday Inn, acknowledged Friday that a credit card breach impacted at least a dozen properties. News of the breach was first reported by KrebsOnSecurity more than a month ago.

In a statement issued late Friday, IHG said it found malicious software installed on point of sale servers at restaurants and bars of 12 IHG-managed properties between August and December 2016. The stolen data included information stored on the magnetic stripe on the backs of customer credit and debit cards — the cardholder name, card number, expiration date, and internal verification code.

A list of the known breached locations is here. IHG said cards used at the front desk of these properties were not affected.
#1960 Darknet follows Google's bug bounty lead: But this cash is for flaws that expose shady traders
To keep its customers out of trouble, Hansa, a popular darknet marketplace for selling illicit goods, is following legitimate businesses by paying researchers for reporting security flaws.

It is one of many darknet marketplaces seeking to meet demand for anonymous trading once offered by fallen drugs bazaar Silk Road. With its buyers and sellers likely to be of interest to law-enforcement agencies as well as hackers, Hansa announced on Reddit last week that it had launched a bitcoin bug bounty to keep clients safe.

Bug bounties are gaining in popularity in the world of legitimate business as a means of improving product security.
#1959 Polish banks infected with malware hosted on their own government's site
Several Polish banks said they suffered malware infections after their employees visited the site of the Polish Financial Supervision Authority (KNF), which had been previously infected to host a malicious JavaScript file.

Zaufana Trzecia Strona, a local Polish news site, first reported the attacks late Friday, last week. The news site said that during the past week, the security teams at several, yet unnamed, Polish banks detected downloads of suspicious files and encrypted traffic going to uncommon IPs situated in many foreign countries.

As employees at different banks started looking into their systems, they found malware installed on numerous workstations and even some servers.
#1958 Vizio: The spy in your TV
Vizio, with its Smart Interactivity feature, had gathered data from more than 11 million smart TVs. This Smart Interactivity "feature" worked by watching what you watch. It didn't matter where your content was coming from -- cable, streaming, DVD players, or over-the-air (OTA) broadcasts -- Vizio got it all.

Vizio began snooping on your TV watching in 2014. The company even allegedly retrofitted older models by installing its tracking software remotely. All of this, the FTC said, was done without telling consumers or getting their consent.
#1957 A hacker just pwned over 150,000 printers left exposed online
A grey-hat hacker going by the name of Stackoverflowin says he's pwned over 150,000 printers that have been left accessible online.

Speaking to Bleeping Computer, the hacker says he wanted to raise everyone's awareness towards the dangers of leaving printers exposed online without a firewall or other security settings enabled.
#1956 SQL Slammer comeback
SQL Slammer is a computer worm that first appeared in the wild in January 2003, and caused a denial of service condition on tens of thousands of servers around the world. It did so by overloading Internet objects such as servers and routers with a massive number of network packets within 10 minutes of its first emergence.

The worm exploits a buffer overflow vulnerability in Microsoft SQL Server 2000 or MSDE 2000 by sending a formatted request to UDP port 1434. After the server is infected, it attempts to spread rapidly by sending the same payload to random IP addresses, causing a denial of service condition on its targets. This vulnerability was discovered by David Litchfield several months before Slammer first launched. Accordingly, Microsoft released a patch, but many installations had not been patched before Slammer’s first appearance.
#1955 Op-ed: Windows 10 0day exploit goes wild, and so do Microsoft marketers
There's a zero-day exploit in the wild that exploits a key file-sharing protocol in most supported versions of Windows, including Windows 10, the latest and most secure version of the Microsoft operating system. The exploit is probably not worth worrying about, but you'd never know that based on the statement Microsoft officials issued on Thursday when asked what kind of threat the exploit poses:

"Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible," an unnamed spokesperson replied in an e-mail. "We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection."
#1954 Metasploit security kit now hacks IoT devices, hardware
The popular Metasploit hacking kit has been upgraded to tackle today's Internet of Things (IoT) devices, granting researchers the opportunity to scour for bugs in modern vehicles.

Rapid7 Research director of transportation security Craig Smith announced on February 2 that the Metasploit framework can now link directly to hardware, permitting users to develop exploits to test their hardware and conduct penetration testing with less time wasted.

It is hoped that researchers will no longer have to build multiple tools to test today's modern devices and overcome previous network limitations.

"Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware," Smith says.
#1953 Gmail no longer supporting Chrome Browser version 53 and below
Starting February 8, 2017, we will show a banner at the top of the Gmail interface for users who are still on Google Chrome Browser v53 and below to encourage upgrading to the latest version of Chrome, currently on version 55. Chrome Browser v55 contains several important security updates.

Gmail users that are still on Windows XP and Windows Vista are the most likely to be affected, because v49 was the last released version which supported those operating systems. As previously announced in April 2015 and November 2015, these systems are no longer maintained by Microsoft, and we strongly encourage you to migrate to more secure and supported systems.
#1952 Free ransomware decryption tools
"Our free ransomware decryption tools can help decrypt files encrypted by the following forms of ransomware. Just click a name to see the signs of infection and get our free fix."
#1951 Hacker dumps iOS cracking tools allegedly stolen from Cellebrite
The hacker says this demonstrates that when organizations make hacking tools, those techniques will eventually find their way to the public.

In January, Motherboard reported that a hacker had stolen 900GB of data from mobile phone forensics company Cellebrite. The data suggested that Cellebrite had sold its phone cracking technology to oppressive regimes such as Turkey, the United Arab Emirates, and Russia.

Now the hacker responsible has publicly released a cache of files allegedly stolen from Cellebrite relating to Android and BlackBerry devices, and older iPhones, some of which may have been copied from publicly available phone cracking tools.
#1950 DDoS attacks in Q4 2016
Without doubt, 2016 was the year of Distributed Denial of Service (DDoS) with major disruptions in terms of technology, attack scale and impact on our daily life. In fact, the year ended with massive DDoS attacks unseen before, leveraging Mirai botnet technology, whose first appearance was covered in our last DDoS Intelligence Report.

Since then, we have published several other detailed reports dedicated to major attacks on Dyn’s Domain Name System (DNS) infrastructure, on Deutsche Telekom, which knocked 900K Germans offline in November. Additionally, we tracked similar attacks on Internet service providers (ISPs) in Ireland, the United Kingdom and Liberia all leveraging IoT devices controlled by Mirai technology and partly targeting home routers in an attempt to create new botnets.
#1949 Windows DRM files used to decloak Tor browser users
Downloading and trying to open Windows DRM-protected files can deanonymize Tor Browser users and reveal their real IP addresses, security researchers from Hacker House have warned.

Attacks using DRM-protected multimedia files in Windows have been known since 2005, but until recently, they've only been used to spread malware.

Past attacks tried to lure users into opening and playing DRM-protected files. In default scenarios, these files would open in the Windows Media Player, and users would see a popup that asked them to visit a URL to validate the file's license.

Users who agreed were redirected to an "authorization URL." Unknown to users is that malware authors could modify these links and point users to exploit kits or malware-laced files.
#1948 Cisco Prime Home authentication bypass vulnerability
A vulnerability in the web-based GUI of Cisco Prime Home could allow an unauthenticated, remote attacker to bypass authentication and execute actions with administrator privileges.

The vulnerability is due to a processing error in the role-based access control (RBAC) of URLs. An attacker could exploit this vulnerability by sending API commands via HTTP to a particular URL without prior authentication. An exploit could allow the attacker to perform any actions in Cisco Prime Home with administrator privileges.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
#1947 Ransomware completely shuts down Ohio town government
In another interesting example of what happens when you don’t manage your backups correctly, the Licking County government offices, including the police force, have been shut down by ransomware. Although details are sparse, it’s clear that someone in the office caught a bug in a phishing scam or by downloading it and now their servers are locked up.

Wrote Kent Mallett of the Newark Advocate:

"The virus, accompanied by a financial demand, is labeled ransomware, which has hit several local governments in Ohio and was the subject of a warning from the state auditor last summer.

All county offices remain open, but online access and landline telephones are not available for those on the county system. The shutdown is expected to continue at least the rest of the week."
#1946 Identity theft, credit card fraud cost US consumers $16 billion in 2016
Instances of identity theft and credit card fraud climbed to record levels last year, according to a new study from research firm Javelin Strategy & Research.

The study found that the number of identify fraud cases rose 16 percent in 2016, costing victims a record-setting $16 billion in loses. The firm estimates that around 15.4 million US consumers were affected by fraud -- nearly 2 million more than in 2015.
#1945 HTTPS adoption has reached the tipping point
Troy Hunt: That's it - I'm calling it - HTTPS adoption has now reached the moment of critical mass where it's gathering enough momentum that it will very shortly become "the norm" rather than the exception it so frequently was in the past. In just the last few months, there's been some really significant things happen that have caused me to make this call, here's why I think we're now at that tipping point.
#1944 Google Chrome engineer says Windows Defender “the only well behaved AV”
Some engineers from Google are actually saying some nice things about Microsoft for a change. The comments are contained in and around a thread started by “Anti-virus, malware and infosec expert” @VessOnSecurity, regarding an ex-Mozilla employee’s rant a few days ago imploring people to “Disable Your Antivirus Software (Except Microsoft’s).”

Apparently the disdain for 3rd party AV solutions runs deep amongst browser developers, as in response to the threads a Google engineer, Justin Schuh, had this to say:

"Browser makers don't complain about Microsoft Defender because we have tons of empirical data showing that it's the only well behaved AV."
#1943 Misconfigured firewall blamed for hospital ransomware infection
A ransomware attack which took a hospital offline for four days and resulted in the cancellation of 2,800 patient appointments has been blamed on a misconfigured firewall.

The Northern Lincolnshire and Goole NHS Foundation Trust declared a "major incident" after a "computer virus" infected its systems on Sunday, 30 October, and full service didn't resume until Wednesday, 2 November.

Clinical systems across the Trust's three hospitals were shut down as staff attempted to contain the incident, which was later revealed to have been caused by a Globe2 ransomware infection. Northern Lincolnshire said it didn't pay cybercriminals a ransom in order to restore its systems.
#1942 How to succeed in online investigations and digital forensics
Maltego, the tool best known for deep data mining and link analysis, has helped law enforcement and intelligence agencies, banking organizations, financial institutions and others in security-related work since it was released in 2008.

To benefit from using Maltego, come to SAS 2017 for intensive Digital Intelligence Gathering training from the experts who created the tool from scratch: there won’t be any questions that they can’t answer. The course runs for two days, from April 1st and 2nd 2017 on St. Maarten. Book a seat now — the class is limited to 15 people maximum!
#1941 Apple takes down iCloud activation lock page after disclosure of security flaw
Following the public disclosure of a security flaw in the iCloud Activation Lock web page that allowed phone thieves to reactivate devices to other Apple user accounts, the company has decided to shut down the page for the time being.

For years, the iCloud Activation Lock web page has allowed users looking to buy a new Apple device to check and see if the device has been locked by its previous owner, a clear sign that the device has been stolen.

Users only had to enter the device's IMEI code or serial number and get a result within seconds.
#1940 Microsoft: Windows 10 will stop a ransomware epidemic when antivirus fails
When your antivirus fails to block ransomware, Windows 10 still can stop it becoming a major outbreak on the corporate network, according to Microsoft.

It argues that ransomware is one more reason organizations need to move to Windows 10 enterprise, whose built-in Windows Defender Advanced Threat Protection (ATP) can nip ransomware breaches in the bud before they become a nightmare, even if desktop antimalware happens to miss a single instance.

The company has presented new research into the Cerber family of file-encryptors, which dominated ransomware encounters on enterprise end-points between December 16 and January 15, and how Windows Defender ATP countered the threat.
#1939 Securing your home routers - understanding attacks and defense strategies (PDF)
When Mirai first came into the picture last year, it dispelled the notion that the attack scenarios on Internet of Things (IoT) devices were merely a proof of concept (PoC). After all, Mirai’s widespread attacks on organizations and users revealed how vulnerable IoT devices, like home routers and IP cameras, can be abused for cybercriminal activities. On top of that, those attacks showed how users unknowingly became accomplices to these crimes. Since then, new strains of Mirai variants continued to make waves. Some of the unique features for each strain include domain generation algorithm (DGA) capabilities, which would make this IoT botnet almost impenetrable for takedowns by law enforcement. A security flaw in Simple Object Access Protocol (SOAP) was also exploited, possibly affecting at least 5 million home routers (as of November 30, 2016) with Mirai.
#1938 Witcher 3 dev forums hacked, 1.8 million accounts stolen
Usernames, passwords and email addresses stolen from the CD Projekt RED forum

Polish game development studio CD Projekt RED has had more than 1.8 million user credentials stolen from its online forum, according to data breach notification website 'Have I Been Pwned?'.

The studio, which is famous for developing the highly successful Witcher franchise, was breached in March 2016 when hackers targeted its online forum, leading to a leak of usernames, passwords and email addresses.

Those signed up to notifications through Have I Been Pwned? were alerted to the breach by email this morning, with users recommended to change their passwords "immediately".
#1937 Security flaws in Pentagon systems "easily" exploited by hackers
Several misconfigured servers run by the US Dept. of Defense could allow hackers easy access to internal government systems, a security researcher has warned.

The vulnerable systems could allow hackers or foreign actors to launch cyberattacks through the department's systems to make it look as though it originated from US networks.

Dan Tentler, founder of cybersecurity firm Phobos Group, who discovered the vulnerable hosts, warned that they are so easy to find that he believes he was likely not the first person to find them.
#1936 Cisco updates Tetration analytics platform, aims to automate security policies
Cisco is rolling out a new version of its Tetration Analytics platform to better automate security policies and move companies to so-called blacklist approaches to ones that are white list.

A blacklist approach means an enterprise allows entry into networks by default. A white list approach refers to blocking all network traffic unless approved via a security policy. Most companies are somewhere in the middle as they try and balance agility and security.

Yogesh Kaushik, senior director of product management for Tetration, said the industry is moving more toward a white list approach. "There's a shift happening in the industry toward a better security posture," said Kaushik. The catch is these security policies need to be automated.
#1935 GitLab.com melts down after wrong directory deleted, backups fail
Source-code hub Gitlab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

On Tuesday evening, Pacific Time, the startup issued the sobering series of tweets listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.
#1934 EyePyramid and a lesson on the perils of attribution
In the past weeks, information-stealing malware EyePyramid made headlines after it was used to steal 87GB of sensitive data from government offices, private companies and public organizations. More than 100 email domains and 18,000 email accounts were targeted, including those of high-profile victims in Italy, the U.S., Japan and Europe.

The natural assumption for many would be that EyePyramid was a state-sponsored cyberespionage campaign. It wasn’t. It was ultimately attributed to a brother-sister team who used the malware for profit.
#1933 Ransomware disrupts Washington DC's CCTV system
About 70 percent of the cameras hooked up to the police's closed-circuit TV (CCTV) system in Washington, D.C., were reportedly unable to record footage for several days before President Trump's inauguration due to a ransomware attack.

The attack affected 123 of the 187 network video recorders that form the city's CCTV system, the Washington Post reported Saturday. Each of these devices is used to store video footage captured by up to four cameras installed in public spaces.
#1932 Many Android VPN apps breaking privacy promises
An alarming number of Android VPNs are providing a decidedly false sense of security to users, especially those living in areas where communication is censored or technology is crucial to the privacy and physical security.

A study published recently identified a number of shortcomings common to high percentages of 238 mobile VPN apps analyzed by a handful of researchers. Users downloading and installing these apps expecting secure communication and connections to private networks are instead using apps that lack encryption, are infected with malware, intercept TLS traffic, track user activity, and manipulate HTTP traffic.
#1931 Netgear exploit found in 31 models lets hackers turn your router into a botnet
You might want to upgrade the firmware of your router if it happens to sport the Netgear brand. Researchers have discovered a severe security hole that potentially puts hundreds of thousands of Netgear devices at risk.

Disclosed by cybersecurity firm Trustwave, the vulnerability essentially allows attackers to exploit the router’s password recovery system to bypass authentication and hijack admin credentials, giving them full access to the device and its settings.
#1930 Nicolas Brulez on malware reverse engineering tips and tricks (audio)
Kaspersky Lab Principal Security Researcher Nico Brulez talks with Ryan Naraine about his upcoming SAS 2017 training on the ins and outs of malware reverse engineering and how attendees can benefit for a wide range of tips and tricks.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12