US: Rule 41 'mass hacking' change goes into effect
On December 1, the controversial law known as 'Rule 41' took effect, effectively giving US law enforcement authorities the ability to hack thousands of devices with a single warrant. A bipartisan effort by senators to take a vote and delay the implementation of the law was rebuffed by Senate leaders.
Rule 41 is promoted by its backers as being a practical, efficient response to modern online crimes, particularly botnets or mass infections which may involve multiple devices in multiple jurisdictions. Privacy and civil rights advocates however have highlighted that law enforcement authorities do not themselves have spotless track records in handling privacy or security concerns, and the new law does not clarify the legal framework around what is essentially government hacking.
Grizzly Steppe report released on US election hacking
The US Department of Homeland Security and Federal Bureau of Investigations (FBI) jointly released a report entitled Grizzly Steppe, which details the hacking of the Democratic National Convention (DNC) and other recent attacks thought to be the work of Russian-backed hacking groups.
While the report was produced in response to President Obama's request for a full review of intelligence related to the recent US election hacks, security researchers expressed disappointment over the report itself, highlighting a lack of supporting evidence to strongly link the attacks to Russian agents, as well as a lack of any data that could be useful for system administrators trying to harden their networks against attacks.
US expels Russian diplomats over election hacking
35 Russian diplomats have been expelled from the United States in retaliation for what US intelligence believes to be Russian efforts to meddle in the nation's recent presidential elections.
The expulsion are part of a package of punitive actions announced by President Obama, which include sanctions on a number of individuals and entities, in particular the two Russian state intelligence services. Also as part of the retaliatory measures, Russian officials are to be denied access to two recreational compounds located in Maryland and New York that are said to have been used for intelligence-gathering purposes.
In a surprise move, Russian President Vladimir Putin has announced that US diplomats will not be expelled from Russia in the usual reciprocal diplomatic action. He went on to say that he would wait until president-elect Trump takes office on January 20 to see what the new administration would do.
China: stringent cybersecurity law passed
China has passed new regulations that impose stringent data storage, surveillance, content and identity requirements on digital technoloy services operating in the country, causing unease among foreign companies concerned about potential conflicts over data security and privacy.
The new legislation, which will go into effect in June 2017, will among other things require that users sign up for services using their real name and personal information; that companies store data related to Chinese users on servers in the country; and that the companies will render both access to data and any necessary assistance to authorities for national security and criminal investigations.
- Bloomberg: China Adopts Cybersecurity Law Despite Foreign Opposition
- Wall Street Journal: China's New Cybersecurity Law Rattles Foreign Tech Firms
- Techcrunch: China's new cybersecurity law is bad news for business
Thailand: plans to tighten cybersecurity
The military government in Thailand is moving ahead with legislation that introduces new measures which critics say would give the state agencies increased powers to monitor the behavior of Thai citizens online.
The proposed amendments to the country's Computer Crimes Act are would reportedly allow officials to obtain user data from service providers without court approval, seize computer equipment and remove or suspend sites that is thought to contravene social or moral norms. Opponents of the amendments have expressed concerns that the legislation would be used to crack down on anti-government sentiment, among other forms of online speech.
US: Rule 41 'mass hacking' bill delayed
Lawmakers in the United States have made a bipartisan effort to delay proposed amendments to Rule 41 of the Federal Rules of Criminal Procedure legislation, a procedural rule change that would allow judges to give warrants to law enforcement officers permitting them to hack devices in any jurisdiction.
If not blocked by Congress, the amendment will automatically go into effect on 1 Dec 2016, though a bill known as the Review the Rule Act is currently being proposed to delay the change until July 2017.
- SC Magazine: Tech groups petition lawmakers to delay Rule 41 changes
- Naked Security: Campaigners bid to delay Rule 41 'legal hacking' bill
- ZDNet: As Rule 41 deadline looms, an "expansion" of FBI hacking powers looks likely
- Motherboard: The FBI Hacked Over 8,000 Computers In 120 Countries Based on One Warrant
UK: 'Snoopers' charter' mass surveillance bill passed
The Investigatory Powers Act 2016 has been passed in the UK, providing government authorities in the country with the power to access data about the online activities of UK citizens in the last one year.
According to reports, the new law will require Internet Service Providers (ISPs) to record all their customer's web history for a year and allow the data to be accessed by the authorities; it will also require that companies decrypt data when required to do so and give intelligence agencies the power to hack into citizen's devices.
The bill is due to come into effect at the end of 2016, and has been characterized by opponents as "the most extreme surveillance law ever passed in a democracy". While some safeguards are included in the legislation, it has been roundly criticized by privacy advocates, technology companies, and the United Nations.
Mozilla, Apple distrust certs from WoSign, StartCom
Mozilla and Apple separately announced their decisions to distrust new SSL certificates from the WoSign and StartCom certificate authorities (CAs) that are issued after October 21 2016. The move would mean that any websites signed by such certificates would no longer be accessible to users on the companies' respective web browsers.
The dual decisions follow a report on poor technical practices by the CAs, which were said to have created new SHA1-signed certificates and then back-dated them to December 2015 in order to circumvent an industry-wide move to phase out such certificates after a January 1, 2016 deadline. WoSign also raised transparency concerns for failing to inform browser vendors about its purchase of the StartCom CA.
The bans are expected to come into effect with the next version of the Firefox browser (due early next year), and in upcoming security releases for Apple's iOS and OS X platforms.
US FCC: New privacy regulations for ISPs
The US Federal Communications Commission (FCC) approved new rules that regulate how Internet Service Providers (ISPs) handle their customer's information. The rules would require ISPs to explicitly obtain their customer's permission before the companies can share their sensitive data, which would include details such as geo-location, web browsing and app history and so on.
The new rules have won praise from privacy advocates for improving user control over their data, and criticisms from industry officials for introducing additional complexity.
Europe: 'serious concerns' over Whatsapp - Facebook data sharing
US DMCA: Now legal to hack your own devices
An exemption to the Digital Millenium Copyright Act (DMCA) came into affect in October, allowing Americans the right to hack their own devices without fear of the device manufacturer suing them for copyright infringement.
The exemption is valid for a two-year trial period, and must be renewed at the end of that period. In addition, the user would still need to comply with the Computer Fraud and Abuse Act, in that any attempt to hack the product must be done in a "controlled controlled environment designed to avoid any harm to individuals or the public."
US: FBI use of malware for investigations is a 'search'
A US federal judge overseeing a case between the Federal Bureau of Investigations (FBI) and a defendant accused of involvement in distiributing child pornography has ruled that the investigator's actions in remotely compromising the accused's computer is considered a 'search' under the Fourth Amendment.
While previous rulings on the matter have been in line with the Department of Justice's view that hacking a computer does not 'constitute a search', Judge Ezra ruled that when considered in light of the Fourth Amendment of the US Constition, which grants citizens protection against 'unreasonable searches or seizures', such hacking is "unquestionably a 'search'".
The latest decision could mean that investigators would need to obtain a warrant in order to use malware to perform investigations of digital assets, though the judge's ruling also noted that 'Congressional clarification' would be needed to delineate a judge's authority in issuing such a warrant.
NY: cyber security regulations for banks, insurers
The Governor of New York has issued cyber security regulations for banks and insurers in the state, the first of its kind in the country that would require companies to, among other measures, set up cybersecurity programs amd appoint a Chief Information Officer to oversee cyber security matters.
The regulations had been under negotiation such 2014, following a series of embarrassing data breaches and hacks that hit multiple high-profile companies in the country.
UK: Watchdog censures gov't over personal data security breaches
The United Kingdom's National Audit Office (NAO) released a scathing report on the government's cyber security processes, which reportedly lead to multiple breaches of personal data security in the 2014 to 2015 period.
According to the report, government departments currently maintain individual procedures for identifying and reporting failures in data security, creating a fragmented and chaotic reporting process. In addition, as departments are only required to self-report breaches, only 14 incidents were reported to the Information Commissioner during the period covered by the investigation, despite thousands more 'minor' ones being logged.
- The Guardian: Government breached personal data security 9,000 times in a year
- Info Security Magazine: Watchdog Slams UK Government Cybersecurity
Germany: Facebook ordered to stop collecting Whatsapp user data
Germany's national data protection authority has ordered Facebook to stop collecting user data from its subsidiary Whatsapp, and delete any details already gathered, after the parent company began collecting the information following a change in the terms and conditions for use of the popular messaging app. The instruction was given on grounds that the company had not requested for permission to collect such data in advance from the affected users.
Facebook's recent move to collect user data from Whatsapp users had already sparked concern earlier in the month, given its earlier assurances that such information would remain untouched when the messaging app was bought over by the social media giant a couple years previously. According to media reports, multiple countries are currently investigating the legality of the data collection.
Pakistan National Assembly approves controversial cyber crime law
Pakistan's National Assembly has given its approval to the Prevention of Electronic Crimes Bill (PECB) 2015. The legislation, which was drafted and submitted in response to growing concerns about online crimes, has come under fire from human rights and pro-democracy activists who are concerned that the vague language used in it can also lead to cases of misuse.
The PECB Bill allows authorities to force Internet providers to remove or block access to any content related to a range of online offenses, including electronic fraud, harassment, stalking, blackmailing, terrorism support or recruitment, and more. The bill also grants the authorities a wide range of powers and penalties, including jail time, fines and the legal backing to compel individuals questioned during an investigation to unlock private devices.
The bill must now be approved by the Senate before it can be formally signed into law.
France, Germany ponder encrypted message access after terror attacks
Interior ministers in France and Germany have publicly said that they would ask the EU to allow state intelligence agencies more powers to compel encrypted messaging services to grant access to user data in the course of criminal investigations.
The comments come in a year when both countries have suffered multiple terror-related attacks. While both countries grapple with the issue of identifying and countering terrorist threats, and the effect that encrypted communications have on those efforts, European privacy and data security laws have been increasingly strengthening, with support growing for the use of end-to-end encryption on messaging services.
EU: Bloc-wide NIS Directive on cyber security adopted
Members of the European Parliament (MEPs) have formally voted to adopt the Network and Information Security (NIS) Directive, which is considered to be the first EU-wide cyber security ruling.
The Directive requires that technology companies offering 'essential services' in the member states improve their security and reporting practices to deal with the threat of cyber attacks.
Following its approval, member states have two years to bring individual national laws into line with the Directive, as well as identify the companies that would be considered as 'essential service' providers. The new rulings would affect companies in the finance, energy, transport and health sectors, as well as the more obvious technology sector.
- Security Affairs: The EU passed the NIS directive, its first ever cyber security rules
- European Parliament: Cybersecurity: MEPs back rules to help vital services resist online threats
- The Register: The Network and Information Security Directive – who is in and who is out?
US: 'Federal Deposit Insurance Corporation (FDIC) hack cover-up'
A recently released report from the United State's House of Representative's Science, Space and Technology Committee announced that the Federal Deposit Insurance Corporation (FDIC) had been repeatedly hacked by external attackers from 2011 and 2013. The institution, which is charge of monitoring banks that do not fall under the purview of the Federal Reserve, has access to sensitive data related to thousands of banks operating in the United States.
The Committee's report noted that hacks involved compromise of 12 workstations and 10 servers, and affected machines used by high-ranking executives in the organization. In addition, the report highlighted attempts by the Corporation's executives to obscure the extent of the hack when faced with enquiries by congressional investigators.
News reports covering the story highlighted claims that the breaches were perpetrated to Chinese hackers, though no mention of specific evidence to back the attribution has been confirmed. The Chinese government has refuted the claims, pointing out the lack of evidence.
- Reuters: Likely hack of U.S. banking regulator by China covered up: probe
- Bloomberg: FDIC Faulted Over Data Breaches That Included Computer Hacks
- International Business Times: US officials accused of covering up Chinese state-sponsored hack of FDIC computers
US pushes to allow allies access to US-held data
The United States is said to be working on an agreement that would grant allies the right to serve warrants for data or wiretap requests directly to American technology companies, in return for similar access to data held in the reciprocating country.
Under current data-sharing agreements, foreign nations are required to contact local law enforcement authorities to pursue such data requests, rather than directly approaching the companies themselves.
The new agreement would have to be approved by Congress before it can take effect, with the United Kingdom said to be the first in line for participation.
Estonia considering overseas citizen data backups
The Estonian government is reportedly in talks with the United Kingdom and Luxembourg to explore the idea of creating a backup copy of official data on the country's citizens, to be held in so-called 'data embassies' based outside the nation. The impetus for the arrangement is saif to be as a safeguard against possible theft or destruction by other nation states.
Estonia is considered to have one of the most technologically connected governments in the world, with many of its services being routinely accessed online. Its vulnerability to attack was underscored however by a cyberattack in 2007 that blocked access to many of these services for weeks.
The talks with the UK and Luxembourg governments are reportedly in the early stages, with the impact from the UK's referendum to leave the EU likely still to be taken into account.
US: 'FBI to lead cyber crime incident response'
Following closely on the heels of the Federal Bureau of Investigations' (FBI) probe into the hack of the Democratic National Committee (DNC), President Obama has announced a policy change to formally make the FBI the lead agency in responding to cyber incidents in the US. The FBI would have the responsibility of coordinating the nations' response during an investigation, regardless of where the attack is thought to originate.
Under the new policy, the Department of Justice has been assigned to handle threat response activities under the direction of the FBI, while the Department of Homeland Security wouold cover 'asset respnse' and the Office of the Director of National Intelligence would direct 'intelligence support' activities.
Scope of US DNC hack expands, fallout continues
The scope of the Democratic National Committee (DNC) hack has widened, with reports of suspicions that a consultant's personal email account had been infiltrated. In addition, reports have confirmed that a fund-raising website and a data analysis system used as part of the campaign for the party's presidential candidate, Hillary Clinton, were also compromised.
The public fallout from the hack includes the resignation of multiple officials related to the organization and controversy over statements made by Republican presidential nominee Donald Trump that appeared to incite Russia to conduct attacks against the rival party's candidate.
- Arstechnica: DNC Breach extended to systems used by Clinton campaign
- Yahoo! News: Exclusive: Suspected Russian hack of DNC widens — includes personal email of staffer researching Manafort
- Forbes: Ex-FBI Cyber Sleuth: DNC And Clinton Campaign Hack Part Of A Pattern
- The Guardian: Donald Trump to Russia: hack and publish Hillary Clinton's 'missing' emails
US & China hold talks over cybersecurity issues
The governments of the US and China met in Beijing to discuss their continued efforts to end state support for commercial cyberespionage attacks.
The talks are seen as an outgrowth of the 'anti-hacking' accord that was signed by both presidents in September last year. In recent years, a series of high profile cyber espionage-related cases involving both government and commercial entities in the US have strained ties between the nations. China has denied that it supported the attacks on US institutions, and has said that it has itself been affected by such attacks in turn.
Officials from both governments have said that their respective administrations are committed to building on last year's agreement to rebuild trust between the two countries and improve cooperation in when dealing with cyberespionage attacks.
Report: 'Chinese cyberespionage against US dropped sharply'
A report from security researchers at FireEye has stated that the 'almost daily' barrage of attacks against US-based firms said to be perpetrated by hackers supported by China have dropped sharply in the last year.
According to news reports, the rate of attacks had started to drop even before the Sept 2015 cybersecurity talks between the US and China, which had lead to a pledge by the President Xi Jinping to halt cyberespionage targeting US companies. The report from FireEye, as well as other security firms, have suggested that the hackers responsible for the cybersespionage attacks against the US have simply shifted focus to targets in other countries of interest.
US government officials have not officially confirmed if they believe that the Chinese government is abiding by their committment, or whether they will pursue action for the intellectual property or personal data theft that was committed in earlier hacks.
- Reuters: Chinese economic cyber-espionage plummets in U.S.: experts
- International New York Times: Chinese Curb Cyberattacks on U.S. Interests, Report Finds
US Senate rejects proposal to give FBI access to browser histories
The US Senate has rejected a proposed amendment to the Commerce, Justice, Science, and Related Agencies Appropriations Act (2016) that would increase the FBI's warrantless surveillance powers. The amendment was put forward in the wake of the Orlando mass shooting.
The '4787' amendment was promoted as a way to 'track lone wolves', and would have allowed the FBI to use its controversial national security letters to secure access to a suspect's Internet web browser history without requiring court approval. Opponents of the proposal have pointed out that the practice of using the national security letters to obtain data from tech companies and other parties of interest have already drawn transparency and privacy concerns.
The Senate requires a minimum of 60 votes on an amendment before it can be advanced; the proposal fell short of that threshold by two votes.
Privacy Shield: US, EU come to terms about spying
The US and the EU have reached on an accord regarding the bulk collection of data in transmissions sent from the EU to the US, a key area of contention that had lead to the cancellation of the previous Safe Harbour pact.
Following extended negotiations, the Privacy Shield agreement that is to replace the defunct pact would include provisions that would allow for "highly targeted" data collection, only under "specific preconditions".
The latest changes to the agreement also include clarifications on the role of an independent ombudsman to handle data-related complaints from EU citizens, and stricter data retention rules.
If the current form of the agreement is approved by the remaining members of the EU, it is likely to go into effect from July 2016.
Snowden: Russia's 'Big Brother' bill 'unworkable, unjustifiable'
Whistleblower Edward Snowden took to Twitter to denounce an anti-terrorism bill recently passed by the Russian Duma that would require the country's ISPs and telecommunications providers to archive six months' worth of user communications and make them available for law enforcement. According to news reports, the bill would also criminalize any expression of approval for any terrorism-related activities on social media. The bill also criminalizes failure to report 'reliable' information related to potential terrorism incidents.
While the bill was ostensibly drafted in response to he bombing of a Russian jet over Egypt in October 2015, international human rights activists have expressed concern over the broad reach of the bill and its potential use for silencing opposition to the state, while at least some of the major telecommunications providers in the country have stated that the bill's requirements would impose massive infrastructure outlays.
EU: More powers to Europol to hunt terrorists, cyber-criminals
The European Union has approved new governence rules for its law enforcement agency Europol, which would improve its ability to track terrorists and cybercriminals. The changes, which were approved by the overwhelming majority of EU MPs, would also provide greater oversight of the agency.
The expanded mandate will make it easier for Europol to set up specialised units to deal with cross-border crimes, including terrorist threats. To encourage the data sharing that would underpin such efforts, the new rules require EU member states to share the information needed. It also sets guidelines for how the body can share its own data with private entities, such as social media networks, that would allow them to counter online terrorism propaganda more effectively.
Given the expanded powers granted to Europol, the update also includes requirements for stronger data protection and government oversight. It also establishes a clear channel for complaints for EU citizens.
The new rules are slated to go into effect on 1 May 2017.
- Arstechnica: Eurocops get new cyber powers to hunt down terrorists, criminals
- European Parliament / News: Police cooperation: MEPs approve new powers for Europol to fight terrorism
US FTC & FCC probe security patching processes
The United State's Federal Trade Commission (FTC) and Federal Communications Communication (FCC) have both launched investigations into how security updates are being distributed to smartphone end users. In separate enquiries, major smartphone manufacturers and telecommunications providers have both have been asked to provide details of how security updates are issued to their customers.
While most of the smartphone manufacturers identified in the investigations provide devices for the Android platform, the FTC also contacted Microsoft, Blackberry and Apple to request further details of how they distribute security patches for the customers of their own mobile operating systems.
- The Register: Android's security patch quagmire probed by US watchdogs
- Tom's guide: U.S. Gov't: Where Are Android's Security Updates?
Privacy Int'l challenges UK gov't 'right to hack' ruling
Non-government organization (NGO) Privacy International has filed a Judicial Review with the UK High Court, challenging the decision made by the Investigatory Powers Tribunal (IPT) that the government has the right to issue 'general hacking warrants'.
Under current laws, the UK goverment is permitted to issue general warrants that allow organizations, such as the spy agency, to hack the devices of both UK and non-UK residents, without needing a judge to validate the warrant first.
Among other objections to the decision, Privacy International has characterized it as an "unprecedented expansion of state surveillance capabilities", alleging that the warrants could be used to target broad swathes of the population.
Judge refuses Mozilla request to force FBI to disclose flaw
A US federal court judge has denied Mozilla's request that the Federal Bureau of Investigations (FBI) provide the browser provider with information about a zero-day vulnerability the agency had used to track down anonymous users of a child pornography website. According to news reports, the enforcement agency had used an undisclosed vulnerability in the Tor browser to install a monitoring program on the computers of users who visited the website. The Tor browser is built on code from the Firefox web browser, but is configured to keep its users anonymous.
Mozilla's request was filed during a separate court case involving the FBI and one of the website users identified during their operation, who had demanded that the agency disclose to his lawyers how he had been tracked. Mozilla filed a request asking that the FBI provide such information to the company first, before revealing it to the defense lawyers in the trial. The request reportedly stemmed from the browser vendor's concern that the vulnerability used in the case may also exist in its more popular Firefox web browser, potentially putting many more users at risk.
The judge's decision to reject the request reportedly came after a plea from the US Justice Department that cited "national security" concerns. The judge determined that the FBI did not need to reveal details of the vulnerability to the defense team at all, essentially negating Mozilla's request to be first informed. Mozilla has insisted that the vulnerability should still be fixed in order to improve security for all users.
China reviewing products from foreign tech firms
China is reportedly quietly conducting reviews of tech products sold in the country by foreign companies. The inspections are said to be scrutizing the encryption and data storage mechanisms used in the products.
According to news reports, the reviews have not been officially disclosed by the government, but are said to have been ongoing since early last year, and are apparently conducted by a committee associated with the country's Internet control bureau, the Cyberspace Administration of China. Executives and employees from the foreign firms whose products are being reviewed are reportedly being required to disclose product or project details to the investigating committee.
Other countries, such as Britain and the United States, have previously conducted technology reviews for foreign technology products being used by military or government personnel. This is however believed to be the first instance in which a government has conducted such a review of foreign products intended for general consumer use.
- New York Times: China Quietly Targets U.S. Tech Companies in Security Reviews
- Business Finance News: Apple Inc and Other Tech Firms Face Increased Scrutiny From Chinese Government
EU approves 'Network and Information Security Directive'
The European Union has adopted new legislation that would require "essential services" operators and "digital service" providers to take or improve measures for managing the risks to their services and networks.
Under the new Network and Information Security Directive, companies that provide services which are essential to critical social or economic activities (ranging from general utilities to search engines or online marketplaces) would be required to come up with appropriate risk management practices, as well as establishing processes for reporting major incidents to designated national authorities.
Following the adoption of the legislation, each member state in the EU will have two years to make any necessary changes to their respective national laws in order to comply with the directive.
- Computer Weekly: What to expect from Europe's NIS Directive
- Arstechnica: Cybersecurity law given thumbs up by European Union's ministers
- European Commission: Network and Information Security (NIS) Directive
Washington Post: 'FBI bought iPhone exploit from hackers'
The Washington Post newspaper published a report alleging that the US Federal Bureau of Investigations (FBI) were able to break into the iPhone that had been at the center of their contentious court case against Apple after the agency purchased an exploit from 'professional hackers'. According to the report, the exploit had been uncovered by 'gray hat' hackers, so called because they find such flaws in order to sell them to governments and other entities, rather than disclosing them to vendors.
Draft of US 'encryption' bill heavily criticized
A few days after a copy was leaked online, the draft text of the proposed "Compliance with Court Orders Act of 2016" bill has been released. Written by Democratic Senator Diane Feinstein and Republican Senator Richard Burr, the legislation seeks to enforce the compliance of technology companies with court-issued demands for access to data. If the data requested is encrypted, the bill would require that it be rendered 'intelligible', effectively negating the encryption.
Reaction to the draft has been swift and largely negative, not just from tech giants who would be most directly affected by the legislation but also from privacy and cybersecurity advocates. Commentators have been particularly critical of the overly-broad language used, and inherent conflicts between privacy and security concerns that are not adequately addressed. A group of tech coalitions subsequently published an open letter to the bill authors expressing their concerns over the potential impact on user's privacy and security if the legislation were to be passed.
The proposed legislation is currently considered a 'discussion draft', with the text open to revision.
- Wired: The Senate's Draft Encryption Bill Is 'Ludicrous, Dangerous, Technically Illiterate'
- CNN Money: Senate bill would force Apple to put a back door on iPhones
- Reuters: Leak of Senate encryption bill prompts swift backlash
- Techcrunch: Tech coalitions pen open letter to Burr and Feinstein over bill banning encryption
Microsoft sues US Justice Dept over data gag orders
Tech giant Microsoft has filed a suit against the US Justice Department over the use of gag orders that prevent the company from informing users when access to their personal data has been requested by a goverment agency. Microsoft contends that the government's use of gag orders is "unconstitutional", especially in light of the number of 'secrecy orders' the company received in an 18-month period.
According to news reports, law enforcement authorities have said that the demand to keep data access requests secret from the owners of the affected data is necessary, for example to prevent possible suspects from deleting potential evidence if they become aware that their data is under scrutiny.
GDPR data protection law ratified by EU Parliament
The European Parliament has ratified a broad set of data-protection laws, which would allow companies to be held more responsible for protecting customer data in their care, as well as providing EU citizens with more control over the kind of information companies can keep about them. The legislation provides a uniform set of laws for all member states, potentially making it easier and simpler to businesses to legally operate in all countries within the bloc.
The General Data Protection Regulation (GDPR) would require companies to ensure that their services and products are private and secure 'by default', rather than requiring users to opt-in for greater security. The legislation also mandated, among other things, 'clear and plain language' in explaining how the data would be protected or used, and fines for those who fail to comply.
Though the GDPR is now in force, companies have until 4 May 2018 to make the necessary changes to comply with the new regulations.
EFF sues US Justice Dept over secret decryption orders
China blocks access to Medium website
Popular independent publishing website Medium is now inaccessible to users in mainland China, since at least the second week of April, according to the company. No reason for the block has been given by the country's Internet regulator. Medium now joins other global content and social media services, including most notably Facebook, Google and WordPress, which are not available to normal citizens in the strictly regulated country.
The timing of the block has spurred comment, coming as it does only a few days after the Panama Papers leak, in which prominent Chinese citizens were named. Medium had also recently announced that major news sites (which are already blocked in China) would start publishing content with Medium.
Facebook exec detained as Brazil court demands whatsapp data
A Facebook executive was detained and questioned, then subsequently released, as part of an ongoing investigation into a drug-trafficking operation in Brazil. The detention was related to a court order demanding access to data transmitted over the company's encrypted WhatsApp messaging service, which the Brazilian authorities believed would help in their investigation. Facebook has stated that it has no access to the data, making compliance to the court order impossible.
The executive, Vice-President for Brazil Diego Dzodan, was released after an appeals judge overturned the order order used to detain him. The arrest comes on top of a reported fine of "1 million reais ($250,000)" imposed on the company for failing to comply with the order. In December 2015, a judge ordered a 48-hour suspension of the Whatsapp service after the company refused to comply with requests to share information; as in the more recent case, at the time the company said they were simply unable to provide the requested data. The suspension was later overturned by an appeals judge; while in force, it affected millions of users in the country.
China building 'precrime' program to identify potential terrorists
China is reportedly working on creating a program, based on data collected from monitoring on its own citizens, that would help the government "predict terrorist acts before they occur". Once a concept restricted to science fantasy, the so-called 'pre-crime' system is reportedly being actively pursued in the interests of maintaining domestic stability and security.
The nation has had a long history of aggressively investing in a vast array of surveillance technologies, as well as using more old-fashioned networks of informants to gather information about suspected security threats in its population. Defense contractor China Electronics Technology has been tasked developing the software needed to make effective use of gathered data. Privacy advocates and security experts outside the country have raised concerns about both the intrusiveness and effectiveness of such a program.
- Bloomberg: China Tries Its Hand at Pre-Crime
- Arstechnica: China is building a big data platform for "precrime"
US senators propose fines for refusal to decrypt data
Reuters news agency reports that a bipartisan bill is to be announced that, if passed, would impose civil penalties on technology companies that refuse to comply with court orders demanding assistance in gaining access to encrypted data stored on their products. The bill is expected to call for contempt of court charges and fines to be brought into play if a company balks at obeying a court order.
The sucess of the proposal is currently uncertain, given the political gridlock currently affecting the US Congress and the more supportive attitude in the US House of Representatives towards digital privacy. It is also likely to be strongly opposed by Silicon Valley.
FBI unexpectly postpones hearing in Apple case
The intensely watched court case between the United State's Federal Bureau of Investigations (FBI) and tech giant Apple took and unexpected twist when the agency filed a motion to postpone an upcoming hearing. The announcement was accompanied by a statement that "an outside party" had demonstrated a way of unlocking the iPhone at the heart of the case (belonging to one of the San Bernardino attackers) without technical assistance from Apple. The FBI are said to be "cautiously optimistic" that the method is plausible, and are investigating further.
The statement comes as a surprise following repeated claims from the FBI that Apple were the only ones with the capability to unlock the device without potentially damaging any data stored on it. The announcement has also raised further questions regarding the mysterious method, and whether the FBI will inform Apple of its details.
FBI: 'We didn't say you should pay ransom demands"
On December 15th 2015, US Senator Ron Wyden sent a letter to FBI Director James Comey regarding crypto-ransomware. The letter contained a list of questions, including: "FBI officials have been quoted as saying the Bureau often advises people "just to pay the ransom." Is this an accurate description of FBI policy with respect to ransomware?".
The FBI recently responded to the Senator's letter, and note in it that the agency does "does not advise victims on whether or not to pay the ransom". It does however advise them that the use of regular backups, from which they can recover any data that is compromised, is "an effective way to minimize the impact of ransomware". It also noted that in the event that sufficient precautions have not been taken (or have failed), "and the individual or business still wants to recover their files, the victim's remaining alternative is to pay the ransom".
FBI cracks terrorist's iPhone without help from Apple
The FBI have announced that they were able to successfully retrieve data stored on the iPhone belonging to one of the San Bernardino terror attackers, without requiring the assistance it had been demanding from Apple. This follows weeks of repeated insistence that the company behind the iPhone were the only ones who could unlock the encrypted device without affecting the stored data.
The official announcement gave no further details of how the agency was able to retrieve the data, or what they found. The government has also filed a request to withdraw the original court order requiring Apple to provide technical assistance. Apple had appealed the order, on privacy grounds.
Speculation remains about how the FBI were able to finally access the device, and whether the agency would share details of how they did so with Apple.
Documentary: 'US planned cyberattack if Iran talks failed'
A documentary that premiered at the Berlin film festival claims that the United States had created a contingency plan for a cyberattack on Iran in the event of a military conflict if diplomatic efforts to limit the country's nuclear program were unsuccessful. The contingency planned, code-named Nitro Zeus, would have involved infiltrating and disabling Iran's air, power and communciations grids.
Nitro Zeus was reportedly a followup to the "Olympic Games" attack in 2010 , in which the Stuxnet worm was used to infiltrate and compromise operations at an Iranian nuclear enrichment facility. The contingency plan was shelved after negotiations finally produced an agreement.
The claims made in the documentary were independently investigated by the New York Times and Buzzfeed; no official confirmation of the allegations was provided by US agencies.
FBI v. Apple iPhone 'unlock' case draws comments
Following Apple's appeal against an order from a California judge to assist the FBI in 'unlocking' the iPhone of one of the December 2015 San Bernardino terror attackers, multiple parties have issued statements weighing in on either side of the debate. The first response came from the White House, which denied claims that the Justice Department were asking for a 'backdoor' to be created for all iPhones, and instead only wanted help with one device. Various other figures from the tech and IT security industries later published statements supporting Apple's stand and announcing that they would also fight against moves that may impact the security of their offerings.
To complicate matters, a New York judge subsequently ruled against the governement in a separate case involving a request to compel Apple to provide data from an iPhone. In this case, the judge found that the government had used a overly "expansive" reading of the All Writs Act to support the request. The All Writs Act is the same act being used by the FBI to justify their request in the California case.
- ZDNet: Apple vs. FBI: Here's everything you need to know (FAQ)
- Techcrunch: Apple Vs. The FBI: Everything You Need To Know
- Krebs on Security: The Lowdown on the Apple-FBI Showdown
France mulls fine for refusing requests to decrypt data
In the wake of the November 2015 Paris terror attacks, French politicians are considering legislative changes that would "overhaul legal procedures and fight organized crime". Included in the bill under review is a proposal to impose penalties on technology companies that refuse to cooperate and provide access to encrypted data to facilitate terrorist investigations.
The proposal would force companies such as Google and Apple (which is currently fighting a court order in the United States to 'unlock' the phone of one of the December 2015 San Bernardino terror attackers), to comply with security services in France if they demand such cooperation. Failure to comply could result in the company facing a EUR350,000 fine, as well as jail time of up to 5 years.
The bill was passed by the lower chamber of parliament on first reading. It will proceed to be reviewed by the French Senate and then must pass final voting before it becomes law.
New "Privacy Shield" pact to replace Safe Harbor
The United States and the European Union have agreed to a new legal framework (referred to as the "EU-US Privacy Shield") that would allow the commercial transfer of user data between the two regions. This agreement would replace the previous Safe Harbor pact, which was revoked in October last year by the European Court of Justice over concerns about the United State's unwillingness to meet data privacy requirements for European user data.
The details of the new pact still require political approval on both sides of the Atlantic, meaning that it could be months before the agreement goes into full effect.
Facebook ordered to stop tracking non-users in France
France's data protection authority CNIL has issued a formal notice to the social media company to comply with European data protection laws within three months or face the possibility of a sanction. The main concern revolved around the company's practice of silently tracking non-user's web activity, as well as the transfer of personal data to the United States.
This is the firs significant legal challenge to be filed over data privacy concerns following the dismantling of the Safe Harbor trans-Atlantic pact between Europe and the United States. A subsequent three-month interim period (during which alternative arrangements were expected to be made) has also ended, allowing European data protection agencies to file legal action against companies that are still using the defunct agreement to justify data transfers.
A new legal framework (dubbed the "EU-US Privacy Shield") to allow the continuation of such data transfers was agreed on last week but has not yet gone into affect.
US Judicial Redress Act gives EU citizens right to sue
The United States Senate has passed the Judicial Redress Act, which would give European citizens the right to sue American agencies that intentionally violate the US Privacy Act when handling their personal data. The Act also allows Europeans the right to sue an agency if it refuses to provide an opportunity to review or amend incorrect records.
The Judicial Redress Act is not part of the revoked Safe Harbor pact, or its successor, the Privacy Shield pact. Instead, it is part of an umbrella agreement that is designed to give Europeans equal footing to American citizens in enforcing their data protection rights in US courts, and is viewed as a way of rebuilding trust between the US and the EU following the Snowden revelations. The Act still requires approval from US President Obama before it can go into effect.
UK IPT tribunal: GCHQ hacking not illegal
The Investigatory Powers Tribunal set up to hear legal challenges to the United Kingdoms' intelligence services have ruled that it is legal for GCHQ to hack into and install malware on systems both in the UK and abroad. The decision ends a case filed by Privacy International and associated claimants who alleged that the spy agency's actions violated human rights law.
The judgement found that the Equipment Interference Code of Practice (a set of guidelines published by the Home Office to define actions the intelligence services can take when performing such surveillance) provided sufficient framework to allow the agencies to operate in a "lawful and proportionate" manner. An Investigatory Powers Bill that is due to become law later this year would provide further legal footing for the Code of Practice.
1 billion Yahoo! accounts compromised
Following its September disclosure of a 2013 hack affecting more than 500 million accounts, Yahoo! was once again announced that its user accounts had been compromised in a separate hack that also took place in 2013, this time affecting over 1 billion accounts. The latest reported incident affects sensitive data such as names, dates of birth, encrypted passwords and telephone numbers. The company has said it will alert all affected users and require them to change their passwords.
Yahoo! also announced that some of its proprietary code had been accessed by a hacker, allowing to forge cookies that would allow the intruders to access accounts without needing a password. The company said they have identified the accounts for which the cookies were used to gain access, and notified the account holders.
Hackers claim Kremlin office email leak
Hackers from a Ukrainian group calling themselves the Cyber Alliance claim to have hacked into the email account belonging to an aid of Vladislav Surkov, a shadowy Russian government minister said to be close to President Putin. Emails leaked from the account purport to show Russia's interest and support of separatist movements in eastern Ukraine.
News reports covering the incident have speculated that the technical sophistication and timing of the hack could tie it to a retaliatory effort by US intelligence agencies following suspected Russian hacking attempts related to the US elections. The Kremlin for its part has denied allegations of political maneuvering revealed in the leaks as well as speculation that the breach was a counterattack by foreign intelligence forces.
Yahoo!: Some employees knew about breach in 2014
Yahoo revealed in a filing with the US Securities and Exchange Commision that some employees had discovered that the breach in its email accounts service as early as 2014.
The revelation raises questions about why the company only confirmed the breach in 2016, though some reports suggest that it took a prolonged investigation to uncover the full scope of the breach.
AdulFriendFinder hack exposes 400 million accounts
LeakedSource reported that 339 million accounts on the Adult FriendFinder website were exposed in a recent breach, as well as over 60 million accounts on the Cams.com sister site. The leaked data included emails and passwords, with the data reportedly stretching back 20 years.
FriendFinder Networks, the owner of the breached services, did not initially confirm or deny breach, though it did release a statement saying an investigation was underway following reports of "potential security vulnerabilities". The company began alerting its members to the security lapse a week after it was publicly reported in the news reports.
Backdoor on Blu Android phones found sending data to China
Security researchers reported that low-cost Android phones from Blu Products contain a preinstalled software in their firmware which sent data from the devices to servers located in mainland China. The transmitted data included all text messages and phone call data, as well as location and app usage. the devices are sold in the United Sates, ans some 120,000 users in the country are said to be affected by the secret data collection.
The software, which was characterized as a backdoor, was provided by the Shanghai Adups Technology company, which reportedly collects the data from the devices for advertising purposes. According to a company spokesman, the software was not intended for American consumers, and a software update will be issued to stop the devices from sending the collected data. Blu Products have said they were unaware of the preinstalled software, and that all data collected through it had been destroyed.
UK's Three Mobile hit by data breach
The Three Mobile telecommunications service in the United Kingdom confirmed a data breach in its customer upgrade database. The incident was initially reported to have put the personal data of almost 6 million customers at risk, though later reports clarified that only about 134,000 customers had had their account details accessed.
The amount of personal information that could have been taken from each account is said to vary depending on the type of contract the customer had, but at most would have included such details as address, date of birth, marital status and employment status. No bank details or credit/debit card information were affected.
The breach is reported to have involved use of an employee login, and was discovered following complaints of scam callers targeting Three Mobile customers and attempting to get access to their bank accounts. Three individuals were arrested shortly after the news broke.
Second Android phone backdoor firmware reported
Less than a week after a backdoor was reported in low-end Android phones from Blu Products comes news of another security issue involving insecure firmware developed in China and installed on Android devices.
The second incident centers on firmware developed by the Chinese company Ragentek Group, which is used on some low-end Android devices to handle Over-the-Air (OTA) updates. Security researchers reported that the firmware uses an insecure mechanism to create unprotected, unencrypted connections to remote servers during the updating process. The unsecured connection essentially leaves an opening that attackers could use to intercept the OTA transmission and gain total control of the device.
The devices containing the insecure firmware are sold by multiple manufacturers, and in multiple countries including the United States.
Guccifer 2.0 claims release of files from Clinton Foundation
The hacker known as Guccifer 2.0 published another batch of files, this time allegedly from the Clinton Foundation's servers. Media reports have noted that despite the claims, the leaked data appears to be mostly content from previous hacks into the Democratic Committee and Democratic Congressional Campaign Committee.
Amazon resets passwords on some accounts after reported leak
Amazon announced that it was proactively resetting the passwords on some customer accounts following news that credentials for the online retail giant had been leaked. While the company did not mention the number of accounts affected, news reported highlighted that a disgruntled customer had claimed to have released 80,000 login details in July this year.
Clinton campaign official's email account hacked, leaked
Hillary Clinton's campaign manager John Podesta became the latest US official to have his email account hacked and data from it publicly released. Though officials have not named a likely perpetrator, at least one security researcher has attributed the attack to Russian espionage group Fancy Bear.
The compromise reportedly used spear-phishing emails designed to look like login verifications emails from Google, making it more likely for the user to click on the link provided. The hackers apparently monitored the email account for months before stealing content and releasing it via WikiLeaks.
India: 3.2 million credit and debit card details leaked
India suffered its worst data breach to date, as over 3.2 million credit and debit card details were reportedly compromised by a malware-based attack on the Hitachi Payment Services platform, which the country uses for ATM, POS and other financial transacitons.
Following reports of unauthorized withdrawals and the affected cards being used in other countries, banks have urged users to change their PIN numbers and/or replace their cards entirely as a precautionary measure, while investigations were launched into the attack.
Australia Red Cross apologizes for donor data exposure
The Australian Red Cross has apologized to its users after news reports that the data of hundreds of thousands of blood donors in the nation had been found publicly accessible online.
The data was reportedly from an associated site that handled registrations for blood donations, and was stored in a database backup that had been left exposed to the Internet. The issue was brought to the attention of a security researcher, who alerted AusCERT to the matter.
Yahoo! confirms massive email data breach
Following media reports that the user credentials for Yahoo! mail accounts had been leaked online, the web giant has confirmed that it had been subjected to a massive data breach that involved data from at least 500 million user accounts. The number of accounts affected would make this the largest currently known data breach.
The breach is reported to have occurred in 2014, and involved the loss of information such as names, email addresses, telephone numbers, dates of birth and hashed passwords, though not payment card data, or bank account details.
Yahoo! also claimed that the hack was the work of a 'state-sponsored' actor. Following the revelation, the company has been hit by a class-action lawsuit, as well as multiple questions regarding the timing of the announcement and other aspects of the breach.
- Yahoo!:An Important Message About Yahoo User Security
- Arstechnica: Yahoo says half a billion accounts breached by nation-sponsored hackers
- Forbes:Yahoo Admits 500 Million Hit In 2014 Breach -- UPDATED
- International Business Times:Massive Yahoo breach was carried out by criminals, not state-sponsored hackers, security firm says
WADA confirms athlete data stolen, leaked
The World Anti-Doping Agency (WADA) announced that a confidential database containing the medical records of athletes tested for performance-enhancing drugs had been hacked by a Russian cyber-espionage group. Data related to several prominent international athletes, including gymnast Simone Biles, tennis stars Venus and Serena Williams and Rafael Nadal, and runner Mo Farah, was subsequently publicly posted online.
The hack is alleged to have been committed by the 'Fancy Bear' espionage group and is widely considered to be a retaliatory attack motivated by WADA's condemnation of Russia's state-sponsored cover-up of doping among its athletes.
White House staffer's personal email hacked, data published
The White House announced an investigation into the breach of the personal email account of one of its staffers which resulted in the exposure of confidential information, including what appears to be an image of First Lady Michelle Obama's passport.
News reports on the incident took pains to clarify that the staffer affected by the attack was a contractor who had worked on Hillary Clinton's campaign. Other details found in the leaked information revolved around logistics of the campaign.
The leak itself is reportedly the work of a group calling themselves DCLeaks, who also claimed responsibility for an earlier release of emails stolen from the personal email account of former Secretary of State Colin Powell.
- Reuters:Image purported to be Michelle Obama's passport posted online
- International Business Times:Michelle Obama's passport scan leaked as part of White House email hack
Louisiana public databases found exposed online
A database containing the details of 2.9 million voters in the US state of Louisiana was found publicly exposed and accessible online. The database reportedly included such details as names, home addresses, phone numbers and political party affiliations.
According to reports, the researchers who discovered the voter database also noted another database available on the same server that appeared to contain details from the state's Department of Public Safety. Following the reports, both databases have been taken offline.
While the information contained in the databases are available as public records, the fact that such material is so accessible online without any form of protection is of concern to data security and privacy advocates, as the easy availability of such details makes identity fraud and other crimes much easier to perpetrate
Infected POS systems at multiple hotels steal credit card data
Payment systems at 20 hotels owned by the hotel chain HEI have reportedly been found to be infected with malware, which could steal credit card numbers and corresponding customer names.
The HEI chain owns the Starwood, Marriott, Hyatt and Intercontinental hotels. The Point-of-Sale (POS) terminals that were infected by malware were used onsite, meaning that online transactions were not compromised.
Reports said that the malware had apparently been active since early December 2015. While there are no confirmed count of the number of customers affected, estimates generally range from thousands to the tens of thousands, depending on the property.
'Guccifer 2.0' hacker dumps data on US House Democrats
The hacker who claimed to be behind the recent hack of the Democratic National Committee has also claimed responsibility for a breach of the Democratic Congressional Campaign Committee, and published a trove of information about the representatives to prove his claim.
The data dump included personal information such as home and email addresses and contact numbers for some of the representatives.
Massive data leak on Indian Scorpene submarine project
The Australian media broke the news that over 22,000 pages of information had been leaked about a submarine construction project being undertaken by the French manufacturing firm DCNS for the Indian government. The highly sensitive information about the Scorpene-class vessels included details about the weapons, combat management, communication and navigation systems.
In response to the the news, India opened an investigation into how the confidential data could have been leaked. The security breach has been called 'economic warfare' by the manufacturing firm.
Whatsapp to share users' phone number & statistics with Facebook
The popular Whatsapp messaging service announced that it would be changing its terms of service to allow it to share the phone numbers of its users with its parent company Facebook, along with some statistical and analytical data. This is the first change made to the service's terms since it was first bought over by the social media giant two years ago.
Users motivated by privacy concerns have 30 days to opt out of the data sharing, which can be done once a prompt is displayed asking the user to agree to the new terms and conditions.
2012 Dropbox hack included 68 million user login details
Cloud storage service Dropbox confirmed that an attack which took place in 2012 not only resulted in the loss of some user's email addresses, but also the compromise of over 68 million user login credentials, both email addresses and passwords.
The news follows a recent move by the service pushing users who had not reset their passwords since 2012 to do so. While a company spokesman has said there is no evidence that user accounts had been improperly accessed, users are urged to reset their passwords as soon as possible. This includes ensuring that the new password used is not reused on another web service.
WikiLeaks publishes H. Clinton's Iraq War emails
Whistleblowing website WikiLeaks has published a trove of over 1,000 emails from Hillary Clinton's private email server related to the Iraq War.
The release of the emails was apparently timed to coincide with the release of the Chilcot Report, a public inquiry investigating Britain's entry into the Iraq War.
- Fortune: WikiLeaks Published Over 1,200 of Hillary Clinton's Iraq War Emails
- International Business Times: WikiLeaks publishes over 1,000 Clinton Iraq War emails
- The Guardian: Chilcot report: key points from the Iraq inquiry
Microsoft wins appeal against US warrant for data stored overseas
Microsoft has won its appeal against a search warrant that would have given the US government access to customer emails that are stored on servers located outside the United States.
The decision by the federal appeals court was made on the grounds that the US domestic search warrant, which was issued on the basis of the Stored Communications Act, could not be extended extraterritorially to encompass servers based in a foreign nation.
The decision has been hailed as a victory by privacy advocates and other observers concerned about the increasing breadth of governmental access to user data.
WikiLeaks publishes 300k emails allegedly from Turkey gov't
WikiLeaks has published almost 300,000 emails said to be from Turkey's ruling Justice and Development (AKP) political party. The leak follows on the heels of an aborted military coup in the nation, and a swift crackdown on military, government, police and education personnel accused of being involved or associated with the coup plotters.
Following the release of the emails, the site has been criticized for including databases that held the personally identifiable information of millions of Turkish citizens. In additon, reports have noted that the leaked material does not appear to contain emails of significance from the AKP party or from Turkish president Recep Tayyip Erdogan.
France: Microsoft Windows 10's data collection 'excessive'
France's data protection commission CNIL has issued a report saying that Microsoft's Windows 10 operating system 'excessively' collected information from the user, as well as engaged in intrusive browser activity tracking intended to support personalized advertising.
The commission gave the company three months to find a way to end the highlighted behavior, failing which sanctions may be issued.
WikiLeaks publishes 20,000 enails leaked from US DNC
WikiLeaks published almost 20,000 emails from the Democratic National Committee (DNC), reportedly leaked from the email accounts of seven DNC officials.
The leaked emails are said to contradict the DNC's public stance of neutrality in the contest between Hillary Clinton and Bernie Sanders to be the Democratic Party's nominee for the presidential race.
While the leak has impacted on the DNC itself with the resignation of at least one official from the organization, the WikiLeaks website has also come under criticism for publishing the personally identifiable information of party members and other individuals contacted by the committee.
TeamViewer account hijackings reported, hack disputed
Popular remote control software TeamViewer has come under fire recently, as multiple reports have surfaced of user accounts being 'hijacked' and used to steal money from the affected users.
Affected users have taken to social media to highlight their issues, and while some claim that the hijacks were the result of a hack of the TeamViewer software or network, the company itself has countered that it is more likely to be due to unsafe user practices such as reusing passwords.
'Anti- hacking' measures have nevertheless been announced, including alerts when new logins from an unknown device or location are made to an account.
Twitter, VerticalScope account details posted online, hack disputed
The LeakedSource website claims that 32 million passwords for the Twitter social network have been uploaded to the site for sale. In the same period, the VeticalScope media company, which runs dozens of online sites such as motorcycle.com and autoguide.com, said that they were investigating reports that over 45 million account records related to their online properties had been stolen and uploaded to the same website.
When asked about the allegations, Twitter reported that it had investigated the data available, and was 'confident that its systems had not been breached'. According to reports, the data found in the trove may instead stem from passwords gathered by malware infecting web browsers on user's machines, rather than directly from the social network itself. Security researchers have also questioned the authenticity of the material uploaded to the LeakedSource site, suggesting that it may instead have been compiled from older leaks.
In the case of the VerticalScope data leak, according to the LeakedSource website, the records contained details including the account name, password and IP address. While there has been no confirmation of how the details were obtained, news reports have noted that many of the VerticalScope-run websites used forum software that was outdated and included vulnerabilities that would have been easily exploitable by hackers.
The LeakedSource website itself has also highlighted the possibility that VerticalScope had "stored all of their data on interconnected or even the same servers as there is no other way to explain a theft on such a large scale."; other security experts have commented that such an arrangement seems unlikely.
- Techcrunch: Passwords for 32M Twitter accounts may have been hacked and leaked
- The Verge: Twitter locks some accounts after 32 million passwords appear on dark web
- ZDNet: Hacker steals 45 million accounts from hundreds of car, tech, sports forums
- Securityweek: 45 Million Potentially Impacted by VerticalScope Hack
xDedic online market for hacked servers reported
Security researchers announced the discovery of an underground online market offering hacked servers for sale. The hacked servers, which are located around the world, are reportedly 'pre-infected' with a variety of malware, allowing the 'buyers' to use them to launch attacks and perform other malicious actions.
According to news reports, the XDedic market lists over 70,000 compromised servers, belonging to organization such as universities, businesses and even government organizations.
DNC hack: Russian state-backed hackers or 'Guccifer 2.0'?
The Democratic National Committee (DNC) announced that hackers had been able to access its network and steal research related to the Democratic Party's current opponent, presidential candidate Donald Trump. According to news reports, after finding suspicious activity in the network, the DNC called in security experts and discovered that the hackers penetrated enough to be able to read all emails and chat traffic being transmitted over the network. No personal data or financial information however was stolen during the course of the intrusion.
In the announcement, the DNC also explicitly identified the attack as being the work of Russian government-backed hackers. For its part, Russia has denied any involvement in the hack, claiming that it is more likely to have been the result of someone 'forgetting the password' rather than an orchestrated attack.
The security experts investigating the hack noted that in fact two separate hacking groups had been able to hack the network, with one gaining a foothold last year and the other in April of this year, with the latter's intrusion being the one that triggered the discovery. The two groups, dubbed Cozy Bear and Fancy Bear respectively, are not thought to have been working together.
Following the flurry of news reports covering the DNC hack, a hacker using the moniker 'Guccifer 2.0' claimed responsibility for the hack, and that there was no link to the Russians. As proof, the hacker posted a number of the documents online and sent them to media outlets as well. There has been a certain amount of skepticism over the hacker's claims however, as there is no way to verify their identity and the DNC has not publicly authenticated the documents posted.
GitHub, Gotomypc hit by 'password reuse' attacks
Code repository service GitHub and remote computer access service GoToMyPC were both affected by attacks that used login credentials previously exposed in the recent passwords dumps to try and gain access to accounts.
Following what is referred to as 'password re-use' attacks, both services moved to reset account passwords, either for those that had been directly compromised or for all accounts. Neither service confirmed the number of accounts that had been compromised during the attacks.
- Krebs on Security: Citing Attack, GoToMyPC Resets All Passwords
- Arstechnica: GitHub attacker launched massive login campaign using stolen passwords
Global terrorism database exposed online
A database containing information on people with suspected links to, among other things, terrorism and organized crime, has reportedly been found exposed online.
According to reports, what is known as the World-Check risk intelligence database contains 2.2 million records identifying individuals (and organizations) and the suspicions against them, including such sensitive information as alleged criminal histories. The database is used by financial institutions, as well as government and intelligence agencies, and access to it is meant to be highly restricted. The security researcher who reported the discovery noted that the database was found on an unsecured server with no protection.
Following a report highlighting the issue to Thomson Reuters, which owns the database, the 'leaked' copy was reportedly removed. The version that was found was said to be from 2012 and out-of-date. In the past, there has been controversy over the incorrect listing of individuals in the World-Check database as having terrorist links, and lack of redress available to customers whose bank accounts were unduly affected by a secretive assessment based on use of the database.
Database of 'Panama Papers' documents now available online
A huge database containing the documents leaked from Panama-based law firm Mossack Fonseca has become available online, giving interested parties full access to some 11.5 million documents related to more than 200,000 offshore accounts.
The database, which is operated by the International Consortium of Investigative Journalists (ICJ), contained details about the hidden wealth of prominent figures from countries around the world, ranging from politicans to movie stars. ICJ has said that documents made available do not include records of bank accounts, passwords or other such potentially compromising details.
While the offshore funds detailed in the leaked documents are not illegal, their potential for use in avoiding tax payments have led to the launch of investigations in multiple countries. The law firm at the center of the leak has denied any suggestions of wrongdoing.
More bank data allegedly leaked by Bozkurtlar hackers
Turkish hacking group Bozkurtlar (translated as Grey Wolves) announced that they posted data from 5 South Asian banks online. The latest announcement follows their hack of Qatar National Bank, as well as a (disputed) hack of InvestBank in the United Arab Emirates.
Despite the hacking group's claims, security researchers reviewing the leaked data have raised doubts about whether the material came from a recent hack, or were simply gathered from older breaches. Nevertheless, as reports indicate that data included account details (such as full name, addresses and family information), the leaks are of concern to banks' customers.
As no further demands have been made by the hackers, commentators have speculated that the data breach was done either because of political motivations, or to use the ensuing publicity to damage the reputations of the affected banks.
- International Business Times: Hackers behind Qatar National Bank set to leak data from 'another big bank'
- Softpedia: Six More Banks Supposedly Hacked by Turkish Hackers
- Bank Info Security: Hackers Leak Data of 5 South Asian Banks
- The Register: UAE InvestBank 'hack' looks like stale, recycled data from last year
- PC World: Qatar National Bank claims customer data released by hackers is authentic
Personal data of prominent Chinese figures leaked online
A Twitter account was for a short time posting personal information related to prominent Chinese citizens, ranging from politicians to industry leaders and celebrities. The account ("shenfenzheng", which translates as "personal id") was used to show photographs and screenshots of everything from official identification numbers to home addresses and educational records.
The account has since been closed for violating Twitter's own policy forbidding the publication of personal data. No reports have identified the account's operator, who was apparently able to circumvent the notorious Great Firewall of China, which prevents the country's citizens from accessing some foreign services (including Twitter itself).
Based on comments posted by the operator, the intended purpose of the account was to highlight the easy accessibility of such confidential data in China. According to reports, none of the persons whose data was exposed by the account, nor the public security ministry, have publicly commented on the incident.
- New York Times: Personal Data of Prominent Chinese Posted on Twitter
- Bloomberg: Chinese Tycoons, Party Officials' Data Leaked on Twitter
Hacker site Nulled.io hacked, user data leaked
In an ironic twist of fate, an underground forum used by hackers to buy or sell leaked content has itself been hacked, and data about the forum users posted online. The leaked data reportedly contains information about over 500,000 accounts, including personal messages, transactions, IP addresses and other details.
There has been thus far been no public confirmation of how the breach was executed, though news reports have noted that the forum software in use contained multiple critical vulnerabilities.
LinkedIn resets passwords for 117M accounts affected by breach
Social network site LinkedIn has begun invalidating and resetting passwords for about 117 million accounts which were found to be affected by a data breach that occurred in 2012. The move was made after security researcher noted that a hacker had offered the account login credentials for sale on The Real Deal undeground online market for USD2200.
At the time of the breach, researchers believed only 6.5 million accounts had been compromised. In addition to resetting the passwords on affected accounts, LinkedIn has recommended that users ensure that they do not reuse the same password on more than one site and enable two-factor authentication.
Password leaks: 427M for MySpace, 65M for Tumbler, 40M for Fling
Just a few days after the LinkedIn password leak, reports have emerged of a hacker (using the pseudonym 'peace_of_mind') offering to sell 427 million MySpace passwords. The social network giant has so far not commented on reports about the leak.
Earlier this month, the same hacker who claimed responsibility for the MySpace leak was also reportedly behind the leak of 40 million passwords for accounts on the adult personal ads site Fling.
In related news, a security researcher also reported receiving a data dump from an anonymous source containing passwords for Tumblr accounts. Unlike the recent leaks from MySpace and LinkedIn, in which the passwords had only been encrypted with the SHA-1 hash and had been comparatively easier to break, the Tumblr passwords had reportedly been salted and hashed, making them more difficult to crack.
- Motherboard: Hacker Tries To Sell 427 Milllion Stolen MySpace Passwords For $2,800
- Computerworld: Pwned: 65 million Tumblr accounts, 40 million from Fling, 360 million from MySpace
- Softpedia: Tumblr Mega Breach Affects 65.4 Million Users, Passwords Secure for Now
- International Business Times: Fling.com breach: Passwords and sexual preferences of 40 million users up for sale on dark web
Panama Papers leak causes international furore
A secretive law firm based in Panama has sufferred what is being called the biggest data leak in history, after 11 million internal documents were leaked to an international coalition of investigative journalists. The firm in question, Mossack Fonseca, specialized in facilitating offshore companies; such entities are often used by wealthy individuals as a means to (legally) maintain funds outside of a country's tax jurisdiction, but could also be used for less reputable purposes.
Reports published based on information revealed in the leaked documents have identified prominent individuals as Mossack Fonseca clients, including politicians, celebrities and business figures. Such revelations have also lead to questions regarding the named individual's use of offshore banking.
The scandal has already claimed at least one political casualty, as the Icelandic Prime Minister resigned amid allegations that he had concealed millions in an offshore company. Police investigations have also been launched in various countries based on information uncovered in the leaked papers.
Speculation has also been rife about the identity of the mysterious whistleblower responsible for releasing the massive trove of documents to the media, with one prominent whistleblower alleging that the leak was the work of a US intelligence service.
50M Turkish citizen's identity database posted online
A file containing what appears to be authentic identity data of some 50 million Turkish citizens was recently leaked online, prompting privacy concerns. The database contains sensitive information such as full names, addresses, birth dates and parents names, though it does not include finance-related information such as credit card details. The amount of personally-identifying content exposed by the leak has however raised fears of potential identity fraud and other such misuse of the now-public information.
The Turkish government has launched an investigation into how the database could have been obtained, and has publicly downplayed the significance of the breach. The leak was also accompanied by messages directed at the Turkish government, prompting speculation that it had been politically motivated.
At the time of the leak, it was considered the biggest of its kind, though it was eclipsed only a few days later by the leak of voter details in the Philippines, which affected 55 million citizens.
'Freaking huge' Philippines voter info leak
The entire database of the Philippines' Commission on Elections (COMELEC) has reportedly been posted online, in what has been called the largest government-data related data breach in history. According to news reports, the leak is attributed to LulzSec Philippines, and follows an attack only days prior in which Anonymous Philippines defaced the COMELEC website.
The leaked database contained personal details of 55 million citizens, including such sensitive information as passport information and fingerprint data. The exposure of so much personally-identifiable information has raise fears of identity theft.
Filipino authorities are investigating how the data was stolen.
Researchers: URL shortening hackable to view private content
Researchers at Cornell Tech have published their research on how "brute-forcing" shortened links allowed them to view private shared content stored on cloud storage services. The research focused on the Microsoft OneDrive and Google Maps services, which allows users to share private content with other users using links that are shortened (reduced to a domain name and up to 6 random characters) with the Bit.ly shortening service.
According to the researchers, the 6-character length of the shortened links would make it feasible for a determined attacker to randomly generate and test millions of shortened links, until they find a link that gives them access to privately-shared content. The researchers demonstrated the viability of their "brute-forcing" method to Google and Microsoft before publication of their work, and both subsequently made changes to how users could share their content.
Seagate employee data lost in phishing scam
Data storage company Seagate reported that it had sufferred a phishing attack which resulted in the loss of thousands of tax documents from its employees, both past and present. As in the recently-reported case involving Snapchat, an email message impersonating the firm's CEO was sent to the company's finance and human resources deparments openly requesting the documents.
According to the company, federal authorities were notified of the loss. Though no reports have confirmed the number of employees thought to be affected by the breach, there are fears that the stolen data would be used to perpetrate income tax fraud.
- International Business Times: Seagate Technology: Phishing cyberattack leaves thousands of employee tax records exposed
- Krebs on Security: Seagate Phish Exposes All Employee W-2's
Verizon Enterprise Solutions hit by data breach
Verizon Enterprise Solutions, a unit of the telecommunications company that handles data breaches at Fortune 500 companies, has reported that an attacker was able to exploit a security vulnerability on its enterprise client portal to steal the contact details of 1.5 million enterprise customers (consumer customers were reportedly not affected).
The stolen data was reportedly later offered for sale on an underground forum. Affected customers are currently being notified of the breach.
Judge: CMU provided FBI with cracked Tor info
An ongoing criminal case against Brian Farrell, allegedly one of the administrators of the Silk Road 2.0 drugs bazaar, unexpectedly lead to the issuance of a court order that revealed more details of the suspected relationship between Carnegie Mellon University's Software Engineering Institute (SEI) and the FBI.
According to news reports covering the revelation, SEI had been pursuing Department of Defense (DoD) research that involved using a vulnerability in Tor software to reveal the true IP addresses of its anonymized users. The researchers were able to carry out a month-long attack that gathered details of the user's IP addresses; this data was subsequently subpoenaed and handed over to the FBI after the agency learned of the successful attack.
Phishing scam leads to Snapchat employee data leak
Snapchat has announced that some of its employee data was compromised, after an attacker used an email message pretending to be from Snapchat CEO Evan Spiegel to successfully trick an employee into forwarding the information.
The company responded swiftly, taking action "within 4 hours" and reporting it to the FBI. It also made clear that the leaked data was purely internal, as user data was unaffected by the leak. News coverage of the incident has been quick to point out that even presumably tech-savvy individuals are not immune to phishing, the low-tech social engineering tactic used in this instance and which typically involves impersonating a legitimate contact in order to gain trust.
Hardcoded password reported in Fortinet software
Security researchers announced the discovery of suspicious code in older versions of the FortiOS software used in some network products from Fortinet. According to news reports, the code involved an authentication routine which included a 'secret' hardcoded SSH login password. A Python script that could exploit this secret was made public, essentially allowing anyone who uses the script on affected devices to gain administrator-level access.
Publicly described by researchers as a 'backdoor', Fortinet has disputed such categorization, calling it instead a 'management authentication issue', and saying that it has been addressed and resolved in a patch made available in July 2014.
The revelation comes only a month after Juniper Network revealed the existance of an unauthorized backdoor on some of its products.
US Intelligence director's email, phone hacked
News site Motherboard has reported that the personal email account and home phone of James Clapper, the Director of US National Intelligence, has been hacked.
The incident follows a similar attack on the personal account of CIA director John Brennan a couple months earlier, and is attributed to the same hackers, called "Crackas with Attitude". According to reports, the hackers also hacked the director's wife's personal email account, and forwarded calls to the director's home phone to the Free Palestine Movement.
The Office of the Director of National Intelligence confirmed the incident, saying that they were aware of it and had "reported it to the appropriate authorities".
More Fortinet products found with 'secret backdoor'
Following the identification of what was described as a 'secret backdoor' on older versions of its FortiOS software, Fortinet officials have announced that a review of its products lead to the discovery of the same issue on several other current products. The company has issued updates for the affected devices, and urge customers to update their systems with the highest priority.
Irish gov't sites, lottery, hit by DDoS attacks
Irish goverment sites were the latest targets of a wave of Distributed Denial of Service (DDoS) attacks to hit Irish services in the space of a week. Irish media reported that websites for the Central Statistics Office, the Department of Justice and the Court Services were briefly unavailable; this follows similar incidents involves discussion boards and the National Lottery.
Though speculation has abounded about the perpetrators and intent behind the attacks, no confirmed attribution has been made so far.
ThyssenKrupp trade secrets stolen in targeted attack
Major steel manufacturer ThyssenKrupp AG announced that technical trade secrets had been stolen from their steel production and manufacturering plant design divisions in cyber attacks earlier this year.
The attacks, which the company characterized as "organized, highly professional hacker activities" were said to have been launched from South East Asia and was able to exfiltrate data from a number of sites around the world until the activity was detected. The company was able to remove the infection and implement new safeguards. ThyssenKrupp AG has since filed a criminal complaint with German authorities and are working with law enforcement to further investigate the attacks.
Leet DDoS botnet hits Incapsula CDN with 650Gbps traffic
Content Delivery Network (CDN) Imperva Incapsula reported being hit by a Distributed Denial of Service (DDoS) attack on December 21 that peaked at 650Gbps, making it one of the largest of such attacks on record so far.
According to the reports of the incident, the traffic came from spoofed IP addresses, making it impossible to identify the geolocation of the actual devices sending the traffic or their nature. Analysis of the traffic packets however indicates that the attack came from a botnet, which the researchers named the 'Leet' botnet after a signature found in the code.
- Incapsula: Massive Attack from New "Leet Botnet" Reaches 650 Gbps
- Security Week: 650Gbps DDoS Attack from the Leet Botnet
Windows, Flash flaws under active attack by Fancy Bear
Microsoft took the unusual step of announcing that Russian hackers are using a newly discovered flaw in Windows for hacks targeted against US government bodies. The hackers, identified in the bulletin as Fancy Bear, are thought to be linked to the Russian government.
The attacks were said to have leveraged both a flaw in Adobe Flash software and one in Windows; both flaws were reported to the respective companies by security researchers from Google. Adobe released an emergency patch for the Flash vulnerability within days. Microsoft said that a patch to fix the flaw would be released on Nov 8, election day in the US.
Tesco Bank affected by 'cyber attack'
Tesco Bank in the United Kingdom have restricted some operations of its current accounts, pending investigation of some 40,000 current accounts which saw suspicious activity (with 20,000 of them reportedly affected by fraudulent withdrawals).
The activity was attributed to a 'sophisticated cyber attack', though future details are being withheld during the investigation. The bank has promised to refund the missing money from the affected accounts.
Google blocks Android trojan attack spreading over Adsense
Google has taken action to patch a zero-day vulnerability in Chrome for Android which attackers were able to exploit using malicious ads distributed in the Adsense network to silently download the Svpeng trojan onto users' devices.
According to the security researchers who spotted the campaign, attackers were able to silently download the malware onto over 318,000 mobile devices, primarily in Russia, over a two-month period. While the downloaded files were not immediately executed, the researchers noted that the silent 'auto-download' nature of the attack made it a very appealing vector for attackers looking to reach as many unsuspecting users as possible.
Russian banks report DDoS attacks
5 banks in Russia announced that they had been the targets of massive DDoS attacks over a period of two days, which resulted in disruptions to their web portals.
The attacks were reportedly similar to the recent attack on the Dyn web service, and a DDoS-for-hire service has already claimed credit for the attacks.
Low-bandwidth 'BlackNurse' DDoS attack technique reported
Security researchers reported seeing a new attack technique which can be used to successfully launch distributed denial-of-service (DDoS) attacks using 'low-volume' traffic, even against companies usiing major enterprise firewalls and large Internet uplinks.
The researchers have notified major firewall vendors of their findings, as well as posted advice on how to mitigate or better configure company defenses to avoid disruption.
- Arstechnica: New attack reportedly lets 1 modest laptop knock big servers offline
- Security Week: Low-Bandwidth "BlackNurse" DDoS Attacks Can Disrupt Firewalls
- International Business Times: New DDoS attack method called BlackNurse lets hackers take down firewalls and servers from a single laptop
Wave of ATM hacks reported across Europe
A series of hacks remotely targeting bank ATMs in several countries across Europe is being attributed to a hacking group known as Cobalt. The hacks are said to be tied to earlier reports of similar ATM-targeted attacks in other countries, including Malaysia and Taiwan.
According to reports, the attackers were able to use malware to force the machines to spit out money, which was then immediately collected by confederates physically stationed at the targeted terminals. Reports have also suggested that the attacks are part of a wider shift in organized crime operations.
BBC: France TV5 Monde hack 'work of Russian hackers'
BBC News reported that the 2015 attack on France's TV5 Monde news station, which lead to the prominent broadcaster going dark for several hours, had been the work of Russian hackers, rather than pro-IS hackers as originally reported.
The report highlighted the extensive reconnaissance that had to have been done to create specialized malware tailored to disrupt the station's broadcasts, and that the aim of the malware was clearly destructive. The malware is reportedly linked to the known cyber espionage group APT 28 (also known as Fancy Bear, Sofancy and Pawn Storm) and most recently accredited with the WADA medical data leak.
UN nuclear watchdogs says nuclear plant targeted by cyber attack
The director of the International Atomic Energy Agency (IAEA), the United Nations' nuclear watchdog, announced that a nuclear plant had been the target of a cyber attack two or three years ago. The director gave few other details of the attack other than to state that the aim appeared to be to smuggle out nuclear materials, possibly for bomb-making.
DDoS attack on Dyn DNS downs numerous sites
A massive DDoS attack exploited accessible web-connected devices to generate sufficient traffic to disrupt the Dyn DNS service, which is used by a number of major websites to handle their web traffic. The attack lead to outages or slowness on sites such as Twitter, Soundcloud, Spotify, GitHub, PayPal and Reddit, mainly affecting users in the East Coast of the US and parts of Europe.
The attack was reportedly coordinated using the Mirai botnet, the same malware/collective that was involved in the earlier attack on security researcher Brian Kreb's website.
The incident underlines rising concerns among that DDoS attacks are becoming far larger and more disruptive than in the past. This may be the first DDoS attack that has also resulted in the significant recall of products used to perpetrate the attack, as Chinese manufacturer Xiaomai made the move after acknowledging that the factory-default configuration of its webcams had allowed hackers to gain control of the products for their own use.
- KrebsOnSecurity: DDoS on Dyn Impacts Twitter, Spotify, Reddit
- PCWorld: Major DDoS attack on Dyn DNS knocks Spotify, Twitter, Github, PayPal, and more offline
- Network World: How the Dyn DDoS attack unfolded
- The Guardian: Chinese webcam maker recalls devices after cyberattack link
KrebsOnSecurity, Blizzard, OVH hit by DDoS attacks
Distributed Denial of Service (DDoS) attacks made headlines during september as multiple notable sites or services reported coming under attack during the September. this week.
Popular cybersecurity researcher Brian Kreb's KrebsonSecurity website, the Blizzard gaming platform and Frenching hosting firm OVH all reported being subjected to DDoS attacks. Especially notable was the fact that attacks on KrebsOnSecurity and OVH reportedly recorded data volumes far in excess of what has been previously seen in such attacks.
Reports on the incidents have underlined the fact that the attack volumes were amplified to such high levels by the availability of poorly-secured, Internet-connected devices (eg, webcams or routers) that could be hijacked by the attackers to gain greater firepower.
MH17 crash journalists targeted by Fancy Bear
Security researchers published a report detailing their investigations of targeted attacks against journalists covering the downing of Malaysian Airlines Flight MH17, by what is believed to be a missile fired by pro-Russian rebels in the Ukraine. According to the researchers, the attacks on the journalists showed strong similarities to similar attacks carried out by Fancy Bear (also known as Pawn Storm or Sofancy).
The report also indicated that another group of pro-Russian hackers - identified as CyberBerkut - were also involved in defacement of the journalists' website. Both groups of hackers are thought to have ties to the Russian government, which would have an interest in monitoring the progress of international investigations into the MH17 crash, as many have blamed on Russian-provided missile
- Threatconnect: Belling the BEAR
- Security Week: Russian Hackers Target Journalists Investigating MH17 Crash
- Fortune: Researchers Think the Same People Hacked the DNC and MH17 Journalists
Encrypted messaging service Telegram 'hacked' in Iran
Security researchers claimed that hackers had compromised over a dozen accounts on the Telegram encrypted messaging service. The attack reportedly involves a complicit phone company intercepting the SMS verification messages sent when a user first registers an account and sharing it with the hacker(s), allowing them subsequent access to the account.
Telegram has denied the reports, saying that it comprised of 'publicly available' information about whether phone numbers were registered to the service. It also noted the possibility that the 'interception of SMS messages' method highlighted by the report was something which they recommended countering using two-step verification.
Australia online census hit by DoS attack
Politicians and bureacrats have been left scrambling after Australia's controversial online census website was briefly disrupted by a denial of service attack.
News reports covering the census had previously expressed concern about data security and privacy, mainly in relation to how long the website was intended to hold the submitted data. Following the attack however, further questions have been raised about how well the site was designed to sustain a fairly common type of attack.
Shadow brokers: NSA hacked, exploits exposed
An anonymous group going by the name Shadow Brokers claim that they have hacked the Equation Group, a team of hackers believed to be tied to the US National Security Agency (NSA). In support of the extraordinary claim, the Shadow Brokers have posted a set of exploits they claim to be used by the Equation Group.
Security researchers investigating the exploits released have stated that the material appears to be in line with previously published research about the mysterious Equation Group's work.
Network device manufacturing firms Cisco and Juniper have also confirmed that some of the exploits would also work against specific (and in some cases, older or defunct) network components produced by the companies.
FBI: Breaches in electoral database in 2 states
The US Federal Bureau of Investigation has issued an alert to all election officials to improve the security of their electoral systems, after the confirmed that suspected foreign hackers had breached the voter registration databases of two states. Though the alert did not name the states in question, they are thought to be Arizona and Illinois, which has earlier announced that they had been hacked.
The alert comes with only two months left to go before the next presidential election.
SWIFT: More banks hit by attacks since June
In a private letter to its member banks, SWIFT noted that they were aware of additional attacks being carried out since the spate of bank 'cyber heists' widely reported in the media earlier this year. No specific details were available about the attacks mentioned.
SWIFT, which manages the self-named critical global financial messaging system, came under heavy fire earlier this year when attacks targeted against member banks - most notably the Bangladesh Bank - successfully transmitted fraudulent instructions to perform funds transfers. It has since been taking steps to push its member banks into improving security, though the efforts are hampered by their lack of enforcement or regulation authority.
Hackers steals 'millions' from ATMs in Taiwan
Authorities in Taiwan are investigating how the equivalent of USD2 million in Taiwan dollars was withdrawn from ATMs in the country in the space of a few minutes without the use of bank cards.
According to reports, video footage of the ATMs showed that several individuals wearing masks made the withdrawals using a "connected device". The ATMs targeted by the attack were apparently infected with malicious programs, which were able to force the machines to directly dispense funds without linking the withdrawals to any customer accounts.
Police in Taiwan suspect two Russian nationals are involved in the incident. The suspects reportedly left the country immediately after the attack. Coincidentally, the incident occurred while Taiwan was also dealing with the impact of a typhoon.
- CNN Money: Hackers steal millions from ATMs without using a card
- Security Affairs: Hackers used malware to steal $2 million from ATMs in Taiwan
WikiLeaks 'under sustained attack' following Turkey emails release
Whistleblowing website WikiLeaks says it came 'under sustained attack', following its publication of almost 300,000 emails allegedly from Turkey's ruling Justice and Development (AKP) political party.
The service has since recovered from the attack; in tweets providing updates of the situation, WikiLeaks stated that while they "are unsure of the true origin of the attack. The timing suggests a Turkish state power faction or its allies".
WikiLeaks subsequently noted that access to its site had been blocked in Turkey, a claim that was later confirmed by the nations' Telecommunications Communications Board.
Uni of Calgary pays CA$20K ransomware demand
The University of Calgary reported it had paid 20,000 Canadian dollar's worth of Bitcoins as a ransom in order to restore files that had been encrypted by ransomware on more than a hundred of its computers in the previous month.
According to reports, the university had elected to pay the ransom demanded as they did not want to "exhaust the option" as a possibility for getting the affected data back. The university is evaluating the decryption keys that were provided following the payment, though reports have stated that there is no guarantee that all affected data would be recovered.
Local law enforcement authorities were also notified of the incident and are investigating.
S. Korea: 'N. Korea hacked thousands of computers'
Seoul's police cyber investigation unit announced that North Korea was thought to be responsible for the hacking of over 140,000 computers in over 160 South Korean companies and government bodies.
According to news reports, the hacks were noticed in February of this year, following investigations into the theft of defense-related material, but had begun in 2014. During the intrusions, the police said the hackers had also planted malicious code on the compromised machines, "laying groundwork for a massive cyber attack" on the nation.
Following the discovery, the police reportedly worked with the affected companies to "neutralize the malicious code" .
Angler exploit kit falls, Neutrino ascends
Security researchers have noted a recent and precipitous fall in detections for the notorious Angler exploit kit, which had previously been one of the most dominant exploit kits in the threat landscape.
The last time an exploit kit suffered a similar fate was the collapse of the BlackHole kit after the arrest of Dmitry Fedorov (also known as Paunch), its Russian author. While there has been no confirmation of any similar arrest taking place that would affect Angler, the recen arrest of 50 hackers in Russia for banking fraud using the Lurk trojan has raise speculations about possible links.
The drop in Angler detections have been accompanied by a rise in detections for the Neutrino exploit kit, which is also now reportedly also spreading ransomware that was previously only handled by Angler. As also happened with BlackHole, once one exploit kit falls, another quickly moves in to take its place.
- Securityweek: Did Angler Exploit Kit Die With Russian Lurk Arrests?
- Naked Security: Is the Angler exploit kit dead?
Attackers hit Indonesia, S. Korea central banks
The central banks of Indonesia and South Korea announced that their websites had suffered Distributed Denial of Service (DDoS) attacks, following last month's announcement by the Anonymous hacking collective of the launch of Operation Icarus.
The collective had stated their intention to target banks around the world, following which the banks of Cyprus and Greece had shortly afterwards reported attacks on their websites.
In the latest attacks, both banks reported no harm was done. Bank Indonesia noted that it had blocked access to its site from 149 regions that did not normally access it, as a countermeasure against the flood of connections being used to overwhelm the site.
Necurs botnet ramps up after period of silence
Following a period of surprising inactivity in the beginning of June, security researchers have noted that the Necurs botnet has resumed operations, heralding its return with the launch of a new spam email campaign to spread Locky ransowmare.
The unexpected silence earlier it the month have prompted security researchers to speculate that the group operating the botnet had been affected by a recent spate of arrests in Russia, which involved hackers said to be using the Lurk trojan for banking fraud. As no concrete link established between the two events and researchers have few other clues about why the botnet suffered its sudden outage, the incident remains something of a mystery at the moment.
During the recent period of inactivity for the Necurs botnet, Locky and Dridex ransomware distribution fell precipitously, underscoring the relationship between the botnet and the email campaigns used to spread the ransomware.
Vietnam bank attacked after Bangladesh bank heist
Vietnam's Tien Phong Bank announced that it was the subject of an attempted attack similar to the hack that resulted in the $81million heist at the Bangladesh Bank.
The announcement follows a letter sent by the Society for Worldwide Interbank Financial Telecommunication consortium (known as SWIFT and responsible for a private network connecting banks around the world) to its member banks that mentioned a second attack had been reported, but did not name the bank.
The Vietnamese bank reported that the attack it faced had involved about 1.1 million and was stopped before the funds could be taken. The attack did not involve a direct compromise of the SWIFT network, but had targeted a PDF reader in the bank that was used to record money transfers.
- New York Times: Once Again, Thieves Enter Swift Financial Network and Steal
- CNBC: Vietnam's Tien Phong Bank says it was second bank hit by SWIFT cyberattack
- International Business Times: Vietnam cyberheist hackers attempted to transfer funds to Slovenian bank
- Wired: That Insane, $81M Bangladesh Bank Heist? Here's What We Know
Iranian Infy cyber espionage campaign reported
Security researchers reported their discovery of a cyber espionage campaign that had been running for almost a decade. The campaign was attributed to an Iranian hacking group that went after goverment bodies and other 'high-value' targets around the world in that timespan.
According to reports, the group used a malware, referred to as Infy, to conduct their attacks on government officials, company employees and even private citizens. The malware was reportedly distributed in email file attachments, which when executed would plant the malware on a target's computer. The malware would spy on activity on the affected machine, and steal data that would be forwarded to remote command and control servers, which were reportedly based in Iran.
Over the many years the Infy malware was in use, its technical capabilities were refined and improved, with the attackers behind the malware taking care to keep their work as low-profile as possible in a bid to remain undetected.
Anon's 'Operation Oplcarus' targeting banking industry
The Anonymous hacking group launched their #OpIcarus campaign against the international banking industry with calls for a wave of Distributed Denial of Service (DDoS) attacks against the websites of major banks and other related institutions.
In early May, there were reports of a series of DDoS attacks against the sites for the Bank of Greece and the Central Bank of Cyprus. The attacks were reported to last from a few minutes to several hours.
The Anonymous collective have also released lists of financial institutions to be targeted by their members, which range from major national banks to global bodies such as the International Monetary Fund (IMF).
Germany: 'Russia behind Bundestag hack'
Germany's domestic intelligence agency have publicly attributed the 2015 hack of the country's parliament to a hacker group as known as Sofacy/APT 28 and thought to be working for the Russian government.
According to reports, the head of Germany's Federal Office for the Protection of the Constitution (known in English as BfV) said that the attack on the Budestag had been for intelligence gathering purposes. The hacking group behind the attack was also said to be attacking other German state organizations.
Russia has thus far not commented on the accusation.
SWIFT attacks: 3rd & 4th attacks reported, links to Sony hack
A lawsuit filed by Ecuadorian bank Banco del Austro SA against Well Fargo over a 2015 heist that resulted in a loss of over $12 million was the third reported attack to involve the SWIFT banking network.
A week later, security researchers announced that a fourth bank, this one in the Philippines, also suffered an attack in October 2015 that shared the same hallmarks as the three previous SWIFT-related attacks.
The researchers also uncovered links to the notorious 2014 Sony Pictures hack, based on similarities in the code of the malware used in both attacks. At the time of the Sony hack incident, the attack had been tentatively attributed to North Korea.
- Bloomberg: Ecuador Bank Says It Lost $12 Million in Swift 2015 Cyber Hack
- Fortune: Hackers Use 23 Hong Kong Firms to Hide Millions Lifted From Ecuador Bank
- CNN Money: SWIFT hackers nicknamed 'Lazarus' hit a fourth bank in Philippines
- Reuters: Symantec says SWIFT heist linked to Philippines attack, Sony hack
SWIFT attacks: 12 more banks being investigated
Investigators looking into the Bangladesh bank heist have expanded their investigations to search for evidence of possible breaches at 12 more banks tied into the SWIFT payment network.
According to reports, the banks had themselves approached the investigators, after discovering signs that pointed to possible intrusions. At the time of writing, no funds were said to have been taken from the banks, which are based mainly in Southeast Asia.
SWIFT, the private network used by the banks to transfer funds, has been under pressure to improve their authentication and security measures, following the recent series of reported attacks.
FBI issues warning over 'CEO scam' phishing emails
The FBI has issued a warning to businesses in the US about ongoing phishing attacks, in which emails designed to look like they originate from a company's Chief Executive Officer (CEO), or other high-ranking executives, are used to pressure Finance or Human Resource staff into unwittingly transferring funds to the attackers.
The agency states that it has seen a '270 percent increase' in such attacks, which it describes as 'Business E-Mail Compromise Scams'. They also note that the attackers usually perform extensive research or social engineering on the company employees and processes in order to make the email appear more legitimate.
According to the FBI, for the period from October 2013 through February 2016, companies who reported being affected by such attacks have seen more than $2.3 billion in losses.
Goznym hybrid malware steal $4M from banks
Security researchers have reported that a new malware was responsible for stealing a total of 4 million dollars from various banks in the US and Canada in the first few days of April.
According to the published report, the attackers combined code from the Nymain and Gozi malware families to create a hybrid malware that they named Goznym. The malware is distributed to customers of the banks in emails with either malicious links or file attachments. If the user unwittingly clicks the link or opens the attached file, the malware is installed on their computer, where it waits until the user logs into their online bank account and then monitors the web activity to find and steal the account login credentials.
The malware appears to mainly, but not exclusively, target business banking and credit unions.
"Phineas Fisher": How I hacked Hacking Team
The hacker behind the July 2015 breach of the Hacking Team surveillance software company
Bangladesh's central bank loses $80M to cyberheist
Bangladesh's Central Bank announced that more than $80 million had been siphoned from its account at the Federal Reserve Bank of New York.
According to news reports, bank officials said that investigations into the incident indicate that hackers had installed malware into the bank's computer systems and monitored the regular day-to-day operations for a period of time before launching their heist.
The hackers appeared to have stolen the bank's credentials for the SWIFT messaging system, which banks use to secure financial transactions. They then used the credentials to impersonate the bank in order to make a series of withdrawals from its US-based federal reserve account, with some of the transfers going to the Philippines and others sent to Sri Lanka. The withdrawals only came under suspicion when a typo in a transaction directed to a (fake) non-profit organization in Sri Lanka contained a typo that prompted an inquiry to the Bangladesh bank, leading to the heist's discovery. Subsequent transactions were cancelled, leaving the central bank with a loss of 80 million.
The perpetrators of the attack are currently unknown. The Governor of the bank has resigned in the wake of the incident.
Major sites affected by malvertising pushing ransomware
Over the first weekend of March, major websites including the New York Times, BBC, AOL and a range of other news and entertainment portals inadvertently displayed advertising content that would redirect unsuspecting users malicious sites hosting exploit kits such as Angler. These kits probe the redirected user's computer for any vulnerabilities, and if found, exploit them to install ransomware onto the machine.
This type of attack (known as malvertising involved the attackers inserting adds containing malicious hidden code to legitimate online ad networks, which then distribute the content to the client websites. In this attack, the malicious content was being distributed by multiple ad networks, and the buried code targeted bulnerabilities in Microsoft Silverlight, Adobe Flash and other software.
Pawn Storm cyberthreat group targets Turkey
Security researchers have reported that the cyberespionage group known as Pawn Storm (or variously APT28, Fancy Bear, Sofacy, Sednit, or Strontium) has shifted focus to include several departments in the Turkish government, including the Prime Minister's office, the Director General of Press and Information, the National Assembly and others.
According to the report, the group uses a variety of social engineering scheme to trick government employees into either revealing their credentials or unwittingly installing malware onto their computers. The attackers then silently install surveillance programs to monitor their targets.
The Pawn Storm cyberespionage group has been linked to the Russian state, as the targets selected by the attackers have been closely aligned with Russian foreign policy.
- Infosecurity Magazine: Pawn Storm Takes Aim at Turkish Government
- ZDNet: Russian cyberspies Pawn Storm add Turkey to the target list
Kentucky hospital affected by Locky ransomware
Methodist Hospital in Henderson, Kentucky, USA announced that some of the computers in its internal network have been locked by the Locky ransomware. In a public statement, the hospital reassured patients that though some files were encrypted, the hospital still had clean, accessible and up-to-date backups, and that patient care remains unaffected.
According to reports, the hospital noticed the infection after a handful of computers were affected, and shut down all computers as a precaution. The systems were brought back online one at a time, after each was scanned for infection. Operations reverted to processing everything by paper while the systems were being checked.
The attackers apparently demanded a ransom of 4 Bitcoins in exchange for the decryption key. The hospital has not ruled out paying the ransom, but said it would only do so if absolutely necessary. The incident was reported to the federal authorities and an investigation has been launched.
Bangladesh bank cyberheist investigator 'abducted'
An investigator looking into the theft of USD80 million from the Bangladesh central bank's foreign reserve account has reportedly disappeared shortly after informing the policd that he "knew three user IDs used for the heist".
According to news reports, researcher Tanveer Hassan Zoha had expressed concerns to the local media about the cybersecurity protections in use for the bank's computers at the time. He was later bundled into a vehicle and has since not reappeared.
In related news, the Bangladesh bank called for "technical and human" assistance from the FBI, and has apparently uncovered evidence that the attackers "hail from six different countries".
- International Business Times: Bangladesh bank heist: Cybersecurity investigator abducted during probe into $81m theft
- Reuters: Bangladesh gets FBI help on bank heist, cyber expert missing
Report: Water treatment plant, shipping company hacked
Security researchers at Verizon Enterprise published a report of case studies that included, among other interesting investigations: a shipping company that was hacked by pirates looking to pinpoint only the containers holding the most valuable merchandise on cargo ships; and a water treatment plant that had the chemical treatment of its water tweaked by curious hackers.
In both cases, the company's internal networks were breached when the attackers were able to find and exploit a vulnerability in a web-accessible portal or application in order to get onto the web server. They then were able to traverse the network undetected until they reached more critical internal systems.
WordPress hacks lead to ransomware
Security researchers have warned of an ongoing campaign using hacked WordPress sites to redirect users to malicious webpages hosting the Nuclear exploit kit.
Researchers advised the WordPress site administrators update their software, ensure their administrator passwords are strong and unique, and switch on two-factor authentication if available. Users are urged to update all their installed programs to prevent ransomware infection.
Malvertising via Skype delivers Angler
Security researchers at F-Secure noted a malicious advertising campaign that saw the popular Skype messaging platform being used (in addition to more traditional, browser-based methods) to direct users to a malicious webpage hosting the Angler exploit kit. Users exposed to the exploit kit may be infected with ransomware.
This particular campaign ended shortly afterwards; malvertising on a non-browser platform however remains a viable attack vector.
- F-Secure Weblog: Malvertising Via Skype Delivers Angler
- Graham Cluley: Skype users hit by ads spreading malicious Angler exploit kit
Hospital pays for ransomware decrypt key
Hollywood Presbyterian Medical Center announced that it had paid USD17,000 to hackers in order to obtain the decryption key needed to restore access to computer files that had been encrypted by ransomware and effectively crippled the hospital's services.
The attack on the hospital's electronic medical records and other computer systems was first noticed on February 5. Patient care was reportedly not effected, but administrative work was forced to moved back to paper records while investigations were underway.
Executives eventually decided to pay the ransom in the interest of quickly restoring normal operations. The ransom payment was paid in the Bitcoin digital cryptocurrency.
German hospitals reportedly hit by ransomware
German news provider Deutsche Welle reported that at least three hospitals in Germany had been affected by ransomware. According to the news reports, the affected hospitals reported the attacks to the authorities, and have refused to pay the ransoms demanded. In the meantime, the staff at affected facilities were forced to resort to paper records, while their computer systems were being investigated and disinfected. No significant medical devices were reportedly affected by the attack, allowing patient care to continue.
Reports say hack caused Ukraine power outage
The US Department of Homeland Security has issued a report stating that the power outages which affected the Ukrainian Ivano-Frankivsk region were the result of a cyber attack on the country's power network. The report follows earlier published analyses of the incident from various security researchers.
According to the various reports, remote attackers were able to remotely disconnect the breakers at multiple power substations belonging to at least two major energy providers. Research suggests that the attackers used a known malware, BlackEnergy, to gain access to the company's networks, and moved through that environment until they found the production networks that allowed them to control the breakers.
News reports have credited this incident as the first hacker-caused power outage. News reports in the Ukraine have publicly pointed to Russia as the culprits behind the attack, though no further evidence has been found to support the claim.
Ransomware hits India banks, pharmaceutical
The Economic Times has reported that three banks and a pharmaceutical company in India were attacked by hackers recently. According to the report, the attackers were able to infiltrate the companies' network and encrypt saved files; they then demanded a ransom payment (payable in the Bitcoin digital cryptocurrency) in order to restore normal access to the affected data.
The attackers reportedly used the LeChiffre ransomware to perform the attack. Security researchers at Emisisoft were able to create a free decryption tool for this particular ransomware after discovering flaws in the way the malware encrypts files.
- Economic Times: Hospital pays $17k for ransomware crypto key
- Security Week: LeChiffre Ransomware Hits Indian Banks, Pharma Company
Israel Electricity Authority hit by ransomware
Israel's Electricity Authority, a goverment department that oversees utility services in the country, was briefly affected by ransomware, leading the department to taking some of its computers offline. Contrary to some media reports of the incident, Israel's power network remained unaffected by the attack, which was confined to the department's internal network.
- Computerworld: No, Israel's power grid wasn't hacked, but ransomware hit Israel's Electric Authority
- International Business Times: Israel: Electricity board crippled by ransomware cyberattack causing widespread panic
Hackers try to access millions of Taobao accounts
Chinese online shopping giant Alibaba announced that hackers had attempted to access millions of accounts associated with its popular Toabao online marketplace.
According to news reports, the hackers were able to gain a database containing 99 million usernames and passwords used on other websites. They then used Alibaba's own cloud computing platform to input the stolen login details on the Taobao site. Out of all the attempts, about 20 million were successful, indicating that the account holders had reused the same login details on multiple sites.
According to reports, Alibaba's systems discovered and blocked most of the attempted forced entries; accounts that were compromised were used to create fake orders on the online marketplace. The hackers responsible for the attack have reportedly been caught.
Popcorn Time ransomware entices victims to infect others
A new family of ransomware known as Popcorn Time has been discovered that offers an infected user a particularly insidious way of gaining the decryption key needed to retrieve their affected contents - share a link to their friends, and if two are successfully infected and pay up, the key is provided.
As always with such malware, the most pertinent advice is to ensure that you have clean backups stored in an inaccessible location to avoid needing to pay the ransom.
Flocker Android ransomware infects smart TV
Over the Christmas holiday, a smart TV was reportedly infected by a variant of the Flocker ransomware. The infection was possible as the device used Google TV, a smart TV platform that was a joint effort by Google, Intel, Sony and Logitech but was later shelved in 2014.
According to reports, the infection occurred after relatives downloaded an app promising free movies, which subsequently caused the TV to freeze and then display the ransom demand. The incident was finally resolved after the TV manufacturer LG provided the TV owner with undocumented factory reset instructions.
Switcher Android trojan changes router DNS settings
Security researchers announced the discovery of a new Android trojan that attempts to change the DNS settings on a router.
Dubbed Switcher, when the malware is installed on an Android device, it silently opens the web interface for the connected Wi-Fi router and attempts to brute-force the login credentials with commonly used or default passwords. If it gains access, the malware then changes the router settings to use a DNS server under the attacker's control, which can then subsequently redirect any traffic to unsolicited or malicious sites..
The two variants of the Switcher malware currently known appear to be targeted to Chinese Android users, as they are designed to look like apps for a Chinese search engine or for sharing Wi-Fi location information (a popular service among business travelers in the country).
Ransoc extorts users for torrenting, 'child abuse' materials
A new form of ransomware is using extortion rather than encryption to pressure users into paying the ransom demanded. Dubbed Ransoc, the new malware displays a 'Penalty Notice' (really the ransom demand) if it discovers media files downloaded via torrents on the infected machine. Reports also indicate that the notice is displayed if there is "potential evidence" of child abuse material found on the machine.
Ransoc also scrapes the user's Skype and social media profiles for personal information, which is then used to personalize the ransom demand by essentially threatening to expose the collected 'evidence' publicly unless payment is made. Also unusual is the fact that Ransoc authors allow use of credit card payments rather than anonymous digital crypto-currency payments.
Locky ransomware reported spreading in decoy image files
Security researchers reported that Locky ransomware is being spread over Facebook Messenger and the LinkedIn social media networks in specially-crafted image files.
According to reports, the spam campaigns being used to distribute the malware involve exploiting a 'misconfiguration' in the social media network's infrastructure to automatically download what appears to be an image file (typically in uncommon file formats such as SVG, JS or HTA) onto the user's device. The image file is in fact the Locky ransomware. After download the user would still need to manually click and launch the image file in order to be infected. In at least some reports, the user would also need to visit a decoy website and download a codec file or browser plugin, for the infection to succeed.
Malvertising affects Spotify Free service
Users took to social media to complain about malicious ads being shown on local installations of the Spotify Free service. The ads were automatically opened in the user's browser, and were serving sites with malicious content - mostly adware, fake anti-virus programs and other potentially unwanted applications (PUA). Spotify was able to quickly identify the source of the rogue ads and shut it down.
- InfoSecurity Magazine: Spotify Free is Serving Up Malware
- Softpedia: Spotify Free Users Affected by Malvertising Campaign
Source code of Mirai bot malware released
Hackers published the source code for the Mirai Internet of Things (IoT) bot malware, which gained recent notoriety for being used in massive Distributed Denial of Service (DDoS) attacks. The Mirai botnet is thought to be at least in part reponsible for the biggest recorded attacks so far - a 620 Gbps wave on popular security researcher Brian Kreb's website and the 1.1 Tbps attack on French hosting firm OVH a few days later
Thus far, Mirai infectons have involved web-accessible CCTV cameras, and total number of infections are estimated to lie between 120 000 - 1,5 million. With the release of the source code however, there are fears that other malware authors would modify the malware for use on other web-accessible devices.
- KrebsonSecurity: Source Code for IoT Botnet 'Mirai' Released
- Motherboard: Here's a Live Map of the Mirai Malware Infecting the World
- Wired: Your DVR Didn't Take Down the Internet—Yet
DXXD ransomware displays ransom demand before Windows account login
A new ransomware family named DXXD has been reported using the Windows Legal Notice screen to show a ransom demand before the user logs into their account.
A security researcher was able to create a decryption tool for the first version of the DXXD ransomware. The malware author subsequently released version 2.0 of the ransomware, which fixed the flaw that had enabled the decryption tool to work.
Odinaff malware targets machines connected to SWIFT banking network
Security researchers have discovered more banking malware that specifically targets and infects machines that connect to the Society for Worldwide Interbank Financial Telecommunication (SWIFT) banking network.
Named Odinaff, the trojan is designed to edit the local logs created on the machines by SWIFT-related software, allowing the attackers to send and then hide fraudulent banking instructions over the network. The researchers suspect the latest malware to be the work of a criminal group.
- Reuters: Second hacker group targets SWIFT users, Symantec warns
- Bank InfoSecurity: Hackers Target SWIFT-Using Banks With Odinaff Malware
- Graham Cluley:Odinaff trojan targets SWIFT users, financial organisations
GovRAT reportedly targeting gov't bodies
Security researchers reported the discovery of a updated version of the GovRAT (aka version 2.0) malware being sold online.
The previous version of GovRAT had been found in Novmber 2015 being used in cyber espionage campaigns targeted at banks and defense contractors. GovRAT version 2.0 has since been updated to include new features, such as customized encryption, keylogging capabilities and remote code execution.
- International Business Times: How hackers used this Trojan malware to spy on a territorial dispute
- Security Affairs: GovRAT 2.0 continues to target US companies and Government
Fancy Bear hacking group linked to OSX Komplex trojan
Security researchers have linked the Fancy Bear hacking group (also known as Sofancy or Pawn Storm) to a malware that targets machines in the aerospace industry that use the OS X platform.
The malware, identified as Komplex, uses social engineering tactics to gain entry to the targeted machine. Once installed, the malware contacts its remote command and control server for instructions and to download additional files onto the affected machine.
- Threat Post: Sofacy APT Targeting OS X Machines with Komplex Trojan
- Security Week: Russian Cyberspies Use "Komplex" Trojan to Target OS X Systems
Qadars targets UK banks, Dridex spam runs resume
A new distribution campaign of a banking-trojan family has been reported targeting banks in the United Kingdom, as well as financial institutions on the continent. The Qadars malware family uses exploit kits, botnets and driveby downloads to install itself onto a devices, then steals banking-related data from the infected victims. It is also capable of monitoring and hijacking text messages sent to a mobile device.
Meanwhile, spam email campaigns used to distribute the Dridex banking-trojan have resumed after a 4-month absence. The latest run distributes the malware in attachments that are password-protected encrypted Office documents, presumably as a tactic to defeat security programs that are unable to handle file extraction or decryption.
- ZDNet: Data-stealing Qadars Trojan malware takes aim at 18 UK banks
- Computer Weekly: Qadars Trojan gears up to target UK banks
- Malware Tech: Dridex Returns to the UK With Updated TTPs
Ransomware news: MarsJoke, Mamba, Cerber and more
September saw multiple ransomware families make the news. F-Secure Labs reported that an email spam run which typically distributes Cerber ransomware was found to delivering Locky ransomware instead, marking an unusual conflation between two usually separate malware distribution schemes.
A new ransomware family named MarsJoke was reported targeting government and educational bodies using emails that appear to be offering cheap flights for government employees; if successfully installed on a machine, the ransomware gives the user 96 hours to pay 0.7 Bitcoins before it permanently encrypts all files on the machine.
Another new ransomware family named Mamba was also reported that encrypts the entire hard disk, rather than individual files stored on it. The Mamba ransomware was discovered in Brazil, the United States and India. Unlike the Petya ransomware, which also encrypts hard disks, Mamba uses an open-source encryption tool to overwrite the Master Boot Record and subsequently, the hard drive. It then demands a ransom payable in Bitcoins for the decryption key.
Yet another new family, RAA, was found targeting corporate entities in Russia. Unlike most ransomware, the RAA malware is able to perform offline encryption, rather than needing to fetch an encryption key from its command and control server.
Finally, the Virlock ransomware family has seen incremental changes to its code that now allows it to infect files as well as encrypting them. Theoretically, this means that a user who runs an infected file that has been shared (for example, via email, or through a network share) would then launch the encryption routine, causing all other files on their machine to be infected and encrypted.
- F-Secure Weblog: Definitely not Cerber
- Hackread: The Nastiest of all Ransomware Mamba Encrypts Entire Hard Drive
- ZDNet: That's not funny: MarsJoke ransomware threatens to wipe data if a ransom is not paid within 96 hours
- InfoSecurity Magazine: Virlock Ransomware Spreads User-to-User for Massive Viral Infection
- SC Magazine:New RAA ransomware variant performs own encryption, attacks businesses
NanHaiShu cyber espionage trojan reported
Researchers at F-Secure Labs reported their analysis of a data-stealing trojan that targeted parties involved in the international arbitration case focused on the South China Sea.
Named NanHaiShu by the researchers, the trojan targeted institutions involved in the dispute between China and the Philippines, which was resolved by an international tribunal earlier this year.
Project Sauron aka Remsec malware reported
Security researchers reported their analysis of a sophisticated malware platform that has been active since 2011. The malware, known variously as Project Sauron or Remsec depending on the research group, is thought to have been developed and operated by a nation state, and used to infiltrate and gather data from a wide range of targets.
Once installed on a targeted computer, the malware essentially gives total control of it to the remote operator, allowing them to track activity and steal data from the affected machine. The published research reports that the malware targeted 30 organizations in various countries, including Russia and Iran, as well as specific individuals.
Iran: malware found in petrochemical plants
Iran announced that it found and removed malware from two petrochemical complexes. The announcement follows an investigation into whether recent fires that took place at other petrochemical facilities were caused by cyber attacks, though officials also noted that the malware removed were 'inactive' and not related to the fires.
Android 'HummingBad' uses root access for clickfraud
Security researchers reported their discovery of an Android app that gains root privileges in order to display advertisements. In addition, the app can manipulate the way it displays the ads to trick users into clicking on them in order to falsely create advertising revenue, a practice known as 'clickfraud'. Because the app has root privileges, it is also able to silently install additional apps onto the device without the user's knowledge or consent.
According to reports, the HummingBad app is the product of a Chinese advertising company and is primarily distributed on third-party app stores. The app is also reportedly being distributed as a driveby download, when a compromised website pushes the app when the users visit the website.
While the clickfraud-related behavior of the app is not new, the fact that the app is able to trick users into granting it root privileges on the devices means that it can, theoretically, be used for more malicious actions than just displaying unsolicited ads.
Mac Keydnap malware steals passwords, installs backdoor
Security researchers announced the discovery of a new Mac malware, named Keydnap, that attempts to steal the contents of the Mac OS X keychain, as well as installing a backdoor on the infected system that could be used by remote attackers for further attacks.
The Keydnap malware has a number of unusual features. According to reports, it is distributed in an executable file that appears to be an image file; when the file is launched, it downloads and installs the backdoor. The malware also uses a component (taken from a publicly available GitHub project) to search for password data stored by OS X's keychain. This sensitive information is then exfiltrated via the Tor anonymizing network to the attacker's command and control (C&C) server.
In recent days, security researchers also noted the appearance of another Mac malware, named Eleanor, which also installs a backdoor on an infected Mac machine - though the malware is sophisticated enough to avoid installing the backdoor if the machine is running the Little Snitch security program.
Ranscam poses as ransomware, deletes files
Security researcher reported they have identified a new strain of malware that poses as ransomware to essentially scam users into paying a 'ransom', but deletes files rather than performing the more technically demanding action of encrypting them.
According to reports, the malware known as Ranscam displays a notification message that appears very similar to messages displayed by crypto-ransomware, and demands payment of a 'ransom', supposedly to restore files that it had encrypted. Unlike actual crypto-ransomware however, the affected files are simply deleted, so that even if users pay the money demanded, the files cannot be restored.
- Dark Reading: New 'Ranscam' Ransomware Lowers The Bar But Raises The Stakes
- Threat Post: Ranscam Ransomware Deletes Victims' Files Outright
Locky ransomware spikes after summer slowdown
Following an unusual slowdown in email spam campaigns distributing Locky ransomware in the first weeks of June, researchers have noted an abrupt pickup in the amount of spam being delivered.
Researchers at F-Secure Labs reported seeing multiple campaigns being launched, resulting in "more than 120,000 spam hits per hour", or four times the amount of activity seen in the previous week. The emails sent typically included a ZIP file attachment, while the email content is designed to make it appear as though the attachment contained requested invoices or receipts. If a recipient unwittingly opens the attachment, the Locky ransomware is downloaded and executed.
- F-Secure Weblog: A New High For Locky
Neutrino exploit kit updates to use researcher's IE exploit
Security researchers reported that the notorious Neutrino exploit kit has incorporated a recently published exploit for the CVE-2016-0189 vulnerability in Microsoft's Internet Explorer web browser.
The exploit code was published by an independent security researcher after Microsoft had released a patch for the vulnerability. According to reports, the researcher was able to reverse-engineer the patch in order to work out how to create code that would exploit the flaw.
Shortly after the publication of the exploit, researchers noted that the Neutrino exploit kit had been updated to include code that was almost identical. While a patch for the vulnerability is already available, users who have not yet applied the patch remain vulnerable to exploit-based attacks that target the flaw.
Microsoft warns of 'worm-like' ransomware
Microsoft's Malware Protection Center reported a new type of ransomware that displays worm-like behavior and targets machines running Windows operating systems below Windows 10.
Dubbed Ransom:Win32/ZCryptor.A, the malware is distributed via spam email, disguised as fake Flash Player installers, or as part of the payload of other malware. If the malware is unwittingly installed, it encrypts targeted files on the system, then displays a ransom demand.
Unlike most ransomware, ZCryptor will also save a copy of itself onto any accessible removable drives, potentially gaining new victims if the removable drive is used on another, clean machine.
- The Register: Microsoft warns of worm ransomware, finds fix in Windows 10 upgrade
- Microsoft Malware Protection Center: Link (.lnk) to Ransom
Researcher: Qarallax RAT spying on US visa applicants
Security researchers at F-Secure Labs reported the discovery of a malware, identified as Qarallax RAT, being used to harvest information from applicants for US visas in Switzerland.
According to the report, the malware is distributed in a file designed to look like information sheets related to the visa application process; the malicious file was distributed via a Skype account using the name 'ustravelidocs-switzerland' (note the 'i'), which is one easily-missed letter away from a legitimate information service. Similar accounts also appear for visa application services intended for applicants from different countries, indicating that the operators of the malware are targeting various nationalities.
If the unsuspecting user downloads and runs the file, it is able to capture user input from the mouse and keyboard. It is also able to use the webcam to take photos or videos.
- F-Secure Weblog: Qarallax RAT: Spying On US Visa Applicants
FLocker Android ransomware targeting TVs
Security researchers reported a new strain of the FLocker Android ransomware that is capable of infecting smart TVs that use the Android operating system.
According to news reports, the malware will lock the TV screen to display a localized ransom demand that purports to be from a local law enforcement authority (making it a form of 'police-themed' ransomware). The malware then demands a sum in iTunes gift cards in order to release the lock on the screen.
The malware, which is able to infect smartphones as well as TVs, reportedly avoids infecting devices in certain regions, such as Russia and the Ukraine. On devices that it does infect, it does not encrypt stored files, but may harvest data such as contacts, system information and location.
Also unlike most ransomware, RAA will install another malware - a password stealer (Fareit).
Ransomware targeting Zimbra email software reported
Following user reports of a ransomware targeting emails sent via the Zimbra enterprise software, the company has published a blogpost providing more details of the ransomware infections and urging any affected users to contact their Support team for assistance.
According to reports, the ransomware specifically looks for the Zimbra email message store folder and encrypts all files stored in it, adding the file extension .crypto to each affected file. The ransomware than adds a text file to the machine containing the ransom demand and instructions for paying it. The sum demanded is 3 bitcoins.
The ransomware is written in Python, and reportedly requires a couple Python dependencies to be installed before the malware can run on a server and affect the files.
'Godless' Android malware using framework to root devices
Security researchers reported discovering a family of Android malware that uses multiple rooting exploits, allowing it to work on virtually any device running Android version 5.1 or earlier, which accounts for an estimated 90% of all devices on the operating system.
Variants in the Godless malware family have been reported available in various app stores, including on the Google Play Store. The variants are either packaged as utility programs or repackaged copies of popular games. Once installed, the malware uses a rooting framework containing multiple exploits, which allow it to gain root privilege on the device.
Once it has rooted the device, the malware installs another app that automatically downloads and installs apps. It may also inflate the rankings for certain apps on Google Play. The malware is reportedly installed on over 850,000 devices worldwide, most notably in India, Indonesia and Thailand.
Locky ransomware network hacked by grey hats
In two separate incidents, unidentified 'grey hat' hackers were able to breach the command and control network used to distribute Locky ransomware.
According to reports, the hacks of the Locky network would only have affected one or a handful of the control servers used to distribute the ransomware, so other servers in the network would still be serving the actual malicious file.
- The Register: Suck on this: White hats replace Locky malware payload with dummy
- Labs Weblog: PSA Payload Via Hacked Locky Host
Viking Horde malware reported on Play Store, removed
Security researchers have reported discovering malware on Google's Play Store that ropes infected Android devices into a botnet, which can be used for advertising fraud, spam distribution and Distributed Denial of Service (DDoS) attacks, among other malicious actions.
The malware family was dubbed Viking Horde based on the name of the most popular trojanized variant, Viking Jump, though a handful of other similarly-affected apps were found. The apps were reportedly able to perform malicious actions on both rooted and unrooted devices. As the apps gain root access to the device during installation, uninstalling them from a device can be problematic.
At the time of writing, the apps have been removed from the Play Store.
Redirector.Paco click-fraud botnet reported
Security researchers reported the discovery of a botnet of almost 1 million machines infected with a malware they identify as Redirector.Paco, a trojan that intercepts search queries to major search engines and redirects the unsuspecting users to search results that have been altered by the botnet operators to include ad links that generate payments for the fraudsters.
The redirection attack (also referred to as 'clickjacking') is used by the botnet operators to abuse the Google AdSense advertising program, which would pay (in good faith) for web traffic to advertisements. Meanwhile, users infected by the trojan may notice a longer loading time for the search results, or other minor telltale signs of the infection.
- Security Affairs: Redirector.Paco, a Million-Machine Clickfraud Botnet
- Tom's Guide: Clickjack Attack Infects Nearly One Million Computers
TeslaCrypt shuts down, releases decryption key
The operators of the TeslaCrypt ransomware have posted a notice announcing the shutdown of their operation. The announcement also said they were 'sorry' for the disruption they had caused, and included the master decryption key used by their malware to encrypt files on victim machines.
The unexpected move allowed security researchers to create a decryption tool for users affected by the ransomware and unable to make the ransom payment to the now defunct operators.
- International Business Times: TeslaCrypt ransomware shut down by developers 'sorry' for ruthless extortion campaign
- TechCrunch: Ransomware maker TeslaCrypt shuts down after releasing master key
Decryption tool released for Petya ransomware
A flaw in the way the Petya crypto-ransomware performs its encryption has been used by security researchers to create a tool that can generate the password used by the malware to decrypt the master boot file, potentially allowing affected users to recover their systems without paying the ransom demand.
While freely available, the decryption tool requires some technical knowledge to use, though other sources have also published a step-by-step tutorial to provide assistance.
Jigsaw ransomware deletes files for slow payments
A particularly nasty strain of ransomware has emerged, which deletes files on a victim's computer if the ransom demand is not paid in time, or if the user reboots the computer.
Known as Jigsaw (a reference to the infamous character from the Saw movie series), the malware threatens to delete files stored on the computer every hour; if the machine is rebooted, the ransomware reportedly deletes 1,000 files.
Fortunately for affected users, researchers have quickly created a tool to decrypt the files locked by the ransomware without needing to pay the ransom demand.
First Mac OS X ransomware reported
Security researchers reported the discovery of a copy of the Transmission torrenting software that was tainted with malicious code. The altered program, dubbed KeRanger, runs on Apple's OS X operating system and if installed, functions as ransomware, locking data on the user's machine, and then demanding a ransom of 1 Bitcoin to restore access.
According to news reports, attackers had managed to compromise the legitimate Transmission website in order to plant the rogue copy of the torrenting software (version 2.90) on it. The substitution was quickly noticed, with file being downloaded about 6,5000 times before the issue was corrected with the 2.92 version.
DRM flaw exploited to install apps on iOS devices
Security researchers have reported the existence of malware that can be installed on a non-jailbroken iOS device. According to news reports, the researchers found three apps on the official App Store in China that appeared to offer wallpapers but instead steal Apple IDs and passwords.
Of particular interest was how these apps were installed on the victim devices - the attackers first created what appeared to be a utility program for iOS devices (named Aisi Helper) and distributed this to users via a third-party site. When the helper program was installed on a (Windows) computer and an iOS device connected to it, the attackers could remotely direct the device to download and install the apps from the Store, using an authorization code that was had been previously stolen. The method effectively bypassed normal app digital rights management (DRM) checks.
Though the existence this attack vector is of technical interest, other news reports have pointed out that it is unlikely to affect any users outside China. In addition, a user would need to have a Windows machine with the malicious helper program installed, and connect an iOS device to it, before they can be compromised.
USB Thief malware targets air-gapped systems
Security researchers have announced the discovery of malware specifically designed to target computers that do not connect to the Internet (known as 'air-gapped' computers). Dubbed USB Thief, the malware selectively infects USB drives that already hold installers for portable versions of popular programs such as Firefox or Notepadd++. These portable versions run off the USB drive itself without installing any files on a connected computer. The malware then inserts itself into the installations of these programs as a DLL, so that it is also executed each time the programs are run.
USB Thief is also notable for taking steps to confound attempts to copy it or even examine it in further detail. The malware uses AES encryption and generates the names of its files from specific details of the host USB device so that it can only run on that specific device, making reproduction of the malware on a researcher's test system effectively impossible.
When successfully installed and run, USB Thief steals data from the victim machine. The data is saved on the USB device and encrypted, leaving no trace of its presence once the USB device is removed.
Petya ransomware encrypts the MBR
A particularly nasty strain of ransomware known as Petya has been reported targeting companies in Germany. Like most ransomware today, it is delivered by phishing email, which appears to be a legitimate business communication from an applicant for a job opening. The email contains a link to what appears to be a resume on a cloud storage service. If the link is clicked, the file is downloaded and turns out to be an executable program that downloads and executes the Petya ransomware.
Unlike most of its crypto-ransomware brethren, Petya encrypts the computer's Master Boot Record (MBR), a special section of the computer hard drive that loads (boots) the operating system. When run, the ransomware first causes a system crash by triggering a 'blue screen of death' (BSOD). When the system is restarted, the malware encrypts the MBR, then displays a red screen with its ransom demand.
- SC Magazine: UPDATE: Petya ransomware leverages Dropbox and overwrites hard drives
- PCWorld: This nasty ransomware overwrites your PC's master boot record
- F-Secure Labs Weblog: Debugging Petya
- F-Secure Labs Weblog: Petya: Disk Encrypting Ransomware
'Malware museum' launched
An archive of old computer malware has been set up by Mikko Hypponen, F-Secure's Chief Research Officer. Containing a selection of malware that date from the 1980s and 1990s, the collection mostly features programs that are "mischievous" in nature, rather than outrightly harmful. All malware in the museum were altered to remove their malicious capabilities.
T9000 malware steals Skype data, avoids security products
Security researchers at Palo Alto Networks have reported on a malware, dubbed T9000, that can take recordings and screenshots of Skype calls, as well as steal data from the affected system. According to the report, the T9000 malware is distributed in an RTF file; if the user unwittingly opens the file, it launches exploits against the CVE-2012-1856 and CVE-2015-1641 vulnerabilities in various versions of Microsoft Office programs; if the exploit is successful, the malware can install itself on the system.
Of particular interest to security researchers are the methods the malware uses to avoid detection by security programs. T9000 identifies 24 security products and modifies its own installation mechanism in order to avoid detection by these products.
Enabling macros in Word docs leads to Locky ransomware
One of the biggest threats to emerge in 2016 so far has been the Locky ransomware. This malware is distributed in a Microsoft Word document that typically claims to be an invoice. If the user opens the document, if macros are enabled in Microsoft Office, the ransomware is able to run immediately and encrypt files stored on the computer. If macros are not enabled (as is the default setting for later versions of Microsoft Office), the document appears to be scrambled and displays a message asking the user to enable macros in order to view it correctly. If the user chooses to do so, the Locky ransomware is again able to run and encrypt files.
Once the files are encrypted, Locky changes the desktop background to display a ransom note pointing to a location (hidden in the Tor anonymizing network) where the victim can make payment in order to restore access to their affected files.
- F-Secure Labs Weblog: Locky: Clearly Bad Behavior
- Arstechnica: "Locky" crypto-ransomware rides in on malicious Word document macro
ATMZombie Trojan strikes Israeli banks
Security researchers at Kaspersky Labs have reported on a malware, dubbed ATMZombie, that has been targeting banks in Isreal. The malware is reportedly distributed in phishing email messages to the victims and if successfully installed on a machine, can use a number of techniques to steal the victim's online banking credentials.
Once the credentials are obtains, the criminal gang behind the malware reportedly use 'money mules', or accomplices who provide physical assistance for bank transfers, in order to withdraw money from the victim's account.
According to the reports, the banks have compensated the victims for their losses, leaving the financial instutions to bear the brunt of the malware's actions.
Ransom32 is sold as a service, offered on a web server hidden by the Tor anonymizing network. The malware itself is delivered in a compressed RAR file that auto-extracts itself, then encrypts files on the affected system.
- F-Secure Labs Threat Description: Trojan: W32/NomadSnore
- The Register: Happy 2016, and here's the year's first ransomware story
250 Hyatt hotels affected by POS malware in 2015
Hyatt Hotels announced that in 2015, 250 of its hotels (almost half of its 627 properties) in over 50 countries had been affected by point-of-sale (POS) malware that stole credit card details, including cardholder names, card numbers, expiration dates and internal verification codes. The chain has not provided a figure for how many customers are likely to have been compromised, but said they were offering a year of credit monitoring to potential data theft victims.
Given the number of properties affected, Hyatt appears to have been the hotel chain most widely affected by malware, though other chains have also been similarly troubled in recent months, including Trump Hotels, Starwood Hotels and Resorts, and Hilton Hotels.
0-day flaw in Netgear routers reported
Netgear announced that routers in their R6400, R7000, and R8000 product series were vulnerable to the VU#582384(CVE-2016-6277) vulnerability that was recently publicly reported. The vulnerability is said to be trivially easy to exploit, as it only requires an attacker to lure the user onto a specially-crafted webpage that abuses the flaw.
Following the news that exploit code for the vulnerability had been publicly released online, both security researchers and US-CERT have urged users to either disable their router's web server feature or cease using the routers entirely until a fix is published. Netgear in turn has announced that they were working on a firmware update to address the flaw.
Linux zero-day exploits released
A security researcher made public an exploit for a zero-day drive-by download against Fedora 25 + Google Chrome and Ubuntu 16.04 LTS. The exploit targets a memory-corruption vulnerability in the GStreamer media framework shipped in many Linux distributions, and requires the user to be lured to a specially crafted webpage.
This is the second exploit targeting Linux systems to have been released in recent weeks by security researcher Chris Evans, though the previously reported exploit is only effective against much older versions of Linux distributions.
- Arstechnica: 0-days hitting Fedora and Ubuntu open desktops to a world of hurt
- Security Week: 0-Day Exploits Could Wreak Havoc on Linux Desktops
Google to patch Dirty Cow flaw in Dec Android patch
Google has released a supplemental patch for the CVE-2016-5195 'Dirty Cow' vulnerability, which affects Linux systems and can also be used to gain root privileges on Android devices.
The patch for the Pixel and Nexus devices is expected to be followed by a full patch in the December Android Security Bulletin. In the meantime, Samsung has released a patch for the vulnerability in its November update for selected Galaxy devices.
Major, easily-exploitable flaw in Linux reported
Security researchers reported a notable vulnerability in the Linux Unified Key Setup-on-disk-format (LUKS) mechanism found in almost all Linux distributions, which could be exploited to allow an attacker to launch a shell with root privileges. The CVE-2016-4484 flaw, which only affects machines that have encrypted system partitions, can be exploited by holding the 'Enter' key down for 70 seconds while the system is booting.
Instructions for fixing systems to close the flaw have been released by the researchers.
New iOS Siri lockscreen bypass reported
Security researchers reported the discovery of a lockscreen bypass attack that affects any iOS device which can receive Facetime or phone calls. The hack, which is demonstrated in videos posted online, involves using Siri to activate the VoiceOver feature on a target phone in the attacker's possession, then hijacking it to gain access to the device's contacts, photos and messages.
Users can avoid exposure to this attack by disabling Siri on the lockscreen, until an iOS update is released to address the issue.
- Bitdefender: Once again, Siri helps attackers bypass your iPhone's passcode
- Naked Security: iPhones vulnerable to yet another lockscreen bypass
Old InPage 0-day used in attacks on Asian banks
Security researchers reported observing targeted attacks against banks in Asia that leveraged an old zero-day flaw in the InPage word processor, which is popularly used in the region to deal with documents in languages such as Urdu, Persian, Pashto and Arabic.
- The Register: Attackers use ancient zero-day to pop Asian banks, govts
- Threatpost: InPage Zero Day Used in Attacks Against Banks
Linux flaw being actively targeted, patch released
Researchers announced that the CVE-2016-5195 flaw in all versions of the Linux operating system is under active exploitation. The flaw was reportedly first identified by Linus Torvalds 11 years ago and can be exploited by a local user to gain more privileges, eventually leading to total control of the system.
The Linux kernel maintainers have released a patch for the bug (also known as Dirty Cow) and users are urged to patch their systems as soon as possible.
Drammer attack exploits Rowhammer hardware flaw in Android devices
Security researchers have confirmed that Android can be successfully compromised using a specially crafted app to exploit a hardware vulnerability present in RAM memory chips in order to gain root privileges. The Drammer attack used by the researchers targets the known Rowhammer flaw to gain unauthorized memory access.
Google has confirmed that they are releasing a software patch which would mitigate against the Drammer attack, but would not solve the underlying hardware flaw.
New AtomBombing code injection technique for Windows reported
Security researchers announced the discovery of a new code injection technique named AtomBombing which could be used to target Windows systems and inject malicious code.
Unlike other code injection techniques, AtomBombing does not exploit a vulnerability in the Windows operating system and instead takes advantage of a built-in component in the OS known as atom tables, which stores certain types of data from applications on the system. By injecting code into the tables, the researchers were able to force applications to run the inserted code.
As the technique uses a normal process in the operating system, it is overlooked by security programs. Researchers have noted the difficulty of separating malicious use of the atom tables from legitimate use, which would make it extremely difficult to create a patch against this technique.
3 flaws reported in LibTIFF library, 2 patched
Three vulnerabilities have been reported in the LibTIFF library, which is used to support TIFF image files. The CVE-2016-5652, and CVE-2016-5875 and CVE-2016-8331 flaws could all reportedly lead to remote code execution if successfully exploited. Patches for two of the three vulnerabilities have been released by the LibTIFF CVS repository and users are urged to apply the patches promptly.
Emergency patch for actively targeted Flash Player flaw
Adobe has issued an emergency patch for a vulnerability in Flash Player that Google reported was being actively targeted in-the-wild to compromise some users running Windows 7, Windows 8.1, and Windows 10.
The CVE-2016-7855 bug is patched in version 126.96.36.199 for Windows and Mac users, and 188.8.131.523 for Linux. Users are urged to update their Flash Player installations as soon as possible.
Google: 0-day flaw in Windows being actively exploited
Security researchers at Google announced the discovery of a zero-day vulnerability in the Windows operating system, which they say is being actively exploited in-the-wild. The vulnerability, which was reported privately to Microsoft on Oct 21, involved "a local privilege escalation in the Windows kernel that can be used as a security sandbox escape".
According to reports, the researchers made the announcement in accordance with Google's policy of disclosing vulnerabilities within 7 days if they are under active exploitation. Microsoft has so far not announced a fix for the flaw.
The disclosure of the Windows vulnerability comes within the same time span as a similar incident involving Flash Player, in which Google privately reported an actively-exploited flaw in the popular media player. In that case, Adobe responded within days with an emergency patch.
0-day flaw in MySQL reported
A critical vulnerability was announced in all versions of the popular MySQL database program which, if successfully exploited, could allow remote code execution. The CVE-2016-6662 flaw also affects software linked to MySQL, such as MariaDB and PerconaDB.
According to the researcher who discovered the flaw, he had privately reported the vulnerability to Oracle, but decided to publicly announce its existence (together with a limited proof-of-concept exploit) when the vendor failed to properly patch the flaw within 40 days of reporting. The other affected vendors have issued patches for their own products.
Tesla issues patch for remote hack flaw
Tesla quickly released a patch for the flaw that allowed a team of security researchers to remotely hack into and control one of its Model S cars.
In a video demonstration of the hack, the researchers were able to control the car's brakes, and open its boot, among other actions. The attack involved connecting the car to a malicious WiFi hotspot and then attacking an electronic control unit to gain access to the internal systems.
While the attack has been characterized as 'low-risk', Tesla has been commended for its prompt action in investigating and fixing the vulnerability
Drupal releases update to patch 3 flaws, 2 critical
Drupal announced the release of an update for its content management system to address three reported flaws, two of which are rated critical. The first critical flaw involves a cross-site scripting flaw in HTTP exceptions, while the second would allow a full config report to be downloaded without permission.
The vulnerabilities, collectively identified as SA-CORE-2016-004, affect versions 8.x, with the fixes for them being released in version 8.1.10.
iOS 10 backup flaw reported
Apple confirmed news reports that a security flaw in the way iOS 10 handles locally stored encrypted backup files allows them to be cracked far more easily than on previous versions of the popular mobile platform. The tech giant has also confirmed that they are working on a fix for the issue.
Volkswagen keyless entry systems exposed to remote hack
Security researchers reported their discovery of a flaw in the keyless entry systems used on certain vehicles that could allow a nearby attacker to eavesdrop and clone the 'key' being transmitted when the lock/unlock buttons on a key fob are pressed.
According to the security researchers, some models of Audi, Volkwagen, Seat and Skoda vehicles that have been produced since 1995 would be exposed to an attack targeting the flaw, which requires only readily-available equipment to execute. News reports have estimated that the number of cars that could be exposed to the attack number in the millions.
Researchers: Android inherited Linux 'traffic hijacking' flaw
Security researchers have concluded that a flaw in the Linux operating system that was reported earlier this year would also affect Android devices, as the popular mobile operating system uses code that is based on Linux.
The side channel vulnerability (CVE-2016-5696), which was reportedly introduced in the 4.4 (KitKat) version of Android, could allow an attacker to hijack Internet traffic in order to snoop on the transmitted communications. The flaw has since remained present in all subsequent OS versions.
While attacks targeting the flaw are thought to be 'impractical' for mass deployment, it is considered at least 'feasible' for more targeted attacks. The flaw has been patched in the Linux kernel, but is still in the process of being addressed on the Android platform.
Windows flaw allows printers to install malware, patch released
Microsoft's Patch Tuesday updates include a fix for a vulnerability in the Print Spooler service in Windows that could allow a networked printer server to inject malware onto all connected computers.
According to the security researchers who discovered the vulnerability, the flaw dates back all the way to Windows 95. Microsoft rates the vulnerability as Critical on all supported versions.
Critical flaws reported in 3 third-party Drupal modules
Website content management system (CMS) Drupal reported critical vulnerabilities in three of the third-party modules used with its platform that could be exploited to allow remote code execution.
The flaws affect the RESTWS, Coder or Webform Multiple File Upload modules, which are used in numerous websites run on the CMS. Of particular concern is the Coder module, which only needs to be present on the file system (that is, not even enabled) to introduce the vulnerability.
Users are urged to update their Drupal installations to use the latest versions of the affected modules.
- The Register: Critical remote code execution holes reported in Drupal modules
- Computerworld: Three popular Drupal modules patch site-takeover flaws
Cryptography flaw reported, patched in Juniper OS
Juniper announced that it has released a patch for a vulnerability in its Junos operating system that could have allowed attackers to snoop on trafffic travelling over the customer's secure networks.
The CVE-2016-1280 flaw could allow attackers to use specially-crafted self-signed certificates to impersonate trusted parties, essentially enabling man-in-the-middle attacks.
The patch for the vulnerability was released together with fixes for five other vulnerabilities in its product line.
'HTTPoxy' website CGI app/server flaw reported
The Apache Software Foundation, Red Hat, Ngnix and a number of other companies have announced a vulnerability found in various server-side web applications that can be exploited to access data on the affected web server.
The flaw affects applications that run in CGI (or 'CGI-like') environments, and require a number of other factors to be in place before it can be exploited. The various product vendors known to be affected by the vulnerability have issued patches to address the issue, as well as offering mitigation strategies to implement while the patches are being deployed.
Administrators and/or developers are recommended to promptly install the relevant security patches for their affected applications.
iMessage flaw that allows iOS, Mac compromise reported
Security researchers reported that almost all versions of iOS and OS X include a vulnerability that could allow unauthorized access to the device using a specially crafted iMesaage.
Only the latest versions of both operating systems are free of the flaw, which allows an attacker to use an image file encoded in the TIF format to run code on the device when it is viewed.
Users are advised to either update to the latest versions of their respective operating systems, or disable iMessage.
'High severity' vuln in Chrome PDF Reader reported
Securty researchers reported discovering a vulnerability in the built-in PDF reader used by the Chrome web browser that could be exploited by an attacker to run arbitrary code on the user's system.
The flaw (CVE-2016-1681) in the PDFium reader used by Chrome can be triggered if the user unwittingly opens a specially-crafted PDF document containing a malicious image, which would trigger a heap buffer overflow.
Google has since fixed the flaw in the 51.0.2704.63 version of the browser; as Chrome automatically updates to the latest version by default, most users will already be using the version with the fix. If the Chrome browser is set to prevent auto-updating, the user will need to manually update it to receive the latest fixed version.
Flash Player zero-day vuln actively targeted, patch now
Adobe has released an update that fixes 36 security issues for their popular Flash Player program, including a fix for the CVE-2016-4171 zero-day flaw being attacked to install malware on user's computers.
Users are urged to update their Flash Player to the latest version as soon as possible.
Apple keep mum on patched Airport router flaw
Apple released a patch for the CVE-2015-7029 flaw reported in its Apple AirPort router, which if successfully exploited could allow an attacker to remotely execute code on the affected device.
While the release of the fix is welcome news for an issue that was reported nine months ago, few other details about the vulnerability have been released by the company other than that it involves a DNS parsing flaw. Commentary from security researchers on the update have speculated about how the router could be exploited. Apple AirPort users are urged to update the firmware of their device with the security patch.
Libarchive flaws reported, new version released
The Libarchive library (a popular programming library used in many archiving tools, file browsers and other utility programs) has released a new version to address a number of reported vulnerabilities.
The new version fixes the CVE-2016-4300, CVE-2016-4301 and CVE-2016-4302 vulnerabilities reported by security researchers, each of which could allow arbitrary code execution if successfully exploited.
While the Libarchive version 3.2.1 closes these flaws, software developers who have used the library in their products will still need to update their products to use the latest version.
- Securityweek: Several Vulnerabilities Patched in Libarchive Library
- Threat Post: Patched libarchive Vulnerabilities Have Big Reach
ImageMagick flaw affects websites, patch now
A vulnerability has been reported in the popular ImageMagick software used by websites to process images, which can be easily exploited using specially-crafted image files.
The image processing software is used on many websites and content managing systems to resize and edit images uploaded by users. The CVE-2016-3714 vulnerability, if exploited, would allow an attacker to force the web server to execute remote code.
According to reports, the vulnerability is being actively attacked in-the-wild. Mitigation measures and at least partial patches have been made available by ImageMagick developers, though security researchers have noted that the patches are "incomplete".
Android Qualcomm chip API bug reported
Security researchers announced the discovery of a flaw in Android devices using certain chips that could, if successfully exploited, allow a malicious app to steal data from the affected device.
The issue only affects Android handsets that use chips manufacturered by Qualcommm. The flaw, identified as CVE-2016-2060, is found in the APIs used to communicate between the chip and the device's operating system. According to reports, a vulnerability in the API could be silently exploited by specially crafted apps to access many of the device's settings without raising suspicions in the user. At the time of writing, there have been no reports of an attack targeting the flaw.
Qualcomm was notified of the flaw and a fix was created before the news was announced. Due to the complex nature of device patching in the Android ecosystem however, which involves multiple manufacturers and models, users would need to check with their device manufacturer to verify when - or if - their device will be receiving the patch.
OpenSSL project releases update to patch multiple flaws
The OpenSSL project has released updates for various versions of its software that address a number of security flaws, includiing two (CVE-2016-2108 and CVE-2016-2107) that are considered "high" severity.
OpenSSL is critical software used by countless organizations to secure their online communications. Prior to the release of the new versions, the OpenSSL project made a relatively low-key announcement informing its users that an update would be provided within a few days, but offerred no further details to stave off possible attacks before the update was released.
- Krebs on Security: OpenSSL Patch to Plug Severe Security Holes
- The Register: Yay! It's International Patch Your Scary OpenSSL Bugs Day!
Companies with unpatched SAP flaw still vulnerable
Security researchers reported that a vulnerability in SAP software that was fixed in 2010 was still unpatched in numerous companies surveyed in 2016, leaving them vulnerable to an attack that could allow attackers to gain complete control of the affected organization's business applications.
Following the initial report, the US-CERT issued an advisory highlighting the security implications of leaving the bug unpatched. Subsequently, a second report was published that noted over 500 companies were still vulnerable to the issues, rather than the dozens found in the original study.
Adobe patches zero-day flaw under active attack
Adobe has released patches for 25 vulnerabilities in its popular Flash Player software, including for the critical CVE-2016-4117 flaw which is already being actively exploited in-the-wild.
According to security researchers, attackers targeted the CVE-2016-4117 vulnerability using exploit code embedded in a Microsoft Office document. Victims are either emailed the file directly as an email attachment, or are given a link to download it. Once the file is opened and the exploit run, the system could crash and subsequently allow the attacker to take control of the system.
Soon after the release of the patch, the exploit for the CVE-2016-4117 vulnerability was found included in major exploit kits. Users are strongly recommended to update their Flash Player installations with the latest patches.
7-Zip tool releases 16.00 version to fix 2 flaws
7-Zip announced the release of the 16.00 version of their product, which addresses a couple of serious vulnerabilities (CVE-2016-2334 and CVE-2016-2335) related to improper data input validation.
The flaws in the popular archiver tool were privately reported by security researchers from Cisco's Talos group. As the tool is used by numerous utilities and business applications, the announcement of the flaws has had a knock-on effect, with software developers checking to determine if their own products are affected.
As older versions of the 7-Zip tool still have the flaws, users are strongly recommended to update to the latest version.
Apple squashes Siri 'lockscreen bypass' bug
Apple has quickly fixed a bug in its Siri voice search program that could allow an attacker to bypass the lockscreen on certain iOS models, allowing access to the device's contacts or photos.
First demoed in a YouTube video, the flaw is only exploitable on an iPhone 6 or 6S Plus, as it relies on being able to access the 3D Touch menu. The bug was promptly fixed by the company in two days without needing to push an update to users (Siri is server-based, so changes only needed to be made to the servers). Users are now prompted to first unlock the device before Siri will complete a action from the lockscreen.
MagnitudeEK targets 0-day Flash Player flaw
Exploit code for a zero-day vulnerability in the Flash Player program was found being used by the popular Magnitude exploit kit, prompting Adobe to release an emergency update to address the flaw.
The vulnerability, identified as CVE-2016-1019, affects Flash Player versions 184.108.40.2066 and earlier. If successfully exploited, the vulnerability could allow remote code execution. A security advisory was published on 5th April with advise on mitigation measures, while a full update was released later on 7th April.
- F-Secure Labs Weblog: Magnitude EK Spikes with Latest Flash Vulnerability: CVE-2016-1019
- Security Week: Adobe Patches Flash Zero-Day Exploited by Magnitude EK
Badlock flaw underwhelms; patches released
Following the month-long hype leading up to the release of information about the vulnerability known as Badlock (CVE-2016-0128), security researchers were largely underwhelmed once the full details were finally made public.
The Badlock flaw, which affects Windows servers running Samba software, could potentially allow man-in-the-middle (MitM) or denial-of-service attacks. Both Samba and Microsoft have released advisories that address the issue, and have urged users to install the latest updates in a timely manner.
Despite the potential impact of a successful attack against the Badlock vulnerability, there have been disagreements in the security research community about whether the flaw warranted as much attention as it gained, particularly because exploitation would require an attacker to already be inside the targeted local network. Microsoft rated the vulnerability as 'important', rather than the highest ranked 'critical'.
- F-Secure Labs Weblog: Badlock: A Lateral Concern
- ZDNet : Badlock flaw is patched, but failed to live up to the security hype
Apple: QuickTime not supported, flaws won't be patched
Tech giant Apple has confirmed that it is no longer supporting its QuickTime media player. The confirmation follows an announcement from the Zero-Day Initiative of two vulnerabilities, ZDI-16-241 and ZDI-16-242, found in QuickTime for Windows.
News of the vulnerabilities had prompted a recommendation from the US Department of Homeland Security urging users to uninstall the program from their computers, as Apple was apparently no longer developing the product and had stopped issuing security updates.
Apple's abrupt announcement took a number of vendors by surprise, including Adobe, whose Creative Cloud products use QuickTime as an integral part of their software suite. Users who are not dependant on the player for business or productivity are urged to proactively uninstall it from their machines to remove a potential entry point for attackers.
DROWN attack flaw in TLS protocol announced
A team of security researchers have announced the existence of a flaw in the popular TLS secure communication protocol that could be used by attackers to break the encryption that underpins it and allow them to read and steal data being transmitted using the protocol. The attack scenario was given the media-friendly name Drown, for "Decrypting RSA with Obsolete and Weakened eNcryption".
An attack would involve exploiting a vulnerability (CVE-2016-0800) in the old, retired SSL v2 protocol (which is supported by TLS) to decrypt TLS sessions, and would be effective against any server that uses TLS and still supports the obsolete SSLv2.
A partial patch was included for the flaw at the time of the announcement. OpenSSL has also released a security advisory addressing the issue.
Researcher urges users, admin to update flawed git clients, severs
A security researcher has urged users and system administrators who use the Git repository service to update their clients and servers in order to patch two vulnerabilities, CVE-2016-2324 and CVE-2016-2315.
The flaws, which were discovered by the same researcher, are present in versions below 2.8.0. If successfully exploited, the vulnerabilities could allow attackers to execute code on affected servers or clients.
The vulnerabilities were reported to GitHub in November 2015 as part of its bug bounty program, and was awarded 5,200 points under their scheme.
Faulty patch for 2013 Java flaw left users vulnerable
A patch for the CVE-2013-5838 flaw in Java, which was discovered in and patched in October 2013, was recently discovered to be faulty and easily bypassed. The issue was discovered this year by the same security researchers who had found the original vulnerability. The researchers also noted that the vulnerability had been "improperly evaluated" by Oracle in terms of its security impact.
Oracle has since issued an emergency patch for the vulnerability.
Flaw in iMessage encryption reported
Researchers at John Hopkins University have reported a flaw in Apple's iMessage service. The researchers were able to intercept encrypted messages trasmitted between an device and Apple's servers by setting up a server that emulated the legitimate ones.
As the messages were encrypted with relatively weak 64-bit encryption and there was no limit on how many attempts could be made to decrypt them, the researchers were able to brute-force decrypt the captured messages.
Apple has since announced that the flaw will be fixed in the iOS 9.3 update.
- The Washington Post: Johns Hopkins researchers poke a hole in Apple's encryption
- Endgadget: Apple fixing iMessage flaw that lets hackers steal photos
Study: 24 car models open to keyless entry hack
Researchers in Germany have demonstrated that it is possible to amplify the signal from a car's key fob - the device that provides keyless entry to most modern cars - so that it can unlock the car at a greater distance. According to news reports, as many as 24 car models, from multiple manufacturers including BMW, Ford and Toyota, were vulnerable.
The attack involves two hackers using specially crafted radios; one radio gathers the signals from a targeted car's key fob and relays it to the second radio, which is used by the second attacker to open the car's doors (and in some cases, start the engine). The attackers would need to be within several meters of the target to be able to gather the signals.
Linux Glibc 'mega-bug' reported
A critical bug has been reported in the GNU C Library (glibc) component found in many Linux applications and devices. Researchers at Google and Red Hat, who reported the discovery and worked together to deliver a patch for the issue, have warned that the bug could be remotely exploit to allow an attacker to take total control of a vulnerable system, particularly in devices that are connected to the Internet.
Administrators of affected devices or programs are urged to apply the patch as soon as possible.
AV products reported vulnerable to attack
Google security researcher Tavis Ormandy has published research in recent months documenting flaws in popular commercial security programs that leave them vulnerable to attack, and publicly urging the software vendors to address the issues. As part of Google's Project Zero, the companies are privately informed of the research and given 90 days to fix them before the researchers make their findings public.
Recent reports have uncovered issues with products from Trend Micro, Comodo and MalwareBytes. In each case, the flaws were fixed within days of their report or public disclosure. MalwareBytes also subsequently launched a bug bounty program to encourage responsible disclosure of vulnerabilities in their products.
Nissan Leaf car 'hackable'
Security researchers have announced that the NissanConnectEV phone app, which connects to the Nissan Leaf electric car and allows its owner to control the vehicle's heating and cooling, can also be hacked by a remote attacker. According to the researchers, as no user authentication is required when an app transmits a command to Nissan's servers and onwards to the car, an attacker who is able to identify the car's vehicle identification number (VIN) can also send commands to the car as through they are the owner.
At least one news report covering the research highlighted the fact that control of the car's heating/cooling system may have a measurable impact on its fuel consumption. The original research acknowledges that remote control of the affected system does not otherwise affect driving controls of the vehicle.
Angler exploit kit exploit Microsoft Silverlight
Security researcher have noted that the notorious Angler exploit kit has been updated to include exploit code for the CVE-2016-0034 vulnerability in Microsoft's Silverlight media viewing application. The vulnerability, which was patched in the previous month's regular Patch Tuesday update, could allow remote attackers to hijack a vulnerable system if the user is logged in as an administrator. Silverlight vulnerabilities have been relatively rare, especially in comparison to flaws in its popular rival Adobe Flash Player, making the inclusion of this exploit in a major exploit kit a notable development.
Magento bug puts websites at risk of takeover
A critical cross-site scripting (XSS) bug was reported in versions 1 and 2 of the popular Magento ecommerce platform that, if exploited, could allow an attacker to take control of a vulnerable website. Administrators of Magento-powered websites are urged to install the latest patches for their websites.
- Sucuri blog: Security Advisory: Stored XSS in Magento
- Naked Security: Bug in Magento puts hundreds of thousands of sites at risk of takeover
'Avalanche' malware network dismantled
A global collaborative effort by over 40 law enforcement agencies around the world, as well as private sector partners, succeeded in dismantling the network of highly secured servers known as Avalanche, which were used by online criminals to distribute malware and organize money mule operations, among other criminal activities.
The recent effort was the culmination of an investigation that began four years ago, and resulted in 5 individuals arrested, 37 premises searched, 39 servers seized, over 220 servers taken offline through abuse notifications sent to hosting providers and over 800,000 domains seized, blocked or sinkholed.
Global sting targets 'DDoS for hire' services users
In a joint collaborative effort, the FBI, Europol and law enforcement authorities in multiple countries have arrested 38 individuals for purchasing 'DDoS for hire' services, as well as interviewing 100 other associated individuals.
According to news reports, many of those arrested in what was dubbed Operation Tarpit were young, in some cases under 20 years old.
US: Police request Amazon Echo data in murder case
US police have served a warrant to Amazon for data from an Amazon Echo unit that was found streaming music at a November 2015 murder scene, in hope that the voice-activated unit might have captured audio clips that could help in the investigation.
The Amazon Echo unit monitors audio recorded by a microphone in order to pick up audio cues that act as commands for the unit. While in normal use, such audio cues are routinely deleted from the cloud servers where they are processed, in some cases they may be forensically recoverable from the devices themselves. While Amazon has reportedly refused to release a history of voice recordings associated with the device, they have declined to give any further specific details about the case.
'Operation Hyperion' targets Tor marketplace vendors, users
A global collaborative effort by law enforcement agencies connected to Europol and what is known as the Five Eyes Law Enforcement Group (Australia, Canada, New Zealand, the United Kingdom and the United States) saw a week-long 'enforcement excercise' in late Ocotber that targeted the vendors and users of illicit online marketplaces hidden in what is known as the dark web.
The reportedly effort involved 'contact' being made with some users suspected of patronizing the online markets, which are used to trade drugs and other contraband. Other reports indicate that some suspected vendors were arrested, and that the usernames and aliases of other persons of interest were also publicly listed.
- Motherboard: 'Operation Hyperion' Targets Suspected Dark Web Users Around the World
- Naked Security: Tor marketplaces shut down by Operation Hyperion
- U.S. Immigration and Customs Enforcement: Law enforcement agencies around the world collaborate on international Darknet marketplace enforcement operation
- US Federal Bureau of Investigations: A Primer on DarkNet Marketplaces: What They are and What Law Enforcement is Doing to Combat Them
Arrests in UK, EU over malware-assisted monetary fraud
14 individuals in the United Kingdom were arrested early in November under suspicion of involvement in using Dridex and Dyre malware to launder $11 million.
In a separate incident a few weeks later, a pan-European law enforcement effort saw 178 individuals arrested under suspicion of being 'money mules' for organized crime syndicates that use online phishing scams to steal user login credentials and siphon funds from bank accounts.
- Bleeping Computer: Dridex and Dyre Malware Gang Members Arrested in the UK
- The Register: 178 arrested in pan-European money mule crackdown
US: Adobe fined USD1M for 2013 breach
Adobe has been ordered to pay USD1 million to settle a lawsuit over a 2013 data breach that exposed the payment records of up to 38 million users in the United States (as well as the source code of some of the company's most popular software).
Philippines: Bankers charged over cyber heists
Five bank officers in the Philippines, as well as a treasury officer, have been charged by the country's Anti-Money Laundering Council for 'willfulling ignoring' suspicious activity that lead to the loss of tens of millions of dollars in fraudulent bank transfers from Bangladesh's central bank.
'Celebgate' hacker sentenced to 18 months jail
Ryan Collins has been sentenced to 18 months in a United States federal prison for stealing the login details of over 600 email accounts. The hack was known in the media as 'Celebgate', as it affected a number of leading Hollywood actresses.
Collins reportedly tricked the account holders into divulging their passwords by sending them emails crafted to look like legitimate communications from Google or Apple. When the recipients unwittingly provided the login details, the hacker was able to access their accounts, including the saved photos.
vDos 'cyberattack' operators arrested
A popular 'paid attack platform' was disrupted after Israeli police arrested two teenagers thought to be the operators behind a service that was essentially a 'Distributed Denial of Service (DDoS) for hire' operation.
The arrest was in connection to an investigation by the US Federal Bureau of Investigations (FBI). The incident was also highlighted by the popular cybersecurity researcher Brian Krebs, and may have been the instigation for a massive DDoS attack that hit the researcher's website days after the duo were released on bail and placed under house arrest.
- Engadget: Major cyberattack seller knocked offline as it faces arrests
- Softpedia: Israeli Police Arrest Owners of vDos DDoS-for-Hire Service
- Krebs on Security: Alleged vDOS Proprietors Arrested in Israel
NY: toy firms fined for tracking kids online
The New York Attorney General's office issued fines to several prominent toy companies in a crackdown on websites that track the browsing behavior of children under 13, in violation of the Children's Online Privacy Protection Act (COPPA).
The COPPA requires websites to request parental permission before collecting personal information from Internet users under the age of 13, as well as limiting marketing to such an audience. The investigation by the Attorney-General's office found that though Viacom, Mattel, JumpStart, and Hasbro did not intentionally design their websites to violate federal law, they included third-party advertising on the sites, which performed persistent tracking in order to serve targeted ads.
In response, the four companies agreed to pay a combined total of USD835,000 in fines, as well as modify their websites and arrangements with third-party advertisers to stay in line with federal guidelines.
IS supporter who gathered US military 'kill list' jailed 20 years
Kosovan hacker Ardit Ferizi was sentenced to 20 years in prison by the United States for hacking into the databases of a company hosting sensitive data on US military personnel in order to compile a list of over 1,300 customers with a .mil or .gov address. The compiled data was then forwarded to a contact in the IS terrorist organization for use as a 'kill list'.
Trump Hotels fined for data security failure
Trump Hotel Collection, the hotel chain owned by US presidential candidate Donald Trump, has been fined by .
According to reports Roman Seleznev had hacked into and infected the Point of Sale (PoS) systems at various stores and restaurants in the United States in order to gather the details from credit cards swiped in the affected machines. At the time of his arrest, Seleznev reportedly had more than 1.7 million card numbers on his laptop, most of them from businesses located in western Washington state.
- International Business Times: Donald Trump's luxury hotel chain fined for cybersecurity failure
- Computerworld: Trump hotel chain fined over data breaches
US: Guilty pleas in iCloud hacker and Syrian Electronic Army cases
A US federal jury found Roman Seleznev, the son of Russian Parliament Member Valery Seleznev, guilty of stealing millions of credit card numbers and selling them online to cyber criminals.
According to reports Roman Seleznev had hacked into and infected the Point of Sale (PoS) systems at various stores and restaurants in the United States in order to gather the details from credit cards swiped in the affected machines. At the time of his arrest, Seleznev reportedly had more than 1.7 million card numbers on his laptop, most of them from businesses located in western Washington state.
- International Business Times: Pro-Assad Syrian Electronic Army hacker pleads guilty in US court
- International Business Times: iCloud 'Celebgate' hacker pleads guilty to breaking into emails of celebrities including Jennifer Lawrence
Ashley Madison violated privacy laws, say watchdogs
The Office of the Privacy Commissioner of Canada reported that Avid Life Media, the parent company of dating service Ashley Madison, had inadequate privacy and data security measures in place at the time of their hack in mid-2015. The inadequate protections left the company in violation of privacy laws in Canada.
Following the leak of personal details from millions of Ashley Madison user accounts last year, Canada (and Australia) had launched investigations into the data breach, with the company agreeing to comply with recommendations made based on the investigations. News report indicate that company is required to complete a review by the end of this year of the protections it has implemented to protect private user information.
US: Woman jailed for 'attempting to spy' for China
The US sentenced Wenxia Man, a US citizen, to 50 months in prison for attempting to provide classified military data and equipment to China.
Man, who was born in China and emigrated to the US, was caught during a sting operation by the US Department of Homeland Security, following a tipoff that she had attempted to buy and export military equipment (notably, parts of the engines used in fighter jets). Over a period spanning from 2011 to 2013, Man had reportedly attempted to purchase and provide the equipment and related data to a contact she believed to be working with the Chinese government.
- The Register: Californian gets 50 months in prison for Chinese 'technology spy' work
- South China Morning Post: Chinese-American woman jailed in US for trying to sell advanced military equipment
US: Russian MP's son convicted of credit card theft and fraud
A US federal jury found Roman Seleznev, the son of Russian Parliament Member Valery Seleznev, guilty of stealing millions of credit card numbers and selling them online to cyber criminals.
FBI: 'Charges not warranted over Clinton's email mishandling'
The US Federal Bureau of Investigations (FBI) announced that former Secretary of State Hillary Clinton's use of a private email server while dealing with sensitive State Department communications did not warrant the pressing of criminal charges.
The FBI's investigation was prompted by allegations that the former state official had mishandled the confidential correspondence, in disregard of strict guidelines that dictate how such material is meant to be handled.
While the FBI did not recommend formal charges against the officials and support staff responsible for setting up and using the email server, the agency did publicly castigate the behavior of those involved as "extremely careless".
US jails Chinese hacker 4 years for fighter jet data theft
Chinese businessman Su Bin has been sentenced to almost 4 years in jail by the United States for collaborating with hackers to steal data from US defense companies between 2008 and 2014.
According to reports, the businessman had provided information to the hackers about the best personnel to target for their attacks, as well as what files to steal and the significance of the information they contained. The files reportedly contained details of military jets and transport vehicles.
China has denied reports that the hackers who worked with the businessman were involved in the Chinese military.
Brazil: Whatsapp blocked again, then unblocked - over encryption
Whatsapp endured yet another temporary shutdown in Brazil in July, after a judge ordered the service blocked for 'failing to provide information' that would assist an investigation. Following the court order, Whatsapp filed an injunction to lift the block, which was subsequently granted by the country's Supreme Court.
Whatsapp has been under pressure in the country in recent months in relation to the encryption used on the messages transmitted by its app. According to the company, they are unable to comply with requests for assistance as the encryption is designed to prevent even their own staff from being able to view the messages being sent.
This was the fourth time the service had been temporarily blocked by a court order in the last year.
In the same month, another court also froze 19.5 million brazilian reals (approx. USD6 million) in the account of Whatsapp's parent company, Facebook, over failure to hand over data demanded by federal police in relation to an international drugs investigation.
Torrent site founder arrested in Poland, faces charges in US
Popular file-sharing site Kickass Torrents was briefly downed after Ukrainian Artem Vaulin, its alleged founder, was arrested in Poland. In the days after the arrest, the site has reportedly been revived, with proxy sites also cropping up.
US prosecutors are said to be preparing to extradite him to the United States, as well as filing charges for one count of conspiracy to commit criminal copyright infringement, one count of conspiracy to commit money laundering, and two counts of criminal copyright infringement.
According to reports, federal investigators were able to trace the founder after they noted the use of a particular online name, which eventually linked to an Apple email account and Facebook account. Both tech firms provided the investigators with information from the accounts of interest in compliance with a search warrant.
Russia: 50 hackers arrested for Lurk trojan bank fraud
Russia's Federal Security Service (usually identified by its Russian acronym, FSB) have arrrested 50 individuals suspected of being part of a cyber criminal group responsible for stealing over 3 billion rubles (or 45 million dollars) from financial institutes in Russia over the course of five years.
According to reports, the arrests were the biggest ever operation conducted in Russia against a cyber criminal group. The hackers infected users by compromising popular sites and silently installing the Lurk banking-trojan on the machines of site visitors. Once the malware was installed, it gathered banking credentials and forwarded the details to the hackers, who were then able to use them to steal money from the compromised bank accounts.
The Lurk trojan, which has been mostly used to target banking institutions in Russia and Eastern Europe, is considered particularly difficult to detect as it runs in-memory. The group also reportedly used compromised VPN connections to hide their trail, making detection harder. The FSB's investigation into the group were assisted by Kaspersky Labs, who provided technical details of the group's operations, and the Russian Interior Ministry, which prevented the group from moving some of its ill-gotten gains.
- Security Week: 50 Hackers Using Lurk Banking Trojan Arrested in Russia
- Threatpost: Arrests Made In $45M Russian Bank Hack
Hacker pleads guilty to stealing data on US military personnel
Kosovo citizen Ardit Ferizi pleaded guilty in a US court for stealing the personal information of over 1,300 US military personnel, with the intention of passing the data onto the so-called Islamic State (IS).
According to reports, Ferizi had gained the information by hacking into the server of a retail store and stealing their customer data. He then filtered the data for details identifying military members and compiled the information into a document, which was then forwarded to a hacker tied to the extremist group.
Ferizi was arrested by the Malaysian police and extradited to the states, where he was charged with providing material support to terrorism as well as for hacking.
Facebook 'Spam King' jailed 30 months for spamming
Sanford Wallace has been sentenced to 30 months in jail for using 500,000 compromised Facebook accounts to send over 27 million spam messages through the social network's server between 2008 and 2009.
To gather the contacts needed for the spam operation, Wallace had reportedly used fake websites with links that when clicked, would steal the friends lists from Facebook users' accounts. A script would then send spam messages to all contacts on the lists.
This is the third time Wallace has been sued for spam-related offences. On a previous occasion, a lawsuit brought against him by Facebook had lead to a ban on logging into his Facebook account, which he disobeyed as well. Wallace will also be required to undergo a psychiatric evaluation, and is forbidden from owning or using a computer without court approval for the duration of a five-year probation period following his jail term.
Gozi trojan mastermind sentenced
Nikita Kuzmin, the Russian hacker who pleaded guilty to developing and distributing the Gozi malware, was sentenced in New York to 37 months in prison, and a file for just under $7 million.
The Gozi trojan created by the hacker had been used to steal tens of thousands of bank account details and other sensitive information from infected machines, which were then used to steal funds from the compromised accounts. In addition, the malware was sold to other hackers, in a 'malware-as-a-service' scheme.
According to reports, the hacker was able to escape a harsher sentence after providing 'substantial assistance' to federal prosecutors, leading to the Department of Justice requesting that the judge provide a more lenient sentence. As a result, Kuzmin's jail time was limited to the period that he had already served.
- Bank Info Security: Gozi Creator Sentenced for Bank Attacks
- ZDNet: Gozi banking malware mastermind ordered to pay $7 million in damages
Hacker that 'gamed' stock market pleads guilty
Ukranian hacker Vadym Iermolovych pleaded guilty to charges of hacking into corporate press release distribution services in order to steal information and conduct insider trading.
According to news reports, the hacker stole unpublished copies of press releases filed with news networks, such as Marketwired and PR Newswire. The information was then used to make trades on the stock market, essentially 'gaming' the system to gain millions of dollars in profit.
Iermolovych is the first person to be criminally charged in the case; ten other defendants also face criminal charges over involvement in the scheme.
- Fortune: Hacker Pleads Guilty Over Press Release Insider Scheme
- International Business Times: Hacking the stock market: Ukrainian man pleads guilty to $30m insider trading scheme
Researchers take down Linux Mumblehard botnet
A joint effort by security researchers at ESET, the CyS Centrum LLC and the Cyber Police of Ukraine has shut down the main command and control (C&C) server of the Mumblehard botnet.
First described in April 2015, the botnet had been used by a cybercriminal group to send out massive quantities of spam. The botnet was also notable for being made up of thousands of infected Linux machines, rather than the more commonly targeted Windows machines.
Following the takedown of the C&C server, the researchers and authorities have been contacting administrators of infected machines to prompt them to disinfect their systems and harden their defenses to prevent a recurrence.
Journalist jailed 2 yrs for aiding Anonymous news site vandalism
A journalist convicted in October 2015 under the Computer Fraud and Abuse Act has been sentenced to 2 years in jail in the United States for providing assistance to the Anonymous group that allowed them to deface a news website.
Matthew Keys was convicted of sharing the login credentials for the content management system of the LA Times' website with the hacktivist group. The credentials were subsequently used by a hacker (with the pseudonym Sharpie) to digitally vandalize an article on the site.
Blackhole author jailed 7 years in Russia for online bank thefts
Seven hackers were convicted and sentenced in Moscow of stealing from online bank accounts. Among the defendants was Dmitry 'Paunch' Fedotov, best known for being the author of the infamous Blackhole exploit kit. The malware delivery toolkit was one of the most active threats online just a few short years ago, though it was quickly usurped by other similar products after Paunch was arrested in 2013.
The Blackhole exploit kit was used to perpetrate a range of cybercrimes, most notably the theft of online banking credentials, which were subsequently used to steal money from the compromised online bank acocunts. While estimates of the amount of monetary damage attributable to use of the exploit kit varies wildly, most estimates are in the region of tens of millions of dollars.
- Krebs on Security: 'Blackhole' Exploit Kit Author Gets 7 Years
- Softpedia: Blackhole Exploit Kit Author Sentenced to Seven Years in Russian Gulag Camp
UK arrests suspected 'Cracka' hacker for CIA, FBI breaches
Law enforcement authorities in the UK have arrested a 16-year old believed to be the hacker known as 'Cracka' and said to be behind the recent hacks into the private email accounts of CIA Director John Brennan and US Director of National Intelligence James Clapper. News reports have said that the teenager was subsequently released on bail and denied that he was the hacker in question.
Turkish ATM skimming gang leader pleads guilty
The ringleader of a cybertheft gang who was accused of running a hacking and ATM fraud operation has pleaded guilty in a US court.
According to news reports, Ercan Findikoglu was one of the main perpetrators of a series of hacks targeting credit card and payment processing companies. The attacks involved stealing data about credit and debit cards, in particular the PINs associated with the cards, which were then passed on to associates who would make fraudulent ATM withdrawals. The operation was able to withdraw almost USD50 million over a period of two years (2011 to 2013), with withdrawals being done in multiple countries.
Findikoglu was finally apprehended in Germany in 2013, then extradited to the US.
- ZDNet: Turkish mastermind of $55m ATM card hacking spree pleads guilty
- Infoseucrity Magazine: Turkish Hacker Pleads Guilty to $55m ATM Cyber Heist
Romanian 'Guccifer' hacker to be extradited to US
The Romanian hacker Marcel Lehel Lazar is due to be extradited to the United States on charges of breaking into the email and social media accounts of US government officials, as well as those belonging to relatives of former US president George Bush.
Referred to in his 2014 indictment as 'Guccifer' - the name used when passing documents and pictures stolen from hacked accounts to the media - Lazar was already a convicted hacker at the time, having received a three-year suspended prison sentence in 2012 for attacking the email accounts of Romanian celebrities.
'Celebgate' hacker pleads guilty
The man behind the 'Celebgate' hacks, in which photos and videos were stolen from over 100 hacked email accounts, including some belonging to celebrities, has pleaded guilty to the charges.
According to news reports, Ryan Collins had sent emails pretending to be from Apple or Google to the account holders requesting their login credentials; the stolen passwords were then used to log into the accounts and search for compromising photos and videos. This finding countered rumours circulating at the time that the hacks had been due to a flaw in Apple's iCloud service.
Ex US State Dep employee sentenced for 'sextortion'
A former employee of the US State Department has been sentenced to 57 months in prison after being found guilty of a widespread phishing, hacking and cyberstalking scheme that affected hundreds of victims.
Michael Ford pleaded guilty to stealing account login credentials via phishing scams, then using them to access the accounts to search for incriminating material such as sexually explicit photos. He then used the content as blackmail material to force his victims, preferentially young females, to provide personal information, and other compromising images or videos.
US charges Iranians for hacks of companies, dam
The US Department of Justice has revealed charges against seven Iranians for a series of hacks targeting US-based financial companies, as well as the Bowman Damn in New York state.
The hacks, which reportedly took place from 2011 to 2013 and were said to have cost the targeted companies "tens of millions of dollars", are also notable for being directly linked to the Iranian government.
Europol: ATM malware gang arrested
Eight alleged members of a cybercriminal gang have been arrested in Romania and Moldovia. According to news reports, the operation (coordinated with assistance from Europol) targeted individuals suspected of using Tyupkin malware to attack and empty ATMs across Europe.
Turkey: 334 years for data theft hacker
A hacker in Turkey has received a record sentence of 334 years for engaging in data theft. The 26-year old Onur Kopçak had been charged for stealing credit card details using phishing banking sites, as well as selling the stolen data to other criminals. Prior to this, the longest sentence for hacking-related activities was the 20 years handed down by a United States court to Albert Gonzalez for the TJX data breach.
Europol: Bitcoin extortion gang DD4BC arrested
A coordinated international operation between law enforcement authorities in Europe, the UK and the US saw the arrests of two suspects linked to a hacking group that extorted Bitcoins from companies. The group, known as DD4BC, reportedly used the threat of launching crippling Distributed Denial of Service (DDoS) attacks against targeted companies to pressure them into paying.
- Bank Infosecurity: Analysis: Impact of DD4BC Arrests
- ZDNet: Suspected members of Bitcoin extortion group DD4BC arrested
Google patches 'Dirty Cow' Linux / Android flaw
The latest Android security patch fixes 50 security issues on the popular mobile platform, 11 of them deemed critical. The latest update also patches the CVE-2016-5195 'Dirty Cow' vulnerability, which was reportedly being actively exploited in-the-wild. If successfully exploited, the Dirty Cow flaw could allow attackers to gain root privileges on the affected device.
The same update also saw a patch for the CVE-2016-4794 flaw, which could also be targeted by attackers to gain root privileges.
Yahoo! Mail cross-site scripting flaw fixed
This is the second time in 2016 that researcher Jouko Pynnönen found and reported a cross-site scripting flaw in the tech giant's webmail service, having done just that at the beginning of the year. For each effort, the researcher was awarded $10,000 under the company's bug bounty program.
- We Live Security: Yahoo flaw, now fixed, allowed hackers to access any user's email
- Threatpost: Yahoo Mail XSS Bug Worth Another $10K to Researcher
Filmmakers, journalists call for encrypted cameras
150 filmmakers and photojournalists have sent an open letter to multiple camera manufacturers, including Nikon and Canon and Olympus, to produce encrypted cameras, as a protective measure against repressive governments, criminals and other entities seeking to seize their materials.
The call for encryption of camera contents comes at a time when data protection is an increasing consumer concern, following revelations of widespread government monitoring of their own citizens as well as increasingly organized online crime.
Joomla zero-day flaws patched
Joomla released its 3.6.5 security update to addresses three vulnerabilities, including CVE-2016-9838 which was categorized as high severity. An attacker can take advantage of this particular vulnerability to modify existing user accounts, reset username and passwords, as well as user group assignments, which may provide them access to admin accounts.
- Joomla: Joomla! 3.6.5 Released
Netgear releases router firmware update
Netgear released a firmware update to address the recently reported CVE-2016-6277 vulnerability affecting multiple routers in its product lines.
Netgear router users are urged to check if their devices are included in the list of vulnerable equipment and if so, to update their router's firmware as soon as possible.
Google to tag recently unblocked sites as 'Repeat Offenders' for 30 days
Google announced that it would tag websites that have only just been unblocked by its Safe Browsing service as 'Repeat Offenders', a label intended to alert users to sites with a history of malicious behavior. Webmasters of sites tagged with the label will not be able to request a review of the rating for 30 days, as a countermeasure against attempts to game the security verification system.
The label is not intended for use on sites that were hacked or compromised, but on sites that deliberately post malicious content.
Whatsapp encrypts video calls
Popular messaging app Whatsapp announced that it was adding encryption to its video-chatting functionality. The change, which is expected to be rolled out to all 180 countries where the service is available, is expected to provide over 1 billion users with a secure communication method in a era when government eavesdropping is a growing concern.
Qualcom, US Army launch bug bounty programs
The US Army launched its biggest bug bountry program, with a call for independent security researchers to report issues with its 'digital recruitment architecture'. The invite-only program focuses on both recruitment sites and databases holding information on prospective and current military personnel.
In the same month, noted manufacturer Qualcomm announced the launch of a bug bounty program for vulnerabilities in its hardware, in particular its popular Snapdragon processors. According to reports, researchers who have previously approached the company with vulnerability-related research will be invited first to join the program, before it is opened to a wider audience.
Microsoft: 'monthly rollup' model for Patch Tuesday updates
Microsoft issued its regular Patch Tuesday release using the new 'monthly rollup' model, an all-or-nothing update that remove administrator's abilities to pick and choose the updates they want to apply to their systems. The model has raised concerns over the difficulties it may cause administrators who may be unable to implement the entire update due to technical conflicts with any aspect of it.
Included in the October update were patches for five zero-day vulnerabilities in Windows, Internet Explorer, Edge and Office.
Apple: releases iOS 10.1 version, patches JPEG image file flaw
Apple released the 10.1 update for its popular iOS operating system. Included in the latest version are a number of patches for vulnerabilities, most critically for the CVE-2016-4673 vulnerability that could allow a booby-trapped JPEG image file to perform arbitrary code execution.
Microsoft: Office 2013 gets 'anti-macro malware' feature
Microsoft announced that it had ported the popular 'anti-macro malware' feature from its Office 2016 product to the earlier 2013 version following numerous customer requests.
The feature blocks macro scripts in Office documents that try to download content from outside the company network, and is widely seen as a useful proactive measure against booby-trapped documents sent out via spam or phishing emails. While not entirely foolproof against malicious macro scripts, the feature is still considered a helpful security measure.
US: DMCA exemptions now allow legal hacking of own car, smart tv
A new exemption the to Digital Millenium Copyright Act (DMCA) has gone into effect, allowing Americans the right to perform security research on the devices they own - for example, cars or smart televisions, which previously had copyright protections in place that made such hacking attempts illegal.
The exemptions are currently limited to a two-year trial period, and the hacking is also required to meet certain conditions ("good-faith testing") to avoid causing harm to individuals or the public. The exemptions are however expected to encourage researchers in examining and finding vulnerabilities in device software that could ultimately improve the product and consumer confidence in them.
OS X patch released for Trident 0-day flaws
Apple released a patch for its OS X operating system that closes the three security flaws uncovered during a recent investigation into an attempted targeted attack on a political dissident in the Middle East.
Referred to as 'Trident', the flaws were originally reported in Apple's iOS mobile platform, and were swiftly patched on that OS. Users are urged to install the patches at their earliest convenience.
Android update fixes two flaws, cleans up Play Store
Google announced an update to the Android mobile platform that patches two security vulnerabilities, one of which was described as being similar to the the Stagefright exploit that was the last major security issue to bedevil the operating system. Much like the previous flaw, the latest vulnerability could be exploited using a specially crafted image file. The latest update also removes malware that had been reported in the Play Store.
Users are urged to install the update, if their devices are in line to receive it from their manufacturers.
Microsoft's Edge browser to be contained in VM
Microsoft announced that an upcoming version of its web browser would be contained in a virtual machine (VM) as a proactive measure against malware that is delivered through the browser, for example via driveby downloads or exploit kits.
The Windows Defender Application Guard, as it is currently known, is slated to be available in 2017 and at least in its first release, only for Windows 10 enterprise customers.
- International Business Times: IPhone Users Urged to Update Software After Security Flaws Are Found
- Arstechnica: Windows 10 will soon run Edge in a virtual machine to keep you safe
Apple, Panasonic launch bug bounty programs
Apple has announced it will be launching an invite-only bug bountry program in September. The cautious announcement is seen as a welcome, if long-awaited move from a company that has historically been doubtful about the value of such programs.
At the same time, consumer technology giant Panasonic also announced that it will be launching a bug bounty program, this one with a focus on avionics, particularly the in-flight entertainment systems developed by the company.
Microsoft accidentally leaks Secure Boot 'golden keys'
Microsoft sufferred an embarrassing leak this month when researchers announced that the company had accidentally publicly exposed a 'backdoor' (also referred to by the researchers as 'golden keys') or a way to digitally bypass the Secure Boot security component used in Windows devices to ensure that only authorized software is run on the device.
According to reports, an attacker with either adminstrator rights or physical access to a Windows device could use the bypass mechanism to load any desired operating system on it. An attacker would also be able to install malware such as rootkits or backdoors, allowing them total control of the device.
The researchers who discovered the exposed bypass mechanism had claimed they reported the vulnerability privately to Microsoft, who subsequently issued the MS16-094 and MS16-100 patches to address the issue. Both patches have however been criticized as 'inadequate', with a third updated expected in September to completely fix the problem.
Apple emergency patch for iOS flaws exposed in hack attempt
iOS users have been urged to update their operating systems to take an emergency patch into use, after news broke of a spyware tool in-the-wild that was capable of exploiting three previously unknown iOS vulnerabilities (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657).
Security researchers have dubbed the iOS-specific exploit code as 'Trident', and were alerted to its existence after a human rights activist in the United Arab Emirates contacted them about a suspicious SMS message he had received with a suspect URL (though he wisely refrained from clicking on the link) The researchers discovered that the link led to a spyware package known as Pegasus which would have used the Trident code to infect and monitor the activist's mobile device.
The Pegasus spyware package is reportedly the work of a secretive Israeli technology company known as NSO, which is thought to be associated with state-backed monitoring efforts.
Microsoft: guidance for Group Policy issue caused by Jun update
Microsoft released a guidance this month related to the Group Policy issue that had been caused by a security update published in June, which had caused much consternation and ire among system administrators who suddenly found that their existing user environments had been thoroughly disrupted.
The June MS16-072 bulletin had included a patch changed the way Group Policy was implemented in order to prevent a man-in-the-middle attack between computers and the domain server. This change resulted in unexpected knock-on effects to other environmental aspects that were also controlled by the Policy.
The issued guidance provides options for fixing the affected Policies.
Facebook adds opt-in encryption for Messenger
Social media giant Facebook announced that it would be adding an opt-in feature in its Messenger app that would allow 'Secret Conversations'.
The new feature would use end-to-end encryption, meaning that the messages sent over the app would only be readable by the sender and the recipient. With the encryption enabled, even Facebook itself would be unable to decrypt the messages, if they were ordered to do so by a government warrant.
Unlike on the rival app WhatsApp, Messenger users must actively enable the 'Secret Conversations' feature to use it. The addition of a more secure mode of communication is however likely to increase the frustrations of law enforcement officials around the world, who are already grappling with ways to access encrypted data in their investigations.
Chrysler to offer bug bounty for private reports
Fiat Chrysler has announced what is considered to be the first bug bounty program by a mainstream American automotive manufacturer that provides a financial payout to independent researchers who privately report issues with their products.
The announcement follows the establishment of vulnerability reward programs by Tesla and GM, and is generally seen as a welcome move in an industry that has had difficulty acknowledging and addressing the issues created as vehicles become more technologically connected.
Pokemon Go to remove full access to Google account
The developers of the phenomenally popular Pokemon Go app have said that that the full access their app has to an iOS user's Google account is an error, and that they are working on a fix for the issue.
Following the release and skyrocketing popularity of the 'augmented reality' game, security researchers noted that the app is granted full access to a user's Google account when installed on an iOS device, a privilege normally provided to trusted apps rather than gaming apps. With full access, the app developers would be able to see extensive user information such as browser history, calendar entries, photos and so on.
According to reports, Google verified that the game did not in fact access anything other than basic information such as the Google profile details. Nevertheless, the developers have said that they will be removing the full access in an upcoming fix. In the meantime, multiple news sources have provided instructions for manually revoking the access as a temporary measure.
Europol, security firms set up anti-ransomware tools service
Europol, national European police forces and a group of IT security firms announced that they have partnered on the No More Ransom project in a collaborative effort to assist users in the region who have been affected by ransomware.
The collaborative effort is intended to allow victims and police to connect via a website that also provides advice on data recovery, as well as decryption tools created by the security firms to address specific ransomware families.
Facebook bins in-app chats, pushes users to Messenger app
Facebook has confirmed that it is moving forward with a push to remove native messaging in the mobile version of its website, and will be pushing user to use its Messenger app for that purpose. With the move, the Messages box in the website interface will direct the user automatically to the Messenger app, if it is installed, or a prompt if it is not.
The move from native messaging to the separate Messenger app already took place in 2014 for users of the iOS and Android versions of the Facebook app, but the mobile version of the site had until now maintained its native messaging functionality. This last standout however will also be removed, with Facebook displaying a prompt urging users to install the Messenger app as the only remaining option if they want to continue being able to chat via the social network service.
Facebook has said that the move to the Messenger app allows them to offer 'the best experience possible' for users, as the app provides more features and functions. News coverage of the move has so far been more mixed, with many questioning the necessity for such a move.
Researchers remotely disable Mitsubishi Outlander hybrid alarm
Security researchers announced that they were able to remotely disable the alarm system on Mitsubishi's Outlander hybrid model, as well as lock and unlock its doors, by exploiting a flaw in the automobile's onboard Wi-Fi network.
The Outlander hybrid provides an onbaord Wi-Fi network for its passengers, allowing connectivity that is limited to the vicinity of the car. An associated app is also available, that allows users to control some functions in the vehicle. Researchers were however able to intercept transmissions between the app user and the vehicle in order to remotely flash the car lights, unlock the doors and disable the alarm system.
Mitsubishi was notified of the flaw in the system and is said to be investigating the issue. The company has reportedly urged owners to deactivate their onboard Wi-Fi while the investigation is underway, until new firmware can be released to address the issue.
Safari browser to insist Flash Player 'is not installed'
The upcoming version 10 of Apple's Safari web browser will move to using HTML5 by default, essentially deprecating the use of Flash Player, QuickTIme, Java and Silverlight to render content.
Websites being loaded by the browser will not be able to identify that the user has Flash, or other non-HTML5 plugins, installed on their browser, essentially forcing them to display HTML5 content if available. on sites that do not offer a HTML5 option, users will be shown a message allowing them to enable Flash temporarily, or permanently for the single site.
The change in browser behavior is attributed to improving performance, power efficiency and security. The move away from Flash Player also falls in line with advice from security researchers to lower use of the program, which has become a popular target for attackers.
Microsoft MS16-072 patch breaks Group Policy
Microsoft has acknowledged that its June 2016 MS16-072 patch has caused problems with the Group Policy settings on some machines, ranging from Windows 7 to Windows 10.
After applying the patch, some users have reported that previously-hidden drives are now accessible, while others noted that shared drives have now become inaccessible.
Some reports have indicated that uninstalling the patch remedied the current situation, but left them still vulnerable to the CVE-2016-3223 flaw which the patch was meant to address. Microsoft has not yet provided details of any upcoming changes to the patch that would address the reported issue.
Google 2FA to allow prompts instead of passnumber entry
Google's current two-factor authentication (2FA) approach now includes a feature that allows users to change from using a passcode to simply responding to a prompt.
Like most 2FA models, Google currently requires uses to manually entering a passcode (provided either by an SMS message sent to a mobile device, or generated by the Authenticator app) to verify the their authenticity. Users may however opt to simplify the process further by changing to use of a 'Yes/No' prompt, which is generated on the associated mobile device whenever the user wants to log into a 2FA-enabled account.
iOS and Android implementations of the new feature differ slightly, though one requirement both platforms have in common is that the user must have a lockscreen enabled before the prompt feature can be used. Security researchers recommend that users enable 2FA on any services that provide it as a security option.
Apple: 'IOS 10 beta kernel intentionally unencrypted'
Apple has confirmed that the operating system kernel in the iOS 10 betas made publicly available at the WWDC conference this month were intentionally left unencrypted.
The move by the usually secretive company took security researchers by surprise, as previous versions of the OS kernel were kept encrypted. Apple has however explicitly stated that the condition of the kernel was deliberate, in order to "optimize the operating system's performance without compromising security", most likely by allowing greater scrutiny of the system by independent security researchers looking for vulnerabilities and other flaws. User data remains encrypted in order to ensure privacy.
Microsoft to 'untrust' websites using SHA-1 certs
Microsoft has announced accelerated plans to deprecate support for TLS certificates signed by the SHA-1 hashing algorithm.
The software giant announced that websites using such certificates will be considered untrusted on their web browsers (Edge and Internet Explorer) starting in summer 2016. Websites that do not update their certificates will be blocked outright starting in February 2017, one month earlier than previously scheduled.
The plans to deprecate SHA-1 signed certificates were based on research indicating that the encryption provided by the cryptographic algorithm was getting increasingly easier to break.
- Arstechnica: Microsoft to retire support for SHA1 certificates in the next 4 months
- Windows Edge Deb blog: An update to our SHA-1 deprecation roadmap
Google security update fixes 40 Android flaws
Google released its May 2016 Security Update, which includes fixes for 40 vulnerabilities, including 6 critically-rated flaws.
Of the critically-rated vulnerabilities, two of them (CVE-2016-2428 and CVE-2016-2429) would allow remote code execution if successfully exploited, while the others would allow either an elevation of privilege or code execution in the context of the kernel.
While there have been no reports of active attacks against any of the vulnerabilities fixed, users are urged to apply the security update as and when it becomes available for their Android device.
- SC Magazine: Google patches 40 Android security flaws
- TechRepublic: Android Security Update May 2016: What you need to know
Google to phase out support for Flash Player in Chrome
Google announced that it will be removing support for the Adobe Flash Player in its Chrome web browser by end 2016. Instead, the browser will default to using the alternate HTML5 technology.
The software will still be enabled by default on 10 selected websites, including Amazon, Facebook and YouTube, but will be disabled by default on all others - users would need to manually enable Flash on the website before it runs.
While Flash has been popular with users for many years for viewing multimedia content, it has also been a favorite target of attackers for vulnerability exploitation. Its popularity as an infection vector has lead to numerous security researchers recommending that users disable Flash when not in use, or removing it entirely unless or until needed.
- F-Secure Labs Weblog: Bye Bye, Flash! Google Chrome Plans To Go HTML5 By Default
- BBC: Google to phase out full support for Flash on Chrome
May bug bounty payouts and launches
Popular adult website Pornhub announced the launch of their own bug bounty program, in conjunction with the popular HackerOne vulnerability reporting platform. In its present incarnation, the program excludes malvertising attacks, which have troubled the website in the past but are due to weaknesses in the advertising stucture rather than the site itself.
In the same month, Google released a patch for 5 vulnerabilities in its popular Chrome web browser. Under their bug bounty program, the security researchers who found the bugs also received payouts totally $20,000.
Finally, in May 2016 Facebook paid a $10,000 reward under its bug bounty program to a 10-year-old user who reported a vulnerability in Instagram, which the social media giant also owns. If successfully exploited, the vulnerability (which has since been fixed) could have allowed a user to delete comments on any account.
SWIFT to improve security after multiple attacks
The CEO of embattle financial communication network SWIFT has announced a 5-part plan to improve security after its service became the focus of a series of high-profile attacks in the last few weeks.
Following the spectacular $81 million dollar heist from the Bangladesh Bank in April, as well as reported attacks on other similar bodies, SWIFT had been coming under sustained pressure from its member banks, as well as the general public, to do more to improve its security.
In addition to the improvement plans from SWIFT itself, various countries have ordered their national banks to launch audits of their information security practices, in a bit to secure their own financial systems and increase consumer confidence in the institutions.
- Bank Info Security: Banks, Regulators React to SWIFT Hack
- ZDNet: SWIFT to unveil new security plan in the wake of Bangladesh heist
- The Register: SWIFT CEO promises security improvements
Microsoft moves to tighten password security
Microsoft announced the addition of a new "Dynamically Banned Passwords" feature which is designed to prevent users from choosing a password that has been included on a blacklist of banned passwords. The feature would allow administrators to add commonly passwords (for example, those exposed in data breaches or in the media) to the blacklist, ensuring users would need to create a password that is not already compromised.
The feature is currently available on its Account Service platform, which is used to log into services such as Xbox Live, and is also slated to be included in the Azure Active Directory (AD) for enterprise customers.
The announcement follows the recent LinkedIn data leak, which saw credentials for over 117 million accounts compromised.
WordPress enables default SSL encryption for hosted sites
WordPress announced that they will be enabling SSL encryption by default for all custom domains hosted on WordPress.com. The move to add encryption to the hosted sites is intended to improve security, with minimal disruption to the site administrators.
Hosted sites will be provided with certificates from the Let's Encrypt project, and the rollout should be automatic, requiring no action from the site administrators.
- The Register:
- WordPress: HTTPS Everywhere: Encryption for All WordPress.com Sites
Whatsapp and Viber enable end-to-end encryption
Popular messaging program Whatsapp made a surprise announcement that it had successfully rolled out end-to-end encryption by default for all its estimated 1 billion users.
Simply put, end-to-end encryption means that all messages, phone calls, photos and videos transmitted from sender to recipient(s) via the app can no longer be read by others during transmission, not even Whatsapp employees.
Whatsapp's surprise move comes in the wake of a major battle between the FBI and Apple over demands that the tech giant provide assistance in unlocking an encrypted iPhone. Though heralded by privacy-conscious users and civil advocates, the company's unexpected action is likely to rile numerous governments who have already expressed concerns about the conflict between law enforcement and encryption.
Shortly after Whatsapp enabled end-to-end encryption, rival messaging app Viver also announced they would be adding end-to-end encryption as a well.
Amazon removes, reinstates FireOS encryption
Online retail giant Amazon came in for criticism over a recent update to its Fire operating system that removed disk encryption "because customers weren't using" it. The dropped feature had involved encrypting data stored on a device running the Fire OS, and meant that users would have to enter a password in order to view the data.
Following a backlash from its device users, who demanded that the feature be reinstated, Amazon reversed its stance and has since announced that disk encryption will be restored in an upcoming update.
Google releases emergency patch for critical kernel flaw
Google has released an emergency patch for the critical CVE-2015-1805 vulnerability affecting all Android devices running Linux kernel versions below 3.18. If successfully exploited, the flaw could allow remote attackers to execute malicious code and essentially take over the device's functions.
The number of devices affected by the flaw is thought to number in the millions. Google officials noted that they had discovered at least one app in the official Play Store that was able to exploit the vulnerability, and the company has already updated its Verify Apps security feature to prevent the installation of software that would trigger the flaw.
Google makes BinDiff file comparison tool available for free
Google has removed the USD200 price tag from its popular binary comparison BinDiff tool. No available for free, the program allows users to compare related binary files and is a popular tool with security researchers for reverse engineering code.
The move has been applauded by the security research community for making it easier for both amateur and professional researchers to engage in analysis work.
Uber launches bug bounty program
Ride-sharing app Uber has launched a bug bounty program for its software, in partnership with the vulnerability reporting portal HackerOne.
In addition to the usual cash rewards for reported flaws, the scheme also includes a loyalty program for researchers who report five or more vulnerabilities in the first 90 days, increasing their potential payout.
Uber also created a 'treasure map' of the various architectures used by the company, and the kinds of flaws they are particularly interested in. At the moment, only the company's apps (and not cars associated with it) are within the scope of the program.
Microsoft Office 2016 adds macro-blocking feature
Following the resurgence of macro malware in recent years, Microsoft has introduced a new feature in Office 2016 that allows administrators to prevent macros in document files downloaded from the Internet from running entirely. The new feature is an extension of previous Group Policy rules that displayed a warning notification if users attempted to enable macros in a document, but still allowed them to proceed if they clicked 'Enable macros' on the notification.
In recent years, a surge of malware-embedded Office document files that trick users into clicking and enabling macros (and thus allowing the malware to run) have underlined the fact that most users can be lead into disregarding the warnings against exactly this behavior.
- PC World: Microsoft adds macros lockdown feature in Office 2016 in response to increasing attacks
- Microsoft Malware Protection Center: New feature in Office 2016 can block macros and help prevent infection
Nissan disable Leaf's 'hackable' app
Vehicle manufacturer Nissan has apologized and temporarily disabled the NissanConnectEV app, after security researchers publicly disclosed that the service was accessible to unauthorized users, potentially allowing remote attackers to control a vehicle's heating or cooling system. The company further disclosed that its eNV200 electric vans were also vulnerable. According to a public statement, Nissan expects to launch updated versions of the app "very soon".
Dell intros cloud-based BIOS check
Computer manufacturer Dell has introduced a cloud-based way of checking a PC's BIOS to ensure the machine is free from malware before it starts up.
Malware that infects a machine's BIOS is rare, but is usually difficult to detect and eradicate because the BIOS executes before the operating sytem and other installed programs (including security products) have a change to run. Dell's BIOS verification measure moves the security check to the cloud and involves comparing the BIOS image to an official hash stored on Dell's servers.
The check does not stop the machine from booting up as normal and instead, sends a notice to the administrators for further action.
Instagram to roll out two-factor authentication
Popular photo-sharing service Instagram said that it will be adding two-factor authentication (2FA) as an optional additional security measure. Users who choose to adopt 2FA would be asked to enter a passcode that is sent by the service to a selected device each time they log in, making it much harder for a hacker to gain access to an account without having both the login credentials and the device.
Details of the 2FA feature's availability to most users have not yet been published, as Instagram is reportedly rolling it out "slowly".
Firefox drops ban on SHA-1
Mozilla has temporarily reinstated support for SHA-1 certificates in the latest version of its Firefox web browser after it received complaints that some users were unable to access encrypted HTTPS websites without browser support for the aging cryptographic algorithm.
The browser vendor noted that the access problems were due to "man-in-the-middle devices, such as security scanners and antivirus products" that do not yet use the newer SHA-2 certificates; users would still need to update the devices or programs in question to ensure that they worked with subsequent versions of the Firefox browser, which is expected to again drop support for SHA-1 certificates at a later date.
GM starts bug bounty program
American automobile manufacturer GM has launched a bug bounty program, in partnership with the public disclosure portal provider HackerOne. GM has announced that security researchers are safe from legal action as long as they follow a set of eight simple rules while conducting research.
GM's bug bounty program is the first to be established by a vehicle manufacturer of its size and complexity, though it follows a public disclosure program launched by startup company Tesla a few months earlier.
Play Store drops root-seeking Android apps
The Google Play Store has removed 13 apps after security researchers reported that they contained malware known as Brain Test. If installed, the apps attempted to root the device, download additional program and post glowing reviews of other apps in the same malware family.
- Threat Post: 13 Brain Test Malicous Apps Booted From Google Play
- International Business Times: Google removes 13 Android apps from Play Store infected with Brain Test malware
Juniper to remove 'unauthorized backdoor' from products
Following its announcement that it had discovered unauthorized code in its products, Juniper Networks has reported that it will be shipping product releases in the first half of 2016 that will remove the suspect code. News reports covering the issue have raised questions regarding how the code could have been introduced in the first place, and the likely repercussions of the incident.
- Juniper Security Incident Response: Advancing the Security of Juniper Products
- Arstechnica: Juniper drops NSA-developed code following new backdoor revelations
- Tech Republic: Juniper Networks to rip out NSA-developed code amid new backdoor security concerns
- Wired: New Discovery Around Juniper Backdoor Raises More Questions About the Company
Microsoft: IE versions 8, 9 and 10 reach End-of-Life
Versions 8, 9 and 10 of Microsoft's Internet Explorer web browser will receive their final security updates and reach their End-of-Life (EOL) on Jan 12, with some exceptions. The move, while expected, is likely to affect millions of users and companies who still rely on older versions of the popular web browser, particularly for business-specific applications. Users will be urged to update their browsers to the latest available versions.
Critical Yahoo Mail flaw patched
Security researcher Jouko Pynnonen was recently awarded USD10,000 for privately reporting a critical vulnerability in Yahoo Mail that could have allowed attackers to hijack accounts. The vulnerability was reported to the company via its HackerOne bug bounty program, and was quietly fixed in early January.
- CNet: Yahoo Mail flaw gets fixed, and a researcher nets $10K
- Infosecurity Magazine: Yahoo Mail Patches Severe XSS Flaw Affecting 300M Users
Java browser plugin to be deprecated in JDK 9
Oracle announced that the next JDK 9 version of its Java software will deprecate its much-abused web browser plugin component. Security experts have applauded the move, which would remove a popular target used by exploit kits and other malware to infect users. In recent years, many security experts had repeatedly called for users to either totally remove the problematic browser plugin, or only enable it when necessary.
- The Register: Oracle to kill off Java browser plugins with JDK 9
- Krebs on Security: Good Riddance to Oracle's Java Plugin
Items listed in the Calendar were reported in various technology news portals, security research publications, law enforcement sites, major newspapers and our own F-Secure Weblog.
See our Threat Reports for previous editions of the Incidents Calendar.