On How Trump Will Affect Crypto and Security, SHA-1, WhatsApp, and More
Mike Mimoso, Tom Spring, and Chris Brook discuss what, security-wise, they hope will and won’t change under a Trump presidency, then discuss the news of the week, including SHA-1 deprecation, Carbanak’s return, and the WhatsApp “backdoor” debacle. Download: ThreatpostNewsWrapJanuary202017.mp3 Music...
The Changing Face of Carbanak
Months of ramped-up Carbanak activity that includes a host of new targets and a new command and control strategy has reinvigorated attention on a criminal outfit that may have at one time stolen up to $1 billion from banks worldwide. Carbanak has moved on from an almost exclusive focus on financial...
ProtonMail Gets Own Tor-Accessible .Onion Hidden Service
Users of the encrypted email service ProtonMail looking for an extra layer of security now have the option of accessing their inbox directly through the Tor network. ProtonMail, originally developed by CERN and MIT scientists, announced Thursday it had added its own Tor hidden service. According ...
Necurs Botnet Limps Back into Action After Lull
Researchers say Locky spam volumes are limping back into action with two new and tiny campaigns that could reveal telltale signs of a future full-scale attack. Cisco Talos said since late December, Necurs botnet activity has been silent. So too have campaigns tied to Locky ransomware; chiefly...
Facebook, Researcher at Odds Over Messenger Issue
Facebook is dismissing claims by a researcher who says multimedia content such as audio-based messages sent via its Facebook Messenger service can be intercepted by a third-party under certain conditions. On Tuesday, Mohamed Baset, a security analyst at ecommerce firm Linio México, published a...
Android Scoring System Roots out Malicious, Harmful Apps
Google’s crusade against malicious and potentially harmful apps (PHA) in the Android ecosystem is a complex endeavor anchored by its Verify Apps malware scanner and a scoring system that flags potential problems before they multiply. The system, called Dead or Insecure (DOI), has been effective in...
Justine Bone on St. Jude Vulnerabilities and Medical Device Security
MedSec CEO Justine Bone talks to Mike Mimoso about the St. Jude Medical vulnerabilities, the considerations her company and Muddy Waters made in short selling St. Jude stock, and the current state of medical device security. Download: JustineBoneonSt.JudeVulnerabilitiesandMedicalDeviceSecurity.mp...
Carbanak Using Google Services for Command and Control
Carbanak certainly has not sat idly by after years of advanced criminal campaigns targeting primarily financial institutions. The outfit, alleged to have stolen from more than 100 banks worldwide, has popped up again with a new means of managing command and control over its malware and implants...
Docker Patches Privilege Escalation Vulnerability
Docker has patched a privilege escalation vulnerability (CVE-2016-9962) that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container. The vulnerability is rated high severity by some Linux distributions such as Arch Linux, which traces the problem t...
Oracle Patches 270 Vulnerabilities With First CPU of 2017
Oracle patched 270 vulnerabilities on Tuesday, many remotely exploitable, across 45 different products–including its E-Business Suite, Financial Services software, and MySQL database–as part of its quarterly Critical Patch Update (CPU). The massive update comes close to breaking Oracle’s record-settin...
Spora Ransomware Offers Unique Payment Options
Researchers are keeping close tabs on a new ransomware strain called Spora that offers victims unique payment options and comes with top-notch encryption. Spora was spotted last week by ransomware experts at BleepingComputer, who said after Spora encrypts files on your computer, it offers four...
New RCE Flaws Found in Samsung Smartcam
UPDATE At DEFCON 22 in 2014, researchers demonstrated hacks against the Samsung Smartcam that allowed an attacker to remotely take over the device. Samsung’s reaction at the time was to remove the web interface enabling the attack rather than patch the code in question. The Exploitee.rs, formerly...
Vulnerabilities Leave iTunes, Apple's App Store Open to Script Injection
Apple is reportedly aware of and is in the middle of fixing a pair of vulnerabilities that exist in iTunes and the App Store. If exploited, researchers claim an attacker could inject malicious script into the application side of the vulnerable module or function. Vulnerability Lab’s Benjamin Kunz...
Router Vulnerabilities Disclosed in July Remain Unpatched
Details on serious vulnerabilities in a number of routers freely distributed by a major Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered. Researcher Pedro Ribeiro of Agile Information Security found accessible admin accounts and command...
SHA-1 End Times Have Arrived
For the past couple of years, browser makers have raced to migrate from SHA-1 to SHA-2 as researchers have intensified warnings about collision attacks moving from theoretical to practical. In just weeks, a transition deadline set by Google, Mozilla and Microsoft for the deprecation of SHA-1 is u...
Why WhatsApp's 'Backdoor' Isn't a Backdoor
Accusations that WhatsApp has a backdoor intended for eavesdropping on user messages are being loudly rebuked by Facebook-owned WhatsApp and Open Whisper Systems, the company that developed the underlying encryption technology for the platform. Dismissal of the published claims by The Guardian are...
Andrew Macpherson on Intelligence Gathering with Maltego
Ryan Naraine talks with Paterva Operations Manager Andrew Macpherson, who outlines the details of the “Digital Intelligence Gathering using Maltego” course being offered at SAS 2017 and talks about the benefits of data mining for pen testers, malware analysts and law enforcement agencies...
White House Approves New Rules for Sharing of Raw Intelligence Data
President Obama last week approved a change in the way the National Security Agency shares raw signals intelligence data with the rest of the U.S. intelligence community, a shift that privacy experts worry will erode the civil liberties of Americans. An unclassified document released by the Offic...
WhatsApp Says 'Backdoor' Claim Bogus
Claims of a backdoor in WhatsApp that could be used for third-party snooping were shot down by WhatsApp, which called the allegations false. On Friday, news outlet The Guardian reported that a cryptography researcher had discovered a backdoor in WhatsApp’s messaging service that could “allow...
Google's Key Transparency Simplifies Public Key Lookups
Google has taken a big step toward simplifying public key lookups at Internet scale with the release to open source on Thursday of Key Transparency. Key Transparency is admittedly a prototype, Google said, but it could provide significant relief for secure messaging systems suffering from...
Saying Goodbye to the ShadowBrokers, GoDaddy's Domain Validation Issue, and More
Mike Mimoso and Chris Brook discuss the news of the week, including the ShadowBrokers’ farewell, GoDaddy’s buggy domain validation issue, MongoDB ransoms, and the latest with St. Jude Medical. Show notes: ShadowBrokers Bid Farewell, Close Doors ShadowBrokers Selling Windows Exploits, Attack Tools...
Marie Moe on Medical Device Security
Marie Moe, a research scientist at SINTEF of Norway, talks to Mike Mimoso about her personal and emotional connection to medical device security given that she has a pacemaker implanted in her that regulates her heart. Moe, who is in her 30s, has been active in spurring research into the security...
ShadowBrokers Bid Farewell, Close Doors
The ShadowBrokers are no more. The group or individual responsible for multiple leaks of exploits and attack tools believed to belong to the NSA said today they have closed up shop and deleted all of their online accounts. “Despite theories, it always being about bitcoins for TheShadowBrokers. Fr...
WordPress 4.7.1 Fixes CSRF, XSS, PHPMailer Vulnerabilities
WordPress developers are encouraging users of the content management system to apply a new update, pushed this week, to resolve eight security issues, including a handful of cross-site scripting (XSS) and cross-site request forgery (CSRF) bugs. Aaron D. Campbell, a WordPress core contributor announce...
Buggy Domain Validation Forces GoDaddy to Revoke Certs
GoDaddy has revoked SSL certificates for more than 6,000 customers, and begun the process of re-issuing them, after a bug was discovered in the registrar’s domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that dat...
Cloudflare Shares National Security Letter It Received in 2013
Thanks to the lifting of a gag order, on Tuesday security firm Cloudflare was finally able to post a National Security Letter it received from the Federal Bureau of Investigation back in 2013. Cloudflare’s counsel Kenneth R. Carter acknowledged the lifting of the order and said the letter is part...
ShadowBrokers Selling Windows Exploits, Attack Tools
The latest ShadowBrokers dump of alleged NSA tools—a cache of Windows exploits—surfaced over the weekend. And for the first time since these unannounced releases started last summer, analysts don’t have the luxury of a free set of files to dig into. The group is selling the database for 750...
Second Try at LSASS Patch Addresses Vulnerability
Microsoft’s second try at patching a vulnerability in a critical Windows process apparently is more successful than its first attempt. Yesterday, as part of its monthly Patch Tuesday release of security bulletins, Microsoft sent out an update that fixed a denial-of-service vulnerability in the...
Spammers Revive Hancitor Downloader Campaigns
A recent lull in the distribution of spam spreading information-stealing malware via the Hancitor downloader has ended. Researchers at the SANS Internet Storm Center are currently tracking an increase in spam purporting to be a forwarded parking ticket notification. The message prompts the...
Microsoft Issues Record Low Number of Patch Tuesday Bulletins
Microsoft’s first Patch Tuesday update of 2017 is one of the smallest in the history of the program with four bulletins released today, including three rated important along with Adobe’s monthly Flash Player update for Internet Explorer and Edge, which was rated critical by the vendor. The...
Netflix Phishing Campaign Targeted User Information, Credit Card Data
Researchers recently identified a phishing campaign set up to lure unsuspecting Netflix users into giving up their credentials and credit card data. The campaign – now defunct – started with an email informing users they needed to update their account details. From there, victims were brought to ...
January 2017 Adobe Flash, Reader, Acrobat Security Patches
Adobe today released its first patches of the year, a familiar refrain of Flash Player and Reader fixes, none of which are under attack. The Flash update addresses 13 vulnerabilities, all but one of which trigger remote code execution attacks. Meanwhile, 29 bugs were patched in Reader and Acrobat...
Lawmakers Reintroduce Popular Email Privacy Act
A group of bipartisan lawmakers reintroduced the Email Privacy Act, a bill that would require law enforcement to get a warrant before searching email, Facebook messages and files stored on cloud services no matter how old the archives. The Email Privacy Act is an attempt to reform the decade-old...
Two New Edge Exploits Integrated into Sundown Exploit Kit
Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosed by a Texas startup was integrated into the Sundown Exploit Kit. The proof-of-concept exploit was developed by Theori, a research and development firm in Austin, which opened its doors...
MongoDB Attacks Jump From Hundreds to 28,000 In Just Days
Security researchers report a massive uptick in the number of MongoDB databases hijacked and held for ransom. On Monday, researcher Niall Merrigan reported 28,000 misconfigured MongoDB databases were attacked by more than a dozen hacker groups. That’s a sharp increase from last week when 2,000 MongoDB databases had be...
St. Jude Medical Patches Vulnerable Cardiac Devices
St. Jude Medical today released an update for the Merlin@home Transmitter medical device that includes a patch for vulnerabilities made public last year in a controversial disclosure by research company MedSec Holdings and hedge fund Muddy Waters. In a paper published last August, Muddy Waters sa...
Hello Kitty Database of 3.3 Million Users Surfaces
A cache of data including 3.3 million user credentials belonging to Hello Kitty parent company Sanrio surfaced over the weekend. The breach was originally reported in December 2015, but at the time Sanrio denied any data was stolen as part of the breach. The breach was tied to a misconfigured...
Gaming Network ESEA Breached, 1.5M Profiles Leaked
Following an extortion attempt, information from a recent breach of a competitive video gaming community surfaced over the weekend online. Data purportedly belonging to 1.5 million members of video gaming community ESEA, the E-Sports Entertainment Association League, was added to LeakedSource’s...
US Voting Systems Deemed Critical Infrastructure
The Department of Homeland Security has designated the U.S. voting infrastructure, including voting machines and registration databases, as critical infrastructure. On Friday, Secretary Jeh Johnson elevated the voting infrastructure to a critical infrastructure subsector under the existing...
Google Patches Android 'Custom Boot Mode' Vulnerability
A high-risk Android custom boot mode vulnerability was one of many bugs patched by Google as part of its January Android Security Bulletin released earlier this week. On Thursday, the IBM security team that discovered the vulnerability disclosed details about the flaw which leaves Nexus 6 and 6P...
On Russia's Involvement in the US Election, Burlington Electric, Firecrypt, and More
Mike Mimoso and Chris Brook discuss the news of the week, including this week’s U.S. Senate Committee on Armed Services hearing, the Burlington Electric ‘Hack’ and attribution, FireCrypt, and Security Without Borders. Download: ThreatpostNewsWrapJanuary62017.mp3 Music by Chris Gonsalves...
Experts Warn of Novel PDF-based Phishing Scam
The SANS Internet Storm Center published a warning on Wednesday about an active phishing campaign that utilizes PDF attachments in a novel ploy to harvest email credentials from victims. According to the SANS bulletin, the email has the subject line “Assessment document” and the body contains a...
FTC: D-Link Failed to Secure Routers, IP Cameras
The Federal Trade Commission showed on Thursday that it takes the security of the so-called internet of things seriously when it lodged a complaint against one of the more popular router manufacturers. The lawsuit, filed at the U.S. District Court for the Northern District of California,...
Attacks On MongoDB Rise As Hijackings Continue
The number of insecure MongoDB databases being hijacked by criminals is growing according to experts who say attacks that began last week are now targeting more valuable assets. Since identifying attacks against MongoDB installations on Dec. 27, Victor Gevers, an ethical hacker and founder of GDI...
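The two MongoDB items above (the 28,000 hijacked databases and the ongoing hijackings tracked since Dec. 27) both come down to the same misconfiguration: a mongod that listens on every interface with no authorization enforced. The audit below is an added example, not Threatpost’s reporting or MongoDB’s own tooling. It assumes the standard mongod.conf YAML layout (the real `net.bindIp` and `security.authorization` options) and uses two constructed config fragments, one exposed and one hardened; the tiny YAML-subset parser handles only the two-level `section:` / `  key: value` shape mongod.conf uses.

```python
"""Audit a mongod.conf for the exposure pattern behind the MongoDB ransom
attacks: network-reachable plus no authentication. Added example; the two
config fragments are constructed for illustration."""

# Constructed: the shape of a mongod.conf that gets hijacked.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # listen on every interface
"""

# Constructed: the same host after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the two-level 'section:' / '  key: value' subset of YAML that
    mongod.conf uses. Comments are stripped. Not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw.startswith(" "):            # indented: key inside current section
            conf.setdefault(section, {})[key] = value.strip()
        else:                              # top-level section header
            section = key
            conf.setdefault(section, {})
    return conf


def audit_mongod_conf(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    conf = parse_simple_yaml(text)
    net = conf.get("net", {})
    security = conf.get("security", {})
    findings = []

    # Before MongoDB 3.6 an unset bindIp meant "all interfaces", so an absent
    # key is treated like 0.0.0.0 to err on the side of flagging.
    bind_ip = net.get("bindIp", "0.0.0.0")
    listens_everywhere = any(addr.strip() in ("0.0.0.0", "::")
                             for addr in bind_ip.split(","))
    if listens_everywhere:
        findings.append("net.bindIp exposes mongod on all interfaces")

    auth_enforced = security.get("authorization") == "enabled"
    if not auth_enforced:
        findings.append("security.authorization is not enabled")

    # The combination is what let attackers drop collections and leave ransom
    # notes: anyone who can reach port 27017 is an administrator.
    if listens_everywhere and not auth_enforced:
        findings.append("CRITICAL: unauthenticated database reachable from the network")
    return findings


if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Run against a real `/etc/mongod.conf` by reading the file into `audit_mongod_conf`; either finding on its own is worth fixing, since a host firewall is the only thing standing between an all-interfaces bind and the ransom note.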
U.S. Intelligence Report Due Next Week on Election Hack
The various branches of the U.S. intelligence community said they will next week deliver a joint report that corroborates claims that Russian intelligence attempted to influence the 2016 presidential election. Outgoing Director of National Intelligence James R. Clapper also confirmed to a U.S...
FireCrypt Ransomware Contains DDoS Functionality
In addition to encrypting files, a new strain of ransomware also attempts to carry out a DDoS attack, albeit a weak one. The ransomware, FireCrypt, was uncovered by forensic experts at MalwareHunterTeam and analyzed by Bleeping Computer’s Lawrence Abrams on Wednesday. The malware technically come...
Claudio Guarnieri on Security Without Borders
Security researcher and activist Claudio Guarnieri talks to Mike Mimoso about a new project announced last week at the Chaos Communication Congress called Security Without Borders. The project aims to form a collective of researchers and security practitioners who volunteer to provide pen-testing...
FTC Issues Public Challenge to Improve IoT Patching
Admittedly, patching existing connected devices in the wild is easier said than done. But that’s not deterring the Federal Trade Commission from soliciting help in finding a solution. The U.S. government agency today announced the kickoff of the FTC IoT Home Inspector Challenge, a prize contest...
What Hack? Burlington Electric Speaks Out
Two days before the start of the New Year’s holiday weekend, the Department of Homeland Security shared technical details and indicators of compromise related to tools used by Russian intelligence services in attacks allegedly attempting to influence the U.S. presidential election. Dutifully, IT...
Google Patches 29 Critical Android Vulnerabilities Including Holes in Mediaserver, Qualcomm
Google has patched ten critical vulnerabilities tied to problem-plagued Android components like Mediaserver, NVIDIA’s GPU driver, and Qualcomm’s driver. The most serious bug, according to Google’s January Android Security Bulletin, is the Mediaserver vulnerability. “The most severe of these issue...