Inside Security (Oct 27th, 2016)

David’s Take
You need to carefully read and act on our top story today. A single script kiddie can delete your entire online world with just a single call to your cell provider. Lyft needs to spend a little more time on its security for expired cellphone numbers. And many Android phones can be rooted by flipping a single memory bit.

-- David Strom, editor of Inside Security
Top story: Phone impersonation attack
In keeping with Halloween, the scariest tale this week has to do with an online personality who had all his Internet content deleted by a script kiddie. The story of “Boogie2988” is a chilling one about how a determined teen managed to delete all the videos on his target’s YouTube channel, raid his PayPal account, and lock him out of all of his accounts. Even though the target practiced solid security by using multiple complex passwords and SMS-based multi-factor authentication, it was still possible. As happened to Deray McKesson and other popular posters, the hacker impersonated him and got Verizon to change the phone number that was the basis of his SMS security. The moral of the story: don’t use a public recovery email address, and if you do use SMS as your additional authentication factor, use either Google Authenticator or a non-public phone number. -- MEDIUM
Threats and attacks
Version 3.6.4 fixes two critical bugs in the popular content management system Joomla, and you should definitely update your servers if they are running any version from v3.4.4 onward. The bugs could allow existing users to re-register, even if their accounts have been disabled, and elevate their privileges. Another error had to do with the two-factor authentication libraries. -- THREATPOST

A security research team has uncovered a new way to leverage mechanisms of the underlying Windows operating system in order to inject malicious code. Threat actors can use this technique, which is enabled by the design of the Windows OS, to bypass current security solutions that attempt to prevent infection. It is called AtomBombing after the underlying Windows mechanism (atom tables) that the technique exploits. The exploit doesn’t rely on broken or flawed code; rather, it abuses a flaw in how these operating system mechanisms are designed. The post also has some great links to earlier code injection hacks. -- ENSILO BLOG

A new way to gain root access to certain Android phones has been discovered, called Rowhammer. The attack exploits the ability to alter individual bits of data in memory, and it worked on 12 of the 15 different Nexus 5 phones tested. Why the inconsistency? It could be caused by the condition of particular memory bits in the phone or by different chip versions. You can download this app to test for the vulnerability. The researchers received a $4k bug bounty back in July for their discovery, and a fix is being worked on. -- ARS TECHNICA

The latest malware arrives just in time for the November elections. Called CIA Election Anti-Cheat Control, it pretends to be a notice from the spy agency that requires people to send $50 if they want their vote to count. Yeah, right. What is nice is that after you send in your payment, the malware actually deletes itself from your PC. There are some good suggestions from Boy Genius Report on staying safe. -- BLEEPING COMPUTER

If you are a Lyft ride-hailing customer, someone could take over your account with an old cell number and charge new rides. Cell companies recycle old numbers all the time, and if these older numbers are still tied to your Lyft account, they can be compromised. Others have reported this in the past. If you change phones, make sure to call Lyft customer support to cancel your account. -- ITWORLD
Notable conference
There is still time to attend the O’Reilly Security Conference in New York next week. Speakers include Cory Doctorow, Heather Adkins from Google, Dan Kaminsky, and other notables. Sunday and Monday you can attend training classes in AWS security, web app essentials and other topics. Pricing starts at $1645.
Just for fun

There have been many post-mortems on the Dyn Mirai attack. As our colleague Ron Miller has tweeted, “This just in. Security company you never heard of has really important opinion on Dyn attack.” Here is something more useful: an analysis of the numerous DDoS floods coming from 50k unique IP addresses spread around 164 countries. The malware contains a list of IP addresses not to use, such as the addresses of the US Postal Service and GE, suggesting its author is not a professional cyber criminal. -- INCAPSULA BLOG
Copyright © 2016 Inside, All rights reserved.