
Inside Security (Jan 12th, 2018)

David’s take

If you aren't yet a Premium subscriber, you missed yesterday's analysis about a potential flaw in several secure messaging group chats, and what you should do about it. Go to our Premium page and sign up; subscription plans start at $10/month, with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

Another person associated with the SecureDrop service has died. James Dolan, who worked on the program with Aaron Swartz, was 36. Dolan's cause of death was suicide. SecureDrop is an offering from the Freedom of the Press Foundation and used by many journalists all over the world for secure communication with their sources. Dolan was the foundation’s first full-time staffer. Dolan left the foundation two years ago to work on a San Diego startup. The foundation’s website has more details.

I am a big supporter and user of password managers, but here is a new twist on how they can be exploited. Technically, it isn’t the managers’ fault. Third-party scripts can inject invisible login forms that can capture a username and password, which the attacker uses for credential theft. While this vulnerability has been long known, this is the first time that such abuse has been documented. Take a closer look at the attack at the link and understand how you and your users can avoid it.

-- David Strom, Editor of Inside Security


Top Story: Malware found in numerous SCADA Android apps

Researchers took a closer look at SCADA apps from 34 vendors and identified 147 security issues in the applications and their backend programs. These vulnerabilities include unauthorized physical access to the device or its data, compromised communications channels, and application flaws. – IOACTIVE BLOG



Attacks and vulnerabilities

Researchers have found malicious code hiding inside 60 different Android gaming apps. Some of the apps are targeted at kids. Across this portfolio, the apps have been downloaded at least three million times. The code can display ads for porn sites, trick users into installing fake security apps, or register a user for a premium service without their permission. – CHECKPOINT BLOG


A sneaky new injection technique called Flokibot delivers LockPoS malware straight into the kernel of Windows-based POS machines, according to new research. Given that Windows 10 kernel functions aren’t easily monitored by security tools, this could be hard to detect. – CYBERBIT BLOG


Google Drive had a vulnerability that allowed attackers to automatically download malware to a victim’s computer, and researchers demonstrated a proof-of-concept script. Google has fixed the flaw since being notified. However, the researchers warn that “it is likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.” – PROOFPOINT BLOG


D̵̛̗̗͈̝̠͈͕͕̱̑͌̏̕͢a̝̻͇̬̘̼͓̿́̾̔́͋̎v̷̢̻̯̟̬̪̗̍̌͒̈́͑͑͊́̚ͅì̸̢̮̠̥̦̹̆͛̓͆͜͠ͅď̸̨̛̯̦̜̓̐̀̀̈́͜ S̸̩͉̘̼̬͗̒͛̊̓̈́̕̚t̺͉̱̰͐͒́̆͋̈͢͠ȑ̛̞̘̲̲̞͆̃̍͊͋́̇̈́͢ͅồ̭̬͖̪̥̤̎̏͗͌͡͡m͉̙̺͇͕̜͑̒̀̉͘̕͘͡ Į̸̧̙͉̟̘͗̆͆̆̍͘̕͘n̷̞̱͔͉̥̞̫͐̈̍͌̌͒͟͜͜ś͓̠̬͓̿̍̈̚̚̕̚͢ȉ̛̜̠͙̠͚̞̳́̃̈̒̿̿͟͜d̸̰͓̥̮̬̥͆́̽̉͠ȇ̸̦͇̻̺̪͍͎̋̾͌̄̓̈̚͠ Ș̷̭̯̳͈̬̆͗̽́͛͝͡͝e̸̡̮̫̹̊͆̃͆̂̃͗͘̚͜͜͢͡ͅc̖̝͓̪͕̞̐͌̓̌͐͜ũ̷̘̗̫̘͉͗̌͐̇̇͆͟ř̶͙̜̲͓̗̐̐̅̅͌̂̃̏͜͠ì̧̡̩͕̦̮͍͑̎̑͂͆͜t̡̨̪̳̭̹̱͗͊̍̍̒̌͟͞ỹ̶̧͕̹̝̺͎͎͊͆̀̒̒̅̒̂͂͟ͅ

Researchers have found a way to cause Gmail servers to crash after a user retrieves a specially encoded email containing so-called Zalgo text (shown above). The text makes extensive use of Unicode combining characters and other special character sets. Google has a fix. -- SECURITY AFFAIRS
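Zalgo text works by stacking many Unicode combining marks on each base character, far more than any real script needs. The following is an added example (not from Security Affairs or Google) of a defensive input check: it measures the longest run of combining marks on the NFD form and either rejects the text or caps the marks per character so ordinary accented letters survive. The sample strings and the thresholds (4 marks to flag, 2 to keep) are constructed assumptions.

```python
import unicodedata

# Constructed sample: each letter of "David" carries six stacked combining marks,
# the same pattern as the Zalgo-style text in the item above (not its exact bytes).
ZALGO_SAMPLE = "".join(ch + "\u0336\u0317\u0348\u031d\u0320\u0347" for ch in "David")
PLAIN_SAMPLE = "Dav\u00edd Str\u00f6m"  # precomposed í and ö: legitimate input


def is_mark(ch: str) -> bool:
    """True for combining marks (Unicode general category Mn/Mc/Me)."""
    return unicodedata.category(ch).startswith("M")


def longest_mark_run(text: str) -> int:
    """Longest run of combining marks following one base character.
    Measured on the NFD form so precomposed letters count their marks too."""
    longest = run = 0
    for ch in unicodedata.normalize("NFD", text):
        run = run + 1 if is_mark(ch) else 0
        longest = max(longest, run)
    return longest


def is_zalgo(text: str, max_run: int = 4) -> bool:
    """Flag input whose mark stacking exceeds what real scripts need.
    Vietnamese and many Indic syllables use 2-3 marks; 4 is a conservative cut-off."""
    return longest_mark_run(text) > max_run


def cap_marks(text: str, limit: int = 2) -> str:
    """Sanitise instead of rejecting: keep at most `limit` marks per base
    character, drop the rest, then recompose so ordinary accents survive."""
    out, run = [], 0
    for ch in unicodedata.normalize("NFD", text):
        if is_mark(ch):
            run += 1
            if run > limit:
                continue
        else:
            run = 0
        out.append(ch)
    return unicodedata.normalize("NFC", "".join(out))


if __name__ == "__main__":
    for sample in (ZALGO_SAMPLE, PLAIN_SAMPLE):
        print(longest_mark_run(sample), is_zalgo(sample), repr(cap_marks(sample)))
```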


Let's Encrypt has disabled TLS-SNI-01 validation after the discovery of an attack that could abuse the validation method to obtain certificates for someone else’s domains. A number of servers could be exploited to issue such certs. This post has the details. -- ZDNET


Tools

My colleague Lori MacVittie explains why the Facebook “security questions” aren’t really effective, and makes the argument for multi-factor authentication. And yes, her favorite color is black. – DARK READING


Reports

Spamhaus reports a 37 percent increase in botnet listings last year, and that the majority of botnet controllers were hosted on servers maintained by bad actors. The report has lots of additional insight into these networks. -- SPAMHAUS


Krebs reports on a serious vulnerability in the integration between Coinbase and Overstock.com that allowed customers to buy items using bitcoin and reap the benefits when items were returned. A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time. Overstock has fixed the problem. – KREBS ON SECURITY


Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. This post provides some tips on formulating your strategy for a breach before the next one happens to you. – SECURITY INTELLIGENCE BLOG


The Docket

Phillip R. Durachinsky has been indicted in an Ohio U.S. District Court. He allegedly masterminded a scheme by which he accessed protected computers without their owners’ permission for more than 13 years using Mac-based malware. -- TRIPWIRE


The U.S. Customs and Border Patrol announced new restrictions on when agents can copy data from digital devices at border crossing points. The directive states the circumstances in which travelers may be asked to provide passcodes to unlock a device. If the border agent is unable to inspect the device because it is passcode- or encryption-protected, the agent may detain the device for up to five days. -- THREATPOST


Mexico’s attorney general’s office is investigating an attempt to hack and rob Bancomext, the government-run export bank. The hackers weren’t successful at stealing any funds and the bank suspended operations on Tuesday while they investigated the attack. -- REUTERS


Cheesy, I know. -- DEVHUMOR

