David’s take

If you aren't yet a Premium subscriber, you missed yesterday's analysis about a potential flaw in several secure messaging group chats, and what you should do about it. Go to our Premium page and sign up, subscription plans start at $10/month with multiple newsletters and corporate plans available. Premium subscribers get an additional Thursday newsletter, usually with a single analysis topic.

Another person associated with the SecureDrop service has died. James Dolan, who worked on the program with Aaron Swartz, was 36. Dolan's cause of death was suicide. SecureDrop is an offering from the Freedom of the Press Foundation and used by many journalists all over the world for secure communication with their sources. Dolan was the foundation’s first full-time staffer. Dolan left the foundation two years ago to work on a San Diego startup. The foundation’s website has more details.

I am a big supporter and user of password managers, but here is a new twist on how they can be exploited. Technically, it isn’t the managers’ fault. Third-party scripts can inject invisible login forms that can capture a username and password, which the attacker uses for credential theft. While this vulnerability has been long known, this is the first time that such abuse has been documented. Take a closer look at the attack on the link and understand how you and your users can avoid it.

-- David Strom, Editor of Inside Security

Top Story:  Malware found in numerous SCADA Android apps

Researchers took a closer look at 34 vendors of SCADA apps and identified 147 security issues in the applications and their backend programs. These vulnerabilities including unauthorized physical access to the device or its data, compromised communications channels and application flaws. – IOACTIVE BLOG

Attacks and vulnerabilities

Researchers have found malicious code hiding inside 60 different Android gaming apps. Some of the apps are targeted at kids. Across this portfolio, the apps have been downloaded at least three million times. The code can display ads for porn sites, trick users into installing fake security apps, or register a user for a premium service without their permission. – CHECKPOINT BLOG

A sneaky new injection technique called Flokibot delivers LockPoS malware straight into the kernel of Windows-based POS machines according to new research. Given that Windows 10 kernel functions aren’t easily monitored by security tools, this could be hard to detect. – CYBERBIT BLOG

Google Drive had a vulnerability that allows attackers to automatically download malware to a victim’s computer, and researchers demonstrated a proof of concept script. Google has fixed the flaw since being notified However, they warn that “it is likely that threat actors will attempt to abuse and exploit these platforms more often as we become more adept at protecting against macro-based threats.”  – PROOFPOINT BLOG  

D̵̛̗̗͈̝̠͈͕͕̱̑͌̏̕͢a̝̻͇̬̘̼͓̿́̾̔́͋̎v̷̢̻̯̟̬̪̗̍̌͒̈́͑͑͊́̚ͅì̸̢̮̠̥̦̹̆͛̓͆͜͠ͅď̸̨̛̯̦̜̓̐̀̀̈́͜ S̸̩͉̘̼̬͗̒͛̊̓̈́̕̚t̺͉̱̰͐͒́̆͋̈͢͠ȑ̛̞̘̲̲̞͆̃̍͊͋́̇̈́͢ͅồ̭̬͖̪̥̤̎̏͗͌͡͡m͉̙̺͇͕̜͑̒̀̉͘̕͘͡ Į̸̧̙͉̟̘͗̆͆̆̍͘̕͘n̷̞̱͔͉̥̞̫͐̈̍͌̌͒͟͜͜ś͓̠̬͓̿̍̈̚̚̕̚͢ȉ̛̜̠͙̠͚̞̳́̃̈̒̿̿͟͜d̸̰͓̥̮̬̥͆́̽̉͠ȇ̸̦͇̻̺̪͍͎̋̾͌̄̓̈̚͠ Ș̷̭̯̳͈̬̆͗̽́͛͝͡͝e̸̡̮̫̹̊͆̃͆̂̃͗͘̚͜͜͢͡ͅc̖̝͓̪͕̞̐͌̓̌͐͜ũ̷̘̗̫̘͉͗̌͐̇̇͆͟ř̶͙̜̲͓̗̐̐̅̅͌̂̃̏͜͠ì̧̡̩͕̦̮͍͑̎̑͂͆͜t̡̨̪̳̭̹̱͗͊̍̍̒̌͟͞ỹ̶̧͕̹̝̺͎͎͊͆̀̒̒̅̒̂͂͟ͅ

Researchers have found a way to cause Gmail servers to crash after a user retrieves a specially-encoded email called a Zalgo text (shown above). The text makes extensive use of Unicode and other special character sets. Google has a fix. -- SECURITY AFFAIRS

Let's Encrypt has disabled TLS-SNI-01 validation after the discovery of an attack able to hijack certificates using the protocol. It was possible to exploit a number of servers in order to obtain certs for someone else’s domains. This post has the details. -- ZDNET

Tools

My colleague Lori MacVittie explains why the Facebook “security questions” aren’t really effective, and makes the argument for multi-factor authentication. And yes, her favorite color is black. – DARK READING

Reports

Spamhaus reports a 37 percent increase in botnet listings last year, and that the majority of botnet controllers were hosted on servers maintained by bad actors. The report has lots of additional insight into these networks. -- SPAMHAUS

Krebs reports on a serious vulnerability between Coinbase and Overstock.com that allowed customers to buy items using bitcoin and reap the benefits when items were returned. A dishonest customer could have used this bug to make ridiculous sums of bitcoin in a very short period of time.” Overstock has fixed the problem. – KREBS ON SECURITY

Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. This post provides some tips on formulating your strategy for a breach before the next one happens to you. – SECURITY INTELLIGENCE BLOG

The Docket

Phillip R. Durachinsky has been indicted in an Ohio U.S. District Court. He allegedly masterminded a scheme by which he accessed protected computers without their owners’ permission for more than 13 years using Mac-based malware. -- TRIPWIRE

The U.S. Customs and Border Patrol announced new restrictions on when agents can copy data from digital devices at border crossing points. The directive states circumstances when travelers may be asked to provide passcodes to unlock a device. If the border agent is unable to inspect the device because it is passcode or encryption-protected, the agent may detain the device for up to five days. -- THREATPOST

Mexico’s attorney general’s office is investigating an attempt to hack and rob Bancomext, the government-run export bank. The hackers weren’t successful at stealing any funds and the bank suspended operations on Tuesday while they investigated the attack. -- REUTERS

Cheesy, I know. -- DEVHUMOR