Video of Hillary Clinton meeting ISIS leader? Nah, it’s a malware attack

Symantec writes:

Cybercriminals are using clickbait, promising a video showing Democratic Party presidential nominee Hillary Clinton exchanging money with an ISIS leader, in order to distribute malicious spam emails.

The email’s subject announces “Clinton Deal ISIS Leader caught on Video,” however there is no video contained in the email, just malware. Adding to the enticement, the email body also discusses voting, asking recipients to “decide on who to vote [for]” after watching the non-existent clip.

Attached to the email is a ZIP archive, containing a Java file. Make the mistake of opening the Java file (in the mistaken belief that you are going to see a controversial video) and you will be infecting your computer with the Adwind backdoor Trojan horse.

It’s not unusual for criminals to use these kinds of disguises to make their malicious emails more tempting to click on, and we’ve seen attacks like this during previous presidential election campaigns. Expect more of the same, and be on your guard.

IT security girl hits back at sexist trolls on LinkedIn

UK IT security firm Foursys writes:

Should we police or dictate how our employees dress? Should we only allow them to represent our brand if they have a specific body type or sense of style?

What about internet commenters or trolls? Is it ok for them to bombard our employees with abuse?

They are asking because Jayde, one of their sales executives, appeared in a harmless social media post on LinkedIn – celebrating that the firm now had 500 followers on the professional social network.

The response on LinkedIn was ghastly, with many offensive, derogatory and often sexual comments made towards Jayde.

Jayde, however, has stood up to the bullies – making her own brave video response where she details some of the abuse she received.

“For all of those who say that I know nothing about IT security: Shame on you. I know more than 99% of people you’d meet on the street. I can tell you what a denial-of-service attack is, how SQL injection works, and how to protect against ransomware. To be perfectly clear: Bullying and shaming people because of the way that they look or how they choose to dress is nasty, and I am not just going to take it — and neither should you.”

Hear hear.

I find it extraordinary that some people would make such hurtful and mean remarks… and particularly dumb that so many did so on LinkedIn, which details their real names, jobs and places of employment.

Seriously, the IT security world needs to grow up and stop thinking that women can be treated in such an appalling way.

Watch Jayde’s video response to the cyber-bullies on YouTube, and read more in Foursys’s blog post.


A simple way to kill off Twitter trolls

@th3j35t3r writes on his blog:

Simply put. If Jim is blocked by John, Jim can no longer even utter John’s handle/twittername in a tweet. If he attempts to, the tweet simply doesn’t process or gets sinkholed. Period. The end. Forever, or until John unblocks him. This approach would not infringe on Jim’s ‘freedom of speech’, he can still say whatever he likes, but he can’t include John. This approach would be self-policing, essentially allowing users to decide if they are being abused or harassed and allowing them to take immediate actions without relying on Twitter to minimize the problem effectively. This approach would not be an overhead on Twitter’s current infrastructure and would require NOTHING by way of extra storage capacity.

Trolls are the ugly side of Twitter, but @th3j35t3r’s proposal seems very elegant to me.

So how about it Twitter?

Find out more, and check out his amusing flowchart, by reading @th3j35t3r’s blog post.


Tor users in the States were hacked by Australian authorities

Joseph Cox at Motherboard writes:

Australian authorities hacked Tor users in the US as part of a child pornography investigation, Motherboard has learned.

The contours of this previously-unreported hacking operation have come to light through recently-filed US court documents. The case highlights how law enforcement around the world are increasingly pursuing targets overseas using hacking tools, raising legal questions around agencies’ reach.

In one case, Australian authorities remotely hacked a computer in Michigan to obtain the suspect’s IP address.

While I’m sure that the vast majority of us are keen for child abuse websites to be shut down, and their users brought to justice, we are not all comfortable with intelligence agencies breaking the law themselves to achieve this.

Legal processes need to be put in place to not only prevent criminals from hacking into systems they shouldn’t and stealing private information, but also to prevent over-zealous law enforcement agents from stepping over the line.

Just because something can be done doesn’t mean it should be done.

Also, we need to stop thinking that state-sponsored hacking is something done by the Russians and Chinese against the Americans and the Brits. Or it’s something that the Americans and Brits do against the Russians and Chinese.

The true story is that just about everyone is up to it.

I would be shocked if any even semi-sophisticated intelligence agency anywhere in the world wasn’t using the internet, and methods used by criminal hackers, to spy upon the governments, businesses and citizens of other countries.


Blogger turns tables on cyber-scammer by infecting them with ransomware

BBC News reports:
A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware.
Technical support scams try to convince people to buy expensive software to fix imaginary problems.
But Ivan Kwiatkowski played…

Sage suffers data breach, putting details of UK and Irish businesses at risk

Online accounting software company Sage has suffered a data breach, putting the details of a “small number” of its UK and Irish business customers at risk.
As the company briefly noted on its website:
We believe there has been some unauthorised access …

Almost all cars sold by VW Group since 1995 at risk from unlock hack

Wired writes:

Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Skoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers are led by University of Birmingham computer scientist Flavio Garcia, who was previously blocked by a British court, at the behest of Volkswagen, from giving a talk about weaknesses in car immobilisers.

At the time Volkswagen argued that the research could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.” The researchers finally got to present their paper a year ago, detailing how the Megamos Crypto system – an RFID transponder that uses a Thales-developed algorithm to verify the identity of the ignition key used to start motors – could be subverted.

The team’s latest research doesn’t detail a flaw that in itself could be exploited by car thieves to steal a vehicle, but does describe how criminals located within 300 feet of the targeted car might use cheap hardware to intercept radio signals that allow them to clone an owner’s key fob.

The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and access the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”

Sounds to me like it’s time to turn to the car manufacturers to ask what on earth they are going to do to fix the millions of potentially vulnerable vehicles they have sold in the last couple of decades.

Read more, including the researchers’ paper, on Wired.

19-year-old wins one million airmiles after finding United Airlines bugs

Vulnerability researcher Olivier Beg from Amsterdam has been handsomely rewarded with one million airmiles by United Airlines, after finding some 20 security holes in the company’s software.
As the Dutch Broadcast Foundation reports, the 19-year-old ha…

Almost a billion devices may be at risk from QuadRooter Android flaw

Uh-oh.
Check Point researchers have warned of a security hole in the microchips used in almost a billion Android devices that – if exploited – could give hackers complete access:

An attacker can exploit these vulnerabilities using a malicious app. Suc…

Earn up to $200,000 as Apple *finally* launches a bug bounty

The Verge writes:

Apple is planning a new bug bounty program that will offer cash in exchange for undiscovered vulnerabilities in its products, the company announced onstage at the Black Hat conference today. Launching in September, the program will offer cash rewards for working exploits that target the latest version of iOS or the most recent generation of hardware. It’s the first time Apple has explicitly offered cash in exchange for those vulnerabilities, although the company has long maintained a tip line for disclosing security issues.

Ivan Krstic, Apple’s head of security engineering and architecture, made the announcement during a presentation at Black Hat on Thursday.

The top reward comes for finding vulnerabilities in Apple’s “secure boot” process, which if broken could seriously compromise security.

As Hacker News reports, for now Apple’s bug bounty program is invite-only – meaning that the only people likely to be ushered in are those who have a track record in finding exploitable flaws in the company’s code. Hopefully things will loosen up over time, and from the sound of things they are open to adding others who come forward after finding critical vulnerabilities in key areas.

Frankly, an Apple bug bounty is long overdue.

Apple was looking incongruous in not offering a reward for security researchers who uncovered critical vulnerabilities in its products. After all, if you were a vendor you would rather have those who find security vulnerabilities in your products work with you rather than selling off their exploits to a third-party, wouldn’t you?

With a bug bounty in place, serious exploitable vulnerabilities are more likely to be responsibly disclosed to Apple, and users are more likely to be protected in a timely fashion.

Good.
