Apache Tomcat Patches Important Security Vulnerabilities

The Apache Software Foundation (ASF) has released security updates to address several vulnerabilities in its Tomcat application server, one of which could allow a remote attacker to obtain sensitive information.

Apache Tomcat is an open source web server and servlet container that implements several Java EE specifications, including Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a "pure Java" HTTP web server environment for Java code to run in.

Unlike the Apache Struts2 vulnerabilities exploited to breach the systems of the American credit reporting agency Equifax late last year, the new Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Apache Tomcat — Information Disclosure Vulnerability

The most critical of the flaws, CVE-2018-8037, is an information disclosure vulnerability caused by a bug in the tracking of connection closures, which can lead to the reuse of user sessions in a new connection.

The vulnerability, marked as important, was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and made public on 22 July 2018.

The flaw affects Tomcat versions 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31, and it has been fixed in Tomcat 9.0.10 and 8.5.32.

Apache Tomcat — Denial of Service (DoS) Vulnerability

Another important vulnerability in Apache Tomcat, tracked as CVE-2018-1336, resides in the UTF-8 decoder and can lead to a denial-of-service (DoS) condition.

"An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service," the Apache Software Foundation says in its advisory.

Apache Tomcat Server Software Updates (Patches)

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and has been addressed in Tomcat versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90.

The Apache Software Foundation also included a security patch in the latest Tomcat versions to address a low severity security constraint bypass bug (CVE-2018-8034), which occurs because hostname verification is missing when using TLS with the WebSocket client.

Administrators are strongly recommended to apply the software updates as soon as possible, and are advised to allow only trusted users to have network access and to monitor affected systems.

The Apache Software Foundation says it has not detected any exploitation of these Apache Tomcat vulnerabilities in the wild.

A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

Source: TheHackerNews

Google launches 'Data Transfer Project' to make it easier to switch services

A lot of new online services are cropping up every day, making our life a lot easier.

But it is always harder for users to switch to another product or service they think is better, because the process usually involves downloading everything from one service and then re-uploading it all again to another.

Thanks to GDPR—the General Data Protection Regulation, a European Union regulation that sets guidelines for the collection and processing of users' personal information by companies—many online services have started providing tools that allow their users to download their data in just one click.

But that doesn't completely simplify and streamline the process of securely transferring your data around services.

To make this easier for users, four big tech companies—Google, Facebook, Microsoft, and Twitter—have teamed up to launch a new open-source, service-to-service data portability platform, called the Data Transfer Project.

For more information, head over to the source link: TheHackerNews

New Bluetooth Hack Affects Millions of Devices from Major Vendors

Yet another Bluetooth hacking technique has been uncovered.

A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.

The Bluetooth hacking vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm, while the bug's implications for Google, Android and Linux are still unknown.

The security vulnerability is related to two Bluetooth features—Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software, and BR/EDR implementations of Secure Simple Pairing in device firmware.

How the Bluetooth Hack Works

Researchers from the Israel Institute of Technology discovered that the Bluetooth specification recommends, but does not mandate, that devices supporting the two features validate the public encryption key received over the air during secure pairing.

Since this check is optional, some vendors' Bluetooth products supporting the two features do not sufficiently validate the elliptic curve parameters used to generate public keys during the Diffie-Hellman key exchange.

In this case, an unauthenticated, remote attacker within range of the targeted devices during the pairing process can launch a man-in-the-middle attack to obtain the cryptographic key used by the device, allowing them to potentially snoop on supposedly encrypted device communication, steal data going over the air, and inject malware.

Here's what the Bluetooth Special Interest Group (SIG), the maintainers of the technology, says about the flaw:

"For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure."
"The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgment to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful."

On Monday, CERT/CC also released a security advisory, which includes additional technical details about the Bluetooth vulnerability and attack method.

According to CERT/CC, Bluetooth makes use of a device pairing mechanism based on elliptic-curve Diffie-Hellman (ECDH) key exchange to allow encrypted communication between devices.

The ECDH key exchange involves a private and a public key, and the public keys are exchanged to produce a shared pairing key.

The devices must also agree on the elliptic curve parameters being used, but in some implementations, these parameters are not sufficiently validated, allowing remote attackers within wireless range "to inject an invalid public key to determine the session key with high probability."
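The check that CERT/CC describes as missing, as an added Python example that is not part of the original article or of any vendor's code: full public-key validation on P-256 (the curve used by Bluetooth LE Secure Connections and BR/EDR Secure Simple Pairing) before the received key enters the ECDH computation of the pairing procedure. The two private scalars and the malformed peer key are constructed test values; a real stack would draw the scalars from a CSPRNG.

```python
"""Defensive public-key validation for the ECDH step of Bluetooth pairing.

Added example (not from the article or any vendor): a minimal P-256
implementation whose ECDH routine refuses any received public key that
fails full validation. Pure Python 3.8+, no dependencies.
"""

# NIST P-256 domain parameters; this is the curve used by Bluetooth LE
# Secure Connections and BR/EDR Secure Simple Pairing.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = None  # point at infinity (identity element)

# Constructed private scalars for the two pairing devices (test values only,
# both in the range [1, N-1]).
CONSTRUCTED_PRIV_A = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721
CONSTRUCTED_PRIV_B = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF


def validate_public_key(pt):
    """Full public-key validation (SEC 1, section 3.2.2.1).

    Rejects the point at infinity, coordinates outside [0, p-1], and any
    (x, y) that does not satisfy y^2 = x^3 + ax + b (mod p). A point that
    lies on some other curve fails the last test and never reaches the
    scalar multiplication, which is the check the revised Bluetooth
    specification now mandates. P-256 has cofactor 1, so an on-curve point
    is automatically in the prime-order subgroup and no n*Q = O test is
    needed here.
    """
    if pt is INF:
        return False
    x, y = pt
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition/doubling on P-256; assumes validated inputs."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Right-to-left double-and-add; k * pt."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(private_scalar, peer_public):
    """DHKey for pairing: the x-coordinate of private * peer_public.

    The peer key is validated first; an invalid key aborts pairing instead
    of silently producing a predictable session key.
    """
    if not validate_public_key(peer_public):
        raise ValueError("peer public key rejected: not a valid P-256 point")
    return scalar_mult(private_scalar, peer_public)[0]


def pairing_demo():
    """Both devices derive the same DHKey from each other's validated keys."""
    pub_a = scalar_mult(CONSTRUCTED_PRIV_A, G)
    pub_b = scalar_mult(CONSTRUCTED_PRIV_B, G)
    key_a = ecdh_shared_secret(CONSTRUCTED_PRIV_A, pub_b)
    key_b = ecdh_shared_secret(CONSTRUCTED_PRIV_B, pub_a)
    return key_a == key_b


if __name__ == "__main__":
    print("pairing agrees:", pairing_demo())
    # Constructed malformed key: G with its y-coordinate bumped off the curve.
    try:
        ecdh_shared_secret(CONSTRUCTED_PRIV_A, (G[0], G[1] + 1))
    except ValueError as exc:
        print("rejected:", exc)
```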

Stop Bluetooth Hacking—Install Patches from Vendors

To fix the issue, the Bluetooth SIG has now updated the Bluetooth specification to require products to validate public keys received as part of public key-based security procedures.

Moreover, the organization has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC says patches are needed in firmware or operating system software drivers, which should be obtained from the vendors and developers of the affected products and installed—if at all possible.

Apple, Broadcom, Intel, and Qualcomm Found Affected

So far, Apple, Broadcom, Intel, and Qualcomm have been found to include affected Bluetooth chipsets in their devices, while Google, Android, and Linux have yet to confirm the existence of the vulnerability in their respective products. Microsoft products are not vulnerable.

Apple and Intel have already released patches for this security vulnerability. Apple fixed the bug with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.

Intel released both software and firmware updates to patch the Bluetooth bug on Monday, informing users that the high severity flaw impacts the company's Dual Band Wireless-AC, Tri-Band Wireless-AC, and Wireless-AC product families.

According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be affected by the reported issue, but the chip maker claims to have already made fixes available to its OEM customers, who are now responsible for providing them to the end-users.

Qualcomm has not released any statement regarding the vulnerability.

The Bluetooth SIG says that there is no evidence of the bug being exploited maliciously and that it is not aware of "any devices implementing the attack having been developed, including by the researchers who identified the vulnerability."


Source: TheHackerNews

Ecuador to Withdraw Asylum for Wikileaks Founder Julian Assange

After protecting WikiLeaks founder Julian Assange for almost six years, Ecuador is now planning to withdraw its political asylum, probably next week, and eject him from its London embassy—which would eventually turn him over to the British authorities.

Lenín Moreno, the newly-elected President of Ecuador, arrived in London this Friday to give a speech at the Global Disability Summit on 24 July 2018.

However, media reports suggest the actual purpose of the President's visit is to finalize a deal with the UK government to withdraw its asylum protection of Assange.

According to RT editor-in-chief Margarita Simonyan and the Intercept's Glenn Greenwald, multiple sources close to the Ecuadorian Foreign Ministry and the President’s office have confirmed that Julian Assange will be handed over to Britain in the coming weeks or even days.

Julian Assange, 47, has been living in Ecuador's London embassy since June 2012, when he was granted asylum by the Ecuadorian government after a British court ordered his extradition to Sweden to face questioning over sexual assault and rape allegations.

Although Sweden dropped its preliminary investigation into the rape accusation against Julian Assange just last year, Assange chose not to leave the embassy due to fears that he would eventually be extradited to the US, where he is facing federal charges for his role in publishing classified information leaked by Chelsea Manning in 2010.

Julian Assange, founder of the whistleblowing website WikiLeaks, has not been online for the last three months, after Ecuador cut his communications with the outside world from its London embassy.

The Ecuadorian government took this decision in order to preserve its good relations with Spain after Assange tweeted in support of the Catalan independence movement and blasted the Spanish government over alleged human rights violations.

According to Ecuador, Assange had breached an agreement to refrain from interfering in other states' affairs.

"Sources close to Assange said he himself was not aware of the talks but believed that America was putting 'significant pressure' on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy," RT said.

Assange is currently facing an arrest warrant from the British government for a minor charge of "failure to surrender," which carries a prison term of three months and a fine.

Now, what will be the future of Assange?

Source: TheHackerNews

Qualcomm unveils 5G antennas for the X50 modem: up to four in a phone with MIMO

The Qualcomm X50 modem promises stunning speeds of 5Gbps, but it will need the right antennas to get there. The company just unveiled its first antennas for millimeter wave and for sub-6GHz communication.

What’s the difference? Millimeter wave operates at very high frequencies – the QTM052 antenna works above 26GHz and even in the 37-40GHz range and it can receive up to 800MHz of bandwidth. That’s how you get to 5Gbps transfer speeds.

The antenna itself is tiny and it needs to be. Qualcomm envisions up to 4 of them inside smartphones. Together with the X50 modem, they support beam forming, beam steering and beam tracking technologies that are necessary to get a stable connection at a decent range.

But these high-gigahertz connections are high-bandwidth, low-range – good for densely populated cities (or even indoor use), but not outside them. This is where the sub-6GHz tech comes in.

The QPM56xx family is also designed to work with the X50. These antennas will work in several bands from 3.3GHz to 5.0GHz and support MIMO for improved reception.

Qualcomm is offering these antennas to phone makers for testing, so 5G handsets are getting closer to reality (but we still won't see them this year).
Source: GSMarena

5G Technology - How 5G makes use of millimeter waves

It took a while, but the first ever 5G spec was finally approved late last year. 5G NR, as it's called, will bring about super fast mobile internet by tapping into new spectrum. We're expecting to see the first 5G-ready phones in the first half of 2019, although most people likely won't experience the full benefits of the new technology until about a year later. Still, 5G NR promises to dramatically improve cellular internet speeds and enable experiences like always connected laptops or livestreaming from VR headsets. The entire mobile industry is excited as hell for it, so here's a little guide to help you make sense of the hype.

5G refers to the fifth generation of mobile networking standards determined by the 3GPP, the organization that sets the guidelines for every company operating in cellular communications. The official name, 5G NR, stands for New Radio, and doesn't really mean anything. It'll be used the way "LTE" is today, to differentiate it from previous versions.

Where 3G brought the internet everywhere and 4G LTE made it faster, 5G NR is meant to vastly boost both the capacity and speed of networks, bringing you your high-res cat videos and 4K VR livestreams without delay.

One of the ways 5G will enable this is by tapping into new, unused bands at the top of the radio spectrum. These high bands are known as millimeter waves (mmwaves), and have recently been opened up by regulators for licensing. They've largely been untouched by the public, since the equipment required to use them effectively has typically been expensive and inaccessible.

But technology has improved to the point where the industry collectively believes we can start tapping them for consumer electronics. And since they haven't been used for much, compared to lower bands, they're far less congested and can therefore enable super fast transfers. Qualcomm said you can expect "typical speeds" of 1.4 Gbps -- that's twenty times faster than the average US home broadband connection. At peak rates, think 5 Gbps, it's enough to stream more than 50 4K movies from Netflix at the same time.

Millimeter waves tend to be susceptible to interference and generally need to maintain line-of-sight for transmission to work. At the most basic level, mmwave transmissions usually go in a straight line between point A and point B. But something as simple as a person walking in between the receiver and transmitter can block the signal altogether.

So companies have to figure out how to make sure the signal gets from base stations to mobile devices, and with 5G NR, part of the solution is a pair of processes called beamforming and beam tracking.

In the most simple scenario for beamforming, where the biggest challenge is that the receiver isn't facing the transmitter, the solution is as simple as bouncing the beam off a surface at a precise angle. The receiving device uses beam tracking to determine which signal is the strongest and picks it up.

That sounds straightforward, until you consider the challenges when implementing this in the real world -- like in an office building. Even when you have base stations set up on your floor, there are many variables to consider. For instance, metals bounce beams, while concrete absorbs them. So if you're inside a conference room, a base station from outside could potentially shoot a beam in through a hollow wall, hit a metal lamp and bounce off to your phone. To get this to work reliably enough for public use, there have to be a ton of beams for your phone to track.

Not only that, your phone's antenna array has to be built in a way that your hand doesn't completely cover up the receiver at any time. Qualcomm's solution is to stash tiny antenna arrays in various corners of your phone, and it is working with many major smartphone brands on where to place them.

If you're not convinced that mmwaves will be stable enough when 5G first rolls out, don't fret. Just as your phone falls back to 3G when LTE isn't available, 4G will stick around to make sure you remain connected to the internet even if you're not using mmwaves. Most people won't have access to 5G immediately anyway -- the rollout is likely to begin in cities and spread out to rural areas, and you may need an expensive, high-end device to tap the new technology at first. Later versions of 5G will also allow things like IoT devices to connect to mmwaves, as well as allow for use of unlicensed spectrum to increase speeds some more. But eventually, it should become as prevalent as 4G is today. When that happens, what a world it will be.
Source: Engadget

Why buying an iPhone X knockoff can be a security nightmare

A couple of years ago, a friend of mine travelling through China sent me an email and asked if I’d be interested in a knockoff iPhone 5. “How much is it?” I asked. “About $50,” my friend answered. I decided to pass. Though I was intrigued about what it was like to use a mythical iPhone knockoff, $50 seemed a little steep to satiate what was nothing more than mild curiosity.

My friend ended up picking up an iPhone knockoff for himself, and when I used it briefly, it was entertaining though clearly not a bona fide Apple product from both a hardware and software perspective. Years later, iPhone knockoffs have gotten markedly better at mimicking iOS. More worrisome, though, is that some iPhone knockoffs can be downright dangerous. While a cheap iPhone knockoff can be fun to play around with for a few minutes, Jason Koebler of Motherboard recently discovered that such knockoffs can be brimming with malware.

After a colleague of Koebler’s picked up an alleged iPhone X for $100, Koebler was immediately struck by how sophisticated the software looked. While a deeper dive revealed some glaring holes and obvious references to Android, the device at first glance was rather remarkable. It even boasts a working Lightning port! As far as impostor devices are concerned, this one certainly seems top-notch.

So what’s the problem here? Why not have a little bit of fun with an Android device posing as an iPhone? Well, Koebler eventually sent the device to security researcher Chris Evans, who quickly discovered that the device was nothing short of a security nightmare, complete with backdoors and apps designed to spy on user behavior and run code remotely.

“If it isn’t outright malicious its overall security is pretty much non-existent,” Evans told us.

Several of the stock fake Apple apps, such as Compass, Stocks, and Clock, ask for “invasive permissions,” such as reading text messages. It’s unclear whether this is a sign that the developers were mediocre or malicious, Evans wrote.

“The mishmash of default apps preinstalled on the phone I was given are horribly insecure (if not outright malware),” Evans said.

Put simply, if you’re ever inclined to pick up a knockoff iPhone just for kicks, you’d be well advised to err on the side of caution. And if you simply can’t help yourself, the last thing you want to do is actually enter any of your credentials for services like email and iCloud.

Microsoft Releases PowerShell Core for Linux as a Snap Package

Microsoft has released its command-line shell and scripting language PowerShell Core for the Linux operating system as a Snap package, making it easier for Linux users to install Microsoft PowerShell on their systems.

Yes, you heard me right.

Microsoft has made PowerShell Core available to the Ubuntu Snap Store as a Snap application.

PowerShell Core is a cross-platform version of Windows PowerShell that is already available for Windows, macOS, and Linux OS and has been designed for sysadmins who manage assets in hybrid clouds and heterogeneous environments.

Snap is a universal Linux packaging system, built by Canonical for the Ubuntu operating system, which makes an application compatible with all major Linux distributions without requiring any modification.

A Snap package is basically an application compressed together with its dependencies and also includes instructions on how to run and interact with other software on various Linux systems.

"Snaps are great because they provide a single package format that works across many Linux distributions, much like how PowerShell acts as a single automation platform across operating systems," explains Joey Aiello, Program Manager of PowerShell at Microsoft.

"We hope our users enjoy the simplified installation and update experience of Snaps as much as we do."

"PowerShell Core from Microsoft is now available for Linux as a Snap. Built on the .NET Framework, PowerShell is an open source task-based command-line shell and scripting language with the goal of being the ubiquitous language for managing hybrid cloud assets," says Canonical.

"It is designed specifically for system administrators and power-users to rapidly automate the administration of multiple operating systems and the processes related to the applications that run on those operating systems."

How to Install PowerShell Core on Linux

To install Microsoft PowerShell Core as a snap package on a Linux-based OS, you first need to install snapd and then run the following command.

snap install powershell --classic

Once installed, open a terminal and run the command pwsh.

Alternatively, you can directly head on to this web page, and install PowerShell Core snap app on your system.

If you want to try out beta software, you can also install the official preview/beta version of PowerShell found here, or run the command below from the terminal.

snap install powershell-preview --classic

The arrival of PowerShell Core on the Snap store is definitely a big deal.

Earlier this year, Microsoft even released a Skype Snap app. All these are a continued sign of Microsoft’s support for the open source community.

And one should not forget, Microsoft now owns GitHub!

Source: TheHackerNews

Singapore's Largest Healthcare Group Hacked, 1.5 Million Patient Records Stolen

Singapore's largest healthcare group, SingHealth, has suffered a massive data breach that allowed hackers to snatch personal information on 1.5 million patients who visited SingHealth clinics between May 2015 and July 2018.

SingHealth is the largest healthcare group in Singapore, with two tertiary hospitals, five national specialty centres, and eight polyclinics.

According to an advisory released by Singapore's Ministry of Health (MOH), along with the personal data, hackers also managed to steal 'information on the outpatient dispensed medicines' of about 160,000 patients, including Singapore's Prime Minister Lee Hsien Loong and a few ministers.

"On 4 July 2018, IHiS' database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity," MOH said.

The stolen data includes the patient's name, address, gender, race, date of birth, and National Registration Identity Card (NRIC) numbers.

The Ministry of Health said the hackers "specifically and repeatedly" targeted the PM's "personal particulars and information on his outpatient dispensed medicine."

So far there's no evidence of who was behind the attack, but the MOH stated that the cyber attack was "not the work of casual hackers or criminal gangs." The local media is also speculating that the hack could be the work of state-sponsored hackers.

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) also confirmed that "this was a deliberate, targeted, and well-planned cyberattack."

PM Comments On SingHealth Healthcare Data Breach

Commenting on the cyber attack through a Facebook post published today, Singapore's Prime Minister said he believes that the attackers are "extremely skilled and determined" and they have "huge resources" to conduct such cyber attacks repeatedly.

"I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed," Singapore PM said. "My medication data is not something I would ordinarily tell people about, but nothing is alarming in it."

The Singapore government has assured its citizens that no medical records were tampered with or deleted, and that no diagnoses, test results, or doctors' notes were stolen in the attack.

All affected patients will be contacted by the healthcare institution over the next five days.

Since the healthcare sector is part of the nation's critical infrastructure, alongside water, electricity, and transport, it has increasingly become an attractive target for hackers.

In the past few years, we have reported several hacks and data breaches, targeting the healthcare sector. Just last month, it was revealed that DNA registries of more than 92 million MyHeritage customers were stolen in the previous year by some unknown hackers.

Earlier this year, it was reported that more than half of Norway's population had its healthcare data exposed in a massive data breach that targeted the country's major healthcare organization.

The foremost thing to protect against any data breach is to stay vigilant, as nobody knows when or where your stolen identities will be used. So, affected consumers will just have to remain mindful.

Source: TheHackerNews

Microsoft Offers $100,000 Bounty for Finding Bugs in Its Identity Services

Microsoft today launched a new bug bounty program for bug hunters and researchers finding security vulnerabilities in its "identity services."

Hacking into networks and stealing data have become common and easier than ever, but not all data holds the same business value or carries the same risk.

Since security today depends on the collaborative communication of identities and identity data within and across domains, customers' digital identities are usually the key to accessing services and interacting across the Internet.

Microsoft said the company has heavily invested in the "creation, implementation, and improvement of identity-related specifications" that encourage "strong authentication, secure sign-on, sessions, API security, and other critical infrastructure tasks."

Therefore, to further bolster its customers' security, the tech giant has launched an all-new and independent bug bounty program.

Dubbed Microsoft Identity Bounty Program, the newly-launched bug bounty program covers Microsoft Account and Azure Active Directory identity solutions, as well as some implementations of the OpenID specifications.

The payouts for the new Microsoft Identity Bounty Program range from $500 to $100,000, depending upon the impact of the vulnerabilities security researchers and bug hunters find.

"If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details," wrote Phillip Misner, Principal Security Group Manager.
"Submissions for standards protocol or implementation bounties need to be with a fully ratified identity standard in the scope of this bounty and have discovered a security vulnerability with the protocol implemented in our certified products, services, or libraries."

Microsoft's Identity Bounty Program

If you want to take part in the Microsoft Identity Bounty program, you'll need to offer high-quality submissions that reflect the research that you put into your finding, and share your knowledge and expertise with Microsoft developers and engineers, so they can quickly reproduce, understand, and fix the issue.

Visit the source link for more info.

Source: TheHackerNews

21-Year-Old Woman Charged With Hacking Selena Gomez's Email Account

A 21-year-old New Jersey woman has been charged with hacking into the email accounts of pop star and actress Selena Gomez, stealing her personal photos, and then leaking them to the Internet.

Susan Atrach of Ridgefield Park was charged Thursday with 11 felony counts—five counts of identity theft, five counts of accessing and using computer data to commit fraud or illegally obtain money, property or data, and one count of accessing computer data without permission.

According to a press release from the Los Angeles County District Attorney's office, Atrach allegedly hacked into email accounts belonging to Gomez and one of her associates several times between June 2015 and February 2016.

She then obtained images and other media stored there and shared them with her friends and posted them online.

Gomez, who has more than 138 million followers on Instagram, was the victim of a hacking attack in August 2017, when nude photographs of her ex-boyfriend Justin Bieber were posted to her Instagram account.

However, it is not immediately clear if those photos were also the subject of the criminal charges against Atrach.

According to the LA Times, Atrach is believed to have broken into Apple iCloud and Yahoo email accounts used by Gomez and her personal assistant by using publicly available information to answer the singer's "secret questions."

She then reportedly stole digital information, including nude photos of Justin Bieber that were taken as Gomez and Bieber vacationed in Bora Bora in 2015, and posted them online.

Atrach is scheduled to be arraigned in Los Angeles Superior Court by August 27. If convicted, Atrach could face up to nine years and eight months in prison.

Neither Gomez nor any of her representatives have made a comment on the case.

It seems like celebrities are not taking the security of their online accounts seriously, as anyone could find the answers to celebrities’ security questions among hundreds of pieces of information about the celebrities readily available on the Internet.

In the past, hackers managed to breach the iCloud accounts of hundreds of singers and actresses, including Jennifer Lawrence, Kate Upton, Miley Cyrus, and Kim Kardashian, extract nude photos and videos, and then post them online—the incident widely known as the Fappening.

So, lesson learned—always choose strong and unique passwords for all your online accounts and enable two-factor authentication, if available, so that even if hackers know your password, they cannot get into your account.

Moreover, do not use easy-to-guess answers to your security questions; use answers that only you know, and nobody else.

Since such hacks are usually conducted using social engineering tricks, you are advised to avoid clicking on any suspicious link or attachment you receive via an email or message and avoid providing your personal or financial information without verifying the source properly.

Source: TheHackerNews

Google Cloud Platform fixes issues that took down Spotify, Snapchat and other popular sites

  • Issues with Google Cloud Platform and Domains hit several major websites and apps on Tuesday.
  • Users reported issues with websites with Google domains, like Breitbart and Drudge Report, as well as apps hosted on the Google Cloud Platform, including Snapchat, Discord and Spotify.

Other apps affected include Agile CRM, Instapage, Pivotal Tracker, Sourcegraph and PokemonGo.

Google's Cloud Status Dashboard showed disruptions in its App Engine, Cloud Networking and Stackdriver.

"We are aware of issues affecting some of our GCP services and the team is actively investigating," Google said in a statement.

The Drudge Report and Breitbart were back up and running within about a half hour. Around that same time, Google said issues with Stackdriver, which provides performance and diagnostics data to public cloud users, were resolved for "some users," with a full resolution forthcoming. The company said issues with Google Cloud Platform services should have been resolved for all users by about 3:45 p.m. EST.


Source: CNBC

Malware Campaign Targets Samsung Service Centre In Italy

Security researchers have discovered ongoing malware campaigns targeting Samsung service centers in Italy, campaigns that appear to be the counterparts of attacks that have previously targeted similar electronics service centers in Russia this year.

These malware campaigns are nothing out of the ordinary, and the only thing that remains a mystery is their purpose and end goal.

Mundane malware distribution effort

The attacks usually start with spoofed spear-phishing emails delivered to Samsung Italy service center staff.

These emails carry attached Excel documents that, when opened, exploit CVE-2017-11882, a stack buffer overflow in the Office Equation Editor component (EQNEDT32.EXE), to infect users with malware.
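As an added triage example, not code from the TG Soft or Fortinet reports, the script below flags the Equation Editor indicators an analyst looks for in a suspicious attachment: the Equation.3 CLSID as it is stored in an OLE directory entry, the "Equation Native" stream name, and the Equation.3 ProgID that OOXML documents use to reference the embedded object. The documents it scans are constructed stand-ins built in memory, not real malicious files; the indicator set and the minimal header-plus-directory-entry layout of the samples are assumptions made for the example.

```python
import io
import struct
import uuid
import zipfile

# CLSID registered for Microsoft Equation Editor 3.0, the EQNEDT32.EXE component hit by CVE-2017-11882
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header signature

# Byte patterns worth flagging. An OLE directory entry stores the CLSID in mixed-endian
# (uuid.bytes_le) form and the stream name as UTF-16LE; OOXML references the object by ProgID.
INDICATORS = {
    "clsid_equation_3": EQNEDT_CLSID.bytes_le,
    "stream_equation_native": "Equation Native".encode("utf-16-le"),
    "progid_equation_3": b"Equation.3",
}


def scan_bytes(data):
    """Return the names of the indicators whose byte pattern occurs anywhere in data."""
    return {name for name, needle in INDICATORS.items() if needle in data}


def scan_document(data):
    """Scan an Office attachment. Legacy OLE files (.doc/.xls) are scanned as-is; OOXML
    containers (.docx/.xlsx, really a zip) are unpacked so that the embedded
    word/embeddings/oleObject*.bin parts and the document XML are scanned as well."""
    found = scan_bytes(data)
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for member in archive.infolist():
                    found |= scan_bytes(archive.read(member))
        except zipfile.BadZipFile:
            pass  # truncated or corrupt archive: report what the raw bytes gave us
    return found


def ole_directory_entry(name, clsid):
    """Build one 128-byte OLE directory entry: null-terminated UTF-16LE name padded to 64 bytes,
    name length, object type (2 = stream), colour flag, three sibling/child IDs, then the CLSID."""
    raw_name = name.encode("utf-16-le") + b"\x00\x00"  # length field counts the terminator
    header = struct.pack("<HBBIII", len(raw_name), 2, 1, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)
    return (raw_name.ljust(64, b"\x00") + header + clsid.bytes_le).ljust(128, b"\x00")


def constructed_ole_sample():
    """Constructed stand-in for a malicious .xls: header, padding and an Equation Native stream entry."""
    return OLE_MAGIC + b"\x00" * 504 + ole_directory_entry("Equation Native", EQNEDT_CLSID)


def constructed_ooxml_sample():
    """Constructed stand-in for a malicious .docx with an embedded Equation.3 OLE object."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml",
                         '<w:document><o:OLEObject ProgID="Equation.3" r:id="rId5"/></w:document>')
        archive.writestr("word/embeddings/oleObject1.bin",
                         OLE_MAGIC + b"\x00" * 504 + ole_directory_entry("\x01Ole10Native", EQNEDT_CLSID))
    return buf.getvalue()


def constructed_benign_sample():
    """Constructed OLE file that carries a Workbook stream and no Equation Editor object."""
    return OLE_MAGIC + b"\x00" * 504 + ole_directory_entry("Workbook", uuid.UUID(int=0))


if __name__ == "__main__":
    for label, sample in [("ole", constructed_ole_sample()),
                          ("ooxml", constructed_ooxml_sample()),
                          ("benign", constructed_benign_sample())]:
        print(label, sorted(scan_document(sample)))
```

A hit means only that the attachment embeds an Equation Editor object, which old but benign documents can also do, so treat it as a triage signal rather than a verdict; since Microsoft removed Equation Editor from Office in its January 2018 updates, a freshly mailed spreadsheet carrying one deserves a closer look with a proper OLE parser such as oletools' oleobj, which also extracts the object for inspection.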

The entire malware delivery system and exploit chain is described in a detailed report published by Italian cyber-security firm TG Soft and is nearly identical to the attacks targeting electronics service centers in Russia, as described in an earlier Fortinet report.

Both attack waves, targeting Italy and Russia, started at the end of March, according to the two reports. But while Russian service centers were targeted with the Imminent Monitor RAT, the attacks on Samsung Italy service centers also deployed other RATs such as NetWire and njRAT.

Both companies also noted that the spear-phishing emails are very well put together and appear to have been written by native Italian and Russian speakers, respectively.

Nobody knows the purpose of these attacks

But despite all the data gathered by TG Soft and Fortinet, neither company has been able to determine why the attackers are targeting electronics service centers in the first place.

Such service centers hold very little customer data worth stealing, and an attacker has plenty of more attractive targets from which more useful data could be taken.

One explanation may be that the attackers are trying to taint the tools used in these service centers so that devices leave repair with malware installed. But this is only a theory; no evidence has surfaced to support it, and the purpose of the campaign remains a mystery.


Source: bleepingcomputer

HTML5: a devil in disguise

In today’s digital age, online users have become much more demanding about the quality of the websites or applications they are using. They have come to expect an optimized user experience as a basic requirement and HTML5 has played a key role in enabling developers to improve user experience, without the security risks associated with plugins like Flash. Indeed, after the series of reported Adobe Flash vulnerabilities in recent years, browser vendors, publishers and developers have turned to HTML5, which seemed to promise greater security and more advanced features. As a result, the percentage of websites that use HTML5 has grown to 70 percent.

However, despite HTML5 being universally supported across devices and across web and mobile platforms, it has security issues of its own. Over the last couple of months, The Media Trust's Digital & Security Operations team has discovered numerous malware incidents that call HTML5's security reputation into question.

Hiding in plain sight

The malware uses JavaScript to hide inside HTML5 ad creatives to avoid detection and is designed to lure victims into entering their information in response to a pop-up ad. That information is then stored and used for malicious purposes.

What makes this malware distinctive is that its code is split into chunks, which makes signature-based detection hard, and is reassembled only when certain conditions are met. It is spreading quickly through the digital marketing and media world and is responsible for over 20 separate incidents affecting online media publishers across the globe and at least 15 ad networks.

This attack vector is one of the latest examples of how malware developers are constantly looking for new, creative ways of exploiting an open standard's basic functionality to launch their attacks.

However, this is not the first encounter with HTML5 malware. In 2015, as the retreat from Adobe Flash began, security researchers described several techniques attackers could use to abuse HTML5 APIs, using the same obfuscation and de-obfuscation JavaScript tricks to deliver drive-by malware. The following year, such malware was used to freeze computers and covertly collect users' personal information, including phone numbers. This year's incidents differ in that they require no interaction from the victim and show a higher level of coordination than earlier versions.

Indeed, the campaign reflects the attackers' knowledge of the display advertising supply chain and their ability to pick out likely victims. The result is quicker, more successful attacks with a much wider scale of infection.

Throughout the years, no version of this HTML5 malware has been stopped by antivirus solutions. For more information, head over to the source link.

Source: CSO

Hackers update Upatre malware downloader with new detection evasion techniques

Upatre has been active since 2013 and linked with the Dyre banking trojan

Cybercriminals have previously used Upatre as a downloader for various malware like Locky, Dridex, Zeus, GameOver and others.

Security researchers have discovered that Upatre, a popular malware downloader first seen in 2013, has been upgraded by cybercriminals with new detection evasion techniques. Upatre is known for its links with the Dyre banking malware; in July 2015, Dyre infections delivered by Upatre peaked at over 250,000 per month.

However, since the cybercriminals behind Dyre were apprehended by authorities in November 2015, Upatre has all but disappeared from use.

Despite this, researchers at Palo Alto Networks have discovered a previously unknown variant of Upatre which they believe was compiled in December 2016.

“This previously undocumented variant features significant code flow obscuration, a pro re nata means of decryption for network communications, and of particular interest, the method in which this variant evades virtual machine detection,” Palo Alto researchers wrote in a blog.

Old tool, new tricks

Upatre was once quite a popular tool amongst cybercriminals, serving as a downloader for various malware variants including, Zeus, GameOver, Dridex, Locky, Kegotip and Dyre, among others. The downloader is generally delivered to targeted systems either as an email attachment or via a compromised website.

The new variant was found to be written in Visual C++ and is capable of detecting whether it is running within a virtual machine.

“Although virtual machine detection is anything but new, in this variant, it is handled a bit differently than other samples previously analyzed by Unit 42,” Palo Alto researchers added. “To evade detection, the newly observed variant enumerates the running processes on the host, generates a CRC32 hash of the process name, performs an XOR with a hard-coded key of 0x0F27DC411, and finally compares the newly computed value against a list of values stored in an array within the code.”
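To make the quoted check concrete, here is an added example that is not Unit 42's code and not taken from the sample: it reproduces the hashing and uses it the way an analyst would, hashing a wordlist of process names to recover which names a stored array of values corresponds to. The key 0x0F27DC411 is written with a leading zero in assembler style, so the 32-bit value is 0xF27DC411. The example assumes standard zlib CRC32 over the ASCII bytes of the name; the report does not say whether names are case-folded, so each wordlist entry is tried in several cases. The stored array and the wordlist are constructed for the example.

```python
import zlib

# Key quoted in the Unit 42 write-up; 0x0F27DC411 is assembler notation for the 32-bit value 0xF27DC411
XOR_KEY = 0xF27DC411


def hash_process_name(name):
    """CRC32 of the process name XORed with the hard-coded key, as described for this variant.
    Assumption: standard (zlib) CRC32 over the ASCII bytes of the name exactly as given."""
    return zlib.crc32(name.encode("ascii")) ^ XOR_KEY


def case_variants(name):
    """The report does not say whether the name is case-folded before hashing, so try the usual forms."""
    return {name, name.lower(), name.upper()}


def recover_process_names(stored_values, wordlist):
    """Map each value found in the binary's array back to a process name from the wordlist.
    Values with no match are mapped to None so the analyst can see what is still unknown."""
    table = {}
    for name in wordlist:
        for variant in case_variants(name):
            table[hash_process_name(variant)] = variant
    return {value: table.get(value) for value in stored_values}


# Constructed wordlist of processes commonly checked by sandbox-aware malware (an assumption, not Unit 42's list)
WORDLIST = [
    "vmtoolsd.exe", "vboxservice.exe", "vboxtray.exe", "vmwaretray.exe",
    "vmwareuser.exe", "procmon.exe", "wireshark.exe", "ollydbg.exe", "x64dbg.exe",
]

# Constructed array standing in for the values pulled out of the sample; 0xDEADBEEF is deliberately unmatched
STORED_VALUES = [hash_process_name("vboxservice.exe"), hash_process_name("VMTOOLSD.EXE"), 0xDEADBEEF]

if __name__ == "__main__":
    for value, name in recover_process_names(STORED_VALUES, WORDLIST).items():
        print(f"{value:#010x} -> {name}")
```

Because the XOR is reversible, each stored value can also be turned straight back into the raw CRC32 by XORing with the key again, which lets you compare the array against CRC32 lookup tables published for other families without re-hashing the wordlist; values that stay unmatched after a decent wordlist are the interesting ones, since they are the analysis tools this variant was specifically worried about.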

The new Upatre version is also capable of loading code in-memory and can disable several Windows services including Windows Firewall, Defender, Security Center, connection sharing and more. The malware can also disable Internet Explorer’s phishing filter and remove security notifications on Windows 7 and later versions.

Researchers found that the new Upatre variant uses the same .bit (Namecoin) domains used by other malware families such as Necurs, GandCrab, Vobfus, Tofsee, Floxif and Ramnit.

“This version of Upatre contains significantly obfuscated code to increase the difficulty of analysis,” Palo Alto researchers said. “Due to the C2 domains being down at the time of our analysis, which was unsurprising given the potential age of the sample, we were never able to capture the ultimate payload for this new Upatre variant.”


Source: cyware

A team of cybersecurity researchers at Ben-Gurion University of the Negev (BGU) has demonstrated that a compromised third-party replacement touchscreen can track a user's touch movements and, from them, infer valuable information and impersonate the user while they send emails, conduct financial transactions or even play games.

Broken smartphone touchscreens are often replaced with aftermarket components produced by third-party manufacturers, into whose circuitry malicious code can be embedded.

"Our research objective was to use machine learning to determine the amount of high-level context information the attacker can derive by observing and predicting the user’s touchscreen interactions," says Dr. Yossi Oren, a researcher in the BGU Department of Software and Information Systems Engineering. "If an attacker can understand the context of certain events, he can use the information to create a more effective customized attack.”

For example, an attacker could learn when to steal user information or how to hijack the phone by injecting malicious touches. To quantify the amount of high-level context information available, the researchers recorded 160 touch interaction sessions from users running many different applications. Using a series of questions and games, they applied machine learning to stroke velocity, duration and interval data collected on specially modified LG Nexus Android phones.

According to the researchers, the machine learning results demonstrated an accuracy rate of 92 percent.

"Now that we have validated the ability to obtain high level context information based on touch events alone, we recognize that touch injection attacks are a more significant potential threat," Dr. Oren says. "Using this analysis defensively, we can also stop attacks by identifying anomalies in a user's typical phone use and deter unauthorized or malicious phone use."

Dr. Oren presented the findings at the Second International Symposium on Cybersecurity, Cryptography and Machine Learning (CSCML) on June 21-22 in Beer-Sheva, Israel. The findings were published by Springer in Lecture Notes in Computer Science. The team of researchers includes BGU undergraduate students Moran Azaran, Niv Ben-Shabat, and Tal Shkonik.


Source: security magazine

Antivirus isn't good enough: how to stop ransomware (Download)

If you’ve got an antivirus on your PC, you might assume you’re covered against anything the web can throw at you. But protection against ransomware isn’t always built into antivirus software, and even if it is, the protection may be insufficient. Here’s why you should have anti-ransomware software in addition to your antivirus.

PC security is the last thing many of us want to think about, but you can’t just enable auto-updates for Windows, install an antivirus and forget about it forever. If you do, you could end up paying the price, quite literally. Ransomware is a type of malware that holds your files or your whole hard disk hostage until you pay up. Your computer can become infected through Trojans, seemingly innocent files you download that secretly contain malware. Ransomware can also spread without any user action at all, as in the case of WannaCry, a devastating attack which affected hundreds of thousands of PCs worldwide in 2017. According to statistics from Acronis, a data protection company, ransomware strikes another computer somewhere in the world every 10 seconds, and the average ransom demanded was $1,100 in 2017. Make sure you’re not next!

It’s tough to keep up with what your antivirus claims to protect against. Even if it says it protects against ransomware, you have to find out how the protection works to understand to what extent you’re covered.

Here’s what you should be asking about your level of ransomware coverage:

  • Does it just protect against known threats, or can it also recognize zero-day attacks (never-before-seen threats)?
  • Does it provide real-time system behavior monitoring?
  • Does it protect against encryption, alteration or deletion of selected folders or files?
  • Does it only provide vaccination against certain families of ransomware?
  • In the event of an attack, can it restore your files from a local cache?
  • If your whole disk is encrypted, can it restore your files from the cloud?

That’s a lot to wrap your head around. What’s worse is that there’s no single, perfect solution that does it all.

What’s our recommendation?

It is getting more and more critical to have specialized protection against ransomware that goes beyond your antivirus, as new strains of ransomware are proliferating at an alarming rate. There is a new company I came across during my search for the perfect anti-ransomware Windows application. It is called "Acronis". Though it is free software, it provides the perfect solution for your anti-ransomware and PC protection.

Acronis Ransomware Protection was designed to work alongside your antivirus as an extra layer of protection. It works by monitoring your PC in real time, flagging suspicious processes, stopping zero-day attacks and backing up your files (locally and to the cloud). It’s free, easy to install and simple to use. It also includes 5 GB of cloud storage to protect your data.

Download Acronis Ransomware Protection here for free

Don’t let yourself be at risk of losing your most precious files or having to pay a huge ransom. Getting extra protection against ransomware is free.

Source: Androidpit

Hacker Sold Stolen U.S. Military Drone Documents On Dark Web For Just $200

You never know what you will find on the hidden Internet 'Dark Web.'

Just about an hour ago we reported on someone selling remote access to security systems at a major international airport for $10.

It has been reported that a hacker was found selling sensitive US Air Force documents on the dark web for between $150 and $200.

Threat intelligence firm Recorded Future reported today that it discovered a hacker attempting to sell secret documents about the MQ-9 Reaper drone, used across federal government agencies, for only a few hundred dollars on a dark web forum last month.

First introduced in 2001, the MQ-9 Reaper drone is currently used by the U.S. Air Force, the U.S. Navy, U.S. Customs and Border Protection, NASA, the CIA, and the militaries of several other countries.

Recorded Future's Insikt Group analysts found the hacker during their regular monitoring of the dark web for criminal activity. They posed as potential buyers and engaged the newly registered hacker before confirming the validity of the compromised documents.

Default FTP Credential Allowed Hacker to Steal Sensitive Data

Insikt Group analysts learned that the hacker obtained the sensitive documents by gaining access to a Netgear router at Creech Air Force Base that was still using the default FTP login credentials for file sharing.

The authentication weakness in Netgear routers that the hacker exploited to reach the sensitive military data was first disclosed two years ago, and according to Recorded Future more than 4,000 routers still run unpatched firmware and remain susceptible to the attack.


Source: TheHackerNews

USB Accessory Can Defeat iOS's New "USB Restricted Mode" Security Feature

With the release of iOS 11.4.1, Apple has finally rolled out a new security feature designed to protect your devices against USB accessories that connect to the data port, making it harder for law enforcement and hackers to break into your iPhone or iPad without your permission.

Dubbed USB Restricted Mode, the feature automatically disables data connection capabilities of the Lightning port on your iPhone or iPad if the device has been locked for an hour or longer, while the port can still be used for device charging.

In other words, every time you lock your iPhone, a countdown timer of an hour gets activated in the background, which if completed, enables the USB restricted mode to prevent unauthorized access to the data port.

Once USB Restricted Mode is active, there is no way left to break into the iPhone or iPad over the port without the user's permission.

The feature is plainly aimed at defeating the special unlocking hardware made by Cellebrite and Grayshift, which law enforcement uses to attempt many passcode guesses via the iPhone's Lightning port.

Defeating Apple's New "USB Restricted Mode" Security Feature

However, security researchers from ElcomSoft have found a simple way that could allow anyone to reset the countdown timer of USB Restricted Mode to effectively defeat the purpose of the new security feature.

According to the researchers, directly connecting a USB accessory, such as Apple's $39 Lightning to USB 3 Camera adapter, to a targeted iOS device within an hour of it last being unlocked resets the one-hour countdown.

Activation of USB Restricted Mode can also be prevented even with untrusted Lightning accessories, that is, ones that have never been paired with the iPhone before.

"In other words, once the police officer seizes an iPhone, he or she would need to immediately connect that iPhone to a compatible USB accessory to prevent USB Restricted Mode lock after one hour," ElcomSoft's Oleg Afonin explains. "Importantly, this only helps if the iPhone has still not entered USB Restricted Mode."

ElcomSoft researchers are also experimenting with unofficial and cheap Lightning to USB adapters to see whether they, too, can extend the one-hour time limit.

The issue does not look like a severe vulnerability, more like a mistake on Apple's part, "probably nothing more than an oversight," and we hope Apple patches it shortly.

If you need to activate USB Restricted Mode on your iOS device immediately, before the countdown timer ends, press the power button five times, which brings up the Emergency SOS screen.


Source: TheHackerNews

Iranian Hackers Tried to Impersonate Israeli Cyber-security Company

Last month, the Israeli cybersecurity firm ClearSky found that the Iranian hacker group Charming Kitten had built a near-copy of ClearSky's own website.

The Israeli cybersecurity firm ClearSky has exposed several cases in which Iranian  hackers impersonated legitimate websites. In February, for instance, it revealed an operation it called Ayatollah BBC – a series of Iranian-run websites impersonating foreign or even Iranian media outlets. 

But earlier this month, it reported that it, too, has joined the list of victims of these Iranian “copy and paste” operations.

Last month, the company discovered that a hacker group called Charming Kitten, which had perpetrated previous attacks, was still operating. The group is connected to the Iranian government and is deemed an “advanced persistent threat,” meaning it comprises sophisticated hackers.

It has occasionally hit the headlines, once when one of its members was involved in breaking into the HBO television network and stealing videos and other files, including scripts for the hit series “Game of Thrones.”

The group often uses “watering hole” attacks, which utilize either legitimate sites or seemingly innocent but malicious sites to infect users with malware that the hackers can then use to spy on them. For instance, ClearSky researchers discovered the group had created a website which impersonated the German paper Deutsche Welle’s site. 

The hackers also managed to insert a malicious page into the website of a Los Angeles Jewish community paper, the Jewish Journal. The page invited users to a webinar and included a link that activated a program called BeEF, which stands for Browser Exploitation Framework. BeEF was originally created for security researchers who look for security breaches, particularly in browsers, in order to improve their defenses. But it has proven a double-edged sword that attackers can use for less benign ends.

ClearSky's most entertaining discovery so far, however, relates directly to the company. As the website Bleeping Computer reported last week, the Charming Kitten group impersonated ClearSky itself by creating a website almost identical to that of the Israeli firm, with a slightly different address: the imposter site ended in ".net" rather than ".com".

ClearSky researchers found some broken links in the fake site, leading them to think it is still under development.

The obvious question is what the Iranian hackers hoped to achieve with this impersonation. The answer lies in one very significant difference between the two sites: Unlike the original site, the Iranian version allows users to register. This would enable the hackers to steal information from ClearSky’s customers, who would think they were merely registering to receive site updates. The moment a user clicked on the registration link, the hackers would be able to steal his or her personal information, including passwords for service providers.
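Defenders can catch this kind of lookalike registration before it goes live. The script below is an added example, not ClearSky's or Bleeping Computer's code: it generates the variants of a brand domain that an impersonator is likely to register (a TLD swap as in the ClearSky case, hyphenation, dropped, doubled and swapped characters, and ASCII homoglyphs) and matches them against a list of observed domains. The brand domain and the observed list are constructed for the example; in practice the observed list would come from a certificate transparency or newly-registered-domain feed.

```python
COMMON_TLDS = ["com", "net", "org", "io", "co", "info", "biz", "xyz"]

# ASCII-only look-alike substitutions; IDN/Unicode homoglyphs are out of scope here
HOMOGLYPHS = {"l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
              "a": ["4"], "s": ["5"], "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"]}


def split_domain(domain):
    """Split 'label.tld' (assumption: a second-level domain under a single-label TLD)."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def lookalike_variants(domain):
    """Return the set of single-edit domains an impersonator is likely to register for `domain`."""
    label, tld = split_domain(domain)
    variants = set()

    # 1. Same name, different TLD (the clearsky.com -> clearsky.net case)
    variants.update(f"{label}.{t}" for t in COMMON_TLDS if t != tld)

    # 2. Hyphen inserted anywhere inside the label (clear-sky.com)
    variants.update(f"{label[:i]}-{label[i:]}.{tld}" for i in range(1, len(label)))

    # 3. One character dropped or doubled (clarsky.com, cleearsky.com)
    for i in range(len(label)):
        variants.add(f"{label[:i]}{label[i + 1:]}.{tld}")
        variants.add(f"{label[:i + 1]}{label[i]}{label[i + 1:]}.{tld}")

    # 4. Adjacent characters swapped (claersky.com)
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.add(f"{swapped}.{tld}")

    # 5. One ASCII homoglyph substitution at each position where it applies (c1earsky.com)
    for src, replacements in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            for rep in replacements:
                variants.add(f"{label[:start]}{rep}{label[start + len(src):]}.{tld}")
            start = label.find(src, start + 1)

    variants.discard(domain.lower())
    return variants


def find_lookalikes(domain, observed_domains):
    """Return the observed domains that are lookalikes of `domain`, sorted for stable output."""
    variants = lookalike_variants(domain)
    return sorted(d for d in set(observed_domains) if d.lower() in variants)


# Constructed feed of newly observed domains (not real registrations)
OBSERVED = ["clearsky.net", "clear-sky.com", "c1earsky.com", "clearsky.com",
            "example.org", "clearskies.com", "cleasky.net"]

if __name__ == "__main__":
    print(find_lookalikes("clearsky.com", OBSERVED))
```

The generator is deliberately single-edit, so a domain that combines two tricks (cleasky.net in the constructed feed drops a letter and swaps the TLD) is missed; running the generator a second time over its own output catches those at the cost of a much larger set, which is the usual trade-off in brand monitoring.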


Source: Haaretz

Stolen D-Link Certificate Used to Digitally Sign Spying Malware

Digitally signed malware has become much more common in recent years as a way of masking malicious intent.

Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from Taiwanese tech-companies, including D-Link, to sign their malware and making them look like legitimate applications.

Code-signing certificates issued by a trusted certificate authority (CA) are used to cryptographically sign applications and software, and a valid signature lets your computer run the program without any warning messages.

However, malware authors and hackers, who are always in search of new techniques to bypass security solutions, have been abusing trusted digital certificates in recent years.

Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer devices.

Security researchers from ESET have recently identified two malware families, previously associated with cyberespionage group BlackTech, that have been signed using valid digital certificates belonging to D-Link networking equipment manufacturer and another Taiwanese security company called Changing Information Technology.

The first malware, dubbed Plead, is a remotely controlled backdoor designed to steal confidential documents and spy on users.

The second is a related password stealer designed to collect saved passwords from Google Chrome, Microsoft Internet Explorer, Microsoft Outlook, and Mozilla Firefox.

Researchers notified both D-link and Changing Information Technology about the issue, and the companies revoked the compromised digital certificates on July 3 and July 4, 2018, respectively.

Since most antivirus software does not check whether a code-signing certificate has been revoked, the BlackTech hackers are still using the same certificates to sign their malicious tools. Revocation is only as good as the verifier that consults the CRL or OCSP responder, and under Authenticode a signature carrying a trusted timestamp from before the revocation date remains valid unless the CA revokes the certificate with an earlier effective date.

"The ability to compromise several Taiwan-based technology companies and reuse their code-signing certificates in future attacks shows that this group is highly skilled and focused on that region," the researchers said.

It is not the first time hackers have used valid certificates to sign their malware. The infamous Stuxnet worm that targeted Iran's uranium enrichment facilities, discovered in 2010, was signed with certificates stolen from Realtek and JMicron.

Also, the 2017 CCleaner hack, in which the original CCleaner software was replaced with a tainted download, worked because the trojanized build was distributed as a digitally signed official update.


Source: TheHackerNews

DomainFactory Hacked—Hosting Provider Asks All Users to Change Passwords

Besides Timehop, another data breach was discovered last week that affects users of one of the largest web hosting companies in Germany, DomainFactory, owned by GoDaddy.

The breach happened back in January this year and only came to light last Tuesday, when the unknown attacker himself posted a note about it on the DomainFactory support forum.

It turns out that the attacker breached company servers to obtain the data of one of its customers who apparently owes him a seven-figure amount, according to Heise.

Later the attacker tried to report to DomainFactory the vulnerability he had used to break into its servers, but the hosting provider did not respond and did not disclose the breach to its customers.

At that point the attacker went to the company's support forum and broke the news himself, posting sample data from a few customers as proof, which forced DomainFactory to take the forum offline immediately and open an investigation.

Attacker Gains Access to a Large Number of Data

DomainFactory finally confirmed the breach last weekend, revealing that the following personal data belonging to an unspecified number of its customers had been compromised:

  • Customer name
  • Company name
  • Customer account ID
  • Physical address
  • E-mail addresses
  • Telephone number
  • DomainFactory phone password
  • Date of birth
  • Bank name and account number (e.g. IBAN or BIC)
  • Schufa score (German credit score)

Well, that's a whole lot of information, which can be used by cybercriminals for targeted social engineering attacks against the customers.

The forum has since been taken offline temporarily, and DomainFactory said that a data feed containing certain customer information, which the attacker accessed, had been left open to external third parties after a system transition on January 29, 2018.

"We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount, and we regret the inconvenience this incident causes, very much," the company said.

Change All of Your Passwords

DomainFactory is now advising its users to change the passwords for all of the following services and applications "as a precautionary measure," and to change passwords for any other online services where the same password was reused:

  • Customer password
  • Phone password
  • Email passwords
  • FTP / Live disk passwords
  • SSH passwords
  • MySQL database passwords

Since the compromised data can be used for identity theft and to set up direct debits against customers' bank accounts, users are also advised to monitor their bank statements for unauthorized transactions.

So far it is unclear how the attacker got into the DomainFactory servers, but the German publication said the attacker gave no indication of intending to sell the captured data or leak it online.


Source:  TheHackerNews

Intel Tiger Lake CPUs to come with Anti-Malware Protection

Intel’s Tiger Lake CPUs will come with Control-flow Enforcement Technology (CET), aimed at battling common control-flow hijacking attacks. I...