News & Updates

Millions of people visiting mainstream websites over the past two months have been exposed to a novel form of malicious ads that embed attack code in individual pixels of the banners.

Researchers from antivirus provider Eset said “Stegano,” as they’ve dubbed the campaign, dates back to 2014. Beginning in early October, its unusually stealthy operators scored a major coup by getting the ads displayed on a variety of unnamed reputable news sites, each with millions of daily visitors. Borrowing from the word steganography—the practice of concealing secret messages inside a larger document that dates back to at least 440 BC—Stegano hides parts of its malicious code in parameters controlling the transparency of pixels used to display banner ads. While the attack code alters the tone or color of the images, the changes are almost invisible to the untrained eye.

The malicious script is concealed in the alpha channel that defines the transparency of pixels, making it extremely difficult for even sharp-eyed ad networks to detect. After verifying that the targeted browser isn’t running in a virtual machine or connected to other types of security software often used to detect attacks, the script redirects the browser to a site that hosts three exploits for now-patched Adobe Flash vulnerabilities.



This slide deck got pulled from the Defense Business Board website after DOD leaders allegedly moved to suppress the data behind it.

In January of 2015, as the US Department of Defense was chafing under the sequestration of its budget, the Pentagon leadership got some great news. A study prepared by the Defense Business Board (DBB) and a team from the global management consulting giant McKinsey and Company found that even with “moderate” changes to business practices, the DOD could save $125 billion over five years.

That would be enough to fully fund operations for 50 Army brigades, 10 Navy carrier strike group deployments, or 83 wings of F-35 fighter aircraft (one wing being about 36 aircraft—purchase price not included) for each of those five years. And all that savings could be had simply by fixing the military’s bureaucratic back-office, according to the study—a force of more than one million uniformed government, civilian, and contractor employees. DOD’s bureaucratic force is now almost as large as the military’s active duty force itself, which stands at 1.3 million soldiers, sailors, Marines, and airmen.

That good news, however, did not fall upon welcoming ears. DOD officials had no real idea how much bureaucratic overhead was costing them, as the costs were never accurately measured. When they saw the numbers from the DBB, the Washington Post reports, some of the Pentagon’s leadership was afraid of a legislative backlash. After DOD officials had complained to Congress for years about not having enough money, the department feared the findings would trigger further cuts to the DOD’s budget. So the data for the study was designated as sensitive, and an overview of the report that had already been published to the Defense Business Board website was pulled.



Experts from the firm Recorded Future published a report on the most common vulnerabilities used by threat actors in exploit kits.

The experts observed that Adobe Flash Player and Microsoft products (Internet Explorer, Silverlight, Windows) continue to be favored targets of threat actors. Hacking campaigns conducted by nation-state actors have dominated the threat landscape in 2016, while crooks used exploit kits to deliver several families of malware, including ransomware and banking trojans.

The experts noticed that hackers have used new exploit kits targeting new vulnerabilities.

The researchers highlighted that Adobe Flash Player accounted for six of the top 10 vulnerabilities triggered by exploit kits in the period from November 16, 2015 to November 15, 2016.


Recorded Future analyzed 141 exploit kits. The experts noticed that the Internet Explorer flaw tracked as CVE-2016-0189 was the most referenced on security blogs, deep web forum postings and dark web sites.

This vulnerability was widely exploited by the hackers behind the CNACOM campaign, and it had been exploited in targeted attacks against Windows users in South Korea before Microsoft fixed it.

Experts from the startup Theori reverse engineered the MS16-053 patch that fixed the CVE-2016-0189 flaw and published a PoC exploit for the vulnerability.

The PoC code works on Internet Explorer 11 running on Windows 10, a great gift for fraudsters, who included it in the Neutrino and Magnitude EKs and in many other exploit kits such as Angler, RIG, Nuclear, Spartan and Hunter.

[Figure: top vulnerabilities used by exploit kits, 2016]


The above list of vulnerabilities used by exploit kits also includes the Adobe Flash flaws tracked as CVE-2016-1019, CVE-2016-4117, CVE-2016-1010, and CVE-2015-8651.

The list also includes the Microsoft Silverlight flaw tracked as CVE-2016-0034 and the Microsoft Windows flaw tracked as CVE-2014-4113.

According to Recorded Future, after the Angler and Nuclear EKs disappeared from the threat landscape, RIG became the most used EK, while the popularity of the Sundown EK rapidly increased.

Let me close with the Key Takeaways published by Recorded Future.

  • Adobe Flash Player provided six of the top 10 vulnerabilities used by exploit kits in 2016. Since our 2015 ranking, Flash Player’s popularity with cyber criminals remains after increased Adobe security issue mitigation efforts.
  • Vulnerabilities in Microsoft’s Internet Explorer, Windows, and Silverlight rounded out the top 10 vulnerabilities used by exploit kits. None of the vulnerabilities identified in last year’s report carried over to this year’s top 10.
  • A 2016 Internet Explorer vulnerability (CVE-2016-0189) saw the most linkage to exploit kits, notably Sundown EK which quickly adopted an exploit in July 2016.
  • Sundown, RIG, and Neutrino exploit kits filled the void created by Angler Exploit Kit’s June 2016 demise. This crimeware can be used for anywhere from $200 a week (RIG) to $1,500 a week (Neutrino).
  • Adobe Flash Player’s CVE-2015-7645 has been incorporated into seven exploit kits, the highest penetration level of our analyzed vulnerabilities likely because it was the first zero-day discovered after significant Adobe security changes.
  • Identifying frequently exploited vulnerabilities can drive action by vulnerability assessment teams.

Pierluigi Paganini


The post Adobe Flash Player flaws remain the most used by Exploit Kits appeared first on Security Affairs.

Source: Security affairs

From the toilet to the tank–biofuels from sewage. Credit: PNNL

Researchers at Pacific Northwest National Labs (PNNL) have developed a new method for treating human sewage to create a biocrude oil product that can be refined into a fuel akin to gasoline, diesel, or jet fuels.

The process is called hydrothermal liquefaction (HTL), and it has been described as a sped-up version of the way the Earth naturally creates crude oil. Researchers apply a considerable amount of heat and pressure to wastewater, breaking down its chemical components into biocrude and an aqueous liquid in minutes.

PNNL says that wastewater treatment plants handle approximately 34 billion gallons of sewage every day. In a Reddit AMA held last week, Justin Billing, one of the scientists on the project, noted that sewage traditionally has three destinations—being turned into fertilizer or soil additive, going in a landfill, or being incinerated. Some wastewater treatment plants (though not all) will also use anaerobic digestion, which “reduce[s] the volume of solids and mitigates the toxic load while also producing methane that can be used for heat and power at the plant,” Billing says. But anaerobic digestion alone can’t solve the whole equation. “From a capital intensity perspective it is reasonable to consider a hydrothermal process like HTL when designing, upgrading, or expanding existing facilities,” he suggested.




A new report from IDC shows Apple Watch sales have slumped since last year. The report estimates that Apple has sold 1.1 million Watch units in the third quarter of 2016, down 71 percent from a year ago. However, Apple CEO Tim Cook reportedly told Reuters that sell-through, or the number of Apple Watches that reach consumers rather than the number on store shelves, reached a new high.

“Sales growth is off the charts,” Cook said. “In fact, during the first week of holiday shopping, our sell-through of Apple Watch was greater than any week in the product’s history. And as we expected, we’re on track for the best quarter ever for Apple Watch.”

Apple also expects the holiday shopping season to be big for the Watch. This could prove to be true, since it is arguably the most complementary device in Apple’s lineup and more suited as a gift than an iPhone. Apple generally doesn’t talk about Apple Watch sales on its earnings calls, nor does it reveal exact sales numbers for the device. The Watch remains in an “other products” category (along with the iPod and Apple TV), rather than standing on its own in the company’s sales figures.




A Guardian investigation has prompted Google to change some of its autocomplete suggestions. For instance, no more will “evil” be suggested when Web surfers type “are Jews.” The search engine no longer recommends “evil” when “are women” is typed, either.

Google said it made the changeover after a Guardian story called out the search giant. However, the company said it didn’t fix everything the Guardian found, like eliminating “bad” when somebody typed in the search field “are Muslims.”

“Our search results are a reflection of the content across the Web. This means that sometimes unpleasant portrayals of sensitive subject matter online can affect what search results appear for a given query,” the company told the Guardian. “These results don’t reflect Google’s own opinions or beliefs—as a company, we strongly value a diversity of perspectives, ideas, and cultures.”




For the first time in a century, the US Supreme Court has weighed in on how much design patents are worth. The answer: not nearly as much as Apple thinks.

The 8-0 opinion (PDF) is a rebuke to the US Court of Appeals for the Federal Circuit, which held that the relevant “article of manufacture” for calculating damages was—in fact, had to be—the entire smartphone. That meant even though Apple’s patents covered only certain design elements, it was entitled to $399 million in lost profits damages.

In an opinion authored by Justice Sonia Sotomayor, the Supreme Court rejected that approach, finding that the statutory term “article of manufacture” could mean either a whole product or just one component of a product.




Late last month, Apple announced a repair program for the batteries in early iPhone 6S models manufactured in September and October of 2015 (the 6S Plus is apparently not affected). The batteries could cause the phones to shut down without warning, an issue that Apple now says was caused by overexposure to “controlled ambient air” (in other words, they sat out in the open in some warehouse for longer than they should have).

The same press release—issued only in China so far, but available in English if you scroll down—says that some owners of later iPhone 6S models are also reporting problems with unexpected shutdowns. Apple isn’t replacing those batteries just yet, but the company says that an iOS update “available next week” will add “additional diagnostic capability” that will allow Apple to better track down and diagnose the causes of these shutdowns. It “may potentially help [Apple] improve the algorithms used to manage battery performance and shutdown,” as well. Those improvements will be included in future iOS updates.

Apple says that the battery problem “is not a safety issue,” an important thing to note given the way the Galaxy Note 7 blew up in Samsung’s face.



By Carolina

A website on the Dark Web, the internet’s underworld where all sorts of illegal content can be shared or bought easily and anonymously, is urging users to help it raise money to assassinate President-elect Donald Trump and Vice-President-elect Mike Pence. CSO reports that this particular website went live the previous week and allegedly is seeking assistance […]

This is a post from Read the original post: DarkWeb Website Asking for Funds to Assassinate Donald Trump and Mike Pence



T-Mobile USA is looking forward to fewer regulations and more mergers in the telecom market under President-elect Donald Trump. With net neutrality rules possibly being overturned, the company says mobile Internet providers will have a lot more leeway for “innovation and differentiation.”

The election results will lead to a regulatory environment that is “more positive for my industry,” T-Mobile CFO Braxton Carter said in a Q&A session at a UBS investors conference yesterday. “You look at some of the earlier decisions that Trump has already made [in choosing advisors], I think it’s very clear there is going to be less regulation, and regulation often destroys innovation and value creation in bringing benefits to the consumer. And the trick is bringing a benefit to the consumer while you’re also benefiting your shareholders.”

Under President Obama, the Federal Communications Commission reclassified fixed and mobile ISPs as common carriers and imposed net neutrality rules that forbid blocking, throttling, and paid prioritization. Carter seems confident the Title II decision will be reversed.
