News & Updates

(credit: Tony Young)

The Federal Communications Commission has decided not to step up its oversight of contract disputes that sometimes take free, over-the-air channels off cable systems.

Broadcast stations can demand carriage fees from cable TV operators even if the channels are otherwise available for free to consumers with an antenna. When cable TV companies and broadcasters don’t agree on a price, customers are sometimes deprived of channels.

The FCC can already intervene in contract disputes when it deems it necessary, but a lobby group for small and medium-sized cable TV providers wanted the commission to do a lot more. When FCC Chairman Tom Wheeler announced the decision to maintain the status quo last week, the American Cable Association (ACA) lobby group said it was “appalled.”

Read 15 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

Matthias Müller became VW Group’s CEO when Martin Winterkorn left, but both men are implicated in the most recent lawsuits from US states. (credit: Volkswagen AG)

On Tuesday, the attorneys general of Massachusetts, New York, and Maryland launched fresh lawsuits at Volkswagen Group and its affiliates Audi and Porsche, naming more than two dozen engineers and managers in an apparent scheme to install illegal software on diesel VWs, Audis, and Porsches that were sold in the US.

The civil lawsuits allege that prior to the Environmental Protection Agency’s (EPA) public announcement in September that it had discovered defeat devices to circumvent emissions control systems in VW Group’s diesel cars, the German automaker engaged in a year and a half of cover ups and deception with the knowledge of VW Group’s former CEO, Martin Winterkorn. The company “only confessed to the defeat devices when they knew the regulators had them pinned to the facts,” according to the New York attorney general’s press release.

The lawsuits also allege that VW Group has not cooperated with investigators. “When the investigation was getting under way in late 2015, numerous employees, tipped off by a senior in-house lawyer in Germany, allegedly destroyed incriminating documents,” the press release added.

Read 25 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

A newly strain of ransomware dubbed cuteRansomware leverages on a Google Doc to host the decryption key and command-and-control features.

A recently discovered strain of ransomware, dubbed cuteRansomware, shows that your enterprise isn’t the only one thinking about cloud transition. Modern day hackers are loving the Cloud too. The cuteRansomware was discovered by Netskope security firm which observes an increase in the number of malware leveraging on cloud apps as a delivery mechanism.

Most ransomware has a Command and Control (C&C) structure and a location for hosting the decryption key. Google Docs became precisely this location for this Chinese modified malware.

“Netskope has detected and reported on an increase in cloud apps as a delivery mechanism for ransomware, particularly in obfuscated JavaScript as well as Microsoft Word documents using macros functions.” states Netskope.

A few months ago, experts from Netskope noticed that a user with a GitHub account “aaaddress1” published source code for a ransomware module based on C# called “my-Little-Ransomware.” The malware became popular and others began using it. A security researcher at AVG spotted a malicious modified Chinese version of my-Little-Ransomware, that it dubbed “cuteRansomware” because of the mutex name used by the original author.

Though basic in nature it proves to be hard to track because Google Docs uses HTTPS to transfer data and is hard to detect by basic End Point security and Perimeter guards like firewall, intrusion detection systems, intrusion prevention systems and even the Next Gen firewall.

“Moreover, the use of a popular cloud app like Google Docs presents another challenge. For organizations using Google Docs as a productivity tool, it’s virtually impossible to block it outright. To prevent this ransomware from using Google Docs, you need to be able to selectively block the specific app instance associated with this ransomware while allowing your sanctioned instance of Google Docs to continue working.” continues Netskope

cuteransomware

Let’s state why the cuteRansomware represents a problem :

  • Lack of visibility in SSL cryptographic protocol.
  • Highly used tools in many organizations like Google Docs could be  hard to stop. Thus productivity would get affected. 
  • Cloud service providers will need to monitoring of their products.
  • Today it’s Google Docs, tomorrow it could be Office 365. Microsoft’s Office 365 is a more preferred tool to use when it comes to SaaS by companies.
  • Cyber actors will now transition to cloud for C&C and hosting other attacks.

Tough days ahead

In June, Martin Lee, the technical lead of Cisco’s Talos Security Intelligence and Research Group commented that malware is “taking kidnap and moving it to the 21st century” An apt analogy considering that the threat landscape is truly evolving.

About the Author: Joshua Bahirvani

Joshua Bahirvani 2Cyber Security Enthusiast and believer of Privacy in this Digital Age.

LinkedIn : https://in.linkedin.com/in/jbahirvani15

Peerlyst: https://www.peerlyst.com/users/joshua-bahirvani

Twitter : @B15joshua

Medium : @jbahirvani15

 

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – cuteRansomware, cybercrime)

The post cuteRansomware leverages Google Docs to avoid detection appeared first on Security Affairs.

Source: Security affairs

WWE wrestler Chavo Guerrero, Jr (right) is among the 53 plaintiffs in a proposed class-action lawsuit filed in Connecticut on Monday. (credit: Getty Images / Ethan Miller )

Dozens of former professional wrestlers have filed a proposed class-action civil suit against World Wrestling Entertainment (WWE), alleging that the organization should be held accountable for “long-term neurological injuries” that the performers suffered while body-slamming and pile-driving each other throughout the decades.

The 214-page suit, filed in United States District Court in Connecticut on Monday, includes among its 53 plaintiffs the famous-wrestler likes of Chavo Guerrero Jr, Joseph “Road Warrior Animal” Laurinaitis, James “Kamala” Harris, Paul “Mr Wonderful” Orndorff, and Jimmy “Supafly” Snuka. The lengthy suit attempts to hold the WWE responsible for its performers’ issues with concussions and chronic traumatic encephalopathy (CTE), the brain-ravaging disease that figured largely in recent class-action suits filed by players’ associations for the NFL and NHL American sports leagues.

CTE, a degenerative disease linked to repeated concussions that leads to memory loss, dementia, and suicidality, has been connected to injuries in many professional sports leagues, and the WWE is no exception. Among the more notorious examples is that of former WWE wrestler Chris Benoit, whose issues with CTE were confirmed after his murder-suicide case in 2007.

Read 6 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

OK Pikachu, get in the ball. Just get in the ball. GET IN THE DAMN BALL YOU FREAKING ELECTRIC RAT!

At the early levels, it’s relatively easy to advance in Pokémon Go without spending any money. Provided you’re not in a Pokémon-light rural area (or, er, a black neighborhood), it’s pretty simple to just keep farming Pidgeys and nearby Pokéstops and gyms for the resources you need to watch your in-game numbers go up.

Now that the game has been out for more than a week in many regions, though, some of the first players to hit the game’s higher levels are running into a wall that’s halting that easy advancement. In a detailed Reddit thread discussing his “late game” progress in Pokémon Go, user Riggnaros discusses a few ways the game grinds progress to a halt once players hit level 25 or so.

For instance, Riggnaros says, once you reach a level in the “mid 20s,” low-powered Pokémon you encounter in the game start to “have an abnormally high chance to evade capture.” That means players will need to start wasting a lot more Pokéballs to capture the most abundant monsters, which are key to gaining the experience points needed for that next level. Getting enough Pokéballs to keep up with all those escaping Pokémon means spending real money or spending inordinate amounts of time farming free Pokéballs from those slowly refilling Pokéstops.

Read 8 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

(credit: Andrew Cunningham)

UPDATE 6:45pm ET: Reuters reports that Brazil’s Federal Supreme Court has now suspended the ruling by the lower court judge, which ordered mobile phone carriers to block access to WhatsApp.

“We’re pleased that people can access WhatsApp again in Brazil,” Matt Steinfeld, a WhatsApp spokesman, e-mailed Ars in a statement.

Our original story follows:

Read 9 remaining paragraphs | Comments

Source: http://feeds.arstechnica.com/arstechnica/index/

A security expert revealed a number of flaws in the big player’s two-factor authentication methods that could allow crooks to steal money.

Social media bug bounty hunter, Arne Swinnen, has revealed a number of flaws in the big player’s 2 factor authentication (2FA) methods that could enable a malicious user to illicit large sums of money from their phone-based verification services.

Two-factor authentication is often offered to social media users as an added layer of security in ensuring user verification.

Swinnen has reported that an attacker could abuse the security system with the purchase of a number of premium rate telephone numbers which would then be called by the authentication system on login.

The security researcher registered a premium UK number which charged at a rate of £0.06 and managed to make £1 in 17 minutes via Instagram’s two-factor authentication service.

two-factor authentication flaws hacking

The pay-out screen for Swinnen’s premium rate UK number

Instagram allows users to link a mobile phone number to your account, once activated, the 2 factor authentication system sends a 6 digit pin to your number, if this is not used in 3 minutes of sending, a call is placed to the number saved, in Swinnen’s case, his UK premium rate number.

two-factor authentication flaws hacking 2

Instagram’s 6 digit pin code (left) and the activation call appearing on the saved phone number (right)

By itself this method could reportedly earn up to £17,000 per year. Each call lasts around 17 seconds and the system limits its rate monitoring to one call every 30 seconds, however, a dedicated attacker with 100 accounts and premium rate numbers could potentially earn £1 Million in a year.

Facebook awarded Swinnen $2000 for the discovery of this method however initially reported that they will not be looking to make any changes to their rate limiting and monitoring technologies as a result.

The social media giant’s first response was “This is intentional behavior in our product. We do not consider it a security vulnerability, but we do have controls in place to monitor and mitigate abuse.”

When the discussion was raised regarding an attacker using an increased number of accounts Facebook commented “Thanks for following up — because these requests are routed through a dedicated service for monitoring and blocking abuse, “intentional behavior” in this case is considered “accepted risk”. Generally speaking, attacks that depend on multiple accounts under attacker control fall under the “spam or social engineering techniques” category of ineligible reports for the whitehat program.”

They later went on to concede “Hello again! We’ll be doing some fine-tuning of our rate limits and work on the service used for outbound calls in response to this submission, so this issue will be eligible for a whitehat bounty. You can expect an update from us again when the changes have been made. Thanks!

(…)
We have looked into this issue and believe that the vulnerability has been patched (rate limits adjusted and some additional monitoring in place).”

Google also allow users to receive their two-factor token codes in a voice call, each call in this case lasts approximately 35 seconds and the rate is limited to 10 per hour.

In two hours, the research earned €1, calculated over a year with 100 unique accounts and matching numbers, this has the potential to net a not insignificant €400,000.

Although the find merited Swinnen to be listed in their hall of fame, the search engine giant ruled that the discovery did not warrant a monetary reward. Google stated that they had a contingency in place for mitigating fraudulent transactions such as these and deemed it impossible to totally eradicate the threat of malicious players exploiting their authentication systems in this manner.

Google also stated charitably that money is less important to them than user security.

The research also covered Microsoft’s 365 trial accounts which allows users to verify themselves via a voice call. Microsoft paid the researcher $500 for discovering that although a user could enter a premium number, the number was later blocked following 7 failed registration attempts.

This was circumvented by entering a premium number with up to 18 zeros in front of the actual number itself. Zero pairs could also be replaced with international dial prefixes and the call would still go through. It was also discovered that up to 4 random digits could be appended to the number and that Microsoft wouldn’t notice that the number had been dialed many times before.

This attempt earned €1 in less than a minute, Microsoft addressed the vulnerability by amending the service to prevent uses from adding addition digits to an actual phone number.

Written by: Steven Boyd

Steven BoydSteven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.

Twitter: @CybrViews

 

 

 

 

medianet_width=’300′; medianet_height= ‘250’; medianet_crid=’762221962′;

Pierluigi Paganini

(Security Affairs – Two-factor authentication, cybercrime)

The post Abusing Two-factor authentication to steal money from Instagram, Google and Microsoft appeared first on Security Affairs.

Source: Security affairs

© 2016 The Charles Tendell Show