A Week in Security (Apr 05 - 11)

A Week in Security (Jul 26 – Aug 01)

Last week, Malwarebytes announced that our line of security products now support Windows 10, Microsoft’s latest operating system to date. If you have up grated to the new OS, feel free to visit our download portal to get your anti-malware and/or anti-exploit software of choice.

Jérôme Segura, one of our senior security researchers, also documented several of his findings, which are about potentially malicious advertising redirects from a legitimate and popular discussion forum within USA TODAY. These redirects led to either PUPs and scams, or to a Nuclear exploit kit page. Another finding Segura shared was a fake iOS crash report, which is actually a tech support scam.

Finally, Thomas Reed, our Mac security expert, whom we welcomed into the Malwarebytes family not long ago, published a post about an installer that disguised itself as a fake Apple Safari update. Once installed, it downloads and installs two programs: MacKeeper and ZipCloud. Not only that, browser settings were altered, as well. Reed advised that affected users of the fake Safari update, MacKeeper and ZipCloud to remove them from the system and also reinstall their OS X.

Notable news stories and security related happenings:

  • HP: 100% of Smartwatches have Security Flaws. “In a recent security assessment of ten smartwatches and their iOS and Android companion applications, every single watch had at least one significant security flaw, according to a new report from HP Fortify. One common problem was that the data that smartwatches collected was typically sent to numerous places — up to ten locations, in some cases.” (Source: CSO Online)
  • Steam Hit by Major Security Breach, Many Accounts Hacked! “Reports are still blurry and information keeps coming out – Valve themselves are yet to make an official statement on the issue – but according to a demonstration that was posted on YouTube, a hacker could abuse the “forgotten password” feature in Steam’s log-in service, completely bypassing the stage where they have to enter a security code, and being granted access to reset the password of the account.” (Source: Master Herald)
  • Nasty Bug Lets Hackers Into Nearly Any Android Phone Using Nothing But A Message. “The good news: the bug can be fixed with an over-the-air update, and Google already has a patch ready to go. The bad news: It’s up to device manufacturers to send out the patch, and… well, that can take a while. If you’ve got an older phone that hasn’t been updated in ages — as is the case for nearly 11 percent of active Android phones (those still running Froyo, Gingerbread, or Ice Cream Sandwich) — it’s feasible that it won’t get a patch at all.” (Source: TechCrunch)
  • CISO Role Undefined in Many Organizations, Survey Says. “C-suite executives want a cybersecurity voice in the boardroom, but the chief information security officer (CISO) may not belong on the leadership team, says a recent survey from cybersecurity solutions company ThreatTrack Security. ThreatTrack Security reveals in its “CISO Role Still in Flux” whitepaper that CISOs have made moderate gains in commanding corporate respect, there still remains hurdles for them to overcome.” (Source: LegalTech News)
  • Apple Puts a Stop to Invoice Poisoning Bug. “A serious remote vulnerability has been uncovered in Apple’s AppStore and iTunes web applications that posed ‘a significant risk to buyers, sellers or Apple website managers/developers’.” (Source: Sophos’s Naked Security Blog)
  • Over 10 million Web Surfers Possibly Exposed to Malvertising. “The malicious ads redirected people to websites that were rigged with the Angler exploit kit. An exploit kit is a software package that probes a computer for software vulnerabilities in order to deliver malware.” (Source: Network World)
  • Why Cybersecurity Is So Difficult to Get Right. “It seems like hardly a week goes by without news of a data breach at yet another company. And it seems more and more common for breaches to break records in the amount of information stolen. If you’re a company trying to secure your data, where do you start? What should you think about?” (Source: Harvard Business Review)
  • Most Employees Don’t Understand the Value of Data. “New research from Fujitsu has revealed that only 7% of employees rate their business data higher than their personal information. The results highlight how employees don’t understand the value of data with over half (52%) of employees admitting that they value their own data more than their work data. In addition, 43% of employees either somewhat or completely agree that they have no idea of the value of business data.” (Source: Help Net Security)
  • Researchers Steal Door Badge Credentials Using Smartphone Bluetooth. “Next week at Black Hat USA a pair of researchers will be demonstrating a new tool they developed that can easily be placed on just about any commercial door reader device to siphon away key card credential information and send it via Bluetooth to a smartphone so that an attacker could easily clone cards and circumvent facility security measures.” (Source: Dark Reading)
  • Google Lets You Bring Your Encryption Keys to Its Cloud. “Companies like the idea of the flexibility the cloud computing model, but many remain unconvinced that cloud—especially public cloud—is a secure place for their important data. So Google says it will now enable customers to bring their own encryption keys to the Google Compute Engine, the computing portion of Google Cloud Platform.” (Source: Fortune)
  • Planned Parenthood Reports Second Website Hack in a Week. “Planned Parenthood said electronic traffic to its websites was snarled by computer hackers on Wednesday in the second cyber attack mounted against the healthcare organization this week amid a controversy over alleged sales of aborted fetal tissue.” (Source: Reuters)
  • Google Appealing French Order to Apply ‘Right to be Forgotten’ Worldwide. “‘We believe that no one country should have the authority to control what content someone in a second country can access,’ says Peter Fleischer, Google’s global privacy counsel.” (Source: LegalTech News)
  • New Research Reveals More Than a Third of Employees Willing to Sell Private Company Data and Proprietary Information. “The latest data reveals that 35 percent of employees would sell information on company patents, financial records and customer credit card details if the price was right, illustrating the growing importance for organizations to deploy data loss prevention strategies and technology to safeguard data from both the malicious and inadvertent insider threats.” (Source: Business Wire)
  • Yes, Adobe Flash is a mess, but don’t forget to patch Reader. “Security flaws in Adobe Flash have been reported on a lot lately, but unpatched vulnerabilities in Adobe Reader are also a major security concern for IT departments, according to a report by vulnerability intelligence firm Secunia. In fact, 75 percent of PCs examined by Secunia have unpatched versions of Adobe Reader 10 or 11, according to its second quarter report on the state of PC security in 15 countries.” (Source: Fierce IT Security)
  • FBI Warns of Increase in DDoS Extortion Scams. “Online scammers constantly are looking for new ways to reach into the pockets of potential victims, and the FBI says it is seeing an increase in the number of companies being targeted by scammers threatening to launch DDoS attacks if they don’t pay a ransom.” (Source: ThreatPost)

Safe surfing, everyone!

The Malwarebytes Labs Team

ABOUT THE AUTHOR