=============== Rob VandenBrink Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


The website belonging to Maisto International, a popular maker of remote-controlled toy vehicles, has been caught pushing ransomware that holds visitors' files hostage until they pay a hefty fee.

Malicious files provided by the Angler exploit kit were hosted directly on the homepage of Maisto[.]com, according to antivirus provider Malwarebytes. The attack code exploits vulnerabilities in older versions of applications such as Adobe Flash, Oracle Java, Silverlight, and Internet Explorer. People who visit Maisto[.]com with machines that haven't received the latest updates are surreptitiously infected with the CryptXXX ransomware. Fortunately for victims in this case, researchers from Kaspersky Lab recently uncovered a weakness in CryptXXX that allows users to recover their files without paying the extortion demand. People infected with ransomware in other drive-by attacks haven't been so lucky.

After discovering the infection of the Maisto homepage, Malwarebytes Senior Security Researcher Jerome Segura ran the site through a scanner from website security firm Sucuri. It detected that Maisto was running an out-of-date version of the Joomla content management system, which is presumed to be the way attackers were able to load the malicious payloads on the homepage.



A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

According to a blog post published Thursday, researchers at the company behind the post recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.

Still, a current search on GitHub returned more than 7,400 pages containing "xoxp." That's the prefix contained in tokens that in many cases allow automated scripts to access a Slack account, even when it's protected by two-factor authentication. A separate search uncovered more than 4,100 Slack tokens with the prefix "xoxb." Not all results contained the remainder of the token that's required for logging in, but many appeared to do just that. By including valid tokens in code that's made available to the world, developers make it possible for unscrupulous people to access the private conversations between the developers and the companies they work for and to download files and private Web links they exchange.
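The search described above keys on the "xoxp" and "xoxb" prefixes, and many hits are bare prefixes or fragments rather than usable tokens. The following scanner, an added example that is not code from the article or from Slack, shows what a pre-commit or repository check for the same thing looks like. It assumes the classic layout the article alludes to (a type prefix followed by dash-separated alphanumeric segments); the MIN_LEN cutoff and the sample text are constructed for illustration, and a hit should be treated as a candidate to revoke and review, not as proof the token is live.

```python
"""Scan text for Slack API tokens before it lands in a public repository.

Added example, not code from the article or from Slack. Assumptions:
the token layout is the classic one the article alludes to, a type prefix
("xoxp-" for user tokens, "xoxb-" for bot tokens) followed by two or more
dash-separated alphanumeric segments; MIN_LEN and SAMPLE are constructed.
"""
import re
from dataclasses import dataclass

TOKEN_TYPES = {"xoxp": "user token", "xoxb": "bot token"}

# Prefix, then at least two dash-separated alphanumeric segments. The
# lookarounds keep us from matching inside a longer identifier.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9])(xox[pb])-([A-Za-z0-9]+(?:-[A-Za-z0-9]+)+)(?![A-Za-z0-9])"
)
MIN_LEN = 20  # assumed: anything shorter is a fragment, not a usable token


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    token: str


def find_slack_tokens(text: str) -> list[Finding]:
    """Return every token-shaped string in text, with its 1-based line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            if len(token) < MIN_LEN:
                continue  # bare prefix or truncated paste, like many of the search hits
            findings.append(Finding(line_no, TOKEN_TYPES[m.group(1)], token))
    return findings


def redact(token: str) -> str:
    """Keep the prefix and last four characters so a finding can be tracked
    in a revocation ticket without republishing the secret."""
    prefix = token.split("-", 1)[0]
    return f"{prefix}-...{token[-4:]}"


def report(text: str) -> list[str]:
    """Human-readable lines, suitable for a pre-commit hook's output."""
    return [f"line {f.line_no}: {f.kind} {redact(f.token)}"
            for f in find_slack_tokens(text)]


# Constructed sample: the tokens are fake and follow the assumed layout.
# Line 3 only mentions the prefixes and line 5 is a fragment; neither should fire.
SAMPLE = "\n".join([
    "# settings.py checked in by mistake",
    'SLACK_TOKEN = "xoxp-1234567890-1234567890-1234567890-abcdef1234567890abcdef1234567890"',
    "# user tokens start with xoxp, bot tokens with xoxb",
    "bot = 'xoxb-1234567890-AbCdEfGhIjKlMnOpQrStUvWx'",
    "fragment = 'xoxp-12345'",
])

if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run against the sample it reports only lines 2 and 4, with the tokens redacted to their prefix and last four characters; the prose mention of "xoxp" and the truncated fragment are skipped, which is exactly the distinction the GitHub search cannot make for you.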



SANS to Host Summer Information Security Training in Denver, Colorado
PR Newswire (press release)
BETHESDA, Md., April 28, 2016 /PRNewswire-USNewswire/ -- In response to increased demand for local information security training, SANS Institute today announced its return to Colorado. SANS Rocky Mountain 2016, taking place July 11 – 16 in downtown ...


Secure cloud hosting: Why taking ownership is crucial
Cunningham, who previously served in the U.S. Navy and National Security Agency in information security roles, spoke with SearchCloudSecurity about his company's approach to secure cloud hosting, the most pressing threats and obstacles facing ...


Artist's rendition of the horde of DDoS requests coming at your router.

Rainbow Six: Siege players are complaining that the game continues to make their global IP address available to other players, putting those players at risk for DDoS attacks from bitter opponents.

The problem seems to stem from the way the game implements voice chat between players. Back in September, Ubisoft confirmed that while the game uses dedicated servers to host matches, it still uses direct, peer-to-peer connections "strictly to support voice and chat comms for a team." Beta players began noticing almost immediately that this infrastructure decision presents a pretty big security hole when playing with strangers on the Internet. A netcode analysis published in January showed how a simple packet sniffer like NetLimiter could easily reveal the IP addresses of all other players in the match, even though voice chat is only available between teammates during a match.

Armed with these IP addresses, unscrupulous players could easily use any number of services to initiate a DDoS attack to remove opposing players from the game. There's a decent amount of evidence that many players were doing just that to gain a leg up in ranked matches, with some managing to climb the in-game ranking ladder despite awful play statistics.
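What the sniffer-based analysis turns up is simply the set of remote endpoints the player's own machine exchanges packets with once the match starts. The script below, an added example and not code from the article, Ubisoft or NetLimiter, does that classification on constructed capture lines in a simplified "proto src:port > dst:port bytes" form rather than any tool's real output. LOCAL_IP, SERVER_NETS, the LAN ranges and the assumption that peer voice traffic is UDP are all illustrative; the addresses come from the RFC 5737 documentation ranges.

```python
"""List the remote endpoints a player's machine talks to during a match.

Added example, not code from the article, Ubisoft or NetLimiter. The
capture lines are constructed. LOCAL_IP, SERVER_NETS and the UDP filter
are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict

LOCAL_IP = ipaddress.ip_address("192.168.1.20")          # assumed: the sniffing player's machine
SERVER_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed: dedicated game-server range
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed capture: one match server, three direct UDP peers, one unrelated TCP flow.
CAPTURE = """\
udp 192.168.1.20:3074 > 203.0.113.10:3074 412
udp 203.0.113.10:3074 > 192.168.1.20:3074 388
udp 192.168.1.20:3074 > 198.51.100.7:3074 96
udp 198.51.100.7:3074 > 192.168.1.20:3074 96
udp 192.168.1.20:3074 > 198.51.100.9:3074 96
udp 192.168.1.20:3074 > 192.0.2.44:3074 96
udp 192.0.2.44:3074 > 192.168.1.20:3074 96
tcp 192.168.1.20:51000 > 198.51.100.250:443 1200
"""


def parse_line(line):
    """Return (proto, src_ip, dst_ip) for one capture line, or None for junk."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    proto = parts[0].lower()
    src = ipaddress.ip_address(parts[1].rsplit(":", 1)[0])
    dst = ipaddress.ip_address(parts[3].rsplit(":", 1)[0])
    return proto, src, dst


def is_game_server(ip):
    """True when ip (str or address object) falls in the assumed server range."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in SERVER_NETS)


def in_lan(ip):
    return any(ip in net for net in LAN_NETS)


def find_peers(capture):
    """Remote UDP endpoints that are neither the game server nor on the LAN.

    Returns [(ip_str, packets_sent, packets_received)] sorted by address.
    An entry with received > 0 completed a direct exchange; a sent-only
    entry is a connection attempt that still handed us that address.
    """
    counts = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, dst = parsed
        if proto != "udp":
            continue  # assumed: the direct voice path is UDP, so ignore other flows
        if src == LOCAL_IP:
            remote, idx = dst, 0
        elif dst == LOCAL_IP:
            remote, idx = src, 1
        else:
            continue  # not our traffic (broadcast noise, other hosts on the LAN)
        if is_game_server(remote) or in_lan(remote):
            continue
        counts[remote][idx] += 1
    return [(str(ip), sent, recv) for ip, (sent, recv) in sorted(counts.items())]


if __name__ == "__main__":
    for ip, sent, recv in find_peers(CAPTURE):
        print(f"{ip}: sent={sent} received={recv}")
```

On the constructed capture the dedicated server and the TCP flow drop out and three peer addresses remain, one of which only ever saw outbound packets. That sent-only entry is the point: the address was exposed by the connection attempt itself, before any voice data flowed, which is why limiting voice to teammates does not keep opponents' addresses hidden.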



The flaw that left .AS websites and owners exposed for at least 16 years
Naked Security
A security researcher by the name of Infosec Guy has discovered a flaw in the website of the AS (American Samoa) domain registry nic.as that, in the registry's own words, “pre-dates the century”. According to Infosec Guy the flaw allowed anyone to ...


If an exotic quantum computer is invented that could break the codes we depend on to protect confidential electronic information, what will we do to maintain our security and privacy? That's the overarching question posed by a new report ...


InfoSec Career Advice for Women
How can other women follow in her footsteps? In an interview with Information Security Media Group, she stresses the importance of networking and building relationships with female role models. "The great news is there are so many amazing programs out ...

CVE-2016-3078: php: integer overflow in ZipArchive::getFrom*

The new, "improved" United Cyber Caliphate—the power of four jihadi hacktivist cells fused together like some sort of cyber-Voltron.

The Islamic State has been deft in its use of the Internet as a communications tool. ISIS has long leveraged social media to spread propaganda and even coordinate targets for attacks, using an ever-shifting collection of social media accounts for recruitment and even to call for attacks on individuals ISIS leaders have designated as enemies. But the organization's efforts to build a sophisticated internal “cyber army” to conduct information warfare against the US and other powers opposing it have thus far been fragmented and limited in their effectiveness—and more often than not they've been more propaganda than substance.

Now, ISIS is taking another crack at building a more credible cyber force. As analysts from Flashpoint note in a report being published today (entitled "Hacking for ISIS: The Emergent Cyber Threat Landscape"), ISIS earlier this month apparently merged four separate pro-ISIS “cyber” teams into a single group called the United Cyber Caliphate.

"Until recently, our analysis of the group's overall capabilities indicated that they were neither advanced nor did they demonstrate sophisticated targeting," said Laith Alkhouri, director of Research & Analysis for the Middle East and North Africa and a cofounder of Flashpoint. “With the latest unification of multiple pro-ISIS cyber groups under one umbrella, there now appears to be a higher interest and willingness amongst ISIS supporters in coordinating and elevating cyber attacks against governments and companies.”


CVE-2015-5207 - Bypass of Access Restrictions in Apache Cordova iOS
[SECURITY] [DSA 3560-1] php5 security update
Re: [ERPSCAN-16-005] SAP HANA hdbxsengine JSON - DoS vulnerability