Information Security News
Developers with both Mozilla and Tor have published browser updates that patch a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.
"The security flaw responsible for this urgent release is already actively exploited on Windows systems," a Tor official wrote in an advisory published Wednesday afternoon. "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."
The Tor browser is based on the open-source Firefox browser developed by the Mozilla Foundation. Shortly after this post went live, Mozilla security official Daniel Veditz published a blog post that said the vulnerability has also been fixed in a just-released version of Firefox for mainstream users. On early Wednesday, Veditz said, his team received a copy of the attack code that exploited a previously unknown vulnerability in Firefox.
Update: Mozilla now released Firefox 50.0.2 to fix this issue, and the tor project released the corresponding tor browser 6.0.7.
Mozillais working on a patch. And Tor Browser 6.0.7 which will hopefully be released later today is scheduled to include the fix.
Until then: Best not to use Firefox if you can help it. The current version of Firefox, 50.0.1, which was released on Monday, is still vulnerable. While the exploit hasnt been spotted yet outside of Tor, expect it to show up by the time you read this.
An analysis of the shell code used in the exploit by Wack0 concluded that the code is very similar to an exploit used by law enforcement in 2013 against an older version of Firefox/Tor Browser. 
Got a couple of reports recently about an increase in port 1434 scanning for the infamous Slammer (aka Saphire) MS-SQL Server vulnerability. Sad to say: It looks like it never went away... There appears to be still a background of about 50 source IPs/day that scan for port 1434. Now this is way down from the numbers we had in 2003/2004 (20-30,000 sources per day). But to put it in perspective: This was still about an order of magnitude lower than what we see for Mirai now. So let" />
If you want a list of yesterdays sources, check here:https://isc.sans.edu/dailysources.html?mintargetport=1434maxtargetport=1434
After removing some of the research scanners (Shodan, Shadowserver, Quadmetrics), I am left with this list:
ASN | IP Address | CT | Network Name278 | 188.8.131.52 | MX | Universidad Nacional Autonoma de Mexico, MX3462 | 184.108.40.206 | TW | HINET Data Communication Business Group, TW3786 | 220.127.116.11 | KR | LGDACOM LG DACOM Corporation, KR4134 | 18.104.22.168 | CN | CHINANET-BACKBONE No.31,Jin-rong Street, CN4816 | 22.214.171.124 | CN | CHINANET-IDC-GD China Telecom (Group), CN4837 | 126.96.36.199 | CN | CHINA169-BACKBONE CNCGROUP China169 Backbone, CN5650 | 188.8.131.52 | US | FRONTIER-FRTR - Frontier Communications of America, Inc., US6739 | 184.108.40.206 | ES | ONO-AS Cableuropa - ONO, ES7018 | 220.127.116.11 | US | ATT-INTERNET4 - ATT Services, Inc., US7029 | 18.104.22.168 | US | WINDSTREAM - Windstream Communications Inc, US7162 | 22.214.171.124 | BR | Universo Online S.A., BR7418 | 126.96.36.199 | CL | TELEFNICA CHILE S.A., CL7470 | 188.8.131.52 | TH | TRUEINTERNET-AS-AP TRUE INTERNET Co.,Ltd., TH7643 | 184.108.40.206 | VN | VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT), VN7922 | 220.127.116.11 | US | COMCAST-7922 - Comcast Cable Communications, LLC, US8342 | 18.104.22.168 | RU | RTCOMM-AS , RU8560 | 22.214.171.124 | US | ONEANDONE-AS Brauerstrasse 48, DE9808 | 126.96.36.199 | CN | CMNET-GD Guangdong Mobile Communication Co.Ltd., CN11014 | 188.8.131.52 | AR | CPS, AR11650 | 184.108.40.206 | US | PLDI - Pioneer Long Distance Inc., US15311 | 220.127.116.11 | CL | Telefonica Empresas, CL16276 | 18.104.22.168 | FR | OVH , FR16509 | 22.214.171.124 | US | AMAZON-02 - Amazon.com, Inc., US17676 | 126.96.36.199 | JP | GIGAINFRA Softbank BB Corp., JP19108 | 188.8.131.52 | US | SUDDENLINK-COMMUNICATIONS - Suddenlink Communications, US27892 | 184.108.40.206 | VE | Universidad del Zulia, VE29073 | 220.127.116.11 | NL | QUASINETWORKS , NL60781 | 18.104.22.168 | NL | LEASEWEB-NL Netherlands, NL
No idea if these are actually infected systems, or if these systems are just scanning for various research projects as well. Right now, none of the systems appears up.
Researchers say they've uncovered a family of Android-based malware that has compromised more than 1 million Google accounts, hundreds of them associated with enterprise users.
Gooligan, as researchers from security firm Check Point Software Technologies have dubbed the malware, has been found in at least 86 apps available in third-party marketplaces. Once installed, it uses a process known as rooting to gain highly privileged system access to devices running version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) and version 5 (Lollipop) of Google's Android operating system. Together, the vulnerable versions account for about 74 percent of users.
The rooted devices then download and install software that steals the authentication tokens that allow the phones to access the owner's Google-related accounts without having to enter a password. The tokens work for a variety of Google properties, including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite. In a blog post published Wednesday morning, Check Point researchers wrote:
by Sebastian Anthony
The number of reported webcam blackmail cases has more than doubled in the past year, and at least four suicides in the UK have been connected to this form of sextortion, says the National Crime Agency.
The NCA's Anti-Kidnap and Extortion unit has seen 864 cases of financially motivated webcam blackmail so far this year, up from 385 for the whole of 2015. The NCA believes the true number is a lot higher, though, due to significant under-reporting. Most victims (95 percent) were men or boys; men between 21 and 30 represent the largest group, but boys between 11 and 20 were also a "substantial portion."
The four sextortion-linked suicides have all been men and boys—and again, that figure could be under-reported.