Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On July 28, 2016

July 27, Softpedia – (International) Two vulnerabilities affect LastPass, both allow full password compromise. A Detectify researcher disclosed a vulnerability in the JavaScript code LastPass uses to parse the Uniform Resource Locator (URL) of the page it is working on: the parser mis-identified the host of a URL of the form “attacker-site.com/@twitter.com/@script.php” as twitter.com, so an attacker who tricked a user into visiting such a page on the attacker’s site could have the extension autofill, and thereby leak, the user’s stored credentials for the impersonated site. That vulnerability has been patched; a second vulnerability, reported by a Google Project Zero researcher and described as allowing a complete LastPass compromise, is currently being evaluated by the service. Source
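How a URL of the form quoted above fools a hand-rolled host extractor but not a real URL parser, as an added example that is not part of the original alert and not LastPass’s code. The naive extractor is a constructed stand-in for the bug class (treating the text after an “@” as the start of the host name); it is compared with Python’s urlsplit, which, like a browser’s URL parser, ends the authority section at the first “/” so that nothing in the path can become the host. The autofill_allowed helper, the second sample URL and the hostnames are illustrative assumptions.

```python
"""Added example: naive host extraction versus a real URL parser."""
import re
from urllib.parse import urlsplit


def naive_host(url: str) -> str:
    """Constructed naive extractor representing the bug class.

    Strips an optional scheme and, if an "@" occurs anywhere, assumes the host
    starts right after the first "@". RFC 3986 only allows the userinfo "@"
    inside the authority, i.e. before the first "/" of the path, so an "@"
    placed in the path hijacks the result.
    """
    rest = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)
    at = rest.find("@")
    if at >= 0:
        rest = rest[at + 1:]
    m = re.match(r"[^/:?#]+", rest)
    return m.group(0).lower() if m else ""


def safe_host(url: str) -> str:
    """Let the standard parser find the authority; the path never contributes."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return ""
    return (host or "").lower()


def autofill_allowed(page_url: str, saved_host: str, host_fn) -> bool:
    """Illustrative policy: fill credentials only for an exact host match."""
    host = host_fn(page_url)
    return host != "" and host == saved_host.lower()


# The URL shape quoted in the alert, with an explicit scheme added.
ATTACK_URL = "http://attacker-site.com/@twitter.com/@script.php"
# Constructed: a legitimate URL with real userinfo, which both parsers get right.
USERINFO_URL = "http://alice@twitter.com/login"

if __name__ == "__main__":
    for name, fn in (("naive", naive_host), ("urlsplit", safe_host)):
        print(f"{name:9s} host={fn(ATTACK_URL)!r:22s} "
              f"autofill twitter.com credentials: "
              f"{autofill_allowed(ATTACK_URL, 'twitter.com', fn)}")
```

The naive extractor reports twitter.com for the attack URL and would release the Twitter credentials on the attacker’s page; urlsplit reports attacker-site.com and the autofill check fails. For the legitimate userinfo URL both return twitter.com, which is why such a parser can pass ordinary tests and still be exploitable.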

July 27, Help Net Security – (International) DDoS attacks increase 83%, Russia top victim. Nexusguard released a report showing that distributed denial-of-service (DDoS) attacks increased 83 percent to more than 182,900 attacks in the second quarter of 2016, with Russia as the top victim country. The U.S. and China were part of the top three targeted countries as the company also reported increases in routing information protocol (RIP) and multicast domain name service (mDNS) threats. Source

July 27, SecurityWeek – (International) Siemens patches flaws in industrial automation products. Siemens released software updates addressing several vulnerabilities found in SIMATIC and SINEMA products including a cross-site scripting (XSS) vulnerability in the integrated Web server of SINEMA Remote Connect Server which can be exploited by a remote attacker by tricking the user into clicking on a specially crafted link, as well as two high severity improper input validation bugs that were discovered in SIMATIC WinCC SCADA systems and PCS7 distributed control systems (DCS), among other vulnerabilities. Source

July 27, Help Net Security – (International) Osram’s intelligent home lighting system is riddled with flaws. A researcher from Rapid7 discovered nine vulnerabilities affecting the Home and Pro versions of Osram’s Lightify intelligent home lighting system (mobile apps for Apple iOS 7 or above and Android 4.1 or above) that could allow attackers to recover the Wi-Fi Protected Access (WPA) pre-shared key, i.e. the password of the user’s home Wi-Fi network, to launch browser-based attacks against the user’s workstation, to control the light installations, and to access confidential data. The vendor addressed nearly all of the problems in its latest patch set, with the exception of Secure Sockets Layer (SSL) pinning and issues related to ZigBee rekeying. Source

July 26, Help Net Security – (International) Low-cost wireless keyboards open to keystroke sniffing and injection attacks. Bastille Networks researchers reported a set of security flaws, collectively dubbed KeySniffer, in low-cost wireless keyboards from at least 8 different vendors. Because these keyboards transmit keystrokes to their Universal Serial Bus (USB) dongle without encryption, an attacker within radio range can capture passwords, security questions, and other sensitive financial and personal information, and can also inject keystrokes. Researchers noted that Bluetooth keyboards, wired keyboards, and higher-end wireless keyboards are not susceptible to KeySniffer. Source

July 26, Softpedia – (International) Patchwork cyber-espionage group evolves to target enterprises. Researchers from Cymmetria and Symantec reported that the Patchwork cyber-espionage group, an advanced persistent threat (APT) also known as Dropping Elephant, has begun targeting aviation, energy, financial, pharmaceutical, and software companies, among others, with malicious Microsoft PowerPoint and Word files that install the Enfourks and Steladok backdoor trojans to obtain sensitive information from infected computers. Source

July 26, Help Net Security – (International) Amazon Silk browser removes Google’s default encryption. Amazon released version 51.2.1 of its Silk browser, patching a flaw that caused Google searches to be sent without Secure Sockets Layer (SSL) protection, exposing users’ search queries to man-in-the-middle (MitM) attacks. Source

July 25, Softpedia – (International) Windows 10 disk cleanup utility abused to bypass UAC. Security researchers advised Microsoft Windows 10 users to uncheck the “Run with highest privileges” option on the scheduled task that launches the Disk Cleanup utility (SilentCleanup) following the discovery of a method to bypass the Windows User Account Control (UAC) security mechanism, potentially allowing malicious code to run with elevated privileges without prompting the user. When the task runs Disk Cleanup, the utility copies DismHost.exe and its Dynamic Link Library (DLL) files to a temporary folder under the user’s profile and loads LogProvider.dll last; because the folder is writable by the user, that delay gives an attacker a window in which to replace LogProvider.dll with a malicious DLL that is then loaded by the elevated process. Source
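An audit for the setting the researchers advise changing, as an added example that is not the article’s or Microsoft’s code. It reads a Task Scheduler XML export, reports the task principal’s RunLevel and flags HighestAvailable, which is what the “Run with highest privileges” checkbox sets. The embedded XML is a constructed sample resembling the SilentCleanup task, not a real export; the --live switch, the export path through schtasks, and the handling of its output encoding are assumptions about the environment.

```python
"""Added example: flag scheduled tasks that run at the highest privilege level."""
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SILENTCLEANUP = r"\Microsoft\Windows\DiskCleanup\SilentCleanup"

# Constructed sample resembling the SilentCleanup task as exported by
# "schtasks /Query /TN <task> /XML"; values are illustrative, not a real export.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\cleanmgr.exe</Command>
      <Arguments>/autoclean /d %systemdrive%</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def audit_task_xml(xml_text: str) -> dict:
    """Return the principal's RunLevel, whether it is elevated, and what the task runs."""
    # Drop the declaration: an export may claim UTF-16 for text we already decoded.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text).lstrip()
    root = ET.fromstring(body)
    # The schema default when RunLevel is absent is LeastPrivilege.
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=TASK_NS)
    commands = [(ex.findtext("t:Command", default="", namespaces=TASK_NS),
                 ex.findtext("t:Arguments", default="", namespaces=TASK_NS))
                for ex in root.iterfind("t:Actions/t:Exec", TASK_NS)]
    return {"run_level": run_level,
            "elevated": run_level == "HighestAvailable",
            "commands": commands}


def export_task_xml(task_name: str) -> str:
    """Live mode, Windows only: export one task's definition with schtasks."""
    proc = subprocess.run(["schtasks", "/Query", "/TN", task_name, "/XML"],
                          capture_output=True, check=True)
    raw = proc.stdout
    # Assumption: output is either BOM-prefixed UTF-16 or console-code-page text
    # whose XML content is ASCII; adjust if your console code page differs.
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    xml_text = export_task_xml(SILENTCLEANUP) if "--live" in sys.argv else SAMPLE_TASK_XML
    report = audit_task_xml(xml_text)
    status = ("ELEVATED: runs with highest privileges" if report["elevated"]
              else f"run level {report['run_level']}")
    print(f"{SILENTCLEANUP}: {status}")
    for command, arguments in report["commands"]:
        print(f"  runs: {command} {arguments}")
```

Run it without arguments to see the finding on the constructed sample, or with --live on a Windows 10 host to audit the real task. A task reported as elevated can be changed to the limited run level with schtasks /Change /TN "\Microsoft\Windows\DiskCleanup\SilentCleanup" /RL LIMITED, or by unchecking the option in the task’s Properties dialog; the same audit applies to any other auto-elevating task that loads DLLs from a user-writable folder.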

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

July 26, Dark Reading – Obama Issues Federal Government Policy For Cyberattack Response. A new Presidential Policy Directive, PPD-41, formalizes how key federal agencies coordinate and respond to cyberattacks on federal and private networks. On July 26 President Obama issued the directive, which specifies how federal agencies operate, coordinate, and respond to major cyberattacks and cyber incidents that threaten national security, the government, the economy, or critical infrastructure. PPD-41 designates the FBI and the National Cyber Investigative Joint Task Force, under the U.S. Department of Justice, as the lead for threat response, and the U.S. Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center (NCCIC), as the lead for “asset” response. The Office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, is the lead agency for intelligence support and related efforts, the directive states. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.