April 28, SecurityWeek – (International) Critical, high severity flaws patched in Firefox. Mozilla released its web browser, Firefox 46 that patched a total of 14 vulnerabilities including 4 critical vulnerabilities affecting the browser engine, which could cause crashes and potential arbitrary code execution, as well as a high severity vulnerability that could be exploited via specially crafted Web content and cause an exploitable crash, among other flaws. Source
April 28, The Register – (International) Time for a patch: Six vulns fixed in NTP daemon. Security researchers from Cisco’s Talos Security Intelligence and Researcher Group discovered five vulnerabilities in Network Time Protocol daemon (ntpd) after its ongoing ntpd evaluation revealed attackers could craft User Datagram Protocol (UDP) packets to cause a denial-of-service (DoS) condition or prevent the correct time from being set, among other actions. The vulnerabilities were patched in Network Time Protocol (NTP) version 4.2.8p7. Source
April 28, SecurityWeek – (International) Cisco finds backdoor installed on 12 million PCs. Cisco’s Talos Security Intelligence and Research Group reported that a Tuto4PC’s OneSoftPerDay application was discovered to install potentially unwanted programs (PUPs), harvest users’ personal information, and was considered to be a backdoor for 12 million personal computers (PCs) after an analysis revealed that an increase in generic trojans were found when about 7,00 unique samples displayed names including “Wizz” in some of the domains. Source
April 27, SC Magazine – (International) Over 7M Minecraft mobile credentials exposed after Lifeboat data breach. Lifeboat Networks reported April 27 that its network was compromised in January, exposing its users’ login names, passwords, and email addresses in the Minecraft Pocket Edition mobile game after a security researcher found over 7 million user credentials were available online. Lifeboat forced its customers to reset their passwords discretely and stated they started using stronger algorithms to guard user data. Source
April 27, Softpedia – (International) Waze drivers can be tracked, network flooded with fake traffic. Six researchers from the University of California, University of Santa Barbara, and the Tsinghua University discovered that they could create fake traffic jams and track the movements of any Waze user by reverse engineering the Waze app communications protocol and creating Sybil attacks to insert thousands of malicious users inside the Waze networks. The attacks could manipulate the app’s behavior and allow attackers to pose as Waze users when communicating with the app’s Google server. Source
April 27, SecurityWeek – (International) Attackers increasingly abuse open source security tools. Security researchers from Kaspersky Lab reported that the open source security tool, Browser Exploitation Framework (BeEF) was being leveraged by an advanced persistent threat (APT) group named NewsBeef to track and steal users’ browsing history from compromised Web sites through flaws in content management systems. In addition, researchers reported that other APT actors were using open source tools in their operations to execute malware across the globe. Source
April 27, SecurityWeek – (International) Verizon 2016 DBIR: What you need to know. Verizon released its 2016 Data Breach Investigations Report (DBIR) which revealed current information technology (IT) trends and the overall cyberattack landscape after conducting an analysis on over 100,000 security incidents, which confirmed 2,260 data breaches occurred across 82 different countries in 2015, with the majority of breaches occurring due to human nature via phishing campaigns. Source
Reprinted from the USDHS Daily Open Source Infrastructure Report