Week in review: Android ransomware multiplies, FireEye censors researcher

Here’s an overview of some of last week’s most interesting news and articles:


Hacker had access to sensitive info about Firefox bugs for over a year
Mozilla has announced that an attacker managed to access security-sensitive information about a considerable number of (at the time) unpatched Firefox vulnerabilities, and that there is evidence that at least one of them has been exploited in attacks in the wild.

Android ransomware masquerades as Adult Player app, takes photo of victim
A new mobile ransomware variant uses a clever new technique to push affected users to pay the asked-for ransom: it takes a photo of the user with the phone’s front-facing camera, and inserts that photo in the ransom message.

End-to-end encryption is key for securing the Internet of Things
Every IoT device is an endpoint, like a PC or smartphone, which means every one is a potential back door for hackers. Worse, many IoT devices are connected to mission-critical equipment, such as switches at electric utility substations, or telemedicine monitors in patients’ homes.

Encryptr: Open source cloud-based password manager
Encryptr is based on the Crypton JavaScript framework. The whole idea behind the Crypton concept is to enable developers to store data on the remote server in such a way that the server doesn’t know what that data is.

Vulnerabilities in WhatsApp Web affect 200 million users globally
Significant vulnerabilities can be exploited in WhatsApp Web, the web-based extension of the popular WhatsApp application for phones.

Ashley Madison developers not big on security
Just a ten-minute browsing session of the leaked Ashley Madison source code revealed to infosec consultant Gabor Szathmari a number of security mistakes that have likely helped the attackers move within the company’s networks.

Zero-day bugs in Kaspersky and FireEye products found, exploits disclosed
A slew of vulnerabilities – some already patched and some still not – have been revealed to affect several security offerings by some of the most trusted names in the security market.

New Android malware could inflict $250,000 of losses
Bitdefender has uncovered CAPTCHA-bypassing Android malware, purposefully left in Google Play apps by unscrupulous developers, with the aim of subscribing thousands of users to premium-rate services.

Security pros acknowledge risks from untrusted certificates but take no action
A Venafi survey of 300 Black Hat USA 2015 attendees reveals that most IT security professionals understand and acknowledge the risks associated with untrustworthy certificates and keys, but take no action. The survey also reveals that some information security pros don’t understand what security services CAs do and do not provide.

Cyberespionage group exploits satellites for ultimate anonymity
While investigating the infamous Russian-speaking cyberespionage actor Turla, Kaspersky Lab researchers have discovered that the group is evading detection of its activity and of the physical location of its command and control (C&C) servers by using security weaknesses in global satellite networks.

How talking to recognition technologies will change us
Ernest Hemingway once said, “I have learned a great deal from listening carefully. Most people never listen.” Perhaps, like most of the things we do, technology will absolve us of that requirement too – it will listen for us. In fact, it seems that soon, technology will be listening to us all the time, everywhere.

PIN-changing, screen-locking Android ransomware
A sophisticated new piece of ransomware targeting Android users and locking them out of their devices by changing the PIN has been discovered by ESET researchers.

Aggressive tactics from DD4BC extortionist group revealed
Akamai shared details of an increase in DDoS attacks from the Bitcoin extortionist group DD4BC, based on observation of attack traffic targeted at customers from September 2014 through August 2015. Since April 2015, they identified 114 DD4BC attacks, including more aggressive measures that target brand reputation through social media.

Attack code for critical Android Stagefright flaw published
After having graciously waited for quite a while to publish the exploit for the Android Stagefright vulnerability (CVE-2015-1538) so that Google, mobile carriers and device manufacturers might push out a patch and protect users, Zimperium researchers released the code on Wednesday.

US Energy Department’s systems breached 159 times in four years
The US DOE is responsible, among other things, for the nation’s nuclear weapons program, energy conservation, radioactive waste disposal, and domestic energy production.

The White House sprints to lock down data
US government Chief Information Officer (CIO) Tony Scott has been working with federal agencies to complete 30-day “cyber sprints” to patch gaping holes in US Government security after a second breach at the Office of Personnel Management (OPM) exposed personal details of millions of federal workers, leaving them open to blackmail and spear phishing attacks by cybercriminals.

Internet of Things: Security misconceptions, expectations, and the future
Nitesh Dhanjani is a well-known security researcher, writer, and speaker. He recently released his latest book, Abusing the Internet of Things: Blackouts, Freakouts, and Stakeouts, so it was the perfect time to have a conversation about IoT security.

63% in favor of encryption backdoors to respond to national security threats
Vormetric did a survey on how Americans view “backdoor” access by government entities to the encrypted data of private businesses.

FireEye legally censors crucial parts of a researcher’s talk at 44CON
Felix Wilhelm, a researcher with German security firm ERNW, was scheduled to give a talk at 44CON on Thursday about the critical vulnerabilities he and his colleagues found in a FireEye NX device running the webMPS operating system. And he did – but unfortunately part of his talk was ultimately censored by FireEye.

Apple complicates app sideloading in iOS 9 for increased security
Making things easier for users is generally a good idea, but sometimes complicating a process could lead to increased security, and should be the preferred option.

The cost of EMV compliance
Credit card companies are making the final call for US merchants to switch over to EMV chip technology in anticipation of the looming deadline. Merchants now have less than one month to update their point-of-sale (POS) terminals to accommodate the new payment technology.