Slashdot Mirror

Scientists published a paper Friday detailing a new Spectre-class CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine. From a report: This new attack --codenamed NetSpectre -- is a major evolution for Spectre attacks, which until now have required the attacker to trick a victim into downloading and running malicious code on his machine, or at least accessing a website that runs malicious JavaScript in the user's browser. But with NetSpectre, an attacker can simply bombard a computer's network ports and achieve the same results. Although the attack is innovative, NetSpectre also has its downsides (or positive side, depending on what part of the academics/users barricade you are). The biggest is the attack's woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU's cache.

The Google Play Store is no longer welcoming apps that mine cryptocurrencies on users' devices. The new policy plainly states: "We don't allow apps that mine cryptocurrency on devices." As a result, Google will start to remove any app from the Play Store that violates these terms. It will however still allow mining apps that are used to control cryptocurrency mining operations on remote devices -- such as servers or desktops. Bleeping Computer reports: Preventing cryptocurrency mining on Android is crucial because untethered mining operations can easily overheat or destroy batteries -- or even devices if the battery case deforms, leaks, or catches fire. Such scenarios have already happened. Android malware strains like Loapi and HiddenMalware have been known to cause physical damage to infected smartphones. Google didn't publicly announce the policy change, but developers who had apps removed complained on Reddit. Other policy changes were also made, such as the decision to ban apps with repetitive content. You can read the new "Restricted Content" section of the Play Store Policy Center here, and compare it to an earlier version here.

Microsoft said today that hackers compromised a font package installed by a PDF editor app and used it to deploy a cryptocurrency miner on users' computers. From a report: The OS maker discovered the incident after its staff received alerts via the Windows Defender ATP, the commercial version of the Windows Defender antivirus. Microsoft employees say they investigated the alerts and determined that hackers breached the cloud server infrastructure of a software company providing font packages as MSI files. These MSI files were offered to other software companies. One of these downstream companies was using these font packages for its PDF editor app, which would download the MSI files from the original company's cloud servers during the editor's installation routine.

An anonymous reader shares a report: Mozilla engineers are preparing to remove one of the Firefox browser's oldest features -- its built-in support for RSS and Atom feeds, and inherently, the "Live Bookmarks" feature. All Firefox users are probably well accustomed to this feature, albeit not many have ever used it. This feature powers the browser's ability to detect when users are accessing an RSS/Atom feed and then show a special page that lets them subscribe to the feed with a custom feed reader or the browser's built-in "Live Bookmarks" feature. [...] In a recent discussion on the company's bug tracker, Mozilla engineers said they plan to remove feed support sometime later this year, with the release of Firefox 63 or Firefox 64 --scheduled for October and December, respectively.

Catalin Cimpanu, writing for Bleeping Computer: An investigation by AdGuard has revealed a common link between several Chrome and Firefox extensions and Android and iOS apps that were caught collecting highly personal user data through various shady tactics. The common link between all extensions and mobile apps is a company named Big Star Labs. AdGuard estimates these apps had been installed on around 11 million devices.

An anonymous reader writes: In a letter sent today, Oregon Senator Ron Wyden asked officials from three government agencies (NIST, NSA, DHS) to come up with solutions and procedures that mandate the removal of Adobe Flash content from all US government websites by August 1, 2019. The Senator is urging US government officials to act in light of Adobe's Flash end-of-life date scheduled for the end of 2020, after which Adobe announced it would cease to provide any technical support for the software.

Senator Wyden is hoping to avoid a situation like the one of Windows XP, which US government agencies still use, despite Microsoft retiring the operating system back in 2014. Besides removing Flash from its websites, the Senator would also want Flash removed from computer of employees by the same August 1, 2019 deadline.

An anonymous reader writes: "Scientists from the University of California, Riverside (UCR) have published details last week about a new Spectre-class attack that they call SpectreRSB," reports Bleeping Computer. "Just like all 'Spectre-class' attacks, SpectreRSB takes advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. The difference from previous Spectre-like attacks is that SpectreRSB recovers data from the speculative execution process by attacking a different CPU component involved in this 'speculation' routine, namely the Return Stack Buffer (RSB)." In a research paper, academics say they've used SpectreRSB attacks to recover data belonging to other processes, and have even tricked the RSB into spilling SGX secrets. The attack works on Intel, AMD, and ARM processors, known to use RSB. The attack can also bypass all the mitigations put in place for the original Spectre/Meltdown flaws.

Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.

Catalin Cimpanu, writing for BleepingComputer: Academics from multiple universities have announced fixes for two severe security flaws known as Spectre and Rowhammer. Both these fixes are at the software level, meaning they don't require CPU or RAM vendors to alter products, and could, in theory, be applied as basic software patches.

The first of these new mitigation mechanisms was announced on Thursday, last week. A research team from Dartmouth College in New Hampshire says it created a fix for Spectre Variant 1 (CVE-2017-5753), a vulnerability discovered at the start of the year affecting modern CPUs. Their fix uses ELFbac, an in-house-developed Linux kernel patch that brings access control policies to runtime virtual memory accesses of Linux processes, at the level of ELF binary executables.

[...] The second fix for a major flaw announced last week came on Saturday from the Systems and Network Security Group at VU Amsterdam. Researchers announced a new technique called ZebRAM that they said is a comprehensive software protection against Rowhammer attacks.

Cisco released 25 security updates Wednesday, including a critical patch removing an undocumented password for "root" accounts of Cisco Policy Suite (sold to ISPs and large corporate clients). "The vulnerability received a rare severity score of 9.8 out of a maximum of 10 on the CVSSv3 scale," reports Bleeping Computer.

An anonymous reader quotes Tom's Hardware: Over the past few months, not one, not two, but five different backdoors joined the list of security flaws in Cisco routers.... In March, a hardcoded account with the username "cisco" was revealed. The backdoor would have allowed attackers to access over 8.5 million Cisco routers and switches remotely. That same month, another hardcoded password was found for Cisco's Prime Collaboration Provisioning software, which is used for remote installation of Cisco's video and voice products. Later this May, Cisco found another undocumented backdoor account in Cisco's Digital Network Architecture Center, used by enterprises for the provisioning of devices across a network. In June, yet another backdoor account was found in Cisco's Wide Area Application Services, a software tool for Wide Area Network traffic optimization...

Whether or not the backdoor accounts were created in error, Cisco will need to put an end to them before this lack of care for security starts to affect its business.

Catalin Cimpanu, writing for BleepingComputer: For the past year, Android malware authors have been increasingly relying on a solid trick for bypassing Google's security scans and sneaking malicious apps into the official Play Store. The trick relies on the use of a technique that's quite common in desktop-based malware, but which in the last year is also becoming popular on the Android market. The technique involves the usage of "droppers," a term denoting a dual or multiple-stage infection process in which the first stage malware is often a simplistic threat with limited capabilities, and its main role is to gain a foothold on a device in order to download more potent threats. But while on desktop environments droppers aren't particularly efficient, as the widespread use of antivirus software detects them and their second-stage payloads, the technique is quite effective on the mobile scene.

Catalin Cimpanu, reporting for BleepingComputer: A notorious hacker group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router. The victim of the hack is PIR Bank, which lost at least $920,000 in money it had stored in a corresponding account at the Bank of Russia. Group-IB, a Russian cyber-security firm that was called in to investigate the incident, says that after studying infected workstations and servers at PIR Bank, they collected "irrefutable digital evidence implicating MoneyTaker in the theft." Group-IB are experts in MoneyTaker tactics because they unmasked the group's existence and operations last December when they published a report on their past attacks.

An anonymous reader shares a report: RoboCent, a Virginia Beach-based political robocall firm, has exposed the personal details of hundreds of thousands of US voters, according to the findings of a security researcher who stumbled upon the company's database online. The researcher, Bob Diachenko of Kromtech Security, says he discovered the data using a recently launched online service called GrayhatWarfare that allows users to search publicly exposed Amazon Web Services data storage buckets. Such buckets should never be left exposed to public access, as they could hold sensitive data.

Speaking on the sidelines of the Surface Go launch, Microsoft's Panos Panay, who heads the Surface division, once again very much reiterated that the company has moved past its smartphone ambitions. From a report: In an interview with Wired, Microsoft's Surface head Panos Panay confirmed that the company is working on new form factors. When questioned about whether this would include a new Surface Phone, Panay stated that the Surface Phone was not one that they are thinking about at this time. "I wouldn't say that it includes a Surface Phone," Panos answered in the interview. "I think you have to think about where is that unmet need when you're thinking about your product road-map," he replied. "Of course, we're always inventing, of course, we're thinking about new form factors," Panos added. "The way people will communicate in the future will change. The form factors will wrap around that. And so when you say the phone form factor changes, I would flip it a little bit and say that communication changes."

An anonymous reader writes: "Login passwords for tens of thousands of Dahua devices have been cached inside search results returned by ZoomEye, a search engine for discovering Internet-connected devices (also called an IoT search engine)," reports Bleeping Computer. A security researcher has recently discovered that instead of just indexing IoT devices, ZoomEye is also sending an exploitation package to devices and caching the results, which also include cleartext DDNS passwords that allow an attacker remote access to these devices. Searching for the devices is trivial and simple queries can unearth tens of thousands of vulnerable Dahua DVRs. According to the security researcher who spotted these devices, the trick has been used in the past year by the author of the BrickerBot IoT malware, the one who was on a crusade last year, bricking unsecured devices in an attempt to have them go offline instead of being added to IoT botnets.

An anonymous reader shares a report: A hacker gained access to a developer's npm account earlier this week and injected malicious code into a popular JavaScript library, code that was designed to steal the npm credentials of users who utilize the poisoned package inside their projects. The JavaScript (npm) package that got compromised is called eslint-scope, a sub-module of the more famous ESLint, a JavaScript code analysis toolkit. The hack took place on the night between July 11 and 12, according to the results of a preliminary investigation posted on GitHub a few hours ago. "One of our maintainers did observe that a new npm token was generated overnight (said maintainer was asleep)," said Kevin Partington, ESLint project member. Partington believes the hacker used the newly-generated npm token to authenticate and push a new version of the eslint-scope library on the npm repository of JavaScript packages.

Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they've named Spectre 1.1 and Spectre 1.2. From a report: Just like all the previous Meltdown and Spectre CPU bugs variations, these two take advantage of the process of speculative execution -- a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data. According to researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections. Spectre 1.1 is very similar to the Spectre variant 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1." As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.

Google has quietly enabled a security feature called Site Isolation for 99% of its desktop users on Windows, Mac, Linux, and Chrome OS. This happened in Chrome 67, released at the end of May. From a report: Site Isolation isn't a new feature per-se, being first added in Chrome 63, in December 2017. Back then, it was only available if users changed a Chrome flag and manually enabled it in each of their browsers. The feature is an architectural shift in Chrome's modus operandi because when Site Isolation is enabled, Chrome runs a different browser process for each Internet domain. Initially, Google described Site Isolation as an "additional security boundary between websites," and as a way to prevent malicious sites from messing with the code of legitimate sites.

New submitter secwatcher shares a report: A hacker is selling sensitive military documents on online hacking forums, a security firm has discovered. Some of the sensitive documents put up for sale include maintenance course books for servicing MQ-9 Reaper drones, and various training manuals describing comment deployment tactics for improvised explosive device (IED), an M1 ABRAMS tank operation manual, a crewman training and survival manual, and a document detailing tank platoon tactics. US-based threat intelligence firm Recorded Future discovered the documents for sale online. They say the hacker was selling the data for a price between $150 and $200, a very low asking price for such data. Recorded Future says it engaged the hacker online and discovered that he used Shodan to hunt down specific types of Netgear routers that use a known default FTP password. The hacker used this FTP password to gain access to some of these routers, some of which were located in military facilities, he said.

An anonymous reader shares a report: Malware has been discovered in at least three Arch Linux packages available on AUR (Arch User Repository), the official Arch Linux repository of user-submitted packages. The malicious code has been removed thanks to the quick intervention of the AUR team. The incident happened because AUR allows anyone to take over "orphaned" repositories that have been abandoned by their original authors. On Saturday, a user going by the pseudonym of "xeactor" took over one such orphaned package named "acroread" that allows Arch Linux users to view PDF files. According to a Git commit to the packag's source code, xeactor added malicious code that would download a file named "~x" from ptpb [dot] pw, a lightweight site mimicking Pastebin that allows users to share small pieces of texts.

Catalin Cimpanu, reporting for BleepingComputer: A hacker has breached a Hola VPN developer account and has replaced the official Chrome extension with one that redirected users of the MyEtherWallet.com website to a phishing page controlled by the attacker. The compromise took place yesterday and only lasted for five hours the MyEtherWallet (MEW) team said in a tweet. The Hola VPN team admitted to the hack. "The attack was programmed to inject a JavaScript tag in to the MEW site to 'phish' information about MEW accounts that are logging in without being in 'incognito mode', by re-directing the MEW users to the hacker's website," the Hola VPN team said.

Security researchers have discovered a new malicious campaign that utilizes stolen D-Link certificates to sign malware. From a report: A lesser-known cyber-espionage group known as BlackTech was caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign. "The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert. Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads -- the first is the PLEAD backdoor, while the second is a nondescript password stealer. According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan. The password stealer isn't anything special, being capable of extracting passwords from only four apps -- Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.

Catalin Cimpanu, writing for BleepingComputer: A cyber-espionage group that has targeted Palestinian law enforcement last year is now back in action targeting Palestinian government officials. These recent attacks started in March 2018, according to evidence surfaced by Israel-based cyber-security firm Check Point. The new attacks seem to fit the same modus operandi of a group detailed in two reports from Cisco Talos and Palo Alto Networks last year.

Those reports detailed a spear-phishing campaign aimed at Palestinian law enforcement. The malicious emails tried to infect victims with the Micropsia infostealer, a Delphi-based malware that contained many strings referencing characters from the Big Bang Theory and Game Of Thrones TV shows. Now, the same group appears to be back, and the only thing they've changed is the malware, which is now coded in C++. The TV shows references are still there, this time with mentions to the Big Bang Theory, but also a Turkish TV series named "Resurrection: Ertugrul."

Public exploit code has been published for a severe vulnerability which last year affected Hewlett Packard Integrated Lights-Out 4 (HP iLO 4), a tool for remotely managing the company's servers.

HPE "silently released" patches last August, an anonymous reader reports, adding "details only emerged this spring after researchers started presenting their work at security conferences." The vulnerability is an authentication bypass that allows attackers access to HP iLO consoles. Researchers say this access can later be used to extract cleartext passwords, execute malicious code, and even replace iLO firmware. But besides being a remotely exploitable flaw, this vulnerability is also as easy as it gets when it comes to exploitation, requiring a cURL request and 29 letter "A" characters, as below:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

Because of its simplicity and remote exploitation factor, the vulnerability — tracked as CVE-2017-12542 — received a severity score of 9.8 out of 10.

Catalin Cimpanu, writing for BleepingComputer: A recent study conducted by academics from the University of Hertfordshire in the UK has revealed that almost two-thirds of second-hand memory cards still contain remnants of personal data from previous owners. For their study, researchers analyzed 100 second-hand SD and micro SD memory cards purchased from eBay, conventional auctions, second-hand shops, and other sources over a four-month period. All in all, researchers say the memory cards they recovered were previously used in smartphones and tablets, but some cards were also used cameras, SatNav systems, and even drones. The research team says the analysis process consisted of creating a bit-by-bit image of the card and then using freely available software to see if they could recover any data from the card. Their efforts were successful and worrisome at the same time, as the team says it managed to recover data from the memory cards, including intimate photos, selfies, passport copies, contact lists, navigation files, pornography, resumes, browsing history, identification numbers, and other personal documents.

Catalin Cimpanu, writing for BleepingComputer: Two privacy-focused organizations have this week accused German police of carrying out raids at their offices and members' private homes on some pretty shoddy reasoning that makes no sense and hints at the police's abuse of power. The first of these organizations is Zwiebelfreunde, a non-profit group based in Dresden that runs Tor relay servers and supports privacy and anonymity projects by providing legal and financial help. One of the ways it helps these projects includes collecting donations from European users into its bank account and then relaying the raised money to overseas projects. Today, members of the Zwiebelfreunde project revealed that German police had raided their Dresden office and the homes of three members located in the cities of Augsburg, Jena, and Berlin. The raids took place on June 20, and police told Zwiebelfreunde members they were in relation to the RiseUp project, a provider of anonymous XMPP and email services.

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle

An anonymous reader shares a report: Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs. Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts of crafting an exploit that can deploy weaponized malware on a victim's system. With each passing day, more and more exploits are being uploaded on VirusTotal.

An anonymous reader shares a report: Malware authors are frantically trying to weaponize a new infection vector that was revealed at the start of June. The trick relies on using Windows Settings (.SettingContent-ms) shortcut files in order to achieve code execution on Windows 10 PCs. Ever since SpecterOps security researcher Matt Nelson published his research on the matter three weeks ago, malware authors have been playing around with proof-of-concept code in attempts of crafting an exploit that can deploy weaponized malware on a victim's system. With each passing day, more and more exploits are being uploaded on VirusTotal.

Catalin Cimpanu, writing for BleepingComputer: The release of Google Chrome 67 has reopened a "download bomb" bug that was exploited by tech support scammers last winter, and which had been fixed with the release of Chrome 65 in March 2018. Furthermore, the issue also appears to affect other browsers as well, such as Firefox, Vilvadi, Opera, and Brave, according to tests carried out by Bleeping Computer. The "download bomb" trick is a technique that involves initiating hundreds or thousands of downloads to freeze a browser on a specific page. Across the years, there have been multiple variations of download bombs, and they have often been used by tech support scammers to trap users on shady sites that tried to lure victims into calling a tech support number to have their browser unlocked. Over the winter, security researchers from Malwarebytes noticed a tech support scam campaign that employed a new "download bomb" technique to trap users on its shady sites.

An anonymous reader writes: Security researchers say the Diameter protocol used with today's 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier. The vulnerabilities are happening because 4G operators are misconfiguring the Diameter protocol (a SS7 replacement) and using it in the same way as SS7.

The incorrect use of Diameter leads to the presence of several vulnerabilities in 4G networks that resemble the ones found in older networks that use SS7, and which Diameter was supposed to prevent. Researchers say that the Diameter misconfigurations they've spotted inside 4G networks are in many cases unique per each network but they usually repeat themselves to have them organized in five classes of attacks: (1) subscriber information disclosure, (2) network information disclosure, (3) subscriber traffic interception, (4) fraud, and (5) denial of service. Researchers warn that not fixing these vulnerabilities "could lead to sudden failure of ATMs, payment terminals, utility meters, car alarms, and video surveillance." This is because these types of devices often use 4G SIM card modules to connect to their servers when located in a remote area where classic Internet connections are not possible. Old SS7 attacks such as tracking users' location and intercepting SMS and phone calls are also possible via Diameter as well.

A team of academics has published research this week that describes three attacks against the mobile communication standard LTE (Long-Term Evolution), also known as 4G. From a report: Two of the three attacks are passive, meaning an attacker can watch LTE traffic and determine various details about the target, while the third is an active attack that lets the attacker manipulate data sent to the user's LTE device. According to researchers, the passive attacks allow an attacker to collect meta-information about the user's traffic (an identity mapping attack), while the second allows the attacker to determine what websites a user might be visiting through his LTE device (a website fingerprinting attack).

Exploit broker Zerodium is offering rewards of up to $500,000 for zero-days in UNIX-based operating systems like OpenBSD, FreeBSD, NetBSD, but also for Linux distros such as Ubuntu, CentOS, Debian, and Tails. From a report: The offer, first advertised via Twitter earlier this week, is available as part of the company's latest zero-day acquisition drive. Zerodium is known for buying zero-days and selling them to government agencies and law enforcement. The company runs a regular zero-day acquisition program through its website, but it often holds special drives with more substantial rewards when it needs zero-days of a specific category. The US-based company held a previous drive with increased rewards for Linux zero-days in February, with rewards going as high as $45,000. In another zero-day acquisition drive announced on Twitter this week, the company said it was looking again for Linux zero-days, but also for exploits targeting BSD systems. This time around, rewards can go up to $500,000, for the right exploit.

CaptainDork shares a report from Bleeping Computer: Starting yesterday, there have been numerous reports of people's Windows computers being infected with something called "All-Radio 4.27 Portable." After researching this heavily today, it has been determined that seeing this program is a symptom of a much bigger problem on your computer. If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help. Due to this, if you are infected with this malware, I strongly suggest that you create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer. Some of the VirusTotal scans associated with this infection have also indicated that an information stealing Trojan could have been installed by this malware bundle as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected. 6/29/18: The story has been updated to specify that this malware campaign is targeting Windows computers.

CaptainDork shares a report from Bleeping Computer: Starting yesterday, there have been numerous reports of people's Windows computers being infected with something called "All-Radio 4.27 Portable." After researching this heavily today, it has been determined that seeing this program is a symptom of a much bigger problem on your computer. If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help. Due to this, if you are infected with this malware, I strongly suggest that you create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer. Some of the VirusTotal scans associated with this infection have also indicated that an information stealing Trojan could have been installed by this malware bundle as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected. 6/29/18: The story has been updated to specify that this malware campaign is targeting Windows computers.

CaptainDork shares a report from Bleeping Computer: Starting yesterday, there have been numerous reports of people's Windows computers being infected with something called "All-Radio 4.27 Portable." After researching this heavily today, it has been determined that seeing this program is a symptom of a much bigger problem on your computer. If your computer is suddenly displaying the above program, then your computer is infected with malware that installs rootkits, miners, information-stealing Trojans, and a program that is using your computer to send send out spam.

Unfortunately, while some security programs are able to remove parts of the infection, the rootkit component needs manual removal help. Due to this, if you are infected with this malware, I strongly suggest that you create a malware removal help topic in our Virus Removal forum in order to receive one-on-one help in cleaning your computer. Some of the VirusTotal scans associated with this infection have also indicated that an information stealing Trojan could have been installed by this malware bundle as well. Therefore, it is strongly suggested that you change your passwords using a clean machine if you had logged into any accounts while infected. 6/29/18: The story has been updated to specify that this malware campaign is targeting Windows computers.

Almost all Android devices released since 2012 are vulnerable to RAMpage bug, an international team of academics has revealed today. From a report: The vulnerability, tracked as CVE-2018-9442, is a variation of the Rowhammer attack. Rowhammer is a hardware bug in modern memory cards. A few years back researchers discovered that when someone would send repeated write/read requests to the same row of memory cells, the write/read operations would create an electrical field that would alter data stored on nearby memory. In the following years, researchers discovered that Rowhammer-like attacks affected personal computers, virtual machines, and Android devices. Through further researcher, they also found they could execute Rowhammer attacks via JavaScript code, GPU cards, and network packets.

ProtonMail, a secure email service provider used by more than two million users and references of which has been made in shows like Mr. Robot, has been facing outages for the last two days as it fights numerous DDoS attacks. "The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes," a ProtonMail spokesperson told BleepingComputer, adding that it has tracked the attack to a group that claims to have ties to Russia. But things are more complicated than that, and it appears ProtonMail users, who are already annoyed at the frequent outages over the last few days, are up for more such downtimes in the coming days. BleepingComputer: But in reality, the DDoS attacks have no ties to Russia, weren't even planned to in the first place, and the group behind the attacks denounced being Russian, to begin with. Responsible for the attacks is a hacker group named Apophis Squad. In a private conversation with Bleeping Computer today, one of the group's members detailed yesterday's chain of events. The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.

The group didn't cite any reason outside "testing" for the initial and uncalled for attack on ProtonMail, which they later revealed to have been a 200 Gbps SSDP flood, according to one of their tweets. "After we sent the first attack, we downed it for 60 seconds," an Apophis Squad member told us. He said the group didn't intend to harass ProtonMail all day yesterday or today but decided to do so after ProtonMail's CTO, Bart Butler, responded to one of their tweets calling the group "clowns."

This was a questionable response on the part of the ProtonMail CTO, as it set the hackers against his company even more. "So we then downed them for a few hours," the Apophis Squad said. Subsequent attacks included a whopping TCP-SYN flood estimated at 500 Gbps, as claimed by the group.

ProtonMail, a secure email service provider used by more than two million users and references of which has been made in shows like Mr. Robot, has been facing outages for the last two days as it fights numerous DDoS attacks. "The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes," a ProtonMail spokesperson told BleepingComputer, adding that it has tracked the attack to a group that claims to have ties to Russia. But things are more complicated than that, and it appears ProtonMail users, who are already annoyed at the frequent outages over the last few days, are up for more such downtimes in the coming days. BleepingComputer: But in reality, the DDoS attacks have no ties to Russia, weren't even planned to in the first place, and the group behind the attacks denounced being Russian, to begin with. Responsible for the attacks is a hacker group named Apophis Squad. In a private conversation with Bleeping Computer today, one of the group's members detailed yesterday's chain of events. The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.

The group didn't cite any reason outside "testing" for the initial and uncalled for attack on ProtonMail, which they later revealed to have been a 200 Gbps SSDP flood, according to one of their tweets. "After we sent the first attack, we downed it for 60 seconds," an Apophis Squad member told us. He said the group didn't intend to harass ProtonMail all day yesterday or today but decided to do so after ProtonMail's CTO, Bart Butler, responded to one of their tweets calling the group "clowns."

This was a questionable response on the part of the ProtonMail CTO, as it set the hackers against his company even more. "So we then downed them for a few hours," the Apophis Squad said. Subsequent attacks included a whopping TCP-SYN flood estimated at 500 Gbps, as claimed by the group.

Catalin Cimpanu, reporting for BleepingComputer: The personal details and payment card data of guests from hundreds of hotels, if not more, have been stolen this month by an unknown attacker, Bleeping Computer has learned. The data was taken from FastBooking, a Paris-based company that sells hotel booking software to more than 4,000 hotels in 100 countries -- as it claims on its website.

In emails the company sent out to affected hotels today, FastBooking revealed the breach took place on June 14, when an attacker used a vulnerability in an application hosted on its server to install a malicious tool (malware). This tool allowed the intruder remote access to the server, which he used to exfiltrate data. The incident came to light when FastBooking employees discovered this malicious tool on its server.

An anonymous reader writes: A survey conducted among the tech workers, including many employees of Silicon Valley's elite tech companies, has revealed that over 57% of respondents are suffering from job burnout. The survey was carried out by the makers of an app that allows employees to review workplaces and have anonymous conversations at work, behind their employers' backs. Over 11K employees answered one question -- if they suffer from job burnout, and 57.16% said "Yes."

The company with the highest employee burnout rate was Credit Karma, with a whopping 70.73%, followed by Twitch (68.75%), Nvidia (65.38%), Expedia (65.00%), and Oath (63.03% -- Oath being the former Yahoo company Verizon bought in July 2017). On the other end of the spectrum, Netflix ranked with the lowest burnout rate of only 38.89%, followed by PayPal (41.82%), Twitter (43.90%), Facebook (48.97%), and Uber (49.52%).

An anonymous reader quotes a report from Bleeping Computer: Security researchers have found, on average, five security flaws in each cryptocurrency ICO held last year. Only one ICO held in 2017 did not contain any critical flaws. According to Positive.com, a security firm specialized in ICO security audits, most of the vulnerabilities they found, they discovered in the smart contracts at the base of the ICO itself.

"71% of tested projects contained vulnerabilities in smart contracts, the heart and soul of an ICO," the company said. "Once an ICO starts, the contract cannot be changed and is open to everyone, meaning anyone can view it and look for flaws. Typically, these would consist of non compliance with the ERC20 standard (the token interface for digital wallets and cryptocurrency exchanges), incorrect random number generation and incorrect scoping amongst others," Positive.com experts say. "Generally, these vulnerabilities occur due to lack of programmer expertise and insufficient source code testing." According to the researchers, all the mobile apps ICO organizers have launched in 2017 contained security flaws. "The most common flaws in mobile apps are the use of insecure data transfer methods, storage of user data in phone backups, and disclosure of session IDs that an attacker could capture and use against the user," reports Bleeping Computer. Security bugs were also found in the web apps.

Catalin Cimpanu, reporting for BleepingComputer: Upcoming additions to the WebAssembly standard may render useless some of the mitigations put up at the browser level against Meltdown and Spectre attacks, according to John Bergbom, a security researcher at Forcepoint. WebAssembly (WA or Wasm) is a new technology that shipped last year and is currently supported within all major browsers, such as Chrome, Edge, Firefox, and Safari.

The technology is a compact binary language that a browser will convert into machine code and run it directly on the CPU. Browser makers created WebAssembly to improve the speed of delivery and performance of JavaScript code, but as a side effect, they also created a way for developers to port code from other high-level languages (such as C, C++, and others) into Wasm, and then run it inside a browser. All in all, the WebAssembly standard is viewed as a success in the web dev community, and there've been praises for it all around.

Exploit kits, once a preferred choice of attackers to invade a victim's browser and find way to their computer, are increasingly diminishing in their effectiveness. If you have an updated browser, chances are it packs adequate resources to fight such attacks. Catalin Cimpanu, writing for BleepingComputer: Exploit kits (EK) have been around on the criminal underground for more than a decade and were once pretty advanced, often being a place where researchers found zero-days on a regular basis. But as browsers got more secure in recent years, exploit kits started to die out in 2016-2017. Most operators were arrested, moved to other things, and nobody developed new exploits to add to the arsenal of EK left on the market, which slowly began falling behind when it came to their effectiveness to infect new victims.

A Palo Alto Networks report published yesterday details statistics about the vulnerabilities used by current exploit kits in the first three months of the year (Q1 2018). According to the gathered data, researchers found 1,583 malicious URLs across 496 different domains, leading to landing pages (URLs) where an EK attempted to run exploits only for only a meager eight vulnerabilities. All eight were old and known bugs, with the newest dating back to 2016. Seven of the eight vulnerabilities targeted Internet Explorer, meaning that using a more modern browser like Chrome and Firefox is a simple, yet effective way of avoiding falling victim to exploit kits.

As security webcams, security cameras, and pet and baby monitors become part of our lives, their underlying technology is increasingly receiving scrutiny from researchers. Many of these devices are woefully insecure, and an attacker could -- and in some cases, has -- take over these devices to perform internet scans, among other things. BleepingComputer's Catalin Cimpanu dives into the subject: In the last nine months, two security firms have published research on the matter. Both pieces of research detail how the camera vendor lets customers use a mobile app to control their device from remote locations and view its video stream. The mobile app requires the user to enter a device ID, and a password found on the device's box or the device itself. Under the hood, the mobile app connects to the vendor's backend cloud server, and this server establishes connections to each of the user's device in turn, based on the device ID and the last IP address the device has reported from.

The developer teams from Google Home, Roku TV, and Sonos, are preparing security patches to prevent DNS rebinding attacks on their devices. From a report: Roku has already started deploying updates, while Google and Sonos are expected to deploy patches next month. DNS rebinding is not a new attack vector by any stretch of the imagination. Researchers have known about it since 2007 when it was first detailed in a Stanford research paper. The purpose of a DNS rebinding attack is to make a device bind to a malicious DNS server and then make the device access unintended domains.

The OpenBSD project announced today plans to disable support for Intel CPU hyper-threading due to security concerns regarding the theoretical threat of more "Spectre-class bugs." Bleeping Computer reports: Hyper-threading (HT) is Intel's proprietary implementation of Simultaneous Multithreading (SMT), a technology that allows processors to run parallel operations on different cores of the same multi-core CPU. The feature has been added to all Intel CPUs released since 2002 and has come enabled by default, with Intel citing its performance boost as the main reason for its inclusion.

But today, Mark Kettenis of the OpenBSD project, said the OpenBSD team was removing support for Intel HT because, by design, this technology just opens the door for more timing attacks. Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms. The OpenBSD team is now stepping in to provide a new setting to disable HT support because "many modern machines no longer provide the ability to disable hyper-threading in the BIOS setup."

An anonymous reader writes: "A hacker once considered 'the Internet's most inept criminal' received on Monday a prison sentence of 20 months in prison for launching DDoS attacks against the city of Madison, Wisconsin -- attacks which caused delays and outages to various municipality services, including its 911 emergency call center," reports Bleeping Computer. He was sentenced for this attack in particular, part of a plea deal, but his attacks span over two years.

The hacker, Randall Charles Tucker, 23, known as Bitcoin Baron, never bothered hiding his attacks, advertised them on Twitter, and used public chats and Skype to brag about his deeds. According to a timeline of events, Tucker carried out all of these hacks -- most of which were downright silly -- as a way to boost his reputation before going to jail for stabbing his father with a prison knife. The plan backfired when authorities linked him to the hacks and received another 20 months in prison on top of the original 18 months.

Catalin Cimpanu, writing for BleepingComputer: Three-quarters of malware samples uploaded to "no-distribute scanners" are never shared on "multiscanners" like VirusTotal, and hence, they remain unknown, US-based security firm Recorded Future reports, to security firms and researchers for longer periods of time. Although some antivirus products will eventually detect this malware at runtime or at one point or another later in time, this leaves a gap in terms of operational insight for security firms hunting down up-and-coming malware campaigns.

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.