Memory Safe Languages in Android 13 (Google Online Security Blog)

News, Security
Posted by Jeffrey Vander Stoep
For more than a decade, memory safety vulnerabilities have consistently represented more than 65% of vulnerabilities across products, and across the industry. On Android, we’re now seeing something different - a significant drop in memory safety vulnerabilities and an associated drop in the severity of our vulnerabilities. Looking at vulnerabilities reported in the Android security bulletin, which includes critical/high severity vulnerabilities reported through our vulnerability rewards program (VRP) and vulnerabilities reported internally, we see that the number of memory safety vulnerabilities has dropped considerably over the past few years/releases. From 2019 to 2022 the annual number of memory safety vulnerabilities dropped from 223 down to 85. This drop coincides with a shift in programming language usage away from memory unsafe languages. Android 13 is the…

U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer (Krebs on Security)

News, Security
A recent scoop by Reuters revealed that mobile apps for the U.S. Army and the Centers for Disease Control and Prevention (CDC) were integrating software that sends visitor data to a Russian company called Pushwoosh, which claims to be based in the United States. But that story omitted an important historical detail about Pushwoosh: In 2013, one of its developers admitted to authoring the Pincer Trojan, malware designed to surreptitiously intercept and forward text messages from Android mobile devices. Pushwoosh says it is a U.S. based company that provides code for software developers to profile smartphone app users based on their online activity, allowing them to send tailor-made notifications. But a recent investigation by Reuters raised questions about the company’s real location and truthfulness. The Army told Reuters it removed an app containing Pushwoosh…

Researchers Quietly Cracked Zeppelin Ransomware Keys (Krebs on Security)

News, Security
Peter is an IT manager for a technology manufacturer that got hit with a Russian ransomware strain called “Zeppelin” in May 2020. He’d been on the job less than six months, and because of the way his predecessor architected things, the company’s data backups also were encrypted by Zeppelin. After two weeks of stalling their extortionists, Peter’s bosses were ready to capitulate and pay the ransom demand. Then came the unlikely call from an FBI agent. “Don’t pay,” the agent said. “We’ve found someone who can crack the encryption.” Peter, who spoke candidly about the attack on condition of anonymity, said the FBI told him to contact a cybersecurity consulting firm in New Jersey called Unit 221B, and specifically its founder — Lance James. Zeppelin sprang onto the crimeware scene…

Disneyland Malware Team: It’s a Puny World After All (Krebs on Security)

News, Security
A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic and Ukrainian. The Disneyland Team’s Web interface, which allows them to interact with malware victims in real time to phish their login credentials using phony bank websites. The Disneyland Team uses common misspellings for top bank brands in its domains. For example, one domain the gang has used since March 2022 is ushank[.]com — which was created to phish U.S. Bank customers. But this group also usually makes use of Punycode to make their phony bank domains look more legit. The U.S. financial services firm Ameriprise uses the…

Top Zeus Botnet Suspect “Tank” Arrested in Geneva (Krebs on Security)

News, Security
Vyacheslav “Tank” Penchukov, the accused 40-year-old Ukrainian leader of a prolific cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses in the United States and Europe, has been arrested in Switzerland, according to multiple sources. Wanted Ukrainian cybercrime suspect Vyacheslav “Tank” Penchukov (right) was arrested in Geneva, Switzerland. Tank was the day-to-day manager of a cybercriminal group that stole tens of millions of dollars from small to mid-sized businesses. Penchukov was named in a 2014 indictment by the U.S. Department of Justice as a top figure in the JabberZeus Crew, a small but potent cybercriminal collective from Ukraine and Russia that attacked victim companies with a powerful, custom-made version of the Zeus banking trojan. The U.S. Federal Bureau of Investigation (FBI) declined to comment for…

Our Principles for IoT Security Labeling (Google Online Security Blog)

News, Security
Posted by Dave Kleidermacher, Eugene Liderman, and Android and Made by Google security teams
We believe that security and transparency are paramount pillars for electronic products connected to the Internet. Over the past year, we’ve been excited to see more focused activity across policymakers, industry partners, developers, and public interest advocates around raising the security and transparency bar for IoT products. That said, the details of IoT product labeling - the definition of labeling, what labeling needs to convey in terms of security and privacy, where the label should reside, and how to achieve consumer acceptance, are still open for debate. Google has also been considering these core questions for a long time. As an operating system, IoT product provider, and the maintainer of multiple large ecosystems, we see firsthand…

Lawsuit Seeks Food Benefits Stolen By Skimmers (Krebs on Security)

News, Security
A nonprofit organization is suing the state of Massachusetts on behalf of thousands of low-income families who were collectively robbed of more than $1 million in food assistance benefits by card skimming devices secretly installed at cash machines and grocery store checkout lanes across the state. Federal law bars states from replacing these benefits using federal funds, and a recent rash of skimming incidents nationwide has disproportionately affected those receiving food assistance via state-issued prepaid debit cards. The Massachusetts SNAP benefits card looks more like a library card than a payment card. On Nov. 4, The Massachusetts Law Reform Institute (MLRI) filed a class action lawsuit on behalf of low-income families whose Supplemental Nutrition and Assistance Program (SNAP) benefits were stolen from their accounts. The SNAP program serves over…

We Don't Talk to Strangers!

News
That's what my parents used to tell me when I was little (during the last ice age, that is 😁)... But I notice today that this old advice is no longer really in fashion! We (and I include myself in this collective pronoun) have given in to the sirens of convenience and "user experience" by talking to all sorts of supposedly inanimate objects. We have thus gotten into the habit of talking to our phones (Hey Siri or OK Google), to our vehicles (Hey Mercedes for the luckiest among us), to our refrigerators or our trash cans and, of course, to our smart speakers. And that is indeed a problem, because do we know what becomes of the voice samples collected this way? Are we sure that these devices comply with personal data protection rules? Who has…

Patch Tuesday, November 2022 Election Edition (Krebs on Security)

News, Security
Let’s face it: Having “2022 election” in the headline above is probably the only reason anyone might read this story today. Still, while most of us here in the United States are anxiously awaiting the results of how well we’ve patched our Democracy, it seems fitting that Microsoft Corp. today released gobs of security patches for its ubiquitous Windows operating systems. November’s patch batch includes fixes for a whopping six zero-day security vulnerabilities that miscreants and malware are already exploiting in the wild. Probably the scariest of the zero-day flaws is CVE-2022-41128, a “critical” weakness in the Windows scripting languages that could be used to foist malicious software on vulnerable users who do nothing more than browse to a hacked or malicious site that exploits the weakness. Microsoft credits Google…

LinkedIn Adds Verified Emails, Profile Creation Dates (Krebs on Security)

News, Security
Responding to a recent surge in AI-generated bot accounts, LinkedIn is rolling out new features that it hopes will help users make more informed decisions about with whom they choose to connect. Many LinkedIn profiles now display a creation date, and the company is expanding its domain validation offering, which allows users to publicly confirm that they can reply to emails at the domain of their stated current employer. LinkedIn’s new “About This Profile” section — which is visible by clicking the “More” button at the top of a profile — includes the year the account was created, the last time the profile information was updated, and an indication of how and whether an account has been verified. LinkedIn also said it is adding a warning to some LinkedIn messages…