Security Briefing – 11.21.2017
Amazon and Google have quietly patched flaws in the Echo and Google Home to protect them against BlueBorne, a set of eight Bluetooth security vulnerabilities reported by Armis Labs in September. Nobody knew Amazon and Google’s products were affected until Armis announced the following issues, which mercifully should already have been patched automatically for the Echo’s 15 million users and the Google Home’s five million users.
The FCC on Thursday unanimously passed a resolution that lets phone carriers block illegal robocalls. The new rules enable voice service providers to block certain calls before they reach our phones, the FCC said in its ruling. Specifically, providers now have the go-ahead to block calls from phone numbers on a Do-Not-Originate (DNO) list and spoofed calls, meaning calls whose Caller ID shows “invalid, unallocated, or unused numbers.”
A security expert found a way to work around Microsoft’s Address Space Layout Randomization (ASLR), which protects the OS from memory-based attacks. The weakness affects Windows 8, Windows 8.1, and Windows 10 systems with system-wide ASLR enabled via Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) or Windows Defender Exploit Guard. CERT/CC is currently unaware of a practical solution to the problem, Dormann says, but he adds a workaround for administrators in his blog post on the discovery. He advises enabling both bottom-up and mandatory ASLR system-wide on all systems running Windows 8 or later, using a certain registry value. Businesses should also use defense-in-depth strategies to protect networks, users, and data from unauthorized access, he adds.
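The briefing does not reproduce the registry value Dormann recommends, so the following is an added administrator check rather than his workaround or anything from CERT/CC: it reads the system-wide Exploit Guard defaults with the built-in Get-ProcessMitigation cmdlet and reports whether both mandatory ASLR (ForceRelocateImages) and bottom-up ASLR are on. It assumes Windows 10 1709 or later, where that cmdlet exists; the function name and its boolean return value are this example's own choices. Images not linked with /DYNAMICBASE can break under mandatory ASLR, so a result of "not enforced" is a prompt to test the setting on a pilot group, not to flip it fleet-wide.

```powershell
# Added example: report whether system-wide bottom-up and mandatory ASLR are both enabled.
# Requires Windows 10 1709+ (Get-ProcessMitigation ships with Windows Defender Exploit Guard).
function Test-SystemAslrEnforced {
    [CmdletBinding()]
    param()

    # System-wide mitigation defaults; each flag reports ON, OFF or NOTSET.
    $sys = Get-ProcessMitigation -System

    $forceRelocate = [string]$sys.Aslr.ForceRelocateImages
    $bottomUp      = [string]$sys.Aslr.BottomUp
    $highEntropy   = [string]$sys.Aslr.HighEntropy

    [pscustomobject]@{
        ForceRelocateImages = $forceRelocate
        BottomUp            = $bottomUp
        HighEntropy         = $highEntropy
        # Both flags must be ON for mandatory ASLR to actually relocate
        # images that were not linked with /DYNAMICBASE.
        Enforced            = ($forceRelocate -eq 'ON' -and $bottomUp -eq 'ON')
    }
}

# Usage: run from an elevated PowerShell session and review the output.
$state = Test-SystemAslrEnforced
$state | Format-List

if (-not $state.Enforced) {
    Write-Warning 'System-wide mandatory + bottom-up ASLR is not enforced on this host.'
    Write-Warning 'Test Set-ProcessMitigation -System -Enable ForceRelocateImages,BottomUp on a pilot group first.'
}
```

The check deliberately only reads state; enabling the mitigation is left as a separate, tested change because mandatory ASLR can break legacy applications that assume fixed load addresses.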
Organizations encounter an average of eight DDoS attack attempts per day, up from four attempts a day at the start of the year, according to a newly published Corero Network Security report that tracks DDoS trends for Q2-Q3 2017. A rise in DDoS-for-hire services and unsecured IoT devices is driving the sharp increase in the average number of daily DDoS attack attempts.
A team of researchers from several security firms has uncovered two new malware campaigns targeting Google Play Store users, one of which spreads a new version of BankBot, a persistent banking Trojan family that imitates real banking applications to steal users’ login details. BankBot is designed to display fake overlays on top of legitimate apps from major banks around the world, including Citibank, Wells Fargo, Chase, and DiBa, to steal sensitive information such as logins and credit card details.
A Vietnamese security company called Bkav claims it has successfully bypassed Face ID authentication on Apple’s flagship iPhone X using – wait for it – a mask. Before studying the claim and how Face ID works, let’s state that, if true, this would be a big technical hiccup, and not just for Apple.