This week’s security briefing, Vulnerability Lab security researcher Benjamin Kunz Mejri revealed in the zero-day vulnerability in a public security disclosure, saying the Stack Buffer Overflow flaw, CVE-2017-9948, impacts Skype versions 7.2, 7.35, and 7.36. Granted a CVSS score of 7.2, the stack buffer overflow flaw is considered dangerous as it permits attackers to remotely crash the application with an unexpected exception error, to overwrite the active process registers, and to execute malicious code. Vulnerability Lab first notified Microsoft of the bug on 16 May. After Microsoft’s team acknowledged the problem and developed a fix, a patch was deployed on 8 June, leading to public disclosure on 26 June.

Google has announced that Gmail is going to stop reading your emails. From “later this year” its consumer email product will no longer target ads based on what you read and write. The ads aren’t going anywhere, they’re just going to rely on your user settings instead.

Hackers used a “brute-force attack” against the UK Parliament’s email system over the weekend, apparently gaining access to 90 accounts used by Parliamentary workers and members. Rob Greig, director of the Parliamentary Digital Service, described the attack as “sustained and determined.” Security services blocked network access to anyone outside Westminster, leaving all 650 MPs and their staff unable to access email until the next morning.

A couple of weeks ago we reported that Microsoft was trumpeting it’s new operating system, Windows 10 S, with the slogan “No known ransomware works against Windows 10 S”. Can you guess what comes in malicious Word macros these days?

The FBI has published its Internet Crime Report 2016 based on information received by the Internet Crime Complaint Center (IC3). It shows that 298,728 complaints were received by the IC3 during 2016 (up from 288,012 in 2015); and that reported losses to internet crime totaled more than $1.45 billion (up from $1.07 billion in 2015).

A wave of “computational propaganda,” largely driven by Russia, is impacting politics around the world by spreading misinformation designed to manipulate public opinion, researchers said Tuesday.

Cybercriminals managed to steal payment card data from nearly 40 Shoney’s restaurants after planting malware on their point-of-sale (PoS) systems. The malware is believed to have stolen data between September 29 and December 29, 2016. However, the company only received confirmation that the threat had been neutralized in February and March. Affected properties are investigated at this time.

Last week, Canada’s Mounties admitted for the first time that just like US police, they use stingrays.  Stingrays are suitcase-sized cell site simulators. This means that they mimic a cell tower and trick nearby phones (as in everybody’s phones, not just crooks’). It tricks them into connecting and giving up their identifying information and location.

Spammers are spreading Java-based remote access Trojans, known as jRATs, targeting tax filers with attachments named “IRS Updates.jar” and “Important_PDF.jar”. If executed, they give attackers access to compromised endpoints. Zscaler, which is tracking the jRATs, believes some of the campaigns could be related to the Loki Trojan,. This trojan was part of the attacks on android phones last month.

Hours after what was thought to be a damaging release of NSA hacking tools for Windows systems, Microsoft quelled some anxiety with a late-night statement on Friday. They said that most of the vulnerabilities disclosed by the ShadowBrokers had already been patched. This was the March security rollup.

A Tennessee man last Friday pleaded guilty to illegally hacking into his former employer’s computer networks. This went on for nearly a two-year period. In addition he pleaded to pilfering proprietary business information worth roughly $425,000, according to an announcement Friday by the Department of Justice. The man also started a new engineering firm and accessed his old employer’s network to get budgets and engineering diagrams. Not nice!

Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports. Also, over the past several months, Cerber’s operators used a broad range of available distribution methods, ranging from exploit kits to the recently patched Apache Struts 2 vulnerability.

The author of a new piece of ransomware is selling their creation on underground forums as source code, Forcepoint security researchers have discovered. The ransomware is provided as a C++ source code. This is also paired with the necessary PHP web server scripts and a payment panel. According to Forcepoint, the malware emerged on several Tor-based sites some two weeks ago. The malware is about 0.35 Bitcoin (around $400) but negotiable.

Vulnerabilities found by researchers in Bosch’s Drivelog Connect product can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus. The vendor has implemented some fixes and is working on adding more attack protections. Drivelog Connect provides info about a vehicle via a USB Bluetooth dongle. The flaw in the software allows the hackers to remotely turn off the car within range.

Finally, while expected for some time, Microsoft this week ended support for its Windows Vista operating systems. The change entered into effect on April 11. This is the very same day Microsoft began rolling out Windows 10 Creators Update to its users. RIP.

There are roughly 25 sensors in a modern smartphone that measure anything from ambient light, magnetization, acceleration, proximity, thermometers, and air humidity, to name a few. Newcastle University theorized that these sensors used to record device orientation could be used to figure out specific touch actions, namely PIN’s. Finally, They setup a test to train a neural network to guess PIN’s based on this data and by the 5th attempt the network was 100% correct.

iOS test messages with ‘preview’ – think Amazon shipment text messages – can actually house malware, as a bizarre case in Mexico notes. Advocates of Mexico’s ‘soda tax’ were receiving strange text messages.  Things like funeral notifications, photo evidence of an affair, family members in horrific car accidents – all with the ‘preview’ in iOS messaging. Clicking that infected the device with spyware.

A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn. The loader was discovered in early December 2016 and has more than 650 unique samples of malware in it. This office loader comes in the form of email attachments, as always.

Researchers at the Georgia Institute of Technology have demonstrated the potential impact of ransomware on industrial control systems (ICS) by simulating an attack aimed at a water treatment plant. The attack simulation shows how an attacker with access to the PLCs can close valves, display false information to the operator, and increase the amount of chlorine added to the water.

The U.S. Border Patrol has forced a US citizen and NASA employee to unlock his NASA-owned company phone to re-enter the country. He left when Obama was in office and returned January 30th, when Trump was in office. The Jet Propulsion Lab at NASA wasn’t really thrilled about this, since the phone contained sensitive data. What a time to be alive.

Linux-based malware explicitly targeting the internet-of-things devices was on the rise in 2016 and has seen a spike in Q4 16/Q1 17 so far, according to Sophos. Large blocks of IP’s are being scanned and brute-forced via SSH at an alarming rate. Change the default passwords of your devices!

Here is a nice rundown of the group that ultimately helped the democrats lose the US election: Fancy Bear. So much for being covert.

Threat intelligence firm ThreatConnect announced this week the launch of a new suite of products designed to help organizations understand adversaries, automate their security operations, and accelerate threat mitigation. In addition, TC Complete, the company’s flagship product, is a security operations and analytics platform. It aims to enable companies to efficiently run their security operation center (SOC) by giving them the ability to orchestrate security processes, analyze data, respond to threats, and report progress from a single location.

Finally, Hewlett Packard Enterprise (HPE) announced on Tuesday the launch of a new threat investigation solution, ArcSight Investigate, and a new SecureData product for IoT and big data. ArcSight Investigate can be integrated with Hadoop and other ArcSight products, including Data Platform (ADP) and Enterprise Security Manager (ESM).

Efforts increasing on the dark web to secure itself as marketplace owner’s start bug bounty program. Rewards of up to 10 bitcoin ($10,224) for discovering and reporting a bug that could threaten the marketplace’s integrity, such as revealing the IP addresses or personal information of vendors or users. Non-critical bugs or vulnerabilities could earn a reward of 1BTC, while simple bugs are worth 0.5BTC.

British multinational hotel company InterContinental Hotels Group (IHG) confirmed on Friday that systems processing payments for some of its properties in the Americas region have been breached by cybercriminals, particularly ones operating under the Holiday Inn and Holiday Inn Express brands. A list of impacted hotels can be found here.

The critical vulnerability disclosed last week by WordPress developers has already been exploited to hack thousands of websites, security firm Sucuri warned on Monday. The security hole allows an attacker to modify the content of any post or page on a targeted site. It is a patched flaw as of 1/26, but most people don’t update their wordpress sites to the latest versions (4.7.2). UPDATE THINGS.

<technical> 76 iOS applications allow man-in-the-middle exploits to hijack data via silent interception of (normally) TLS-protected data while in use. A list of applications can be found here.

Kelihos, the malware behind one of the longest standing botnets out there, was recently observed spreading via infected thumb drives, researchers have discovered. Basic tricking the user into thinking a password has been compromised, infection happens, and then the malware is written to removable devices with an auto-run script. Kelihos is one of the largest spam-as-a-service botnets in the world.

The European Union Agency for Network and Information Security (ENISA) publishes “Communication Network Dependencies for ICS-SCADA Systems” report for critical infrastructure protection. (PDF, 80 pages) The report concentrates on two of the primary causes of security concern: network segmentation and communication between the segments; and the wider issue of communications with the outside world that often uses the Internet.

Did you know you can buy tax data and W-2’s on the dark web? Of course you did! You can get anything there! With Tax season in full swing, scammers and hackers (mostly scammers) are out in full force trying to steal data to sell in outlets like this. Remember, everything is worth something to someone.

US border agents are asking travelers to hand over their phones and access to their online accounts – be it Facebook, bank accounts, text messages and/or photos – according to a Houston immigration lawyer. This is based on the recent freeze of allowing non-green card holding immigrants back into the United States by President Trump.

A recently detected spam campaign uses phony bank transfer emails to distribute a piece of malware that can steal information stored in browsers, log keystrokes and steal Bitcoin from crypto-currency wallets. All spam messages include an attachment with the word ‘swift’ in it: swift copy_pdf.ace, swift copy.zip, swift_copy.pdf.gz, etc. The interesting thing is that the crypto-currency stealer targets at least 24 variations of cryptocurrency, not just Bitcoins.

If you’re ever asked to login to your Netflix account via email, you shouldn’t do that. It’s a popular target based on the subscriber base of 93 million users. A new piece of malware is being distributed via a Netflix login generator (sign up to get a free Netflix subscription or login to your account). Ransom is $100 worth of bitcoins to decrypt contents of c:\users on Windows 7 and 10 machines.

Upper level NATO members were targeted by a very elaborate hack; a RTF document that has no malicious code in it, but once opened, activates Flash and OLE objects that do various things. Interestingly, the person or group behind this realized that researchers were investigating this hack and changed the payload to distribute junk data. These advanced techniques are typically seen by the Russians.

A hotel in Austria has been repeatedly targeted for Ransomware on an interesting computer; the one that controls the electronic key cards. Once the ransomware is on the infected computer, the key card system is unable to issue any more cards and the cards issued will no longer work. Hackers demanded $1,600 in bitcoins and- out of options- the hotel management paid it.

The European Union has a law that requires those doing business in the EU to securely collect, store, and use personal information by 2018 (General Data Protection Regulation). Recent studies have shown that a scary number of EU businesses are nowhere near ready for this, which could lead to legal implications. The process for complying with the GDPR is fairly involved, requiring documentation and processes in addition to security compliance.

iOS Onion Browser, a browser which encrypts and sends traffic through the TOR network, is now free. The developer said that he believes that now more than ever it is more important to exercise free speech, digital security, and privacy rights by using this TOR network.

App stores in China must register with the state from Monday, a government statement said, as China tightens its control over the internet. Allegedly, App stores are “not strict” when they examine and approve apps, the China Cyberspace Administration, the country’s internet watchdog, said in a statement.

A researcher has disclosed a couple of unpatched vulnerabilities affecting the official McDonald’s website after the company ignored his attempts to responsibly report the issues. According to the researcher, the McDonald’s website decrypts the password client side using a cookie that is valid for an entire year. Since the same key and initialization vector are used for every customer, it’s easy to obtain a password in plain text. The important thing to remember is when you are registering for the McDonald’s Monopoly (or any other fast food/casual concept), use a fundamentally different password to all your others.

In a technical document, Google has released its infrastructure security design overview that protects its data centers that house both its existing services and its growing Google Cloud Platform (GCP). While many organizations are traditionally wary about giving out such information for fear of giving attackers an advantage, Google is not. There are two reasons — the first is to show potential GCP customers the extent of its data center security; while the second is that Google is confident in that security.

Adobe and Microsoft on Tuesday each released security updates for software installed on hundreds of millions of devices. Adobe issued an update for Flash Player and for Acrobat/Reader. Microsoft released just four updates to plug some 15 security holes in Windows and related software. This includes updates for Window’s, Office, and MS Edge.

Mentioned previously in security briefs, the MongoDB platform that tens of thousands of people used to store databases online had some gaping security holes. It appears they have all been compromised, wiped, and replaced with ransom notes demanding payment. In addition, it appears that none of the victims that have paid the ransom have actually received their databases back. MongoDB, by default, allows anyone read/write/modify/delete access. Not super secure.

A 21-year-old from Great Falls, Virginia, has admitted developing a piece of malware used by cybercriminals to infect thousands of computers, the U.S. Department of Justice announced last week. Zach Shames developed and sold a keylogger to more than 3,000 people who then used it to infect over 16,000 machines. He faces up to 10 years in prison.

Cybercriminals have been using specially crafted URLs to trick even tech-savvy people into entering their Gmail credentials on a phishing website. Once an account has been compromised, the attackers immediately access it and start targeting the victim’s contacts. This works through PDF’s that can be ‘previewed’ in Gmail, but it’s an embedded phishing page. The instant access part is the terrifying part.