High-severity bugs in 25 Symantec/Norton products imperil millions

If you use a Symantec or Norton product, now would be a good time to update.


Much of the product line from security firm Symantec contains a raft of vulnerabilities that expose millions of consumers, small businesses, and large organizations to self-replicating attacks that take complete control of their computers, a researcher warned Tuesday.

"These vulnerabilities are as bad as it gets," Tavis Ormandy, a researcher with Google's Project Zero, wrote in a blog post. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

The post was published shortly after Symantec issued its own advisory, which listed 17 Symantec enterprise products and eight Norton consumer and small business products being affected. Ormandy warned that the vulnerability is unusually easy to exploit, allowing the exploits to spread virally from machine to machine over a targeted network, or potentially over the Internet at large. Ormandy continued:


Meet Jigsaw, the ransomware that taunts victims and offers live support

As data-encrypting malware proliferates, new entrants search for ways to stand out.

The crypto ransomware racket is a booming business that generates lots of revenue, so it only makes sense that the scourge is growing. And with new titles entering the market on almost a weekly basis, how do the criminals behind them make their malware stand out?

In the case of Jigsaw, a ransomware package that was first spotted in April by researchers with the Bleeping Computer security site, the answer is to be as brazen and mean-spirited as possible while at the same time making the payment process as easy as possible. A case in point: Jigsaw not only threatens the permanent loss of personal data, it also holds out the fear that victims' dirty laundry will be published for all to see. And it uses a taunting tone when notifying people of their options. Witness the screenshot above from a recent version. It states:

Very bad news! I am a so-called ransomware/locker with following advanced functions: Encrypting all your data.
Collecting all logins, contacts, eMail, Passwords and Skype History .....Done!
Uploading all of it on a server .....................Done!
Sending a copy of those Datas to ALL of your contacts..............Pending

The doxing threat, which was added last week, is pure evil genius because it gives victims a strong incentive to pay the ransom even when the purloined data is available on a backup drive.


Large botnet of CCTV devices knocks the snot out of jewelry website

Welcome to the Internet of things, where security is lax or altogether nonexistent.

Researchers have encountered a denial-of-service botnet that's made up of more than 25,000 Internet-connected closed circuit TV devices.

The researchers with security firm Sucuri came across the malicious network while defending a small brick-and-mortar jewelry shop against a distributed denial-of-service attack. The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second.

The DDoS attack continued for days, causing the Sucuri researchers to become curious about the origins of the attack. They soon discovered the individual devices carrying out the attack were CCTV boxes that were connected to more than 25,500 different IP addresses. The IP addresses were located in no fewer than 105 countries around the world.


New and improved CryptXXX ransomware rakes in $45,000 in 3 weeks

Latest version fixes crypto flaws that allowed victims to recover data for free.

A screenshot from the latest version of CryptXXX (credit: SentinelOne)

Whoever said crime doesn't pay didn't know about the booming ransomware market. A case in point is the latest version of the scourge known as CryptXXX, which raked in more than $45,000 in less than three weeks.

Over the past few months, CryptXXX developers have gone back and forth with security researchers. The whitehats from Kaspersky Lab provided a free tool that allowed victims to decrypt their precious data without paying the ransom, which typically reaches $500 or more. Then, CryptXXX developers would tweak their code to defeat the get-out-of-jail decryptor. The researchers would regain the upper hand by exploiting another weakness and so on.

Earlier this month, the developers released a new CryptXXX variant that to date still has no decryptor available. Between June 4 and June 21, according to a blog post published Monday by security firm SentinelOne, the Bitcoin address associated with the new version had received 70 bitcoins, which at current prices is valued at around $45,228. The figure doesn't include revenue generated from previous campaigns.


800-pound Comodo tries to trademark upstart rival’s “Let’s Encrypt” name

Comodo suggests its business model was stolen by Let’s Encrypt.


Comodo, the world's biggest issuer of browser-trusted digital certificates for websites, has come under fire for registering trademarks containing the words "let's encrypt," a phrase that just happens to be the name of a nonprofit project that provides certificates for free.

In a blog post, a Let's Encrypt senior official said Comodo has filed applications with the US Patent and Trademark Office for at least three such trademarks, including "Let's Encrypt," "Let's Encrypt with Comodo," and "Comodo Let's Encrypt." Over the past few months, the nonprofit has repeatedly asked Comodo to abandon the applications, and Comodo has declined. Let's Encrypt, which is the public face of the Internet Security Research Group, said it has been using the name since November 2014.

"We’ve forged relationships with millions of websites and users under the name Let’s Encrypt, furthering our mission to make encryption free, easy, and accessible to everyone," Josh Aas, ISRG executive director, wrote. "We’ve also worked hard to build our unique identity within the community and to make that identity a reliable indicator of quality. We take it very seriously when we see the potential for our users to be confused, or worse, the potential for a third party to damage the trust our users have placed in us by intentionally creating such confusion."


“Godless” apps, some found in Google Play, root 90% of Android phones

Malware family packages a large number of exploits that give all-powerful root access.


Researchers have detected a family of malicious apps, some that were available in Google Play, that contain malicious code capable of secretly rooting an estimated 90 percent of all Android phones.

In a recently published blog post, antivirus provider Trend Micro said that Godless, as the malware family has been dubbed, contains a collection of rooting exploits that work against virtually any device running Android 5.1 or earlier. That accounts for an estimated 90 percent of all Android devices. Members of the family have been found in a variety of app stores, including Google Play, and have been installed on more than 850,000 devices worldwide. Godless has struck hardest at users in India, Indonesia, and Thailand, but so far less than 2 percent of those infected are in the US.

Once an app with the malicious code is installed, it has the ability to pull from a vast repository of exploits to root the particular device it's running on. In that respect, the app functions something like the many available exploit kits that cause hacked websites to identify specific vulnerabilities in individual visitors' browsers and serve drive-by exploits. Trend Micro Mobile Threats Analyst Veo Zhang wrote:


Firm pays $950,000 penalty for using Wi-Fi signals to secretly track phone users

InMobi ad network, which reaches more than 1 billion devices, settles FTC charges.


A mobile advertising company that tracked the locations of hundreds of millions of consumers without consent has agreed to pay $950,000 in civil penalties and implement a privacy program to settle charges that it violated federal law.

The US Federal Trade Commission alleged in a complaint filed Wednesday that Singapore-based InMobi undermined phone users' ability to make informed decisions about the collection of their location information. While InMobi claimed that its software collected geographical whereabouts only when end users provided opt-in consent, the software in fact used nearby Wi-Fi signals to infer locations when permission wasn't given, FTC officials alleged. InMobi then archived the location information and used it to push targeted advertisements to individual phone users.

Specifically, the FTC alleged, InMobi collected nearby basic service set identification addresses, which act as unique serial numbers for wireless access points. The company, which thousands of Android and iOS app makers use to deliver ads to end users, then fed each BSSID into a "geocorder" database to infer the phone user's latitude and longitude, even when an end user hadn't provided permission for location to be tracked through the phone's dedicated location feature.


Bitcoin rival Ethereum fights for its survival after $50 million heist

Crypto anarchists’ dream of decentralized currency faces nightmare scenarios.


Imagine a $50 million diamond heist that isn't investigated by any police body, and more than four days later, the broken vault that made the whole thing possible remains unfixed and suffers follow-on attacks by a group of marauding copycats. In essence, that's what's happening to an elite group of investors holding Bitcoin rival Ethereum, and the events threaten the very survival of the fledgling cryptocurrency.

The ransacked jeweler in this parable is The DAO, a crowdfunded investment fund that relies on highly specialized computer code and Ethereum to automatically execute investment decisions made by its members. On Friday, thieves exploited a software bug that allowed them to transfer more than 3.6 million "ether"—the base unit of the Ethereum currency—out of The DAO's coffers. The digital loot made up more than a third of The DAO's 11.5 million ether endowment. The seized booty is valued at anywhere from $45 million (based on the plummeting value of ether following the attack) to as high as $77 million (based on pre-attack exchange rates).

In the days following the theft, there have been at least a half-dozen copycat attacks (for instance, as documented here and here) that combined have purloined more than 785 ether. While the smaller attacks don't pose the same devastating blow, they underscore a problem that's vexingly hard to fix. As long as the flaw remains active, The DAO and the Ethereum currency are at risk of additional attacks that could further sink its viability. (Note: as this story was close to going live, there were indications that at least some of the follow-on attacks were being carried out by whitehat hackers who in essence are attempting to save Ethereum from itself.)


“Guccifer” leak of DNC Trump research has a Russian’s fingerprints on it

Evidence left behind shows leaker spoke Russian and had affinity for Soviet era.


We still don't know who he is or whether he works for the Russian government, but one thing is for sure: Guccifer 2.0—the nom de guerre of the person claiming he hacked the Democratic National Committee and published hundreds of pages that appeared to prove it—left behind fingerprints implicating a Russian-speaking person with a nostalgia for the country's lost Soviet era.

Exhibit A in the case is this document created and later edited in the ubiquitous Microsoft Word format. Metadata left inside the file shows it was last edited by someone using the computer name "Феликс Эдмундович." That means the computer was configured to use the Russian language and that it was connected to a Russian-language keyboard. More intriguing still, "Феликс Эдмундович" is the colloquial name that translates to Felix Dzerzhinsky, the 19th Century Russian statesman who is best known for founding the Soviet secret police. (The metadata also shows that the purported DNC strategy memo was originally created by someone named Warren Flood, which happens to be the name of a LinkedIn user claiming to provide strategy and data analytics services to Democratic candidates.)


Lone wolf claims responsibility for DNC hack, dumps purported Trump smear file

“Guccifer 2.0” publishes hundreds of pages of purported DNC docs.

In an intriguing follow-up to Tuesday's report that Russian hackers gained access to Democratic National Committee servers, an anonymous blogger has claimed he alone was responsible for the breach and backed up the claim by publishing what purport to be authentic DNC documents taken during the online heist.

In a blog post published Wednesday, someone with the handle Guccifer 2.0 published hundreds of pages of documents that the author claimed were taken during a lone-wolf hack of the DNC servers. One 231-page document purports to be opposition research into Donald Trump, the presumptive Republican nominee. Other files purport to be spreadsheets that included the names and dollar amounts of large DNC donors. Yet another document purportedly came from the computer of presumptive Democratic nominee Hillary Clinton while she was secretary of state.

"Worldwide known cyber security company CrowdStrike announced that the Democratic National Committee (DNC) servers had been hacked by 'sophisticated hacker groups," Wednesday's blog post stated. "I’m very pleased the company appreciated my skills so highly))) But in fact, it was easy, very easy."
