Garbage in, garbage out: Why Ars ignored this week’s massive password breach

When a script kiddie sells 272 million accounts for $1, be very, very skeptical.

Earlier this week, mass panic ensued when a security firm reported the recovery of a whopping 272 million account credentials belonging to users of Gmail, Microsoft, Yahoo, and a variety of overseas services. "Big data breaches found at major email services" warned Reuters, the news service that broke the story. Within hours, other news services were running stories based on the report with headlines like "Tech experts: Change your email password now."

Since then, both Google and a Russia-based e-mail service unveiled analyses that call into question the validity of the security firm's entire report.

"More than 98% of the Google account credentials in this research turned out to be bogus," a Google representative wrote in an e-mail. "As we always do in this type of situation, we increased the level of login protection for users that may have been affected." According to the report, the compromised credential list included logins to almost 23 million Gmail accounts.

Critical Qualcomm security bug leaves many phones open to attack

Fix still isn’t available for most users, and many will probably never get it.

For the past five years, a vulnerability in many Android phones has left users' text messages, call histories, and possibly other sensitive data open to snooping, security researchers said Thursday.

The flaw, which is most severe in Android versions 4.3 and earlier, allows low-privileged apps to access sensitive data that's supposed to be off-limits, according to a blog post published by security firm FireEye. Instead of being locked away, the data is reachable by requesting permissions that millions of apps available in Google Play already ask for. FireEye researchers said the vulnerability can also be exploited by adversaries who gain physical access to an unlocked handset. Indexed as CVE-2016-2060, the bug was first introduced when mobile chipmaker Qualcomm released a set of programming interfaces for a system service known as the "network_manager" and later the "netd" daemon.

"CVE-2016-2060 has been present on devices since at least 2011 and likely affects hundreds of Android models around the world," FireEye researchers wrote. "This vulnerability allows a seemingly benign application to access sensitive user data including SMS and call history and the ability to perform potentially sensitive actions such as changing system settings or disabling the lock screen. Devices running Android 4.3 (“Jelly Bean MR2”) or older are the most affected by the vulnerability, and are likely to remain unpatched. Newer devices utilizing SEAndroid are still affected, but to a lesser extent."

Microsoft to retire support for SHA1 certificates in the next 4 months

The lock icon will be gone by summer; sites using SHA1 to be blocked come January.

Microsoft plans to retire support for TLS certificates signed using the SHA1 hashing algorithm in the next four months, an acceleration brought on by new research showing that SHA1 collisions are cheaper to produce than previously thought.

The software maker hinted at the expedited deprecation in November. Last week, it made those plans official. Sometime this summer (for those in the Northern Hemisphere, anyway) the general release versions of Microsoft's Edge and Internet Explorer browsers will stop displaying the address bar lock when visiting HTTPS sites protected by SHA1 certificates. The change will occur even sooner for upcoming Windows Insider Preview builds, which are mostly used by developers for testing purposes.

"This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program," officials in the Microsoft Edge Team wrote. "Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers."
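
Whether a server will lose its lock icon comes down to one field in each certificate of the chain: the signatureAlgorithm the issuer used. The following is an added example, not Microsoft's, Edge's or any CA's code: a minimal DER walker that reads that field straight out of a certificate and flags the SHA1 signature OIDs. The toy certificate it builds is a constructed stand-in with filler in place of a real tbsCertificate; everything else (the OID table, the DER rules) is standard X.509.

```python
# Minimal DER walker: reads the outer signatureAlgorithm of an X.509 Certificate.
# Added example; the certificate built by build_toy_certificate() is constructed, not real.

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA1"),
    "1.2.840.10040.4.3": ("dsa-with-sha1", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA256"),
}

def _read_tlv(data, offset):
    """Parse one DER tag-length-value at offset; return (tag, value_start, value_end)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    parts = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(str(p) for p in parts)

def signature_algorithm(der):
    """Return (dotted OID, name, digest) of the algorithm the issuer used to sign this certificate."""
    tag, start, _ = _read_tlv(der, 0)                # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)            # tbsCertificate: skipped entirely
    tag, alg_start, _ = _read_tlv(der, tbs_end)      # signatureAlgorithm AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    name, digest = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, digest

def uses_sha1(der):
    return signature_algorithm(der)[2] == "SHA1"

# --- constructed test certificate (DER encoders only needed to build the sample) ---

def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))

def build_toy_certificate(sig_oid, tbs_filler=200):
    """Certificate-shaped SEQUENCE with filler where tbsCertificate would be; the filler is
    large enough that the outer lengths use DER long form, as in real certificates."""
    tbs = _der(0x30, _der(0x04, b"\x00" * tbs_filler))
    alg = _der(0x30, _encode_oid(sig_oid) + b"\x05\x00")   # parameters NULL
    sig = _der(0x03, b"\x00" + b"\x00" * 64)               # BIT STRING placeholder
    return _der(0x30, tbs + alg + sig)
```

To run it against a live site, fetch the leaf with `ssl.get_server_certificate((host, 443))`, convert it with `ssl.PEM_cert_to_DER_cert()`, and pass the result to `uses_sha1()`. That only covers the leaf; the intermediates in the chain matter just as much, while the self-signature on the trusted root does not, since browsers never verify it.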

Huge number of sites imperiled by critical image-processing vulnerability [Updated]

Attack code exploiting critical ImageMagick vulnerability expected within hours.

A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images.

The vulnerability resides in ImageMagick, a widely used image-processing library with bindings for PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick to resize images uploaded by end users.

According to developer and security researcher Ryan Huber, ImageMagick suffers from a vulnerability that allows a specially crafted image file to force a Web server to execute code of an attacker's choosing. Any website that uses ImageMagick to process user-uploaded images is at risk of attacks that could completely compromise it.
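
The exposure comes from handing an untrusted upload to a library that decides for itself which decoder to run: ImageMagick picks a coder by inspecting the file's content, so a file called avatar.png can still be parsed as one of its text-based vector formats. The check below is an added example, not ImageMagick's or Huber's code: it accepts an upload only when the leading bytes match one of a short list of raster formats and that format agrees with the claimed extension. The sample inputs are constructed.

```python
# Accept only raster formats, identified by their leading bytes rather than by extension.
# Added example, not ImageMagick's code. Sample inputs below are constructed.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_ALIASES = {"jpg": "jpeg", "jpe": "jpeg"}

def sniff_image_type(data):
    """Return 'png', 'jpeg', 'gif' or None based on the first bytes only."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None

def is_acceptable_upload(filename, data):
    """True only when the claimed extension and the actual bytes agree on one allowed raster format."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = EXTENSION_ALIASES.get(ext, ext)
    kind = sniff_image_type(data)
    return kind is not None and kind == ext

# Constructed samples: the start of a PNG, and a text-based vector description (MVG, which
# ImageMagick also understands) renamed so that it looks like a PNG to an extension check.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 16
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

def demo():
    return {
        "real png": is_acceptable_upload("avatar.png", PNG_SAMPLE),
        "vector renamed .png": is_acceptable_upload("avatar.png", MVG_SAMPLE),
        "svg upload": is_acceptable_upload("avatar.svg", b"<svg xmlns=\"http://www.w3.org/2000/svg\">"),
    }
```

Magic-byte sniffing is a first gate, not a complete fix: pair it with ImageMagick's own policy.xml to disable the coders the site never needs, and run the conversion under a dedicated low-privilege account so that a successful exploit lands somewhere with little to steal.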

Aging and bloated OpenSSL is purged of 2 high-severity bugs

Padding oracles and memory corruption threats caused by use of older schemes.

Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers.

The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the Transport Layer Security (TLS) protocol. OpenSSL advisories rated the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h.

The decryption vulnerability is the result of what cryptographers call a padding oracle weakness: the server's observable response to a tampered ciphertext reveals whether the decrypted padding was valid, which lets an attacker repeatedly probe an encrypted payload for clues about the plaintext inside. According to TLS expert Filippo Valsorda, the bug allows only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends the same data repeatedly. Still, those conditions might allow an attacker who can monitor the connection to obtain authentication cookies and other small chunks of encrypted text, Valsorda wrote. The vulnerability is indexed as CVE-2016-2107.
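
What "probing for clues" means in practice is easiest to see in code. The block below is an added example, not OpenSSL's code and not the specific AES-NI code path behind CVE-2016-2107: it is the generic CBC padding-oracle attack, run against a constructed server that answers only "padding valid" or "padding invalid". The block cipher is a toy Feistel construction keyed through SHA-256 so the example needs nothing outside the standard library; the attack never looks inside it, which is the point, since a real padding oracle works the same way against AES. The key, IV and cookie are constructed.

```python
import hashlib

BLOCK = 16

# Toy 16-byte block cipher (4-round Feistel over SHA-256). A stand-in for AES so the example
# runs on the standard library only; the attack below treats it as a black box.
def _f(half, key, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(r, key, rnd))
    return l + r

def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(l, key, rnd)), l
    return l + r

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(decrypt_block(key, c), prev)
        prev = c
    return out

class PaddingOracle:
    """Constructed server whose observable behaviour differs when padding is wrong."""
    def __init__(self, key):
        self.key = key
        self.queries = 0

    def padding_ok(self, iv, ciphertext):
        self.queries += 1
        try:
            unpad(cbc_decrypt(self.key, iv, ciphertext))
            return True
        except ValueError:
            return False

def recover_block(oracle, prev_block, target_block):
    """Recover one plaintext block using only the oracle's yes/no answers."""
    inter = bytearray(BLOCK)             # decrypt_block(key, target_block), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        crafted = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # force the already-known tail to the padding value
            crafted[j] = inter[j] ^ padval
        for guess in range(256):
            crafted[pos] = guess
            if not oracle.padding_ok(bytes(crafted), target_block):
                continue
            if pos == BLOCK - 1:
                # A hit here could also be 0x02 0x02 (or longer) padding by coincidence:
                # disturb the byte before it and re-ask to confirm a lone 0x01.
                probe = bytearray(crafted)
                probe[pos - 1] ^= 0xFF
                if not oracle.padding_ok(bytes(probe), target_block):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("oracle never accepted any padding at byte %d" % pos)
    return _xor(inter, prev_block)

def demo():
    key = b"sixteen byte key"                            # constructed
    iv = b"\x00" * BLOCK                                 # constructed
    secret = b"session=abcdef0123456789ABCD; HttpOnly"   # constructed cookie the attacker wants
    ciphertext = cbc_encrypt(key, iv, pad(secret))
    oracle = PaddingOracle(key)
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b"".join(recover_block(oracle, blocks[i - 1], blocks[i])
                         for i in range(1, len(blocks)))
    return unpad(recovered), oracle.queries

if __name__ == "__main__":
    plaintext, queries = demo()
    print(plaintext, "recovered after", queries, "oracle queries")
```

Each plaintext byte costs at most 256 oracle queries, so a 16-byte block falls in a few thousand requests, which is why Valsorda's "sends it repeatedly" condition is enough: the attacker needs the same ciphertext block to show up over and over, and a browser re-sending a cookie provides exactly that.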

Samsung Smart Home flaws let hackers make keys to front door

Don’t rely on SmartThings for anything security related, researchers warn.

Computer scientists have discovered vulnerabilities in Samsung's Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung's SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren't easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper scheduled to be presented later this month at the 2016 IEEE Symposium on Security and Privacy. "The attack vectors are not specific to a particular device and are broadly applicable."

Toymaker’s website pushes ransomware that holds visitors’ files hostage

Out-of-date Web app on Maisto.com causes site to attack its visitors.

The website belonging to Maisto International, a popular maker of remote-controlled toy vehicles, has been caught pushing ransomware that holds visitors' files hostage until they pay a hefty fee.

Malicious files provided by the Angler exploit kit were hosted directly on the homepage of Maisto[.]com, according to antivirus provider Malwarebytes. The attack code exploits vulnerabilities in older versions of applications such as Adobe Flash, Oracle Java, Silverlight, and Internet Explorer. People who visit Maisto[.]com with machines that haven't received the latest updates are surreptitiously infected with the CryptXXX ransomware. Fortunately for victims in this case, researchers from Kaspersky Lab recently uncovered a weakness in the ransomware that allows users to recover their files without paying the extortion demand. People infected with ransomware in other drive-by attacks haven't been so lucky.

According to Malwarebytes Senior Security Researcher Jerome Segura, the infection on the Maisto homepage was discovered by fellow researchers at website security firm Sucuri. One of Sucuri's tools detected that the site was running an out-of-date version of the Joomla content management system, which is presumed to be how attackers were able to load the malicious payloads onto the homepage.

Hacking Slack accounts: As easy as searching GitHub

Bot tokens leaked on public sites expose firms’ most sensitive business secrets.

A surprisingly large number of developers are posting their Slack login credentials to GitHub and other public websites, a practice that in many cases allows anyone to surreptitiously eavesdrop on their conversations and download proprietary data exchanged over the chat service.

According to a blog post published Thursday, researchers at the security firm behind it recently estimated that about 1,500 access tokens were publicly available, some belonging to people who worked for Fortune 500 companies, payment providers, Internet service providers, and health care providers. The researchers privately reported their findings to Slack, and the chat service said it regularly monitors public sites for posts that publish the sensitive tokens.

Still, a current search on GitHub returned more than 7,400 pages containing "xoxp." That's the prefix of tokens that in many cases allow automated scripts to access a Slack account, even when it's protected by two-factor authentication. A separate search uncovered more than 4,100 Slack tokens with the prefix "xoxb." Not all results contained the remainder of the token that's required for logging in, but many appeared to. By including valid tokens in code that's made available to the world, developers make it possible for unscrupulous people to read the private conversations between the developers and the companies they work for and to download the files and private Web links they exchange.
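
The same prefix search that turns up leaked tokens on GitHub works as a pre-commit check on your own code. The scanner below is an added example, not Slack's or the researchers' tooling: it finds xoxp- and xoxb- shaped strings in a blob of source, reports the line and token kind, and can redact them. The page only gives the prefixes, so the pattern for the rest of the token is an assumption kept deliberately loose; the sample source it scans is constructed.

```python
import re

# Prefixes from the article: xoxp- (user tokens), xoxb- (bot tokens). The body pattern is an
# assumption (the page does not describe it); loose on purpose so that variants are not missed.
SLACK_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])(xox[pb])-[A-Za-z0-9-]{10,}")
KINDS = {"xoxp": "user token", "xoxb": "bot token"}

def find_slack_tokens(text):
    """Return (line number, kind, token) for every Slack-shaped token in a blob of source."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SLACK_TOKEN_RE.finditer(line):
            hits.append((lineno, KINDS[m.group(1)], m.group(0)))
    return hits

def redact_slack_tokens(text):
    """Keep the prefix so output stays readable, drop the secret part."""
    return SLACK_TOKEN_RE.sub(lambda m: m.group(1) + "-[REDACTED]", text)

# Constructed sample: the shape of a helper script a developer might push to a public repo.
# The token values are placeholder zeros, not real credentials.
SAMPLE_SOURCE = """\
import requests
# TODO: move this to an environment variable before pushing
SLACK_TOKEN = "xoxp-0000000000-0000000000-0000000000-00000000000000000000000000000000"
BOT_TOKEN = "xoxb-0000000000-0000000000-000000000000000000000000"
requests.post("https://slack.com/api/chat.postMessage", data={"token": SLACK_TOKEN})
"""

def demo():
    return find_slack_tokens(SAMPLE_SOURCE), redact_slack_tokens(SAMPLE_SOURCE)
```

Run `find_slack_tokens()` over staged files in a pre-commit hook and refuse the commit on any hit; once a token has reached a public repository, rewriting history is not enough, because the page's own numbers show how quickly such tokens are indexed, and the only fix is to revoke it.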

7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat

Worse still, service recommended “short, but difficult to guess passwords.”

As security breaches go, they don't get more vexing than this: 7 million compromised accounts that protected passwords using woefully weak unsalted MD5 hashes, and the outfit responsible still hadn't disclosed the hack three months after it came to light. And as if that wasn't enough, the service recommended the use of short passwords. That's what Motherboard reported Tuesday about Lifeboat, a service that provides custom, multiplayer environments to gamers who use the Minecraft mobile app.

The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past.

Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to discover them simply by pasting the corresponding MD5 hash into Google. As if many users' approach to passwords wasn't lackadaisical enough, Lifeboat's own Getting started guide recommended "short, but difficult to guess passwords" because "This is not online banking."
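
Why "unsalted" is the word that matters: without a salt, identical passwords produce identical hashes, and one MD5 computation per candidate word tests that word against all 7 million accounts at once (or, as Hunt found, against Google's index). The block below is an added example with constructed accounts and a six-word list, not data from the Lifeboat dump: it counts the hash computations an attacker needs against an unsalted table versus a salted one, and shows how a service should store passwords instead.

```python
import hashlib
import os

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def crack_unsalted(user_hashes, wordlist):
    """Unsalted: hash each candidate once and look it up against every account at the same time."""
    by_hash = {}
    for user, h in user_hashes.items():
        by_hash.setdefault(h, []).append(user)
    cracked, hashes_computed = {}, 0
    for word in wordlist:
        hashes_computed += 1
        for user in by_hash.get(md5_hex(word), []):
            cracked[user] = word
    return cracked, hashes_computed

def crack_salted(user_records, wordlist):
    """Salted: the salt differs per account, so every account costs its own wordlist pass."""
    cracked, hashes_computed = {}, 0
    for user, (salt, h) in user_records.items():
        for word in wordlist:
            hashes_computed += 1
            if md5_hex(salt + word) == h:
                cracked[user] = word
                break
    return cracked, hashes_computed

def hash_for_storage(password, iterations=100_000):
    """How a service should store a password: random per-user salt plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, record):
    salt, iterations, digest = record
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations) == digest

# Constructed data: four accounts and a six-word list. Nothing here comes from the Lifeboat dump.
WORDLIST = ["123456", "password", "minecraft", "qwerty", "letmein", "dragon"]
PASSWORDS = {"alice": "minecraft", "bob": "minecraft", "carol": "dragon",
             "dave": "correct horse battery staple"}
UNSALTED = {u: md5_hex(p) for u, p in PASSWORDS.items()}
SALTS = {"alice": "a1", "bob": "b2", "carol": "c3", "dave": "d4"}
SALTED = {u: (SALTS[u], md5_hex(SALTS[u] + p)) for u, p in PASSWORDS.items()}

def demo():
    """Returns ((cracked, work) for the unsalted table, (cracked, work) for the salted one)."""
    return crack_unsalted(UNSALTED, WORDLIST), crack_salted(SALTED, WORDLIST)
```

In the constructed table the unsalted pass recovers three of the four accounts after six hash computations, while the salted one needs eighteen for the same result; scale the wordlist to millions of words and the accounts to 7 million and the gap is the difference between one evening and never. A salt alone still leaves MD5's speed on the attacker's side, which is why `hash_for_storage()` uses an iterated KDF rather than a single fast hash.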

Businesses pay $100,000 to DDoS extortionists who never DDoS anyone

“This is not a joke,” e-mail threatening massive DDoS says. Except it is.

In less than two months, online businesses have paid more than $100,000 to scammers who set up a fake distributed denial-of-service gang that has yet to launch a single attack.

The charlatans sent businesses around the globe extortion e-mails threatening debilitating DDoS attacks unless the recipients paid as much as $23,000 in Bitcoin as protection money, according to a blog post published Monday by CloudFlare, a service that helps protect businesses from such attacks. Stealing the name of an established gang that was well known for waging such extortion rackets, the scammers called themselves the Armada Collective.

"If you don't pay by [date], attack will start, yours service going down permanently price to stop will increase to increase to 20 BTC and will go up 10 BTC for every day of the attack," the typical demand stated. "This is not a joke."
