SECURITY WARNINGS & Notices - Please post them here

[Dwarden]

SHA1 is dead now https://shattered.it/
https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

[ehmen]

Protect yourself from "whaling" scams and "clickjacking" attacks
http://www.thewindowsclub.com/what-are-whaling-scams
http://www.thewindowsclub.com/clickjacking-attacks-prevention

[Dwarden]

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
4.3 milion webs could be affected by random information leakage, time to change passwords and setup 2FA everywhere
https://github.com/pirate/sites-using-cloudflare

[polonus]

Hi Dwarden,

When will they finally admit the general infrastructure of bulk hosters as a rule is insecure by design.

We all and specially here on the old continent have been very naive to think our data were securely dealt with,
and could not leak to the highest bidders. To admit this pnewed holed status is one thing,
to do something about it is another.

One fails to meet standards anywhere. Small example when  that biggest name in ketchup (name starts with H.)could not meet up with the rabbinical prescribed amout of genuine tomato extract in their ketchup product for Jerusalem so it would loose the name ketchup for the product,  is a shame. Despite of that they still go around with tinker bells in Schul'.

In the meantime you can check on what websites you leaked private data here: http://www.doesitusecloudflare.com/

As a volunteer website security analyst here and website error-hunter I see the insecurity of the general infrastructure almost every day.
When are they gonna tackle the problems or are there some "vested interests"that would rather not see that day.

Damian

[polonus]

What many European website owners did now or will do as i assume?
I guess a lot of American websites follow their example.

Lots of websites in Europe did or will do the following.
Research the impact for their websites.
Research suspicious logins for accounts on their site, none detected probably.
CloudFlare reverse proxy functionality de-installed.
All password reset tokens been reset.
All existing (https-)sessions have been reset.
All passwords of accounts were reset.
Password reset-link to website, mailed to users.
Migrationplan started to halt the use of CloudFlare completely.

Bye, bye CloudFlare! Extra bonus, tor-users do not have to fill out captcha's all the time.
When you went here earlier, you could have known: http://www.crimeflare.com/

When you have lost "trust", you have a gigantic problem how to gain it back again.

Damian

[Pondus]

Beware of this new Chrome “font wasn’t found” hack!
https://neosmart.net/blog/2017/beware-of-this-new-chrome-font-wasnt-found-hack/

https://www.virustotal.com/en/file/7e62a5ca20cfb5da90fe7402f413321c9ede7e230e8b4fa2f1a4e516e8ae8e34/analysis/

[Asyn]

Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0037

[Be Secure]

Database Ransomware Attackers Migrate to MySQL
https://www.infosecurity-magazine.com/news/database-ransomware-attackers/

[polonus]

Gigantic data-breach in cloudbleed with CloudPets: https://twitter.com/troyhunt/status/836320506127101953
& https://motherboard.vice.com/en_us/article/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings

Your iAAs is as secure as the connection it takes.

When you do no longer play with your kids and communicate through an insecure app, you are in for such a fiasco.

Hold the CEO of that firm liable and fine them into banktrupcy, that should set an end to it and also warn others to pay more attention where security is concerned.

polonus

[Be Secure]

The latest ransomware threat: Doxware
http://www.networkworld.com/article/3174678/security/the-latest-ransomware-threat-doxware.html

[Pondus]

Is your Teddy Bear hacked    

https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

[Be Secure]

Dridex’s Cold War: Enter AtomBombing
The Dridex malware project continues to evolve, and 2017 is likely to be another year of change for this Trojan.
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/

[polonus]

Open bug at Bluecoat has not been patched within one and a half year's time and now prevents Google from a TLS-update: https://bugs.chromium.org/p/chromium/issues/detail?id=694593

Sounds like a flagellant's race, one step forward and two steps back. A shame really obstructing a more secure infrastructure.

As rumours have it and the same Bluecoat bug existed inside TLS 1.2 Bluecoat left the bug there for nine years. In digital time that is almost a century and could be qualified as persistent hole.

polonus

[polonus]

Did you also experienced this on Febr. 24th last? We, the wife and I, experienced it on our Google Android accounts, but failed to get an explanation why it happened. Read about it here: https://www.theregister.co.uk/2017/03/01/google_still_silent_on_mass_logout/

The disappeared explanation by Google's:

Google posted and then deleted a message related to the deauthentication event on its Cloud Status Dashboard.

The disappeared message, cited in various online posts on the topic, reportedly said, "To summarize; [sic] some long-lived OAuth tokens have inadvertently been invalidated."

That makes sense: token invalidation would require anyone using a Google Account-related service to login again. It also may explain the wording some people saw when asked by Google to log back in: that a change had been made to their account, although no such change was visible in the security section of their account settings.

That said, the disappearance of the dashboard post is puzzling.

Anyone to speculate what it just was that Google had to hide from us all here?
What CloudPets more now will come out of the Google hat? 
Failing infrastructure all around, all hands on deck, friends!

polonus (volunteer website security analyst and website error-hunter)

[Pondus]

Yahoo says about 32 million accounts accessed using 'forged cookies'
http://www.reuters.com/article/us-yahoo-databreach-idUSKBN1685UY