SECURITY WARNINGS & Notices - Please post them here

[polonus]

Thank you, essex, for setting this out to us.
No reason to panic, but we must take care
and keep all hands on deck.

polonus

[Para-Noid]

A Look Back on Misleading Advertising

https://blog.malwarebytes.org/cybercrime/2016/03/a-look-back-on-misleading-advertising/?utm_source=gplus&utm_medium=social

Top Exploit Kits Round Up | March Edition

https://blog.malwarebytes.org/threat-analysis/exploits-threat-analysis/2016/03/top-exploit-kits-round-up-march-edition/?utm_source=gplus&utm_medium=social

[polonus]

Alert from my daily scanning experiences:
Loads of servers do not have this Public-Key-Pins set. Also CloudFlare has this insecurity! This we can establish from a Symantic Crypto URL Scan on the Certificate(s): 

Public-Key-Pins   HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised. Certificate is not in Google's EV whitelist.

polonus (volunteer website security analyst and website error-hunter)

[Secondmineboy]

https://twitter.com/PayloadSecurity/status/717088767396462592

https://www.hybrid-analysis.com/sample/ec08037187d4fad9476e7ee742d226f97ab2f0a7e82964e16a7716076675c350?environmentId=1

More info in Spanish: http://nyxbone.com/malware/russianRansom.html

[Pondus]

Are Exploit Kits Doomed? New F-Secure Threat Report Says Yes
https://www.f-secure.com/en/web/press_global/news/news-archive/-/journal_content/56/1075444/1551427?p_p_auth=Afyyx1oa&refererPlid=1081937

Exploits, which have become one of the most common vehicles for malware in the past decade, need out-of-date software in order to accomplish their goal of getting through security holes. But that software, Sullivan says, will be harder and harder to find. For example, with HTML 5's capability to "do it all", the need for third party browser plugins has mostly been eliminated. And today's browsers themselves are auto-updated, without the need for the user to intervene, so users always have the latest version.

[bob3160]

Are Exploit Kits Doomed? New F-Secure Threat Report Says Yes
https://www.f-secure.com/en/web/press_global/news/news-archive/-/journal_content/56/1075444/1551427?p_p_auth=Afyyx1oa&refererPlid=1081937

Exploits, which have become one of the most common vehicles for malware in the past decade, need out-of-date software in order to accomplish their goal of getting through security holes. But that software, Sullivan says, will be harder and harder to find. For example, with HTML 5's capability to "do it all", the need for third party browser plugins has mostly been eliminated. And today's browsers themselves are auto-updated, without the need for the user to intervene, so users always have the latest version.

As we can see here, auto-updates is a good thing.
Why isn't it also considered good when Avast decided to implement it with it's program "Program updates will now be set to Auto by default."

[polonus]

Firefox browser is in need of a new secure extension sandbox. Why? Read here: http://www.theregister.co.uk/2016/04/04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/

polonus

[bob3160]

Firefox browser is in need of a new secure extension sandbox. Why? Read here: http://www.theregister.co.uk/2016/04/04/top_firefox_extensions_can_hide_silent_malware_using_easy_prefab_tool/

polonus

By now, we should all have realized that the only way to be totally safe from all of the dangers of the internet,
is to totally avoid ever visiting it. Since that's impossible unless you want to become a total hermit, we simply need to accept
that using modern technology and browsing the internet also exposes us to certain dangers.
We can only learn to minimize these dangers. We can never totally avoid them with out avoiding the internet.

[Pondus]

One out of five businesses are infected by Malware through Social Media
http://www.pandasecurity.com/mediacenter/social-media/uh-oh-one-out-of-five-businesses-are-infected-by-malware-through-social-media/

[Pondus]

Internet giants join forces to reinforce email security with a new protocol
http://www.pandasecurity.com/mediacenter/security/internet-giants-join-forces-to-reinforce-the-email-with-a-new-protocol/

[bob3160]

FBI spills iPhone hacking secret to Senators
Now everyone will know.    The crooks already knew how.

[polonus]

Giorgio Maone, the developer of NoScript, in a reaction to the new extension insecurity found up for firefox extensions:
https://hackademix.net/2016/04/08/crossfud-an-analysis-of-inflated-research-and-sloppy-reporting/

It needs the eye of the experienced security researcher to smell out code with malicious intent right away.
And I can agree hearing a lot of script music will make that you could better discerns between real music and dissonants,
aka benevolent coding and code wrought by malcreants for malicious purposes.
A whitelisting of browser extensions however could be a good thing, I do not like mine to come with hidden crap like adware etc.

pol

[Pondus]

Various Malware Including Crypto Ransomware Now Used in Email Phishing Scams
http://www.trendmicro.no/vinfo/no/security/news/cybercrime-and-digital-threats/various-malware-including-crypto-ransomware-now-used-in-email-phishing-scams

[polonus]

What security admins are putting off but better should implement right away: http://www.theregister.co.uk/2016/04/08/weekend_reading_five_security_things_youre_not_doing_but_should/
Article by Darren Pauli on an advice by SANS' Johannes Ullrich.

polonus

[polonus]

End2end encryption may be on the line: http://www.theregister.co.uk/2016/04/08/draft_of_encryptionborking_bill_floated/

"For the first time in America, companies who want to provide their customers with stronger security would not have that choice – they would be required to decide how to weaken their products to make you less safe."

For one thing, it will kill end-to-end encryption.

polonus