{"id":9683,"date":"2015-08-31T10:50:09","date_gmt":"2015-08-31T14:50:09","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=9683"},"modified":"2019-11-15T07:02:21","modified_gmt":"2019-11-15T12:02:21","slug":"security-week-35","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/security-week-35\/9683\/","title":{"rendered":"Security Week 35: Nothing personal, just business"},"content":{"rendered":"<p>The industry of infosec news (if there is one, after all), while not that similar to the cry-wolf, Vanity Fair type of media, is constantly agitated and always looking for the scoop. For instance, one of the most popular pieces of news on Threatpost last year was quite a mediocre one, covering <a href=\"https:\/\/threatpost.com\/png-image-metadata-leading-to-iframe-injections\/104047\" target=\"_blank\" rel=\"noopener nofollow\">the PNG vulnerability<\/a>. It wasn\u2019t even a vulnerability as such, just a method of hiding malicious code in the image\u2019s metadata. Why did that happen? Someone (not us, obviously!) decided to announce the flaw as \u2018You can infect your PC by looking at cat pics!!111\u2019.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024247\/security-week-35-burn.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-9686\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024247\/security-week-35-burn.jpg\" alt=\"Infosec digest: exploit kit Neutrino in WordPress, yet another GitHub DDoS, Wyndham responsible for breach, while Target is not\" width=\"1280\" height=\"1050\"><\/a><\/p>\n<p>Of course, once some supermassive hole allowing culprits to infect millions of machines is discovered, I\u2019d be happy to write about it, but those are nowhere to be seen. 
Many years have passed since <a href=\"https:\/\/securelist.com\/blog\/29902\/benny-ratter-questioned\/\" target=\"_blank\" rel=\"noopener\">Slammer<\/a>: that sneaky little malware was able to infect a Windows XP PC in just 30 minutes and needed only an Internet connection.<\/p>\n<p>As for current software, it is not such an easy target (yet). But what if something dreadful happened? Something that would leave everyone awed and heartbroken, thinking about next-level PC\/phone\/fridge security, while every device or appliance turned into a useless piece of plastic\/metal\/whatever at some evil maniac\u2019s will. The world is on fire! Mamma mia! Porca Madonna! Thrown back to the Stone Age, with only pen and paper to store and share information!<\/p>\n<p>Er. Epic fails in information security are plausible \u2014 take all those IoT things, for example \u2014 but they are unlikely to happen. While we are waiting for some big kaboom, we might overlook some serious but down-to-Earth flaws, through which someone effectively wins and someone effectively loses. They are nothing but outstanding vulnerabilities \u2014 business as usual.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>#Security Week 35: vulns in @Wordpress, @GitHub #DDoS, @Wyndham responsible for #breach, while @Target is not<\/p><\/blockquote>\n<p>In today\u2019s digest of information security news, we will cover three cases of routine vulnerabilities which are massively and effectively exploited. Once again, the rules of the road: every week Threatpost\u2019s team handpicks three important news stories, on which I comment relentlessly. 
All previously aired episodes can be found <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/security-week\/\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/p>\n<h3>Hacked WordPress websites are used to deliver the Neutrino exploit pack<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/wordpress-compromises-behind-spike-in-neutrino-ek-traffic\/114380\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. <a href=\"http:\/\/research.zscaler.com\/2015\/08\/neutrino-campaign-leveraging-wordpress.html\" target=\"_blank\" rel=\"noopener nofollow\">ZScaler<\/a> research.<\/p>\n<p>This story should be divided into two parts. The first part is about the thousands of blogs and websites built on the WordPress engine, which is highly vulnerable. The second part covers the methods hackers use to exploit these vulnerabilities, the malware they use to infect users\u2019 PCs and, ultimately, the way they extract money from their hacking scheme.<\/p>\n<p>Now, WordPress. It\u2019s like a web-based Windows: a very popular web engine with an extensive plug-in system, which, by design, enjoys a high level of attention from cybercriminals. 
Just look at this year\u2019s news coverage (and that\u2019s not all!):<\/p>\n<ul>\n<li>A zero-day vulnerability, <a href=\"https:\/\/threatpost.com\/following-exploits-zero-day-in-wordpress-plugin-fancybox-patched\/110882\" target=\"_blank\" rel=\"noopener nofollow\">in a plug-in<\/a>.<\/li>\n<li>A flaw in the (not really) random number generator, <a href=\"https:\/\/threatpost.com\/lack-of-csprng-threatens-wordpress-sites\/111016\" target=\"_blank\" rel=\"noopener nofollow\">which theoretically allows an attacker to figure out the token used during the password change procedure<\/a>.<\/li>\n<li>An <a href=\"https:\/\/threatpost.com\/more-than-1-million-wordpress-sites-open-to-sql-injection-attacks\/111267\" target=\"_blank\" rel=\"noopener nofollow\">SQL injection, in a plug-in<\/a>.<\/li>\n<li>Again, an <a href=\"https:\/\/threatpost.com\/sql-injection-bug-fixed-in-popular-wordpress-seo-plug-in\/111601\" target=\"_blank\" rel=\"noopener nofollow\">SQL injection<\/a>, in a plug-in.<\/li>\n<li>An <a href=\"https:\/\/threatpost.com\/peristent-xss-vulnerability-plagues-wordpress-plugin\/112057\" target=\"_blank\" rel=\"noopener nofollow\">XSS vuln<\/a>, in a plug-in.<\/li>\n<li>A <a href=\"https:\/\/threatpost.com\/wordpress-patches-zero-day-vulnerability\/112455\" target=\"_blank\" rel=\"noopener nofollow\">zero-day in WordPress itself<\/a>, JavaScript injection via comments. 
The patch is available in v 4.2.1.<\/li>\n<li>Vulnerabilities in <a href=\"https:\/\/threatpost.com\/vulnerabilities-identified-in-two-wordpress-plugins\/112676\" target=\"_blank\" rel=\"noopener nofollow\">two plug-ins<\/a>.<\/li>\n<li>An <a href=\"https:\/\/threatpost.com\/peristent-xss-vulnerability-plagues-wordpress-plugin\/112057\" target=\"_blank\" rel=\"noopener nofollow\">XSS vuln<\/a> in WordPress itself, patched in v 4.2.3.<\/li>\n<li>Vulns in <a href=\"https:\/\/threatpost.com\/vulnerabilities-identified-in-several-wordpress-plugins\/114255\" target=\"_blank\" rel=\"noopener nofollow\">three plug-ins<\/a>.<\/li>\n<\/ul>\n<p>That\u2019s the picture. Zscaler researchers spotted a massive breach of exposed WordPress websites (v 4.2 and lower). V 4.2, by the way, was <a href=\"https:\/\/wordpress.org\/news\/2015\/04\/powell\/\" target=\"_blank\" rel=\"noopener nofollow\">launched<\/a> as recently as April this year, which makes one wonder how bad things are for those who have not updated their sites for a year or more. After hacking the websites, the culprits inject an iframe, then set up the Neutrino exploit pack, and then infect PCs with malware. By now, there are over 2,500 affected websites, which is not much compared to the entire Internet, yet is enough to make the lives of tens of thousands of users miserable.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">What are exploits and why are they so scary? 
<a href=\"https:\/\/t.co\/tulx05JN0q\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/tulx05JN0q<\/a> <a href=\"http:\/\/t.co\/Z5A4itfh7E\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/Z5A4itfh7E<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/627151591624306689?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">July 31, 2015<\/a><\/p><\/blockquote>\n<p>Going further, the exploit pack uses a bug in Adobe Flash <a href=\"https:\/\/threatpost.com\/apt-group-exploiting-hacking-team-flash-zero-day\/\" target=\"_blank\" rel=\"noopener nofollow\">which leaked<\/a> as part of the notorious breach of <a href=\"https:\/\/threatpost.com\/hackers-release-hacking-team-internal-documents-after-breach\/113612\" target=\"_blank\" rel=\"noopener nofollow\">Hacking Team<\/a>. Having thus obtained the ability to execute code on the victim\u2019s machine, the attackers deploy the Cryptowall locker \u2013 a piece of ransomware which has been in the wild for over a year and demands ransoms of over $500 for a decryption key.<\/p>\n<div id=\"attachment_9688\" style=\"width: 957px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024243\/security-week-35-cryptowall.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-9688\" class=\"size-full wp-image-9688\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024243\/security-week-35-cryptowall.png\" alt=\"Infosec digest: exploit kit Neutrino in WordPress, yet another GitHub DDoS, Wyndham responsible for breach, while Target is not\" width=\"947\" height=\"903\"><\/a><p id=\"caption-attachment-9688\" class=\"wp-caption-text\">All your files belong to us. 
To learn more about ransomware, <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-protection-video\/\" target=\"_blank\" rel=\"noopener nofollow\">check here<\/a><\/p><\/div>\n<p>Imagine you own a small business and a couple of years ago you purchased a turnkey website from a third-party supplier, so you have no idea what engine your website runs on. Compared to some massive stuff like <a href=\"http:\/\/www.pcworld.com\/article\/2956272\/security\/yahoo-tackles-large-malvertising-campaign-in-its-ad-network.html\" target=\"_blank\" rel=\"noopener nofollow\">sneaking malicious code through the banners of, say, Yahoo<\/a>, it\u2019s peanuts, but hundreds of infected sites like that can generate multi-million dollar revenue (or losses, depending on the point of view).<\/p>\n<p>From the security standpoint, this attack is not extraordinary. It looks like a collection of small incidents: there are a number of vulnerabilities in just one website engine (or its plug-ins); someone will constantly hack those sites and deploy an exploit pack; someone will develop those exploit packs, using the data obtained from a company running the questionable business of trading vulns and ultimately unable to guard its own secrets.<\/p>\n<p>Someone will use outdated Flash, and someone will collect money from desperate people who are not able to access their own files. Taken separately, each of these precedents is not a big deal, but collectively they form quite a dreadful picture.<\/p>\n<p>Curiously, <a href=\"https:\/\/threatpost.com\/uptick-in-neutrino-exploit-kit-traffic-doesnt-mean-angler-reign-over\/114362\" target=\"_blank\" rel=\"noopener nofollow\">researchers have previously noted the spike in Neutrino\u2019s traffic<\/a>, at the expense of its rival \u2014 Angler \u2014 with no particular idea why at the moment. 
It seems that besides making money, the people behind those cybercriminal operations had something of a fray over who\u2019s the boss.<\/p>\n<h3>GitHub is DDoS-ed. Again<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/github-mitigates-ddos-attack\/114403\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>. Another <a href=\"https:\/\/threatpost.com\/github-hit-with-ddos-attack\/111850\" target=\"_blank\" rel=\"noopener nofollow\">news<\/a>.<\/p>\n<p>In reality, it\u2019s quite easy to bring down the number of software vulnerabilities: just prohibit coders from coding. Well, that\u2019s a disputable method, but someone, it appears, wanted to do exactly that, disrupting GitHub\u2019s operations with a DDoS attack on one of the software industry\u2019s most renowned repositories.<\/p>\n<p>The news is not breaking, anyway: the attack started early in the morning, was discovered and mitigated three hours later, and the culprit behind it remains unknown. *Yawn* Bo-ring. So, why did that news attract everyone\u2019s attention? The reason is that GitHub was heavily <a href=\"https:\/\/threatpost.com\/github-hit-with-ddos-attack\/111850\" target=\"_blank\" rel=\"noopener nofollow\">DDoSed for over a week back in March<\/a>, so no wonder everyone overreacted.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024242\/security-week-35-notagain-en.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-9689\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024242\/security-week-35-notagain-en.jpg\" alt=\"Infosec digest: exploit kit Neutrino in WordPress, yet another GitHub DDoS, Wyndham responsible for breach, while Target is not\" width=\"616\" height=\"388\"><\/a><\/p>\n<p>The March attack was curious. Experts were under the strong impression that the malicious traffic was somehow connected to China\u2019s Baidu search engine. 
It\u2019s as if an iframe appeared on Google\u2019s main page and redirected the traffic to the victim\u2019s website.<\/p>\n<p>That would bring any website down, but it does not sound remotely possible. Or does it? Quite unlikely, and it seems that in the March attack Baidu was not responsible for anything; the \u2018bonus\u2019 was attached to Chinese users\u2019 traffic somewhere else, not on Baidu.<\/p>\n<p>Where exactly that happened remains an open question. Maybe it was the usual way of infecting users and then luring them into downloading a rogue script when they access a popular website. Or, maybe, the swap happened somewhere else.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Google have provided detailed analysis of the recent Github attack \u2013 <a href=\"http:\/\/t.co\/F75hTyzp2s\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/F75hTyzp2s<\/a> <a href=\"http:\/\/t.co\/HJPMMg0InZ\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/HJPMMg0InZ<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/592597849029943296?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 27, 2015<\/a><\/p><\/blockquote>\n<p>For instance, it could happen <a href=\"http:\/\/www.netresec.com\/?page=Blog&amp;month=2015-03&amp;post=China%2527s-Man-on-the-Side-Attack-on-GitHub\" target=\"_blank\" rel=\"noopener nofollow\">somewhere between the outside world\u2019s Internet and the Chinese Internet<\/a>, where the Great Chinese Firewall resides. 
In this case, those who access Chinese websites from outside China might unintentionally do the attackers\u2019 bidding: the response from the server would carry a malicious script, which would then be used against GitHub projects from the victim\u2019s PC.<\/p>\n<p>By the way, the affected GitHub projects seemed to be hand-picked: the targets were two projects that would allow bypassing the Great Firewall and accessing content banned in China. That type of attack even got its own name \u2013 \u2018Man-on-the-Side.\u2019 The aftermath of the story: HTTPS rules.<\/p>\n<h3>American hotel chain responsible for a data breach<\/h3>\n<p><a href=\"https:\/\/threatpost.com\/court-rules-ftc-has-authority-to-punish-wyndham-over-breaches\/114390\" target=\"_blank\" rel=\"noopener nofollow\">News<\/a>.<\/p>\n<p>The news is all about law and order, but it\u2019s quite important. Seven years ago, the Wyndham hotel chain\u2019s IT infrastructure was hacked, with over 600,000 customer records stolen. Leaked credit card data allowed the culprits to strip the cardholders of over $10 million. The breach was as simple as this: find one exposed computer in one of the hotels, get the admin password, get access to\u2026 well, everything.<\/p>\n<p>From the technical point of view, the hack was an epic fail of the hotel\u2019s security team: client data aside, why on Earth would one store credit card numbers unencrypted? The US Federal Trade Commission was pretty upset with Wyndham, claiming the company did not comply with its own privacy policies.<\/p>\n<p>There was a promise to provide \u2018standard-based protection\u2019 (like deploying a firewall or encrypting data) which the hotels did not live up to. As it turned out, there was no firewall and no encryption. There were default passwords on PCs, no security audit ever, and no plan B. The FTC tried to punish the company, with the very first legal case revolving, awkwardly, around whether the FTC has the right to do that or not. 
After a series of iterations, the parties came to the conclusion that the FTC is empowered to do that.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Court Rules FTC Has Authority to Punish Wyndham Over Breaches \u2013 <a href=\"http:\/\/t.co\/pmgYUjbGEe\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/pmgYUjbGEe<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/635884703812296704?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 24, 2015<\/a><\/p><\/blockquote>\n<p>That sounds interesting. Say, a company faced an APT attack, one that presupposes the use of advanced hacking techniques and preserves unauthorized access for a long time. It\u2019s all clear: the company took all the measures necessary, but they got bypassed, and nothing can help here.<\/p>\n<p>But it\u2019s another story when the attack was not advanced at all, merely persistent, simply because the infrastructure was completely insecure against any threat. The ruling of the court adds a bit of a headache for American companies in terms of compliance. Usually compliance rules apply to credit card processing systems, but it appears that now they would apply to all aspects of protecting personal data.<\/p>\n<p>Maybe it\u2019s for the best. However, technologies and methods of protection should be created anywhere but in courtrooms. Courts serve to fine-tune the definitions. And one more thing \u2013 data should be encrypted. 
It sounds completely down-to-Earth, like \u201cone should do backups.\u201d Still, data SHOULD be encrypted.<\/p>\n<p>By the way, Target, <a href=\"https:\/\/threatpost.com\/target-attackers-took-11-gb-of-data-researchers-say\/103691\" target=\"_blank\" rel=\"noopener nofollow\">whose customers suffered a more impactful breach<\/a>, was not fined, as per the FTC\u2019s <a href=\"https:\/\/threatpost.com\/target-says-sec-wont-pursue-enforcement-action-as-a-result-of-data-breach\/114433\" target=\"_blank\" rel=\"noopener nofollow\">ruling<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Target Says SEC Won\u2019t Pursue Enforcement Action as a Result of Data Breach \u2013 <a href=\"http:\/\/t.co\/OwsXc1ZBHK\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/OwsXc1ZBHK<\/a><\/p>\n<p>\u2014 Threatpost (@threatpost) <a href=\"https:\/\/twitter.com\/threatpost\/status\/636924617546928128?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 27, 2015<\/a><\/p><\/blockquote>\n<h3>What else happened:<\/h3>\n<p>American researchers <a href=\"https:\/\/threatpost.com\/scanner-finds-malicious-android-apps-at-scale\/114438\" target=\"_blank\" rel=\"noopener nofollow\">scanned over 400,000 apps on Google Play<\/a>, finding 7.6% of them potentially dangerous. That does not match Google\u2019s own assessment: <a href=\"https:\/\/source.android.com\/security\/reports\/Google_Android_Security_2014_Report_Final.pdf\" target=\"_blank\" rel=\"noopener nofollow\">according to Google<\/a>, the chances of infection when downloading apps exclusively from Google Play are just 0.15%. 
At the same time, the approach used by the researchers is itself vague: they analyze the code, find non-standard deployment and automatically list the code as potentially dangerous.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Scanner Finds Malicious Android Apps at Scale: <a href=\"https:\/\/t.co\/53MoLU2nRz\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/53MoLU2nRz<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@Threatpost<\/a> <a href=\"http:\/\/t.co\/7HrpJdSoz9\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/7HrpJdSoz9<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/636984446583996416?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 27, 2015<\/a><\/p><\/blockquote>\n<p>In Russia, ransomware is distributed via email. That\u2019s not news. The news is that now the attackers use <a href=\"https:\/\/securelist.ru\/blog\/phishing-blog\/26651\/shifrovalshhik-v-kredit\/\" target=\"_blank\" rel=\"noopener\">fake<\/a> \u201cPayment overdue\u201d notifications from banks. 
These guys know how to turn any situation to their advantage, including a financial crisis.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">According to research, &gt;40% of CryptoLocker victims paid <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"http:\/\/t.co\/Lnb4Rq7foJ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/Lnb4Rq7foJ<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/whitepaper?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#whitepaper<\/a> <a href=\"http:\/\/t.co\/wrxC9Rq1ZH\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/wrxC9Rq1ZH<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/635910810448056320?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 24, 2015<\/a><\/p><\/blockquote>\n<p>Apple closed the <a href=\"https:\/\/threatpost.ru\/2015\/08\/27\/patched-ins0mnia-vulnerability-keeps-malicious-ios-apps-hidden\/\" target=\"_blank\" rel=\"noopener nofollow\">vulnerability which allowed any app to track users<\/a> even with the time limits set up in the system. 
It\u2019s funny that sneaking such a bug past App Store moderation is a lot easier than sneaking in a purely malicious app.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Patched Ins0mnia Vulnerability Keeps Malicious <a href=\"https:\/\/twitter.com\/hashtag\/iOS?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iOS<\/a> Apps Hidden: <a href=\"https:\/\/t.co\/LVLKMC8NcX\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/LVLKMC8NcX<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/apple?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#apple<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/jtZM9WXZYl\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/jtZM9WXZYl<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/636614141965434881?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 26, 2015<\/a><\/p><\/blockquote>\n<h3>Oldies:<\/h3>\n<p>Den-Zuk<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024345\/infosec-digest-32-book1.jpg\"><img decoding=\"async\" class=\"alignright wp-image-9594 size-medium\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/08\/06024345\/infosec-digest-32-book1-234x300.jpg\" alt=\"Security Week: Doors without locks, invulnerable Microsoft, disassembler and pain\" width=\"234\" height=\"300\"><\/a><\/p>\n<p>A very dangerous virus, 9 sectors in length. It infects the disk\u2019s boot sector when called (int 13h, ah = 2,3,4,5). 
If the second part of the virus is saved on the disk, no security checks are done, letting the virus destroy a part of the information on the disk (40th track).<\/p>\n<p>Hijacks int 9 and 13h. After a \u2018warm\u2019 reboot, it outputs its name (Den Zuk) on the screen. Changes the tag of the infected disk to \u201cYC1ERP\u201d. Does not possess destructive functions yet is very dangerous, since it can destroy data on the 40th track of the disk. Includes texts: \u201cWelcome to the C l u b \u2014 The HackerS \u2014 Hackin\u2019 All The Time\u201d, \u201cThe HackerS\u201d.<\/p>\n<p><em>Quoted from \u201cComputer viruses in MS-DOS\u201d by Eugene Kaspersky, 1992. Page 99.<\/em><\/p>\n<p><em>Disclaimer: this column reflects only the personal opinion of the author. It may coincide with Kaspersky Lab position, or it may not. Depends on luck.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Infosec digest: exploit kit Neutrino in Wordpress, yet another GitHub DDoS, Wyndham responsible for breach, while Target is 
not.<\/p>\n","protected":false},"author":53,"featured_media":9687,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[901,1058,1224,1057,961,1223,1203,1222,268,304,1221],"class_list":{"0":"post-9683","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"tag-breach","9":"tag-ddos","10":"tag-exploit-kit","11":"tag-github","12":"tag-leaks","13":"tag-neutrino","14":"tag-security-week","15":"tag-target","16":"tag-vulnerabilities","17":"tag-wordpress","18":"tag-wyndham"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/security-week-35\/9683\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/security-week-35\/5892\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/security-week-35\/6169\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/security-week-35\/6059\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/security-week-35\/6699\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/security-week-35\/6551\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/security-week-35\/8713\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/security-week-35\/6063\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/security-week-35\/8749\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/security-week-35\/8713\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/security-week-35\/9683\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/security-week-35\/9683\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/breach\/","name":"breach"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/b
log\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=9683"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9683\/revisions"}],"predecessor-version":[{"id":30417,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/9683\/revisions\/30417"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/9687"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=9683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=9683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=9683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}