source: securityweek.com

Facebook on Friday said it disrupted an international fake account operation that was firing off inauthentic "likes" and bogus comments to accumulate friends it could later flood with spam.

Facebook's security team spent six months fighting to neutralize what they saw as a coordinated campaign, according to Shabnam Shaik, a company security manager.

"Our systems were able to identify a large portion of this illegitimate activity -- and to remove a substantial number of inauthentic likes," Shaik said in a blog post.

"By disrupting the campaign now, we expect that we will prevent this network of spammers from reaching its end goal of sending inauthentic material to large numbers of people."

The ring used accounts in a number of countries including Bangladesh, Indonesia and Saudi Arabia.

The group tried to mask its activities with tactics like connecting with the social network through "proxy" servers to disguise where "likes," posts or other communications were originating, according to Shaik.

Facebook said the campaign aimed to trick people into connecting as friends they would later target with spam. The company said it had derailed the operation early enough to spare users that fate.

The leading social network this week said it has started weeding out bogus accounts by watching for suspicious behavior such as repetitive posts or torrents of messages.

The security improvement was described as being part of a broader effort to rid the leading social network of hoaxes, misinformation and fake news by verifying people's identities.

"We've found that when people represent themselves on Facebook the same way they do in real life, they act responsibly," Shaik said.

"Fake accounts don't follow this pattern, and are closely related to the creation and spread of spam."

Under pressure to stymie the spread of fake news, Facebook has taken a series of steps including making it easier to report such posts and harder to earn money from them.

source: darkreading.com

Akamai since October has detected and mitigated at least 50 DDoS attacks using Connectionless LDAP.


Over the years, threat actors have abused a variety of services including DNS, SNMP, and NTP to enable and amplify distributed denial-of-service (DDoS) attacks against their targets.

A method that appears to be gaining favor among attackers abuses Connectionless LDAP (CLDAP), a UDP-based variant of the Lightweight Directory Access Protocol that Windows clients use to locate and query Active Directory domain controllers. Because CLDAP runs over UDP, a server answers a small query whose source address has been forged, so the replies can be aimed at a victim; a domain controller that answers on UDP port 389 from the internet is a ready-made reflector.

In an advisory Wednesday, content delivery network and cloud services provider Akamai reported encountering and mitigating at least 50 CLDAP reflection attacks against its customers since last October.


About 33% of those were single-vector attacks, meaning they relied solely on CLDAP reflection to try to disrupt or knock their targets offline.

What makes the new technique dangerous is the extent of the amplification that can be achieved by abusing Internet-exposed CLDAP services, says Jose Arteaga, a member of Akamai's security intelligence response team.


source: wired.com

Two years ago, Charlie Miller and Chris Valasek pulled off a demonstration that shook the auto industry, remotely hacking a Jeep Cherokee via its internet connection to paralyze it on a highway. Since then, the two security researchers have been quietly working for Uber, helping the startup secure its experimental self-driving cars against exactly the sort of attack they proved was possible on a traditional one. Now, Miller has moved on, and he’s ready to broadcast a message to the automotive industry: Securing autonomous cars from hackers is a very difficult problem. It’s time to get serious about solving it.

Last month, Miller left Uber for a position at Chinese competitor Didi, a startup that’s just now beginning its own autonomous ridesharing project. In his first post-Uber interview, Miller talked to WIRED about what he learned in those 19 months at the company—namely that driverless taxis pose a security challenge that goes well beyond even those faced by the rest of the connected car industry.

Miller couldn’t talk about any of the specifics of his research at Uber; he says he moved to Didi in part because the company has allowed him to speak more openly about car hacking. But he warns that before self-driving taxis can become a reality, the vehicles’ architects will need to consider everything from the vast array of automation in driverless cars that can be remotely hijacked, to the possibility that passengers themselves could use their physical access to sabotage an unmanned vehicle.


source: arstechnica.com

There’s currently no patch for the bug, which affects most or all versions of Word.

There's a new zeroday attack in the wild that's surreptitiously installing malware on fully-patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that's disguised to look like a document created in Microsoft's Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from "different well-known malware families."

The attack is notable for several reasons. First, it bypasses most exploit mitigations: because it abuses a logic flaw rather than corrupting memory, the memory-safety defenses that make Windows 10 the most secure version of Windows to date do not come into play. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros. Finally, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.
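The second stage described above is an HTML Application wearing a document's clothes, and that mismatch is something a mail gateway, proxy or sandbox can check without knowing the vulnerability. The following content-sniffing check is an added example, not code from the Ars Technica article, FireEye or McAfee: it classifies a payload by its bytes (RTF, OLE2 .doc, OOXML .docx, HTA or plain HTML) and flags any payload whose filename or Content-Type promised a document but whose content is script. The sample bodies are constructed here and benign; the marker lists and the document-claim table are assumptions chosen for the example.

```python
"""
Added example (not from the Ars Technica article, FireEye or McAfee).

Flags a payload that is labelled as a Word/RTF document but is really an
HTML Application.  Sample bodies below are constructed and benign.
"""
from typing import Optional

RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                           # .docx / OOXML container

# Assumed table: filename suffixes and MIME types that promise a document.
DOCUMENT_CLAIMS = {
    ".rtf": "rtf", "application/rtf": "rtf", "text/rtf": "rtf",
    ".doc": "ole2", "application/msword": "ole2",
    ".docx": "zip",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document": "zip",
}

# Assumed markers, compared lower-cased.  An HTA: tag is conclusive; script
# aimed at the Windows script engines is treated the same because mshta.exe
# will run it with or without the tag.
HTA_MARKERS = (b"<hta:application", b"hta:application")
SCRIPT_ENGINE_MARKERS = (b"vbscript", b"jscript", b"wscript.shell", b"createobject(")


def sniff(data: bytes) -> str:
    """Classify by content, ignoring whatever name or MIME type it arrived with."""
    head = data.lstrip()
    if head.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    text = head[:65536].lower()
    if any(marker in text for marker in HTA_MARKERS):
        return "hta"
    if b"<script" in text and any(marker in text for marker in SCRIPT_ENGINE_MARKERS):
        return "hta"
    if b"<html" in text or b"<script" in text:
        return "html"
    return "unknown"


def claimed_kind(claim: str) -> Optional[str]:
    """Map a filename or Content-Type header to the container it promises."""
    claim = claim.strip().lower().split(";")[0]
    for key, kind in DOCUMENT_CLAIMS.items():
        if claim == key or (key.startswith(".") and claim.endswith(key)):
            return kind
    return None


def is_disguised(claim: str, data: bytes) -> bool:
    """True when a document was promised but HTML/HTA content was delivered."""
    return claimed_kind(claim) is not None and sniff(data) in ("hta", "html")


def flag_samples(samples):
    """Return (claim, sniffed kind) for every sample that lies about itself."""
    return [(claim, sniff(data)) for claim, data in samples if is_disguised(claim, data)]


# Constructed, benign sample bodies.
RTF_SAMPLE = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Quarterly report\\par }"
HTA_SAMPLE = (
    b"<html><head><HTA:APPLICATION id=\"demo\" WINDOWSTATE=\"minimize\"></head>\n"
    b"<script language=\"VBScript\">MsgBox \"constructed sample\"</script></html>"
)
SAMPLES = [
    ("report.rtf", RTF_SAMPLE),                  # honest RTF
    ("application/rtf", HTA_SAMPLE),             # HTA served as RTF: flag it
    ("invoice.docx", ZIP_MAGIC + b"\x14\x00..."),  # honest OOXML prefix
    ("notes.hta", HTA_SAMPLE),                   # honest about itself
]

if __name__ == "__main__":
    for claim, kind in flag_samples(SAMPLES):
        print(f"mismatch: claimed {claim!r}, content is {kind}")
```

This catches the disguise, not the exploit: the first-stage document is a real Office file and passes this check. It is a second line behind the control the article recommends, keeping Protected View on so the document never reaches out for its second stage in the first place.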

The zeroday attacks were first reported Friday evening by researchers from security firm McAfee. In a blog post, they wrote:

The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file. Because .hta is executable, the attacker gains full code execution on the victim's machine. Thus, this is a logical bug [that] gives the attackers the power to bypass any memory-based mitigations developed by Microsoft. The following is a part of the communications we captured:

The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim's system.

The root cause of the zeroday vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation in which we examine the attack surface of this feature.)

FireEye researchers said they have been communicating with Microsoft about the vulnerability for several weeks and had agreed not to publicly disclose it pending the release of a patch. FireEye later decided to publish Saturday's blog post after McAfee disclosed vulnerability details. McAfee, meanwhile, said the earliest attack its researchers are aware of dates back to January. Microsoft's next scheduled release of security updates is this Tuesday.

Zeroday attacks are typically aimed only at select individuals, such as those who work for a government contractor, a government agency, or a similar organization that's attractive to nation-sponsored hackers. Still, it's not uncommon for such attacks to be turned on larger populations once the underlying zeroday vulnerability becomes public knowledge.

People should be highly suspicious of any Word document that arrives in an e-mail, even if the sender is well known. The attacks observed by McAfee do not work when a booby-trapped document is viewed in an Office feature known as Protected View. Those who choose to open an attached Word document should exercise extreme caution before disabling Protected View. There's no word yet on whether Microsoft's Enhanced Mitigation Experience Toolkit prevents the exploit from working.