THERE’S A LOT going on in the world, but the slow march of cybersecurity research and incidents plods on no matter what else is happening. This week research showed that many mobile VPNs fall short on delivering security and privacy benefits. International law may be the best mechanism for addressing large-scale ransomware attacks on Internet of Things devices (like hotel door locks). Attacks using a stealthy type of “fileless” malware that hides in computer RAM are on the rise. And it’s time to get real about strategies for keeping smart TV manufacturers from spying.

In the political sphere, the Email Privacy Act, which would reform dated and problematic aspects of the Electronic Communications Privacy Act, took a step in Congress toward becoming law. Trump’s Homeland Security Advisor Tom Bossert seems promising—he’s known as an effective and even-keeled dude. And links between Silicon Valley and the Pentagon remain strong in spite of recent political turmoil in the US. Oh, and there’s no easy fix for a clever and effective slot machine cheat developed by Russian criminals that has been plaguing casinos around the world for years. So have fun with that one.

But wait! There’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Dozens of iOS Apps Are Vulnerable to Man-in-the-Middle Data Attacks

Seventy-six iOS apps are vulnerable to man-in-the-middle data interception attacks, thanks to sloppy certificate validation that accepts a forged certificate, letting an attacker on the same network decrypt traffic the app believes is protected by the Transport Layer Security (TLS) protocol. Will Strafach, CEO of mobile security company Sudo Security Group, found the vulnerable apps while the company was developing its mobile app analysis product. Problems with TLS validation have been around for a long time, and they’re particularly problematic for apps that handle sensitive data like health or financial information. Nineteen of the 76 apps Strafach found handle this type of “high risk” data. Apple has advocated that iOS developers adopt its App Transport Security (ATS) feature, which requires every iOS app to use TLS for its connections, but ATS alone still doesn’t resolve certificate verification issues: it governs whether a connection uses TLS, not whether the app’s own networking code properly checks the server’s certificate. Apple also indefinitely pushed back the deadline to implement ATS—the cutoff was originally supposed to be the end of 2016. Strafach says that hundreds of other apps he analyzed seemed to have the same flaw, but he only pursued analysis of those that he could confirm were jeopardized.
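To make the failure mode concrete, here is an added example in Python (not Strafach’s or Sudo Security’s tooling, and not code from the original article): a heuristic audit that looks in the two places an iOS app can defeat TLS verification, its own URLSession delegate code and its Info.plist ATS settings. The Swift snippets and plist are constructed inputs; the Apple API names are real, but the list of bypass idioms and the decision to treat every hit as a finding are this script’s assumptions. The point it illustrates is the article’s: a clean ATS configuration does not save an app whose delegate hands the server’s trust object back as a credential without evaluating it.

```python
"""Heuristic audit of an iOS app's sources and Info.plist for TLS-verification
bypasses.  Added example, not Sudo Security's tooling.  The Apple API names
below are real; the idiom list and the rule "any hit is a finding" are this
script's assumptions."""
import plistlib
import re

# Code idioms that disable or weaken server-certificate checking.
BYPASS_PATTERNS = {
    "private allowsAnyHTTPSCertificateForHost: override":
        r"allowsAnyHTTPSCertificateForHost",
    "kCFStreamSSLValidatesCertificateChain turned off":
        r"kCFStreamSSLValidatesCertificateChain\b.*\b(NO|false|kCFBooleanFalse)\b",
    "AFNetworking allowInvalidCertificates enabled":
        r"allowInvalidCertificates\s*=\s*(YES|true)\b",
    "SecTrustSetExceptions overrides the trust result":
        r"SecTrustSetExceptions",
}
# The server's trust object handed straight back as a credential, and the
# call that should have evaluated it first.
ACCEPT_TRUST = re.compile(r"URLCredential\(trust:|credentialForTrust:")
EVALUATE_TRUST = re.compile(r"SecTrustEvaluate")


def audit_source(src):
    """Return findings for one Swift/Objective-C source file."""
    findings = [f"code: {name}" for name, pat in BYPASS_PATTERNS.items()
                if re.search(pat, src)]
    # Accepting serverTrust with no SecTrustEvaluate* anywhere in the file
    # means any certificate, a forged one included, is accepted.
    if ACCEPT_TRUST.search(src) and not EVALUATE_TRUST.search(src):
        findings.append("code: serverTrust accepted without SecTrustEvaluate")
    return findings


def audit_plist(plist_bytes):
    """Return findings for the ATS dictionary of an Info.plist."""
    findings = []
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ats: NSAllowsArbitraryLoads enabled (ATS off app-wide)")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"ats: plaintext HTTP allowed for {domain}")
    return findings


def audit_app(src, plist_bytes):
    return audit_source(src) + audit_plist(plist_bytes)


# Constructed inputs.  BAD hands the trust object back unevaluated; GOOD
# evaluates it first (pinning the expected certificate would be a further step).
SWIFT_BAD = """
func urlSession(_ s: URLSession, didReceive c: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    completionHandler(.useCredential, URLCredential(trust: c.protectionSpace.serverTrust!))
}
"""
SWIFT_GOOD = """
func urlSession(_ s: URLSession, didReceive c: URLAuthenticationChallenge,
                completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
    guard let trust = c.protectionSpace.serverTrust else {
        completionHandler(.cancelAuthenticationChallenge, nil); return
    }
    var result = SecTrustResultType.invalid
    if SecTrustEvaluate(trust, &result) == errSecSuccess,
       result == .unspecified || result == .proceed {
        completionHandler(.useCredential, URLCredential(trust: trust))
    } else {
        completionHandler(.cancelAuthenticationChallenge, nil)
    }
}
"""
PLIST_ATS_ON = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": False}})
PLIST_ATS_OFF = plistlib.dumps({"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True}})

if __name__ == "__main__":
    print(audit_app(SWIFT_BAD, PLIST_ATS_ON))   # ATS is fine; the delegate is not
    print(audit_app(SWIFT_GOOD, PLIST_ATS_ON))  # nothing to report
    print(audit_app(SWIFT_GOOD, PLIST_ATS_OFF))
```

Run it on a checked-out app and the first case is the one the article describes: the plist passes an ATS review, yet the delegate accepts whatever certificate the network offers. A grep of this kind is a triage aid, not proof; confirm a hit by proxying the app through a TLS interceptor with an untrusted certificate and seeing whether the connection succeeds.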

Arby’s Breach Affected Payment Systems at Hundreds of Corporate Locations

Arby’s has been working to address a breach of customer credit and debit card information since it learned of the situation in mid-January. Malware on payment systems at hundreds of restaurant locations around the US captured hundreds of thousands of card numbers throughout the fall. Arby’s says that only a portion of its 1,000 corporate-owned locations were impacted, and that franchise locations were not affected. It says that the malware has been eradicated from its networks. Arby’s Restaurant Group “immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” the company told Krebs on Security. The investigation is ongoing.



Spoofed emails could easily land in users’ Gmail inboxes without any warning of suspicious activity, security researchers have discovered.

While spam is normally used to deliver malicious documents or links to unsuspecting users, spoofed emails have a bigger chance of luring potential victims, because people are likely to click on a link or open a document coming from what they believe is a trusted contact. In a spoofed message the displayed sender is forged to impersonate someone else, which makes the message appear legitimate.

While users may expect Gmail to warn them of such suspicious activity, researchers at Morphus Segurança da Informação recently discovered that this doesn’t always happen. According to them, users should revise the trust they place in Gmail to block messages with spoofed senders, and should not read the absence of an alert as confirmation that a message is legitimate.

“We realized that a message that appears in your Gmail inbox folder even with an important sign, coming from one of your Gmail contacts with no spoof or security alert, may have been forged and impersonated by a fraudster or cybercriminal,” Renato Marinho, Director at Morphus Segurança da Informação, explains.

Marinho explains that the Simple Mail Transfer Protocol (SMTP) defines the “mail envelope and its parameters, such as the message sender and recipient,” and not the message content and headers. Thus, an SMTP transaction consists of MAIL FROM (which establishes the return address used if delivery fails), RCPT TO (the recipient address), and DATA (a command telling the SMTP server to receive the content of the message, headers included).

The value “From” displayed in the email is usually equivalent to the value used in the SMTP command “mail from” but, because it is part of the message content, “can be freely specified by the system or person issuing commands to the SMTP server.” Basically, an attacker simply needs to change the “From” to a desired value to spoof the sender, but that is almost certainly going to trigger anti-spam or anti-phishing mechanisms, Marinho explains.

However, attackers could also attempt to send spoofed messages on behalf of a certain domain by changing the “Mail from:” SMTP command as well, a practice that can be combated by applying spoofing protection mechanisms. Among them, SPF (Sender Policy Framework) allows admins to specify the IP addresses of the mail servers that are allowed to send e-mail messages on behalf of their domain.
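The envelope/header split Marinho describes, and what SPF does and does not check, as an added Python example (not part of the article and not Morphus’s research code). The SPF records, addresses and sending IP are constructed; the SPF evaluator handles only the ip4, ip6 and all mechanisms (include, a and mx need live DNS and are left out as a stated simplification); and the alignment check at the end is this example’s own, not Gmail’s logic. It shows why a spoofer pairs a forged header From: with a MAIL FROM in a domain whose SPF record they control: SPF passes, and only a check that compares the two domains notices anything.

```python
"""Envelope vs. header sender, and why SPF alone does not catch a forged From:.
Added example; DNS data below is constructed, not real records."""
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumption; not real records).
SPF_RECORDS = {
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "victim.example":   "v=spf1 ip4:198.51.100.0/24 -all",
}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_message(header_from, rcpt, subject, body):
    """The RFC 5322 message.  Its From: line is content, sent inside DATA."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = rcpt
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def smtp_transaction(envelope_from, rcpt, msg):
    """Client-side commands of one SMTP transaction (RFC 5321).  Only MAIL FROM
    and RCPT TO are envelope; the header From: travels inside DATA, and nothing
    in SMTP ties the two together."""
    return [
        f"MAIL FROM:<{envelope_from}>",
        f"RCPT TO:<{rcpt}>",
        "DATA",
        msg.as_string().rstrip("\n"),
        ".",
    ]


def spf_check(sending_ip, envelope_from):
    """Evaluate SPF for the envelope (MAIL FROM) domain against the client IP.
    Simplified: ip4/ip6/all mechanisms only; include/a/mx would need DNS."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.lower().startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULT_FOR_QUALIFIER[qualifier]
        elif term.lower() == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208, section 4.7)


def from_aligned(envelope_from, msg):
    """Does the header From: domain match the SPF-checked envelope domain?
    SPF never looks at the header; this comparison is the alignment idea
    that DMARC layers on top of it."""
    header_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    envelope_domain = envelope_from.rsplit("@", 1)[-1].lower()
    return header_domain == envelope_domain


def classify(sending_ip, envelope_from, msg):
    spf = spf_check(sending_ip, envelope_from)
    if spf != "pass":
        return f"spf={spf}: reject or flag"
    if not from_aligned(envelope_from, msg):
        return "spf=pass but header From: unaligned: displayed sender is spoofed"
    return "spf=pass and aligned"


if __name__ == "__main__":
    spoof = build_message("Alice <alice@victim.example>", "bob@victim.example",
                          "Invoice", "Please open the attachment.")
    for line in smtp_transaction("bounce@attacker.example", "bob@victim.example", spoof):
        print(line)
    print(classify("203.0.113.5", "bounce@attacker.example", spoof))
```

The transaction printed by the example carries attacker.example in the envelope and alice@victim.example in the header; the attacker’s own SPF record covers 203.0.113.5, so SPF passes, and only the alignment comparison flags the message. That is the gap Marinho’s experiment probes: SPF answers “may this server send for the envelope domain?”, not “is the From: the user sees genuine?”.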


The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

A cybercriminal shop selling 2016 W-2 tax data.

Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s nam


Recently, on a trip to visit potential customers in one of Europe’s smaller markets, I ran into a recurring theme.  When I speak to any audience about security, including potential customers of course, I tend to focus on concepts and ideas, rather than specific products and services.  Choosing the components of a solution is important, but can only be done once an approach is well understood.  This comes much later in the discussion.  Not surprisingly, most people prefer this approach, particularly when they are able to map between the concepts and ideas and the specific problems and challenges they face.

As you can imagine, one of the concepts I often discuss is the identification, prioritization, and mitigation of risk.  As I’ve discussed previously, this is one of the most critical components of a mature and successful security program.  This particular trip was no different from most others in that I broached this particular topic with nearly everyone I met with.  What was different on this trip, however, was one response I received repeatedly: “We are in a small market.  No one will attack us.”  This surprised me quite a bit.

Indeed, I have heard this line of reasoning many times in the past.  What surprised me was not that people would be inclined to think this way, but that they would be inclined to think this way in 2017.  It is surprising given how interconnected the world is, how we’ve repeatedly seen that no target is too small or too remote for the motivated attacker, and how organizations that do not come to terms with this reality ultimately pay for it, sometimes dearly.

Sadly, market size isn’t the only way in which people lure themselves into a false sense of security.  Let’s take a look at a few of the different ways in which people convince themselves that they do not need to understand the threat landscape they face and mitigate the risk it presents them with.

Organizational Size

Some people, organizations, and boards seem to think that if their organization is under a certain threshold (either employee-wise or revenue-wise), then the organization can simply fly under the attacker radar.  This line of reasoning is reminiscent of the old “security by obscurity” way of thinking.  As experienced security professionals know, this is a dangerous way of thinking that generally winds up producing disastrous results.