several high-risk security vulnerabilities in EOS’s blockchain platform. These vulnerabilities would enable remote attacks on all EOS nodes, Qihoo 360 claimed on Weibo Tuesday, May 29. Qihoo 360 writes that they reported the vulnerability to the EOS team and that the EOS mainnet will not launch until the security problems are resolved. Local news outlet Jinse, which noted that EOS asked 360 not to report the vulnerability, claimed that the vulnerabilities had been fixed on the same day, by around 2:00 pm China Standard Time. According to 360’s Weibo post, the vulnerability would allow an attacker to use a smart contract with malicious code to open a security hole, and then use the supernode to enter the malicious smart contract into a new block, thus putting all network nodes under the attacker’s control. Once this action has been completed, the attacker could then control the digital currency on the EOS network, obtain users’ private keys and data, launch a cyber attack, or begin mining for other cryptocurrencies. 360 describes these vulnerabilities as a new “series of unprecedented security risks” that could affect other blockchain platforms besides EOS: “360 expressed [hope] that the discovery and disclosure of this loophole will cause the blockchain industry and security peers to pay more attention to the security of such issues and jointly enhance the security of the blockchain network.”

EOS, whose mainnet is scheduled to launch on June 2, is currently down by 2.76 percent over a 24 hour period, trading at around $11.70 by press time, according to Coinmarketcap data.
When it comes to fixing security vulnerabilities, it should be clear by now that words only count when they’re swiftly followed by actions. Ask peripherals maker Logitech, which last week became the latest company to find itself on the receiving end of an embarrassing public flaw disclosure by Google’s Project Zero team. In September, Project Zero researcher Tavis Ormandy installed Logitech’s Options application for Windows (available separately for Mac), used to customise buttons on the company’s keyboards, mice, and touchpads. Pretty quickly, he noticed some problems with the application’s design, starting with the fact that it… opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. Websockets simplify the communication between a client and a server and, unlike HTTP, make it possible for servers to send data to clients without first being asked to, which creates additional security risks. The only “authentication” is that you have to provide a pid [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds. Ormandy claimed this might offer attackers a way of executing keystroke injection to take control of a Windows PC running the software. Within days of contacting Logitech, Ormandy says he had a meeting to discuss the vulnerability with its engineers on 18 September, who assured him they understood the problem. A new version of Options appeared on 1 October without a fix, although in fairness to Logitech that was probably too soon for any patch for Ormandy’s vulnerability to be included.

As anyone who’s followed Google’s Project Zero will know, it operates a strict 90-day deadline for a company to fix vulnerabilities disclosed to it, after which they are made public. I would recommend disabling Logitech Options until an update is available. Clearly, the disclosure got things moving – on 13 December, Logitech suddenly updated Options to version 7.00.564 (7.00.554 for Mac). The company also tweeted that the flaws had been fixed, confirmed by Ormandy on the same day. Logitech aren’t the first to feel Project Zero’s guillotine on their neck. Earlier in 2018, Microsoft ran into a similar issue over a vulnerability found by Project Zero in the Edge browser. Times have changed – vendors have to move from learning about a bug to releasing a fix much more rapidly than they used to.
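The two weaknesses Ormandy describes (no Origin check, and a guessable PID as the only credential) have a standard fix for any local websocket service. The following is an added illustration written for this article, not Logitech’s code: the allowlisted origin, the `X-Session-Token` header and the helper names are constructed assumptions, while port 10134 is the one named above.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Added illustration of a hardened local WebSocket handshake policy. It is not
# Logitech's code; the origin allowlist and header names are constructed here.
ALLOWED_ORIGINS = {"https://options.example-vendor.test"}

def issue_session_token() -> str:
    """Unguessable per-launch credential: 256 bits, versus a PID's ~16-bit space."""
    return secrets.token_urlsafe(32)

def parse_handshake(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.1 upgrade request into its request line and lowercase headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_handshake(raw: bytes, expected_token: str) -> Tuple[bool, str]:
    """Accept only WebSocket upgrades from an allowlisted Origin carrying the token."""
    request_line, h = parse_handshake(raw)
    if not request_line.startswith("GET "):
        return False, "not a GET request"
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is None:  # browsers always send Origin; treat its absence as hostile
        return False, "missing Origin header"
    if origin not in ALLOWED_ORIGINS:  # the check the article says was absent entirely
        return False, "origin not allowed: " + origin
    # Random token instead of a guessable PID; constant-time compare defeats timing probes
    if not hmac.compare_digest(h.get("x-session-token", ""), expected_token):
        return False, "bad or missing session token"
    return True, "ok"

def build_request(origin: str, token: str) -> bytes:
    """Constructed client request for testing; port 10134 is the one named above."""
    return (
        "GET /ws HTTP/1.1\r\nHost: 127.0.0.1:10134\r\nUpgrade: websocket\r\n"
        "Connection: Upgrade\r\nOrigin: " + origin + "\r\n"
        "X-Session-Token: " + token + "\r\n\r\n"
    ).encode("latin-1")
```

A page served from any other origin is refused before the token is even examined, so the unlimited-guess problem never arises.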
After the publication of an article in Security Affairs called “ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems,” security researchers used Twitter to bash the company for what they felt were lies about real world attacks, the company orchestrating a media stunt, and not releasing any research they could vet. Following this criticism, the company ended up apologizing, saying they forgot to mention it was only a proof-of-concept ransomware, and promised to release more details in the upcoming days. According to a blog post published a day later, CRITIFENCE experts only revealed that they discovered two issues in the Modicon Modbus protocol used in PLCs (Programmable Logic Controllers), equipment that is often found in industrial facilities all over the world and used to control and automate sensors and motors. In their blog post, CRITIFENCE experts claimed to have developed a proof-of-concept ransomware that can use the two issues (CVE-2017-6032 and CVE-2017-6034) to delete a PLC’s ladder logic diagram if a ransom isn’t paid in due time, effectively wiping the PLC’s software. At the time of writing, CRITIFENCE has not published the technical report they promised. Nevertheless, the two security flaws CRITIFENCE discovered are real and have resulted in a patch from Schneider Electric, the PLC vendor whose products are affected. Earlier this year, researchers from the Georgia Institute of Technology (GIT) created a proof-of-concept ransomware strain named LogicLocker that can alter programmable logic controller (PLC) parameters
An Android SMS-based spyware dubbed SMSVova, which can steal and relay a victim’s location to an attacker in real time, has been downloaded between one and five million times since 2014 from the US Google Play store. Zscaler ThreatLabz found that the app claimed to give users access to the latest Android software updates, but in fact was being used to spy on a user’s exact geolocation, which could have been used for any number of malicious reasons. Despite clear red flags, millions downloaded it. “The app portrays itself as a ‘System Update,’” the firm’s researchers explained, in a blog. “After reading the app reviews, it became clear that several users were misled by the app, thinking that it would provide them with the latest Android release. Many users were unhappy with the app and conveyed their concerns.” In addition to the negative reviews, there were other indicators that raised suspicions: the Google Play Store page for this particular app was showing blank screenshots, which is not common, and there was no proper description for the app. It also didn’t mention that it would track the victim, nor that it would send location information to a third party. It said only, “This application updates and enables special location features.” “There are many spyware variations present on the Google Play store, such as Cell Tracker, but the legitimate apps are explicit in their intentions, and have specific purposes for tracking a user’s device,” Zscaler researchers noted. As soon as the user tries to start up the app, it abruptly quits and hides itself from the main screen. From there, it sets up an Android service and broadcast receiver to fetch the user’s last known location and store it in Shared Preferences. An attacker could also set a location alert for when the victim’s battery is running low.

Interestingly, the code is a carbon copy of the location-stealing code in DroidJack, the remote access trojan. “There are many apps on the Google Play Store that act as spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents,” researchers said. “But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update.” Google has removed the app from the store since Zscaler reported it to the Google security team.
Researchers said good social engineering and users’ trust in the convenience afforded by the OAUTH mechanism guaranteed Wednesday’s Google Docs phishing attacks would spread quickly. Google said that up to 1 million Gmail users were victimized by yesterday’s Google Docs phishing scam, which spread quickly for a short period of time. In a statement, Google said that fewer than 0.1 percent of Gmail users were affected; as of last February, Google said it had one billion active Gmail users. Google took measures to protect its users by disabling offending accounts, and removing phony pages and malicious applications involved in the attacks. Other security measures were pushed out in updates to Gmail, Safe Browsing and other in-house systems. “We were able to stop the campaign within approximately one hour,” a Google spokesperson said in a statement. “While contact information was accessed and used by the campaign, our investigations show that no other data was exposed. There’s no further action users need to take regarding this event.” The messages were a convincing mix of social engineering and abuse of users’ trust in the convenience of mechanisms that share account access with third parties. Many of the phishing messages came from contacts known to victims, since part of the attack includes gaining access to contact lists. The messages claimed that someone wanted to share a Google Doc with the victim, and once the “Open in Docs” button in the email is clicked, the victim is redirected to a legitimate Google OAUTH consent screen where the attacker’s application, called “Google Docs,” asks for access to the victim’s Gmail and contacts through Google’s OAUTH2 service implementation.

While the ruse was convincing in its simplicity, there were a number of red flags, including the fact that a Google service was asking for access to Gmail, and that the “To” address field was to an odd Mailinator account. Google also quickly updated Safe Browsing and Gmail with warnings about the phishing emails and attempts to steal personal information. The phishing emails spread quickly on Wednesday and likely started with journalists and public relations professionals, each of whom is likely to have lengthy contact lists, ensuring the messages would continue to spread in an old-school worm-like fashion. OAUTH’s open nature allows anyone to develop similar apps. The nature of the standard and interaction involved makes it difficult to safely ask for permission without giving the users a lot of information to validate whether an app is malicious, said Duo’s Sokley. “There are many pitfalls in implementing OAUTH 2.0, for example cross site request forgery protection (XSRF). Imagine if the user doesn’t have to click on the approve button, but if the exploit would have done this for you,” said SANS’ Ullrich. “OAUTH 2.0 also inherits all the security issues that come with running anything in a web browser. A user may have multiple windows open at a time, the URL bar isn’t always very visible and browsers give applications a lot of leeway in styling the user interface to confuse the user.”
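The XSRF pitfall Ullrich mentions is what the OAuth 2.0 `state` parameter exists to close: the client mints an unguessable value bound to the user’s session before the redirect, and the callback refuses any response that does not carry it back. The code below is an added example written for this article, not Google’s or any vendor’s implementation; the server secret, the in-memory nonce store and the function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set

# Added example of the XSRF protection Ullrich refers to: an OAuth 2.0 client that
# binds the state parameter to the user's session and accepts each value only once.
# Not Google's or any vendor's code; the secret and the nonce store are constructed.
SERVER_SECRET = secrets.token_bytes(32)

def _mac(session_id: str, nonce: str) -> str:
    """Tie a nonce to one browser session so a value minted elsewhere cannot be reused."""
    return hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()

def make_state(session_id: str, pending: Set[str]) -> str:
    """Mint the state value for the authorization redirect and remember its nonce."""
    nonce = secrets.token_urlsafe(16)
    pending.add(nonce)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_state(state: str, session_id: str, pending: Set[str]) -> bool:
    """Reject missing, forged, cross-session, or replayed state values."""
    if not state or "." not in state:
        return False
    nonce, mac = state.split(".", 1)
    if not hmac.compare_digest(mac, _mac(session_id, nonce)):
        return False  # not minted for this session, or tampered with
    if nonce not in pending:
        return False  # never issued, or already consumed
    pending.discard(nonce)  # one-time use blocks replay
    return True

def handle_callback(params: Dict[str, str], session_id: str, pending: Set[str]) -> str:
    """Gate the code exchange on state validation, as the redirect endpoint should."""
    if not verify_state(params.get("state", ""), session_id, pending):
        return "rejected: state check failed"
    if "code" not in params:
        return "rejected: no authorization code"
    return "ok: exchange code " + params["code"]
```

A callback that an attacker triggers in the victim’s browser with their own authorization code fails the session binding, and a captured legitimate callback fails on replay.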
Social media phishing attacks jumped by a massive 500% in Q4, driven by a huge increase in fraudulent accounts including many posing as customer support for big name brands, according to Proofpoint. The security vendor revealed the findings in its Q4 2016 Threat Summary and Year in Review report. It claimed fraudulent accounts across sites like Twitter and Facebook increased 100% from the third to fourth quarter. Such accounts are used for phishing, malware distribution, spam and other ends. In fact, Proofpoint observed a 20% increase in Facebook and Twitter spam from Q3 to Q4, with the quarter recording the second highest spam volume in the year. Yet it was a particular variety of phishing that caught the eye. So-called “angler phishing” is a relatively new tactic in which the black hats register fake Twitter accounts that masquerade as customer support accounts. They monitor the real support accounts for irate customer messages and then quickly jump in to send messages back to those users loaded with malicious links. The tactic was particularly common among financial services and entertainment accounts, according to the report. Elsewhere, the number of new ransomware variants grew 30-fold over Q4, and malicious email campaigns grew significantly, with Q4’s largest campaign 6.7 times the size of Q3’s. Some of the biggest campaigns apparently involved hundreds of millions of messages dropping Locky ransomware. However, there was some good news, with scams involving the spoofing of CEO emails sent to CFOs falling 28% in the final quarter. This is partly because CFOs are more cautious about the veracity of such messages, but can also be linked to a 33% surge in DMARC implementation which helped to block attempts to spoof the CEO’s email address.

In addition, exploit kits remained at low levels of activity after some high profile Angler EK arrests in Q2, although large scale malvertising campaigns persisted, Proofpoint claimed.