Security News > 2021 > November

Academic researchers have released details about a new attack method they call "Trojan Source" that allows injecting vulnerabilities into the source code of a software project in a way that human reviewers can't detect. "The trick is to use Unicode control characters to reorder tokens in source code at the encoding level," reveals Nicholas Boucher, one of the researchers that discovered Trojan Source.

Signal has added an easy way for users to report and block spam straight from message request screens with a single mouse click. Message requests were added to Signal last year, in August 2020, to allow new users to reach out to other Signal users even if they're not in their address books and provide more contextual info to those on the receiving end.

Microsoft Defender for Windows is getting a massive overhaul allowing home network admins to deploy Android, iOS, and Mac clients to monitor antivirus, phishing, compromised passwords, and identity theft alerts from a single security dashboard. For the past few years, Microsoft has been focusing on the enterprise's security while leaving Windows 10 consumers with the passable but fairly generic built-in Microsoft Defender antivirus software.

A 30-year-old alleged sports content pirate in Minneapolis, Minn., has found himself on the receiving end of a criminal complaint alleging that he not only stole user account credentials and sold access to pirated sports content. According to prosecutors, the MLB lost at least $2,995,272 due to Streit's alleged theft of games.

Modern cybercriminals know that choking off an organization's production data will often be enough to force it to the negotiating table, because recovering the data from backups will simply be too time-consuming. So how do you set yourself and your fellow over-worked DBAs free from this unending day-to-day drudgery? Well, you can start by spinning up this upcoming webinar, Modern Backup and Recovery for Modern DBAs, on November 9 at 0900 PT. Our own Tim Phillips, never knowingly over-drudged, will be joined by Rubrik's Rafaela Martuchelli, who will be explaining exactly what modern backup and recovery tools look like.

The attack took place on October 30th, causing regional health systems to shut down their networks and cancel thousands of medical appointments. This outage affected health systems in Central Health, Eastern Health, Western Health, and the Labrador-Grenfell Regional Health authorities.

Kaspersky said today that a legitimate Amazon Simple Email Service token issued to a third-party contractor was recently used by threat actors behind a spear-phishing campaign targeting Office 365 users. Amazon SES is a scalable email service designed to allow developers to send emails from any app for various use cases, including marketing and mass email communications.

Boucher and Anderson discovered that these Unicode control characters can be misused to misrepresent source code. "Our key insight is that we can reorder source code characters in such a way that the resulting display order also represents syntactically valid source code."

Named "Trojan Source attacks," the method "exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers," Cambridge University researchers Nicholas Boucher and Ross Anderson said in a paper published on Monday. The researchers have coordinated disclosure with 19 organizations, many of which are now releasing updates to address the security weakness in code compilers, interpreters, code editors and repositories.

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic.
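Because the reordering described above is carried by Unicode bidirectional control characters that editors render invisibly, the practical defence is to refuse or flag them in source files. The following scanner is an added example, not code from the article or from the researchers' paper; it reports every bidi control character per line and marks lines where an embedding, override or isolate is opened but never closed, which is the pattern that lets the rendered text spill past a comment or string terminator. The sample file it scans is constructed for the example.

```python
# Added example: flag Unicode bidirectional control characters in source text.
# Suitable as a pre-commit hook or CI check; sample input below is constructed.

# Unicode bidi control characters, keyed by code point, named per the standard.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202d": "LRO", "\u202e": "RLO",
    "\u202c": "PDF",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Embeddings and overrides are closed by PDF; isolates are closed by PDI.
CLOSER = {"LRE": "PDF", "RLE": "PDF", "LRO": "PDF", "RLO": "PDF",
          "LRI": "PDI", "RLI": "PDI", "FSI": "PDI"}


def scan_line(line):
    """Return (findings, unbalanced) for one line of source.

    findings:   list of (column, name) for each bidi control on the line.
    unbalanced: True when an opener on this line has no matching closer on
                the same line, so its effect on rendering is unterminated.
    """
    findings, stack = [], []
    for col, ch in enumerate(line):
        name = BIDI_CONTROLS.get(ch)
        if name is None:
            continue
        findings.append((col, name))
        if name in CLOSER:
            stack.append(CLOSER[name])          # expect this closer later
        elif stack and stack[-1] == name:
            stack.pop()                         # matching closer found
    return findings, bool(stack)


def scan_source(text):
    """Scan a whole file; return one report dict per line containing hits."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        findings, unbalanced = scan_line(line)
        if findings:
            report.append({"line": lineno, "controls": findings,
                           "unbalanced": unbalanced})
    return report


# Constructed sample: line 2 carries an unterminated RLO inside a comment.
SAMPLE = "def check(user):\n    # TODO \u202e review\n    return True\n"

if __name__ == "__main__":
    for hit in scan_source(SAMPLE):
        print(hit)
```

Gating on any hit, rather than only on unbalanced lines, is the safer policy for a code base that has no legitimate need for bidirectional text.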