15946 matches found
Arms Race In Zero Days Spells Trouble For Privacy, Public Safety
Editor’s Note: This is the second of a two-part podcast with independent security researcher Chris Soghoian. In the first part of our podcast with independent security researcher Chris Soghoian, we talked about the way that the proliferation of “free” applications have forced consumers into the...
Katie Moussouris on Microsoft, Trustworthy Computing and the Evolution of the Security Community
Dennis Fisher talks with Microsoft’s Katie Moussouris about the way that the Trustworthy Computing effort at Microsoft has changed, how the security community has evolved since she got involved in the 1990s and the challenges–and fun–of being a woman in security. Podcast audio courtesy of sykboy6...
Iranian State Broadcaster Clobbered by ‘Clumsy, Buggy’ Code
Footage of opposition leaders calling for the assassination of Iran’s Supreme Leader ran on several of the nation’s state-run TV channels in late January after a state-sponsored cyber-attack on Iranian state broadcaster IRIB. The incident – one of a series of politically motivated attacks in Iran...
Partially Unpatched VMware Bug Opens Door to Hypervisor Takeover
A security vulnerability in VMware’s Cloud Foundation, ESXi, Fusion and Workstation platforms could pave the way for hypervisor takeover in virtual environments – and a patch is still pending for some users. The issue affects a wide swath of the virtualization specialist’s portfolio and affects...
Google Emergency Update Fixes Two Chrome Zero Days
Google has pushed out an emergency Chrome update to fix yet another pair of zero days – the second pair this month – that are being exploited in the wild. This hoists this year’s total number of zero days found in the browser up to a dozen. “Google is aware the exploits for CVE-2021-37975 and...
Novel Meteor Wiper Used in Attack that Crippled Iranian Train System
An attack earlier this month on Iran’s train system, which disrupted rail service and taunted Iran’s leadership via hacked public transit display screens, used a never-before-seen wiper malware called Meteor that appears to have been design for reuse, a security researcher has found. The initial...
Reboot of PunkSpider Tool at DEF CON Stirs Debate
Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites in the hopes that companies will quickly fix them and reduce security risks. However, experts have mixed feelings about the tool called PunkSpider, created by the analyti...
Kubernetes Cloud Clusters Face Cyberattacks via Argo Workflows
Kubernetes clusters are being attacked via misconfigured Argo Workflows instances, security researchers are warning. Argo Workflows is an open-source, container-native workflow engine for orchestrating parallel jobs on Kubernetes – to speed up processing time for compute-intensive jobs like machi...
Linux Variant of HelloKitty Ransomware Targets VMware ESXi Servers
For the first time, researchers have publicly spotted a Linux encryptor used by the HelloKitty ransomware gang: the outfit behind the February attack on videogame developer CD Projekt Red. On Wednesday, MalwareHunterTeam disclosed its discovery of numerous Linux ELF-64 versions of the HelloKitty...
SolarWinds Issues Hotfix for Zero-Day Flaw Under Active Attack
SolarWinds has issued a hotfix for a zero-day remote code execution RCE vulnerability already under active, yet limited, attack on some of the company’s customers. Microsoft alerted the company about the flaw, which affects its Serv-U Managed File Transfer Server and Serv-U Secured FTP products...
Critical Sage X3 RCE Bug Allows Full System Takeovers
Four vulnerabilities afflict the popular Sage X3 enterprise resource planning ERP platform, researchers found – including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. Two of the bugs could be chained together to allow complete system takeovers, with potential...
New Crypto-Stealer ‘Panda’ Spreads via Discord
Yet another new information stealer – Panda Stealer – is being spread through a worldwide spam campaign. On Tuesday, Trend Micro researchers said that they first spotted the new stealer in April. The most recent wave of the spam campaign has had the biggest impact in Australia, Germany, Japan and...
Zero-Click Wormable RCE Vulnerability in Cisco Jabber Gets Fixed, Again
Cisco Systems released an updated patch for a critical vulnerability in its video and instant messaging platform Jabber, originally patched in September. The cross-site scripting bug could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and...
4 Unpatched Bugs Plague Grandstream ATAs for VoIP Users
UPDATE Multiple high-severity vulnerabilities in the Grandstream HT800 series of Analog Telephone Adaptors ATAs threaten home office and midrange users alike, with outages, eavesdropping and device takeover. The HT800 series of ATAs is designed for everyone from home or small-office users to...
Amazon-Themed Phishing Campaigns Swim Past Security Checks
Amazon in the era of COVID-19 has become a staple of many people’s lives, as they order everything from sourdough starter to exercise equipment. Cybercrooks have latched onto the delivery behemoth as a lure for phishing emails, knowing that plenty of legitimate delivery messages are also making i...
WhatsApp Phone Numbers Pop Up in Google Search Results — But is it a Bug?
UPDATE A researcher is warning that a WhatsApp feature called “Click to Chat” puts users’ mobile phone numbers at risk — by allowing Google Search to index them for anyone to find. But WhatsApp owner Facebook says it is no big deal and that the search results only reveal what the users have chose...
Alleged Hacker Behind Massive ‘Collection 1’ Data Dump Arrested
A hacker accused of selling hundreds of millions of stolen credentials from last year’s “Collection 1” data dump on the dark web has been arrested in the Ukraine. The Security Service of Ukraine SSU took into custody a threat actor known as “Sanix,” who they claim posted 773 million e-mail...
GDPR Compliance Site Leaks Git Data, Passwords
A website that gives advice on privacy regulation compliance has fixed a security issue that was exposing MySQL database settings — including passwords — to anyone on the internet. The website, GDPR.EU, is an advice site for organizations that are struggling to comply with the General Data...
Eight Common OT / Industrial Firewall Mistakes
Most industrial sites deploy firewalls as the first line of defense for their Operations Technology OT / industrial networks. However, configuring and managing these firewalls is a complex undertaking. Configuration and other mistakes are easy to make. This article explores eight common mistakes...
Valve Confirms CS:GO, Team Fortress 2 Source-Code Leak
The discovery of leaked source code for two popular games – Counter-Strike: Global Offensive CS:GO and Team Fortress 2 – has led to security concerns and even calls for gamers to uninstall the software from their computers. The developer and publisher of the two games, Valve, is downplaying the...
Millions of Guests Impacted in Marriott Data Breach, Again
For the second time in two years, the Marriott hotel empire has suffered a major data breach. This time, approximately 5.2 million guests have been affected. The attack was carried out via third-party software that Marriott’s hotel properties use to provide guest services, according to an online...
Hackers Actively Exploit 0-Day in CCTV Camera Hardware
Multiple zero-day vulnerabilities were actively being exploited in CCTV security cameras manufactured by Taiwan-based LILIN, researchers found. The company, an IP video solution provider, was being targeted by hackers hijacking the company’s DVR hardware. Once commandeered, hackers then planted...
Microsoft Offers Rewards of Up to $20,000 in New Xbox Bug Bounty Program
Microsoft is offering rewards of up to $20,000 for finding vulnerabilities in its Xbox gaming platform through its latest bug bounty program unveiled this week. The Xbox Bounty Program is open to gamers, security researchers and basically anyone who can help the tech giant identify security...
Pwn2Own Miami Contestants Haul in $180K for Hacking ICS Equipment
The very first Pwn2Own hacking competition that exclusively focuses on the industrial control systems ICS has kicked off in Miami. So far, a total of $180,000 has been awarded for pwning five different products. The contest hosts at Trend Micro’s Zero Day initiative ZDI have allocated more than...
Oil-and-Gas APT Pivots to U.S. Power Plants.
A known APT group with ties to the Iran-linked APT33, dubbed Magnallium, has expanded its targeting from the global oil-and-gas industry to specifically include electric companies in North America. That’s according to a report from Dragos, released Thursday, which noted that the discovery is part...
Magecart Group Targets Routers Behind Public Wi-Fi Networks
A faction of the Magecart threat group is testing code that targets routers used to provide free or paid Wi-Fi services in public spaces and hotels. If successful, attackers would able to compromise these commercial-grade routers and be able to siphon payment data of users joining Wi-Fi networks ...
198 Million Car-Buyer Records Exposed Online for All to See
Over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, has been found exposed on the internet for anyone to see. The non-password protected Elasticsearch database belonged to Dealer...
MSP or System Integrator? Add Incident Response to Your Portfolio at No Cost
As breaches and cyberattacks grow in a steady upward trajectory, organizations are increasingly looking for ways to protect their assets, outsourcing critical Incident Response IR services to third-party providers. Cynet is now providing its IR services at no cost in a market-first offering which...
Mass Spoofing Campaign Abuses Walmart Brand
An ongoing domain name spoofing campaign is taking aim at retail giant Walmart and other big fish, with more than 540 malicious domains being used to harvest consumer information. The scam domains are mimicking legitimate sites in name and appearance, in hopes of fooling visitors into entering...
Chrome 76 Dumps Default Adobe Flash Player Support
Google has launched the latest iteration of the Chrome browser for Windows, Mac and Linux, which blocks Adobe Flash Player default support and comes with more than 40 security fixes. Though plans to deprecate Adobe Flash in Chrome have been brewing for years, Chrome 76 takes an official first ste...
1,300 Popular Android Apps Access Data Without Proper Permissions
Over 1,300 popular Android apps defy user permissions and gather sensitive data with no consent, according to a study by a coalition of academics from the International Computer Science Institute. The report examined popular mobile apps available through the U.S. version of the Google Play store,...
Millions of Golfers Land in Privacy Hazard After Cloud Misconfig
Finding cloud databases with sensitive information left open to the internet has become par for the course these days – as a new exposure of millions of sensitive data points for the users of a golf app demonstrates. Millions of golfer records from the Game Golf app, including GPS details from...
Twitter Leaks Apple iOS Users' Location Data to Ad Partner
Twitter has disclosed a security bug in its platform that it said inadvertently leaked iOS users’ location data. The Twitter for iOS bug leaked location data at the ZIP code or city level, according to the social media company’s announcement on Monday. Twitter stressed that it has fixed the bug,...
Podcast: Chris Vickery on UpGuard's Discovery of Millions of Facebook Records
Data collection and security was thrust to the forefront this week after researchers with UpGuard disclosed that hundreds of millions of Facebook records were found in two separate publicly-exposed app datasets. The two publicly-exposed datasets included one controlled by Mexican media company...
Google Gives Users More Choice with Location-Tracking Apps
Anyone who uses a mobile app knows how convenient the features that use location data can be, from getting turn-by-turn directions and finding nearby restaurants to fitness-tracking and weather integration. But these rich mobile “experiences” – as app developers call them – can be a double-edged...
RSA Conference 2019: Firms Continue to Fail at IoT Security
SAN FRANCISCO – Low prices and firms racing products to market are two of the biggest factors when it comes to why Internet of Things devices are not getting the type of security do diligence they deserve. According to Checkmarx researcher Erez Yalon, despite years of the infosec community soundi...
When Cyberattacks Pack a Physical Punch
More than one in 10 data breaches now involve “physical actions,” according to a recent report. These include leveraging physical devices to aid an attack, but also hacks that involve breaking into hardware and remote attacks on physical infrastructure. The stat underscores the realities of a...
Lenovo Watch X Riddled with Security Vulnerabilities
Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities. The budget $50 smartwatch was introduced in June 2018 and was initially praised for its design, features and...
U.S. Government Goes After North Korea's Joanap Botnet
The U.S. Justice Department is looking to retaliate against North Korea-linked hackers who have built up a massive global network of infected computers. The department announced on Wednesday that it would seek to map out the Joanap botnet, which has been built and controlled by North Korea-linked...
Adobe Patches Zero-Day Vulnerability in Flash Player
Adobe on Wednesday released several unscheduled fixes for Flash Player, including a critical vulnerability that it said is being exploited in the wild. The critical vulnerability, CVE-2018-15982, is a use-after-free flaw enabling arbitrary code-execution in Flash. “Adobe has released security...
Google Patches 11 Critical RCE Android Vulnerabilities
Remote code-execution RCE vulnerabilities dominated Google’s December Android Security Bulletin. The flaws are part of a total of 53 unique bugs patched by the Android security team, with a total number of 11 critical bugs – six of which are RCE flaws tied to the operating system’s Media Framewor...
Critical Flaws in Syringe Pump, Device Gateways Threaten Patient Safety
Two previously undocumented, critical vulnerabilities in widely deployed medical devices have sparked patient-safety and data-privacy concerns. Flaws in the Qualcomm Life Capsule Datacaptor Terminal Server and the Becton Dickinson BD Alaris TIVA Syringe Pump have been acknowledged by the vendors...
Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update
Microsoft patched 15 critical vulnerabilities this month as part of its March Patch Tuesday roundup of fixes. In all, the company issued 75 fixes, with 61 rated important. Products receiving the most urgent patches included Microsoft browsers and browser-related technologies such as the company’s...
Google Patches Critical 'Broadpwn' Bug in July Security Update
Google released a security patch Wednesday that addresses a critical vulnerability dubbed “Broadpwn” found in millions of Android devices that could allow remote attackers to execute code on targeted devices. The so-called Broadpwn bug is tied to a vulnerability in Broadcom’s BCM43xx family of Wi...
Adobe Patches Flash Zero Day Under Attack by APT Group
Adobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried out by a new APT group operating primarily against high-profile victims in Russia and Asia. Researchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against t...
GHOST glibc Linux Remote Code Execution Vulnerability
A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines. The issue stems from a heap-based buffer overflow found in the nsshostnamedigitsdots...
Bash Vulnerability Exploits Dropping DDoS Bots
A honeypot run by researchers at AlienVault Labs has snared two separate pieces of malware attempting to exploit the Bash vulnerability. One sample is a repurposed IRC bot written in Perl that is trying to build a botnet to be used in distributed denial of service attacks DDoS, said Jaime Blasco,...
Android Root Access Vulnerability Affecting Most Devices
A recently disclosed vulnerability in version 3.14.5 of the Linux kernel is also present in most versions of Android and could give attackers the ability to acquire root access on affected devices. Researchers at Lacoon Mobile Security are calling the bug “TowelRoot,” because it is the very same...
Microsoft Releases Free Threat Modeling Tool 2014
Threat modeling has been part of the security culture at Microsoft for the better part of a decade, an important piece of the Security Development Lifecycle that’s at the core of Trustworthy Computing. Today, Microsoft updated its free Threat Modeling Tool with a number of enhancements that bring...
IE 11 Stands Up to Pwn2Own Exploit Attempt
VANCOUVER – Successful exploits at the Pwn2Own contest get all the glitz, but the rarities are the exploits that fail. A group of four young South Korean hackers from ASRT, all of them well shy of their thirtieth birthdays, stood in proxy for Jung Hoon Lee. Lee was home fulfilling a military...