New Way Found to Use Alexa, Google to 'Voice Phish' and Eavesdrop on Users
Researchers have found new ways that bad actors can exploit Alexa and Google Home smart speakers to spy on users. This time the hack not only includes eavesdropping, but also includes voice-phishing, or using people’s voice cues to determine passwords. The vulnerability lies in small apps created...
Microsoft Tackles Election Security with Bug Bounties
As the 2020 presidential election draws closer and primary season looms around the corner, Microsoft has launched a bug-bounty program specifically aimed at its ElectionGuard product, which the software giant has positioned as performing “end-to-end verification of elections.” ElectionGuard is a...
Execs Could Face Jail Time For Privacy Violations
A new data privacy bill threatens large tech firms, like Facebook, with tough penalties – including monetary fines and up to 20 years of jail time for executives – if they violate user privacy policies. The “Mind Your Own Business Act,” proposed by Sen. Ron Wyden (D-Ore.) on Thursday, gives the...
Major Airport Malware Attack Shines a Light on OT Security
A cryptomining infection managed to spread to half of all workstations at a major international airport in Europe – shining a spotlight on security for operational tech and IT convergence. Researchers at Cyberbit found the XMRig Monero mining malware, which was a known strain called “Playerz,” bu...
Four-Year-Old Critical Linux Wi-Fi Bug Allows System Compromise
A critical Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines. A fix has been proposed but has not yet been incorporated into the Linux kernel. The flaw CVE-2019-17666, which was classified as critical in severity, exists in the “rtlwifi” driver, whic...
Podcast: Insider Attacks May Soon Cost Less Than Malware-based Equivalent
As it becomes more difficult and expensive to infiltrate environments via malware, cybercriminals may start turning in the future to a more viable and less costly alternative: Insider threats. This podcast is brought to you by Code42. Threatpost talks to Tim Brown, vice president of security at...
Zappos Offers Users 10% Discount in 2012 Breach Settlement
Online retailer Zappos will give customers a 10 percent discount to its online store as settlement for a 2012 data breach that affected 24 million customers, while lawyers in the case will win $1.6 million in fees. The news shows customers once again getting the short end of the stick when it com...
Phorpiex Botnet Shifts Gears From Ransomware to Sextortion
A recent wide-scale campaign indicates that a decade-old botnet is shifting gears from distributing ransomware to delivering millions of sextortion threats to innocent recipients. Worse, researchers say that the botnet’s spam campaign can affect up to 27 million potential victims. The botnet,...
Hacking Back? BriansClub Dark Web Attack a Boon for Banks
UPDATE A Dark Web “carding store” called BriansClub, which specializes in selling stolen payment card information, has itself become a victim, with thieves making off with 26 million credit- and debit-card records. The site appears to be a target of roundabout “hacking back” by a competitor, who...
Trump Campaign Website Left Open to Email Server Hijack
A mistake made by website developers left an official re-election website for President Donald Trump open to attack. The error, impacting hundreds of other websites as well, is tied to a website development tool called Laravel, used to test sites before they go live. The tool, accidentally left...
Cisco Aironet Access Points Plagued By Critical, High-Severity Flaws
Cisco Systems has released a security update stomping out critical and high-severity flaws impacting its Aironet access points, which are entry-level wireless access points (APs) used by mid-size enterprises in their offices or small warehouses. It also issued a slew of additional patches addressin...
Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS
A pair of bugs in the Kubernetes open-source cloud container software can be “highly dangerous” under some Kubernetes configurations, according to researchers. The flaws, CVE-2019-16276 and CVE-2019-11253, have been patched in Kubernetes builds 1.14.8, 1.15.5 and 1.16.2. Exploitation of the first...
10 Steps for Ransomware Protection
Just the thought of ransomware is enough to keep CISOs and security teams up at night. Victims are caught in an awful choice between paying a ransom to a criminal who may or may not release their captured network and data, or potentially spending millions of dollars to remove the ransomware on...
Silent Librarian Retools Phishing Emails to Hook Student Credentials
Silent Librarian is targeting university students in full force with a revamped phishing campaign. The threat group, aiming to steal student login credentials, is using new tricks that bring more credibility to its phishing emails and help it avoid detection. The threat group also known as TA4...
.WAVs Hide Malware in Their Depths in Innovative Campaign
UPDATE Audio .WAV files are the latest hiding place for obfuscated malicious code; a campaign has been spotted in which malicious content was secretly woven throughout the file’s audio data. The embedded code consists of two different payloads: An XMRig/Monero CPU cryptominer and Metasploit code...
Docker Containers Riddled with Graboid Crypto-Worm
The Docker cloud containerization technology is the target for a just-discovered cryptojacking worm dubbed Graboid. According to researchers at Palo Alto’s Unit 42, the worm, which looks to mine the Monero cryptocurrency, has infected more than 2,000 unsecured Docker Engine Community Edition host...
Podcast: Departing Employees Could Mean Departing Data
With so many malicious adversaries trying to penetrate companies’ networks, companies are forgetting to watch out for a dangerous threat from within their own ranks – insider threats. Threatpost talks to Tim Bandos, vice president of cybersecurity at Digital Guardian, about the top types of insid...
New Presentation Template: Incident Response Reporting for Management
Every security professional knows it’s only a matter of time before their organization is breached. And even though most security-conscious organizations have implemented procedures and products to facilitate the incident response process, many security decision-makers find much more of a challen...
Cybercrime Tool Prices Bump Up in Dark Web Markets
Prices have been rising in the last two years for longstanding tools available on the Dark Web to help bad actors commit cyber attacks and fraud, alongside newer innovations that are emerging to bolster crimes like ransomware and SIM swapping, new research has found. Keeping track of these trends...
Galaxy S10 Fingerprint Sensor Thwarted With Screen Protector: Report
UPDATE Samsung has acknowledged that anyone can bypass the Galaxy S10 fingerprint sensor using a third-party case after a woman alleged that a $3 smartphone screen protector allowed unauthorized users to dupe her Samsung Galaxy S10’s fingerprint recognition sensor – giving access to her phone and...
Unencrypted Mobile Traffic on Tor Network Leaks PII
Unencrypted, sensitive and confidential user data originating from millions of mobile devices is carried on the Tor network every day. Now researchers say they have devised a way to scoop up that data and create personal profiles for specific mobile users, that include GPS coordinates, web...
On-Board 'Mystery Boxes' Threaten Global Shipping Vessels
Commercial shipping environments are rife with vulnerabilities, according to researchers – up to and including unpatched “mystery boxes” that no one knows anything about. “In every single nautical pen test to date we have unearthed a system or device, that of the few crew that were aware, no one...
Fake iOS Jailbreak Site Lures in Apple Users
Bad actors are taking advantage of a recently-disclosed iOS bug with a fake website claiming to give iPhone users the ability to jailbreak their phones. In reality, researchers warn, the site ultimately enables attackers to conduct click fraud. A jailbreak, a method to escape Apple’s limitations ...
Sudo Bug Opens Root Access on Linux Systems
A vulnerability in Sudo, a core command utility for Linux, could allow a user to execute commands as a root user even if that root access has been specifically disallowed. Sudo is a utility that allows a system administrator to give certain users or groups of users the ability to run commands in...
Pitney Bowes Hit with Ransomware Attack
Shipping services company Pitney Bowes was hit with a ransomware attack that disrupted customer access to key services, the company said Monday. The attack comes on the heels of an FBI advisory on Oct. 2 that U.S. companies should be on alert for ransomware attacks, which are increasing in...
A Deepfake Deep Dive into the Murky World of Digital Imitation
About a year ago, top deepfake artist Hao Li came to a disturbing realization: Deepfakes, i.e. the technique of human-image synthesis based on artificial intelligence (AI) to create fake content, is rapidly evolving. In fact, Li believes that in as soon as six months, deepfake videos will be...
Apple Shares Some Browsing History with Chinese Company
Apple is sending some browsing history of iOS 13 Safari users to Tencent Holdings Limited, a Chinese multinational conglomerate. The data shared is tied to the Safari Safe Browsing technology. Revelations of the relationship have drawn criticism from security and privacy experts. Apple’s Safari...
Software, Supply-Chain Dangers Top List of 5G Cyber Risks
The proliferation of software within 5G networks is one of the top security challenges facing the next generation of mobile networks, according to a report out this week from the European Union. 5G networks are fundamentally different than prior wireless networks in that they are largely...
Imperva: Data Breach Caused by Amazon Cloud Misconfiguration
Imperva, the security vendor, said this week that a misconfiguration of an Amazon Web Services (AWS) cloud instance allowed hackers to exfiltrate information on customers using its Cloud Web Application Firewall (WAF) product. Formerly known as Incapsula, the Cloud WAF analyzes requests coming into...
Fin7 Cybergang Retools With New Malicious Code
The Fin7 cybercrime group has ramped up its offensive capabilities by adding new malicious code to its malware arsenal. Researchers said that this is evidence that Fin7 is still a growing threat despite the arrest of several Fin7 members in 2018. The notorious group has adopted a new dropper samp...
Iran-Linked 'Charming Kitten' Touts New Spearphishing Tactics
An Iran-linked advanced persistent threat (APT) group tied to attacks on President Trump’s 2020 re-election campaign has added new spearphishing techniques to its arsenal in an apparent ramp-up in operations. Charming Kitten—which goes by a number of names, including APT35, Ajax Security Team,...
vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach
Hackers have stolen the account details of 250,000 users of Dutch sex-work forum Hookers.nl – including email addresses of both escorts and customers. The website provides a forum for escorts and customers to discuss sex work — including clients discussing their experiences with sex workers. A...
Cryptomining Crook Steals Game Developer’s Identity to Carry Out Dirty Work
A 29-year-old cybercriminal assumed the guise of a prominent California video-game developer and eSports tournament organizer to throw authorities off his cryptomining track, according to an indictment unsealed on Wednesday. Matthew Ho, a citizen of Singapore, allegedly used the developer’s stole...
Sophisticated Spy Kit Targets Russians with Rare GSM Plugin
A sophisticated cyberespionage platform called Attor has come to light, sporting an unusual capability for fingerprinting mobile devices as part of its attacks on government and diplomatic victims. According to researchers at ESET, Attor, which has flown under the radar since at least 2013, also...
China's Sway Over Tech Companies Tested with Apple, Blizzard
At least two American tech companies, Apple and gaming giant Blizzard, have come under fire – from different quarters – for wading into waters surrounding the Hong Kong protests that have been ongoing since June. The situation is shaping up to be a test for the American tech sector’s commitment t...
Apple iTunes Bug Actively Exploited in BitPaymer/iEncrypt Campaign
Bad actors are actively targeting a vulnerability in the Windows version of Apple iTunes to deliver BitPaymer/iEncrypt ransomware. It’s a new attack pattern that is difficult to detect, security researchers revealed Thursday. Researchers from Morphisec Labs in August identified the abuse of the...
CISO and Security Vendor Relationships are Good for a Laugh in New Comic Videos
It’s not easy being a CISO. One could say “intense” might be the perfect descriptor for the CISO work environment. Tasked with the unenviable job of keeping the organization safe, carrying the burden of failed protection and taking hits for successful breaches, CISOs can never rest. They are...
HP Touchpoint Analytics Opens PCs to Code Execution Attack
A security flaw, discovered in an open-source software program that is a key component of HP’s TouchPoint Analytics service, is opening up a wide swath of HP computers to attack. The vulnerability, if exploited by local attackers with administrative privileges, can allow them to execute arbitrary...
Gamers Warned of High-Severity Intel, Nvidia Flaws
Chip giants Intel and Nvidia have stomped out high-severity flaws in two popular products, both commonly used by gamers. Impacted are the Nvidia Shield TV and Intel NUC (short for Next Unit of Computing) mini-PC kit. Nvidia Shield TV is a media streaming box powered by Nvidia’s Tegra X1...
Most Americans Fail Cybersecurity Quiz
When it comes to two-factor authentication and secure web browsing, most Americans don’t know their HTTPS from their 2FA to save their digital bacon: A Pew Research Center study found most Americans don’t have a firm grasp of cybersecurity issues core to protecting their data. I...
Privacy Groups: Ring's Police Partnerships Can Lead to Sinister Ends
More than 30 privacy and consumer advocacy groups are urging local legislators to intervene in doorbell-camera company Ring’s partnerships with law enforcement. In 2018, Amazon-owned Ring announced that it was starting a “new neighborhood watch” effort, to allow homeowners to provide voluntary...
Podcast: Vendors, Suppliers, Partners – Oh My! Who Will Increase Your Risk of Account Takeover?
Your users’ login credentials are available for sale on the criminal underground — and criminals know it. For the third year running, the 2019 Verizon Data Breach Report calls out the use of weak and stolen credentials as the most common hacking tactic. This podcast is sponsored by SpyCloud. The...
Twitter Uses Phone Numbers, Emails to Sell Ads
Twitter has acknowledged that user phone numbers and email addresses gathered for security purposes, as part of its two-factor authentication policy, may have been used to sell ads. It calls the move an accident. The revelation is being widely criticized for its obvious breach of user privacy,...
Intimate Details on Healthcare Workers Exposed as Cloud Security Lags
Yet another non-password protected cloud database has come to light, this time exposing a raft of highly personal information on healthcare workers and traveling nurses – including drug tests and arrest records. The incident showcases the unfortunate reality that cloud data security remains a...
Critical Microsoft Remote Desktop Flaw Fixed in Security Update
Microsoft released patches for nine critical vulnerabilities as part of its October Patch Tuesday security update, including one for a Remote Desktop bug that could allow a remote attacker to execute code on victims’ machines. Overall, Microsoft issued fixes for 59 vulnerabilities – including nin...
Apple Tackles Over a Dozen Bugs in its Catalina 10.15 Update
Apple wasted little time snuffing out bugs in its macOS Catalina operating system. On Tuesday, Apple rolled out 16 patches addressing a wide range of Catalina bugs in components such as CoreAudio, IOGraphics and WebKit. The security fixes are exclusively for macOS 10.15; so pre-Catalina releases ...
Sextortionists Get Past Defenses with Cryptocurrency Shift
A sextortion campaign is making the rounds that attempts to evade detection by demanding payment in cryptocurrencies other than Bitcoin. Sextortion operators typically send emails out claiming to have harvested webcam footage or browser histories related to adult content from the recipient’s...
Google October Android Security Update Fixes Critical RCE Flaws
UPDATE Google has released fixes for three critical-severity vulnerabilities in the Media framework of its Android operating system, which if exploited could allow a remote attacker to execute code. The remote code execution (RCE) flaws are part of Google’s October 2019 Android Security Bulletin,...
APT Groups Exploiting Flaws in Unpatched VPNs, Officials Warn
State-sponsored advanced persistent threat (APT) groups are using flaws in outdated VPN technologies from Palo Alto Networks, Fortinet and Pulse Secure to carry out cyber attacks on targets in the United States and overseas, warned U.S. and U.K. officials. The National Security Agency (NSA) issued a...
California Bans Deepfakes in Elections, Porn
California has passed a law that bans the use of deepfake technology in political speech, and for non-consensual use in adult content. Deepfakes are a manipulation of images and recordings, created by artificial intelligence technology, that make it appear as if an individual is doing or saying...