Privacy Experts: Facebook's $5B Fine Unlikely to Do Much
The $5 billion fine that the Federal Trade Commission has slapped on Facebook for privacy violations may be the largest ever levied by the agency, but it’s being derided as “chump change” and ineffective by lawmakers and privacy analysts. The settlement, reported Friday evening, stems from...
Turla APT Returns with New Malware, Anti-Censorship Angle
The Turla APT has revamped its arsenal in 2019, creating new weapons and tools for targeting government entities. It’s now using booby-trapped anti-internet censorship software as an initial infection vector, suggesting Turla is going after dissident or other civil-society targets. The...
Researcher Bypasses Instagram 2FA to Hack Any Account
A researcher earned a $30,000 bug bounty from Facebook after discovering a weakness in the Instagram mobile recovery process that would allow account takeover for any user, via mass brute-force campaigns. Independent researcher Laxman Muthiyah took a look at Instagram’s mobile recovery flow, whic...
Why Cities Are a Low-Hanging Fruit For Ransomware
Ransomware attacks against local governments and cities are repeatedly making headlines, with crippling results on city operations and budgets. Last month, the Florida city of Riviera Beach paid hackers $600,000 after being hit by a ransomware attack that downed its computer systems for three...
68% of Overwhelmed IT Managers Say They Can't Keep Up with Cyberattacks
IT managers feel overwhelmed by the volume of cyberattack attempts, with most of them admitting that successful hacks of their company networks are becoming the norm. That’s according to a research report The Impossible Puzzle of Cybersecurity, released Friday. In a survey of 3,100 IT managers...
Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub
Join vulnerability experts Michiel Prins, cofounder of HackerOne, and Greg Ose, GitHub’s application security engineering manager, as Threatpost editor Tom Spring moderates a discussion on the 15 most common vulnerability types. Registration Required Originally presented in March 2019, this webin...
Heather Mills Gets An Apology and 'Substantial' Settlement in Spyware Case
The 2010-2011 News of the World phone hacking scandal – in which it was revealed that the tabloid dropped malware on celebrity targets’ phones in order to gather dirt for news stories – is still playing out in court. The latest is a settlement for a “substantial” sum paid to Heather Mills and her...
Unusual Linux Ransomware Targets NAS Servers
A rare instance of ransomware targeting Linux-based file storage systems (network-attached storage servers, specifically) has been spotted, spreading via 15 separate but related campaigns. The adversaries behind the effort are continuing their depredations on an ongoing basis, according to...
Hacked Hair Straighteners Can Threaten Homes
Researchers have found a way to successfully hack connected hair straighteners to turn them on and increase the heating element up to its maximum temperature—causing a serious fire hazard for unsuspecting owners. Pen Test Partners decided to put the Glamoriser hair straightener through its securi...
Google Home Captures Porn and More, Unbeknownst to Users
Google Home smart speakers and the Google Assistant virtual assistant have been caught eavesdropping without permission — capturing and recording highly personal audio of domestic violence, confidential business calls — and even some users asking their smart speakers to play porn on their connect...
Apple Issues Silent Update Removing Zoom's Hidden Server
Apple has pushed a silent update to Mac users that removes a hidden web server from Zoom users’ machines. The Zoom web- and video-conferencing service has come under scrutiny for its handling of a zero-day bug (CVE-2019-13450) found by researcher Jonathan Leitschuh, which would allow an attacker to...
Apple Disables Walkie-Talkie App Due to Eavesdropping Flaw
Apple has temporarily disabled the Walkie-Talkie feature on the Apple Watch due to a vulnerability that could allow potential attackers to eavesdrop on iPhone calls, a TechCrunch report said. The Apple Watch Walkie-Talkie app allows users to converse with friends in real-time, without having...
Implementing Bug Bounty Programs: The Right and Wrong Approaches
While bug-bounty programs may seem like a cure-all solution for companies looking to discover vulnerabilities in their systems more efficiently, the fact remains that a program could overwhelm a firm’s internal security team and cause other major headaches if implemented the wrong way. “You have to...
Bug in Anesthesia Respirators Allows Cyber-Tampering
A vulnerability in GE Healthcare’s Aestiva and Aespire anesthesia devices would allow an unauthenticated cybercriminal on the same network as the device to modify gas composition parameters within the devices’ respirator function, thus changing sensor readings for gas density. According to GE...
Zoom Pushes Emergency Patch for Webcam Hijack Flaw
After facing public outcry over its handling of a zero-day vulnerability in its collaboration client for Mac, the Zoom web- and video-conferencing service has rushed out an emergency patch. The flaw, CVE-2019-13450, allows a malicious website to hijack a user’s web camera without their permission,...
Latest FinSpy Modules Lift Data from Secure Messaging Apps
The latest iOS and Android versions of the FinSpy espionage malware have been deployed in the wild, and are capable of collecting a raft of personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data – even from...
Agent Smith Malware Infects 25M Android Phones to Push Rogue Ads
Researchers are warning of a new breed of Android malware, dubbed “Agent Smith,” that they claim has infected 25 million handsets in order to replace legitimate apps with doppelgangers that display rogue ads. The malware is tied to a China-based firm, according to Check Point researchers, and is...
Intel Patches High-Severity Flaw in Processor Diagnostic Tool
Intel has patched a high-severity vulnerability in its processor diagnostic tool, which could allow local attackers to launch several malicious attacks on affected devices, such as escalation of privilege or denial of service. The Intel Processor Diagnostic tool is a free product that allows user...
Microsoft Patches A Pair of Zero-Days Under Active Attack
Microsoft has addressed 77 vulnerabilities in its July Patch Tuesday update, with 15 of them rated as critical and two known to be under active exploit; and Adobe issued a small group of updates, with surprisingly none for Acrobat Reader or Flash. Eleven of the critical bugs are for scripting...
1,300 Popular Android Apps Access Data Without Proper Permissions
Over 1,300 popular Android apps defy user permissions and gather sensitive data with no consent, according to a study by a coalition of academics from the International Computer Science Institute. The report examined popular mobile apps available through the U.S. version of the Google Play store,...
Marriott Hit With $123M Fine For Massive 2018 Data Breach
The U.K.’s privacy watchdog is hitting Marriott International with a $123 million (£99 million) penalty stemming from its 2018 data breach of more than 383 million guest records. The Tuesday fine is issued by the Information Commissioner’s Office (ICO) and comes only a day after the organization...
Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking
A zero-day vulnerability in the Zoom client for Mac allows a malicious website to hijack a user’s web camera without their permission. Up to 4 million workers that use the Zoom for Mac web- and videoconferencing service are at risk from a flaw in the collaboration client (CVE-2019-13450), according ...
Rapid Incident Response Now Available through Cynet’s Free IR Service Providers Offering
Organizations are increasingly outsourcing incident response situations to service providers. This is taking place across the spectrum – from cyber mature companies with highly staffed SOCs, to small operations with no dedicated security personnel. This keeps the IR providers busy, putting the on...
GE Aviation Passwords, Source Code Exposed in Open Jenkins Server
A public Jenkins server owned by GE Aviation has exposed source code, plaintext passwords, global system configuration details and private keys from the company’s internal commercial infrastructure. GE Aviation, a subsidiary of General Electric, is among the top commercial aircraft engine...
Rules-Based Policy Approaches Need to Go
Enterprises are making tremendous investments in their digital transformations, and no wonder: Increasingly, those who can more rapidly part from old, manual and antiquated ways of managing technology and shift to new ways of thinking will come out on top. That’s especially true when it comes to...
GoBotKR Targets Pirate Torrents to Build a DDoS Botnet
A botnet dubbed GoBotKR is targeting fans of Korean TV, compromising computers via pirated copies of South Korean movies, games and TV shows available via Korean and Chinese torrent sites. Ultimately, the cybercriminals are building a network that can then be used to perform DDoS attacks of vario...
Apple Patches iMessage Bug That Bricks iPhones with Out-of-Date Software
Apple patched a high-severity iMessage bug found by Google Project Zero that can be exploited by an attacker who sends a specially-crafted message to a vulnerable iOS device. Those iPhones receiving the malicious message are rendered inoperable, or bricked. Apple patched the bug with the release ...
Post-Data Breach, British Airways Slapped With Record $230M Fine
UPDATE: A record $230 million fine has been proposed against British Airways after a 2018 data breach impacted 500,000 of the airline’s customers. If approved, the fee would be the biggest General Data Protection Regulation (GDPR) fine to be issued to a company so far. On Monday, the Information...
Data Breach Lessons from the Trenches
In this webcast Threatpost editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. He shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against futu...
WordPress Plugin WP Statistics Patches XSS Flaw
WordPress plugin WP Statistics has patched a cross-site scripting (XSS) vulnerability that could allow for full website takeover, if the website is operating under certain non-default settings. WP Statistics gives website owners a tool to analyze site statistics, such as the number of visitors on t...
PGP Ecosystem Targeted in ‘Poisoning’ Attacks
A long-feared attack vector used against Pretty Good Privacy, the framework used to authenticate and keep email messages private, is being exploited for the first time. The attack, which takes aim at keyserver verification directories, makes it impossible for Pretty Good Privacy (PGP) to work...
Apple Transparency Report Now Includes App Store Takedown Requests
For the first time, Apple added to its transparency report the number of App Store takedown requests it has received from governments. The report, released Tuesday, also puts some hard numbers on how often law enforcement and governments request device and user data. App Takedown Requests: Apple’s...
Amazon Admits Alexa Voice Recordings Saved Indefinitely
Amazon has acknowledged that it retains the voice recordings and transcripts of customers’ interactions with its Alexa voice assistant indefinitely. The admission raises questions about how long companies should be able to save highly-personal data collected from voice assistant devices. After U....
Security Camera Firm Arlo Zaps High-Severity Bugs
Two high-severity vulnerabilities in Arlo Technologies’ wireless home security camera gear have been patched. The flaws, which indirectly impact Arlo’s popular fleet of wireless home security cameras, are limited to adversaries with local network and physical access to Arlo Base Stations. Both...
IBM Patches Critical, High-Severity Flaws in Spectrum Protect
IBM has disclosed critical and high-severity vulnerabilities in Spectrum Protect, Big Blue’s security tool under the umbrella of its Spectrum data storage software branding. The most severe of these flaws could cause a remote attacker to execute arbitrary code on impacted systems. Overall, IBM...
Google July Android Security Bulletin Fixes 3 Critical RCE Bugs
Google has released fixes for three critical remote code execution bugs in the media framework of its Android operating system. These flaws could allow a remote attacker to execute arbitrary code. The flaws are part of Google’s July Android Security Bulletin, which included fixes for 12 critical...
Mac Malware Pushed via Google Search Results, Masquerades as Flash Installer
Never-before-seen Mac malware, dubbed OSX/CrescentCore, has been discovered in the wild. The trojan, spotted on various websites masquerading as an Adobe Flash Player installer, drops malicious applications and browser extensions on victims’ systems when downloaded. OSX/CrescentCore is spread via...
Finding Beauty in the IT Architecture
I have a confession to make. I’m a sucker for good architecture. Visiting places like Singapore, London, Rome, Buenos Aires, and New York City, I quickly find myself gravitating towards beautiful archways, spires, and even the voids used in designing some of the world’s most amazing buildings. I...
Facebook Removes Accounts Used to Infect Thousands With Malware
Facebook has shut down more than 30 accounts spreading malware through malicious links that purport to be news about the ongoing political situation in Libya. The campaign, ongoing since 2014, has infected tens of thousands of victims with remote access trojans (RATs), according to researchers. The...
Dating App Jack'd Fined After Leaking Users' Nude Pics
LGBTQ dating app Jack’d must cough up a $240,000 fine and “make substantial changes to improve security” on the heels of a security faux pas that leaked the private data – including nude photos – of thousands of its users. Jack’d is a popular location-based app that caters to gay and bisexual men...
New Dridex Variant Slips By Anti-Virus Detection
Researchers have spotted a variant of the Dridex banking trojan with new obfuscation capabilities that help it skirt anti-virus detection. While Dridex has been around since 2011, researchers told Threatpost Friday that they recently spotted phishing emails distributing a never-before-seen varian...
MongoDB Leak Exposed Millions of Medical Insurance Records
An online database belonging to insurance marketing website MedicareSupplement.com was found exposing more than 5 million records with personal information. MedicareSupplement.com is a U.S.-based marketing site that allows users to find supplemental medical insurance available in their area...
FDA Warns of Potentially Fatal Flaws in Medtronic Insulin Pumps
The Food and Drug Administration (FDA) has issued an emergency alert, warning that Medtronic MiniMed insulin pumps are vulnerable to potentially life-threatening cyberattacks. Specifically impacted are Medtronic’s MiniMed insulin pumps, the MiniMed 508 insulin pump and MiniMed Paradigm series insul...
Death of the VPN: Enterprise Security Needs New Foundations
Introduced to the market nearly two decades ago, enterprise VPN technology has been uniquely enduring. Most large organizations still employ a VPN solution, and many seem to rely on it unquestioningly to provide secure remote access. It’s a rarefied position for a tool that hasn’t fundamentally...
Smart Lock Turns Out to be Not So Smart, or Secure
Researchers are warning that a keyless smart door lock made by U-tec, called Ultraloq, could allow attackers to track down where the device is being used and easily pick the lock – either virtually or physically. Ultraloq is a Bluetooth fingerprint and touchscreen door lock sold for about $200. It...
Leaky Amazon S3 Buckets Expose Data of Netflix, TD Bank
Three publicly-accessible cloud storage buckets from data management company Attunity leaked more than a terabyte of data from its top Fortune 100 customers – including internal business documents, system passwords and sensitive employee information. Israel-based Attunity, which was acquired by Qlik...
Scammers Prey on Instagram Vanity and 'Verified Account' Status
UPDATE: A new Instagram phishing scam circulating the internet lures victims in with promises of exclusive “verified account” status – and then makes away with their personal information. The scam centers around Instagram’s labeling of verified accounts, which indicates that the account user is a...
New Microsoft Excel Attack Vector Surfaces
UPDATE: A feature in Microsoft Office’s Excel spreadsheet program called Power Query can be exploited to plant malware on remote systems. Researchers at Mimecast Threat Center say they have developed a proof-of-concept attack scenario and reported the vulnerability Thursday. The exploitable featur...
Thousands of IoT Devices Bricked By Silex Malware
A 14-year-old hacker used a new strain of malware this week to brick up to 4,000 insecure Internet of Things devices – before abruptly shutting down his command and control server. The malware, dubbed Silex, was first discovered by Larry Cashdollar, senior security intelligence response engineer ...
Google Announces DNS over HTTPS 'General Availability'
Google announced general availability of its Public DNS-over-HTTPS service Wednesday, based on the Internet Engineering Task Force’s RFC 8484 standard. The move is a culmination of three years of Google fine-tuning DNS over HTTPS, otherwise known as DoH. “Today we are announcing general...