Cryptocurrency Wallet Hacks Spark Dustup
LEIPZIG, GERMANY – Hardware based cryptocurrency wallets may not be as secure as promised. That’s the judgement of Dmitry Nedospasov, Thomas Roth and Josh Datko who together presented their research at a session here at the 35c3 conference called “wallet.fail.” In the talk the researchers...
How Facebook Tracks Non-Users via Android Apps
LEIPZIG, GERMANY – If you quit Facebook or never joined because of its data collecting practices the odds are good the social network is still tracking you – despite your protest. Facebook collects data of non-users of its social network via dozens of mainstream Android apps that send tracking an...
‘Snowden Refugee’ Has No Regrets for Helping Whistleblower
LEIPZIG, GERMANY – Refugee families located in Hong Kong that helped shelter Edward Snowden in 2013 are under crushing pressure to cooperate with local authorities or face deportation to their countries of origin, where they face an uncertain fate. However, despite years of what their lawyer call...
First-Ever UEFI Rootkit Tied to Sednit APT
LEIPZIG, GERMANY – Researchers hunting cyber-espionage group Sednit (an APT also known as Sofacy, Fancy Bear and APT28) say they have discovered the first-ever instance of a rootkit targeting the Windows Unified Extensible Firmware Interface (UEFI) in successful attacks. The discussion of Sednit was...
Guardzilla Home Cameras Open to Anyone Wanting to Watch Their Footage
Another day, another internet of things (IoT) issue: A design flaw in the Guardzilla home video surveillance system has been discovered that allows users to watch other homeowners’ Guardzilla videos. The Guardzilla All-In-One Video Security System is a home security platform that provides indoor...
Hijacking Online Accounts Via Hacked Voicemail Systems
LEIPZIG, GERMANY – Voicemail systems are vulnerable to compromise via brute-force attacks against the four-digit personal identification numbers (PINs) that protect them. Researchers say a malicious user can thus access the voicemail system to then take over online accounts for services like...
35C3 Day One: Security, Art and Hacking
LEIPZIG, GERMANY – Europe’s largest hacker conference kicked off Thursday marking the 35th Chaos Communication Congress. The confab is a four-day, 24/7 celebration of everything hacker – from the latest threats to cyber-inspired art installations and discussions on how technology impacts ethics,...
FTC Warns of Netflix Phishing Scam Making Rounds
The Federal Trade Commission (FTC) is warning of a new phishing scam reeling in Netflix customers and stealing their payment information. According to a post published by the FTC, Wednesday, the spotted scam purports to be an email from Netflix. The email claims that the victim’s account was put on...
19K Orange Livebox Modems Open to Attack
A flaw in Orange Livebox ADSL modems allows remote, unauthenticated users to obtain the device’s SSID and WiFi password with a simple GET request. Troy Mursch at Bad Packets said that the company’s honeypots observed a GET request scan right before Christmas targeting the modems, which are used t...
Top 2018 Security and Privacy Stories
It was only three days into 2018 when one of the year’s biggest security stories broke about the Meltdown and Spectre flaws in modern microprocessors. From there, the calendar filled quickly with both privacy and security SNAFUs. While some of the year’s privacy and security missteps were just a...
2019: The Year Ahead in Cybersecurity
2018 may have been filled with cybersecurity incidents, but the infosec community is gearing up for what the New Year will bring. From emerging cyber-threat attack surfaces, new APT groups, and more regulations around data privacy, 2019 is set to be another big year in the cybersecurity space...
Critical Bug Patched in Schneider Electric Vehicle Charging Station
Schneider Electric is warning about a critical vulnerability in its EVLink Parking devices – a line of electric vehicle charging stations. The energy management and automation giant said the vulnerability is tied to a hard-coded credential bug that exists within the device that could enable...
San Diego School District Data Breach Hits 500k Students
A phishing attack against California’s San Diego Unified School District has led to hackers scooping up Social Security numbers and addresses of more than 500,000 students and staff. The district became aware of the breach Oct. 2018. The actual breach occurred between January 2001 and November...
2018: A Banner Year for Breaches
Where to start? In 2018 the mantra became “another day, another data breach.” As a result, consumers and researchers alike are feeling “breach fatigue” and getting a bit numb to the headline. But the reality is, cybercriminals are going after personal information, credit card info and passwords...
FBI Denies Service to 15 DDoS-for-Hire Sites, Charges Operators
The Justice Department has taken 15 internet domains associated with DDoS-for-hire services offline, and has filed charges against three defendants who allegedly ran them. DDoS for hire or DDoS-as-a-service operations make it simple for any layperson to carry out DDoS attacks, flooding targets wi...
Caribou Coffee, Bruegger’s Bagels Bitten by Breach
Hundreds of Caribou Coffee and Bruegger’s Bagels stores have been targeted in a point-of-sale (POS) system data breach that attempted to steal customers’ payment cards. Hackers gained unauthorized access to the company’s POS systems, exposing some customers’ data – including name and credit-card...
Huawei Router Flaw Leaks Default Credential Status
A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them. CVE-2018-7900 exists in the router panel and allows credentials information to leak – so attackers can simp...
U.S. Indicts Chinese Duo for Massive, Years-Long Spy Campaign
The Department of Justice on Thursday charged two Chinese hackers with stealing “hundreds of gigabytes” of data from more than 45 other governmental organizations and U.S.-based companies. This has potentially significant national security ramifications: Targets included the NASA Goddard Space...
Amazon Sends 1,700 Alexa Voice Recordings to a Random Person
UPDATE Amazon inadvertently sent 1,700 audio files containing recordings of Alexa interactions by a customer to a random person – and after a newspaper investigation exposed the snafu, characterized it as a “mishap” that came down to one employee’s mistake. In August, an Amazon customer in German...
Facebook Admits Giving Partners Access to Messages
UPDATE Facebook has admitted that it dealt several messaging partnerships with tech giants, giving them read, write and delete access for Facebook messages. The confirmation comes on the heels of a bombshell New York Times article, Tuesday, which leveraged internal documents to show that Facebook...
Microsoft IE Zero Day Gets Emergency Patch
Microsoft patched a zero-day vulnerability in its Internet Explorer browser that is actively being exploited by attackers. The bug, reported by Google, is a remote code execution vulnerability that allowed attackers to infiltrate vulnerable systems via a booby trapped website that could have...
Facebook’s Rough History of Failed User Revolts
Outraged over the latest Facebook privacy flap, half of users polled Tuesday promise to un-friend the social network. We have heard this refrain before. It seems almost weekly now some new dirt about the social media giant’s misuse of consumer data is revealed. Recently, there was the collection ...
Patched Click2Gov Flaw Still Afflicting Local Govs
A vulnerability in a popular municipality payment software, Click2Gov, has left hundreds of thousands of civilian payment cards compromised – and the hacks are ongoing, a new report found. Continual breaches of the vulnerable software have led to the compromise of at least 294,929 payment cards...
Hackers Succeed in NASA Mission, Lifting Thousands of Employee Records
NASA has become the latest victim of a breach, but it’s unlikely that sensitive space mission data was impacted. In an internal memo sent to employees, NASA admitted that it was hacked by an unauthorized intruder in October, and that personally identifiable information for thousands of employees...
Threatpost Poll: Do You Hate Facebook?
Facebook is under fire again after a bombshell report went live, claiming it has had broad data-sharing arrangements with Amazon, Apple, Netflix and others for years. We’re wondering if this changes how you use Facebook in your everyday life. An exhaustive investigation in the New York Times on...
Facebook Fights Back on Secret Data-Sharing Partnerships
UPDATE Facebook is hitting back after a new report on Tuesday said that the company struck broad data-sharing partnerships with more than 150 companies, including Apple, Amazon and Netflix, exempting them from its normal data privacy terms and conditions. An exhaustive investigation in the New Yo...
Sofacy Russia-Linked APT Debuts Fresh Zebrocy Variant
The Zebrocy trojan – a custom downloader malware used by Russia-linked APT Sofacy (a.k.a. APT28, Fancy Bear or Sednit) – has a new variant. While it’s functionally much the same as its other versions, the new code was written using the Go programming language. The similarities between the new paylo...
WordPress Targeted with Clever SEO Injection Malware
A clever malware built for SEO injection – where a black hat loads up a webpage with spammy links, redirects and ad keywords, unbeknownst to the site owner – has been seen evading detection with an innovative approach that involves appending itself in an unusual place in the back-end code of a...
Hidden Code in Memes Instruct Malware via Twitter
Remember when memes were little more than satirical images overlaid with text? Not anymore. Researchers have identified a new type of malware that receives instructions via hidden code embedded in memes posted to Twitter. According to researchers, the meme-driven malware is nothing more than a...
WSJ Webpage Defaced to Support PewDiePie
UPDATE A webpage owned by the Wall Street Journal was hacked on Monday, in an attempt to promote YouTube celebrity “PewDiePie.” The incident comes on the heels of a separate hack relating to the Swedish YouTuber, comedian and video game commentator, whose given name is Felix Kjellberg. Over the...
Newsmaker Interview: Troy Mursch on Top Botnet Trends
Botnet activity saw a healthy amount of dynamism in 2018. There were new types of devices being targeted, such as carrier-grade MikroTik hardware; and, there was also a host of new types of criminal activity surfacing making the point that botnets aren’t just for DDoS anymore. New types of...
U.S. Ballistic Missile Defense System Rife with Security Holes
The classified networks in the facilities where ballistic missile defense system technical information is housed are vulnerable to a raft of internal and external cyber-threats, according to the Department of Defense Inspector General. In a heavily redacted report issued last week, the DoD issued...
Twitter Draws Data Privacy Concerns with Two New Bugs
Two recently-patched flaws in Twitter’s platform have reignited concerns about user data-privacy issues. On Monday, the social-media giant revealed a hole that accidentally enabled bad actors to pull the country codes of accounts’ phone numbers – and revealed that several IP addresses located in...
Automotive Security: It’s More Than Just What’s Under The Hood
It’s a cool Saturday evening as I head out for a night on the town with my wife and some friends. We’re in a late model German made vehicle driving – below the speed limit – as we drive onto the open road. While focusing on the road I notice a strange effect happening to the radio as I accelerate...
Charming Kitten Iranian Espionage Campaign Thwarts 2FA
A range of political and civil society targets are under fire in an APT attack dubbed the Return of Charming Kitten. The campaign has been tailored to get around two-factor authentication in order to compromise email accounts and start monitoring communications. According to researchers at Certfa...
PewDiePie Hackers Say They Launched Second Printer Siege
UPDATE Hackers have claimed that they launched yet another attack tricking hundreds of thousands of printers globally to print pamphlets promoting YouTube celebrity “PewDiePie.” The latest incident comes on the heels of a similar hack last month. That’s when hackers claimed they commandeered 50,0...
Electric Vehicle Charging Stations Open to IoT Attacks
UPDATE Given that creating proof-of-concept (PoC) cyberattacks for the Internet of Things (IoT) is essentially like shooting fish in a barrel these days, perhaps it’s not exactly surprising that a new niche category has proven to present a fresh attack surface: electric vehicle (EV) charging stations...
WordPress 5.0 Patched to Fix Serious Bugs
WordPress 5.0 users are being urged to update their CMS software to fix a number of serious bugs. The update (WordPress 5.0.1) addresses seven flaws and was issued Thursday, less than a week after WordPress 5.0 was released. The most serious of the flaws is a bug that allows the WordPress “user...
Facebook Flaw Exposes Private Photos for 6.8M Users
Facebook on Friday disclosed a bug in its platform that it said enabled third-party apps to access unpublished photos of 6.8 million users. Facebook stores copies of photo drafts, so if someone uploads the photo but doesn’t finish posting it, the photo will still be stored in the platform’s...
Logitech Keystroke Injection Flaw Went Unaddressed for Months
Computer peripheral giant Logitech has finally issued a patched version of its Logitech Options desktop app, after being taken to task for a months-old security flaw. The bug could have allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners that used the app...
Save the Children Federation Duped in $1M Scam
Hackers scammed the Save the Children Federation out of almost $1 million in a business email compromise (BEC) scam. Save the Children is a well-known U.S.-based non-profit group that offers charity services like fundraising and sponsorships. According to the company’s 2017 income tax returns,...
Bomb Threat Bitcoin Demands Cause Disruption, Evacuations
UPDATE What looks to be an alarming email scam is making the rounds, with extortionists asking for Bitcoin payment in return for not detonating a set of bombs. Multiple law-enforcement agencies in cities across the U.S. responded to calls from recipients on Thursday, concluding that the threats a...
Grammarly Launches Public Bug Bounty Program
Online AI-based communications tool Grammarly is taking its private bug bounty program public in hopes of finding and fixing more vulnerabilities in its software. The company has run a private bug bounty program – which currently has 1,500 participants – in conjunction with HackerOne for over a...
Secure Critical Infrastructure Top of Mind for U.S.
When it comes to cyber-threats and defense, the U.S. government says that critical infrastructure threats are a growing concern. Rob Joyce, senior advisor of cybersecurity strategy for the National Security Agency (NSA), said that while attacks targeting the systems that power the manufacturing,...
Google Beefs Up Android Key Security for Mobile Apps
Google is making a few tweaks to its tools for Android mobile developers to boost the security of their wares – an apropos announcement against the backdrop of recent security issues stemming from poor development practices. Cryptographical changes this week for Android Keystore give developers...
Shamoon Reappears, Poised for a New Wiper Attack
A new version of the Shamoon data-wiping malware has emerged, marking the third time the destructive virus has been seen in the wild – and researchers believe a new campaign may be imminent. First spotted in 2012 in the attack on Saudi Aramco, Shamoon has the ability to destroy files on infected...
Android Trojan Targets PayPal Users
Want to download an Android battery utility app from a third-party Android app store? What could possibly go wrong? Last month researchers downloaded a power management app called “Optimization Android” from an undisclosed third-party app store. What they found was instead of optimizing the phone...
ThreatList: Holiday Spam, the Perfect Seasonal Gift for Criminals
Maybe holiday cheer makes people less cynical. If so, that explains why social-engineering spam tactics prove to be more effective during the festive season. New research shows that spam campaigns disguised as delivery notifications or online shopping invoices, while always a favored tactic by...
Operation Sharpshooter Takes Aim at Global Critical Assets
Researchers have detected a widespread reconnaissance campaign using a never-before-seen implant framework to infiltrate global defense and critical infrastructure players — including nuclear, defense, energy and financial companies. The campaign, dubbed Operation Sharpshooter, began Oct. 25 when...
Super Micro Says Its Gear Wasn't Bugged By Chinese Spies
U.S.-based computing vendor Super Micro has issued the findings of an investigation that it says proves that its hardware was not bugged by the Chinese government. Super Micro, which specializes in green computing for data centers and cloud computing, enterprise IT, big data, high performance...