Cisco Accidentally Released Dirty CoW Exploit Code in Software
Cisco Systems revealed in a security bulletin Wednesday that it “inadvertently” shipped in-house exploit code that was used in security tests of scripts as part of its TelePresence Video Communication Server and Expressway Series software. The code exploits the Dirty Cow vulnerability...
'DerpTroll' Faces 10 Years in Prison for DDoSing Gaming Sites as a Teen
After a short but disruptive career knocking popular online gaming sites offline for sport, Austin Thompson, a.k.a. “DerpTroll,” has pleaded guilty to hacking charges. He faces a maximum penalty of 10 years prison and a $250,000 fine. Thompson, a 23-year-old Utah resident, made his plea on Tuesda...
DJI Patches Forum Bug That Allowed Drone Account Takeovers
Leading commercial drone maker DJI patched a cross-site scripting bug impacting its forums that could have allowed a hacker to hijack user accounts and gain access to sensitive online data, ranging from flight images, bank card data, flight records and even real time camera images. The...
Podcast: Troy Hunt Talks Bad Passwords – and Who’s to Blame for Them
With credential-stuffing making headlines when it comes to certain data breaches – including the recent HSBC breach reported earlier this week – the security community has continued to ponder an age-old question: Who is responsible for effective password hygiene and security measures? The account...
Apple Modernizes Its Hardware Security with T2
When Apple launched its latest MacBook Air last month, one of its more unusual features is that the built-in microphone automatically turns off when the lid is closed. Apple introduced the feature to eliminate any possibility of malware – or other unwanted applications – using the laptop’s...
Program Looks to Tap Military Vets for Cyber-Jobs
Cisco Talos, NetApp and Maryland’s state government announced an initiative to help military veterans in that state transition into civilian positions in cybersecurity. The hope is that it will address twin goals: To help the hundreds of thousands of discharged veterans flowing into the workplace...
WordPress Flaw Opens Millions of WooCommerce Shops to Takeover
Up to 4 million online merchants who use the popular WooCommerce WordPress plugin are vulnerable to a file deletion vulnerability that could allow a rogue “shop manager” to escalate privileges and eventually execute remote code on impacted websites. Researchers at RIPS Technologies trace the bug ...
Rapidly Growing Router Botnet Takes Advantage of 5-Year-Old Flaw
A fresh botnet is spreading across the landscape, targeting router equipment. So far, hundreds of thousands of bot endpoints have already been identified, and they’re apparently being marshaled to send out massive amounts of spam. The botnet first emerged in September, according to 360Netlab...
HSBC Data Breach Hits Online Banking Customers
International banking giant HSBC has reported that it was breached in October, as a result of a credential-stuffing attack. In a notice (PDF) filed with the state of California, the bank said that it became aware of some online accounts being accessed by unauthorized users between October 4 and 14...
ThreatList: Despite Fraud Awareness, Password Reuse Persists for Half of U.S. Consumers
As National Fraud Day approaches Nov. 11, it remains clear that more consumer education is required when it comes to thwarting scammers and identity thieves. Despite almost half of U.S. consumers (49 percent) believing their security habits make them vulnerable to information fraud or identity thef...
Samsung, Crucial’s Flawed Storage Drive Encryption Leaves Data Exposed
Self-encrypting solid-state storage drives from Samsung and Crucial are open to tampering that would allow an attacker with physical access to harvest their data without knowing the user’s password, researchers have discovered. Researchers at Radboud University in the Netherlands found that it’s...
U.S. Elections True Test for Facebook’s Disinformation Crackdown
As the U.S. midterm elections commence on Tuesday, all eyes are on Facebook and other social-media companies to see how they continue to crack down on misinformation and other political meddling efforts on their platforms. Facebook for its part on Monday evening said it has barred an additional 1...
Apache Struts Warns Users of Two-Year-Old Vulnerability
The Apache Software Foundation warned in an advisory that the latest version of the Commons FileUpload library is susceptible to a two-year-old remote code execution flaw. Users of the vulnerable library must update their projects manually. The critical bug in Commons FileUpload library is a know...
Online Radio Stations at Risk from Icecast Flaw
A vulnerability in Icecast, an open-source streaming media server used by online radio stations to broadcast their content, could be used to knock a station off-air. It also could potentially allow remote code-execution. Icecast is maintained by the Xiph.org Foundation, and it supports tens of...
Newsmaker Interview: Tom Kellermann on Hacking the Midterm Elections
Midterm elections are being held across the country Tuesday, which means millions will be paying close attention to wins and losses. But, for cybersecurity experts such as Tom Kellermann, the focus will be on voting irregularities. Kellermann is chief cybersecurity officer for Carb...
PortSmash Side Channel Attack Siphons Data From Intel, Other CPUs
Yet another side-channel attack, this time dubbed PortSmash, has been discovered in CPUs. The attack allows attackers to manipulate a glitch in the simultaneous multithreading (SMT) architecture used in CPUs, and siphon processed data from chips. Several attacks have popped up over the past year...
Passwords: Here to Stay, Despite Smart Alternatives?
The lowly password is much-maligned as being the weakest link in any company’s security defenses. That’s for good reason: It’s a fact that password reuse, a lack of strong passwords, a failure to change them on a regular basis and other human errors plague the efficacy of this de facto standard f...
Facebook Blames Malicious Extensions in Breach of 81K Private Messages
Hackers have published what they claim are private messages from at least 81,000 Facebook accounts – and they say the trove contains a fraction of the details they have from a larger cadre of 120 million accounts. In an English-language Dark Web advertisement now taken down, the perpetrators...
Cisco Security Appliance Zero-Day Found Actively Exploited in the Wild
Attackers are actively exploiting a zero-day vulnerability in certain Cisco security products, to cause a denial-of-service (DoS) condition. The as-yet-unpatched flaw (CVE-2018-15454) has an 8.6 CVSS score and is rated high-severity. It exists in the Session Initiation Protocol (SIP) inspection engine ...
ThreatList: Fewer Big DDoS Attacks in Q3, Overall Rate Holds Steady
When it comes to distributed denial of service (DDoS) attacks, the third quarter of 2018 marked an apparent lull in the action, with fewer huge, multi-day attacks than in previous quarters. Researchers however warn against having a false sense of security: The total number of attacks in the quarter...
Yi IoT Home Camera Riddled with Code-Execution Vulnerabilities
Multiple vulnerabilities in the firmware used by the Yi Technology Home Camera version 27US have been found, which could allow remote code-execution on the connected devices. The Yi Home Camera i27US is one of the newer IoT camera models sold in the U.S. It’s an entry-level gadget, which lets...
GDPR’s First 150 Days Impact on the U.S.
Apple CEO Tim Cook publicly entered the data privacy fray earlier this month, praising the European Union’s General Data Protection Regulation (GDPR). At the International Conference of Data Protection and Privacy Commissioners (ICDPPC), Cook advocated for GDPR rules to have a far-reaching...
Utilities, Energy Sector Attacked Mainly Via IT, Not ICS
While industrial control systems (ICS) are the most talked-about when it comes to cyberattacks against energy and utilities firms, most attacks actually take aim at the enterprise IT networks used by these organizations, rather than critical infrastructure itself. The Vectra 2018 Spotlight Report o...
PoC Exploit Compromises Microsoft Live Accounts via Subdomain Hijacking
A proof-of-concept (PoC) attack details how an attacker can gain access to a victim’s Microsoft Live webmail session, without having the person’s credentials. It relies upon the hijack of a Microsoft-owned Live.com website subdomain. The PoC, developed by CyberInt, demonstrates what it characterizes a...
Two Zero-Day Bugs Open Millions of Wireless Access Points to Attack
UPDATE: Two zero-day vulnerabilities in Bluetooth Low-Energy chips made by Texas Instruments and used in millions of wireless access points open corporate networks to crippling stealth attacks. Adversaries can exploit the bugs by simply being approximately 100 to 300 feet from the vulnerable...
Apple Fixes Multiple macOS, iOS Bugs Including a Quirky FaceTime Bug
UPDATE: Apple tackled a bevy of vulnerabilities across all its platforms Tuesday, including one that allowed a remote attacker to initiate a FaceTime call by exploiting a bug in some model iPhones, iPads, and iPad Air devices. The wide-ranging security fixes came on the same day Apple announced a...
Kraken Ransomware Upgrades Distribution with RaaS Model
The Kraken ransomware author has released a second version of the malicious code, along with a unique affiliate program on the Dark Web. According to research into Kraken v.2, the new version is being promoted in a ransomware-as-a-service (RaaS) model to underground forum customers, via a video...
Square, PayPal POS Hardware Open to Multiple Attack Vectors
Mobile point-of-sale (POS) terminals have revolutionized the retail space in many ways, with devices such as Square offering locations like mall kiosks, small coffee shops and roadside stands a handy and cost-effective way to accept credit cards. Unfortunately, more than half of leading mobile POS...
Google Updates reCAPTCHA: No More Boxes to Check
Google this week has rolled out its latest version of the reCAPTCHA mechanism, which is meant to weed out spam and abuse by robots on websites. It marks a dramatic departure from previous reCAPTCHA efforts by eliminating the need for visitors to take any extra steps in order to log onto a website...
ThreatList: Dead Web Apps Haunt 70 Percent of FT 500 Firms
A study of abandoned websites owned by leading global corporations hammers home the point that old web applications need to be properly mitigated or retired. Otherwise, these resources often haunt a firm long after they have been forgotten. Researchers at High-Tech Bridge used the Financial Times...
IoT Flaw Allows Hijacking of Connected Construction Cranes
A connected construction crane, from Telecrane, has a vulnerability that would allow cyberattackers to intercept its communications and take the equipment over. The internet of things (IoT) continues to add new types of objects to its footprint, as industries start leveraging connectivity to increa...
Girl Scouts Issues Data Breach Warning to 2,800 Members
The Orange County, Calif. branch of the Girl Scouts of America has been hacked, potentially exposing personal information for thousands of members. Rest assured though: The cookies are safe, even those of the computing type. According to a letter to members filed with the state (PDF), an...
Nation-State Phishing: A Country-Sized Catch
Thanks to the traditional role of phishing in widespread email scams, there is a general tendency to equate it with clearly fraudulent and obnoxiously implausible emails. While this misperception has not evolved, phishing campaigns have. Andrea Little Limbago Once a threat that went hand-in-hand...
X.Org Flaw Allows Privilege Escalation in Linux Systems
A local privilege-escalation and file-overwrite vulnerability in X.Org X server opens the door to trivial compromise in Linux systems that use the open-source software. The X server is a core graphics and windowing technology that can be found in most Linux and BSD distributions that use a...
ThreatList: 1 Out of 5 Would Ditch a Business After a Data Breach
About a fifth of Americans would ditch a business in the wake of a major data breach, new research has found. In a survey of 2,000 adult consumers across the United States by PCI Pal, almost half (44 percent) of them have personally suffered the negative consequences of a security breach or hack. S...
PoC Attack Leverages Microsoft Office and YouTube to Deliver Malware
A stealthy malware delivery tactic has been uncovered in the way videos are embedded into Microsoft Word Documents, according to researchers. It allows JavaScript code-execution when a user clicks on a weaponized YouTube video thumbnail within a Word document – with no alert message displayed by...
British Airways Data Breach Takes Off Again with 185K More Victims
British Airways said that the data breach it first reported in September is larger than previously thought. It has added an additional 185,000 victims to the official tally. The airline said that hackers may have stolen personal data connected to an additional 77,000 payment cards, including name...
DemonBot Fans DDoS Flames with Hadoop Enslavement
A Linux-based DDoS botnet dubbed DemonBot has been found enslaving Hadoop frameworks, using a vulnerability in Hadoop’s resource management tool to infect cloud servers with the botnet malware. Hadoop is a popular open-source framework, usually deployed in cloud environments, that organizations c...
UK Slaps Facebook with $645K Fine Over Cambridge Analytica Scandal
The UK has fined Facebook $645,000 over Cambridge Analytica’s data harvesting practices, which exploited the data of 87 million users of the social network. That represents a gnat bite for the tech giant, which generated $5.1 billion in net profit in the second quarter of the year. However, the...
Pentagon Expands Bug-Bounty Program to Include Physical Systems
The Department of Defense is expanding its “Hack the Pentagon” bug-bounty program to include hardware assets, tapping the Synack, HackerOne and Bugcrowd platforms to attract more white hats to the effort. The news comes two weeks after the Government Accountability Office (GAO) released a report...
Debunking AI’s Impact on the Cybersecurity Skills Gap
Artificial intelligence is the latest buzzword to take hold of the cybersecurity industry. It is being touted, among other things, as the ultimate solution to the cybersecurity skills gap. But just how accurate is this belief? Will AI be the cure to all of our cybersecurity ailments, as human...
Magecart Cybergang Targets 0days in Third-Party Magento Extensions
Criminals behind the Magecart gang have shifted tactics, and are now targeting nearly two dozen unpatched vulnerabilities found in third-party plugins used in the Magento e-commerce platform. Previously, the Magecart cybergang had focused on the core of Magento, using attack strategies such as...
Windows ‘Deletebug’ Zero-Day Allows Privilege Escalation, Destruction
A proof-of-concept exploit for a Windows zero-day that works on fully patched Windows 10 machines has been released by a security researcher. It allows an attacker to delete any kind of file on a victim machine, including system data. The flaw (no CVE has been assigned since it was just exposed on...
sLoad Banking Trojan Downloader Displays Sophisticated Recon and Targeting
A new PowerShell downloader dubbed sLoad is making the rounds, sporting impressive reconnaissance tactics and a penchant for geofencing, which indicate increasing sophistication when it comes to targeting efforts. First spotted in May 2018, sLoad typically delivers the Ramnit banking trojan but h...
ThreatList: Ransomware, EKs and Trojans lead the Way in Q3 Malware Trends
When it comes to malware activity, businesses took a big hit in the third quarter, with detection trending upward by a whopping 55 percent, according to new research. Consumers saw an uptick too, but only a modest one: volume was up just 4 percent quarter-over-quarter for this segment. Overall,...
City Pays $2K in Ransomware, Stirs ‘Never Pay’ Debate
The city of West Haven, Conn. made the hard choice to pay cyberattackers a $2,000 ransom after being hit with malware that ground their operations to a halt. West Haven said that its City Hall offices were the victim of a ransomware attack, which the U.S. Department of Homeland Security determine...
StrongPity APT Changes Tactics to Stay Stealthy
The APT group behind the sophisticated malware known as StrongPity (a.k.a. Promethium) has changed its tactics, after various research groups analyzed the malware and exposed its methods of deployment. The efforts have allowed the group to return to hidden status, even after being labeled a known...
ThreatList: 3 Out of 4 Employees Pose a Security Risk to Businesses
While much is always made of external hackers, insider threats remain a problem at more organizations. A full 75 percent of professionals pose a moderate or severe risk to their company’s data, according to a recent survey. MediaPRO’s third-annual State of Privacy and Security Awareness Report...
Adult Website Hack Exposes 1.2M ‘Wife Lover’ Fans
The database underlying an erotica site known as Wife Lovers has been hacked, making off with user information protected only by a simple-to-crack, outdated hashing technique known as the DEScrypt algorithm. Over the weekend, it came to light that Wife Lovers and seven sister sites, all similarly...
Thousands of Applications Vulnerable to RCE via jQuery File Upload
A widely used plugin by Blueimp called jQuery File Upload contains a years-old vulnerability that potentially places 7,800 different software applications at risk for compromise and remote code-execution (RCE). jQuery File Upload is a user-contributed open-source package for software developer...