Deceased Patient Data Being Sold on Dark Web
It is no shocker medical records are a prime target for cybercriminals. But less intuitive is the market for medical records of the deceased on the dark web. We took a closer look at the reason behind this strange trend. Here is what we found. First off, despite best efforts, stolen medical recor...
Newsmaker Interview: Scott Helme on Securing the Web
Scott Helme, the well-known security researcher, international speaker and the founder of the securityheaders.com and report-uri.com free tools for web security, has devoted himself to improving the security environment of the internet for the past decade. Threatpost sat down with Hel...
Fresh Spectre Variants Come to Light
Two new speculative execution bugs have earned researchers a $100,000 bug bounty from Intel. MIT’s Vladimir Kiriansky and independent researcher Carl Waldspurger uncovered what they call Spectre1.1 and a subset, Spectre1.2, collectively referred to as Variant 4 of Spectre by Intel and ARM. Like t...
Microsoft Fixes 17 Critical Bugs in July Patch Tuesday Release
UPDATE Browser vulnerabilities took center stage in Microsoft’s July Patch Tuesday security bulletin. In all, Microsoft patched 17 bugs rated critical, with ten tied to scripting engine flaws impacting Internet Explorer. In total, Microsoft is reporting 53 bugs: 17 critical, 34 rated important, o...
Adobe Issues Over 100 Patches for Flash, Acrobat and Reader
Adobe fixed a slew of critical vulnerabilities in its Flash Player and Acrobat products as part of its regularly scheduled update on Tuesday morning. Overall, the company issued 112 fixes for vulnerabilities in its products spanning from Flash Player (two bugs), Acrobat and Reader (104 bugs), and...
Researchers Reveal Workaround for Apple’s USB Restricted Mode
Just as Apple rolled out its new USB Restricted Mode security feature in an OS update, Monday, researchers said that they have already found a workaround. USB Restricted Mode, released as part of iOS 11.4.1, had removed an iPhone USB access feature, so that an hour after the iPhone has been locke...
Apple OS Update Lifts Curtain on iPhone USB Restricted Mode
Apple has officially added a controversial security feature, USB Restricted Mode, to iPhones as part of its new iOS 11.4.1, released on Monday. The feature removes the infamous iPhone USB access feature, blocking out hackers – but also potentially law enforcement – from accessing a locked phone’s...
How to Solve the Developer vs. Cybersecurity Team Battle
There is an ongoing tension between developers and security teams in many organizations. On one hand, developers face mounting pressure to build rich, feature-driven applications on nearly impossible timelines to remain competitive. On the other hand, security teams face rising pressures of their...
Polar Fitness App Exposes Location of ‘Spies’ and Military Personnel
Fitness device maker Polar Flow suspended an Explore tracking feature on its mobile app after researchers discovered profile and geolocation data of high-ranking military personnel and “spies” that were being exposed to the public on its network. In a report released by Dutch publication De...
ThreatList: Virtualization-related Bug Reports Jump 275 Percent in 2018
Zero Day Initiative said Monday that so far in 2018, it has published 600 advisories – up 33 percent from the 451 published in 2017, which was previously its “busiest year ever.” “Interestingly, we had fewer advisories released as 0-day this year,” the company said in its mid-year report on...
Timehop Breach Impacts Personal Data of 21 Million Users
The personal data of millions of Timehop customers has been compromised after a hacker gained access to its cloud-based backend computing environment. Timehop, a service that plugs into users’ social media platforms and shows them memories from the past, disclosed the data breach on Sunday. The...
Newsmaker Interview: Patrick Wardle Talks Apple Malware Flubs and Successes
Patrick Wardle is the chief research officer at Digita Security and founder of Mac security company Objective-See. For years, the self-described “surfer from Hawaii” has been one of the most prolific and respected Mac malware-hunters, uncovering vulnerabilities affecting the macOS platform as wel...
Old Malware Gives Criminals Tricky New Choice: Ransomware or Mining
An old ransomware sample has been rejiggered with a sneaky new trick – allowing adversaries to either extort money from victims via ransomware, or hijack a computer’s CPU cycles via a stealthy cryptominer. The Rakhni Trojan (Trojan-Ransom.Win32.Rakhni), first spotted in 2013, is now giving bad acto...
Google Patches Critical Remote Code Execution Bugs in Android OS
Google issued 44 patches for its Android operating system as part of its July Security Bulletin this week. Of those vulnerabilities, 11 were rated critical and the remainder were rated high in severity. The vulnerabilities varied from OS framework to Media framework bugs, including system and...
Keeping False Positives in Check
In 2017, seven out of ten organizations said their security risks increased significantly, according to a Ponemon Institute study. This is no surprise given that last year organizations suffered the largest ransomware outbreak in history (WannaCry) and vulnerabilities such as Meltdown and Spectre...
Newsmaker Interview: VDOO CEO Talks Top IoT Threats
IoT security is like a game of Whac-A-Mole. Fix one CVE and four new bugs pop up. Last month, researchers found a slew of vulnerabilities in Axis cameras that could enable an attacker to access camera video streams, control the camera, add it to a botnet or render it useless. Also in June, IP...
Year-Old Critical Vulnerabilities Patched in ISP Broadband Gear
Patches for three critical vulnerabilities impacting broadband gateways made by Advanced Digital Broadcast (ADB) have been released to the public, nearly two years after the bugs were first found. Issues range from a privilege escalation flaw, an authorization bypass vulnerability and a local...
ThreatList: Biggest Cybercrime Developments in 2018, So Far
Despite several successful crackdowns on several cybercriminal underworld gangs, miscreants have been highly active during the first half of 2018, according to Flashpoint. According to Flashpoint’s mid-year Business Risk Intelligence report, released last month, the major developments in the...
Android Apps Are Sharing Screenshots, Video Recordings to Third Parties, Report Finds
UPDATE New research claims that several Android apps have “alarming” privacy holes – enabling mobile apps to take and share screenshots and video of the phones’ app activity without users’ knowledge. The research paper, conducted by researchers from Northeastern University and published Wednesday...
Samsung Investigates Claims of Spontaneous Texting of Images to Contacts
Samsung says it isn’t seeing any software or hardware issues after a slew of Samsung phone users reported that their devices are randomly sending camera roll photos to their contacts without permission. Users took to Reddit and Samsung’s official forums over the past week to complain that their...
More Federal Agencies Wrapped Up in Facebook Data Privacy Probe
The Securities and Exchange Commission, FBI, and the Department of Justice are now reportedly investigating the social media giant after it failed to disclose that the data of more than 70 million platform users had leaked through a third-party application, sources told the Washington Post, Monda...
Welcome to a New Look for Threatpost
Today we’re excited to unveil a better Threatpost. The update brings a fresh new look to the site, but also gives us a better platform overall, built and designed from the ground up for the future. Our first goal was to preserve all the things that didn’t need fixing – starting with Threatpost’s...
Navigating an Uncharted Future, Bug Bounty Hunters Seek Safe Harbors
When researcher Kevin Finisterre found a security error in drone-maker DJI’s systems enabling him to access flight log data and images of customers, he thought he had hit the $30,000 jackpot as part of the drone company’s newly announced bug bounty program. Instead, when the incident occurred in...
ThreatList: Exploit Kits Still a Top Web-based Threat
What we can glean from a 2018 roundup of current web-threats is old vulnerabilities die hard. In a report, released by Palo Alto Networks Unit 42, researchers said so far this year cybercriminals are targeting unpatched PCs with ancient CVEs and well-known exploit kits. Here is a ThreatList from...
ThreatList: Top Summer DDoS Trends
On Tuesday, Akamai released a report on the year’s biggest distributed denial of service (DDoS) attacks. The report illustrates how this time-tested attack method continues to morph and adopt new tricks, and discusses trends to watch as we move into the summer months. According to the study, Summer...
Newsmaker Interview: Marten Mickos the Future of Bug Bounty
Since the launch of the Hack the Pentagon program in 2016, bug bounty programs have quickly grown in popularity. The program was bolstered by HackerOne, a bug bounty security crowdsourcing platform led by CEO Marten Mickos. “The numbers have exploded,” Mickos told Threatpost. “There’s a larger...
Bug Bounty Programs Turn Attention to Data Abuse
More companies – particularly social media firms – may follow Facebook’s footsteps in turning to bug bounty programs to scout out any data privacy abuse on their platforms, experts say. On the heels of Facebook’s Cambridge-Analytica scandal in March, the social media giant launched a “Data Abuse...
MacOS Malware Targets Cryptocurrency Community on Slack, Discord
Hackers using MacOS malware are targeting cryptocurrency investors that use both the Slack and Discord chat platforms. The malware, dubbed OSX.Dummy, uses an unsophisticated infection method, but those who are successfully attacked open their systems up to remote arbitrary code execution. “If the...
EFF Sues to Repeal Controversial Online Sex Trafficking FOSTA Law
The Electronic Frontier Foundation on Thursday announced it is suing to invalidate a recently passed law that is meant to fight online sex trafficking. The Allow States and Victims to Fight Online Sex Trafficking Act of 2017 (FOSTA), which was passed 97-2 by Congress in March and signed into law in...
Rowhammer Variant ‘RAMpage’ Targets Android Devices All Over Again
Researchers have found a new variation of the Rowhammer attack technique they have dubbed RAMpage. The vulnerability could allow an adversary to create an exploit to gain administrative control over targeted Android smartphones and tablets. The flaw impacts Android devices dating back to 2012...
Norwegian Agency Dings Facebook, Google For “Unethical” Privacy Tactics
While GDPR is forcing large data-crushing service providers to be transparent around data collection and usage, some are still employing a number of tactics to nudge end users away from data privacy. That’s what the Norwegian Consumer Council said in an in-depth report, released Wednesday, which...
Rewards Points Targeted by Teens in Hack of 500K Accounts
A pair of Russian teens have been arrested for infiltrating more than a half-million online accounts, in particular targeting services that offer rewards points. Russian authorities at the Ministry of Internal Affairs said in an announcement Wednesday that the duo came to their attention in late...
Ticketmaster Chat Feature Leads to Credit-Card Breach
Tens of thousands of people have been caught up in a data breach at Ticketmaster UK, which exposed credit-card and personal information for UK and some international customers. Customers in North America are not affected. The ticket-selling giant said that on Saturday it found malware within a...
Reality Winner, N.S.A. Contractor, Sentenced to 5+ Years in Leak Case
A former NSA contractor, Reality L. Winner, has pleaded guilty to charges of leaking classified information regarding a report on election meddling by Russian operatives in the 2016 U.S. elections. She was charged with espionage and was sentenced to more than five years in prison and three years o...
WebAssembly Changes Could Ruin Meltdown/Spectre Browser Patches
Upcoming changes to the WebAssembly (Wasm) format may defang the browser patches for infamous side-channel attacks Meltdown and Spectre. Wasm was invented to improve execution speed for porting desktop applications to web-based environments; programs are compiled in Wasm and then can easily be run ...
ThreatList: Biggest Attack Targets
The biggest verticals targeted by hackers in 2018, so far, are Education, Retail, Biotechnology, Construction, and Nonprofit Organizations. According to researchers at eSentire, attackers zeroed in on exploit attempts against the Education vertical, targeting consumer-grade router...
Mozilla Announces Firefox Monitor Tool Testing, Firefox 61
Mozilla has made some sweeping security announcements this week: On Monday, the company announced it is testing a new security tool called Firefox Monitor, which the firm said securely checks to see if users’ accounts have been hacked. That news came just as the browser giant released Firefox 61...
Simple Security Flaws Could Steer Ships Off Course
A proof-of-concept attack could cause ships to dangerously veer off course, and it all stems from simple security issues, including the failure to change default passwords or segment networks. Researcher Ken Munro, with Pen Test Partners, on Monday showed how the attack could work and how it’s...
WannaCry Extortion Fraud Reemerges
Extortion emails that threaten recipients with a WannaCry infection if they don’t pay up are making the rounds in the UK and elsewhere. The activity prompted an alert Friday from the City of London’s Action Fraud unit, which said at the time that police had already received almost 300 reports in...
UK Tax Agency Collects 5.1M Biometric Voice IDs, May Violate GDPR
Her Majesty’s Revenue and Customs (HMRC) in the UK is under investigation by that country’s regulator over the collection of more than 5 million biometric voice IDs. The Information Commissioner’s Office (ICO) is investigating the tax agency’s practice, which may violate the recently implemented...
Fortnite Fraudsters Infest the Web with Fake Apps, Scams
Fortnite, the sandbox video game, has become so popular that its maker, Epic Games, is ponying up $100 to $300 million to supply prize money for eSports tournaments. What it hasn’t ponied up for – at least not yet – is an Android version. Which means the bad guys are having a field day. We report...
Malicious App Infects 60,000 Android Devices – But Still Saves Their Batteries
UPDATE A battery-saving app that also allows attackers to snatch text messages and read sensitive log data has been downloaded by more than 60,000 Android devices so far. But what’s unique about the attack, according to the researchers at RiskIQ who discovered it, is that it holds true to its...
U.S. Supreme Court Bolsters Mobile-Phone Privacy Rights
The U.S. Supreme Court ruled in a decision that bolsters digital privacy rights of cellphone users. In a 5-4 vote, the court ruled law enforcement needs a warrant to obtain mobile phone tower records that can reveal a user’s location over time. The ruling was made on Friday in a case involving...
DDoS-Happy ‘Bitcoin Baron’ Sentenced to Almost 2 Years in Jail
The Bitcoin Baron, a self-proclaimed vigilante responsible for DDoS attacks on civic networks in Madison, Wisc., San Marcos, Texas, and other sites in 2015, has been collared in Phoenix and sentenced to serve 20 months in prison. The conviction and sentencing is only for the former attack, in whi...
Roku TV, Sonos Speaker Devices Open to Takeover
The DNS rebinding flaw reported in Google Home and Chromecast devices earlier this week is about to get a patch — but the same type of flaws have come to light for other top-name consumer Internet of Things devices, from Roku and Sonos. Fortunately, Roku has already started deploying its update,...
Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR
What will new General Data Protection Regulation laws mean for websites that use sneaky web trackers such as browser fingerprinting to profile visitors? Privacy experts say the practice is likely illegal under the newly-enacted GDPR regulation. But they also say don’t expect the method of trackin...
Financial Services Sector Rife with Hidden Tunnels
Global financial services organizations are seeing a significant uptick in the rate of being actively targeted by sophisticated cyber-attackers using hidden-tunnel techniques for post-intrusion data exfiltration. In an attempt to steal critical data and personally-identifiable information (PII),...
New Phishing Scam Reels in Netflix Users to TLS-Certified Sites
Researchers are warning of a new Netflix phishing scam that leads victims to sites with valid Transport Layer Security (TLS) certificates. Johannes Ullrich, dean of research at the SANS Technology Institute, said Wednesday that there’s been an uptick in Netflix phishing mails using TLS-certified...
Mylobot Botnet Emerges with Rare Level of Complexity
An unusual botnet dubbed Mylobot has emerged, percolating up from the Dark Web – and displaying a never-before-seen level of complexity in terms of the sheer breadth of its various tools, especially evasion techniques. According to an analysis posted on Tuesday by Tom Nipravsky, a security...
APT15 Pokes Its Head Out With Upgraded MirageFox RAT
The elusive APT15 cyber-espionage group, believed to be affiliated with the Chinese government, has been spotted for the first time in many months, mounting a highly targeted spy campaign using an upgraded version of the Mirage remote access trojan. This is the first evidence of the China-linked...