Feb. 29, 2020
The European Commission has decided to adopt the popular cross-platform encrypted messaging service Signal for its staff’s communications. The news was first reported earlier this month by the Politico website: a message posted on the commission’s internal messaging boards asked employees of the European Commission to use Signal. Signal is to be used only for sensitive but non-classified information, because classified documents must be transmitted through more secure channels.
Feb. 29, 2020
On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products. This week’s story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000.
Feb. 29, 2020
It was reported yesterday that French sporting retail giant Decathlon leaked over 123 million records through an improperly secured ElasticSearch server, leaving customer and employee details exposed. The leak was spotted by security researchers Noam Rotem and Ran Locar at VPNmentor on 12th February, Decathlon were notified four days later, the leak was investigated, and the server pulled down shortly after.
Source: itsecurityguru.org
Feb. 29, 2020
A high-severity hardware vulnerability, dubbed Kr00k, in Wi-Fi chips manufactured by Broadcom and Cypress exposes over a billion devices to attack. Cybersecurity researchers from ESET have discovered the new high-severity hardware vulnerability, dubbed Kr00k, which affects Wi-Fi chips manufactured by Broadcom and Cypress. The vulnerability could have a severe impact on the IT sector, as the flawed chips are used in over a billion devices, including routers, smartphones, tablets, laptops, and IoT gadgets.
Feb. 29, 2020
The controversial surveillance program that gave the NSA access to the phone call records of millions of Americans has cost US taxpayers $100m – and resulted in just one useful lead over four years. That’s the upshot of a report [PDF] from the US government’s freshly revived Privacy and Civil Liberties Oversight Board (PCLOB). The panel dug into the super-snoops’ so-called Section 215 program, which is due to be renewed next month.
Feb. 27, 2020
A new version of the ‘Cerberus’ Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts. Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts.
Source: zdnet.com
Feb. 24, 2020
‘The privacy issues are not fixable with regulation and there is no balance that can be struck,’ the Amazon employee said of Ring. The post was published Sunday by the advocacy group Amazon Employees for Climate Justice and it was meant to protest the company’s external communications policy.
Source: businessinsider.nl
Feb. 24, 2020
Wells Fargo, the nation’s fourth-largest bank, agreed Friday to pay a $3 billion fine to settle a civil lawsuit and resolve a criminal prosecution filed by the Justice Department over its fake account scandal. Under pressure to meet sales quotas, bank employees opened millions of savings and checking accounts in the names of actual customers, without their knowledge or consent. Since the fraud became public in 2016, the bank has faced a torrent of lawsuits.
Feb. 21, 2020
Last November, software developers Lenny Bakkalian and David Albert discovered two loopholes in the German McDonald’s system which allowed them to order an endless supply of free food. Recently, I met the two Hamburglars and their colleague Mats Tesch at an East Berlin McDonald’s so they could show me how they did it. McDonald’s receipts in Germany end with a link to a survey page.
Feb. 21, 2020
Yodlee, the largest financial data broker in the U.S., sells data pulled from the bank and credit card transactions of tens of millions of Americans to investment and research firms, detailing where and when people shopped and how much they spent. The company claims that the data is anonymous, but a confidential Yodlee document obtained by Motherboard indicates individual users could be unmasked. The findings come as multiple Senators have urged the Federal Trade Commission (FTC) to investigate Envestnet, which owns Yodlee, for selling Americans’ transaction information without their knowledge or consent, potentially violating the law.
Feb. 21, 2020
ISPs say that a law requiring users to opt-in to having their location and financial data sold is a ‘burdensome restriction’ on their ‘protected speech.’
Source: vice.com
Feb. 21, 2020
10.6 million people who had stayed at MGM Resorts have had their personal data published on a hacking forum, it was revealed this week. It is thought that the recent breach stems from an earlier incident which occurred last year, whereby unauthorised actors were able to access MGM’s internal cloud and therefore the personal information of previous guests. The biggest concern in the MGM disclosure is that hackers stole deeper, more sensitive data on 1,300 individuals, including information from driver’s licenses and military ID cards.
Feb. 17, 2020
Samsung’s attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ). Smartphone makers like Samsung are creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android’s Linux kernel; vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn. It was this type of mistake that Horn found in the Android kernel on the Samsung Galaxy A50.
Feb. 8, 2020
You should feel cranky about all the phishing emails you get. Because getting your brain in a grumpy gear will elevate the odds of your not getting fooled by the next phony invitation to log into your account. The roughly 100 million phishing emails Google blocks every day fall into three main categories: highly targeted but low-volume spear phishing aimed at distinct individuals, “boutique phishing” that targets only a few dozen people, and automated bulk phishing directed at thousands or hundreds of thousands of people.
Jan. 24, 2020
UpGuard can now disclose that a repository hosted on GitHub with data from an Amazon Web Services engineer, containing personal identity documents and system credentials including passwords, AWS key pairs, and private keys, has been secured from public access. The data was committed to a public repository on the morning of 13 January, 2020. It was detected within half an hour by UpGuard analysts, reported to AWS Security, and secured that same day.
Jan. 24, 2020
Rogue NYPD officers are using a sketchy facial-recognition software that its own facial recognition unit doesn’t want to touch because of concerns about security and potential for abuse, The Post has learned. Clearview AI, which has scraped millions of photos from social media and other public sources for its facial recognition program — earning a cease-and-desist order from Twitter — has been pitching itself to law enforcement organizations across the country, including to the NYPD. The department’s facial-recognition unit tried out the app in early 2019 as part of a complimentary 90-day trial but ultimately passed on it, citing a variety of concerns.
Jan. 23, 2020
We reveal details on the most sophisticated browser locker campaign we’ve seen yet. Learn how this tech support scam fools users by hiding in plain sight. In the early days, practically all tech support scammers would get their own leads by doing some amateur SEO poisoning and keyword stuffing on YouTube and other social media sites.
They’d then leverage their boiler room to answer incoming calls from victims. Today, these practices continue, but we are seeing more advanced operations with a clear separation between lead generation and actual call fulfillment. Malvertising campaigns and redirections from compromised sites to browser locker pages are owned and operated by experienced purveyors of web traffic.
Jan. 23, 2020
Motherboard has obtained the report made by FTI Consulting into how Crown Prince Mohammad Bin Salman allegedly hacked Amazon CEO Jeff Bezos’s phone. A report investigating the potential hack of Jeff Bezos’ iPhone indicates that forensic investigators found a suspicious file but no evidence of any malware on the phone. It also says that investigators had to reset Bezos’s iTunes backup password because investigators didn’t have it to access the backup of his phone.
Jan. 23, 2020
The United Nations is at odds with the world’s most notorious spyware company over an age-old question: Who built the tech that hacked Amazon CEO Jeff Bezos’s cell phone, allegedly by sending him a poisoned WhatsApp message from the Crown Prince of Saudi Arabia? Bezos has a conflicted relationship with the Saudi royal family. As the owner of the Washington Post, he’s called for justice for Khashoggi, who wrote for the paper, and who was assassinated by Saudi agents the CIA believes were acting on bin Salman’s orders, though bin Salman denies involvement.
Jan. 23, 2020
A timeline of events surrounding the Bezos phone hack. Bezos hack connected to Khashoggi murder and the Washington Post’s subsequent media coverage.
Source: zdnet.com