Latest News

6 mins ago
Brian Barrett / Wired

Facebook Flaw Exposed Photos of 6.8 Million Users to Developers Whether the Photos Were Shared or Not

Facebook disclosed the latest in a series of user privacy and security violations by announcing that for two weeks in September, a bug let third-party developers view the photos of up to 6.8 million Facebook users, whether they’d shared them or not. The bug may have affected people who used Facebook Login and granted permission to third-party apps to access their photos, with up to 1,500 apps, from 876 developers, potentially having had access to private photos, the company said. Facebook will notify affected users about their exposure, and in the meantime has posted a page where users can check whether they were affected. The permissions were supposed to apply only to photos users had shared on their timelines, but the flaw allowed developers to access photos shared to other areas of Facebook, including Marketplace and Stories, as well as photos uploaded to Facebook but never shared at all. The bug was found on September 13 and fixed on September 25.

2 hours ago
Frederic Lardinois / TechCrunch

Kubernetes Security Firm Tigera Raises $30 Million in Series B Venture Funding Round

Kubernetes security and compliance start-up Tigera raised $30 million in a Series B venture funding round led by Insight Venture Partners and joined by existing investors Madrona, NEA, and Wing. Tigera says all four major public cloud players, AWS, Microsoft Azure, Google Cloud and IBM Cloud, have adopted its solutions for their public Kubernetes services, as have large Kubernetes distributions such as Red Hat and Docker.

3 hours ago
Steve Knopper / Rolling Stone

Taylor Swift’s Use of Facial Recognition Scans at Concert Highlights Growing Use of Technology at Stadiums, Arenas

A facial recognition camera hidden inside a video kiosk at a Taylor Swift concert was taking photos of concertgoers to run through a facial recognition system where they were cross-referenced with a database of hundreds of the pop star’s known stalkers, according to Mike Downing, chief security officer of Oak View Group, an advisory board for concert venues including Madison Square Garden and the Forum in Los Angeles. This controversial use of facial recognition technology is on the rise in stadiums and arenas as underscored by Ticketmaster’s investment in Blink Identity, a startup that claims its sensors can identify people walking past at full speed in about half a second.

5 hours ago
Romain Dillet / TechCrunch

France Travel Registry Ariane’s Website Hacked, Emergency Contacts Data for 54,000 Citizens Stolen

The Ministry of Europe and Foreign Affairs in France said that personal data for 54,000 citizens had been stolen from its Ariane website, a destination created for citizens traveling abroad to unsafe countries. Among the data stolen were the names, phone numbers and email addresses of the travelers’ emergency contacts. The breach occurred on December 5 and the Ministry contacted France’s data watchdog, the CNIL, within 72 hours.

5 hours ago
Jacqueline Thomsen / The Hill

FEC Adopts Measure to Allow Lawmakers to Spend Surplus Campaign Funds on Personal Tech, Email Cybersecurity

Adopting a measure proposed by Senator Ron Wyden (D-OR), the Federal Election Commission voted to allow members of Congress to use their surplus campaign funds on cybersecurity protection for lawmakers’ personal tech devices and email accounts. The move comes after the Senate Sergeant at Arms informed Senators that its offices are not allowed to spend appropriated money on securing lawmakers’ personal devices.

6 hours ago
Abrar Al-Heeti / CNET

‘123456’ and ‘password’ Rank Number One and Two in This Year’s Top 100 Worst Passwords, Report

Bad passwords chronically stand in the way of good cybersecurity, and this year’s list of the top 100 worst passwords from SplashData proves the point. Culled from more than five million leaked passwords, primarily from North American and European users, the number one worst password on the list is “123456,” followed by “password” and “123456789.” New entries on the list include “666666” (No. 14), “princess” (No. 11) and “donald” (No. 23).

14 hours ago
Rhett Jones / Gizmodo

Wave of Emailed Bomb Threats Sweep the U.S., Demand Bitcoin Ransom Payments as High as $20,000

A wave of bomb threats sent by email demanding ransom payments in Bitcoin, some as high as $20,000, was reported in cities across the U.S., targeting businesses, schools, government offices, and even private residences. The National Cybersecurity and Communications Integration Center (NCCIC) recommends that recipients of the threats not respond to the emails or contact the sender, not pay the ransom, and contact the FBI.

19 hours ago
Colin Kruger / Sydney Morning Herald

Credit Rating Giant Fitch Warns That Australia’s Anti-Encryption Law Could Damage Australia’s Tech Sector, International Companies

Credit rating group Fitch said in a report that the Australian government’s controversial new anti-encryption law, the Assistance and Access Bill 2018, could damage Australia’s flourishing tech sector along with harming Internet giants, such as Google, Facebook, and Apple, that might be forced to go along with it. “The new rules are negative for Australia’s tech sector, but they will have the most impact globally, as they target international companies. If they have to follow these rules in Australia, other jurisdictions will also ask for the same concessions, further weakening the security of messages,” the Fitch report says. The new law forces tech companies to give federal authorities access to encrypted communications and in some cases gives the government the ability to compel the incorporation of new encryption backdoor capabilities.

20 hours ago
Catalin Cimpanu / ZDNet

WordPress Pushes Out Second Major Update In a Week to Fix Seven Security Flaws, Plug Serious Privacy Leak

One week after pushing out its first major update in quite a while, WordPress developers have pushed out another update, version 5.0.1, that fixes seven security vulnerabilities, some of which allow site takeover, and plugs a serious privacy leak. The leak was found by the authors of the popular Yoast SEO plugin, who discovered that in some cases the activation screen for new users could end up being indexed by Google. With specially crafted Google searches, attackers could find the pages and collect users’ email addresses and, in some cases, default generated passwords, which could be catastrophic if the user has an admin role.

20 hours ago
Blake Sobczak / E&E News

[Updated] Apparent Resurgence of Shamoon Malware Knocks Out 400 Servers at Italian Oil Services Company Saipem

About 400 servers in the Middle East belonging to the Italian oil-services company Saipem SpA were hit by what appears to be a resurgence of the Shamoon wiper malware, experts say. Shamoon wiped tens of thousands of computers belonging to Saudi Aramco six years ago, an attack attributed to Iran. However, experts caution against attributing this latest round of Shamoon attacks to Iran because no hard evidence points to that country. No evidence suggests that any data was stolen during the attack, which hit Saipem’s servers in the United Arab Emirates and Saudi Arabia the hardest. The only attack in Europe was in Aberdeen, Scotland, where the company employs fewer than 30 people. Saipem says it is working to bring up the targeted servers as soon as possible.

21 hours ago
Lawrence Abrams / Bleeping Computer

Taxpayer IDs and Wealth of Personal Information on 120 Million Brazilians Exposed by Misconfigured Server

A misconfigured Apache web server exposed the taxpayer identification numbers, or Cadastro de Pessoas Físicas (CPFs), of 120 million Brazilian nationals for an unknown period of time, researchers at InfoArmor discovered. The CPF is similar to the U.S. Social Security number. “Each exposed CPF linked to an individual’s banks, loans, repayments, credit and debit history, voting history, full name, emails, residential addresses, phone numbers, date of birth, family contacts, employment, voting registration numbers, contract numbers, and contract amounts,” InfoArmor said.

23 hours ago
Raphael Satter / Associated Press

Iranian Hacking Group Charming Kitten Targeted At Least 13 U.S. Treasury Officials, Atomic Scientists As Trump Was Re-Imposing Sanctions on Iran, Report

An Iranian hacking group known as Charming Kitten tried to break into the personal emails of at least thirteen U.S. Treasury officials tasked with enforcing Donald Trump’s re-imposed sanctions against Iran, according to an analysis by the Associated Press, which drew on data gathered by the London-based cybersecurity group Certfa. The attackers also targeted high-profile defenders, detractors and enforcers of the nuclear deal struck between Washington and Tehran, as well as Arab atomic scientists, Iranian civil society figures and D.C. think tank employees. Charming Kitten’s target list was discovered when the group mistakenly left one of its servers open to the internet last month. Certfa extracted a list of 77 Gmail and Yahoo addresses targeted by the hackers, which likely reflects only a fraction of the targets. The most striking targets were a scientist working on a civilian nuclear project for Pakistan’s Ministry of Defense, a senior operator at the Research and Training Reactor in the Jordanian city of Ramtha, and a high-ranking researcher at the Atomic Energy Commission of Syria, suggesting an interest in nuclear technology and administration. Other targets included Andrew J. Grotto, whose tenure on the U.S. National Security Council straddled the Obama and Trump administrations and who has written about Iran’s nuclear ambitions, and Jarrett Blanc, the State Department coordinator responsible for the implementation of the nuclear deal under Obama. Yet another target was a senior director of “breakthrough technology” at the aerospace arm of Honeywell International.

1 day ago
Dell Cameron / Gizmodo

Democratic Senators Introduce ‘Data Care Act,’ FTC Would Enforce Fiduciary-Like Personal Data Protection Standards

The Data Care Act, a new bill proposed by Senator Brian Schatz (D-HI) and co-sponsored by 14 other Senate Democrats, would establish a set of consumer protection duties, defined and enforced by the Federal Trade Commission, preventing tech companies from knowingly doing harm to their users and making companies such as Equifax and Facebook responsible for the protection of personal information in the same way banks and hospitals are held responsible. The bill would create new rules for pursuing fines against companies that misuse private data, holding them accountable to fiduciary-like standards, including legal duties to be loyal to consumers and to maintain their confidentiality.

2 days ago
Ryan Browne / CNBC

‘Operation Sharpshooter’ Social Media Phishing Campaign Targeted 87 Mostly Defense, Government-Related Companies to Steal Data, McAfee

A hacking campaign dubbed Operation Sharpshooter targeted individuals at 87 primarily defense and government-related companies, using social media phishing to exfiltrate data during October and November, researchers at McAfee report. The phishing messages lured victims into installing a program called “Rising Sun,” which opened a backdoor that gave the attackers the ability to extract intelligence and send it to a control server. The attack could be linked to North Korea’s Lazarus Group, although McAfee said the attacks could be a false flag intended to divert attention toward an obvious culprit such as North Korea.

2 days ago
Catalin Cimpanu / ZDNet

Login Credentials for More Than 40,000 Government Portal Accounts in 30 Countries Discovered, Might Be for Sale on Dark Web, Group IB

Login credentials for more than 40,000 accounts on government portals in more than 30 countries, which might be for sale in underground forums, have been discovered by Group-IB’s Computer Emergency Response Team (CERT-GIB). The data includes usernames and cleartext passwords and has been collected over time by cyber-criminals with the help of off-the-shelf malware strains such as the Pony and AZORult infostealers and the Qbot (Qakbot) multi-purpose trojan. Group-IB shared the cached accounts with CERT teams in the relevant countries so they can contact the affected agencies. More than half of the accounts, 52%, belong to Italian government officials, followed by Saudi Arabian government accounts (22%) and Portuguese government accounts (5%).

2 days ago
David E. Sanger, Nicole Perlroth, Glenn Thrush and Alan Rappeport / New York Times

Marriott’s Massive Breach Part of China’s Efforts to Build Massive Databases on Americans, Sources Say, Administration Plans to Declassify Substantiating Documents

The Marriott Starwood hotels breach, which compromised the personal details of roughly 500 million guests, was part of a Chinese Ministry of State Security intelligence-gathering effort that also hacked health insurers and the security clearance files of millions more Americans, according to people familiar with the matter. The Marriott breach and the others are reportedly part of a much larger effort to amass as much data as possible on Americans, which goes back to the 2014 breach of the Office of Personnel Management, attributed to China, in which government workers’ detailed security clearance forms were stolen. The Marriott breach, which included passport numbers, adds a critical data point, travel activity, to the data amassed on Americans, all the better to track them with, particularly regarding possible meetings with Chinese spies. The Trump Administration is planning actions targeting China’s trade, cyber and economic policies, perhaps within days, according to officials, and plans to declassify documents revealing Chinese efforts dating back to 2014 to build massive databases on Americans.

3 days ago
Brian Krebs / Krebs on Security

Microsoft and Adobe Each Fix Dozens of Vulnerabilities in Last Patch Tuesday of 2018, One Microsoft Zero-Day Flaw Fixed Already Exploited in the Wild

Microsoft and Adobe both issued their Patch Tuesday updates for December, with Microsoft fixing three dozen vulnerabilities in Windows and related applications and Adobe patching dozens of flaws in its Acrobat and PDF Reader products. Adobe’s update also includes last week’s out-of-band patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild. Nine of Microsoft’s patches are deemed critical. One Microsoft fix is for a zero-day flaw that is already being exploited (CVE-2018-8611), which allows an attacker to elevate privileges on a host system but is not deemed critical because the attacker needs to be logged in first.

3 days ago
Ellen Nakashima and David J. Lynch / Washington Post

Trump Administration Expected to Take Widespread Action This Week Against China for Computer Espionage, Intellectual Property Theft, Including Indictments of Hackers

The Trump Administration is preparing to take actions this week to condemn China for what the administration believes are continued efforts by the country to steal American trade secrets and advanced technologies and to compromise sensitive government and corporate computers, in violation of a landmark 2015 pact to refrain from hacking for commercial gain, officials say. Multiple agencies are expected to be involved, although the most high-profile is the Justice Department, which is expected to announce the indictments of multiple hackers suspected of working for a Chinese intelligence service and participating in a long-running espionage campaign that targeted U.S. networks. The administration is also planning to declassify intelligence relating to the breaches, which date to 2014, and to impose sanctions on some of those believed responsible.

3 days ago
Angus Loten / Wall Street Journal

NSA’s Joyce Says The Trend is ‘Going the Wrong Way’ Regarding U.S. Firms’ Ability to Defend Against Cyber Threats, Warns That China May Be Readying Critical Infrastructure Cyberattacks

National Security Agency (NSA) official Rob Joyce said that the “trend is going the wrong way” in terms of corporate leaders’ ability to defend their own networks from cybersecurity threats. Speaking at the Wall Street Journal’s Pro Cybersecurity Executive Forum, Joyce also warned that Chinese cyber activity in the United States had risen in recent months and that he feared that Chinese cyber operations suggested an attempt to lay the groundwork for future disruptive attacks.

3 days ago
Jon Emont, Robert McMillan and Laura Stevens / Wall Street Journal

Amazon Reportedly Fired Employees Suspected of Leaking Internal Data Following Seller Scam Probe

Amazon has fired employees suspected of having helped supply independent merchants with inside information as it fights a barrage of seller scams on its website, people familiar with the company’s effort say. Amazon began investigating suspected data leaks and bribes of its employees in September, focusing its internal bribery investigation on India. Some employees in China say that their access to an internal database that allows them to find data about specific product performance or trending keywords has been dramatically limited. Amazon said in a statement that “we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them, including terminating their selling accounts, deleting reviews, withholding funds, and taking legal action.”

Podcasts

4 hours ago
ISC StormCast

Fake E-Mail Bomb Threats; Phishing Via Non-Delivery Notices

Johannes Ullrich talks about Fake E-Mail Bomb Threats, Phishing Via Non-Delivery Notices, LamePyre MacOS Malware.


4 hours ago
Cracking Cyber Security

“GDPR has empowered extortionists” – Tim Lambon, Director, Global Response Team, NYA

Tim Lambon, Director of NYA, the Global Response Team, discusses the stigma attached to admitting your business has been a victim of ransomware, the emotional trauma some victims go through, how GDPR has empowered the criminals, as well as top tips for dealing with cyber extortion.


4 hours ago
IoT Podcast

Episode 194: Is it time to address privacy in the Constitution?

Om Malik, a partner at True Ventures, joins the podcast to talk about the New York Times’ investigation into app location sharing, Google CEO Sundar Pichai’s testimony before Congress and other topics. Bianca Wylie, co-founder of Tech Reset Canada and a Senior Fellow at the Centre for International Governance Innovation, discusses why we need to hit pause before adding too much technology to cities.


4 hours ago
Secure Digital Life #92

Cybersecurity Christmas Gifts

Russ Beauchemin and Doug White talk about their favorite security gifts.


Cybersecurity Events

Dec. 2-6      Asiacrypt 2018, Brisbane, Australia
Dec. 3-6      Black Hat Europe, London, UK
Dec. 3-8      SANS Dublin, Dublin, Ireland
Dec. 3-8      SANS Santa Monica, Santa Monica, CA, USA
Dec. 10-11    The Digital Society Conference 2018: Empowering Ecosystems, Berlin, Germany
Dec. 10-13    World Congress on Internet Security, Cambridge, UK
Dec. 12-15    Hyperledger Global Forum, Basel, Switzerland
Dec. 13       Secure CISO Seattle, Seattle, WA, USA
Jan. 7-10     Flocon, New Orleans, LA, USA
Jan. 18-20    ShmooCon, Washington, DC, USA
Jan. 21-28    Cyber Threat Intelligence Summit, Arlington, VA, USA
Jan. 26       BSides Long Island, Glen Head, NY, USA
Jan. 28-30    Enigma 2018, Burlingame, CA, USA
Feb. 15-16    OffensiveCon, Berlin, Germany
Mar. 1-2      Nullcon, Goa, India