Latest News

45 mins ago
Lawrence Abrams / Bleeping Computer

Apple Pushes Out Security Updates for Slew of Core Products Including iOS 12.1.3

Apple has pushed out updates for its core products, including iCloud, Safari, macOS Mojave, High Sierra, and Sierra, tvOS 12.1.2, and of course iOS 12.1.3, fixing a number of code execution, privilege escalation, and information disclosure vulnerabilities. iOS 12.1.3 fixes numerous privilege elevation, remote code execution, and sandbox escape bugs, including CVE-2019-6200, a Bluetooth attack that could allow an attacker to perform remote code execution, and CVE-2019-6206, which allows password autofill to fill in passwords after they were manually cleared.

2 hours ago
Matthias Gafni / Mercury News

California Family Terrorized with Fake Ballistic Missile Alert Were Victims of Hacker Using Stolen Credentials

An Orinda, California family was briefly terrorized when an emergency broadcast alert, followed by a detailed warning of three North Korean intercontinental ballistic missiles headed to Los Angeles, Chicago and Ohio, was broadcast over their Nest camera system. The family was the victim of a hacker who had gained access to the WiFi-enabled home surveillance device using credentials stolen in third-party data breaches. Nest recommends all customers enable two-factor authentication and said it is actively introducing features that will reject compromised passwords, allow customers to monitor access to their accounts and track external entities that abuse credentials.

10 hours ago
Lorenzo Franceschi-Bicchierai / Motherboard

Alphabet’s Jigsaw Develops Quiz to Teach People How to Spot Phishing Emails

Alphabet subsidiary Jigsaw has developed a quiz with Google to teach people how to better spot malicious phishing emails. The quiz walks through eight examples of potentially malicious emails, allowing quiz-takers to customize the examples to make them more realistic. One of the emails is inspired by the emails that tricked Hillary Clinton campaign manager and veteran Republican politician Colin Powell into giving their passwords to Russian hackers.

11 hours ago
Sean Lyngaas / Cyberscoop

DHS Issues Rare Emergency Directive Ordering Federal Agencies to Audit All DNS Records Following Discovery of DNS Tampering of Executive Branch Domains

The U.S. Department of Homeland Security has issued a rare “emergency” directive ordering federal agencies to audit all DNS records within ten days after becoming aware of a series of incidents involving Domain Name System (DNS) infrastructure tampering that impacted multiple executive branch agency domains. The DNS translates a domain name that most users understand into a valid IP address. The Emergency Directive requires agencies to add multi-factor authentication to their DNS accounts, change account passwords, audit their DNS records, and monitor certificate logs. The government shutdown could interfere with agencies’ ability to implement the directive. The campaign was first identified last fall by cybersecurity firms Cisco and FireEye, which detected malicious DNS activity in the Middle East.

14 hours ago
Robert Abel / SC Magazine

Adobe Issues Unscheduled Security Updates for Experience Manager Platform to Patch Flaws That Can Lead to Information Disclosure

Adobe issued unscheduled security updates for its Experience Manager and Experience Manager Forms products that address several vulnerabilities that can lead to information disclosure. The updates patch a “moderate” rated cross-site scripting vulnerability and an “important” rated stored cross-site scripting vulnerability in Adobe Experience Manager version 6.0 through version 6.4 across all platforms.

16 hours ago
Richard Speed / The Register

Microsoft Issues Second Round of Fixes for Windows 10 This Month Resolving Third-Party Hotspot Authentication Issues

Microsoft has released a second round of fixes for Windows 10 following the monthly Patch Tuesday security updates issued last week. The latest fixes cover the 1803, 1709 and 1703 releases of Windows 10. All three updates resolve an issue that cropped up during the January 8th patching releases which left third-party applications having difficulty authenticating hotspots. Microsoft also issued a patch for the current fast ring version of Windows 10 (aka 19H1) rather than simply issuing an entirely new build, fixing File Explorer getting too attached to USB drives and a GSOD (Green Screen of Death) problem the OS developed over the last couple of versions.

23 hours ago
Greg Otto / Cyberscoop

Exposed Communications on a Command Control Server Used by a Nation-State’s Attackers Show How Easy It Is for Countries to Buy Spyware

It’s easier than ever for countries to obtain high-grade spyware, according to direct evidence, obtained by Andrew Blaich and Michael Flossman of Lookout Security, of some of the deliberations that occur when a nation-state group is trying to develop a cyber surveillance program. The threat actor made several operational security missteps, which resulted in their discovery and allowed the Lookout researchers to gain long-term visibility into their operations. In particular, the researchers uncovered communications found on a command and control server used by the nation-state attackers. The spyware vendors mentioned in the exposed communications included Expert Team, FinFisher, IPS, NSO Group, Ozeda Group, Palantir, Verint, Wintego, and Wolf Intelligence, and the researchers were able to read their sales pitches on the exposed communications. This particular nation-state, which had a budget of $23 million, was looking for a WhatsApp exploit but chose, after being pitched by the various vendors, to build the exploit itself.

1 day ago
VAKASHA SACHDEV / The Quint

Supposed Indian Cybersecurity Expert Lobs Explosive Claims That India’s 2014 General Election Was Rigged Through Hacking

At a press conference organized in London by the Indian Journalists’ Association (Europe), a supposed cybersecurity expert from Hyderabad, Syed Shuja, claimed via Skype that India’s 2014 general election was “rigged” through the Electronic Voting Machines (EVMs), which, he says, can be hacked. Shuja supposedly worked for the ECIL Electronics Corporation of India Ltd, the maker of India’s EVMs, from 2009-2014. He claimed that the late Union Minister Gopinath Munde knew about the rigging of elections and was considering going public with it, but was “murdered” before he could do that, and that the officer probing Munde’s death, Tanzil Ahmed, also died while he was looking into Munde’s death and was planning to file an FIR regarding the same.

2 days ago
LAURA KAYALI / Politico EU

France’s Data Protection Watchdog Fines Google $57 Million for GDPR Violation

France’s data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), hit Google with a record €50 million (around $57 million) fine for breaching European privacy rules over ad targeting and transparency requirements on its Android mobile operating system, marking the first time Google has been fined under the EU’s GDPR (General Data Protection Regulation). In its announcement, CNIL said the “information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.” Two privacy groups, Max Schrems’ None Of Your Business (noyb) and France’s La Quadrature du Net, had filed complaints to the CNIL in May, arguing that Google processed the personal data of their users for advertising purposes without a proper legal basis.

2 days ago
Paul Sawers / Venture Beat

WhatsApp Sets Limit of Forwarded Messages to Five to Counter ‘Misinformation and Rumors’

The Facebook-owned WhatsApp messaging platform is now limiting the number of recipients allowed on forwarded messages to five, down from the previous limit of 20 individuals or groups, to limit what it calls misinformation and rumors. WhatsApp says it is trying to clamp down on the spread of fake news, manipulated photos, videos without context, and audio hoaxes, particularly in Asian countries. WhatsApp has been testing the lowered number of recipients in India since July, after a series of violent lynchings in that country that followed the spread of fake news.

2 days ago
Catalin Cimpanu / ZDNet

Ex-Employee Blamed for Hack of Popular WordPress Translation Plug-In WPML, Left Backdoor on Server and Spammed Site Users

A popular WordPress plugin, WPML (or WP MultiLingual), which, with over 600,000 paying customers, is the most popular WordPress plugin for translating and serving WordPress sites in multiple languages, was hacked over the weekend by an attacker who defaced its website and sent a mass message to all its customers revealing the existence of supposed unpatched security holes. The developers blamed the hack on an ex-employee, who they claim left a backdoor on the website. In the spam message, the attacker claimed to be a security researcher who reported several vulnerabilities to the WPML team, which were ignored, and recommended site owners “triple-enforce” security on websites using WPML. The company says it is now rebuilding its server from scratch to remove the backdoor.

3 days ago
Luis Paez-Pumar / Deadspin

Portuguese Man Who Allegedly Ran Football Leaks Website Arrested in Hungary, Faces Extradition and Ten Years in Prison

Portuguese man Rui Pinto was arrested in Hungary on suspicion of extortion and hacking charges related to the infamous Football Leaks website, which has been publishing hacked documents regarding powerful soccer clubs and organizations since 2015. Rui, the alleged owner of Football Leaks, was outraged by the “criminality” of the sport, according to one of his attorneys, William Bourdon, who previously represented NSA whistleblower Edward Snowden and Assange. Pinto is the main suspect in the hacking of emails from Portuguese clubs Benfica, Sporting and Porto, among other hacks, including multiple on the FIFA database. Between 2016 and 2018, Football Leaks leaked over 70 million documents, according to the European Investigative Collaborations. Pinto is being held in Budapest where he faces extradition to Portugal and could face up to ten years in prison if convicted.

4 days ago
Dan Goodin / Ars Technica

Malicious Apps in Google Play Store Activate Banking Malware Payloads Only When Motion is Detected to Avoid Getting Caught, Trend Micro

Malicious apps hosted in the Google Play store activate Anubis banking malware payloads only when motion is detected first in order to avoid emulators used by security researchers, Trend Micro reports. Trend Micro found the motion-activated dropper in two apps, BatterySaverMobi, which had about 5,000 downloads, and Currency Converter, which had an unknown number of downloads. Once one of the apps installed Anubis on a device, the dropper also used requests and responses over Twitter and Telegram to locate the required command and control server. Google has removed the apps from the Play Store.

4 days ago
Natasha Lomas / TechCrunch

Austrian Privacy Watchdog Files Privacy Complaints Against Amazon, Apple, Netflix and Other Tech Companies for Violating GDPR Rules

European privacy campaigner Max Schrems has filed new GDPR complaints regarding tech giants, including Amazon, Apple, Netflix, Spotify and YouTube, via his nonprofit privacy and digital rights organization, noyb. The complaints contend that the tech firms are structurally violating the right of access to the data held by the firms as stipulated under Article 15 of Europe’s General Data Protection Regulation (GDPR). The organization contends that the tech giants have built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled. noyb said it tested eight firms and all have failed their tests, and it has filed formal complaints with the Austrian Data Protection Authority against the eight, which also include music and podcast platform SoundCloud; sports streaming service DAZN; and video on-demand platform Flimmit.

4 days ago
Tony Romm and Elizabeth Dwoskin / Washington Post

Facebook Could Be Facing Record-Setting Fine for Violating Its 2011 FTC Consent Decree, Sources

The Federal Trade Commission is contemplating a record-setting fine against Facebook for violating a 2011 privacy consent decree, according to three sources, a penalty that is expected to be much larger than the $22.5 million fine the agency imposed on Google in 2012. The 2011 decree requires Facebook to notify users, and seek their permission before data is shared with third parties in a way that differs from existing privacy settings and obtain users’ affirmative permission before sharing their data with third parties. The decree further requires Facebook to tell the FTC in cases where others misuse that information. Privacy advocates have maintained that Facebook violated the decree in its relationship with Cambridge Analytica, under which researchers collected names, locations, interests and other data from those who played a Facebook quiz, as well as from their friends. Since then, Facebook has been embroiled in a host of other privacy-related troubles.

5 days ago
MARYALICE PARKS and LEE FERRAN / ABC News

DNC Says Russia’s Cozy Bear Hacking Group Targeted Dozens of Its Email Addresses in Phishing Campaign Days After 2018 Midterm Elections

In an amended complaint filed in the U.S. District Court for the Southern District of New York, the Democratic National Committee (DNC) says it was the intended victim of a widespread cyber attack that was detected days after the 2018 midterm elections. “On November 14, 2018, dozens of DNC email addresses were targeted in a spear-phishing campaign, although there is no evidence that the attack was successful,” the DNC wrote in the amended complaint, part of an ongoing lawsuit against the Russian government, the 2016 Donald Trump campaign and others. The DNC said that the content of the emails and the timestamps were consistent with a spearphishing campaign that cybersecurity experts have tied to the Russian intelligence-controlled hacking group known as Cozy Bear, or APT 29.

5 days ago
Elizabeth Weise / USA Today

Hackers Used Stolen Personal and Financial Data to Order 2,400 DNA Testing Kits So They Could Pocket $10 Amazon Gift Cards

Hackers used stolen credit card and personal data to order about 2,400 DNA testing kits from Israeli online genealogy company My Heritage during the company’s holiday “Refer a Friend” program, looking to steal a $10 Amazon gift card offered for each referral. Customers who purchased the kits got a $10 discount and a $10 Amazon gift card. The hackers used the stolen data to buy the DNA kits and then sent the gift card to an email address they had created, allowing them to pocket the $10 gift card. The company suspected fraud on December 24th and suspended the gift card giveaway on December 26th.

5 days ago
Shaun Nichols / The Register

Twitter Bug in ‘Protect Your Tweets’ Exposed Private Tweets for Some Android Users for More Than Four Years

For more than four years, an issue in Twitter for Android disabled the “Protect your Tweets” setting if certain account changes were made, exposing private tweets, Twitter revealed. Twitter users enable this setting to protect, or padlock, their tweets out of fear of harassment, due to the sensitive nature of their tweets, or for other privacy reasons. Twitter said it informed users that it knows were affected by the problem and has turned “Protect Your Tweets” back on for them.

6 days ago
Catalin Cimpanu / ZDNet

Banks in West Africa Hit by Four Hacking Campaigns That Use Low-Level Malware, ‘Living Off the Land’ Tools, Symantec

Banks and financial institutions in the West African countries of Cameroon, Congo (DR), Equatorial Guinea, Ghana, and the Ivory Coast were hit by four different hacking campaigns last year that used low-level malware, researchers at Symantec report. The malware used is the kind shared for free online or that can be purchased via dedicated websites or from hacking forums, including remote access trojans Cobalt Strike, Mimikatz, and the NanoCore, Imminent Monitor, and Remote Manipulator System. Hoping to “hide in plain sight,” the attackers also used so-called “living off the land” local tools already residing on computers, such as PowerShell (a native Windows scripting utility), PsExec (a Microsoft Sysinternals tool used for executing processes on networked systems), and Windows RDP (a native Windows utility for connecting to remote Windows systems via a desktop-like interface).

6 days ago
Adam Satariano / New York Times

Facebook Deleted Nearly 500 Pages Tied to Russian Disinformation Campaigns, One Tied to Kremlin-Controlled News Agency Sputnik

Facebook said it deleted nearly 500 pages after it had identified two disinformation campaigns originating from Russia, including one tied to Sputnik, a news agency controlled by the Kremlin, that were targeted at users in Europe and Central Asia. One of the Sputnik efforts misrepresented itself using independent news pages on topics like weather, travel, and sports and represented 289 pages and 75 accounts of the deleted accounts, which also spent about $135,000 on Facebook advertising from 2013 to this month. About 790,000 users followed one or more of the pages, and up to 1,200 people expressed interest in attending one of the roughly 190 events organized by the fake pages. Another disinformation effort targeted users in Ukraine and covered 107 Facebook pages, groups, and accounts, as well as 41 Instagram accounts.

Podcasts

1 hour ago
ISC StormCast

Turning MISP Data into RPZs; APT Vulnerability; PEAR compromise; Apple Updates

Johannes Ullrich talks about Turning MISP Data into RPZs, Man in the Middle Vulnerability in apt, PHP PEAR Compromised Package, Apple Security Updates.


1 hour ago
SECURITY NOW 698

WHICH MOBILE VPN CLIENT?

Steve Gibson and Leo Laporte talk about the week’s top news including Which is the right VPN client for Android, and which should you avoid at all costs?, A very worrisome WiFi bug affecting billions of devices, Hack a Tesla Model 3 at Pwn2Own, Russia’s ongoing, failing and flailing efforts to control the Internet and more.


2 hours ago
Wall Street Journal Tech News Briefing

Google Fined $57 Million Under New European Law

The Wall Street Journal’s Sam Schechner reports on how a French regulator fined Google $56.8 million, the biggest penalty so far under a new European privacy law, alleging the search-engine giant didn’t go far enough in getting valid user consent to gather data for targeted advertising.


2 hours ago
ThugCrowd

Ep 043 – TinkerSec

In this week’s podcast, Police license plate readers are still exposed on the internet, WiFi firmware bug affects laptops, smartphones, routers, gaming devices, Hackers take control of giant construction cranes and more. Special guest TinkerSec shares some physical pentest stories.


2 hours ago
The Security Ledger

Podcast Episode 130: Troy Hunt on Collection 1 and Tailit’s Tale of IoT Security Redemption

Troy Hunt, the founder of HaveIBeenPwned.com, talks about his latest disclosure: a trove of more than 700 million online account credentials he’s calling “Collection #1.” Martin Hagen of the Norwegian device firm Tailit talks about how failing a security audit of the company’s GPS watch sparked a security make-over at the company.


2 hours ago
Risky Business #527

Featuring Alex Stamos, The Grugq, Susan Hennessey, Brian Krebs, Kelly Shortridge and Bobby Chesney

Patrick Gray and Alex Stamos discuss the week’s top news including DNC says Russia tried to own its servers in November 2018, South Korea’s Defense Ministry breached, West African banks suffer multiple intrusions and more, featuring guest appearances by The Grugq, Susan Hennessey, Brian Krebs, Kelly Shortridge, and Bobby Chesney.


Cybersecurity Events

Jan. 21: Cryptography and Security in Computing Systems, Valencia, Spain
Jan. 21-22: Cyber Security for Critical Assets Summits MENA, Dubai, UAE
Jan. 21-26: SANS Miami, Miami, FL, USA
Jan. 21-28: SANS Cyber Threat Intelligence Summit, Arlington, VA, USA
Jan. 25: BSides Leeds, Leeds, UK
Jan. 26: BSides Long Island, Glen Head, NY, USA
Jan. 28-30: Enigma 2018, Burlingame, CA, USA
Jan. 29-31: CDANS 2019, London, UK
Feb. 1: BSides Philadelphia, Philadelphia, PA, USA
Feb. 1: HACKRON, Tenerife, Spain
Feb. 2: BSides Tampa, Tampa, FL, USA
Feb. 2: BSides Cairo, Cairo, Egypt
Feb. 2-9: SANS Security East 2019, New Orleans, LA, USA
Feb. 7-8: MANUSEC, Munich, Germany
Feb. 9: BSides Seattle, Seattle, WA, USA

