Latest News

18 hours ago
Lorenzo Franceschi-Bicchierai / Motherboard

Phineas Fisher Launches ‘Bug Bounty’ Program to Pay Hacktivists Up to $100,000 for Politically Motivated Hacks, Also Claims to Have Hacked Cayman Bank and Trust Company

The infamous vigilante hacker known as Phineas Fisher, best known for their hits on surveillance companies, is launching a new kind of bug bounty to reward hacktivists who carry out public-interest hacks and leaks. In a manifesto, Fisher offers to pay hackers up to $100,000 under what they call the “Hacktivist Bug Hunting Program,” which pays out in cryptocurrency for politically motivated hacks against companies that could lead to the disclosure of documents in the public interest. Fisher names Israeli spyware vendor NSO Group and oil company Halliburton as the kind of companies that would qualify for the bounties. In the manifesto, the hacker also says that in 2016 they hacked the Cayman Bank and Trust Company on the Isle of Man, an island between Great Britain and Ireland. Fisher says they were able to steal money, documents, and emails from the bank. Documents from that heist are posted on the leak site Distributed Denial of Secrets, run by journalist and activist Emma Best.

22 hours ago
Zack Whittaker / TechCrunch

Backup File Unprotected by Password Exposed Data for 452,000 Players of Magic: The Gathering

A security lapse exposed the data of 452,000 players of the card game Magic: The Gathering, its maker, Wizards of the Coast, has confirmed. Wizards of the Coast said it had left a database backup file in a public Amazon Web Services storage bucket, unprotected by a password, exposing the users’ data; the exposure was discovered by U.K. cybersecurity firm Fidus Information Security. The database included player names and usernames, email addresses, and the date and time of each account’s creation, with data going back to 2012. It also held user passwords, which were hashed and salted, making them harder, though not impossible, to recover (how much harder depends on the hashing algorithm used; a salt defeats precomputed tables but not brute force against a fast hash), along with about 470 email addresses associated with Wizards’ staff. After TechCrunch contacted the game maker, the storage bucket was taken offline.

22 hours ago
Tom Spring / Threatpost

Security Experts Warn of Dangers From Checkra1n iOS 13 Jailbreak, Particularly When Devices Must Be Handed Over at International Borders

Checkra1n, a working jailbreak for devices running Apple’s iOS 13 that leverages the checkm8 BootROM vulnerability, was released over a week ago, and security experts are urging mobile-device managers to watch out for the powerful new tool, both because attackers can use it and because iPhone users may use it recklessly. One key risk is users jailbreaking their own iOS devices, making them susceptible to rogue or unstable apps downloaded from outside Apple’s curated App Store. The jailbreak itself does not survive a reboot, although an attacker could persist on the device by sideloading an app while it is jailbroken. A third-party jailbreak needs access to an unlocked iPhone, which must then be tethered to a macOS computer running the exploit code. That kind of physical access can occur when a device must be handed over for inspection while crossing international borders.

23 hours ago
Mohit Kumar / The Hacker News

WhatsApp Quietly Patches Another Critical Vulnerability, Newly Discovered Flaw Can Allow Attacker to Execute Remote Code or Launch DoS Attack By Simply Sending MP4 File

On the heels of the recent revelation that Facebook-owned WhatsApp had a vulnerability exploited by Israeli spyware company NSO Group, WhatsApp quietly patched yet another critical vulnerability in its app that could have allowed attackers to remotely compromise targeted devices and potentially steal secured chat messages and files stored on them. The vulnerability, tracked as CVE-2019-11931, is a stack-based buffer overflow in the way previous WhatsApp versions parsed the elementary stream metadata of an MP4 file, leading to denial-of-service or remote code execution. All an attacker needs to exploit the flaw is the target’s phone number; they then send a maliciously crafted MP4 file over WhatsApp, which can be built to install spyware or a backdoor silently. WhatsApp confirmed the flaw and said it had no evidence it had been exploited in the wild.
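The bug class described above, a stack buffer overflow in a parser that trusts a length field carried in file metadata, shown as an added illustration. This is not WhatsApp’s code and does not reproduce the actual flaw: the box layout (a 4-byte big-endian length followed by the payload), the `META_MAX` buffer size and the function names are all assumptions made for the example. The unsafe variant checks the declared length only against the input, so a crafted file whose length field exceeds the fixed stack buffer overruns it; the hardened variant also checks the destination capacity and rejects the box.

```c
/* Illustrative pattern only: a length-prefixed metadata field, like an MP4
 * "box" whose header declares its payload size, copied into a fixed-size
 * stack buffer.  Not WhatsApp's parser; layout and sizes are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define META_MAX 32   /* assumed size of the on-stack metadata buffer */

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable: the attacker-controlled length is checked against the input
 * size but never against the destination.  A box declaring more than
 * META_MAX bytes (with that many bytes present) overflows 'meta'.
 * Returns the declared length, or -1 on a truncated box. */
int parse_meta_unsafe(const uint8_t *buf, size_t len) {
    uint8_t meta[META_MAX];
    if (len < 4) return -1;
    uint32_t n = read_be32(buf);
    if (n > len - 4) return -1;      /* stays inside the input...        */
    memcpy(meta, buf + 4, n);        /* ...but not inside 'meta'.        */
    (void)meta;
    return (int)n;
}

/* Hardened: the declared length is validated against BOTH the remaining
 * input and the capacity of the destination before any copy happens.
 * Returns the payload length, -1 if truncated, -2 if it would overflow. */
int parse_meta_safe(const uint8_t *buf, size_t len,
                    uint8_t *out, size_t out_cap) {
    if (len < 4) return -1;
    uint32_t n = read_be32(buf);
    if (n > len - 4) return -1;      /* declared more than is present     */
    if (n > out_cap) return -2;      /* would overflow destination: reject */
    memcpy(out, buf + 4, n);
    return (int)n;
}

/* Constructed sample inputs (not captured from any real file). */

/* Well-formed box: declares 8 bytes, carries 8 bytes. */
int demo_valid(void) {
    uint8_t box[4 + 8] = {0, 0, 0, 8, 'm', 'd', 'a', 't', 'x', 'y', 'z', '!'};
    uint8_t out[META_MAX];
    return parse_meta_safe(box, sizeof box, out, sizeof out);
}

/* Same well-formed box through the unsafe parser: no overflow here. */
int demo_unsafe_valid(void) {
    uint8_t box[4 + 8] = {0, 0, 0, 8, 'm', 'd', 'a', 't', 'x', 'y', 'z', '!'};
    return parse_meta_unsafe(box, sizeof box);
}

/* Crafted box: declares and carries 64 bytes, twice META_MAX.  The safe
 * parser rejects it; the unsafe parser would smash its stack buffer. */
int demo_oversized(void) {
    uint8_t box[4 + 64];
    memset(box, 'A', sizeof box);
    box[0] = 0; box[1] = 0; box[2] = 0; box[3] = 64;
    uint8_t out[META_MAX];
    return parse_meta_safe(box, sizeof box, out, sizeof out);
}

/* Truncated box: declares 256 bytes but only 4 follow the header. */
int demo_truncated(void) {
    uint8_t box[4 + 4] = {0, 0, 1, 0, 1, 2, 3, 4};
    uint8_t out[META_MAX];
    return parse_meta_safe(box, sizeof box, out, sizeof out);
}
```

The point of the hardened version is that the destination size is an input to the check, not something the parser assumes from the format: a file that is internally consistent (length field matches the bytes present) is still rejected when the field exceeds what the receiving buffer can hold.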

23 hours ago
Olivia Solon / NBC News

Microsoft Hires Eric Holder to Audit Facial Recognition Company AnyVision for Potential Violations of Its Ethical Principles in Israel’s West Bank

Microsoft has hired former United States Attorney General Eric Holder to conduct an audit of Israeli-headquartered facial recognition company AnyVision to determine whether it complies with Microsoft’s ethical principles on how biometric surveillance technology should be used. Microsoft invested $74 million in AnyVision in a Series A round in June and stipulated at the time that AnyVision had to comply with the six ethical principles that guide Microsoft’s own facial recognition work: fairness, transparency, accountability, non-discrimination, notice and consent, and lawful surveillance. However, AnyVision’s technology has become a source of controversy in Israel for powering a secret military surveillance project that has monitored Palestinians in the West Bank, which human rights activists say is incompatible with Microsoft’s ethical principles.

24 hours ago
Jack Corrigan / NextGov

Bipartisan Bill Would Require Law Enforcement to Obtain Warrant Before Using Facial Recognition to Track Americans

A bipartisan bill, the Facial Recognition Technology Warrant Act, has been introduced that would force law enforcement agencies to obtain a warrant before using facial recognition software to track American citizens. Sponsored by Senators Chris Coons (D-DE) and Mike Lee (R-UT), the bill would require law enforcement agencies to establish probable cause and obtain a warrant before using facial recognition systems to surveil suspects, mirroring the legal procedures used to authorize other intrusive activities such as cell phone searches, wiretaps, and geotracking. The requirement would apply to any surveillance lasting more than 72 hours, with exceptions for urgent circumstances.

1 day ago
Dave Gershgorn / OneZero

Knightscope’s Automated Security Robots Collect Mounds of Data Using Facial Recognition, License Plate Scanning, Wireless Device Detection and Tracking

A previously unreported Knightscope presentation shows just how much data the company’s automated security robots can collect. The slides, presented in June 2019 to the city council of Huntington Park, CA, which had signed a $240,000 contract in November 2018 to lease a Knightscope robot for three years, detail the software police use to control the robot and how the company analyzes the collected data. According to the presentation, the company can, using facial recognition, surface a known person’s name, the similarity of the person’s face to a known image, and a log of other identities the robot has seen. Notes attached to a person’s face include labels such as “person of interest,” “Causes Trouble,” or “Sketchy Dude.” The robot can also perform license plate recognition, alerting on blacklisted plates, and can scan an area using cameras, lidar, and optional thermal imaging. Knightscope robots also scan for wireless devices and can discreetly track individuals regardless of whether their faces have been recognized.

1 day ago
Lauren Kaori Gurley / Motherboard

Digital Rights Activists Showcased the Threat of Harmful Consequences from Facial Recognition Technology By Scanning Nearly 14,000 Faces Outside the Halls of Congress

Digital rights activists Fight for the Future used Amazon’s commercially available facial scanning technology, Rekognition, to scan the faces of thousands of DC residents outside the halls of Congress and inside the city’s busiest metro stations to showcase the harmful consequences of facial recognition surveillance. In a few hours, the activists’ scanners processed nearly 14,000 faces, identifying one congressperson, seven reporters, and 25 lobbyists. The technology also claimed to spot long-dead singer Roy Orbison.

2 days ago
Catalin Cimpanu / ZDNet

Hacked Disney+ User Accounts Are Now Offered on Hacking Forums, Prices Range From Free to $11

Thousands of hacked Disney+ user accounts are now being offered for free on hacking forums, or for sale at prices ranging from $3 to $11, just days after the now hugely popular service launched. Disney+, which garnered more than ten million subscribers on its first day in the U.S., Canada, and The Netherlands, was flooded with technical complaints at the outset, among them reports from subscribers that hackers were accessing their accounts and changing their passwords. Some users’ emails and passwords could have been obtained from previous data breaches and reused against Disney+, while other users could have been infected with keylogging or info-stealing malware. Several lists offer usernames and cleartext credentials that subscribers confirmed were accurate and still active. Users are advised to use strong, unique passwords for Disney+ and every other Internet account.

2 days ago
Tara Seals / Threatpost

Lizard Squad Takes Credit for DDoS Attacks Against Labour Party, Claims Attacks Against Corbyn and Family, Vows More Attacks

Hacktivist group Lizard Squad, which specializes in DDoS attacks, has taken credit for the large-scale DDoS attack on the UK’s Labour Party, saying in a tweet that “no terrorist-supporting government should be allowed to rule a country,” a reference to leader Jeremy Corbyn’s views on Northern Ireland. It has also threatened more attacks against the whole of the government and Labour websites and claims to have launched DDoS attacks against Jeremy Corbyn’s family members and their home.

2 days ago
Alex Horton / Washington Post

Elite Army Intelligence Unit Soldiers Revolted Against Use of Information App They Believe Exposes Their Data, Location to Foreign Adversaries, Others

Army Col. Deitra L. Trotter, the commander of Fort Hood’s 504th Military Intelligence Brigade, ordered soldiers in her intelligence unit with top-secret clearances to download an information app that many fear could expose their activities to foreign adversaries. The app was developed by Straxis LLC, based in Tulsa, with a subsidiary in southern India. The app designed for the unit could provide weather updates, training changes, and other logistics but also required soldiers to submit substantial amounts of personal data. It could also pull GPS location data, photos, and contacts, and even write to memory cards. Concerns about the app circulated among the security-conscious soldiers on social media, and many deleted it from their devices in protest. Although the use of the app was at one point deemed mandatory, military leadership has since downgraded it to “highly encouraged.”

3 days ago
Douglas MacMillan and Greg Bensinger / Washington Post

Google Nearly Posted More Than 100,000 Chest X-Ray Images Without Properly Vetting the Data for Privacy Concerns, Abruptly Canceled Project, Report

Two days before Google was set to publicly post more than 100,000 images of human chest X-rays, the National Institutes of Health informed the tech giant that some of them still contained details that could be used to identify the patients, a potential privacy and legal violation. Google’s researchers had not obtained any legal agreements covering the privacy of patient information, according to a source who also said the company rushed toward publicly announcing the project without properly vetting the data for privacy concerns. Google canceled the project shortly afterward. Google is currently under investigation by the Department of Health and Human Services for its mass collection of individuals’ health records through a partnership with health care company Ascension, which may violate the Health Insurance Portability and Accountability Act, or HIPAA, the federal law that protects the privacy of some types of medical records.

3 days ago
Omar Abdulaziz / Washington Post

Activist Says He’s One of the People Targeted by Two Former Twitter Employees Who Spied for Saudi Arabia

Saudi activist Omar Abdulaziz, who counted murdered journalist Jamal Khashoggi as a friend and ally, says he was one of the individuals targeted by the two former Twitter employees who spied for Saudi Arabia as part of a campaign of harassment by the Kingdom. He said that more than 30 influencers told him the Saudi government blackmailed them with material obtained by hacking their phones, ordering them either to tweet propaganda or have their private content, including pictures, released on Twitter.

3 days ago
Lorenzo Franceschi-Bicchierai / Motherboard

Trail of Bits Launches iVerify Security Toolkit to Help Users Detect if Their iOS Devices Are Being Hacked

Security firm Trail of Bits launched iVerify, a user-friendly iPhone security toolkit to help users detect whether their iOS device has been hacked. iVerify is one of the first apps that promises to catch iPhone hacks to be approved for the official App Store. It is designed to look for the “side effects,” or anomalies, left behind by iPhone hacks and jailbreaks, based on a study of all existing public jailbreaks and reverse engineering of the iPhone’s operating system. iVerify also includes a series of detailed how-to guides that help users lock down their iPhone settings to improve their privacy and reduce the chances of being hacked.

3 days ago
Khari Johnson / Venture Beat

GitHub Launches Security Lab to Protect Open-Source Code Projects, Tech Giants Partner to Help Spot Exploits

GitHub launched the GitHub Security Lab, an ongoing effort to protect open-source code projects by bringing together security researchers from partner organizations including Google, Microsoft, Mozilla, Oracle, Uber, and HackerOne. To power the lab, GitHub is making CodeQL, the variant-analysis engine from Semmle, a company it acquired in September, free for open-source projects so that known vulnerability patterns can be found across code bases. GitHub also launched Security Advisories, which give maintainers a way to request Common Vulnerabilities and Exposures (CVE) identifiers for flaws in their projects.

3 days ago
Catalin Cimpanu / ZDNet

LA County District Attorney Publishes Warning to Avoid Using Public USB Power Stations, Biggest Risk Is ‘Juice Jacking’

The Los Angeles County District Attorney last week published a warning against using public USB charging stations in airports, hotels, and other locations because they may have been tampered with to deliver malware. The primary concern is “juice jacking,” in which a malicious charging station or cable uses the data lines of the USB connection, not just the power lines, to transfer malware to or pull data from an unsuspecting phone user’s device. LA officials recommend that travelers use an AC power outlet rather than a USB charging station, carry AC and car chargers for their devices when traveling, and consider buying a portable battery charger for emergencies.

3 days ago
Sarah Emerson / OneZero

On-Demand Transcription Service Rev Has Security Issues, Sensitive Customer Files Were Accessible to Company’s 40,000 Transcribers

Popular on-demand transcription service Rev has a security issue involving customer data uploaded to the platform: audio files and other data, including customers’ full names and business titles, are accessible to all of Rev’s 40,000 transcribers. Despite the company’s touted “strict customer confidentiality policy,” all uploaded audio can be accessed by the transcribers while it sits in Rev’s database. Until a policy change last year, Revvers could also claim and download files, then “unclaim” them and return them to the queue, an option that was removed “due to recent breaches of our confidentiality agreement and an overall effort to bolster our efforts to protect the data and privacy of our customers,” Rev said in a statement to freelancers.

3 days ago
Lawrence Abrams / Bleeping Computer

New Threat Actor Impersonates Government Agencies in Germany, Italy and the U.S. to Send Malware

A new threat actor is impersonating government agencies, including the United States Postal Service, the German Federal Ministry of Finance, and the Italian Revenue Agency, to deliver ransomware, backdoors, and banking Trojans through malicious email attachments, researchers at Proofpoint report. The threat actor is sending the messages to organizations in Germany, Italy, and the United States, with recipients heavily weighted toward business and IT services, manufacturing, and healthcare.

3 days ago
Kate Fazzini / CNBC

Justice Department Indicts Two Alleged Thieves for Using SIM Swapping in $550,000 Scheme

The Justice Department indicted two alleged thieves, Eric Meiggs and Declan Harrington, for targeting cryptocurrency executives and threatening their families, allegedly stealing or attempting to steal over $550,000 in a wide-ranging scheme. The indictment says that Meiggs and Harrington used SIM swapping, taking over victims’ phone numbers so that account-recovery and SMS verification codes were routed to them, to gain access to victims’ cryptocurrency accounts, and sent hostile messages to targets, often threatening their families. The two men were charged with wire fraud, computer fraud, and aggravated identity theft, among other charges.

4 days ago
Zak Doffman / Forbes

Vulnerabilities in Qualcomm-Powered Phones Allowed Researchers to Hack Into TrustZone on Samsung, LG and Motorola Phones, Qualcomm Says Those Flaws Are Fixed

Cybersecurity firm Check Point said it has hacked into TrustZone on Android phones from Samsung, LG, and Motorola, but says the issue could be far broader and affect the Qualcomm hardware that powers almost half of all mobile phones. TrustZone is the “hardware-enforced isolation built into the CPU” on these devices, where the most sensitive data, such as fingerprints, facial recognition templates, credit card details, and passport data, is held. Qualcomm confirmed the flaws leveraged by Check Point but says they have been fixed, and the company says it has received no reports of active exploitation.

Podcasts

20 hours ago
Cyber Speaks Live

Live from Microsoft Ignite – Cybersecurity in Local Government

Charles Burton of the Calcasieu Parish Police Jury and Mark Simos of Microsoft discuss the topic of cybersecurity best practices in local governments

20 hours ago
Security Compliance Weekly #6

Passwords Are Dead

The hosts of Security and Compliance Weekly answer questions such as: What is a security program and what is a compliance program? Aren’t they the same thing? What are some differences? Where do they overlap, or how should they work together? Do they compete for the same budget? And more.

2 days ago
Bring Your Own Security Radio

Hacking Attack Vectors You Forgot About

Printers, Wireless, and other attack vectors you might not be thinking about.

2 days ago
BBC News / Trending

How ‘state-sponsored trolling’ works

Governments are using trolls and campaigns of abuse to silence critics, to sow discord and hold onto power. We meet the targets of government trolling campaigns and the researchers trying to combat them. What can we do about state-sponsored trolling?

3 days ago
What Next TBD

How WhatsApp Got Hacked

The New York Times’s Nicole Perlroth talks about Facebook’s lawsuit against a little-known Israeli spyware firm called NSO Group. Facebook accuses NSO of supplying technology that enabled a hack of 1,400 WhatsApp accounts. Perlroth discusses what the lawsuit means for the spyware industry, and why governments are lining up to buy these products.

3 days ago
CYBER / Motherboard

How Scary Is Critical Infrastructure Hacking?

Selena Larson, a former CNN reporter and now a cyber threat intelligence analyst at Dragos, a cybersecurity company that specializes in critical infrastructure security, talks about what we should really be worried about when it comes to hacking critical infrastructure.

Cybersecurity Events

Nov. 4-9: SANS Paris November 2019, Paris, France
Nov. 7-9: POC2019, Seoul, Korea
Nov. 9: BSides Charleston, Charleston, SC, USA
Nov. 11-16: SANS London November 2019, London, UK
Nov. 15-17: SecureWV 2019 Hack3rCon X, Charleston, WV, USA
Nov. 16-28: SANS Gulf Region 2019, Dubai, UAE
Nov. 17-20: FS-ISAC Fall Summit, Washington, DC, USA
Nov. 18: SANS Austin, Austin, TX, USA
Nov. 18: Securing Mobility Summit, Los Angeles, CA, USA
Nov. 18-25: Pen Test HackFest Summit & Training, Bethesda, MD, USA
Nov. 18-20: NICE Conference, Phoenix, AZ, USA
Nov. 18-23: SANS Munich November 2019, Munich, Germany
Nov. 20-21: Infosecurity North America and ISACA, New York, NY, USA
Nov. 20-21: ISC East, New York, NY, USA
Nov. 21: Cyberwarcon, Arlington, VA, USA

