Latest News

31 mins ago
Ionut Ilascu / Bleeping Computer

Four-Year Flaw in Libssh is Stupidly Simple to Exploit, Grants Server Access With a Single Simple Message

A four-year-old vulnerability in the Secure Shell (SSH) implementation library known as Libssh, which grants access to the server by just telling it that the authentication procedure was a success, has been fixed in the newly released versions of the libssh library. The severe vulnerability was discovered by Peter Winter-Smith of NCC Group and has received the identification number CVE-2018-10933. All that is needed to leverage the flaw is to present the server with the SSH2_MSG_USERAUTH_SUCCESS message, which indicates that the login already occurred without a problem.

3 hours ago
Ian Barker / BetaNews

Worldwide Security Skills Gap Is Nearly Three Million, Most of the Worker Shortage in Asia-Pacific, Survey

New research from cybersecurity trade association (ISC)² concludes there is a worldwide cybersecurity skills gap of 2.9 million. The Asia-Pacific region has the greatest shortage, at 2.14 million, with North America experiencing a shortfall of half a million cybersecurity workers. Sixty-three percent of the firms surveyed by the organization say they have a shortage of IT staff dedicated to cybersecurity, with 59 percent of those saying their companies are at moderate or extreme risk of cyber attacks due to the shortage.

3 hours ago
Catalin Cimpanu / ZDNet

Oracle Issues Massive Security Update to Address 300+ Vulnerabilities, 46 With 9.8+ Severity Ratings

Oracle has issued a massive security update to address more than 300 CVE-listed vulnerabilities in its various enterprise products, from its flagship Database to E-Business Suite to Fusion Middleware packages, including 46 with a 9.8+ severity rating, meaning they can be remotely exploited. One vulnerability that received a 10 rating impacts Oracle GoldenGate, a data replication framework that can work with large quantities of information in real-time.

4 hours ago
Kurt Wagner / Recode

Facebook Admits Its Portal Device Will Collect Data That Can Be Used for Targeted Ads

Despite earlier assertions, Facebook has admitted that its new video and audio-activated in-home gizmo Portal is capable of collecting data about its users and using that data to target ads but does not plan to do so, at least not for a while. A Facebook spokesperson stated that because Portal voice and video is built on the Messenger platform, “we collect the same types of information (i.e. usage data such as length of calls, frequency of calls) that we collect on other Messenger-enabled devices. We may use this information to inform the ads we show you across our platforms. Other general usage data, such as aggregate usage of apps, etc., may also feed into the information that we use to serve ads.”

6 hours ago
Jack Stubbs / Reuters

A Successor to BlackEnergy, GreyEnergy, Has Infected Energy and Transport Companies in Ukraine and Poland, Researchers

A successor of the BlackEnergy APT group, dubbed GreyEnergy, has infected three energy and transport companies in Ukraine and Poland with sophisticated new malware and may be planning destructive cyber attacks, researchers at ESET report. The toolset used by the group was last seen knocking out the power grid for major portions of Ukraine in 2015. Since then, however, GreyEnergy has engaged in less destructive campaigns, using a more modern toolkit with an even greater focus on stealth. GreyEnergy’s malware framework bears many similarities to BlackEnergy. ESET observed GreyEnergy deploying an early version of the TeleBots’ NotPetya worm, six months before it was altered, improved, and deployed in the most damaging ransomware outbreak in history. Although ESET has not blamed GreyEnergy’s attacks on Russian intelligence, BlackEnergy has been widely considered to be an effort by Russian-state actors.

7 hours ago
Mohit Kumar / The Hacker News

New iPhone Bypass Bug Similar to One Just Patched Can Allow Hackers to Access Photos and Send Them Using Apple Messages

An iPhone bypass bug similar to one that was patched in iOS 12 in late September, which allows attackers with physical access to an iPhone to access the device’s contacts and photos, was discovered by Jose Rodriguez, a Spanish amateur security researcher, who also found the first bug. The new hack he discovered is even easier than the first one and allows hackers to access the iPhone’s photo album and send selected photos to anyone using Apple Messages. The new hack requires ten steps and uses Siri and the VoiceOver screen reader to get through the phone’s defenses.

1 day ago
Joseph Cox and Jason Koebler / Motherboard

Trump-Loving Daters’ Information Exposed in Misconfigured Database for ‘Make America Date Again’

“Make America Date Again,” the website for the dating app Donald Daters, which aims to connect those seeking dates with fellow Trump supporters, is exposing user information in an open database, reports security researcher Baptiste Robert, who goes by the handle Elliot Alderson. The leaked data includes biographical details such as names and profile photos, but also potentially tokens for logging into people’s accounts and private messages. The cause of the leak is a misconfigured database which contains the Donald Daters user information.

1 day ago
Yoko Kubota / Wall Street Journal

Apple Says It’s ‘Deeply Apologetic’ About iCloud Accounts That Were Hacked in China Using Stolen Apple IDs

Apple apologized in a statement regarding a situation, first reported last week, in which Chinese mobile payment companies Alipay and WeChat experienced thefts from hackers who used stolen Apple IDs. In its statement, Apple said “[w]e are deeply apologetic about the inconvenience caused to our customers by these phishing scams.” The victims whose IDs were stolen had not turned on two-factor authentication, according to Apple, although Apple didn’t specify how the hackers gained access to the IDs, nor how many users were affected, nor how much money was stolen.

1 day ago
Ricardo Alonso-zaldivar / Associated Press

Anthem Agrees to Pay HHS $16 Million to Settle Privacy Violations Stemming from 2015 Breach, An Amount Three Times That of Previous Record Penalty

Anthem, the nation’s second-largest health insurer, has agreed to pay the government a record $16 million to settle potential privacy violations for a data breach that exposed the personal information of nearly 79 million people in 2015. The settlement between Anthem and the U.S. Department of Health and Human Services (HHS) comes after HHS found that Anthem had failed to deploy adequate measures for countering hackers. It represents the largest amount collected by the Department in a health-care related breach, nearly three times larger than the previous record amount. Anthem also agreed to a corrective action plan under government monitoring, which involves a process for the company to assess its electronic security risks, take appropriate countermeasures and maintain ongoing surveillance.

1 day ago
Nitasha Tiku / Wired

Google CEO Discusses Censored ‘Project Dragonfly’ Search Engine for China, Says Over 99% of Queries Are Able to Be Served

Google CEO Sundar Pichai spoke publicly for the first time about the company’s controversial censored “Project Dragonfly” search engine under development for China, saying that tests show that Google will be able to serve well over 99 percent of the queries users submit, despite the state-mandated censorship. Pichai did concede that Google’s decision to move forward with the search engine “weighs heavily” on the company but that it also follows the rule of law in every country.

1 day ago
Zack Whittaker / TechCrunch

Many Sensitive Government Departments and Agencies, Including DoD, CIA and NSA, Are Still Not Using Mandated Email Security Feature Despite Deadline

Some of the most sensitive U.S. government departments and agencies are still not using DMARC (domain-based message authentication), a basic email security feature that cuts down on incoming spam or phishing emails, security firm Agari reports. Among the government departments and agencies not using DMARC are the CIA, the NSA, and the Department of Defense, even though the deadline for adopting DMARC under a Homeland Security directive (BOD 18-01) passed on Tuesday.

1 day ago
David Bond / Financial Times

NCSC: UK Hit by More Than 1,000 Serious Cyberattacks Over the Past Two Years, Catastrophic ‘Category One’ Attack On the Way

According to the latest annual report by the UK’s National Cyber Security Centre, an arm of the country’s top intel agency, GCHQ, the UK was hit by more than 1,000 serious cyberattacks over the past two years, with more than 70% launched by hostile state hackers such as Russia, China and North Korea. Between September 2017 and August 2018, the NCSC handled what it described as 577 “front line” cyber attacks, attacks that require detailed analysis and investigation by GCHQ, slightly down from the 590 such attacks handled in the previous 12 months. But the persistence and frequency of these attacks mean the UK must stay on high alert, Ciaran Martin, chief executive of NCSC, said. Martin said there is little doubt the UK would eventually be tested by a category one attack, which causes “sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.”

1 day ago
Ingrid Lunden / TechCrunch

Temasek to Acquire Israeli Cybersecurity Start-Up Sygnia for a Reported $250 Million

Singaporean government-controlled company Temasek has acquired Israeli cybersecurity company Sygnia for a reported $250 million. Sygnia, which came out of stealth less than a year ago after being incubated by cybersecurity-focused Team8, was co-founded by a team of elite security specialists from Israel, and had received only $4.3 million in investments by Team8. Sygnia has apparently been generating revenue even before it came out of stealth mode, supplying customers with technology to combat cyber threats.

1 day ago
WNCT9

North Carolina Water Utility Hit by Ransomware Attack, Account, Engineering and Human Resources Will Run Manually for Weeks to Come

In echoes of a major ransomware attack that crippled the city of Atlanta’s systems last year, the internal computer system for Onslow Water and Sewer Authority (ONWASA) in North Carolina was hit by banking trojan EMOTET malware Saturday, which was followed by an infestation of the RYUK ransomware. ONWASA has received one email from the cybercriminals, who may be based in a foreign country, and is working with the FBI, which has advised ONWASA not to pay the ransom. ONWASA is also working with cybersecurity firms. Although no customer data was compromised, ONWASA says it has to rebuild all of its customer databases entirely. Although no water and wastewater services have been disrupted, the utility said the timeliness of payment service will be impaired for weeks to come and all service orders, account creation, connections, disconnections, development review, backflow program, engineering, and human resources will utilize manual processes until the computer systems are restored.

1 day ago
Catalin Cimpanu / ZDNet

Voter Records for Around 36 Million U.S. Citizens Offered for Sale on Dark Web for $42,000

Voter information for approximately 35 million US citizens is being offered for sale on a popular hacking forum, according to researchers from Anomali Labs and Intel471. The data for sale include full name, phone numbers, physical addresses, voting history, and other voting-related information. Many of the states involved already offer the information for download but not all states have this policy. The data covers 19 states and is priced at $42,000 for all of them combined. The seller claims the data is being refreshed every Monday. Many of the forum users have pooled money to buy one or more databases and share them with the rest of the forum’s users. The forum administrator, known as Omnipotent, has a long history of sharing voter data on the forum.

2 days ago
Jon Fingas / Engadget

Malicious Message Bug in PlayStation 4 Causes Consoles to Crash, Renders Them Unable to Start Properly

Numerous PlayStation 4 (PS4) owners have reported receiving malicious Playstation Network messages where an unrecognized character effectively bricks their consoles, making them crash and leaving them unable to start properly. Deleting the messages doesn’t solve the problem; the only solution is to rebuild the database in Safe Mode or factory reset the system. Users can apparently protect themselves from the malicious messages by restricting messages on their consoles. Whatever malicious message bug is afflicting PS4 has in some instances been used during matches to cause the opposing team to crash and be unable to complete a match.

2 days ago
BBC News

UK Government Issues Voluntary Code of Practice for Manufacturers to Strengthen IoT Device Security

The UK’s Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre have published a code of practice to strengthen the security of Internet-connected devices such as home alarm systems, fridges and toys. The goal is to stop Internet-of-things (IoT) devices from being hijacked for use in cyber attacks. The code outlines 13 separate steps that manufacturers can take to make their IoT devices more secure, such as securely storing customer data, regularly updating software, requiring users to employ stronger passwords and more. The code, however, is voluntary but so far two top electronics makers, HP and Hive Centrica, have agreed to follow it.

2 days ago
Jonathan Chadwick / Computer Business Review

UK-Based Secure Browsing Start-Up Garrison Raises Another $30 Million in Venture Round

UK-based secure web browsing start-up Garrison has raised $30 million (£22.7 million) in its latest funding round, the biggest venture funding round in cybersecurity by UK investors since Digital Shadows secured a $26 million investment 13 months ago. The round was led by Dawn Capital with IP Group, BGF, and NM Capital also participating. Garrison lays claim to developing the first truly secure web browser, applying national-security-grade levels of protection to the commercial environment.

2 days ago
Janene Pieters / NL Times

Dutch Defense Minister Says Her Country Is In a ‘Cyber War’ With Russia, Has Offered ‘Cyber Soldiers’ to Help NATO Countries

Defense Minister Ank Bijleveld said The Netherlands is in the midst of a “cyber war” with Russia after the country’s security forces foiled a cyber attack by the Russian secret service on chemical weapons watchdog OPCW. Calling what the Russians are doing “dangerous,” Bijleveld said that The Netherlands “offered to NATO that we can deploy our cyber soldiers. We are actively looking into where we can secure and increase resilience, but also where we can do things offensively if necessary.”

2 days ago
Rohan Pearce / Computerworld

Cisco, Mozilla Join Growing List of Australia’s Encryption-Busting Bill Critics, Express ‘Grave Concern’ Over Loss of Security

Tech giant Cisco has joined other Silicon Valley giants in expressing “grave concern” about Australia’s encryption-busting bill, the Telecommunications Assistance and Access legislation designed to give law enforcement access to encrypted communications. In a submission to Parliament, Cisco said the bill would “undercut sustained efforts by Cisco and others to develop, deploy and maintain technologies that are secure, trustworthy, transparent and accountable.” Mozilla also weighed in with its objections, saying the “breadth and lack of clarity” of the proposed legislation “would result in a net loss for security and due process, and would introduce substantial international complexities impacting both developers and users of technology.”

Podcasts

5 hours ago
Risky Business #518

‘Russian Cambridge Analytica’ booted off Facebook after token hack

Adam Boileau and Patrick Gray discuss the week’s top news, including more info on the Facebook token hack, Facebook booting the “Russian Cambridge Analytica” off its platform, a Chinese MSS officer extradited to the USA after being lured to Belgium, NotPetya linked to the Sandworm crew and more.


5 hours ago
ISC StormCast

Oracle CPU; libssh vulnerability; Vending Machine Mobile App; TLS1.0/1.1

Johannes Ullrich talks about Oracle CPU, libssh vulnerability, Vending Machine Mobile App Compromise, Browsers Announce Timeline to Discontinue TLS1.0/1.1 support.


5 hours ago
SECURITY NOW 685

GOOD SAMARITANS?

Steve Gibson and Leo Laporte observe the untimely death of Microsoft’s co-founder Paul Allen, revisit the controversial Bloomberg China supply chain hacking report, catch up on Microsoft’s October patching fiasco, follow-up on Facebook’s privacy breach, consider the implications of grey-hat vigilante hacking of others’ routers and more.


5 hours ago
Hack Naked News #193

Microsoft, Apple & Fake Adobe Updates

Millions of voter records for sale on the Dark Web, Apple passcode bypass can access pictures and contacts, how Chrome and Firefox could ruin your business, fake Adobe updates, Microsoft zero-day patch for JET bug incomplete, and 5 ways attackers are targeting the healthcare industry. Doug White joins the podcast for expert commentary on how China used a tiny chip to infiltrate America’s top companies.


Cybersecurity Events

Date           | Event                                                          | City              | Country
Oct. 15-16     | Cyber Recoded 2018                                             | London            | UK
Oct. 16-17     | Privacy. Security. Risk. 2018                                  | Austin, TX        | USA
Oct. 17        | SecureWorld Cincinnati                                         | Cincinnati, OH    | USA
Oct. 19        | Hacking Politics: Symposium                                    | Berkeley, CA      | USA
Oct. 22-25     | ICS Cyber Security Conference                                  | Atlanta, GA       | USA
Oct. 23-24     | MITRE ATT&CK                                                   | McLean, VA        | USA
Oct. 24        | Cyber Security Summit                                          | Minneapolis, MN   | USA
Oct. 25        | Belgian Cybersecurity Convention                               | Mechelen          | Belgium
Oct. 25-26     | WildWildWest HackFest                                          | Deadwood, SD      | USA
Oct. 29-Nov. 2 | Code Blue                                                      | Tokyo             | Japan
Oct. 30        | Swiss Cyber Storm                                              | Berne             | Switzerland
Oct. 31-Nov. 1 | SecureWorld Denver                                             | Denver, CO        | USA
Nov. 2-3       | Hackfest 2018                                                  | Quebec City       | Canada
Nov. 2-3       | BSidesBDX                                                      | Bordeaux          | France
Nov. 2-4       | International Conference on Communication and Network Security | Qingdao           | China
