

Latest News

2 days ago
Cynthia Brumfield

This Version of Metacurity is on Hiatus While We Move to a New Format

While Metacurity has been a wonderful challenge over the past five years, it makes no financial sense in its current format. Therefore, we are going on hiatus until after Labor Day to create a new newsletter version of Metacurity. We are also going to set up an automated page, behind a paywall, that is lightly edited, with no original summaries, updated once per day, offering the same curated and clustered cybersecurity news developments you’ve come to expect from the site. Thanks to our smart and steady readers out there and sign up for our updates. Read more about this development here.

3 days ago
Lawrence Abrams / Bleeping Computer

Online Exam Proctoring Company ProctorU Has Confirmed Data Breach, 440,000 People Allegedly Affected

Online exam proctoring solution ProctorU has confirmed a data breach after a threat actor released a stolen database of user records on a hacker forum. Last month, Bleeping Computer reported that a known data breach seller had leaked 18 companies’ databases for free on a hacker forum. One of the leaked databases was for Proctoru.com and contains user records for 444,000 people allegedly registered at the online proctoring service. The database contains email addresses, full names, addresses, phone numbers, hashed passwords, the affiliated organization, and other information. Some of the colleges and universities that may be impacted are North Virginia Community College, UCLA, Princeton, University of Texas, Harvard, Yale, Syracuse University, Columbia, UC Davis, and many more.

3 days ago
Catalin Cimpanu / ZDNet

Chinese Government is Blocking Encrypted HTTPS Connections That Use TLS 1.3 and ESNI

Since the end of July, the Chinese government has deployed an update to its national censorship tool, the Great Firewall (GFW), to block encrypted HTTPS connections that are being set up using interception-proof protocols and technologies, according to a joint report published this week by three organizations tracking Chinese censorship — iYouPort, the University of Maryland, and the Great Firewall Report. Chinese officials are only targeting HTTPS traffic that is set up with new technologies like TLS 1.3 and ESNI (Encrypted Server Name Indication).

4 days ago
Julian Barnes / New York Times

Russia and China in Tug-of-War Over U.S. Election, With Russia the Graver Threat, U.S. Intelligence Officials Say

Russia is using a range of techniques to denigrate Joseph R. Biden Jr., while China prefers to defeat Donald Trump, American intelligence officials said Friday in their first public assessment that Moscow continues to try to interfere in the 2020 campaign to help Trump. Even though there is a push-pull among these two leading foreign powers as to who should lead the United States, officials say Russia is the far graver threat. Russia is deploying a range of measures that are dangerous to the American body politic, while China has so far signaled its position mostly through increased public criticism of the administration’s tough line on China on a variety of fronts. Mr. Evanina and other intelligence officials have expanded their warnings about election interference beyond Russia and have included China and Iran during briefings on Capitol Hill.



4 days ago
Catalin Cimpanu / ZDNet

Facebook Launches Static Analyzer Called Pysa for Finding Bugs in Instagram’s Vast Python Codebase

Facebook has formally launched today one of Instagram’s secret tools for finding and fixing bugs in the app’s vast Python codebase, a static analyzer named Pysa.  Facebook said that in the first half of 2020, Pysa detected 44% of all security bugs in Instagram’s server-side Python code.

4 days ago
Byron Tau / Wall Street Journal

Small Government Contractor Anomaly Six Can Track Movements of Hundreds of Millions of Mobile Phones Worldwide, Draw Location Data From More Than 500 Apps

A small U.S. company called Anomaly Six LLC with ties to the U.S. defense and intelligence communities has embedded its software in numerous mobile apps, allowing it to track the movements of hundreds of millions of mobile phones worldwide, according to interviews and documents reviewed by The Wall Street Journal. In its marketing material, Anomaly said it is able to draw location data from more than 500 mobile applications, in part through its own software development kit, or SDK, that is embedded directly in some of the apps.

5 days ago
Raphael Satter, Humeyra Pamuk / Reuters

U.S. State Department Was Behind Those Puzzling Text Messages Sent to Users in Iran and Russia Offering $10 Million Reward for Nation-State Hacker Identities

The U.S. State Department has admitted it was behind confusing and highly ridiculed text messages sent to people in Iran and Russia, and seemingly elsewhere in the world, offering them a $10 million reward for information about nation-state hackers attempting to interfere in the U.S. election. The State Department said its goal was to raise awareness of the award internationally.

5 days ago
Kashmir Hill / New York Times

Former Employees Say Online Therapy App Talkspace Applies Data Mining Techniques to Patients’ Chat Transcripts, Gave Employees Burner Phones to Skirt Google App Store’s False Review Screening Mechanism

Online app Talkspace, which lets people talk with a licensed therapist throughout the day, has questionable privacy practices and treats patient chat logs as data mines, according to former employees. Talkspace has been analyzing transcripts to develop bots that monitor and augment therapists’ work, the former employees say. The company also reportedly uses the data to sell Talkspace’s products better. Since the pandemic and recession began, Talkspace’s client base has soared. But in 2015 and 2016, the company purportedly also sought to improve its rating by asking its workers to write positive reviews, even going so far as to give employees “burner” phones to help evade the Google app store’s techniques for detecting false reviews.

5 days ago
Catalin Cimpanu / ZDNet

Hackers Deface Tens of Reddit Channels to Show Pro-Trump Messages, NFL, Disneyland, Boston Celtics Channels Affected

A massive hack hit Reddit, with tens of Reddit channels hacked and defaced to show messages in support of Donald Trump’s reelection campaign. The Reddit channels defaced include those for NFL, many TV shows, The Pirate Bay, Disneyland, Disney’s Avengers, Boston Celtics, several city channels, and more. The channels have a combined tens of millions of subscribers. Although Reddit hasn’t issued any details on the hack, the massive scale of the incident suggests that the intruder(s) might have gained access to a high-privileged moderator or admin account. Channel owners who are having problems have been asked to report them in a Reddit ModSupport thread. The Reddit hack also comes after Reddit banned r/The_Donald, a channel for Donald Trump supporters.

5 days ago
Troy Hunt / TroyHunt.com

Troy Hunt Open Sources ‘Have I Been Pwned,’ Asks the Community to Help Support the Effort

On the heels of an aborted merger and acquisition initiative, highly respected cybersecurity expert Troy Hunt has decided to open source his ground-breaking Have I Been Pwned code base. He said he is turning over the code to the public “for the betterment of the project and frankly for the betterment of everyone who uses it.” He said the project solely depends on him and is asking the community to help support the effort.

5 days ago
Sergiu Gatlan / Bleeping Computer

Flaws in Qualcomm’s Snapdragon DSP Chip Could Allow Attackers to Control Almost 40% of Smartphones

Six security vulnerabilities were found in Qualcomm’s Snapdragon Digital Signal Processor (DSP) chip that could allow attackers to take control of almost 40% of all smartphones, spy on their users, and create un-removable malware capable of evading detection, researchers at Check Point say. The chips can be found in nearly every Android phone, including high-end phones from Google, Samsung, LG, Xiaomi, OnePlus, and more. Qualcomm has already patched the six security flaws found to affect the Qualcomm Snapdragon DSP chip; mobile vendors still have to implement and deliver security fixes to their devices’ users.

5 days ago
Andy Greenberg / Wired

Chinese State-Sponsored Hacking Group ‘Operation Skeleton Key’ Has Compromised at Least Seven Taiwanese Chip Firms

A hacking campaign called Operation Skeleton Key has compromised at least seven Taiwanese chip firms over the past two years, researchers at Taiwanese cybersecurity firm CyCraft say. The deep intrusions, which use a “skeleton key injector” technique, appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. CyCraft previously called the group of hackers Chimera; the company’s new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom.

5 days ago
Zack Whittaker / TechCrunch

More Than a Dozen Vulnerabilities in Mercedes-Benz E-Class Cars Allowed Security Researchers to Remotely Open Doors, Start Engine

More than a dozen vulnerabilities in a Mercedes-Benz E-Class car allowed security researchers at the Sky-Go Team, the car hacking unit at Qihoo 360, to remotely open its doors and start the engine. The 19 security vulnerabilities are now fixed but could have affected as many as two million Mercedes-Benz connected cars in China.

5 days ago
Dan Goodin / Ars Technica

Researcher Who Intercepted Signals of Eighteen Satellites Says Satellite Communications Put Millions of People at Risk

Satellite-based Internet is putting millions of people at risk, despite providers adopting new technologies that are supposed to be more advanced, Oxford Ph.D. candidate James Pavur showed. Pavur intercepted the signals of 18 satellites beaming Internet data to people, ships, and planes in a 100 million-square-kilometer swath that spans the United States, Caribbean, China, and India. Pavur said current solutions such as VPNs are ineffective for satellite communications and that he is presenting his findings so that the community can devise solutions.

6 days ago
Brian Krebs / Krebs on Security

Fraudsters Reportedly Responsible for Collecting Millions in COVID-19 Loans, Unemployment Benefits Got Massively Detailed Consumer Dossiers from Little-Known Data Broker Whose Legit Business Customers Were Likely Hacked

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on the people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, Interactive Data, also known as IDIdata.com. The fraudsters obtained massively data-rich consumer dossiers from IDI that included full Social Security number and date of birth, current and all known previous physical addresses, all known current and past mobile and home phone numbers, the names of any relatives and known associates, all known associated email addresses, available lines of credit and amounts, vehicle registrations and much more. IDI believes that its legitimate business customers experienced a breach giving the fraudsters access to the data and says the firm is working with law enforcement. Communication among the fraudsters indicates they are cashing out their ill-gotten gains primarily through financial instruments like prepaid cards and a small number of online-only banks that allow consumers to establish accounts and move money just by providing a name and associated date of birth and SSN.

6 days ago
Catalin Cimpanu / ZDNet

Intel is Investigating How 20 GB of Internal Documents Were Uploaded on File-Sharing Site, Hacker Claims to Have Obtained Data via Unsecured Server

US chipmaker Intel is investigating a security breach after earlier today 20 GB of internal documents, with some marked “confidential” or “restricted secret,” were uploaded online on file-sharing site MEGA. Swiss software engineer Till Kottmann published the data because he manages a popular Telegram channel where he regularly publishes data that accidentally leaked online from major tech companies. Kottmann said he received the files from an anonymous hacker who claimed to have breached Intel earlier this year, and the files are part of a series of Intel-related leaks.  None of the leaked files contain sensitive data about Intel customers or employees. Intel denies getting hacked and said that an individual with access to its Resource and Design Center might have downloaded the confidential data without authorization and shared it with the Swiss researcher. The alleged hacker claimed to have obtained the data via an unsecured server hosted on the Akamai CDN, and not by using an account on the Intel Resource and Design Center.

6 days ago
Ionut Ilascu / Bleeping Computer

Already-Patched Stuxnet-Like Print Spooler Zero-Day Flaw in Windows Printing Services Can Give Attackers Elevated Privileges

Peleg Hadar and Tomer Bar of SafeBreach Labs found a way to bypass an already patched bug in the Windows printing services, which gives attackers a path to executing malicious code with elevated privileges. The so-called zero-day flaw, tracked as CVE-2020-1048, first got fixed by Microsoft in May and another patch is forthcoming in August’s security updates. Exploiting CVE-2020-1048 is possible by crafting malicious files parsed by the spooler. Ten years ago, Stuxnet, the cyber weapon jointly launched by the U.S. and Israel to cause physical damage at a nuclear enrichment facility in Iran, used a print spooler exploit to gain remote access. Although Microsoft’s fix for the Stuxnet vulnerability closed the remote access, the flaw found by Hadar and Bar is a local privilege escalation hole.

6 days ago
Anna Maria Andriotis / Wall Street Journal

Government Bank Regulator Fines Capital One $80 Million for Inadequate Risk Assessment Processes That Led to Data Breach

The Office of the Comptroller of the Currency (OCC) has fined Capital One $80 million over a data breach last year that compromised the personal information of about 106 million card customers and applicants. The OCC said the bank failed “to establish effective risk assessment processes” before transferring information-technology operations to the public cloud and “to correct the deficiencies in a timely manner.” The order requires the bank to make risk-management changes and beef up its cybersecurity defenses. The bank said it has already made many of the needed changes.

6 days ago
Sean Lyngaas / Cyberscoop

Top Voting Machine Vendor ES&S Has a New Vulnerability Disclosure Policy That Gives Ethical Hackers More Latitude to Find Bugs

The country’s largest voting machine vendor ES&S announced a new vulnerability disclosure policy that will allow it to work more closely with security researchers to find software bugs in the company’s IT networks and websites. The new policy, which gives the company 90 days to fix problems before the researchers go public, allows researchers to probe ES&S’s corporate systems and public-facing websites, but not the election systems in place at jurisdictions around the country, which are subject to different testing regimes.

6 days ago
Laurens Cerulus / Politico

Pompeo Announces Plans for Blocking ‘Untrusted’ Chinese Apps from U.S. App Stores

U.S. Secretary of State Mike Pompeo presented plans showing how the U.S. wants to expand its campaign against China’s involvement in the global technology industry and block “untrusted” Chinese apps from the U.S. app stores. He also said the U.S. government wants to stop U.S. citizens’ data and companies’ intellectual property from running on “cloud-based systems run by companies such as Alibaba, Baidu, China Mobile, China Telecom and Tencent.”

6 days ago
Julian Barnes / New York Times

State Department Will Pay Up to $10 Million for Information on Foreign Government Hackers Trying to Interfere in U.S. Elections, Issues Report on Russia’s Continued Disinformation Campaigns

The State Department said it would offer rewards of up to $10 million for information to help identify any person who, acting at the direction of a foreign government, tries to hack into election or campaign infrastructure. The diplomatic arm of the government offered the bounty on the same day it released a report that states Russia continues to use a network of proxy websites to spread disinformation in the West. The report, produced by the Department’s Global Engagement Center, says that the Strategic Culture Foundation is directed by Russia’s foreign intelligence service, the S.V.R., and stands as “a prime example of longstanding Russian tactics to conceal direct state involvement in disinformation and propaganda outlets.”

Podcasts

5 days ago
BBC Tech Tent

The future for TikTok in the United States

Why the popular video app faces being bought out or banned in the US. Chris Fox is joined by the BBC’s North America technology reporter James Clayton to discuss the history of the app and why Donald Trump appears determined to ban it. Alex Stamos, former chief security officer at Facebook, discusses whether TikTok is really a security concern. Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, explains why banning an app is tough to do. Vishal Shah from Instagram touts his TikTok alternative ‘Reels’ – one of the platforms hoping to attract TikTok users.

5 days ago
ISC StormCast

FTCODE Ransomware Resurfaces; MSFT Defender vs hosts file; MSFT Print Spool Vulnerabilities

Johannes Ullrich talks about the resurfacing of FTCode ransomware, Microsoft anti-malware flagging hosts file manipulation, and the revival of an older printer vulnerability.

5 days ago
Cyber Security Today

August 7, 2020 – How to avoid going to fake web sites

Ways to make sure you go where you want, not to sites created by crooks.

6 days ago
CYBER / Motherboard

The Internet Vigilante That Hunts Gaming’s Biggest Cheaters

Motherboard reporter Lorenzo Franceschi-Bicchierai talks about the infamous cheater hunter, Gamerdoc, who infiltrates secret online chatrooms to hunt down wrongdoing and the dishonest who prey upon and exploit the system.

6 days ago
Smashing Security

190: Twitter hack arrests, email bad behaviour, and Fawkes vs facial recognition

Graham Cluley and Carole Theriault, joined this week by “Crime Dot Com” author Geoff White, talk about the creepy (and apparently legal) way websites can find out your email and postal address even if you don’t give it to them, take a look at how the alleged Twitter hackers were identified, and learn about Fawkes – the technology fighting back at facial recognition.

6 days ago
Wall Street Journal Tech News Briefing

Hackers Get the Green Light to Test Elections Systems

After years of keeping security researchers at bay, election equipment makers are opening their devices to hackers to try and uncover vulnerabilities ahead of the election. Robert McMillan joins again to explain what’s going on. Amanda Lewellyn hosts.

Cybersecurity Events

Aug. 6-9 | Defcon | Virtual
Aug. 6 | Future of Digital Identity: Self-Sovereign Identity & Verifiable Credentials | Virtual
Aug. 10-15 | SANS Training | Virtual
Aug. 12 | Dolphin Tank®: Cyber Security (VIRTUAL) | Virtual
Aug. 13 | CISO Live | Virtual
Aug. 13 | SecureWorld Chicago - Twin Cities - St. Louis Virtual Conference | Virtual
Aug. 13 | Cloud Security Summit | Virtual
Aug. 10-14 | Tactical Edge | Virtual
Aug. 12-14 | USENIX Security Symposium | Virtual
Aug. 15 | Digital Kids SecuriDay | Virtual
Aug. 19 | ExploitCon Spokane | Virtual
Aug. 21-22 | The Diana Initiative | Virtual
Aug. 25 | SecureIT | Virtual
Aug. 27 | SecureWorld Atlanta - Charlotte | Virtual
Sept. 23 | DC METRO 2020 Virtual Cyber Security Summit | Virtual

