Latest News

5 hours ago
Brian Krebs / Krebs on Security

Around 885 Million Mortgage Deal Documents Were Leaked From Website of Real Estate Title Insurance Giant First American Financial, Bank Records, SSNs, Drivers License Images Exposed

Serving up an invaluable cache for phishers, scammers and cybercriminals, the web site for Fortune 500 real estate title insurance giant First American Financial Corp. leaked an estimated 885 million documents related to mortgage deals going back to 2003, Brian Krebs discovered after being tipped off by real estate developer Ben Shoval. The digitized records included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. These records were available without authorization to anyone on the Internet. Any visitor to the website who knew the URL for a valid document could view other documents just by modifying a single digit in the link, including anyone who had ever been sent a document link via email by First American. Most of the exposed files were wire transactions with bank account numbers and other information from home or property buyers and sellers. Shoval was able to view other people’s records by modifying document numbers in a link sent to him by moving the numbers up or down. As of the morning of May 24, First American was returning sensitive documents for strangers up to the present day, including many PDFs and post-dated forms for upcoming real estate closings. By Friday afternoon, First American Financial disabled the site that exposed the records.

6 hours ago
Thomas Claburn / The Register

Top License Plate Reader Company Perceptics Has Been Hacked, Internal Files Stolen and Offered for Free on the Internet

Tennessee-based Perceptics, which makes vehicle license plate readers used extensively by the US government and cities to identify and track citizens and immigrants, has been hacked, with its internal files stolen and currently offered for free on the Internet. Perceptics recently announced it had landed “a key contract by US Customs and Border Protection to replace existing LPR technology and to install Perceptics next generation License Plate Readers (LPRs) at 43 US Border Patrol checkpoint lanes in Texas, New Mexico, Arizona, and California.” Someone named Boris Bullet-Dodger, who might be the same person who flagged the hack of German IT management company CityComp las month, drew attention to the hack. The stolen files fill hundreds of gigabytes and include Microsoft Exchange and Access databases, ERP databases, HR records, Microsoft SQL Server data store and more. Perceptics acknowledged it was hacked and said it is investigating the matter.

11 hours ago
Joseph Cox / Motherboard

Multiple Snap Employees Used Privileged Access to Spy on Snapchat Users Using Internal Tools, Including One to Respond to Law Enforcement Requests

Multiple employees inside social media giant Snap have abused their privileged access to dedicated tools for accessing user data to spy on Snapchat users according to sources and internal company emails obtained by Motherboard. The internal tools allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. One of the tools, called SnapLion, which purportedly provides “the keys to the kingdom,” was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena.

14 hours ago
Kate Fazzini / CNBC

In a First, Moody’s Slashes Equifax’s Credit Rating From Stable to Negative Due to Fallout From Massive 2017 Breach

Investor rating giant Moody’s slashed its rating outlook on consumer credit rating company Equifax from stable to negative as the company experiences the fallout from its massive 2017 consumer data breach, the first time cybersecurity issues have been cited as the reason for a downgrade. Moody’s cited Equifax’s recent $690 million first-quarter charge for ongoing legal costs and regulatory fines as contributing to the downgrade. Looking ahead, Moody’s doesn’t see the breach-related cost picture improving for Equifax, estimating the company will incur breach-related expenses and capital investments of $400 million in 2019 and 2020.

14 hours ago
Zack Whittaker / TechCrunch

Google Pulls Two Malicious Apps Masquerading As Cryptocurrency Apps on Play Store, One Impersonated Popular Wallet Trezor

Two malicious apps masquerading as cryptocurrency apps on Android’s app store, Google Play, were found by security firm ESET. One of the apps was a dud but the other app impersonated Trezor, a hardware cryptocurrency wallet. Although that app couldn’t be used to steal cryptocurrency, it was connected to a second Android app that could have been used to scam funds out of unsuspecting victims by tricking users to turn over their login credentials. Both apps were collectively downloaded more than 1,000 times and after ESET contacted Google, the apps were pulled down.

14 hours ago
Charlie Savage / New York Times

U.S. Indicts Julian Assange on 17 Counts of Violating Espionage Act in Case That Raises Profound First Amendment Fears of Government Intrusion on a Free Press

In a case that has roiled journalists and First Amendment lawyers because it raises profound issues of government intrusion on First Amendment rights, Wikileaks leaders and co-founder Julian Assange has been indicted by the Justice Department on 17 counts of violating the Espionage Act for his role in obtaining and publishing secret military and diplomatic documents in 2010. The new charges raise the legal stakes for Assange who has already been indicted on an earlier hacking-related count brought by federal prosecutors in Northern Virginia. Legal experts and free speech advocates are raising the alarm bells that this latest indictment against the former but now disgraced and widely despised government transparency activist could open the door to criminalizing activities that are crucial to American investigative journalists who write about national security matters. The case focuses on Mr. Assange’s role in the leak of hundreds of thousands of State Department cables and military files by the former Army intelligence analyst Chelsea Manning, with prosecutors arguing that the publication of sensitive government documents cultivated from a source without government authorization, a bread-and-butter everyday activity for journalists across the globe, constitutes a crime. Top journalists and First Amendment legal experts fear this rationale could establish a precedent used to criminalize future acts of national-security journalism.

1 day ago
Catalin Cimpanu / ZDNet

Researcher and Exploit Seller SandboxEscaper Publishes Two New Windows Zero-Day Flaws, Proof-of-Concept Code, Marking Third Day in a Row for Revealing Previously Unknown Windows Vulnerabilities

The security researcher and exploit seller who calls herself SandboxEscaper has published today new Windows zero-days, representing the third day in a row she has published Windows zero-days. On her Github account, she published proof-of-concept code for two zero-days, but also short explainers on how to use the two exploits, marking the seventh and eight zero-days the researcher has published in the last ten months. Her first exploit published today is a bypass for Microsoft’s current patch for CVE-2019-084, a vulnerability that allows low privileged users to hijack files that are owned by NT AUTHORITY\SYSTEM. The second zero-day she published today targets the Windows Installer folder (C:\Windows\Installer). Over the last three days, SandboxEscaper has published a local privilege escalation exploit in the Windows Task Scheduler process, a sandbox escape for Internet Explorer and a local privilege exploit in the Windows Error Reporting service, which is technically not a zero-day given that Microsoft has already patched the problem.

1 day ago
Ian Duncan / Baltimore Sun

Google Disabled Gmail Accounts Created by Baltimore Officials Used as Workaround While City Recovers From Ransomware Attack but Upon Appeal Restored Them

Gmail accounts used by Baltimore officials as a workaround while the city recovers from the Robbinhood ransomware attack that struck the city on May 7 were disabled because the creation of a large number of new accounts in one place triggered Google’s automated security system. Initially, Google said that the accounts were “circumventing their paid service” and the city would need to pay for a business account. But after city employees were able to talk to Google executives, Google resolved the situation in the city’s favor and restored their access to the accounts.

1 day ago
Kim Sengupta / Independent

UK Foreign Secretary Calls out Russia for Its Cyber Warfare Campaign Against Critical Infrastructure, Says UK Has Worked With 16 NATO States to Track Russia’s Hunt for Vulnerabilities

In a keynote speech at the Nato Cyber Defence Pledge Conference today, UK foreign secretary Jeremy Hunt will say that Russia has been engaged in a systematic and malicious “global campaign” of cyber warfare targeting critical national infrastructure with Britain providing help to allied states to counter the threat. Hunt will point to the UK’s National Cyber Security Centre, which he says has been working with 16 other Nato states, and even more nations outside the alliance, over the past 18 months to chart how Russia has been looking for vulnerabilities in cyber systems and seeking to compromise government networks.

1 day ago
Stephen Losey / Military Times

The Air Force is Investigating a Cyber Intrusion by a Navy Prosecutor Into an Air Force Lawyer’s Computer, ‘Splunk Tool’ Malware Allegedly Sent to Spy on Defense Attorney’s Computer

The Air Force is investigating the Navy for a cyber intrusion into its network, according to a May 19 memo from Navy Capt. David Wilson, chief of staff for the Navy’s Defense Service Offices. The incident stems from a decision by a Navy prosecutor to embed hidden tracking software into emails sent to defense attorneys, including one Air Force lawyer, involved in a high-profile war-crimes case of a Navy SEAL in San Diego in an effort to track the leak of information to the editor of The Navy Times. A similar tracking device was also sent to Carl Prine, the Navy Times editor, who has written many articles about the case. The defense lawyer’s information security manager concluded the malware was a “splunk tool,” which allowed the sender of the malware to gain “full access to his computer and all files on his computer.” The media leaks relate to the separate courts-martial of Special Operations Chief Edward Gallagher, a Navy SEAL, and Lt. Jacob Portier, the commander of Gallagher’s platoon, which had been under a gag under by the judge in Gallagher’s case.

2 days ago
BBC News

Irish Data Regulator Opens an Investigation Into Whether Google’s Ad Exchange Violates GDPR Privacy Rules

The Irish Data Protection Commission (DPC) has opened up a statutory inquiry into the way Google provides advertising services across the European Union to probe whether the use of personal data to target online advertising is compliant with the European Union’s General Data Protection Regulation (GDPR) in the context of Google’s online Ad Exchange.  Google’s Ad Exchange system is used by companies to target people with personalized advertisements across the Internet. If Google is found to be in violation of the GDPR, it could face fines up to 4% of its annual revenue.

2 days ago
Jeff Stone / Cyberscoop

Dutch Authorities, Europol Seize One of Top Cryptocurrency ‘Mixing’ Services BestMixer.io

The Dutch Fiscal Information and Investigation Service (FIOD) along with Europol and investigative support from McAfee has seized BestMixer.io, a bitcoin mixing website that authorities say served as one of the busiest cryptocurrency laundering services in the world. Bestmixer.io was one of the three largest mixing services for cryptocurrencies and offered services for mixing the cryptocurrencies bitcoins, bitcoin cash and litecoins, according to Europol. It offered to launder those currencies that may have been tainted in association with Internet crime.

2 days ago
Jim Saunders / News Service Florida

Florida Governor DeSantis Orders a Cybersecurity Review of All 67 Counties in Wake of New Election-Related Hacking Revelations

Eight days after hosting a press conference to announce that two Florida counties were penetrated by Russian hackers during the 2016 presidential election, Republican Florida Governor Ron DeSantis has directed Secretary of State Laurel Lee to immediately start a review of the security of state and county election systems after disclosures about Russian hacking during the 2016 campaign. The review will focus on cybersecurity and involve all 67 counties. In a letter to Lee, DeSantis directed that the “Department [of State] shall develop a plan to identify and address any vulnerabilities,” the letter said. “You are further directed to make this a top priority of the department and report your findings to the Executive Office of the Governor upon completion of your review.”

2 days ago
Ian Duncan / Baltimore Sun

Baltimore Deploys Forensic and Recovery Teams to Slowly Bring City Systems Back Online After May 7 Ransomware Attack Hobbled Its Digital Infrastructure

In the most extensive comments made by city officials since a Robbinhood ransomware attack struck Baltimore’s municipal systems on May 7, Sheryl Goldstein, a deputy chief of staff given the job of overseeing the response to the cyber attack, said the technical staff dealing with the attack is split into a forensic team and a recovery team. The forensic team is moving slowly to hunt for the malware in nooks and crannies of Baltimore’s network and the recovery team is also moving cautiously to bring back systems such as email and databases. The attackers have demanded $76,000 in Bitcoin but the city has thus far refused to pay. Goldstein has not provided a timeline for when the city will be back and fully functional.

2 days ago
BEN FOX RUBIN, ALFRED NG / CNET

Amazon Shareholder Proposals to Limit, Study Facial Recognition Technology Fail at Annual Meeting

Two Amazon shareholder proposals about the company’s controversial facial recognition technology, Rekognition, which were promoted by civil rights groups and activist shareholders, failed to pass at the company’s annual shareholder meeting. One proposal would have banned the company from selling the technology to governments and the other called for an independent study of the potential privacy and human rights violations caused by the technology. The proposals were non-binding on the company and proponents of the measures said they would continue to keep pressure on the company.

2 days ago
Natasha Lomas / TechCrunch

Transport London Will Start Tracking Wi-Fi Devices in July on the London Underground, Commuters Who Don’t Want to Be Tracked Will Be Forced to Turn Off Wi-Fi or Their Phones or Place Devices in Airplane Mode

The integrated body responsible for London’s transport system, Transport London (TfL), will roll out default Wi-Fi device tracking on the London Underground this summer, following a trial in 2016. TfL says that “secure, privacy-protected data collection will begin on July 8.” TfL will also offer alerts and says it could incorporate crowding data into its free open-data API to allow app developers, academics and businesses to expand the utility of the data by using it in their own products and services. Commuters using the Underground who do not wish to be tracked will have to turn off their Wi-Fi or phones or put their devices in airplane mode when using the transport. It’s not clear if TfL will encrypt the location data gathered from devices that authenticate to use the free Wi-Fi at the 260 or Wi-Fi-enabled London Underground stations. However, a genuine MAC address will be collected for each device, which TfL says will be depersonalized (pseudonymized) and encrypted to prevent the identification of the original MAC address and associated device. TfL contends it will not collect any other data from the devices.

2 days ago
BBC News

Personal Data of 4,545 TalkTalk Customers Found Exposed Online, Company Failed to Inform Them That Their Data Were Stolen in 2015 Breach

UK telecommunications company TalkTalk failed to inform 4,545 customers that their personal information, including bank account details, was stolen as part of a high-profile 2015 data breach, a BBC investigation revealed after those customers personal details were found online. The 2015 attack saw a range of sensitive personal data stolen for 157,000 customers, an incident that resulted in a record-setting fine of £400,000 against TalkTalk. TalkTalk said in a statement that the 4,545 customers “may have received the wrong notification regarding this incident. This was a genuine error and we have since written to all those impacted to apologize.”

2 days ago
Malcolm Owen / Apple Insider

Apple’s WebKit to Include Privacy Preserving Ad Click Attribution That Prevents Ad Clicks From Being Attributed to a Single User

Apple has introduced a new privacy technology it will incorporate into WebKit, the browser rendering engine used by Safari, that will allow attribution of ad clicks on the web while preserving user privacy by preventing ad clicks from being attributed to a single user. Traditional ad click attribution has been done by cookies and so-called tracking pixels that enable advertisers to identify specific users. The new privacy-preserving ad click attribution introduced by Apple will store ad clicks, match conversions (actions such as adding an item to a shopping cart, entering shipment or payment information, signing up for a new service and other activity) against stored ad clicks and then send out the ad click data. The data stored on the ad clicks will be delayed in a randomized fashion for 24 to 48 hours and neither the website where the ad click happened nor the website where the conversion occurred will be able to see whether the ad click data has been stored, matched or scheduled for reporting. Apple is offering Privacy Preserving Ad Click Attribution as an experimental feature in Safari Technology Preview 82.

2 days ago
Dave Lee / BBC News

UK Chip Designer ARM Suspends Business With Huawei in Wake of U.S. Trading Ban

UK chip designer ARM has told staff it must suspend business with Huawei, according to internal documents in order to comply with the Trump Administration’s technology trading ban directed at Chinese telecom tech giant Huawei, a move that could damage the long-term prospects for Huawei to develop its own chips. ARM staff was instructed to suspend all interactions with Huawei and its subsidiaries. ARM doesn’t manufacture processors but licenses its design to others. ARM had been described as the UK’s largest tech firm until its takeover by a Japanese fund.

3 days ago
Catalin Cimpanu / ZDNet

SandboxEscaper Publishes Demo Exploit Code for New Windows Local Privilege Escalation Zero-Day Vulnerability

A security researcher who goes by the name SandboxEscaper has published demo exploit code on GitHub for a Windows 10 local privilege escalation (LPE) zero-day vulnerability without notifying Microsoft. According to a description, this vulnerability resides in the Windows Task Scheduler process, allowing attackers to run a malformed .job file that exploits a flaw in the way the Task Scheduler process changes DACL (discretionary access control list) permissions for an individual file. When exploited the vulnerability allows the attackers to gain admin privileges giving them access and control over the entire system. Although the zero-day has been tested only on Windows 10 32-bit systems, it should work with some fine-tuning on all Windows versions going back to XP and Server 2003.

Podcasts

11 hours ago
ISC StormCast

Custom URL Schemes; Skimming Trends; #Apple T2 Chip Update; #MSFT APT for MacOS @IntelAdvanced @zer0pwn

Johannes Ullrich talks about Dangers of Custom URL Schemes, Update on Phyiscal Skimmer Market, Apple Supplemental Update For macOS 10.14.5, Microsoft Releases Advanced Threat Protection for MacOS.


11 hours ago
The Shared Security Podcast

Remotely Killing Car Engines, Password Expiration Policies, Facial Recognition at Airports, InfoSec vs. Cybersecurity

In this week’s podcast, a hacker finds he can remotely kill car engines after breaking into GPS tracking, Microsoft says password expiration policies are stupid and will be removing them from their security baselines, opting out of facial recognition at airports, is it “infosec” or “cybersecurity” and more.


11 hours ago
Cracking Cyber Security

Can cyber security be creative?

Tim Sadler, CEO and co-founder of Tessian, talks about whether amidst high stress and anxiety CISOs can afford to be creative and take risks in their decision-making. He also shares advice on how to *creatively recruit* for *creative thinkers* and how he keeps his own leadership inspired.


11 hours ago
Human Factor

EPISODE 98: JAKE MOORE

Jake Moore, a Cyber Security Specialist for ESET, previously worked for Dorset Police spanning 14 years primarily investigating computer crime in the Digital Forensics Unit on a range of offenses from fraud to murder, where he learned how to retrieve digital evidence from all devices whilst engaging in a variety of ways to ethically break security in order to help protect innocent victims of cyber crime.


1 day ago
ISC StormCast

Yet Another BlueKeep Update; SanboxExcaper; Signed Malware

Johannes Ullrich talks about An Update on the Microsoft Windows RDP BlueKeep Vulnerability, New Zero Day Exploits by SandboxEscaper, Signed Exploit Code.


2 days ago
Hack Naked News #219

May 21, 2019

This week, Unistellar attackers wiped over 12,000 MongoDB databases, a Slack bug that allows remote file hijacking, Baltimore ransomware nightmare could last weeks more, over 25,000 smart Linksys routers are leaking sensitive data, and Huawei’s microchip vulnerability explained.


Spotlight











Cybersecurity Events

May 24-29SecurityFestGothenburgSweden
May 25-26BSides StuttgartStuttgartGermany
May 26-28Global AppSec Tel AvivTel AvivIsrael
May 27You Shot the SherriffSão PauloBrazil
May 31-June 2CackalackyConChapel Hill, NCUSA
May 31-June 2Circle City ConIndianapolis, INUSA
June 3-4ConfidenceKrakowPoland
June 7CONFERENCE FOR KOTLINERSBudapestHungary
June 8-9EkopartyLos Angeles, CAUSA
June 10-14TyphoonConSeoulSouth Korea
June 14SthackBordeauxFrance
June 15-15SummerconBrooklyn, NYUSA
June 17-18OffzoneMoscowRussia
June 17-19Hi Tech & Digital Investigations ConferenceAustin, TXUSA
June 19-20Research Innovation to Implementation in Forensic Science Symposium (RI2I)Gaithersburg, MDUSA


Listen to Metacurity on Alexa

Metacurity now has over 500 monthly listeners, and thousands of plays for our ongoing summaries on Amazon Alexa.

Sign up on Alexa today and just ask “Alexa, what’s the latest in cybersecurity news!


Support Us!

Subscribe to Our Newsletter

Subscribe to our newsletter and get our daily and highly enjoyable summary of cybersecurity developments you must know if you want to stay ahead.

We don't spam and we value your privacy. We don't sell or share our subscriber lists ever. For more information, please read our privacy policy at Metacurity's Privacy Policy page.

DON'T FORGET TO CONFIRM YOUR SUBSCRIPTION AFTER SIGNING UP. PLEASE CHECK YOUR SPAM FILTER FOR OUR CONFIRMATION EMAIL.