Latest News

21 hours ago
Sean Gallagher / Ars Technica

RSA Conference Mobile App Leaked Conference Attendee Data

A mobile app built by a third-party contractor, Eventbase Technology, for the cybersecurity industry’s biggest conference, RSA, was plagued by security problems including hard-coded security keys and passwords that allowed a researcher to extract the conference’s attendee list.  Within four hours of the discovery of the vulnerability that leaked attendees’ data, which was an API call that allowed anyone to download data with attendee information, Eventbase had fixed the leak. This security flaw marks the second time an RSA mobile application has leaked attendee data.

21 hours ago
Austen Hufford and Christina Rexrode / Wall Street Journal

SunTrust Surreptitiously Reveals a Likely Insider Data Breach Affecting 1.5 Million Customers

SunTrust announced Friday that a former employee may have tried to steal and share data of about 1.5 million customers, including names, addresses, phone numbers and account balances, even as it announced it is offering identity protection services at no charge to all of its clients in the form of Experian IDnotify. SunTrust, which has known of the potential theft since February, said the employee may have attempted to print the information and give it a criminal third party.  SunTrust said the stolen data did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information.  Clients will not be held responsible for any fraudulent activity or losses on their accounts due to the data breach, the bank said.

1 day ago
Lorenzo Franceschi-Bicchierai / Motherboard

Teen Crackas with Attitude Hacker Sentenced to Two Years for Hacking U.S. Officials

Eihteen year-old hacker Kane Gamble, part of a group known as Crackas with Attitiude or CWA, was sentenced in a London youth court to two years in a youth detention center for compromising the email and phone accounts of senior U.S. government officials, including former CIA director John Brennan, former director of intelligence James Clapper, and other high-profile US government employees. Gamble was arrested in February 2016 and pleaded guilty to ten hacking charges in October 2017.

2 days ago
Cynthia Brumfield / Metacurity

Friday Report: Telegram Doesn’t Play and Facebook’s So-Called GDPR Moves

Welcome to Metacurity’s Friday report where we hit the infosec news high points of the week (and this week the Friday report falls on 4/20, so many of the cool folks in cybersecurity won’t read this until, at the earliest, Saturday.)

The most interesting news of the week involved encrypted app Telegram, which is increasingly facing stiffer gales of censorship around the globe. First, France announced it will build its own messaging app to replace WhatsApp and Telegram, despite French President Macron’s fondness of Telegram. (Read the rest of the report here.)

2 days ago
Patrick Howell O'Neill / Cyberscoop

Kaspersky Banned from Twitter Ads, CEO Claims Decision Violates Twitter’s Own Principles

Embattled Russian cybersecurity firm Kaspersky Lab has been banned from advertising on Twitter due to its ostensible too-close ties with the Kremlin, another problem for the anti-virus maker after the DHS banned the use of Kaspersky products at government agencies and several companies, including retail giant Best Buy, stopped selling Kaspersky products. Twitter claims the decision is based on its determination that Kaspersky operates using a business model that inherently conflicts with acceptable Twitter Ads business practices. In an open letter, company founder and CEO Eugene Kaspersky complained that Twitter’s rationale for the ban makes no sense and the ban itself contradicts Twitter’s declared-as-adopted principle of freedom of expression.

2 days ago
Tom Hamburger, Rosalind S. Helderman and Ellen Nakashima / Washington Post

DNC Files Lawsuit Against Trump, Russia and Wikileaks Alleging Hacks Were Conspiracy

The Democratic National Committee (DNC) filed a multimillion-dollar lawsuit in federal district court in Manhattan Friday against the Russian government, the Trump campaign and Wikileaks alleging that top officials of the Trump campaign conspired with the Russian government and its military spy agency, GRU, to hurt candidate Hillary Clinton and help Donald Trump by hacking the computer networks of the Democratic Party and disseminating stolen material found there. The complaint says the Russian hacking campaign combined with Trump campaign officials’ ongoing contacts with Russia was an illegal conspiracy to interfere in the election. The suit is unlikely to be successful although the DNC filed a similar suit, and won, against then-President Richard Nixon’s reelection committee in 1972 seeking $1 million in damages for the break-in at Democratic headquarters in the Watergate building.

2 days ago
Josh Constine / TechCrunch

Third-Party JavaScript Trackers Use ‘Login with Facebook’ Feature to Collect User Data

Facebook is investigating a security research report from a group of researchers from Princeton’s Center For Information Technology Policy that claims Facebook user data can be grabbed by third-party JavaScript trackers embedded on websites using Login With Facebook. The researchers found seven scripts collecting Facebook user data, with the scripts embedded on a total of 434 of the top 1 million sites. It is unlikely the sites know the trackers are in place. It’s also unclear what the trackers are used for although many of their parent companies including Lytics and ProPS sell publisher monetization services based on collected user data. In the short term, Facebook has taken action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.

2 days ago
Zack Whittaker / ZDNet

LinkedIn AutoFill Plugin Flaw Gave Attackers Ability to Steal Users’ Profile Data

A flaw in LinkedIn’s widely used AutoFill plugin, which allows approved third-party websites to let LinkedIn users automatically fill in basic information from their profiles, could have allowed attackers to steal users’ profile data, researcher Jack Cable of Lightning Security reports. Dozens of whitelisted domains approved for LinkedIn’s AutoFill, such as Twitter or Microsoft, could be leveraged by attackers if any of those domains had a cross-site scripting vulnerability (XSS). One such unnamed domain did have an XSS and Cable was able to silently run his proof-of-concept code from his own server. LinkedIn ultimately fixed the problem but waited until after Cable contacted ZDNet to do so.

2 days ago
David Ingram / Reuters

Facebook Plans to Cut off 1.5 Billion of Its Users from GDPR Privacy Protections

Facebook is planning to argue that only European users are governed by the European Union’s General Data Protection Regulation (GDPR) terms of service agreed with the company’s international headquarters in Ireland, meaning 1.5 billion members in Africa, Asia, Australia and Latin America will not fall under the GDPR’s protection, which takes effect on May 25. The excluded users amount to more than 70% of Facebook’s global users. The move cuts down on Facebook’s legal liability under the GDPR which amounts to  4 percent of global annual revenue for infractions, a sum that could cost Facebook billions. Facebook said this decision isn’t important because it will apply the same privacy protections everywhere.

2 days ago
India Today

Brazilian Hackers Allegedly Took Down India’s Supreme Court Site After High-Profile Decision

The Indian Supreme Court website was hacked and non-functional for over seven hours following its controversial decision that Central Bureau of Investigation judge Brijgopal Harkishan Loya died of natural causes and was not murdered as petitioners before the court claimed. The hack of the website delayed uploading the Loya verdict online. Although court officials denied a hack, screenshots circulated showing signs left by a Brazilian hacking team called HighTech Brazil HackTeams who may have targeted the site.

2 days ago
Nicholas Fearn and Graeme Burton / Computing

Nigerian Hacking Ring, ‘Gold Galleon,’ is Stealing $7 Million Annually from Maritime Firms

A Nigerian hacking ring, dubbed “Gold Galleon,” has been targeting maritime shipping firms in order to steal millions of dollars on an annual basis, according to researchers at Secureworks.  Between June 2017 and January 2018, the hackers attempted to steal nearly $3.9 million and may be stealing nearly $6.7 million per year, according to the researchers’ estimates. The group uses business email compromise (BEC) and business email spoofing (BES) fraud to dupe their victims and gain access to company accounts. Companies operating in South Korea, Japan, Singapore, Philippines, Norway, the US, Egypt, Saudi Arabia, and Colombia have been targeted by the group.

2 days ago
Liam Tung / ZDNet

Malicious Fake Ad-Blocker Extensions on Chrome Store Were Installed by 20 Million Users

Five malicious ad-blocker extensions on the Chrome Web Store were installed by 20 million Chrome users before Google removed them, according to anti-tracking tech and ad-blocking firm AdGuard. The most frequent malware installed was called AdRemover for Google Chrome, infecting 10 million users. The widespread installations in effect created a botnet composed of browsers infected with the fake ad-block extensions. Google removed the fakes from the Chrome Web Store and the extensions have been disabled on Chrome instances with them installed.

3 days ago
Fred Weir / Christian Science Monitor

Russia’s Telegram Ban Has Backfired After Company’s Shift to Amazon, Google Clouds

Russia’s efforts to ban Telegram are backfiring following Telegram’s rapid shift to the cloud services of Amazon and Google where millions of IP addresses can be used. The futile efforts of the country’s communication regulator, Roskomnadzor, to block about 15 million IP addresses have been so far futile, with the majority of Russia’s Telegram user still maintaining access to the service, according to Telegram’s CEO Pavel Durov. The ban has, however, wreaked havoc among legitimate Russian websites that use the same services, affecting large swaths of Russian business and government services. The successful tactic by Telegram may not last, however, given that Roskomnadzor is trying to convince internet giants Google and Amazon to drop Telegram from their app stores.

3 days ago
Russell Brandom / The Verge

Google’s Shuttering of ‘Domain Fronting’ Threatens Anti-Censorship Tools Including Signal

The Google App Engine is discontinuing a practice called domain fronting, which allows developers to use Google as a proxy for getting around state-level censorship. The change has been rolling out since at least April 13 and threatens to disrupt a number of privacy-oriented services including Signal, GreatFire.org and Psiphon’s VPN service. Google said the changes were part of a long-planned update and that domain fronting was never a supported feature.

3 days ago
Cecilia D'Anastasio / Kokatu

Around 50,000 Minecraft Users Were Infected by Malware-Tainted Uploaded Skins

Around 50,000 of Minecraft accounts have been infected with malware that can format users’ hard drives, delete backup data, and remove system applications, researchers at Avast report. The malware is delivered via Minecraft character skins created in the PNG file format and uploaded to the game’s official website by fans. Avast says the malware is unimpressive and could be created quite easily, raising the bigger question of Microsoft-owned Minecraft’s lack of malware screening when users upload skins. Microsoft said the infected skins are no longer available and it has put into place extra measures to prevent similar malware-laden skin uploads in the future.

3 days ago
Saeed Kamali Dehghannd Andrew Roth/ The Guardian

Iran Plans to Block Telegram After Ayatollah Khamenei Announces He’s Leaving the App

Signaling an imminent shutdown of the encrypted messaging service, Iran’s supreme leader, Ayatollah Ali Khamenei, announced he was leaving Telegram, the most popular communications app in the country with about 40 million Iranians, almost half of the country’s population, estimated to be using it. The announcement by the Ayatollah said his decision “comes ahead of plans by the authorities to block Telegram and is aimed at supporting domestic social media apps.” Officials in Iran blame Telegram for providing a platform for protesters to organize rallies. Iran’s decision follows a hard line ban on Telegram in Russia after the company refused to provide user encryption keys to Russian intelligence agency FSB.

3 days ago
Dell Cameron / Gizmodo

TaskRabbit Puts Website and App Back Online Following Suspected Breach

The website and app for TaskRabbit is back online after the company took it down following preliminary evidence showing that an unauthorized user gained access to it systems, TaskRabbit said. Certain personally identifiable information of TaskRabbit users may have been compromised in the breach, the details of which have not yet been revealed. TaskRabbit has hired a forensics firm and is looking into ways to make its login process more secure, evaluating its data retention practices and enhancing its network threat detection technology. In the meantime, TaskRabbit is advising customers to change their passwords.

3 days ago
Lily Hay Newman / Wired

iPhone Users that Sync with Random PCs Can Cede Device Control to ‘Trustjackers,’ Symantec

iTunes Wi-Fi Sync, the tool that lets iOS devices sync with desktop iTunes over Wi-Fi, can be abused by hackers when the user’s phone is connected to the same Wi-Fi network as the hackers, researchers at Symantec report. A whole range of exploits dubbed “trustjacking” by Symantec can be used against iOS devices when the “Trust This Device” function is triggered, or when a user physically connects a mobile device to a computer once, then indicates that the iOS device can trust the computer going forward, and then enable iTunes Wi-Fi Sync from the PC. Once a trusted connection is established, a hacker can install malware on a phone, watch a target device’s screen and engage in more actions to manipulate a victim iOS device. After Symantec disclosed these findings to Apple, the company added a second prompt in iOS 11 to require a device’s passcode as part of authorizing a new computer as trusted. Symantec recommends that users take further steps, including encrypting their backups and deleting their list of old trusted machines via Settings> General> Reset> Reset Location and Privacy.

4 days ago
Dan Goodin / Ars Technica

Malware Masquerading as a Stress-Relieving Paint Program Has Infected 40K Facebook Users

Criminals have been using a purported paint program for relieving stress, called “Relieve Stress Paint,” to compromise 40,000 Facebook accounts over the past few days, researchers at Radware report. The fake program, which is in fact researchers dubbed Stresspaint, is available through a domain that uses Unicode representation to show up as aol.net on search engines and in emails. Although functional as a paint program, the malware copies Chrome data that stores cookies and any saved passwords for previously accessed Facebook accounts, sending the data back to a centralized command and control center. The interface used in the malware copies any payment details tied to an account, the number of friends the account had, and whether the account was used to manage a page as well possibly credentials for victims’ Amazon accounts. Facebook users  who believe they are victims of the malware are advised to check the security and login section of their Facebook settings for logins by unrecognized computers.

4 days ago
Ingrid Lunden / Techcrunch

Stripe Launches Radar for Fraud Teams, Premium Anti-Fraud System for Larger Companies

Online payment company Stripe has announced Radar for Fraud Teams, which is a paid expansion of its free AI-based Radar service that runs alongside Stripe’s core payments API to help identify and block fraudulent transactions. Radar helps detect fraud using a machine learning component that trains on more than 100,000 companies globally. On top of the new premium option, geared toward companies large enough to have fraud detection teams, Stripe has updated its core product, which it calls Radar 2.0, which the company claims improves fraud detection by 25%.

Podcasts

2 hours ago
Business Security Weekly #81

Attorney-Client Privilege & Security

Michael Santacangelo and Shawn Tuma talk about  misinformation surrounding attorney-client privilege in security. (Photo by Maarten van den Heuvel on Unsplash.)


2 hours ago
Threatpost Podcast

HOW MILLIONS OF APPS LEAK PRIVATE DATA

Threatpost’s Tom Spring talked to Roman Unuchek, senior malware analyst at Kaspersky Lab, about new research on leaky apps made public this week.  (Photo by Markus Spiske on Unsplash.)


2 hours ago
Tech Tent / BBC World News

Fake Videos Threaten Trust

Rory Cellan-Jones, with BBC tech reporter Zoe Kleinman, and Akshat Rathi, from Quartz talk about deep fake videos, whether there is a case for sharing more data about ourselves with smart devices and more. (Photo by Rachit Tank on Unsplash.)


2 days ago
Smashing Security

074: Smashing Security isn’t bullsh*t

Graham Cluley and Carole Theriault talk about crime forums on Facebook, fraudsters pose as anti-fraud hotlines, and how big advertising companies are in bed with the rampant data collection of internet giants. They’re joined by by special guest B J Mendelson, author of “Social media is bullsh*t.” (Photo by Livin4wheel on Unsplash.)


Cybersecurity Events

Apr. 23-28SANS Cyber Security Training in BaltimoreBaltimore, MDUSA
Apr. 23 -30SANS Blue Team Summit & TrainingLouisville, KYUSA
Apr. 26CEME Conference CentreLondonUK
May 1-8SANS 2nd Annual Automotive Cybersecurity SummitChicago, ILUSA
May 2-4Summit XLos Angeles , CAUSA
May 4-5ThotconChicago, IL`USA
May 7-8x33fconGdyniaPoland
May 8-10Google I/OMountain View, CAUSA
May 8-10Red Hat SummitSan Francisco, CAUSA
May 10-12CONVERGE CONFERENCE AND BSIDES DETROITDetroit, MIUSA
May 11-13DEFCON ChinaBeijingChina
May 11-18SANS Security WestSan Diego, CAUSA
May 20-25SANS Cyber Security Training in RestonReston, VAUSA
May 26HackInBoBolognaItaly
May 29-June 3SANS Cyber Security Training in AtlantaAtlanta, GAUSA


Subscribe to Our Newsletter

Subscribe to our newsletter and get our daily and highly enjoyable summary of cybersecurity developments you must know if you want to stay ahead.

We don't spam and we value your privacy. We don't sell or share our subscriber lists ever.