Latest News

11 hours ago
Joseph Marks / Washington Post

Hackers Find Bad Bugs in F-15 Fighter Jet That Could Shut Down Key Aircraft Information System

A team of highly vetted hackers approved by the Pentagon’s Digital Defense Service sabotaged a vital flight system for an F-15 fighter jet during Def Con. The seven hackers, brought to Las Vegas by the cybersecurity company Synack, the first such white hat hackers to have physical access to the jet, found a host of vulnerabilities that could completely shut down the Trusted Aircraft Information Download Station, which collects reams of data from video cameras and sensors while the jet is in flight. They also found bugs that the Air Force had tried but failed to fix after the same group of hackers performed similar tests in November without actually touching the device.

20 hours ago
Kyle Rempfer / Army Times

New, Rapidly Created Army Cyber and Electronic Warfare Units Suffer Serious Staffing, Equipping and Training Challenges, One Unit Understaffed by More Than 80%, GAO

The U.S. Army’s recent moves to rapidly create new cyber and electronic warfare units have resulted in challenges with staffing, equipping and training for the new teams, according to a report by the Government Accountability Office (GAO). Some of these new units are being activated before cyber training and equipment have been updated, and they remain short on personnel, according to the report, which focused on the 915th Cyber Warfare Support Battalion and a recently activated Intelligence, Cyber, Electronic Warfare, and Space (ICEWS) unit. The cyber battalion, which was activated in December 2018, was understaffed by more than 80 percent as of March 2019. The ICEWS unit has only 55 percent of positions filled. The GAO recommends that the Army assess the risk associated with staffing, equipping and training for the existing ICEWS unit and the 915th Cyber Warfare Support Battalion.

1 day ago
Katie Paul / Reuters

Users Sue Facebook for Failing to Warn Them of Risks Tied to Single Sign-On Tool Which Led to the Theft of 29 Million Access Tokens

According to a heavily redacted section of a filing in the U.S. District Court for the Northern District of California, Facebook users are suing the social media network over a 2018 data breach, alleging the company failed to warn them about risks tied to its single sign-on tool even though it protected its employees from those same risks. The lawsuit stems from Facebook’s worst-ever security breach last September, when hackers stole login codes, or “access tokens,” that allowed them to access nearly 29 million accounts. The lawsuit combines several legal actions. In January, Judge William Alsup told Facebook he was willing to allow “bone-crushing discovery” in the case to uncover how much user data was stolen in connection with this litigation.

2 days ago
Lawrence Abrams / Bleeping Computer

‘KNOB’ Flaw Allows Attackers to Break Into Bluetooth Connections, Monitor or Manipulate Data Between Paired Devices

In a coordinated disclosure among the Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new Bluetooth vulnerability named the “Key Negotiation Of Bluetooth attack,” or “KNOB,” has been disclosed that allows attackers to more easily brute force the encryption key used during pairing and then monitor or manipulate the data transferred between two paired devices. KNOB, assigned CVE ID CVE-2019-9506, affects Bluetooth BR/EDR devices, otherwise known as Bluetooth Classic, using specification versions 1.0 to 5.1, and allows an attacker to reduce the length of the encryption key used for establishing a connection, sometimes down to a single octet. The vulnerability was discovered by Daniele Antonioli from SUTD, Singapore, Dr. Nils Ole Tippenhauer, CISPA, Germany, and Prof. Kasper Rasmussen, University of Oxford, England.

2 days ago
AnnaMaria Andriotis and Rachel Louise Ensign / Wall Street Journal

Employees in Capital One’s Cybersecurity Unit Raised Concerns With Auditors, Human Resources and Senior Executives Prior to Recent Major Data Breach, Sources

Even before the recent massive data breach at the company, employees inside Capital One’s cybersecurity unit raised concerns with the bank’s internal auditors, human-resources department and other senior executives about what they saw as high turnover in the unit and a failure to promptly install some software to help spot and defend against hacks, according to people familiar with the matter. About a third of the unit’s employees left in 2018.

2 days ago
Lindsey O'Donnell / Threatpost

Apache Struts Security Advisories Contained Two Dozen Errors Listing Incorrect Versions Impacted by Vulnerabilities

Apache Struts had two dozen errors in its security advisories, which listed incorrect versions impacted by the vulnerabilities, according to researchers at Synopsys. The researchers investigated 115 releases of Apache Struts and correlated them against 57 existing Apache Struts security advisories that covered a total of 64 vulnerabilities. From there, they found that 24 security advisories incorrectly stated the impacted versions. They further found that previously disclosed vulnerabilities affect an additional 61 versions that weren’t listed in the original security advisories. Impacted Apache Struts software versions that were part of the erroneous advisories range from 2.0.0 to 2.5.12. The Apache Software Foundation said that the CVE entries have been updated to reflect corrections for impacted versions, as well as the versions that contain the appropriate fixes.

2 days ago
Susan Decker / Bloomberg

Apple Files Copyright Lawsuit Against Software Startup Corellium Accusing the Security Vulnerability Tool Company of Illegally Selling Virtual Copies of iPhone, iPad Operating Systems

In a copyright infringement lawsuit filed in West Palm Beach, FL, Apple has accused upstart Corellium of illegally selling virtual copies of the iPhone and iPad operating systems under the guise of helping discover security flaws. Corellium provides a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software. Apple alleges that the software company has copied the operating system, graphical user interface and other aspects of the devices without permission, and wants a federal judge to stop the violations. Apple further argues that Corellium allows the creation of a virtual Apple device, copies new versions of Apple works as soon as they are announced and doesn’t require users to disclose flaws to Apple. In its suit, Apple is further asking for a court order forcing Corellium to notify its customers that they are in violation of Apple’s rights, destruction of any products using Apple copyrights, and cash compensation.

2 days ago
Charlie Savage / New York Times

Trump Administration Acknowledges NSA Shuttered Call Records Program But Wants to Revive It Along With Making Three Other Surveillance Authorities Permanent

The Trump administration acknowledged that the National Security Agency (NSA) program that sifts records of Americans’ telephone calls and text messages in search of terrorists has been shut down. However, in a letter to Congress, outgoing Director of National Intelligence Dan Coats urged lawmakers to make permanent the legal authority for the NSA to gain access to logs of Americans’ domestic communications, the USA Freedom Act. In one of his last acts as Director of National Intelligence, Coats said the NSA has indefinitely shut down that program after recurring technical difficulties repeatedly caused it to collect more records than it had the legal authority to gather. Mr. Coats also said the administration supported making permanent three other surveillance authorities primarily used by the F.B.I. that are also set to expire in mid-December. These provisions allow investigators to get court orders to collect business records relevant to a national security investigation, wiretap “lone wolf” terrorists without links to a foreign power, and keep wiretapping someone suspected of being a spy or a terrorist who switches phone lines in an effort to evade surveillance.

2 days ago
Patricia Kowsmann / Wall Street Journal

European Central Bank Said One of Its Websites Was Hacked and Injected With Malicious Software via Externally Hosted Website, Contact Information of 481 Subscribers Possibly Stolen

The European Central Bank, which supervises data protection at Europe’s largest banks, said that it temporarily shut down one of its websites after it was hacked and injected with malicious software via its Banks’ Integrated Reporting Dictionary (BIRD) website, which is hosted by an external third party. The central bank said neither its internal systems nor market-sensitive data were affected, but that contact information of 481 subscribers to the site’s newsletter may have been obtained.

2 days ago
Ionut Ilascu / Bleeping Computer

Kaspersky Antivirus Injected Unique Identification Numbers Into Web Pages Visited by Users That Could Track Browsing Interests

From late 2015 through 2019, Kaspersky antivirus solutions injected into the web pages visited by their users an identification number unique to each system, which could be used to track a user’s browsing interests. The problem originated with a JavaScript file from a Kaspersky server that was loaded from an address containing a unique ID for every user. The issue, now identified as CVE-2019-8286, is not restricted to Kaspersky antivirus. Kaspersky issued a patch for the vulnerability in June, but users of older Kaspersky antivirus versions still face the same tracking problem.

2 days ago
Kate Brumback / Associated Press

Judge Bars Georgia From Using Insecure Paperless Touchscreen Voting Machines, Management System Beyond This Year

In a challenge to Georgia’s outdated voting system, which is plagued with security vulnerabilities, U.S. District Judge Amy Totenberg barred the state of Georgia from using its paperless touchscreen machines and election management system beyond this year. She also said the state must be ready to use hand-marked paper ballots if its new system isn’t in place for the March 24 presidential primary election. In late July, Georgia agreed to buy new voting machines from Denver-based Dominion Voting Systems that also print a paper record for each vote using a QR code. Voting activists contend that the new machines suffer from the same vulnerabilities as the old machines, although that issue was not before Totenberg in this specific challenge. Totenberg ordered election officials to develop a contingency plan in case the new system isn’t in place before the primary election. She also ordered a pilot of that contingency plan during elections this November and ordered state officials to develop a plan by January 3 to address errors and discrepancies in the state’s voter registration database.

2 days ago
Jordan Novet / CNBC

Cloudflare Issues Pre-IPO Filing Showing Revenue Jump of 48%, Loss Increase of 13% in First Half of 2019, Notes That Offensive Customers Such as 8chan Could Have Negative Consequences

Cybersecurity and content distribution network company Cloudflare issued its pre-initial public offering S-1 filing, showing a $36.8 million net loss on $129.2 million in revenue for the first half of 2019, with revenue up 48% and loss up 13% year-over-year. The company had 74,873 paying customers at the end of the first half of 2019, with 408 of them contributing more than $100,000 in annualized billings. In the filing, the company noted the recent controversies over its hosting of the notorious 8chan, which it stopped providing services for in the wake of the massacre by a white nationalist gunman in El Paso, as well as its hosting of the neo-Nazi website Daily Stormer, which it dropped in 2017. “Activities of our paying and free customers or the content of their websites or other Internet properties, as well as our response to those activities, could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and others,” the company said in the filing.

2 days ago
Karl Bode / Vice

Google’s Password Checkup Extension for Chrome Shows That Reuse of Unsafe Passwords Is Higher for Less Popular Sites, Around 26% of Users Ignore Warnings of Breached Passwords

Based on anonymous telemetry reported by the Password Checkup extension, an experimental feature the tech giant introduced to Chrome in February to alert users when they use breached passwords, users continued to use breached, unsafe credentials for some of their most sensitive financial, government, and email accounts. This reuse is particularly common on sites outside the most popular ones, where users are 2.5X more likely to reuse vulnerable passwords, putting their accounts at risk of hijacking. Users opted to ignore 81,368, or 25.7 percent, of the breach warnings presented to them. Google said that 650,000 people have participated in the experiment so far. In the first month alone, the extension scanned 21 million usernames and passwords and flagged over 316,000, or 1.5% of the sign-ins scanned, as unsafe.

2 days ago
Shannon Vavra / Cyberscoop

Cyber Command Uploads to Virus Total Two Malicious Software Samples Linked to North Korea’s Lazarus Group

Two malicious software samples uploaded by U.S. Cyber Command to VirusTotal are associated with campaigns from the North Korea-linked APT threat actor Lazarus Group, according to researchers from Symantec and CrowdStrike. The move by Cyber Command is the second time in as many months it has added malware details to the VirusTotal security repository as part of an information-sharing effort with the private sector. One of the samples uploaded is a DLL, a dynamically linked library, which is usually part of a set of malware, while the other file shared is an executable, which is capable of running by itself.

3 days ago
Natasha Lomas / TechCrunch

WebKit Publishes New Tracking Prevention Policy That Cracks Down on Malicious Web Tracking Practices, Clamps Down on Those Who Violate It

WebKit, the open-source engine that underpins Internet browsers including Apple’s Safari, published its new tracking prevention policy, which spells out the web tracking practices that WebKit believes, as a matter of policy, should be prevented by default by web browsers because they infringe on a user’s privacy without giving users the ability to identify, understand, consent to, or control them. Technologies such as tracking pixels, browser and device fingerprinting and navigational tracking, among others, are deployed by an unregulated digital adtech industry and can be used to violate users’ privacy as well as serve as vehicles for injecting malware. WebKit also said it’s going to treat attempts to circumvent its policy as akin to malicious hack attacks, to be responded to in kind, i.e. with privacy patches and fresh technical measures to prevent tracking.

3 days ago
Zack Whittaker / TechCrunch

Credit Karma Users Report Ability to See Strangers’ Credit Reports When Logging In, Company Says It Was a ‘Malfunction’

A bug in credit monitoring site Credit Karma allowed users to see other people’s account information when they logged in, according to complaints on Reddit and Twitter regarding the security lapse. Several users on the social media sites complained about being able to see other people’s credit reports. Credit Karma said the company experienced a technical malfunction that has now been fixed and that it has no evidence a data breach occurred.

3 days ago
Catalin Cimpanu / ZDNet

Capital One Hacker May Have Stolen Data From More Than Thirty Other Companies, Prosecutors Say

Paige Thompson, the hacker accused of breaching US bank Capital One, is also believed to have stolen data from more than 30 other companies, US prosecutors said in a filing in support of a motion for Thompson’s detention. Prosecutors said that Thompson’s seized servers include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities. The investigation into Thompson’s activities is still ongoing but prosecutors say much of the data appear not to contain personal identifying information. Although the filing doesn’t say which companies were affected, press reports have suggested that Unicredit, Vodafone, Ford, Michigan State University, and the Ohio Department of Transportation were also victims of Thompson’s hacking.

4 days ago
Joe Parkinson, Nicholas Bariyo and Josh Chin / Wall Street Journal

Technicians at Chinese Tech Giant Huawei Helped African Governments Spy on Political Opponents Using NSO Group Spyware, ‘Safe Cities’ Surveillance Systems, Report

In at least two cases, technicians at controversial Chinese telecom and tech giant Huawei have personally helped African governments spy on their political opponents, including intercepting their encrypted communications and social media and using cell data to track their whereabouts, according to senior security officials working directly with the Huawei employees in these countries. After failing to hack into the WhatsApp and Skype accounts of Bobi Wine, a Ugandan pop star turned political threat to the 33-year regime of President Yoweri Museveni, security officials there turned to Huawei, which successfully breached those accounts using Pegasus spyware supplied by the notorious Israeli spyware company NSO Group. This effort ultimately thwarted Wine’s plans to organize street rallies and resulted in his arrest, along with the arrests of dozens of his supporters. In Zambia, Huawei technicians helped the government access the phones and Facebook pages of a team of opposition bloggers running a pro-opposition news site, which had repeatedly criticized President Edgar Lungu. The technicians also helped track down the bloggers so that authorities could arrest them, implicating the surveillance systems Huawei sells to governments, often branded “safe cities,” which it has installed in 700 cities across 100 countries. Huawei has also sold video surveillance systems in dozens of developing nations. Huawei denies any involvement in these efforts and says it does not engage in these kinds of activities on behalf of governments.

4 days ago
Sarah Frier / Bloomberg

Facebook Used Outside Contractors to Transcribe Messenger Audio Clips, Says It Paused Human Review of Audio More Than a Week Ago

Facebook has been paying hundreds of outside contractors to transcribe clips of audio from users of its Messenger app, according to people with knowledge of the work, which Facebook subsequently confirmed. The contractors’ employees are not told where the audio was recorded or how it was obtained, according to the sources. The Irish Data Protection Commission, which takes the lead in overseeing Facebook in Europe, said it was examining the activity for possible violations of the EU’s strict privacy rules under GDPR. Facebook said it paused human review of audio more than a week ago, much as Apple and Google did after the media uncovered their practices of human review of audio recordings.

4 days ago
Brian Krebs / Krebs on Security

Microsoft Issues Patches for 93 Vulnerabilities in Windows and Related Software, Adobe Patches 118 Flaws Across Most Products But Not for Flash

Microsoft released patches to fix 93 vulnerabilities in Windows and related software, 35 of which affect various Server versions of Windows, and another 70 that apply to the Windows 10 operating system, including four so-called wormable flaws in Microsoft’s Remote Desktop Service, a feature which allows users to remotely access and administer a Windows computer. Adobe patched 118 vulnerabilities across After Effects, Character Animator, Premiere Pro, Prelude, Creative Cloud, Acrobat and Reader, Experience Manager, and Photoshop products. For the second month in a row, Adobe issued no security updates for its chronically problematic Flash product.

Podcasts

19 hours ago
BBC Tech Tent

Are you being watched?

How privately-operated facial recognition in public places threatens privacy according to campaigners. Presented by Rory Cellan-Jones.

2 days ago
ISC StormCast

Spearphishing Maldoc Analysis; No News IoT Security; Kaspersky Insecurity

Johannes Ullrich talks about Analysis of a Spearphishing Maldoc, IoT Security Stagnation, Kaspersky Insecurity.

2 days ago
Cracking Cyber Security

Why can’t we retain the cyber talent that we need?

Vicki Gavin, an advisor on security, privacy and resilience and previously CISO for the Economist, talks about whether cyber security hiring and retention processes are doing more harm than good.

2 days ago
Defense in Depth

Proactive Security

How proactive should we be about security? What’s the value of threat intelligence vs. just having security programs in place with no knowledge of what attackers are trying to do?

2 days ago
Wall Street Journal Tech News Briefing

Is Facial-Recognition Technology a Threat?

Airlines and the TSA are starting to scan faces to get people through security and boarding faster, but does facial recognition at the airport come with unintended consequences?

3 days ago
ISC StormCast

MedusaHTTP Malware; DuckDNS C&C; HTTP/2 Vulnerabilities; Intel NUC

Johannes Ullrich talks about MedusaHTTP Malware, Cryptominer uses DuckDNS for C&C, Intel NUC Vulnerabilities, HTTP/2 Vulnerabilities.

Cybersecurity Events

Aug. 8-11: Defcon, Las Vegas, NV, USA
Aug. 12-17: SANS San Jose, San Jose, CA, USA
Aug. 14-16: USENIX Security Symposium, Santa Clara, CA, USA
Aug. 14: Usenix, Santa Clara, CA, USA
Aug. 19: Energysec Security and Compliance Summit, Anaheim, CA, USA
Aug. 19-21: Linux Security Summit, San Diego, CA, USA
Aug. 12-16: AfricaHackOn, Nairobi, Kenya
Aug. 19-24: SANS Chicago, Chicago, IL, USA
Aug. 22: NIST Post-Quantum Cryptography (PQC) Standardization Conference, Santa Barbara, CA, USA
Aug. 23-25: Infosec Campout, King County, WA, USA
Aug. 25: SANS Tampa-Clearwater, Tampa, FL, USA
Aug. 26: BSides Vancouver, Victoria Island, Canada
Aug. 29: BSides Manchester, Manchester, UK
Sept. 5: Kent Cyber Security Forum (KCSF) 2019, Kent, UK
Sept. 6: BSides Amsterdam, Amsterdam, The Netherlands


Listen to Metacurity on Alexa

Metacurity now has over 500 monthly listeners, and thousands of plays for our ongoing summaries on Amazon Alexa.

Sign up on Alexa today and just ask, “Alexa, what’s the latest in cybersecurity news!”


Support Us!

If you enjoy Metacurity, let us know by becoming a patron. For less than the price of a cup of coffee per day, you can ensure that we continue to deliver you the best of information security news from across the web. We need help in supporting our growing hosting charges and have great plans for delivering even more dynamic and useful information.