Latest News

11 hours ago
Brian Krebs / Krebs on Security

FBI Warns Banks of Impending, Global ‘ATM Cash-Out’ Attacks by Cybercriminals

The FBI is warning banks that cybercriminals are preparing to carry out a highly choreographed global fraud scheme known as an “ATM cash-out” in which the crooks hack a bank or payment card processor and use cloned cards to fraudulently withdraw millions from ATMs around the world in a short time span. The focus of the crime gangs will be the traditional small or mid-sized banks and virtually all such operations take place on weekends. The FBI is urging banks to review how they’re handling security, such as implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles.

11 hours ago
Lily Hay Newman / Wired

Police Body Cameras Are Vulnerable to Remote Digital Attacks, Footage Manipulation

Many body cameras on the market today are vulnerable to remote digital attacks, including some that could result in the manipulation of footage, Josh Mitchell, a consultant at the security firm Nuix discovered. Mitchell analyzed five body camera models from five different companies: Vievu, Patrol Eyes, Fire Cam, Digital Ally, and CeeSc. Of all the devices, only the Digital Ally device did not contain vulnerabilities that would allow an attacker to download footage off a camera, edit things out or potentially make more intricate modifications, and then re-upload it, leaving no indication of the change. None of the body cams have a cryptographic mechanism to confirm the validity of the video files they record. Mitchell disclosed his finding to the vendors and is working with them to fix the flaws.

16 hours ago
Charlie Osborne / ZDNet

Apple macOS Flaw Leads to System Compromise With Synthetic Mouse Click Attacks

A zero-day flaw in Apple software that can lead to MacOS system security issues was discovered by security researcher Patrick Wardle, Chief Research Officer of Digita Security. The zero-day relates to “synthetic” interactions with a user interface (UI), which are when attackers can virtually “click” objects in order to load code without user consent. If an attacker is able to “click” a security prompt and load a kernel extension, this could lead to the full compromise of an operating system. It’s possible to synthetically generate clicks silently and in an invisible way. In the case of the Apple zero-day, the relevant vulnerability is CVE-2017-7150, a bug impacting modern versions of Apple macOS software before version 10.13, which allows unprivileged code to interact with any UI component including ‘protected’ security dialogues, leading to the bypass of the keychain access prompt and password exfiltration. Apple patched that particular problem but the redesign of the UI ultimately failed and the new zero-day is based on the macOS High Sierra’s incorrect interpretation of software events based on an incomplete patch. Apple’s next version of the OS, Mojave, will block synthetic events altogether.

17 hours ago
Joseph Menn / Reuters

Three Out of Every Ten U.S. House Candidates Have Websites Vulnerable to Security Threats

Three of every 10 candidates running for the U.S. House of Representatives, whether Republican or Democrat, have significant security problems with their websites, four independent researchers led by former National Institutes for Standards and Technology security expert Joshua Franklin concluded. Using automated scans and test programs, the team identified multiple vulnerabilities, including problems with digital certificates used to verify secure connections with users. The team also found numerous potentially malicious web pages that closely resemble the names of candidates, a deceptive technique know as typosquatting.  The candidates most at risk are those with small staffs and little computer expertise.

19 hours ago
Ryan Nakashima / Associated Press

Google Tracks Users’ Location Data Even If They Turn Off Location History

Many Google services on Android devices and iPhones store potential privacy-violating users’ location data even if they’ve used a privacy setting that says it will prevent Google from doing so, an investigation by the Associated Press reveals and researchers at Princeton confirm. According to Google’s support page, turning off “location history” will stop its apps from storing your location information, which runs contrary to what the investigation found, namely that some Google apps, including Google’s map app, automatic daily weather updates, and other apps automatically store time-stamped location data without asking. Although turning off location history does not stop the apps from storing location data, pausing another Google setting, “Web and App Activity,” will stop the tracking of locations. The AP learned of this issue from K. Shankari, a graduate researcher at UC Berkeley who studies the commuting patterns of volunteers in order to help urban planners.

20 hours ago
Andy Greenberg / Wired

Hackers Devised Intricate Technique to Secretly Stream Audio from Amazon Echo to Remote Attacker

An intricate, multi-step penetration technique that chains together a series of bugs in Amazon’s second-generation Echo to take over the devices has been devised by security researchers Wu Huiyu and Qian Wenxiang, who work on the Blade team of security researchers at Chinese tech giant Tencent. The researchers demonstrated the technique at DEF CON by taking a device and streaming audio from its microphone to a remote attacker, while offering no clue to the user that the device has been compromised. The researchers notified Amazon of their finding in advance and the company sent out a patch to prevent this specific attack in July.

21 hours ago
Jill Colvin and Catherine Lucey / Associated Press

Omarosa’s Surreptitious Recording in the Situation Room’s SCIF Raises Fears of Lax White House Security Protocols

Audio recordings in the White House Situation Room, which is a Sensitive Compartmented Information Facility (SCIF), released this weekend by Omarosa Manigault Newman have raised concerns among security professionals and previous Administration officials over what might be perceived as lax security protocols on the part of the Trump Administration. Ned Price, who served as spokesman of the National Security Council in the Obama administration, called the breach of protocol unprecedented and suggested it reflects a culture of disregarding security protocols among Trump officials. He also questioned why John Kelly, whose voice is heard on one of the tapes, chose to hold a personnel meeting with Omarosa in the highly sensitive Situation Room.

23 hours ago
Dean Takahashi / Venture Beat

‘Faxploit’ Fax Machine Exploit Gives Hackers Access to Home, Corporate Networks

Hackers can exploit home or corporate networks by exploiting vulnerabilities in all-in-one printer fax machines using a technique dubbed the Faxploit, researchers at Check Point report. The attack can be carried out using only a fax number and can enter the networks using lateral movement and can thus jump to networks that are not even connected directly to the Internet. To protect against these kinds of attacks, CheckPoint recommends segmenting networks and patching devices regularly.

24 hours ago
Lawrence Abrams / Bleeping Computer

Hackers Are Hijacking Certain DLink DSL Routers’ DNS Settings to Redirect Users to Fake Banks

An exploit is being used by attackers to perform remote unauthenticated changes to DNS settings on certain DLink DSL modems/routers to redirect users attempting to connect to their online banks to fake banking websites that steal the user’s account information, according to researchers at Radware. The fake sites look almost identical to the real sites, with the only indication that something’s amiss is a warning that the site is not secure. In one attack, these servers allowed the online banks for Banco de Brasil ( and Itau Unibanco (hostname to be redirected to fake clones.

2 days ago
Kevin Collier / Buzzfeed News

11-Year-Old Girl Hacked Replica of Florida’s Voting Total, Changed Its Appearance, Within 10 Minutes

At this year’s DEF CON Voting Village, in a special section designed to allow young children to alter the appearance of votes on real-world voting machines, an eleven-year-old girl named Audrey hacked a replica of the Florida secretary of state’s website within 10 minutes and changed the appearance of the results. Another hacker turned a Diebold TSX voting machine, versions of which are used in at least some areas of 20 states, into a jukebox that played music from speakers and showed a display for an Illuminati GIF he found online. DHS’s top cybersecurity official, Jeanette Manfra said that these and other hacks of voting machines at DEF CON don’t represent real-world voting conditions where compensating controls, such as intense physical security, could prevent these and other hacks.

3 days ago
Lily Hay Newman / Wired

Lack of Funding Is The Biggest Threat to Election Security Officials and Experts Say

As DEF CON’s Voting Machine Hacking Village gets underway this weekend, the main message from both security experts and state officials is that the lack of funding is the biggest security threat to the nation’s elections. Despite Congress appropriating $340 million last month for election security, more is needed California Secretary of State, Alex Padilla, said. Jake Braun, a co-organizer of the Voting Village, said that even DEF CON’s effort is expensive and loses money. Despite gaining steam, the bi-partisan Secure Elections Act, which would give states more resources, is months away from passage.

3 days ago
Kevin Collier, Jason Leopold / Buzzfeed News

U.S. State Department Blamed Crippling DDoS Attacks Against Swedish News Sites on Russia

Russian hackers were targeting at least nine Swedish news sites with DDoS attacks in an apparent attempt to dissuade Sweden from cooperating with NATO at the same time they were targeting Hillary Clinton’s presidential campaign in 2016, a partially released State Department cable obtained through the Freedom of Information Act (FOIA) reveals. The cable to primarily U.S. ambassadors in Europe was dated October 19, 2016, twelve days after the U.S. government first proclaimed that Russia was interfering in the U.S. election, and was obtained in an FOIA lawsuit by Buzzfeed News and Ryan Shapiro, a Ph.D. candidate at the Massachusetts Institute of Technology and the co-founder of the transparency project Property of the People. The communique warned of a Russian campaign to destabilize NATO and blamed crippling cyberattacks against Swedish news organizations, which began March 19, 2016, and knocked several of the country’s largest news organizations offline, on Russia.

3 days ago
Cynthia Brumfield / Metacurity

Friday Report: Hacker Summer Camp’s Parade of Scary Things, WannaCry is Back and FCC Fesses to Fraud (Sort Of)

Welcome to Metacurity’s Friday Report, where we sum up the week’s big trends in information security news.

No single theme dominated the week’s news but a single city did: Las Vegas, where the annual grueling cybersecurity and hacking “summer camp” of back-to-back BSides Las Vegas, BlackHat and DEF CON conferences is hosted at the hottest (literally) peak of the year. True to tradition, security researchers and firms and tech suppliers trotted out a ton of demos, announcements, and findings, all of which is enough to scare the blue out of the sky. (Read the rest of the report here.)

4 days ago
Russell Brandom / The Verge

Open-Source Facial Recognition Tool ‘Social Mapper’ Aims to Help Ethical Security Researchers With Social Engineering Attacks

A new open-source tool called Social Mapper, which is designed to help ethical security researchers perform social engineering attacks, uses facial recognition to track subjects across social media networks, according to the researchers at Trustwave who developed it. Social Mapper automatically locates profiles on Facebook, Instagram, Twitter, LinkedIn, and other networks based on a name and picture. Instead of relying on APIs, as similar past, failed efforts have done, the Social Mapper system performs a more time-consuming automated manual searches in an instrumented browser window.

4 days ago
Nadeem Badshah / The Guardian

UK Holiday Camp Firm Butlin’s Breached, Data for Up to 34,000 Guests Exposed

UK holiday camp firm Butlin’s announced it has suffered a data breach that has exposed customer data for up to 34,000 guest records. The data exposed includes names, home addresses, email addresses and phone numbers, but that no payment data was exposed in the breach. Butlin’s said it has no found any fraudulent activity related to this breach.

4 days ago
Mark Rockwell / FCW

DHS Warns of New North Korean Malware Variant ‘Keymarble’ Linked to Hidden Cobra

A Trojan malware variant, dubbed “Keymarble,” appears to be the latest used by the North Korean government, US-CERT said in an alert. Research conducted by DHS and the FBI said Keymarble came from North Korea’s “Hidden Cobra” hacking group that lobs distributed denial-of-service attacks at media, aerospace, financial and critical infrastructure sectors in the United States and around the globe. Little detail about Keymarble was offered in the alert.

4 days ago
Alfred Ng / CNET

Flaws in Cheap PayPal, SumUp and Square Point-of-Sale Credit Card Readers Could Let Hackers Steal Credit Card Numbers

Cheap mobile payment systems, specifically the point-of-sale terminals such as credit card readers for these systems, have serious vulnerabilities that could let hackers steal credit card info or change the value of what people pay, researchers at Positive Technologies reveal. The researchers examined popular mobile point-of-sale, or mPOS, providers in the US and Europe, Square, PayPal, SumUp and iZettle, and found that three of the card readers costing less than $50 had a flaw that allowed the merchants to change what the customers see on the screen. Moreover, most of the terminals didn’t use a secure form of Bluetooth pairing. The researchers first informed the vendors of the flaws in April, although three of the vendors downplay the researchers’ concerns.

4 days ago
Lily Hay Newman / Wired

Bug in Set-Up Tool of Brand New Enterprise Macs Gave Hackers Remote Access on First Wi-Fi Connection

A bug in the set-up tool of brand new enterprise Macs that use Apple’s Device Enrollment Program and its Mobile Device Management platform can be remotely hacked out-of-the-box the first time the devices connect via Wi-Fi, Jesse Endahl, the chief security officer of the Mac management firm Fleetsmith, and Max Bélanger, a staff engineer at Dropbox, demonstrated at Black Hat. The bug allows an attacker to compromise the device before the user is even logged in for the first time. Endahl and Bélanger notified Apple about the issue, and the company released a fix in macOS High Sierra 10.13.6 last month. However, devices that have already been manufactured and ship with an older version of the operating system will still be vulnerable.

4 days ago
Dan Goodin / Ars Technica

Researchers Demo Life-Threatening Hacks on Medtronics’ Pacemakers, Insulin Pumps

Hackers can install malware on pacemakers manufactured by Medtronics that threaten patients’ lives due to a lack of encryption, researchers Billy Rios WhiteScope and Jonathan Butts of QED Secure Solutions said during a Black Hat presentation. Rios and Butts first informed Medtronics of the security flaw in January 2017 and said that the proof-of-concepts they’ve developed still work today despite Medtronics belief that existing controls mitigate the issue. At Black Hat, they demonstrated one hack of a CareLink 2090 programmer, a device doctors use to control the pacemakers after they’re implanted in patients, a hack made possible because updates to the programmer aren’t delivered over HTTPS.  Rios and Butts also demonstrated a hack against a Medtronics insulin pump using a $200 HackRF software-defined radio.

4 days ago
Alex Hern / The Guardian

Vulnerabilities in Embedded Satcom Operating System Expose Maritime, Military Users to High-Intensity Radio Frequency Attacks, Researchers

Satellite communications that ships, planes and the military use to connect to the Internet are vulnerable to hackers due to several critical vulnerabilities were found in the embedded operating system WingOS, originally owned by Motorola but now owned by Extreme Networks, researchers at IOActive report. Although a nuisance to airlines, military and maritime users are at the risk of “cyber-physical attacks” where a miscreant could reposition the antenna and set its output as high as it will go to launch a “high-intensity radio frequency (HIRF) attack” in essence turning Satcom devices into radio frequency weapons. The aviation sector is less at risk because planes tend to be built with a significant amount of HIRF shielding in place and IOActive has worked with the aviation industry to make sure it is no longer at risk. Although IOActive has reported the problems to the U.S. and EU regulatory bodies, it has not received any further information about fixes.


22 hours ago
ISC StormCast

VIA C3 “God Mode”; Apple MDM Vulnerability; Peeking into MSG Files; JA3

Johannes Ullrich talks about VIA C3 “God Mode,” Apple MDM Vulnerability, Peeking into MSG Files, Hunting SSL/TLS Clients Using JA3, Mobile Payment Terminal Vulnerabilities.

22 hours ago
Collective Intelligence Podcast

Runa Sandvik on a Culture of Security at the New York Times

In this podcast recorded during Black Hat, Runa Sandvik, senior director of information security at the New York Times, explains the importance of championing relationships with the Times’s newsroom and how important it is for her team to enable reporters and editors to do their job securely, protecting not only their sources, but in some cases, their physical safety as well.

4 days ago
ISC StormCast

Pacemaker/Insulin Pump Vuln; Panic Attacks; Process Doppleganging

Johannes Ullrich talks about Vulnerabilities in Pacemaker Programmer and Insulin Pumps, “Panic Attacks” Against City Infrastructure, Kaspersky VPN Leaks DNS Traffic, Osiris Dropper Uses Process Dopplegaenging.

4 days ago
Security Conversations

Christine Gadsby, Director of Product Security Operations, BlackBerry

BlackBerry security response executive Christine Gadsby joins the podcast to talk about tough decisions around shipping secure software, the challenges of securing supply chain dependencies, BlackBerry’s new ransomware recovery feature and her BlackHat presentation.

Cybersecurity Events

Aug. 12-14Symposium on Usable Privacy and SecurityBaltimore, MDUSA
Aug. 12-14International Conference on Science of Cyber Security BeijingChina
Aug. 12-15IEEE CyberSciTech 2018 aAthensGreece
Aug. 21SecureWorld Bay AreaSanta Clara, CAUSA
Aug. 23Secure CISO HoustonHouston, TXUSA
Sept. 6Secure CISO New YorkNew York, NYUSA
Sept. 6SecureWorld Twin CitiesMinneapolis, MNUSA
Sept. 12-13SecureWorld DetroitDetroit, MIUSA
Sept. 12-1444CONLondonUK
Sept. 14STHACKBordeauxFrance
Sept. 17-19The International Consortium of Minority Cybersecurity Professionals Atlanta, GAUSA
Sept. 18-19SecureWorld St. LouisSt. Louis, MOUSA
Sept. 195th annual Industrial Control Cybersecurity USA conferenceSacramento, CAUSA
Sept. 27Secure CISO Los AngelesLos Angeles, CAUSA
Sept. 28-29CactusConMesa, AZUSA

Sign Up for Our Daily Newsletter!

Subscribe to our newsletter and get our daily and highly enjoyable summary of cybersecurity developments you must know if you want to stay ahead.

We don't spam and we value your privacy. We don't sell or share our subscriber lists ever. For more information, please read our privacy policy at Metacurity's Privacy Policy page.