Latest News

4 hours ago
FinSMEs

McAfee Is Buying Browser Isolation Company Light Point Security, Plans to Integrate Technology Into MVISION UCE Solution

Cybersecurity company McAfee announced it is buying Light Point Security, LLC, a Baltimore, MD-based provider of browser isolation solutions. Terms of the deal were not disclosed. McAfee plans to integrate Light Point Security’s browser isolation technology into McAfee Secure Web Gateway, complementing its existing comprehensive inbound and outbound protection for all web and cloud traffic. McAfee also plans to integrate browser isolation into the newly released MVISION UCE solution, which includes McAfee Secure Web Gateway, McAfee Data Loss Prevention, and MVISION Cloud (CASB).

4 hours ago
Zak Doffman / Forbes

Serious Bug in PayPal’s Contactless Payment System Likely Behind String of Recent Fraudulent Charges in Germany, Flaw Was Reported to PayPal a Year Ago But Remains Unfixed

German PayPal users have reported thefts as high as 1,000 euros (around $1,084) over the past several days involving fraudulent transactions with U.S. stores, likely due to a serious issue in PayPal’s contactless payment system, security researcher Markus Fenske says. Fenske and his colleague Andreas Mayer say the flaw lets an attacker “near your mobile phone [have] a virtual credit card which deducts money from your PayPal account.” The problem appears linked to the way Google Pay is set up on a PayPal user’s account, although there is no official confirmation that the two are related. Fenske and Mayer say they reported the issue to PayPal in February 2019 and were paid a bug bounty of $4,400, but recently discovered that the bug still hasn’t been fixed.

5 hours ago
Gareth Corfield / The Register

Samsung Admits It Suffered a Data Breach Following Strange Push Notifications Sent to Galaxy Users

Samsung admitted it suffered a data breach last week following strange notifications sent to some users via their Samsung Galaxy devices. Most of these notifications flowed through the phones’ Find My Mobile apps. Although Samsung initially said the messages were errant missives sent by the company, it has now admitted that what it calls a “small number” of users could indeed read other people’s data following a data breach. The company says it removed the ability to log in to the store on its website until the issue was fixed and is now in the process of contacting affected users.


5 hours ago
Ionut Ilascu / Bleeping Computer

Critical Flaw in OpenSMTPD Email Service Could Allow Attacker to Run Root Commands, PoC Exploit Code Coming, Admins Urged to Patch ASAP

Researchers at Qualys have discovered a new critical vulnerability in the OpenSMTPD email server that could let a remote attacker run shell commands as root on the underlying operating system. OpenSMTPD ships on many Unix-like systems, including FreeBSD, NetBSD, macOS, and Linux distributions such as Alpine, Arch, Debian, Fedora, and CentOS. The vulnerability, tracked as CVE-2020-8794, is exploitable in OpenSMTPD’s default installation, and proof-of-concept exploit code will be released on February 26. The fix is delivered in OpenSMTPD 6.6.4p1, which the developer recommends installing “AS SOON AS POSSIBLE.”
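Added example (not from the Bleeping Computer story or the OpenSMTPD project): a small Python helper that decides whether a reported OpenSMTPD version predates the 6.6.4p1 fix. The banner line it parses (“version: OpenSMTPD 6.6.3p1”) is an assumption about what `smtpd -h` prints on your build; the backport caveat in the docstring is the part that matters for distro packages.

```python
import re

# Fix version named in the advisory summarised above (CVE-2020-8794).
FIXED_VERSION = "6.6.4p1"

# Matches the upstream part of an OpenSMTPD version string: '6.6.4p1',
# '6.6.3', or a packaged form such as '6.0.3p1-5+deb10u4'. The 'pN' suffix
# marks the portable release of the same upstream version, so it is
# captured only for display and does not take part in the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for an OpenSMTPD version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSMTPD version: {text!r}")
    major, minor, patch, _portable = m.groups()
    return (int(major), int(minor), int(patch or 0))


def extract_version(banner):
    """Pull the version out of a line such as 'version: OpenSMTPD 6.6.3p1'.
    That this is the first line 'smtpd -h' prints is an assumption; check
    your build. Returns None if no version is found."""
    m = re.search(r"OpenSMTPD\s+(\d+\.\d+(?:\.\d+)?(?:p\d+)?)", banner)
    return m.group(1) if m else None


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the upstream version is older than the fixed release.

    Caveat: distributions often backport a fix without changing the upstream
    version number (Debian, for example, ships '6.0.3p1-5+debNuM' packages),
    so True here means 'check the distro advisory', not 'confirmed
    exploitable'. False on a genuine upstream build is reliable."""
    return parse_version(installed) < parse_version(fixed)


def assess(banner):
    """Combine the two steps for a captured banner line."""
    version = extract_version(banner)
    if version is None:
        return "unknown"
    if is_vulnerable(version):
        return "vulnerable (verify against distro advisory)"
    return "fixed"


if __name__ == "__main__":
    for sample in ("version: OpenSMTPD 6.6.3p1",
                   "version: OpenSMTPD 6.6.4p1",
                   "OpenSMTPD 6.0.3p1-5+deb10u4"):
        print(sample, "->", assess(sample))
```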

6 hours ago
Catalin Cimpanu / ZDNet

Mozilla Says DNS Over HTTPS Is Now Turned on by Default for Firefox Users in the U.S.

Mozilla announced that starting today it will turn on DNS over HTTPS (DoH) by default for Firefox users in the US. The only users not receiving the change are those who have explicitly disabled DoH in Firefox’s settings panel. DoH is a privacy-focused protocol layered on top of the existing DNS ecosystem: the browser sends its DNS queries inside encrypted HTTPS connections to a resolver, so ISPs and other on-path observers can no longer read or alter them. DoH is controversial because, although it improves privacy, some view it as a way for criminals and malware to evade detection and DNS-based filtering systems, which depend on seeing those queries in the clear.
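Added example, not from the ZDNet story or from Mozilla: the wire format behind DoH, in Python. It builds an ordinary DNS query, encodes it the way a DoH GET does (RFC 8484), and parses a constructed response of the kind a DoH client reads out of the HTTP body. The endpoint URL is Mozilla’s public default resolver; nothing here connects to it, and the response bytes are constructed for the example, not captured traffic.

```python
import base64
import struct

# Mozilla's default trusted recursive resolver for this rollout. The URL is
# public; this example never contacts it.
DOH_ENDPOINT = "https://mozilla.cloudflare-dns.com/dns-query"


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name, qtype=1):
    """A plain RFC 1035 query: header (ID 0, RD=1, one question) + question.
    RFC 8484 suggests ID 0 so identical queries yield cacheable HTTP GETs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(name, endpoint=DOH_ENDPOINT):
    """The GET form of a DoH query: the DNS message, base64url without
    padding, in the 'dns' parameter. The same bytes that would have gone to
    UDP/53 in the clear now travel inside TLS to a web server, which is why
    port-53 monitoring and resolver-based filtering no longer see them."""
    encoded = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=")
    return f"{endpoint}?dns={encoded.decode('ascii')}"


def decode_name(buf, off):
    """Decode a (possibly compressed) name; returns (name, next offset)."""
    labels = []
    while True:
        length = buf[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(buf, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(buf[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_records(message):
    """Return the IPv4 addresses in the answer section of a DNS response,
    i.e. what a DoH client reads from the HTTP 200 body whose Content-Type
    is application/dns-message."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(message, off)
        off += 4  # skip qtype + qclass
    addrs = []
    for _ in range(ancount):
        _, off = decode_name(message, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        rdata = message[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


# Constructed response body (not captured traffic): one A answer for
# example.com, using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_get_url("example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
```

The point for a network defender is visible in `doh_get_url`: nothing about the DNS message changes, only its transport, so controls that inspect or block queries on port 53 have to be re-thought as controls on which HTTPS endpoints a host may talk to.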

19 hours ago
Laurens Cerulus / Politico EU

European Commission Tells Staff to Start Using End-to-End Encrypted Signal for Communications

The European Commission has told its staff to start using end-to-end encrypted messaging app Signal to increase the security of its communications. The instructions appeared on an internal messaging board in February. The suggestion is that Signal be used for communications between staff and those outside the institution. Signal is generally considered one of the more secure encrypted messaging platforms by cybersecurity specialists.

22 hours ago
Paul Sawers / Venture Beat

HackerOne Paid Out Record $40 Million in Bug Bounties During 2019, Says Eight Hackers Have Earned $1 Million or More in Lifetime Earnings

Bug bounty platform HackerOne paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined, with the community of hackers participating in its program almost doubling during the past year to 600,000 registered hackers. U.S.-based hackers earned 19% of all bounties in 2019, followed by hackers in India (10%), Russia (8%), China (7%), Germany (5%), and Canada (4%), according to the company’s annual report. HackerOne also announced its eighth hacker to have earned $1 million or more in lifetime earnings, while 13 have now earned at least $500,000.

24 hours ago
Charlie Osborne / ZDNet

Open Cybersecurity Alliance Unveils New Framework, OpenDXL Ontology, to Create Common Language Among Cybersecurity Tools

The Open Cybersecurity Alliance (OCA), a consortium of cybersecurity vendors including IBM, CrowdStrike, and McAfee, announced a new language framework called OpenDXL Ontology designed to bridge fragmentation gaps between cybersecurity tools. Now available, OpenDXL Ontology aims to give cybersecurity tools and systems a common language, removing the need for custom integrations between products that are most effective when they communicate with each other, such as endpoint systems, firewalls, and behavior monitors, but that suffer from fragmentation and vendor-specific architectures.

1 day ago
BBC News

Google Warns Users Not to Sideload Google Apps on Newer Huawei Phones Due to Risk

Google has warned users of newer Huawei phones not to bypass the ban on Google apps by “sideloading” them, that is, manually installing copies found online, saying the practice is risky. Recent Huawei devices cannot download the Google Play app store or popular apps such as Gmail, YouTube, or Google Maps because the US government placed Huawei on a trade-restriction list known as the “entity list” in May 2019.

3 days ago
Nandita Bose / Reuters

New Senate Bill Revokes Tech Companies’ Section 230 Immunity From Prosecution If They Use End-to-End Encryption With No Backdoors

A bill proposed by Republican Senator Lindsey Graham, Chairman of the Senate Judiciary Committee, and Democratic Senator Richard Blumenthal, “The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2019,” or the “EARN IT Act,” would eliminate, in certain circumstances, the legal immunity tech providers enjoy under Section 230 of the Communications Decency Act, exposing them to state lawsuits if any of their platforms distribute child sex abuse material. Under the draft legislation, that immunity would be revoked unless companies comply with a set of “best practices” determined by a 15-member commission led by the Attorney General. Critics expect one of those “best practices” to be giving up end-to-end encryption that has no backdoor.

3 days ago
Kate Cox / Ars Technica

New Mexico Sues Google Alleging Its Data Collection From Schoolchildren Violates COPPA, State’s Unfair Practices Act

New Mexico Attorney General Hector Balderas filed a lawsuit alleging that Google’s collection and use of data from schoolchildren in his state violates the Children’s Online Privacy Protection Act (COPPA) and New Mexico’s Unfair Practices Act. Under COPPA, websites, apps, and digital platforms that collect data from young users are required to post a privacy policy and obtain parental consent to it. The goals are to give parents the option to opt out of having their children’s information shared with third parties, to let parents review their children’s data, and to require sound data storage and retention policies. The suit accuses Google of deceiving school districts about its data collection policies and claims it has used its education-oriented program, called Google Education, to “spy on New Mexico children and their families” by collecting personal information for advertising purposes. Google says the state’s lawsuit is factually wrong and that it does not collect data from children for advertising purposes.

3 days ago
Joseph Cox / Motherboard

Google Indexes WhatsApp Group Chat Invite Links So That Random People Can Join Wide Range of Groups Using Google Searches

Google is indexing invite links to WhatsApp group chats whose administrators may want to be private, potentially allowing random people to discover and join a wide range of WhatsApp group chats using particular Google searches. Motherboard tested the proposition and was able to enter several groups, including one WhatsApp group chat that described itself as being for NGOs accredited by the United Nations. WhatsApp says that like all public links, “links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

3 days ago
Lawrence Abrams / Bleeping Computer

Slickwraps Suffered Data Breach, Hacker Claims Access to 9GB of Personal Customer Photos, Credentials, Hashed Passwords and More

Mobile device case retailer Slickwraps has suffered a data breach after a security researcher gained access to its systems and, after receiving no response to emails, publicly disclosed in a now-revoked Medium post how they got in and what data was exposed. In the post, a researcher using the name Lynx states that in January 2020 they were able to gain full access to the Slickwraps web site through a path traversal vulnerability in an upload script used for case customizations. Lynx said they were allegedly able to access employee resumes, 9GB of personal customer photos, the ZenDesk ticketing system, API credentials, and personal customer information such as hashed passwords, addresses, email addresses, phone numbers, and transactions. Lynx said another unauthorized user sent an email to 377,428 customers using Slickwraps’ ZenDesk help desk system. In response, Slickwraps’ CEO apologized for the data breach and promised to do better in the future.
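Added example, not Slickwraps’ code (their upload script is not public): the upload-path pattern that produces this class of bug, beside a hardened version, in Python. The upload root and file names are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical upload root for a case-customisation script; the real
# Slickwraps layout is not public.
UPLOAD_ROOT = "/var/www/uploads/customizations"


def vulnerable_target_path(filename, root=UPLOAD_ROOT):
    """The pattern behind most upload path traversals: the client-supplied
    name is joined onto the upload directory as-is, so '../' segments (or
    their URL-encoded form, once the framework decodes them) walk out of it.
    normpath here only shows where the write would land."""
    return posixpath.normpath(posixpath.join(root, unquote(filename)))


# Allowlist: a short alphanumeric base name plus an image extension.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g)$")


def hardened_target_path(filename, root=UPLOAD_ROOT):
    """Hardened version: decode once, keep only the final path component,
    allowlist its characters, then confirm the resolved target is still
    inside the upload root. A name that fails the allowlist is rejected
    outright rather than 'cleaned'."""
    base = posixpath.basename(unquote(filename).replace("\\", "/"))
    if not SAFE_NAME.fullmatch(base):
        raise ValueError(f"rejected upload name: {filename!r}")
    root_abs = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_abs, base))
    # Containment check: belt and braces on top of the allowlist, and the
    # check that matters if the allowlist is ever loosened.
    if posixpath.commonpath([root_abs, target]) != root_abs:
        raise ValueError("path escapes upload root")
    return target


def is_rejected(filename):
    """True if the hardened handler refuses this name."""
    try:
        hardened_target_path(filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for name in ("design.png", "../../../../etc/passwd", "..%2F..%2Fshell.php"):
        print(name, "->", vulnerable_target_path(name),
              "| hardened:", "rejected" if is_rejected(name) else hardened_target_path(name))
```

In a real handler the file should also be created with an exclusive-create flag so an existing file is never overwritten, and uploads should live outside the web root so a stray `.php` or `.html` is never executed or served as a page.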

4 days ago
Ryan Grim / The Intercept

Feds Arrest Man Tied to Katie Hill Campaign in Connection With DDoS Attacks Against Hill’s Opponents

Federal agents arrested Arthur Dam, a “graphic design and website security consultant” to Democrat Katie Hill, who successfully ran for Congress in 2018, in connection with a series of DDoS attacks against Hill’s opponents. Dam’s wife worked for Katie Hill. The FBI traced the attacks to an Amazon Web Services account tied to the email address preatorian_@hotmail.com; the credit card used to pay for the service was listed under Dam.

4 days ago
Craig Silverman / Buzzfeed News

Google Removes Nearly 600 Apps from Play Store, Bans Developers in Massive Crackdown on Ad Fraud, Disruptive Mobile Ads

Google removed close to 600 Android apps and banned their developers from the Play Store and Google AdMob and Google Ad Manager for violating its disruptive ads policy and disallowed interstitial policy as part of a massive crackdown on ad fraud and “disruptive” mobile ads. One of the biggest developers banned in the crackdown was Cheetah Mobile, a publicly-traded Chinese company that BuzzFeed News revealed in November 2018 had been engaging in ad fraud. The banned apps, which had been installed more than 4.5 billion times, primarily targeted English-speaking users and were mainly from developers based in China, Hong Kong, Singapore, and India.

5 days ago
Charlie Osborne / ZDNet

Adobe Issues Out-of-Schedule Patches to Fix Critical Vulnerabilities in Adobe Media Encoder, Adobe After Effects

Adobe has released an out-of-schedule fix to resolve two vulnerabilities that may expose user systems to code execution attacks warning that each bug is deemed critical, the highest severity score available. The first vulnerability, CVE-2020-3764, an out-of-bounds write vulnerability, impacts Adobe Media Encoder versions 14.0 and earlier on the Microsoft Windows platform. The second vulnerability, CVE-2020-3765, also an out-of-bounds write vulnerability, impacts Adobe After Effects versions 16.1.2 and earlier on Windows machines. Adobe does not usually issue out-of-band patches unless the flaws at hand are deemed quite serious indeed.

5 days ago
Molly Osberg and Dhruv Mehrotra / Jezebel

Prominent Internet-Based Therapy-on-Demand Apps Share Sensitive Data on User Activity With Social Media Companies, Other Third-Parties

Despite reassuring promises of privacy and encryption, sensitive information users provide to Better Help, one of the most prominent “therapy-on-demand” apps, ends up being shared with third parties all with the ostensible goal of better tracking user behavior, and perhaps giving social media companies an easy way to see who’s feeling depressed. Following its “intake” process, Better Help sends users data to dozens of third parties, monitoring their behavior online and signaling to companies like Facebook and Google and Snapchat and Pinterest that users are considering Better Help treatment. For example, Facebook is alerted every time a person opens the app. During therapy sessions, metadata from every message, though not its contents, is also sent to the social media company, meaning that Facebook knows what time of day users go to therapy, their approximate location, and how long they chat on the app. Other third parties, including a research and analytics firm, MixPanel, receive far more granular data from the Better Help app. Other online mental health services apps such as Talk Space also share detailed and sensitive user information with third parties. These data-sharing practices are buried deep in user agreements with the likelihood that most users are unaware that data about their personal communications on sensitive topics is being shared widely across the internet.

5 days ago
Ionut Ilascu / Bleeping Computer

Industrial Control Systems Became a Larger Target for a Growing Number of Sophisticated Threat Actors in 2019, Three New Groups Identified Last Year, Report

Industrial control systems (ICS) across the world became a larger target in 2019 as researchers discovered new threat actors attacking this sector while old ones evolved and expanded their operations, ICS security firm Dragos said in its 2019 ICS Year in Review report. Most of the ICS attackers are sophisticated and frequently target oil and gas, electric power, and water suppliers. The ICS attackers are looking to cause damage or disrupt operations, according to Dragos. Among the new ICS threat actors to emerge last year are Hexane (a.k.a. Lyceum), mostly focused on oil and gas companies in the Middle East; Parisite, focused on several industrial sectors including aerospace; and Wassonite, which has been active since 2018 and is responsible for the attack on the Kudankulam Nuclear Power Plant in India noticed on September 4. Including previously discovered threat actors, Dragos is now tracking 11 industrial threat groups.

5 days ago
Dean Takahashi / Venture Beat

Cybercriminals Are Targeting APIs at Financial Services Firms to Avoid Front-End Defenses, Up to 75% of Credential Abuse Attacks Target APIs, Akamai

Cybercriminals are targeting application programming interfaces (APIs) at financial services firms, with up to 75% of all credential abuse attacks against the financial services industry aimed directly at APIs, Akamai says in its most recent State of the Internet report. Criminals use bots and tools that allow threading, or multiple simultaneous connections, attempting numerous logins at once; by going through APIs they hope to avoid some front-end defenses and speed up the time it takes to validate stolen credentials. From December 2017 through November 2019, Akamai observed 85.42 billion credential abuse attacks. Nearly 20%, or 16.55 billion, were against hostnames clearly identified as API endpoints. Of these, 473.5 million targeted organizations in the financial services industry.
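Added example, not Akamai’s code or data: a detector in Python for the pattern described, many distinct logins from one source against a login endpoint with a high failure rate, run over constructed log lines in a made-up format. The success in the middle of the bot’s run is the “validated” credential the attacker was after, and the one a defender most needs to act on.

```python
import re
from collections import defaultdict
from datetime import datetime

# One line per authentication attempt. Constructed format for this example,
# not Akamai's or any vendor's:
#   <iso-timestamp> <client-ip> <host> <method> <path> <status> user=<login>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)

# Both the browser-facing and the API login routes count; attackers prefer
# the latter because it sits behind fewer front-end controls.
LOGIN_PATHS = {"/login", "/api/v1/auth/login"}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    e["status"] = int(e["status"])
    return e


def detect_credential_stuffing(lines, min_users=5, min_fail_ratio=0.8, window_s=60):
    """Flag source IPs that, within one window, try many *different* logins
    against a login endpoint with a high failure rate. A user who mistypes
    a password fails repeatedly on one account; a stuffing bot validates a
    list, so the distinct-user count is the discriminating signal.
    Returns {ip: stats} for flagged sources."""
    by_ip = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] in LOGIN_PATHS:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window: evaluate the window_s-second span starting at each event.
        for i, start in enumerate(events):
            window = [e for e in events[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= window_s]
            users = {e["user"] for e in window}
            failures = sum(1 for e in window if e["status"] in (401, 403))
            ratio = failures / len(window)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                span = max((window[-1]["ts"] - start["ts"]).total_seconds(), 1.0)
                flagged[ip] = {
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failure_ratio": ratio,
                    "rate_per_s": len(window) / span,  # threading shows up here
                    "hosts": sorted({e["host"] for e in window}),
                    # Successes inside a stuffing run are validated credentials.
                    "validated": sorted(e["user"] for e in window if e["status"] == 200),
                }
                break
    return flagged


# Constructed sample: one bot threading eight logins at the API host in two
# seconds (one succeeds), and one legitimate user retyping a password.
SAMPLE_LOG = [
    "2020-02-25T10:00:00Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=alice@example.com",
    "2020-02-25T10:00:00Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=bob@example.com",
    "2020-02-25T10:00:00Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=carol@example.com",
    "2020-02-25T10:00:01Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 200 user=dave@example.com",
    "2020-02-25T10:00:01Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=erin@example.com",
    "2020-02-25T10:00:01Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=frank@example.com",
    "2020-02-25T10:00:02Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=grace@example.com",
    "2020-02-25T10:00:02Z 203.0.113.5 api.bank.example POST /api/v1/auth/login 401 user=heidi@example.com",
    "2020-02-25T10:00:05Z 198.51.100.7 www.bank.example POST /login 401 user=ivan@example.com",
    "2020-02-25T10:00:20Z 198.51.100.7 www.bank.example POST /login 401 user=ivan@example.com",
    "2020-02-25T10:00:41Z 198.51.100.7 www.bank.example POST /login 200 user=ivan@example.com",
    "2020-02-25T10:00:50Z 198.51.100.7 www.bank.example GET /api/v1/accounts 200 user=ivan@example.com",
]

if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The thresholds are deliberately crude; in production they would be tuned per endpoint, and the `hosts` field is there so an alert on the API hostname can be routed differently from one on the web front end, which is the gap the Akamai report is describing.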

5 days ago
Shannon Vavra / Cyberscoop

CrowdStrike CTO and Co-Founder Alperovitch Has Left the Company to Launch Non-Profit Policy Accelerator

Dmitri Alperovitch, CrowdStrike’s chief technology officer and co-founder, has left the company to launch a non-partisan, non-profit policy accelerator, he announced in a tweet. Under his leadership, CrowdStrike gained prominence for attributing the 2016 Democratic National Committee breach to two Russian APT groups, known as Cozy Bear and Fancy Bear. Michael Sentonas of CrowdStrike will assume the role of the company’s chief technology officer.

Podcasts

7 hours ago
Security Ledger

Episode 176: Security Alarms in Census II Open Source Audit. Also: The New Face of Insider Threats with Code42

Topics include the security implications of the recently released Census II audit of open source software and how tools like Slack and Microsoft Teams are revolutionizing how workers collaborate and communicate but also make it easier than ever for employees or malicious insiders to abscond with sensitive information.

7 hours ago
ISC StormCast

ScrollToTextFragment Google Chrome; WhatsApp Invite Links @JordanWildon; OpenSMTPD again

Johannes Ullrich talks about ScrollToTextFragment, Privacy Concerns in Google Chrome 80, Another OpenSMTPD Vulnerability, WhatsApp Group Invite Links in Search Engines.

7 hours ago
BBC Tech Tent

US tells the UK to think again on Huawei 5G

America’s top cyber-security official tells us that the US is still working to get Britain to change its mind and drop Huawei tech from its 5G networks.

7 hours ago
Cyberlaw Podcast

Episode 301: Ratchet to Disaster

Conservative lawyers and tech experts discuss recent developments, including the Internet content regulation problem and Section 230 of the Communications Decency Act, and how Google’s effort to stamp out ad click fraud can generate a secondary form of criminal extortion. Ben Buchanan talks about his new book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics.

7 hours ago
Detections

Detections and the Chamber of SOC Detections

Topics include ownership of a SOC. Co-managing can be difficult as we humans tend to be difficult when interacting with one another.

8 hours ago
SwigCast

EPISODE 5: EDUCATION

Daniel Dresner, current Academic Cyber Security lead at the University of Manchester talks about cybersecurity education and the benefits of obtaining a university degree.

Cybersecurity Events

Dates | Event | Location | Country
Feb. 24-28 | RSA Conference | San Francisco, CA | USA
Mar. 2-3 | SANS Cyber Threat Intelligence Summit | Orlando, FL | USA
Mar. 2-9 | Blue Team Summit & Training 2020 | Louisville, KY | USA
Mar. 3-5 | Nullcon Goa | Goa | India
Mar. 5-7 | RootedCon | Madrid | Spain
Mar. 10-13 | WWHF SAN DIEGO 2020 | San Diego, CA | USA
Mar. 12-14 | WiCyS 2020 Conference | Aurora, CO | USA
Mar. 19-20 | Insomnihack | Geneva | Switzerland
Mar. 30-Apr. 1 | CyberCon2020 | Anaheim, CA | USA
Mar. 30-Apr. 1 | InfoSec World | Lake Buena Vista, FL | USA
Apr. 2-3 | Cyphercon 5.0 | Milwaukee, WI | USA
Apr. 4-5 | BSidesCharm | Baltimore, MD | USA
Apr. 6-9 | SAS 20 | Barcelona | Spain
Apr. 15-20 | Defcon China | Beijing | China
May 1-3 | CackalackyCon2 | Chapel Hill, NC | USA

