Latest News

21 hours ago
Rachel Weiner / Washington Post

Latvian Computer Programmer Sentenced to 14 Years in Federal Prison for Creating, Running Scan4You Service

Latvian computer programmer Ruslan Bondars was sentenced to 14 years in prison for creating and running a service named Scan4You that allowed malware developers to check the detection rates of their malicious code, including some used in the 2013 Target breach. Bondars was found guilty at a May trial in federal court in Alexandria, Virginia, during which a co-conspirator said they both had worked with Russian law enforcement.

1 day ago
Lawrence Abrams / Bleeping Computer

For Over a Year, Twitter Bug Mistakenly Sent Around 30 Million Users’ Direct Messages, Private Tweets to Unauthorized Twitter Developers

Twitter said that from May 2017 to September 10th 2018, a bug in their API may have caused users’ private direct messages or protected tweets to be sent to Twitter developers who were not authorized to view them. Twitter said the bug was fixed within hours of discovery and that it affected less than 1% of Twitter users, or approximately 30 million people.

2 days ago
Cynthia Brumfield / Metacurity

Friday Report: Offensive Cyber Efforts Are All the Rage, Another Credit Card Skimming Malware Incident, Tech Companies Ride to the Election Rescue

Welcome to Metacurity’s Friday report, where we wrap up the week’s infosec news based on the top themes that dominated the week.

One of the most important trends to emerge this week is that nation-state policies toward cyber activity are suddenly turning more aggressive. First, the Pentagon issued its newly revised cyber strategy, which calls for a more aggressive, “defend forward” stance against foreign attackers, saying the military will “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” (Read the rest of the report here.)

2 days ago
BBC News

Scottish Arran Brewery Hit by Ransomware Attack That Came Through Tainted Resumes

A Scottish brewery, Arran Brewery, was locked out of its own computer system after a phishing link infected the firm with ransomware. The attackers demanded two bitcoins, worth a total of £9,600, to restore the locked and encrypted files, but Arran declined to pay, despite being locked out of three months’ worth of sales data from one server. The phishing link came via an email response to an employment ad placed by Arran, with a number of received resumes tainted by the malware. Arran hired a consultant to rid its system of the malware and is in the process of restoring its files.

2 days ago
John D. McKinnon and Douglas MacMillan / Wall Street Journal

Google Confirms That Third-Party App Developers Can Scan, Share Data Obtained From Users’ Emails

Responding to a letter from Republican Senator John Thune, chairman of the Senate Commerce Committee, Susan Molinari, vice president of Google’s America public policy and government affairs, said the company allows third-party app developers to scan users’ emails even though Google itself abandoned the practice a year ago. Moreover, app developers are free to share data obtained from users’ emails so long as they are transparent about how they are using the data.

2 days ago
Lawrence Abrams / Bleeping Computer

Microsoft Windows’ Jet Database Engine Has a Zero-Day Remote Code Execution Flaw

A zero-day vulnerability in the Microsoft Windows Jet Database Engine could allow attackers to perform remote code execution on a vulnerable machine, researchers at Trend Micro’s Zero Day Initiative report. To launch the attack, a specially crafted Jet database file would need to be opened, which would then perform an out-of-bounds write to the program’s memory buffer. This vulnerability has been assigned the ZDI-18-1075 ID but Microsoft has not yet released a patch for the flaw. The only method of protecting against the bug until Microsoft does issue a security update is to only open trusted Jet database files.

2 days ago
Lucy Fisher / The Times

UK, With Help From U.S. and Allied Nations, Launched Secret Cyber Offensive, ‘Glowing Symphony,’ Against Islamic State, Sources

The UK’s GCHQ and military forces, alongside the U.S. and other allied nations, tested new cyberweapons against the Islamic State in Syria and Iraq in a secret offensive campaign known as Glowing Symphony, according to sources. The effort used new capabilities to spread malware to block jihadists’ access to data, along with techniques to block the terrorists’ cash transactions, and disseminated fake news to sow confusion among Islamic State supporters. In addition, Glowing Symphony destroyed “many, many terabytes” of Islamic State data used in propaganda campaigns, leading to a marked drop-off in the quantity and quality of its propaganda.

2 days ago
Lucy Fisher / The Times

UK’s Ministry of Defence, GCHQ Will Launch Offensive Joint Cyber Force Unit With 2,000 ‘Digital Warriors’

The UK’s Ministry of Defence and the nation’s chief intelligence agency GCHQ plan to launch a £250 million-plus (around $327 million) offensive cyber force unit that will comprise about 2,000 digital warriors, with experts recruited from the military, security services and industry, according to sources. The creation of the new unit will quadruple the number of personnel in offensive cyber-roles. The new unit has been given the working name “joint cyber-force” and will have its own headquarters with possible locations at RAF Wyton in Cambridgeshire and MoD Corsham in Wiltshire.

2 days ago
Richard Chirgwin / The Register

Defunct Retailer NCIX’s Unwiped Servers, Storage Kit, Desktops Sold on Craigslist, Contained 258,000 Customers’ Credit Card Payment Details in Plaintext

Eighteen Dell PowerEdge boxes, plus storage kit and 300 desktop machines, that once belonged to defunct Canadian gadget retailer NCIX turned up on the second-hand market without being wiped, and the customer data contained in them was sold overseas, Travis Doering of Privacy Fly discovered. Among a wealth of data, the servers, kit and desktops contained full credit card payment details in plain text for 258,000 customers. The equipment was seized by NCIX’s landlord to compensate for CA$150,000 in overdue rent and was sold at auction to another person, who then offered it all for sale on Craigslist. The database files were unencrypted and dated back to 2007. The contact person for the sale, identified only as “Jeff,” said that he’d sold NCIX data to more than one overseas customer for $15,000 per buyer.

2 days ago
Donie O'Sullivan and Alex Marquardt / CNN

Google Confirms It Told Wyden About Foreign Hackers Targeting Senators, Staff

Google has admitted that it is the company that notified Senator Ron Wyden (D-OR) that an unspecified number of US senators and Senate staff have been targeted by foreign government hackers. Wyden sent a letter earlier this week to Senate leadership saying that “at least one major technology company has informed a number of Senators and Senate staff members that their personal email accounts were targeted by foreign government hackers.” Google says it sends these notices out of an abundance of caution and not necessarily to convey that the accounts had been compromised.

2 days ago
Zack Whittaker / TechCrunch

AdGuard Reset All User Passwords in Face of Credential Stuffing Attack

Popular ad-blocker AdGuard has reset all user passwords after experiencing what appeared to be a credential stuffing attack, an attack where hackers attempt to use a database of stolen credentials in a rapid-fire automated attempt to break into accounts. AdGuard said it stopped the attack through rate-limiting, which slows down how often the attempts can be made. Some accounts, however, were improperly accessed during the attack. AdGuard said it now has set stricter password requirements and connects to Have I Been Pwned, a breach notification database set up by security expert Troy Hunt.

2 days ago
Spencer S. Hsu / Washington Post

Romanian Woman Pleads Guilty in Hacking of D.C. Police Surveillance Cameras

A Romanian woman, Eveline Cismaru, pleaded guilty in connection with the hacking of 126 D.C. police surveillance cameras days before the 2017 presidential inauguration as part of an extortion scheme. Cismaru was part of a group of hackers that planned to take over the cameras to use them to email ransomware to 179,600 accounts. Cismaru pleaded guilty to two of 11 counts and agreed to cooperate against a co-defendant. If her cooperation is substantial, she will receive less than the 24 to 30 months suggested under sentencing guidelines.

2 days ago
Christopher Bing / Reuters

New White House National Cybersecurity Strategy Focuses on Offensive Measures As Deterrence

The White House has released an updated national cybersecurity strategy aimed at shaping how the Administration maneuvers in defensive and offensive cybersecurity situations, with a new emphasis on offensive measures against foreign adversaries. White House National Security Adviser John Bolton said the policy shift toward offensive measures is meant as a deterrent to adversaries. The updated strategy also references a broad set of anodyne cybersecurity goals such as the need to develop global Internet policies and boost the cybersecurity workforce.

3 days ago
Catalin Cimpanu / Bleeping Computer

Chinese Police Arrested Hacker Who Tried to Sell Hundreds of Millions of Huazhu Hotels’ Guest Records

China-based hotel chain Huazhu Hotels Group Ltd announced this week that Shanghai police arrested the hacker who was selling over 500 million records of its customers on the dark web. The man’s name wasn’t released but local reports suggest the hacker is a 30-year-old man named Liu. The hacker tried to sell the data on the dark web in mid-August, asking for 8 Bitcoin, worth around $56,000 at the time. The stolen data included 240 million pieces of content related to hotel stays such as name, credit card details, and mobile number and 123 million pieces of registration data recorded on the group’s official website such as userID and login pin, along with 130 million pieces of check-in data, including birthday and home address. The hotel chain said Liu was unsuccessful in selling the stolen data.

3 days ago
Charlie Osborne / ZDNet

Testing Company NSS Files Antitrust Suit Against CrowdStrike, Symantec and ESET Alleging Product Testing Conspiracy

Security product testing company NSS Labs has filed an antitrust lawsuit in the U.S. district court in Northern California against CrowdStrike, Symantec, and ESET, alleging that the three firms have conspired to restrict independent product testing through Anti-Malware Testing Standards Organization (AMTSO) membership. The lawsuit alleges that the cybersecurity firms are actively conspiring to prevent independent testing that uncovers product deficiencies, so that consumers do not find out about them, according to NSS’s CEO Vikram Phatak. Phatak alleges that AMTSO’s idea of “fair and useful” testing is inherently flawed because it is driven by the same security vendors whose products are being tested. NSS specifically cites CrowdStrike, pointing to clauses in end-user licensing agreements (EULA) which allegedly prevent tests occurring without the firm’s permission. CrowdStrike says the suit is baseless and that NSS is a for-profit, pay-for-play testing organization that obtains products through fraudulent means.

3 days ago
Lawrence Abrams / Bleeping Computer

Adobe Issues Out-of-Band Security Update for Critical Code Execution Vulnerability in Acrobat, Reader

Adobe released an out-of-band security update for a critical vulnerability in Adobe Acrobat and Adobe Reader to resolve an out-of-bounds write vulnerability that could lead to code execution. This update follows last week’s release by Adobe of fixes for six out-of-bounds read vulnerabilities that could lead to information disclosure. The code execution vulnerability (CVE-2018-12848) was reported to Adobe by Check Point Software.

3 days ago
Frank Bajak and Raphael Satter / Associated Press

Wyden: Personal Email Accounts of Senators and Aides Have Been Targeted by Foreign Government Hackers

Senator Ron Wyden (D-OR) said in a letter to Senate leaders that his office discovered that “at least one major technology company” has warned an unspecified number of senators and aides that their personal email accounts were “targeted by foreign government hackers.” The targeting took place within the last few weeks or months but the Senate’s Office of the Sergeant at Arms, which oversees Senate security, informed legislators and staffers that it has no authority to help secure personal, rather than official, accounts. Wyden has proposed legislation that would allow the security office to offer digital protection for personal accounts and devices.

3 days ago
BBC News

UK Fines Equifax $664,000 for Failing to Protect Personal Data of 15 Million Brits in 2017 Data Breach

The UK’s Information Commissioner’s Office (ICO) has fined Equifax £500,000 (around $664,000) for failing to protect the personal data of 15 million UK customers in the credit rating agency’s massive 2017 data breach, which exposed detailed personal information on 146 million people worldwide. The ICO said that Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data and that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

3 days ago
Catalin Cimpanu / ZDNet

Bitcoin Core Developers Issue Emergency Patch for Severe Denial-of-Service Flaw

The Bitcoin Core team issued an emergency patch for a severe vulnerability in the software that underpins the entire Bitcoin network. The vulnerability is tracked as CVE-2018-17144 and is categorized as a simple “denial of service” (DoS) issue, although its impact is more severe than the category suggests because it can take down enough nodes to cause a 51% attack on the Bitcoin network and manipulate transactions. The patch was also ported to Litecoin, a currency that began as a fork of the original Bitcoin project code.

3 days ago
Gearoid Reidy and Sophie Jackman / Bloomberg

Hackers Stole $60 Million in Cryptocurrency From Japanese Exchange Zaif

Hackers last week stole $60 million worth of Bitcoin, Monacoin and Bitcoin Cash from Tokyo-based cryptocurrency exchange Zaif, owned by Osaka-based Tech Bureau Corp. About 2.2 billion yen ($19.6 million) of the stolen coins belonged to the exchange, with the rest belonging to exchange users. Withdrawals and deposits have been halted at Zaif with no determination as to when it will resume normal activities. Tech Bureau pledged to compensate users who lost assets in the hacking, and immediately signed an agreement with investment support services company Fisco aimed at receiving 5 billion yen in financial support in exchange for selling the majority of the company.

Podcasts

2 days ago
The Deception Chronicles

Episode 71: Mark Godsland

Mark Godsland, Cyber Protect Officer at Thames Valley Police, talks about developing and delivering a cyber-protect strategy across the force.


2 days ago
ISC StormCast

OSSEC Hunting; NSSLabs; Bitcoin DoS; WebAuthn

Johannes Ullrich talks about Hunting for Suspicious Processes with OSSEC, NSSLabs Sues Crowdstrike, Symantec, ESET, Bitcoin Core Vulnerability, WebAuthn Standard.


2 days ago
Risky Business feature

iOS exploits just got a lot more expensive

Patrick Gray talks with Chris Wade of Corellium, an iOS emulator, and Dr. Silvio Cesare of Infosect about the introduction of pointer authentication on the latest Apple iPhones, a development that flew under the radar of most of the infosec media but is significant because it is going to basically wipe out ROP exploits as we know them.


2 days ago
Smashing Security

096: Bribing Amazon staff, and blinking deepfakes

Graham Cluley and Carole Theriault, joined this week by David Bisson, talk about the week’s top news, including Amazon staff being bribed to delete negative reviews and leak data, deepfakes getting more dangerous, an update on John McAfee’s bitcoin bet and more.



Cybersecurity Events

Sept. 27 | Secure CISO Los Angeles | Los Angeles, CA | USA
Sept. 28-29 | CactusCon | Mesa, AZ | USA
Sept. 29 | INDIAN CYBER CONGRESS | Tirupati, Andhra Pradesh | India
Oct. 1-4 | FireEye Cyber Defense Summit | Washington, DC | USA
Oct. 3-4 | Derbycon | Louisville, KY | USA
Oct. 3-5 | Privacy and Security Forum | Washington, DC | USA
Oct. 3-15 | Virus Bulletin | Montreal | Canada
Oct. 4 | Secure CISO Munich | Munich | Germany
Oct. 5 | BourbonCon | Louisville, KY | USA
Oct. 5-6 | c0c0n | Kochi | India
Oct. 8-11 | HackIT 4.0 | Kyiv | Ukraine
Oct. 10-11 | SecureWorld Dallas | Dallas, TX | USA
Oct. 10-12 | BroCon | Arlington, VA | USA
Oct. 11 | Secure CISO Charlotte | Charlotte, NC | USA
Oct. 11 | Secure CISO London | London | UK

