Latest News

9 hours ago
Samuel Gibbs / The Guardian

Google Sued for $4.3 Billion in the UK over ‘Safari Workaround’ That Collected Information from 4.4 Million iPhone Users

Representing a group called Google You Owe Us, former Which? director Richard Lloyd is suing Google in the UK’s High Court in a collective action, akin to a class-action suit, for as much as £3.2bn (or around $4.3 billion) for the alleged “clandestine tracking and collation” of personal information from 4.4 million iPhone users in the UK. The suit centers on the so-called “Safari Workaround” discovered by a security researcher which allowed Google to bypass the privacy settings of Apple’s Safari browser on iPhones between August 2011 and February 2012 in order to divide people into categories for advertisers. Google has already paid $39.5 million to settle claims in the US relating to the practice. Google argues that Lloyd is not the right representative to bring this action and claims the Safari Workaround resulted in no information being disclosed to third parties nor is it possible to identify who was affected by the practice.

10 hours ago
Danny Palmer / ZDNet

‘Roaming Mantis’ Malware Expands Into New Regions, Now Targets iOS Devices and Mines for Cryptocurrency

Newly updated malware, dubbed Roaming Mantis, has added iOS device phishing and cryptocurrency mining to its arsenal and expanded its geographic scope from Southeast Asia to encompass Europe and the Middle East, researchers at Kaspersky Lab report. The operators behind the malware have further expanded attacks to cater for 27 different languages, including English, Spanish, Hebrew, Chinese, Russian and Hindi, to help coordinate successful infections. The attacks spread through DNS hijackings, rerouting users to rogue sites where a pop-up encourages them to download malicious files. The newly added Apple redirect mimics the Apple website. Although Kaspersky has measured only 150 Roaming Mantis attacks, the true number may be far higher given that DNS hijacking makes it difficult to identify the true number.

10 hours ago
BBC News

University of Greenwich Hit with £120,000 Fine for 2013 Data Breach, First University to Receive Fine Under UK’s Data Protection Act

The first university to receive a fine under the UK’s Data Protection Act of 1998, the University of Greenwich, has been fined £120,000 ($160,000) by the country’s Information Commissioner for a 2013 data breach in which the personal data of 19,500 students was placed online. The exposed data included names, addresses, dates of birth, phone numbers, signatures and – in some cases – physical and mental health problems. In some cases, the stolen information included individual students’ study progress, including reasons why they had fallen behind, and copies of emails between them and staff.

13 hours ago
Chance Miller / 9to5Mac

Apple Shuts Off CallKit-Enabled Apps in China’s App Store, Tells Developers to Remove Integration

Following its removal of VPN apps in China, Apple is now removing applications in its Chinese app store that use the CallKit framework in the Internet-restrictive country in response to newly enforced regulation from the Chinese Ministry of Industry and Information Technology. Apple has started sending notices to developers who offer apps in China with CallKit integration telling them they must remove the CallKit integration. CallKit was introduced in iOS 10 as a way for developers to integrate calling services with other call-related applications, providing the calling interface but allowing developers to handle the back-end integration with VoIP service.

15 hours ago
Stacy Cowley / New York Times

Big Banks Adopt Military Approach to Cybersecurity, Opening ‘Fusion Centers,’ Hiring Ex-Counterintelligence Officials, Cyberspies

Top banks, including Citigroup and Wells Fargo and regional players such as Bank of the West, have in recent years adopted military-like strategies to deal with cybercrime, opening fusion centers, a military-oriented collaborative effort of two or more agencies that provide resources, expertise and information to the center with the goal of maximizing their ability to detect, prevent, investigate, and respond to criminal and terrorist activity. Former government cyberspies, soldiers and counterintelligence officials now populate the ranks of banks’ security teams in intelligence hubs similar to those used in counterterrorism work. The financial sector has created its own version of combat drills, Quantum Dawn, a biennial simulation of a catastrophic cyberstrike which attracted 900 participants from 50 banks, regulators and law enforcement agencies during its most recent effort last year. The Financial Services Information Sharing and Analysis Center has launched a fail-safe measure called Sheltered Harbor, which went into operation last year, to help banks recover from a devastating cyberattack.

1 day ago
Zack Whittaker / ZDNet

Monitoring App Used by Parents, TeenSafe, Leaked Tens of Thousands of Accounts of Both Parents and Children

A mobile app, TeenSafe, which claims to be a “secure” monitoring app of children’s text messages and locations, among other surveillance-like activity, has leaked tens of thousands of accounts of both parents and children, UK-based security researcher Robert Wiggins discovered. Wiggins found two unsecured AWS servers used by TeenSafe, both of which were pulled offline after ZDNet reported the security hole to the company. TeenSafe claims it has a million customers using its service.

2 days ago
Cyrus Farivar / Ars Technica

Real-Time User Location Data Supplier LocationSmart Under Investigation by FCC, Wyden Says FCC Chairman Should Recuse Himself

LocationSmart, the California firm that suddenly finds itself amid high controversy because it supplies mobile phone users’ real-time location data to third parties and recently was discovered to be leaking mobile users’ real-time location data from one of its websites, is now under investigation by the Federal Communications Commission’s (FCC) Enforcement Bureau. Sen. Ron Wyden (D-OR) said the “location aggregation industry” has functioned with “essentially no oversight.” Wyden also called on FCC Chairman Ajit Pai, who served in 2012 as an attorney for Securus, one of the companies LocationSmart supplied with data, to recuse himself from any related investigation.

2 days ago
BBC News

UK Minister Aims to Introduce Legislation to Tame ‘Wild West’ Culture of Social Media, Internet

UK Secretary for Culture, Media and Sport Matt Hancock said that the failure of ten of fourteen social media giants to appear before the government to talk about social media problems is a “big impetus” to introduce legislation to tame what he called the Internet’s “Wild West” culture. Speaking on BBC One’s Andrew Marr show, Hancock pressed for new laws on age verification for user access to some content and said that companies can be fined up to 4% of their global turnover under the Data Protection Bill moving through Parliament, which could amount to $1 billion or more for some companies, if they don’t abide by the age verification requirements in that bill. Hancock also said the government would publish later this year a policy document that sets out proposals for future legislation regulating social media companies.

3 days ago
Cynthia Brumfield / Metacurity

Friday Report: Cybercrims Face Reckoning, WH Not Overly Concerned About Cybersecurity, Data Leaking Everywhere

Welcome to Metacurity’s Friday Report where we try to wrap things up for the week to help you make sense of the never-ending stream of cybersecurity news.

Prosecutors and law enforcement across the globe may be trying to clear the decks for their summer vacations or something but this past week had a lot of news about cybercriminals facing their legal reckonings. First, a Serbian man accused of having ties to the hacking syndicate known as “The Dark Overlord” was arrested in Belgrade in an international operation conducted by the FBI. The Dark Overlord got down to a lot of nasty business over the past few years, including hacking Netflix and sending death threats to schools. (Read the rest of the report here.)

3 days ago
Music Business Worldwide

Tidal Music Platform Investigating Possible Data Breach Amid Allegations of Inflated Streaming Numbers for Kanye, Beyonce

Jay-Z’s streaming music platform Tidal has hired an “independent, third party cyber-security firm” to investigate a possible data breach. The platform is currently in the midst of a controversy over allegations that it inflated streaming numbers for Kanye West’s The Life Of Pablo and Beyoncé’s Lemonade in order to increase those artists’ royalties at the expense of other artists. Tidal denies those allegations, which were made by Norwegian newspaper Dagens Næringsliv, which claims it obtained data on a hard drive that purports to contain “billions of rows of [internal TIDAL data]: times and song titles, user IDs and country codes,” in addition to a forensic report of this data from the Center for Cyber and Information Security (CCIS) at the Norwegian University of Science and Technology. Tidal has said that the data used by the newspaper was stolen.

3 days ago
Charlie Osborne / ZDNet

Brutal Cryptocurrency Mining Malware Crashes PCs When Encountered by ‘Weaker’ Anti-Virus Software

A new form of cryptocurrency mining malware, dubbed WinstarNssmMiner, crashes computer systems the moment “weaker” anti-virus software solutions attempt to remove it, researchers at 360 Total Security report. The malware quits its operations automatically if “decent” anti-virus solutions discover it. However, if less-than-ideal anti-virus software encounters the malware, the crash process begins and victims have to contend with crippling slowness and blue screens while the malware continues its mining.

3 days ago
Rachel Weiner / Washington Post

Alleged Syrian Electronic Army Hackers Indicted on Eleven Counts of Wire Fraud, Identity Theft

Two Syrian hackers who promoted the Syrian government by compromising media coverage as part of a group called the “Syrian Electronic Army” were indicted Thursday in Alexandria federal court on 11 counts of wire fraud and aggravated identity theft. The hackers, Ahmad Umar Agha, known online as “The Pro,” and Firas Dardar, known as “The Shadow,” are still at large and believed to be in Syria. A co-conspirator, Peter Romar, was extradited from Germany and pleaded guilty in 2016. All three were charged two years ago with carrying out online attacks in support of Syrian President Bashar al-Assad. The hackers compromised media accounts by stealing credentials via spearphishing techniques and then would deface media websites with messages in support of Assad. The Washington Post, CNN, the Associated Press, NPR, the Onion, Human Rights Watch, NASA, Microsoft and the Executive Office of the President were all victims of the spearphishing attacks. The hackers also used the stolen credentials to disrupt access to The Post, the New York Times, Marines.com and HuffPost.

4 days ago
Zack Whittaker / ZDNet

Security Researcher Anonymously Reports Serious Bug in Password Manager Keeper That Could Have Allowed Access to Users’ Private Data

Password manager Keeper, which has fallen out of favor among infosec professionals for suing a journalist who accurately reported a bug in its software, has fixed a flaw that a security researcher claimed could have allowed access to a user’s private data. The bug, filed anonymously by the researcher to a public security disclosure list, allowed anyone controlling Keeper’s API server to gain access to the decryption key to a user’s vault of passwords and other sensitive information.

4 days ago
Thomas Fox-Brewster / Forbes

Malware Made by ‘Sun Team’ Masqueraded as Apps on Google Play Store and Was Promoted via Facebook to Target North Korean Defectors

A mysterious hacker crew dubbed the Sun Team has attempted to infiltrate the Android phones of North Korean defectors via phishing attempts on Facebook and malware hosted on Google Play, researchers at McAfee report. The Sun Team infiltrated Google Play with two supposed but fake security applications, Fast AppLock and AppLockFree, and another application that was related to food ingredients. The fake applications were posted on Facebook groups associated with defectors between January and March by a fake profile set up by the Sun Team or delivered via private messages on the social network. Google has taken down the spy tools but they remained active on Google Play for two months and received around 100 downloads, which might be a success considering who the targeted victims are. Facebook said it has taken action and notified the targets.

4 days ago
Nina Agrawal / Los Angeles Times

Highly Sensitive Data from LA County Health and Human Services Nonprofit Exposed in Unsecured AWS Server

Sensitive data from 211 L.A. County, a nonprofit assistance organization that provides information and referrals for all health and human services in LA County, was publicly exposed online, researchers at Upguard discovered and county officials confirmed. The data had been kept in an unsecured AWS repository maintained by 211 L.A. County and included information about Social Security numbers, addresses and sensitive notes about calls regarding mental health and abuse. The exposed data also included names, email addresses and weakly encrypted passwords of users operating the 211 system, potentially opening them to attack, according to Chris Vickery of Upguard. Ralph Johnson, L.A. County’s chief information security officer, denied the sensitivity of the leaked information, calling it “innocuous log data” but Upguard provided excerpts from the data which detail notes about an elderly woman with dementia who was allegedly being abused by her son, a meth addict who said she was suicidal and similar highly sensitive information. Bill Kehoe, the county’s chief information officer, said the county “promptly directed” that access to the exposed information be blocked after talking with Upguard.

4 days ago
Brian Krebs / Krebs on Security

Website of Location Data Aggregator LocationSmart Leaked the Precise Locations of Mobile Customers’ Phones in Real Time

LocationSmart, an aggregator of real-time data about the precise location of mobile phone devices, has been leaking these data in real time to anyone via a flawed website that required no password, authentication or authorization. LocationSmart was revealing the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards on a demo tool offered by the company. The tool was taken down after journalist Brian Krebs contacted the company to inform them of the flaw. Krebs learned of the problem from Robert Xiao, a security researcher at Carnegie Mellon University, who poked around the demo site and discovered that it failed to perform basic checks to prevent anonymous and unauthorized queries. The location data was provided to LocationSmart by the mobile carriers without customers’ consent, the latest in a string of revelations about the privacy flaws in the carriers’ legal ability to sell location data to third-party companies such as LocationSmart.

4 days ago
Peter Bright / Ars Technica

In Anticipation of a World Where HTTPS is the Default, Google Plans to Do Away with ‘Secure’ Indicator in Chrome

Starting in September, Google’s Chrome browser will no longer mark HTTPS sites as “Secure” because Google is anticipating a world where HTTPS is the default. Google will instead label sites that do not use HTTPS as “Not Secure” under the theory that only the occasional unsafe site should have its URL highlighted.

4 days ago
Cynthia Brumfield / Metacurity

NTIA’s Redl: It’s Premature to Say How the Administration Will Respond to FCC Rulemaking That Implicates ZTE

(Washington, DC) David Redl, the head of the National Telecommunications and Information Administration, a part of the Department of Commerce, today said that it would be premature to say anything about where the Executive Branch stands on a key rulemaking underway at the Federal Communications Commission (FCC) regarding national security threats to the communications supply chain. “Our statutory role is to serve as the voice of the executive branch at the FCC but right now we are working across the federal government to see if there is a set of comments people would like to make in response to the FCC’s NPRM (Notice of Proposed Rulemaking),” Redl told attendees of a Media Institute luncheon here. (Read more by clicking on headline.)

5 days ago
Catalin Cimpanu / Bleeping Computer

Dutch Police Seize Servers of ‘Bulletproof’ Hosting Provider MaxiDed, Two Men Arrested in Thailand, Bulgaria

Dutch police have seized the servers belonging to “bulletproof” hosting provider MaxiDed for harboring child pornography sites and command and control servers for DDoS botnets, cyber-espionage, malvertising, spam, and malware operations. Launched in 2008 but increasingly marketing itself in cybercrime forums over the past two years, MaxiDed claimed to host nearly 2,500 servers across 30 hosting providers in 82 countries. “Bulletproof” refers to a hosting provider that overlooks illegal activity on the servers it hosts. Simultaneous with the Dutch seizure, Thai police in the province of Chumphon, south of Bangkok, also arrested a Moldavian national who is allegedly the owner of not only MaxiDed but also the file-sharing service through which child pornography content was being shared. At the same time, Bulgarian police arrested a second man, a 37-year-old Moldavian national, suspected of being one of the MaxiDed administrators.

5 days ago
Tom McKay / Gizmodo

Operator of Security Scan-Dodging Malware Scan4You Convicted on Three Counts in Federal Court

Ruslans Bondars, a Latvian “non-citizen” or “citizen of the former USSR who had been residing in Riga, Latvia,” has been convicted on three counts in federal court for helping to run Scan4You, a counter-antivirus tool used by cybercriminals to determine whether their malware would be flagged during routine security scans. Bondars was found guilty of violations of the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and another charge related to computer intrusion for operating Scan4You from 2009 to 2016. In one case that reportedly resulted in $500 million in damages, the developer of a bank account-hijacking malware called “Citadel” integrated parts of the Scan4You API “directly into the Citadel toolkit.” Cybersecurity firm Trend Micro worked with the U.S. Justice Department for three years to bring Scan4You down.

Podcasts

17 hours ago
ISC StormCast

Redis Cryptocoin Mining Worm; Rowhammer over the Network; DrayTek CSRF Exploit

Johannes Ullrich talks about Redis Cryptocoin Mining Worm, Evolving Chrome’s Security Indicator, DrayTek CSRF 0-Day Exploited to Change DNS Servers, Rowhammer Remote Exploit.


17 hours ago
Cyentia Podcast

Episode 9: Phil Roth

Wade Baker and Jay Jacobs talk with Phil Roth, Senior Data Scientist at Endgame, about machine learning in security and the new malware benchmark data Phil released called EMBER.


4 days ago
Smashing Security

078: Hounds hunt hackers, too-human Google AI, and ethnic recognition tech – WTF?

Graham Cluley and Carole Theriault, joined this week by investigative journalist Geoff White, talk about dogs trained to sniff out hackers’ hard drives, facial recognition taking an ugly turn, and whether you should trust Google to book your hair appointment.


4 days ago
ISC StormCast

Claymore Miner Attack; PCI 3.2.1 Released; Keeper Update; Cisco Security Fixes

Johannes Ullrich talks about Claymore Miner Attack, PCI DSS Version 3.2.1 Released, Keeper Releases Update, Cisco Security Update.


Cybersecurity Events

May 20-25 | SANS Cyber Security Training in Reston | Reston, VA, USA
May 26 | HackInBo | Bologna, Italy
May 29-June 3 | SANS Cyber Security Training in Atlanta | Atlanta, GA, USA
May 31 | SC Media RiskSec | New York, NY, USA
June 1 | Security Fest | Gothenburg, Sweden
June 2 | Hak4Kidz | Chicago, IL, USA
June 1-3 | CircleCityCon 5.0 | Indianapolis, IN, USA
June 2-3 | OzSecCon 2018 | Melbourne, Australia
June 4 | ACSC Campaign Cyber Defense | Boston, MA, USA
June 4-6 | Cyber:Secured Forum | Denver, CO, USA
June 3-6 | TechnoSecurity and Digital Forensics | Myrtle Beach, SC, USA
June 4-9 | SANS London | London, UK
June 5 | SecureWorld Chicago | Chicago, IL, USA
June 5-7 | Infosecurity Europe | London, UK
June 5-7 | 2018 NYS Cyber Security Conference | Albany, NY, USA

