Search Results for “Wired”


January 24, 2020
Andy Greenberg / Wired

Researchers at First Pwn2Own Event Focusing on Industrial Control Security Take Home $280,000, Incite Team Top Winner

Researchers who took part this week in the Zero Day Initiative’s Pwn2Own Miami hacking competition, held at the S4 industrial control system security conference and the first Pwn2Own to focus on industrial control systems, earned a total of $280,000 for exploits targeting ICS software and associated protocols. Participants were given three months to study the industrial control system software that would serve as the contest’s targets and to develop their techniques ahead of the competition. Over the three-day event, contestants successfully hacked every one of the eight ICS applications put before them, with as much as $25,000 on offer for exploiting a target to achieve remote code execution on the victim machine. The winner was the Incite Team, researchers Steven Seeley and Chris Anastasio, who earned a total of $80,000 for exploits targeting the Triangle Microworks SCADA Data Gateway, Inductive Automation Ignition, Rockwell Automation Studio 5000, the OPC Foundation’s OPC UA .NET Standard, and Iconics Genesis64.

November 23, 2015
Cyberkov

Official Statement Regarding Media Confusion on Cyberkov Journalist Cybersecurity Manual

For the past few days, many articles around the world have referenced an alleged ISIS OPSEC manual claimed to have been unearthed by Dr. Aaron Brantly and other researchers at the U.S. Military Academy’s Combating Terrorism Center at West Point. The first mention of this manual (and the most widespread so far) was Kim Zetter’s WIRED article (ISIS’ OPSEC Manual Reveals How It Handles Cybersecurity). The original claim was that this manual was written by ISIS as its cybersecurity policy for its fighters.

November 22, 2019
Lily Hay Newman / Wired

Massive Trove of Information on 1.2 Billion People Found Exposed on an Unsecured Server, Provides Rich Resource for Hackers to Impersonate or Hijack People’s Accounts

A trove of aggregated consumer data was sitting exposed and easily accessible on an unsecured server, comprising four terabytes of personal information and 1.2 billion records in all, dark web researcher Vinny Troia discovered. The data does not include sensitive information like passwords, credit card numbers, or Social Security numbers, but it does give hackers a rich resource for impersonating people or hijacking their accounts. It contains profiles of hundreds of millions of people that include home and cell phone numbers, associated social media profiles on Facebook, Twitter, LinkedIn, and GitHub, work histories seemingly scraped from LinkedIn, almost 50 million unique phone numbers, and 622 million unique email addresses. The IP address of the server holding the data traced only to Google Cloud Services, making it hard to determine the owner. Three of the data sets come from a San Francisco data broker called People Data Labs, which claims to have data on 1.5 billion people for sale. Another data set might belong to Wyoming-based data broker Oxydata, which claims to have 4 TB of data, including 380 million profiles on consumers and employees in 85 industries and 195 countries. Neither data broker claims to own the trove. Troia provided information from the trove to Troy Hunt, who added more than 622 million unique email addresses and other data to HaveIBeenPwned and is currently notifying its subscribers. Troia reported the exposure to contacts at the Federal Bureau of Investigation, and within a few hours someone pulled the server and the exposed data offline.

Related: Data Viper, Android Central, PYMNTS.com, PCMag.com, SC Magazine, CNET, Security Affairs, Daily Mail, Mashable, Solutions Review, Dark Reading, Reddit – cybersecurity, DataBreachToday.com, RT News, The Mac Observer

Tweets: @lilyhnewman @pseudohvr @vinnytroia @DataViperIO @gabsmashh @brysonbort

Data Viper: Personal And Social Information Of 1.2 Billion People Discovered In Massive Data Leak
Android Central : OnePlus security breach leaks emails, phone numbers and addresses
PYMNTS.com: Google Cloud Server Left A Billion Users’ Info Vulnerable
PCMag.com: Mysterious User Hoarded Records on 1.2B People Via Leaky Database
SC Magazine: Unsecured server exposes 4 billion records, 1.2 billion people | SC Media
CNET: 1.2 billion records exposed in unsecured database
Security Affairs: Personal and social information of 1.2B people exposed on an open Elasticsearch install
Daily Mail : Profiles of 1.2 billion people are discovered on the dark web in an unsecure server
Mashable: Absolutely humongous data breach exposes more than a billion records
Solutions Review: 1.2 Billion Records Exposed in Historic Server Leak: What We Know
Dark Reading: 1.2B Records Exposed in Massive Server Leak
Reddit – cybersecurity: 1.2 Billion records found exposed online in a single server.
DataBreachToday.com: Unsecured Server Exposed Records of 1.2 Billion: Researchers
RT News: 1.2 BILLION people’s data – including social media profiles and contact info – found on unsecured Google Cloud server
The Mac Observer: Database of 1.2 Billion Records Found With Scraped Data

@lilyhnewman: "Given the proliferation, just how much data is out there, somebody is going to find a way to exploit even the most mundane items of information” @pseudohvr
@pseudohvr: Excellent article from @WIRED’s @lilyhnewman . One of my big takeaways after chatting was to not sit idly by with a “meh, so what” attitude towards even small bits of information being leaked. It’s YOUR data. And it can be used against you.
@vinnytroia: Info on 1.2 Billion users exposed online. Includes personal info, @facebook, @Twitter and @LinkedIn profiles. https://wired.com/story/billion-records-exposed-online/ #databreach @DataViperIO
@DataViperIO: Read our official analysis on the 1.2 Billion exposed user records. https://dataviper.io/blog/2019/pdl-data-exposure-billion-people/ #databreach @vinnytroia @MayhemDayOne @troyhunt
@gabsmashh: sooo...a breach of compiled, already-publically-available data?
@brysonbort: So... someone discovered what we used to call... a phone book?


June 15, 2016
The Smoking Gun

Guccifer 2.0 Releases Hacked DNC Files to Show Up CrowdStrike

On the heels of yesterday’s top news that cybersecurity firm CrowdStrike had found sophisticated Russian hacking groups had infiltrated DNC servers, a hacker going by Guccifer 2.0 released some of those files, claiming to be a lone hacker who wanted to disprove CrowdStrike’s serious-sounding claims.


June 10, 2016
Kevin Collier and Vladi Vovcuk / Vocativ

Interviews with Tess88 and Peace, Hackers Behind Twitter, LinkedIn and Other Dumps

Vocativ and Wired’s Andy Greenberg have snagged interviews with Tess88 and Peace, Russian hackers who claim to be behind the massive data dumps of LinkedIn, Twitter, Instagram, Tumblr, Russia’s VK and other major login datasets.

December 20, 2015
Steve Ragan / CSO Online

Database leak exposes 3.3 million Hello Kitty fans

January 3, 2020
Andy Greenberg / Wired

Following Trump Administration’s Assassination of Soleimani, Iran Could Be Gearing Up to Launch Cyberattacks, Including Wiper Malware Attacks, Hacks of Industrial Control Systems

In the wake of the Trump Administration’s assassination of Iranian general Qasem Soleimani, military and cybersecurity analysts caution Iran’s response could include, among other possibilities, a wave of disruptive cyberattacks. Iran has been building up its cyberwar capabilities ever since a joint US-Israeli intelligence operation deployed the malware known as Stuxnet against the country’s Natanz uranium enrichment facility in 2008. The most likely form of cyberattack that Iran will deploy is one it has used against its neighbors in recent years – so-called wiper malware designed to destroy as many computers as possible inside target networks. Also, several cybersecurity experts have pointed out that Iran has been looking for points of ingress into potential targets in the US, including the Department of Energy and US National Labs, probes that might be for espionage but can equally be laying the groundwork for attacks. Other security experts say that Iran appears to be developing hacking abilities that could directly target industrial control systems.

Related: Bloomberg, Mother Jones, Defense One, Cyberscoop, SC Magazine, Ars Technica, Reddit – cybersecurity, CNBC, Tech Insider, Computer Business Review, BleepingComputer.com, New on MIT Technology Review, New York Times, AP Top News, PYMNTS.com, Washington Post, GlobalNews.ca, VICE News, Quartz, Telegraph, The Hill, Fifth Domain | Cyber, Pylos.co

Tweets: @a_greenberg @zackwhittaker @janelytv @CISAKrebs @Bing_Chris @bobgourley @joseph_azam @benhammersley @hackerfantastic @nxthompson @GossiTheDog @rickhholland @katefazzini @DHS_Wolf @langnergroup @quicktake @jfslowik

Bloomberg: Iran Is Big on Cyberwarfare. How Does That Work?
Mother Jones: Here’s What a Cyber Attack by Iran Might Look Like
Defense One: What’s Next for Iran’s Cyber Actors?
Cyberscoop: After U.S. kills Iranian general, analysts warn of Tehran’s ability to retaliate in cyberspace
SC Magazine: Soleimani killing will likely result in reprisal cyberattacks by Iran | SC Media
Law & Disorder – Ars Technica: Pick your poison: The potential Iranian responses to US drone strike
Reddit – cybersecurity: Iran’s ‘forceful revenge’ against the US is likely to include cyber warfare, and experts warn cyberattacks could bring US infrastructure to a grinding halt
CNBC: Iran has shown a talent for cyberattacks, and businesses may be a prime target for retaliation
Tech Insider: Iran’s ‘forceful revenge’ against the US is likely to include cyberwarfare, and experts warn that the attacks could be devastating
Computer Business Review: Top US Security Official: “Brush Up” on Hostile Online Iranian Tactics
BleepingComputer.com: U.S. Government Issues Warning About Possible Iranian Cyberattacks
New on MIT Technology Review: Iran may launch “destructive” cyberattacks against the US, experts warn
New York Times: Homeland Security Sees ‘No Specific, Credible Threat’ From Iran, but Warns of Cyberattacks
Associated Press: Iranian cyberattacks feared after killing of top general
PYMNTS.com: US Prepares For Potential Iranian Cyberattack
Washington Post: ‘A cyberattack should be expected’: U.S. strike on Iranian leader sparks fears of major digital disruption
GlobalNews.ca: In wake of Soleimani’s death, Iran could retaliate with cyberattacks: experts
VICE News: We Talked to Experts About Iran’s Cyberwar Capabilities
Quartz: Iran may retaliate with cyberattacks for Soleimani’s death
Telegraph : Qassim Soleimani: What are Iran’s cyber warfare capabilities? – Telegraph.co.uk
The Hill: Cybersecurity: US officials, lawmakers warn of potential Iranian cyberattacks
Fifth Domain | Cyber: ‘They’re going to want bloodshed’: 5 ways Iran could retaliate in cyberspace
Pylos.co: Assassination, Retaliation, and Implications

@a_greenberg: Ahead of counterattacks, reminder that Iran's hackers: > Targeted US orgs w/ phishing in 2019 as tensions rose, including DOE & national labs > Have been trying to breach industrial control system suppliers > Will likely use wiper malware as in years past
@zackwhittaker: After the death of Iran's Soleimani, FireEye's @JohnHultquist says anticipate an "uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment."
@janelytv: Iran is an extremely sophisticated disinformation actor. Here's fantastic research from @citizenlab on some of their tactics in the past:
@CISAKrebs: Given recent developments, re-upping our statement from the summer. Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://dhs.gov/news/2019/06/22/cisa-statement-iranian-cybersecurity-threats
@Bing_Chris: It’s difficult as an outside observer to predict what retaliation may look like. But the cyber angle makes some sense. Iran using ~existing access~ to cause damage against US infrastructure isn’t unheard of. We should keep an eye on Holmium/APT33...: https://wired.com/story/iran-apt33-industrial-control-systems/
@bobgourley: Not sure if the successful strike against Soleimani will mean any real increase in threats from Iran... they are already bad actors. But might be prudent to prepare for heavy seas. CEOs who have not met with their CSOs/CISOs in a while should probably set up a meeting.
@joseph_azam: I agree with this. What I hope the govt and the private sector understand is that vulnerabilities in systems are well-known, Iranian cyber actors have been attacking for years, and have likely been saving something in the tank to be able to respond to this sort of act.
@benhammersley: Silly bastards probably think the reaction will only be kinetic. This time next week, APT33, MRSCO, N3O and all their friends - who all read Burning Chrome when you did - will be releasing the tax returns, and flicking the eastern seaboard power grid on and off.
@hackerfantastic: ICYMI: for over a year in the run up to US act in Iran, some hackers were actively leaking information from APT34 over telegram, presumed to be Russia or US - they took issue with @ESET after they supplied EDR to the regime which disrupted a malware attack (ICS related).
@nxthompson: Cyber-attacks are a way that weak states can take on strong ones. And Iran has been preparing its cyberwarfare teams for a while. Here's how they will likely attack us first.
@GossiTheDog: Re Iran - for a vast majority of orgs (like 99.99%) you’re more likely to get owned by a Word macro while having a meeting to talk about Iran.
@rickhholland: Now is not the time to ZOMG CYBER IRAN! Look at your threat model. How do Iranian actors fit into it? How do Iranian interests intersect your business? How has historic Iranian targeting related to your business? When did u last update your threat model? Do u have a threat model?
@katefazzini: I joined Closing Bell to discuss Iran and the possibility of cyber retaliation.
@DHS_Wolf: At this time there is no specific, credible threat against the homeland. DHS operational components are implementing measures to enhance homeland security within their authorities and mission sets when necessary and prudent.
@langnergroup: "The country has spent years building the capability to execute not only the mass-destruction of computers but potentially more advanced—albeit far less likely—attacks on Western critical infrastructure like power grids and water systems." -- Years spent without any success.
@quicktake: Retired Admiral James Stavridis tells @BloombergTV Iran is capable of launching "a significant cyber-attack" in response to the U.S. airstrike
@jfslowik: Detailed thoughts on the #Suleimani event, its implications for #infosec, and how the game of judging your adversary's responses may mean we see less "action" than many are predicting:


July 10, 2019
Lily Hay Newman / Wired

Zoom Reverses Course and Pushes Out Patch to Plug Security Hole That Turned on Mac Users’ Cameras

Videoconferencing service Zoom has reversed course and pushed out a patch that eliminates a security hole allowing websites to turn on Zoom for Mac users’ cameras without their permission. When security researcher Jonathan Leitschuh disclosed the bug, Zoom initially said only that it would adjust the setting that turns a user’s video on by default when joining a call, a response that satisfied few critics. The just-issued patch removes the local web server that the Zoom client installed on users’ Macs to bypass Safari’s confirmation prompt and allow instant meeting joins; because that server accepted requests from any web page the user visited, it could be used to pull the user into a meeting with the camera on.
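The mechanism at issue, as an added example that is not Zoom’s code and is not taken from the article: a web server listening on localhost that acts on any unauthenticated GET can be driven by a page on any origin through the user’s own browser, which is the Safari prompt bypass described above. Zoom’s fix was to remove the server outright; for a listener that has to stay, the hardened class shows the minimum checks such an endpoint needs. The /launch path, the action and confno parameters and the X-Local-Token header are names chosen for this example, not Zoom’s.

```python
"""Added example, not Zoom's code: the pattern behind the Zoom finding, a localhost web
server that acts on any unauthenticated GET, beside a hardened version of the same
endpoint.  The /launch path, the action/confno parameters and the X-Local-Token header
are illustrative names chosen for this example."""
import secrets
from urllib.parse import parse_qs, urlparse

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_launch_request(target):
    """Split a request target such as /launch?action=join&confno=123 into path and query."""
    url = urlparse(target)
    return url.path, {k: v[0] for k, v in parse_qs(url.query).items()}


def vulnerable_handler(method, target, headers):
    """Any GET to the local listener joins the meeting, no questions asked.

    A page on any origin can trigger this with <img src="http://localhost:PORT/launch?...">:
    the browser fetches it like an ordinary image, with no CORS preflight and no Origin
    header for that kind of request, and the user never sees the "open this app?" prompt
    the listener was installed to avoid.
    """
    path, query = parse_launch_request(target)
    if method == "GET" and path == "/launch" and query.get("action") == "join":
        return 200, "joined meeting " + query.get("confno", "")
    return 404, None


class HardenedHandler:
    """Same endpoint, reachable only by a local client that holds a per-install secret.

    Three checks, in order of how much they are worth:
    1. A random token, stored where only the local user can read it (modelled in memory
       here; on disk it would be a 0600 file), must accompany every request.  A web page
       on another origin cannot read that file, so it cannot forge the request.
    2. Only POST changes state, so an <img> or <script> tag cannot trigger it.
    3. A non-local Origin header is refused.  Browsers omit Origin on some cross-site
       requests, so this is defence in depth, not the primary control.
    """

    def __init__(self):
        self.token = secrets.token_urlsafe(32)

    def handle(self, method, target, headers):
        origin = headers.get("Origin")
        if origin is not None and urlparse(origin).hostname not in LOCAL_HOSTS:
            return 403, None
        if method != "POST":
            return 405, None
        if not secrets.compare_digest(headers.get("X-Local-Token", ""), self.token):
            return 401, None
        path, query = parse_launch_request(target)
        if path == "/launch" and query.get("action") == "join":
            return 200, "joined meeting " + query.get("confno", "")
        return 404, None


if __name__ == "__main__":
    # Simulate the cross-site trigger: a GET arriving from a page the victim merely visited.
    attacker = {"Referer": "https://attacker.example/"}
    print("vulnerable:", vulnerable_handler("GET", "/launch?action=join&confno=123", attacker))
    h = HardenedHandler()
    print("hardened, same request:", h.handle("GET", "/launch?action=join&confno=123", attacker))
    print("hardened, local client:", h.handle("POST", "/launch?action=join&confno=123",
                                              {"X-Local-Token": h.token}))
```

The design point is that a localhost listener is inside the browser’s reach, not behind it: anything a visited page can make the browser request, it can make the listener do, so the listener has to authenticate the caller with something a web page cannot obtain. The same applies to the other conferencing clients’ local ports mentioned in the tweets below.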

Related: Sensors Tech Forum, TechNadu, BetaNews, Forbes, Full Disclosure, TechRepublic, TIME, AppleInsider, Six Colors, Cyberscoop, iTnews – Security, Mashable, 9to5Mac, BuzzFeed – Tech, Lorenzo Franceschi-Bicchierai – VICE, Security Affairs, Boing Boing, Quartz, VICE News, iMore, Tech Insider, The Verge, WCCFtech, Trusted Reviews, Fortune, How-To Geek, SecurityWeek, PCMag.com, Engadget, Macworld, HackRead, The Register – Security, Verdict, Dark Reading: Attacks/Breaches, Silicon Republic, Homeland Security Today, Vox, MacRumors, Packt Hub, Zoom Blog, TechCrunch

Tweets: @campuscodi @gcluley @zackwhittaker @gossithedog

Sensors Tech Forum: CVE-2019-13450: Dangerous Zero-Day in Mac Zoom Client
TechNadu: Zero Day Vulnerability Discovered in the Mac Zoom Client
Beta News : Zoom for Mac has a security hole that means your webcam could be turned on without permission
Forbes: Zoom Security Flaw Exposes Webcam Hijack Risk — Change Settings Now
Full Disclosure: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
TechRepublic: How to secure your Zoom conference line from hackers
TIME: A Flaw in Teleconferencing App Zoom Could Have Let Hackers Access Your Webcam. Here’s How to Fix it
AppleInsider: Zoom to patch flaw that enabled access to Mac webcams
Six Colors: Zoom videoconferencing app contains major vulnerability
Cyberscoop : Zoom flaw could enable hackers to activate Mac webcams without permission
iTnews – Security: Zoom.us flaw forces users onto video and audio calls
Mashable: Security flaw in Zoom allows website to turn on your Mac’s camera without consent
9to5Mac: [Update: Zoom responds] Major Zoom vulnerability could allow websites to hijack your Mac’s webcam
BuzzFeed – Tech: There’s A Major Security Vulnerability In Zoom’s Desktop App. The Company Said It’s A Feature, Not A Flaw.
Lorenzo Franceschi-Bicchierai – VICE: How To Remove Zoom From Your Mac
Security Affairs: Flaw in Zoom video conferencing software lets sites take over webcam on Mac
Boing Boing: Zoom has slow-walked a fix for a bug that allows randos to take over your Mac’s camera
Quartz: Zoom has a security flaw that could let attackers view your Mac webcam
VICE News: Zoom Vulnerability Lets Hackers Hijack Your Webcam
iMore: Zoom vulnerability lets websites access your Mac’s camera
Tech Insider: A flaw in video conferencing tool Zoom is leaving Apple Mac users’ webcams vulnerable to being hijacked (ZM)
The Verge: Zoom fixes major Mac webcam security flaw with emergency patch
WCCFtech: Zoom Hack Lets Attackers Access Mac’s Webcam, Affects 4 Million Users
Trusted Reviews: Zoom security vulnerability could let sites hijack your Mac’s webcam
Fortune: Zoom Vulnerability on Mac Lets Anyone Instantly Turn on Your Webcam. Here’s the Fix
How-To Geek: Zoom Lets Websites Start Filming You Without Your Consent, Even on Windows
How-To Geek: Daily News Roundup: Mac Exploit Activates Webcams Without Your Permission
Inc : Zoom Has a Major Security Flaw That Could Let Websites Literally Spy on You
SecurityWeek: Vulnerability Gives Attackers Remote Access to Zoom Users’ Cameras
PCMag.com: Zoom App Can Let Hackers Spy on Mac Users Via Webcams
Engadget: A flaw in Zoom’s Mac app may have let attackers hijack webcams
Macworld: Zoom Mac app flaw sparks serious security concerns—and it’s up to you to fix it
Techcentral : Zoom teleconferencing app flaw leaves webcams open to hijacking
HackRead: Vulnerability in Zoom video conference app lets Mac’s camera hijacking
Digital Trends : Zoom flaw lets websites launch video calls without permission on Macs
Daily Mail : ‘Zoom’ app on Mac exposes users to having their webcam hijacked
The Register – Security: Anyone for unintended Chat Roulette? Zoom installs hidden Mac web server to allow auto-join video conferencing
Naked Security : Zoom flaw could force you into a meeting, expose your video feed
WIRED: A Zoom Flaw Gives Hackers Easy Access to Your Webcam
IT World : Mac client of Zoom video conferencing has serious bug, warns researcher
Verdict: Critical Zoom vulnerability underlines need for webcam covers “at all times”
Dark Reading: Attacks/Breaches: Zoom Client for Mac Exposing Users to Serious Risks
Silicon Republic: Vulnerability in Zoom could allow websites to hijack Mac webcams
Homeland Security Today: Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras
Vox: Hackers can hijack your Mac webcam with Zoom. Here’s how to prevent it.
MacRumors: Serious Vulnerability in Zoom Video Conference App Could Let Websites Hijack Mac Webcams
Packt Hub: A zero-day vulnerability on Mac Zoom Client allows hackers to enable users’ camera, leaving 750k companies exposed
Zoom Blog: Response to Video-On Concern
Techcrunch: Zoom patches Mac client after flaw allowed websites to turn on webcams without permission

@campuscodi: This is a video PoC that someone put together for this report, from yesterday:
@gcluley: r/t Zoom Mac flaw allows webcams to be hijacked - because the developers wanted to save you a click. Sheesh. https://www.grahamcluley.com/zoom-mac-flaw-allows-webcams-to-be-hijacked-because-they-wanted-to-save-you-a-click/ …
@zackwhittaker: After yesterday's ruckus, Zoom has patched its Mac video conferencing client to remove a rogue web server that allowed any website to join a video call without permission. Here's our updated story.
@gossithedog: Re the Zoom thing, other web conferencing vendors with similar issues on Mac - BlueJeans opens a webserver on port 18171, RingCentral on port 19424, both allow launching of meetings via localhost as browser permissions bypass. Still looking at WebEx.


April 3, 2019
Issie Lapowsky / Wired

Researchers Found Exposed Personal Data in 540 Million Facebook User Records Left Unprotected on Cloud Servers

Researchers at security firm UpGuard found two troves of Facebook user data sitting unprotected in Amazon S3 storage, exposing 146 gigabytes of data and 540 million records containing names, passwords, comments, interests, and likes. The larger database belonged to a Mexican media company called Cultura Colectiva, which stored around 146 gigabytes of data, including 540 million individual records, on Amazon cloud servers; despite UpGuard warning Cultura Colectiva in early January, the dataset wasn’t secured until today. The other database belonged to an app called At the Pool and contained plaintext passwords for 22,000 users, presumably for the At the Pool app rather than for Facebook itself. Facebook said it is continuing to assess the extent of the information that was available and how people might have been impacted.
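As an added example (not UpGuard’s scanner and not code from the page), the check below decides from a bucket’s ACL and bucket policy whether anyone on the internet can read its objects, which is the misconfiguration class behind exposures like these. The two sample buckets are constructed to mirror the JSON shape of the AWS get-bucket-acl and get-bucket-policy responses; whether the two buckets in the story were opened by an ACL, a policy, or both is not stated on the page.

```python
"""Added example, not UpGuard's or Facebook's code: decide from an S3 bucket's ACL and
bucket policy whether anyone on the internet can read its objects.  The two sample
buckets are constructed to mirror the JSON shape of `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy --query Policy` output; account IDs and ARNs are made up."""
import json

# Grantee URIs that mean "everyone" (AllUsers) or "any AWS account" (AuthenticatedUsers,
# which is effectively public because anyone can create an AWS account).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject"}


def _as_list(value):
    """IAM JSON allows a string or a list in Principal, Action and Statement fields."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return ACL grants that give read access to a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in READ_PERMISSIONS):
            hits.append(grant)
    return hits


def public_policy_statements(policy):
    """Return Allow statements that let Principal '*' read objects with no Condition.

    A Condition (aws:SourceIp, aws:SourceVpce, ...) may still leave a bucket open; a
    production scanner evaluates it, this example simply does not count it as public.
    """
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        principal = st.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if anyone and actions & READ_ACTIONS:
            hits.append(st)
    return hits


def is_public(acl, policy):
    """True if either the ACL or the bucket policy exposes object reads to the world."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))


# Constructed sample data, shaped like the AWS API responses.
OPEN_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}
  ]}""")
PRIVATE_ACL = json.loads("""{
  "Owner": {"ID": "owner-canonical-id"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
  ]}""")
OPEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]}""")


if __name__ == "__main__":
    for name, acl, policy in (("open", OPEN_ACL, OPEN_POLICY), ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(f"{name}: public={is_public(acl, policy)}")
```

In practice the ACL and policy come from the API per bucket, and the check is run across every bucket in every account, because the weakest one is the one that leaks; AWS’s account-level Block Public Access setting removes the need to get this right bucket by bucket.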

Related: Appuals.com, Wired, Stars and Stripes, Slashdot, Reuters, Daring Fireball, Channel News Asia, Threatpost, Daily Mail, NBC News Top Stories, BleepingComputer.com, CNBC Technology, iPhone Hacks, Engadget, ZDNet Security, The Hill: Cybersecurity, Motherboard, Mashable, Upguard, Daily Dot, Ad Week, The Verge, Zero Hedge, Boing Boing, DigitalMunition, Axios, Softpedia News, Gizmodo, TIME, TechCrunch, LA Daily News, MacRumors, Tech Insider

Wired: Third-Party Apps Exposed Over 540 Million Facebook Records
Stars and Stripes: Millions of sensitive Facebook user records were left exposed, security researchers say
Slashdot : Millions of Facebook Records Found on Amazon Cloud Servers
Reuters: Millions of Facebook records found on Amazon cloud servers: UpGuard
Daring Fireball: Millions of Facebook Records Found on Amazon Cloud Servers
Channel News Asia: Millions of Facebook records found on Amazon cloud servers: UpGuard
Threatpost: Facebook Data of Millions Exposed in Leaky Datasets
Daily Mail : Facebook left hundreds of MILLIONS of users’ data exposed on Amazon’s cloud servers, report claims
NBC News Top Stories: Researchers find data for millions of Facebook users exposed on the internet
BleepingComputer.com: 540 Mllion Facebook Records Leaked by Public Amazon S3 Buckets
CNBC Technology: Facebook dips on report that user records were exposed on Amazon cloud servers
iPhone Hacks: Facebook Revealed to Have Exposed Millions of Private Records on Amazon Servers
Engadget: Third-party errors left over 540 million Facebook records exposed
ZDNet Security: Over 540 million Facebook records found on exposed AWS servers
The Hill: Cybersecurity: Hundreds of millions of Facebook user records were exposed, researchers find
Motherboard: App Developers Left 540 Million Facebook Users’ Records on the Public Internet
Mashable: Report: Millions of Facebook user records, including plain text passwords, left exposed online
Upguard: Losing Face: Two More Cases of Third-Party Facebook App Data Exposure
Daily Dot: Facebook’s new sign-up feature resembles a phishing attack
Ad Week: Security Firm Finds Millions of Facebook Data Files Were Stored on Amazon’s Public Cloud Servers
The Verge: Facebook app developers leaked millions of user records on cloud servers, researchers say
Zero Hedge: Millions Of Facebook Records Found On Amazon Cloud Servers
Boing Boing: 540 million Facebook users’ data exposed by third party developers
DigitalMunition: Millions of Facebook records found on Amazon cloud servers: UpGuard
Axios: Facebook data found on publicly accessible Amazon servers
Softpedia News: Over 540 Million Facebook User Records Were Found on Amazon Cloud Servers
Gizmodo: 540 Million Facebook User Records Exposed Online, Plus Passwords, Comments, and More
TIME: Millions of Facebook Users’ Personal Info Was Posted Publicly On Amazon Servers
TechCrunch: Researchers find 540 million Facebook user records on exposed servers
LA Daily News: 540 million of Facebook records found on Amazon cloud servers
MacRumors: Facebook Exposes Millions of Records on Amazon Cloud Servers
Tech Insider: 540 million Facebook user records were left exposed by app developers (FB)
The Sun: Facebook ‘left HALF A BILLION users’ private data exposed on Amazon’s cloud servers in latest security breach’


December 14, 2018
Brian Barrett / Wired

Facebook Flaw Exposed Photos of 6.8 Million Users to Developers Whether the Photos Were Shared or Not

Facebook disclosed the latest in a series of user privacy and security lapses, announcing that for two weeks in September a bug let third-party developers view the photos of up to 6.8 million Facebook users, whether or not those users had shared them. The bug may have affected people who used Facebook Login and granted third-party apps permission to access their photos; up to 1,500 apps from 876 developers potentially had access to private photos, the company said. Facebook will notify affected users and in the meantime has posted a page where users can check whether they were affected. The permission was supposed to cover only photos users had shared on their timelines, but the flaw allowed developers to access photos shared to other areas of Facebook, including Marketplace and Stories, as well as photos uploaded to Facebook but never shared at all. The bug was found on September 13 and fixed on September 25.

Related: Facebook, Facebook, CNET, Engadget, Reuters, 9to5Mac, BleepingComputer.com, Threatpost, VentureBeat, GeekWire, ZDNet Security, TechCrunch, Mashable, Tech Insider, MobileSyrup.com, Cyberscoop, The Verge, WCCFtech, Android Authority, Recode, Axios, The Sun, Techaeris, Slate Articles, ET news, Big News Network, The Inquisitr News, Channel News Asia, ETTelecom.com, BuzzFeed News, SlashGear, iMore, The Next Web, Ars Technica UK, BGR, CERT-EU, Washington Examiner, PCMag.com, The Guardian, TechSpot, TechJuice, Techradar, Voice of America, Boing Boing, Metro – Latest News, Cyber Kendra, fossBytes, HackRead, Japan Times, WIRED, AppleInsider, Phys.org, Star Tribune, CBC, The Register – Security, Investor’s Business Daily, PYMNTS.com, The Drum, Quartz, The Hacker News, Slashdot, WRAL Tech Wire, [H]ardOCP News, Appuals.com, GBHackers On Security, Reddit-hacking, SecurityWeek, Pocket-lint

Facebook: Notifying our Developer Ecosystem about a Photo API Bug
Facebook: Important information about your photos on Facebook
CNET: Facebook discloses bug that exposed 6.8 million people’s photos
Engadget: Facebook bug let apps access unposted photos for millions of users
Reuters: New Facebook bug exposed photos of up to 6.8 million users
9to5Mac: Facebook admits unshared photos from 6.8 million users affected by latest privacy flaw
BleepingComputer.com: Facebook Photo API Bug Exposed Pics of Up to 6.8 Million Users
Threatpost: Facebook Flaw Exposes Private Photos for 6.8M Users
VentureBeat: Facebook reveals API bug that exposed extra photos to third-party apps
GeekWire: Uploaded a photo to Facebook but didn’t post it? It may have been shared with other apps anyway
ZDNet Security: Facebook bug exposed private photos of 6.8 million users
TechCrunch: Facebook bug exposed up to 6.8M users’ unposted photos to apps
Mashable: Facebook bug gave developers access to photos you never meant to share
Tech Insider: Facebook’s latest privacy scandal: The private photos of millions of users were accidentally shared with 1,500 apps (FB)
MobileSyrup.com: Facebook bug potentially exposed photos of 6.8 million users to developers
Cyberscoop: Facebook bug gave developers access to private photos of 6.8 million users
The Verge: Facebook exposed up to 6.8 million users’ private photos to developers in latest leak
WCCFtech: Facebook Admits to Storing Your Never-Posted Photos; Data of 6.8 Million Users Exposed to Third Party Apps
Android Authority: Facebook bug may have exposed your private photos to the wider web
Recode: Another Facebook bug may have exposed millions of users’ private photos to app developers
Axios: Facebook bug exposed photos for up to 6.8 million users
The Sun: Facebook exposed private UNPOSTED photos from your phone – how to check if you were affected
Techaeris: Facebook API bug might have exposed 6.8 million users private photos to developers
Fortune: Facebook Discovers New Security Flaw Affecting Up to 6.8 Million Users
Slate Articles: Inside Facebook’s One-Day “Privacy Shop”
ET news: Facebook talks privacy and data over free hot chocolate at pop-up event in NYC
Big News Network: At a New York Privacy Pop-Up, Facebook Sells Itself
The Verge: Facebook’s New York privacy pop-up was small, weird, and filled with sugar
The Inquisitr News: Facebook Could Face Billions Of Dollars In Fines For Failing To Protect User Privacy
Channel News Asia: Facebook discovers bug that may have affected up to 6.8 million users
ETTelecom.com: Facebook’s lead EU regulator opens probe into data breach
BuzzFeed News: Why, After 2018’s Privacy Scandals, Does Facebook Deserve Our Data?
SlashGear: Facebook API bug exposed photos of millions of users
iMore: If you need Facebook but not your data leaked, you can remove your info!
The Next Web: How numb are we to Facebook’s fuck-ups at this point?
Ars Technica UK: “We’re sorry,” Facebook says, again—new photo bug affects millions
BGR: 7 paid iPhone apps you can download for free on December 14th
Washington Examiner: Facebook’s photo-exposing bug may heighten congressional scrutiny
PCMag.com: Facebook Photo API Bug Exposes Up to 6.8M Users’ Private Photos
The Guardian: Facebook’s privacy problems: a roundup
TechSpot: Facebook bug let apps access millions of unauthorized photos
TechJuice: Facebook’s latest leak exposed 6.8 million users’ private photos to developers
Techradar: Facebook’s latest app data bug exposed the private photos of 6.8m users
Voice of America: Facebook Flaw May Have Exposed Private Photos
Boing Boing: Facebook gave third party developers access to 6.8 million users’ private photos
Metro – Latest News: New Facebook bug exposed private photos of 6.8 million, company says
Cyber Kendra: Facebook API Bug Leaks Photos of 6.8 Million Users
fossBytes: Facebook Hit By Another Security Breach; 6.8 Million Users’ Photos Exposed
HackRead : Facebook bug exposed private photos of 6.8M users to third-party developers
Japan Times: Bug may have exposed photos from 7 million Facebook users
WIRED: Facebook Exposed 6.8 Million Users’ Photos to Cap Off a Terrible 2018
Apple Insider : Facebook says bug may have briefly exposed photos of 6.8 million app users
Phys.org : Irish data authority probes Facebook photo breach
Star Tribune: Bug may have exposed photos from 7M Facebook users
CBC : Millions of Facebook users may have had their photos exposed due to privacy flaw
The Register – Security: Stop us if you’ve heard this one: Facebook apologizes for bug leaking private photos
Investor’s Business Daily: Facebook Software Bug Allowed Apps To Access Private Photos
PYMNTS.com: Facebook: API Bug May Have Exposed 6.8 Million Users’ Photos
The Drum: Facebook apologizes after photo bug exposed photos of millions of users
Quartz: Oh look, another Facebook data leak!
The Hacker News: New Facebook Bug Exposed 6.8 Million Users Photos to Third-Party Apps
Slashdot: Facebook Says A Bug May Have Exposed The Unposted Photos Of Millions Of Users
WRAL Tech Wire: Facebook says bug may have exposed photos on 7M users
[H]ardOCP News: Facebook Reveals Photo API Bug
Appuals.com: Facebook Has Another Slip Up, Exposes Millions of Private Photos to Third-Party Devs
GBHackers On Security: A New Facebook Bug May have been Exposed 6.8 Million Users Private Photos
Reddit-hacking: Facebook’s latest bug affects 6.8 Million User Photos!
SecurityWeek: Photos of 6.8 Million Facebook Users Exposed by API Bug
Pocket-lint: Another Facebook privacy scandal: devs had access to the photos of 6.8 million users