At Least No One Was Wearing a Hoodie…

Is there a screen trope simultaneously more loved and reviled than real-time hacking? Not a chance. From the early 1980s, movies and TV shows have developed a seemingly endless appetite for scrolling gibberish, 3D interfaces, pop-up windows, and other kinds of eye candy that scream L33T H4X0R ATTEMPT UNDERWAY. But now, on the latest episode of Technique Critique, security researcher Samy Kamkar blazes a trail of destruction through the chicanery, diagnosing what each famous sequence gets right—or, as is much more likely, wrong.

Peter Rubin in Wired recapping Samy Kamkar’s latest and always amusing video take-down of how Hollywood depicts hacking.

43 mins ago

Magecart Card Skimming Malware Removed From Infowars’ Online Store, 1,600 Customers Possibly Affected

Magecart card skimming malware was removed from the conspiracy theory website Infowars’ online store after it was spotted there by Dutch security researcher Willem de Groot and subsequently reported to the site by ZDNet. Infowars owner Alex Jones told ZDNet that “only 1,600 customers may have been affected,” but the number may be even smaller as some of these customers placed re-orders. De Groot discovered the malware using a scanner he built to detect vulnerabilities and malware on online stores built on top of the Magento e-commerce platform. The Infowars infection lasted less than a day. (ZDNet)
1 hour ago
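A store operator's first line of defence against this kind of skimmer injection is knowing which hosts are allowed to serve JavaScript on checkout pages and alerting on anything else. The following is an added illustration, not de Groot's scanner or any code from the article: it parses a storefront page with Python's standard-library `html.parser`, lists every external `<script src>` whose host is not on a constructed allowlist, and flags inline scripts that embed URLs pointing off-allowlist. The allowlist hosts, the sample page and the `.example` / `.example.net` domains in it are all constructed for the example.

```python
"""Allowlist audit of script sources on a storefront page (added example, not the
scanner described in the article). Run stand-alone: python3 script_audit.py"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the store operator has approved to serve JavaScript (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}

# Absolute http(s) URLs inside inline script bodies.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")


class ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of each external script
        self.inline = []        # text of each inline script
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content via handle_data (CDATA mode).
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def host_of(url):
    """Lower-cased hostname of a URL; '' for relative (same-origin) references."""
    return (urlparse(url).hostname or "").lower()


def audit_page(html, allowed=ALLOWED_SCRIPT_HOSTS):
    """Return (finding_type, url) pairs for script sources outside the allowlist.
    Relative script paths are treated as same-origin and not reported."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = host_of(src)
        if host and host not in allowed:
            findings.append(("external-script", src))
    for body in parser.inline:
        for url in URL_RE.findall(body):
            if host_of(url) not in allowed:
                findings.append(("inline-script-url", url))
    return findings


# Constructed checkout page: two approved scripts, one unknown third-party script,
# and an inline block that references an off-allowlist endpoint.
SAMPLE_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor/jquery.js"></script>
<script src="https://static-assets.example.net/m.js"></script>
<script>
  // constructed inline block that points somewhere off-site
  window.__cfg = {endpoint: "https://telemetry.example.net/collect"};
</script>
</head><body>checkout form here</body></html>"""

if __name__ == "__main__":
    for kind, url in audit_page(SAMPLE_PAGE):
        print(f"{kind}: {url}")
```

Run periodically against the live checkout page (or against the page source stored in version control) and diff the findings over time; a new host appearing in the list is the signal worth paging on, since the Infowars infection above lasted less than a day and would be missed by a weekly review.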

DHS’ Main Cybersecurity Unit to Become the Cybersecurity and Infrastructure Security Agency, Krebs to Become New Agency Director

The U.S. House of Representatives unanimously passed a bill to establish a new cybersecurity agency, known as the Cybersecurity and Infrastructure Security Agency (CISA), with the same stature as other units within DHS, such as the Secret Service or FEMA, by rebranding DHS’ main cybersecurity unit, the National Protection and Programs Directorate (NPPD). The legislation already passed the Senate and now heads to Donald Trump’s desk for his signature. NPPD’s top cyber official, Christopher Krebs, becomes the new cyber agency’s director. (The Hill)
1 hour ago

Cathay Pacific Facing ‘Most Serious’ Crisis in Its History Over Data Breach, 27 Regulators Investigating Across 15 Jurisdictions, Hong Kong Lawmakers Call Airline ‘Pathetic’

Cathay Pacific Airways said it is facing one of the ‘most serious’ crises in its history, according to Chairman John Slosar as the airline revealed it was being questioned by 27 regulators from 15 jurisdictions over a data breach that has affected 9.4 million passengers. The admission of the depths of the hacking problem came after the airline’s executives underwent a grilling in the Hong Kong legislature. The executives told the lawmakers that 245,000 Hong Kong identity card holders and 55,000 passport holders in the city had been affected. Lawmakers called Cathay “pathetic” and accused the airline of covering up the breach because it waited seven months between March when the breach occurred and October 24 when the breach was announced, during which interval the airline admitted it was battling the breach. Cathay may also be subject to punishing fines by the EU under the GDPR regulations adopted in May, which could require the company to pay up to 4% of its revenues in fines for the delay in reporting the breach. (South China Morning Post)
2 hours ago

Google Expands Project Fi’s VPN Service to Cellular Connections Over ‘Enhanced Network’

Google’s Project Fi wireless service now offers an optional always-on VPN service and a smarter way to switch between Wi-Fi and cellular connections over its “enhanced network.” Fi already offers VPN service to users connected over Wi-Fi but now it is extending that option to cellular connections, with traffic encrypted over every connection. The VPN also shields users’ traffic from Google itself and isn’t tied to Google accounts or phone numbers. The enhanced network also allows for faster connections. (TechCrunch)
3 hours ago

Patch Tuesday: Microsoft Issues 63 Patches, Including Two for Zero-Day Flaws, Adobe Releases Fixes For Top Products

Microsoft and Adobe have issued security updates for November, with Microsoft issuing 62 patches, including two for zero-day flaws. The first Microsoft zero-day fix is for a vulnerability tracked as CVE-2018-8589, a Win32k elevation of privilege bug that is already being targeted in the wild. Microsoft credited Kaspersky Lab for finding that flaw, which is being exploited by multiple APT groups. The other zero-day affects the Windows Data Sharing Service (dssvc.dll), which was discovered by a researcher who uses the pseudonym Sandboxer, who disclosed the flaw on Twitter. Adobe issued patches for its Flash Player, Acrobat and Reader and Photoshop CC. (ZDNet)
15 hours ago

Target, Google’s G-Suite Twitter Accounts Hacked to Promote Bitcoin Giveaway Scams, Twitter Says It’s Implementing Measures to Stop These Hacks

Retailer Target’s Twitter account was hacked to promote Bitcoin giveaway scams, the latest in a series of such hacks that have ensnared high-profile figures and accounts. Twitter confirmed that the account was hacked for about a half hour before the phony scam was removed. Shortly after the Target account was hacked, Google’s official G Suite Twitter account was also hacked to promote Bitcoin giveaway scams. The G-Suite account hack lasted at least eleven minutes. Twitter says it has implemented measures to counteract the spread of Bitcoin scams on its platform. However, Twitter made a similar statement after banning accounts that used the name “Elon Musk” in Bitcoin give-away scams, and months later the Elon Musk scams continue. (The Next Web)
15 hours ago

XM Cyber, Israeli APT Remediation Start-Up Founded by Former Mossad Head, Raises $22 Million in Series A Venture Funding Round

Israeli APT threat simulation and remediation start-up XM Cyber has raised $22 million in a Series A funding round, with Macquarie Capital, Our Innovation Fund, LP, UST Global, Nasdaq Ventures and others participating in the funding. XM Cyber was founded by former Mossad director Tamir Pardo and other leading figures from the Israeli intelligence community. XM Cyber’s HaXM Advanced Persistent Threat (APT) simulation and remediation platform aims to continuously expose attack vectors that are unprotected by existing measures. (Jerusalem Post)
15 hours ago

Cloud Security Provider Netskope Raises $169 Million in New Venture Funding Round, Valuation Tops $1 Billion

Security firm Netskope has raised $169 million in a Series F round of venture capital funding, pushing it into the “unicorn” class of start-ups that have private valuations of $1 billion or more. Lightspeed Venture Partners, an existing investor that controls two Netskope board seats, and other existing investors, including Accel, Geodesic Capital, Iconiq Capital, Sapphire Ventures, and Social Capital, re-upped their investments in the latest round of funding. Base Partners, a new investor, joined the round as well. (Fortune)
19 hours ago

Hackers Are Exploiting Critical Flaw in Popular WordPress GDPR Compliance Plug-In

Hackers are exploiting a now-patched zero-day vulnerability in a popular WordPress plugin, WP GDPR Compliance, to install backdoors and take over sites. The plug-in helps site owners become GDPR-compliant and has over 100,000 active installs. Despite the patches, the attacks continue because the attackers are targeting a WP GDPR Compliance bug that allows them to make a call to one of the plugin’s internal functions and change settings not only for the plugin but also for the entire WordPress CMS. The attackers don’t appear to be doing anything malicious with the hacked sites and appear to be simply stockpiling them. (ZDNet)
22 hours ago

Now-Patched Facebook Cross-Site Request Forgery Flaw Could Have Exposed Private Information of Users and Their Friends

A Facebook vulnerability, now patched, could have exposed private information about users and their friends, Ron Masas, a security researcher at Imperva, found. The flaw stemmed from the fact that Facebook search results weren’t properly protected from cross-site request forgery (CSRF) attacks, allowing websites to siphon off certain data from any user’s logged-in Facebook profile in another tab. Imperva privately disclosed the bug in May. Facebook fixed the bug days later by adding CSRF protections and paid out $8,000 in two separate bug bounties. (TechCrunch)
22 hours ago
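The underlying problem in the Facebook item is that the browser attaches the victim's session cookie to a request no matter which site triggered it, so the server must check for itself that the request came from its own pages. The block below is an added example, not Facebook's fix or code from the article: a server-side check in plain Python that accepts a request only when its `Origin` (or, failing that, `Referer`) header matches a trusted origin and the submitted anti-CSRF token matches the one stored in the session, compared in constant time. The trusted origin `https://app.example`, the `session` dict and the constructed request headers are all assumptions made for the example; a real application would pair this with `SameSite` cookies.

```python
"""Server-side CSRF check (added example; not Facebook's implementation).
Run stand-alone: python3 csrf_check.py"""
import hmac
import secrets
from urllib.parse import urlparse

# Origins that may issue authenticated requests to this app (constructed).
TRUSTED_ORIGINS = {"https://app.example"}


def issue_csrf_token(session):
    """Mint a fresh random token, store it in the server-side session, and return it
    so the app can embed it in its own forms and fetch() calls."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_is_trusted(headers):
    """True if the request's Origin header (or the Referer's origin, as a fallback
    for browsers that omit Origin on some requests) is one of ours.
    A request with neither header is rejected: 'unknown' is not 'trusted'."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in TRUSTED_ORIGINS


def request_is_legitimate(headers, session, submitted_token):
    """Combine the origin check with the synchronizer-token check.
    The token comparison uses hmac.compare_digest to avoid timing leaks."""
    if not origin_is_trusted(headers):
        return False
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


def demo():
    """Constructed scenario: one legitimate request, one forged from another tab."""
    session = {}
    token = issue_csrf_token(session)

    # Request issued by our own page: correct Origin and the session's token.
    own = {"Origin": "https://app.example"}
    # Request triggered by a page on another site: the browser still sends the
    # cookie, but the Origin header names the attacker-controlled site and the
    # page cannot read our token.
    foreign = {"Origin": "https://other-site.example"}

    return {
        "own_page_with_token": request_is_legitimate(own, session, token),
        "foreign_page_no_token": request_is_legitimate(foreign, session, None),
        "foreign_page_guessed_token": request_is_legitimate(foreign, session, "guess"),
        "own_page_missing_token": request_is_legitimate(own, session, None),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accept' if ok else 'reject'}")
```

The two checks are deliberately independent: the origin check stops the forged request even if a token somehow leaks, and the token check stops it even if a header is spoofed or stripped by a proxy. Note that the function rejects a request that carries neither `Origin` nor `Referer` rather than treating the absence as benign.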

Wyden Releases Letter Showing That Facebook Wasn’t Monitoring How Its Partners Handled User Data Despite 2011 Consent Decree

Senator Ron Wyden (D-OR) released a letter showing that Facebook failed to closely monitor device makers after granting them access to the personal data of hundreds of millions of people. Facebook’s loose oversight of the partnerships was detected by the company’s government-approved privacy monitor in 2013, details of which were in the letter. In 2013, Facebook entered into data sharing agreements with seven device makers to provide what it called the “Facebook experience,” custom-built software that gave the device makers access to Facebook on their phones. Those partnerships fell under a 2011 consent decree with the Federal Trade Commission designed to monitor the company’s privacy practices. When a team from PricewaterhouseCoopers conducted the initial F.T.C.-mandated assessment in 2013, testing Facebook’s partnerships with Microsoft and Research in Motion, maker of the BlackBerry handset, it found only “limited evidence” that Facebook had monitored or checked its partners’ compliance with its data use policies. (New York Times)
1 day ago

Valve Pays Researcher $20,000 for Finding Bug in Steam That Allowed Unlimited Games for Free

Researcher Artem Moskowsky found a bug in Valve’s Steam marketplace that could have been exploited by thieves to steal game license keys and play pirated titles. Moskowsky discovered that he could change the parameters in an API request and get activation keys, also known as CD keys, for any game. Valve gave Moskowsky a $15,000 bug bounty as well as a $5,000 bonus for the find in August, though Valve only allowed the report to go public on October 31. (The Register)
1 day ago

Magecart Online Payment Card Data Theft Malware Now Used By Seven Groups Who Have Hacked More Than 110,000 Different Shops, Report

The name of online payment card data theft malware, “Magecart,” has evolved to become an umbrella term used to describe the activities of at least seven hacking groups, all of which appear to have taken inspiration from an initial Magecart campaign that was first detected in 2016, according to a deep dive technical analysis of Magecart conducted by RiskIQ and Flashpoint. These groups have deployed similar malware in similarly-orchestrated attacks to the initial campaign, in an effort to replicate the success of the first Magecart group. The attacks all follow a similar pattern, from the hackers gaining access to an online store’s back-end to putting the data up for sale on carding forums. RiskIQ says it’s tracking at least seven Magecart groups, responsible for hacks on more than 110,000 different shops. RiskIQ says it is also working with AbuseCH and the Shadowserver Foundation to take down the server infrastructure of most of these groups. (ZDNet)
1 day ago

Google Traffic Was Misdirected to China and Russia in Suspicious Incident That Google Called a ‘Glitch’

A border gateway protocol (BGP) hijacking incident rerouted Google’s primarily business-grade data through Russia and China and disrupted the Internet giant’s services on Monday, including search, cloud-hosting services and its bundle of collaboration tools for businesses. The incident lasted about an hour and a half and ended at 5:30 pm EST yesterday. Google said the incident was a technical glitch relating to BGP peering agreements and said it had no reason to believe it was a malicious hacking attempt. Security firm ThousandEyes said data for some of Google’s search and cloud hosting services was rerouted through Russia and China, effectively landing at state-run China Telecom. ThousandEyes said the incident could have been a glitch, given that the origin of the leak was the BGP peering relationship between MainOne, a Nigerian provider, and China Telecom: MainOne has a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom. However, a recent study by U.S. Naval War College and Tel Aviv University scholars found that China systematically hijacks and diverts U.S. internet traffic using China Telecom. (Wall Street Journal)
2 days ago
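The distinction the item draws between a hijack and a peering leak is visible in the AS path of the announced route: in a hijack the origin AS is wrong, while in a leak like the MainOne case the origin is correct and the route simply travels through an AS that should never have re-exported it. The following is an added example, not ThousandEyes' or Google's tooling, of a route-monitoring check that a prefix owner can run over BGP updates seen at a route collector. It uses a constructed policy table (TEST-NET prefix `203.0.113.0/24`, private-use ASNs 64496 to 64511 standing in for the origin, its transit provider and its settlement-free peer) and a simplified rule that a peer may appear only as the collector's direct neighbour, since a peer that re-exports the route to third parties is leaking it. Real deployments would source the origin and neighbour expectations from RPKI ROAs and IRR data instead of a hard-coded dict.

```python
"""Route-leak and hijack checks over observed BGP paths (added example, not the
tooling of any company named in the article). Run stand-alone: python3 bgp_check.py"""
import ipaddress

# Constructed expected-routing policy for one monitored prefix.
MONITORED = {
    "203.0.113.0/24": {
        "origin": 64500,         # AS that legitimately originates the prefix
        "transits": {64496},     # upstreams allowed to carry and re-export the route
        "peers": {64497},        # settlement-free peers: may not re-export to third parties
    },
}


def collapse_prepends(as_path):
    """Drop consecutive duplicate ASNs so AS-path prepending does not confuse
    the neighbour checks (e.g. [A, O, O, O] -> [A, O])."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def check_route(prefix, as_path, monitored=MONITORED):
    """Return a list of finding labels for one observed route.
    as_path is ordered as seen from the collector: first element is the
    collector's direct neighbour, last element is the origin AS."""
    findings = []
    net = ipaddress.ip_network(prefix)
    path = collapse_prepends(as_path)
    for mon_prefix, policy in monitored.items():
        mon = ipaddress.ip_network(mon_prefix)
        if net.version != mon.version or not net.subnet_of(mon):
            continue                      # not one of ours
        if net != mon:
            findings.append("more-specific")   # a longer prefix wins routing: classic hijack shape
        if path[-1] != policy["origin"]:
            findings.append("origin-mismatch")
            continue                      # wrong origin: neighbour checks are moot
        if len(path) >= 2:
            neighbour = path[-2]          # AS adjacent to our origin
            if neighbour not in policy["transits"] | policy["peers"]:
                findings.append("unexpected-neighbor")
            elif neighbour in policy["peers"] and len(path) > 2:
                # Our peer handed the route onward to someone else: a peering leak.
                findings.append("peer-route-leak")
    return findings


# Constructed sample of routes as a collector might report them.
SAMPLE_ROUTES = [
    ("203.0.113.0/24", [64496, 64500]),          # via transit: normal
    ("203.0.113.0/24", [64496, 64500, 64500]),   # prepended origin: still normal
    ("203.0.113.0/24", [64499, 64497, 64500]),   # peer 64497 re-exported to 64499: leak
    ("203.0.113.0/25", [64498, 64500]),          # more-specific from an unknown neighbour
    ("203.0.113.0/24", [64496, 64511]),          # wrong origin AS
    ("198.51.100.0/24", [64496, 64510]),         # not monitored
]


def audit(routes=SAMPLE_ROUTES):
    """Map each observed route to its findings (empty list means nothing to report)."""
    return {(prefix, tuple(path)): check_route(prefix, path) for prefix, path in routes}


if __name__ == "__main__":
    for (prefix, path), findings in audit().items():
        print(f"{prefix:<18} {list(path)!s:<24} {findings or 'ok'}")
```

The peer-leak rule is the interesting one for the Google incident: the origin is right, the peer is a known peer, and only the extra hop in front of it reveals that the route escaped the peering session. The check is intentionally conservative (it will also flag legitimate cases where the collector itself sits behind a customer of the peer), so treat its output as an alert to investigate rather than an automatic withdrawal trigger.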

Spyware Vendor NSO Group in Talks to Buy Predictive Policing Cybersecurity Firm Fifth Dimension Holdings, Sources

Israeli spyware company NSO Group is in early-stage talks to acquire predictive policing and threat assessment cybersecurity company Fifth Dimension Holdings Ltd, according to people familiar with the matter. Fifth Dimension is chaired by Benny Gantz, former chief of staff of the Israeli military, and Ram Ben-Barak, former deputy head of the Mossad, is on the company’s advisory board. Private equity firm Francisco Partners Management holds a majority stake in NSO Group, which has earned a controversial reputation for selling its best-known spyware, called Pegasus, to repressive regimes, including the Saudi government. A recent analysis found that the Pegasus malware had inadvertently spread to 45 countries. Fifth Dimension develops artificial intelligence systems to spot unusual or suspicious criminal behavior for military, government and civil data analytics and, like NSO Group, sells primarily to governments and government agencies. (CTech)