1 week ago

vBulletin Issues New Security Patch Update to Address Three High-Severity Vulnerabilities That Allow Attackers to Take Over Targeted Web Servers

On the heels of releasing a patch for a critical zero-day remote code execution flaw in late-September, forum software company vBulletin published a new security patch update that addresses three more high-severity vulnerabilities in its forum software. If left unpatched, the flaws, which affect vBulletin 5.5.4 and prior versions, could allow remote attackers to take complete control over targeted web servers and steal sensitive user information. Discovered by application security researcher Egidio Romano, the first vulnerability, tracked as CVE-2019-17132, is a remote code execution flaw, while the other two are SQL injection issues, both assigned a single ID as CVE-2019-17271. (The Hacker News)
1 week ago

FISA Court Found FBI’s Efforts to Conduct Warrantless Database Searches on Americans Violated the Law and the Constitution

In a rare rebuke to U.S. spying programs, a secret surveillance court, the Foreign Intelligence Surveillance (FISA) Court, last year found that the FBI’s efforts to search for data about Americans violated the law authorizing the program, as well as the Constitution’s Fourth Amendment protections against unreasonable searches. The ruling was just made public by the intelligence community after the government lost an appeal of the judgment earlier this year before another secret court. The latest decision found that there were improper searches of raw intelligence databases by the bureau in 2017 and 2018 that were part of a warrantless Internet surveillance program. One fundamental problem was the breadth of the searches, which sometimes involved queries related to thousands or tens of thousands of pieces of data, such as emails or telephone numbers. The court found the FBI strayed from its mandate to search only for evidence of a crime or for foreign intelligence information. In one case, the FBI conducted searches to vet its personnel and cooperating sources. (Wall Street Journal)
1 week ago

Microsoft Pushes Out Patches for 59 Vulnerabilities, Nine Deemed Critical Including Remote Desktop Bug That Could Allow Remote Attacker to Execute Code on Victims’ Machines

Microsoft released patches for 59 vulnerabilities, including nine critical vulnerabilities, as part of its October Patch Tuesday security update. One of the fixes addresses a critical Remote Desktop bug that could allow a remote attacker to execute code on victims’ machines. The patches encompass a wide range of products including Microsoft Windows, Internet Explorer, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, SQL Server Management Studio, Microsoft Dynamics 365, Windows Update Assistant and Open Source Software. (Threatpost)
1 week ago

Cellebrite Has Been Offering In-House iPhone, Android Cracking Capabilities to Law Enforcement Since 2018; Manhattan DA Has Cracked Client’s Phone Using It, Lawyer Says

The recently announced UFED Premium program offered by Israeli digital forensics firm Cellebrite gives law enforcement the ability to “unlock and extract data from all iOS and high-end Android devices” on their own, using software installed on computers in their offices. However, according to documents obtained by OneZero, Cellebrite had been selling this new product to law enforcement for over a year before making that announcement. New York City has been a customer of this service since 2018, with the Manhattan District Attorney’s Office gaining access to the UFED Premium in-house starting January 2018. According to a contract seen by OneZero, the DA’s office agreed to pay Cellebrite about $200,000 over three years for UFED Premium. Legal Aid Society attorney Jerome Greco, who runs the public defender practice’s digital forensics unit, believes that the phone of one of his clients had been accessed using the Cellebrite program. (OneZero)
1 week ago

Thirty-Six Civil Rights Groups Demand End to Partnerships Between Amazon’s Ring and Law Enforcement Agencies, Seek Local Ordinances Against Such Partnerships, Ask Congress to Investigate Ring’s Practices

Thirty-six civil rights organizations signed an open letter published by digital rights advocacy group Fight for the Future demanding that local, state, and federal officials end partnerships between Ring, Amazon’s home surveillance company, and over 405 law enforcement agencies around the country. The letter also demands two other things: municipalities should pass surveillance oversight ordinances to “deter” police from partnering with companies like Ring in the future, and Congress needs to investigate Ring’s practices. The signatories to the letter include Media Justice, the Tor Project, and Media Mobilizing Project, and racial justice coalitions like The Black Alliance for Just Immigration, Mijente, and the American-Arab Anti-Discrimination Committee. (Motherboard)
1 week ago

Twitter Says It Unintentionally Used Some Users’ Email Addresses, Phone Numbers Supplied for Two-Factor Authentication for Advertising Purposes

Twitter said that it unintentionally used some users’ email addresses and phone numbers they provided for security purposes, such as two-factor authentication, for advertising purposes. Twitter’s Tailored Audiences and Partner Audiences advertising system, which matches email addresses and phone numbers with those already obtained by advertisers, used the data. Twitter can’t say how many people were affected by the issue but did say that the company fixed the problem as of September 17. (Motherboard)
1 week ago

Software Developer Hacked Back Against Muhstik Ransomware Gang and Released Decryption Keys, Free Decryptor to Allow Victims to Get Files Back

German software developer Tobias Frömel has hacked back on the Muhstik ransomware gang, which encrypted his files, by hacking their server and releasing nearly 3,500 decryption keys for all other victims to get their files back. He also released a free decrypter. The Muhstik ransomware gang, which has been active since the end of September, has been hacking into publicly exposed QNAP NAS devices and encrypting the files on them. After paying the ransom, Frömel also analyzed the ransomware and gained access to the PHP script that generates passwords for a new victim. He then published the decryption keys on Pastebin and published a decrypter that all Muhstik victims can use to unlock their files. The decrypter is available on MEGA [VirusTotal scan], and usage instructions are available on the Bleeping Computer forum. (Bleeping Computer)
1 week ago

Cybersecurity Leaders Band Together to Launch Open Cybersecurity Alliance Designed to Tackle Fragmentation, Interoperability of Security Tools

To help manage the 47 cybersecurity tools the average enterprise deploys, IBM, McAfee, and 16 other cybersecurity leaders have launched, through the OASIS international consortium, an initiative called the Open Cybersecurity Alliance (OCA) designed to tackle fragmentation and interoperability problems in the cybersecurity space. Through the OCA, each company will lend cybersecurity resources, whether threat insight, code, or expertise, to “develop open source security technologies which can freely exchange information, insights, analytics, and orchestrated responses.” The Alliance will focus on the development of open-source content, code, tooling, practices, and patterns for improving the interoperability of cybersecurity solutions and work on ways to bolster information sharing across vendors and their product lines. (ZDNet)
1 week ago

Opera 64 Offers Users Improved Privacy Protections From Online Tracking Which It Says Can Speed Browsing by Almost 20%

Browser maker Opera is releasing Opera 64 to the stable channel, offering users improved privacy protections from online tracking. Opera is shipping with a new privacy setting that allows users to toggle on the Block Trackers feature alongside the existing built-in ad blocker, which it says can speed up web browsing by almost 20% because web trackers make websites slower to load. Opera is using the EasyPrivacy Tracking Protection List for its tracker blocker, which contains a list of known tracking scripts and blocks them. (ZDNet)
1 week ago

With Its Latest Android App Update Signal Fixes Crucial Flaw That Could Allow Bad Actor to Answer Audio Calls

Encrypted messaging app Signal has, in the latest update of its Android app (version 4.47.7), fixed a crucial flaw that could have allowed a bad actor to answer calls on the recipient’s device without any interaction from the recipient. Users need to take no action for the fix other than updating to the most current version of the app. Google’s Project Zero team reported the flaw in September, which only affects audio calls. (The Next Web)
1 week ago

Instagram Adds New Anti-Phishing Feature to Detect Whether Instagram-Sent Emails Are Legit

Facebook-owned photo-sharing site Instagram said it’s introducing a new way for users to check if Instagram really sent them an email by incorporating an anti-phishing feature. The new feature is available in the site’s settings under the security tab. Instagram now also offers steps on its site users can take to secure their accounts if they believe they’ve been hacked. That includes requesting a login link, reverting an email change, and reporting the account. (CNET)
1 week ago

Commerce Adds Twenty Chinese Entities to Trade Blacklist Including Video Surveillance, Facial Recognition Giants

The U.S. Commerce Department has added twenty Chinese public security bureaus and eight companies, including video surveillance firm Hikvision, as well as leaders in facial recognition technology SenseTime Group Ltd and Megvii Technology Ltd., to its “entities list,” a trade blacklist that bars the firms from buying components from U.S. companies without U.S. government approval. The move, which could prove crippling to the companies, follows the decision last spring to add other Chinese companies, including telecom giant Huawei, to the entities list amid a controversial trade war waged by Donald Trump. The administration, however, said this recent action is not tied to trade but contends it’s because the companies have been implicated “in human rights violations and abuses in the implementation of China’s campaign of repression, arbitrary mass detention, and high-technology surveillance against Uighurs, Kazakhs, and other members of Muslim minority groups.” (Reuters)
1 week ago

Google Issues October Patches for Android Including a Fix for the Zero-Day Flaw Discovered by Project Zero That Could Give Attackers Full Device Control

Google issued its Android October security updates fixing eight issues ranging from moderate to severe, with the most severe relating to the media framework and a remote attacker possibly executing arbitrary code through a crafted file. One of the significant updates patches a zero-day security vulnerability on the original Pixel and Pixel 2 discovered by Google’s Project Zero team that could give attackers full device control if a malicious app is installed. (9to5Google)
1 week ago

Alabama Hospitals Pay Ransom Following Attack That Crippled Computer Systems, Working to Restore Normal Operations

The DCH Health System in Tuscaloosa, Alabama has made a payment to the hackers responsible for the crippling ransomware attack on its computer system that impacted operations at its three hospitals. The hospitals didn’t reveal how much they paid the attackers but said they are quickly working to restore normal operations. (Tuscaloosa News)
1 week ago

Vast Majority of Deepfakes Are Porn, Target Women and Are Non-Consensual, Study

A new study by the cybersecurity firm Cybertrace has found that the vast, vast majority of deepfakes are pornographic, and virtually all of the pornographic deepfakes analyzed in the study exclusively targeted women. Likewise, almost all, or 96%, of the 14,678 deepfake videos the researchers found online are non-consensual. (Motherboard)