Security Feeds

General Security News

Wired Security News

Security Latest

A YubiKey for iOS Will Soon Free Your iPhone From Passwords

Yubico has finally gotten the green light from Apple to make a hardware authentication token that works on iPhones and iPads.

01/08/19 9:00 am

Mueller Investigation 2019: Indictments, Witnesses, and More

The special counsel has lots of unfinished business on his to-do list this year, including a final report. Here's a rundown.

01/08/19 4:00 am

The 'Twinning' Fad, the Weather Channel, and More Security News

A rogue PewDiePie fan, Marriott hack details, and more of the week's top security news.

01/05/19 6:00 am

A Major Hacking Spree Gets Personal for German Politicians

Hundreds of German politicians who have had their private digital lives exposed online are victims of a hacking campaign with unclear motives.

01/04/19 12:34 pm

The Elite Intel Team Still Fighting Meltdown and Spectre

One year after a pair of devastating processor vulnerabilities were first disclosed, Intel's still dealing with the fallout.

01/03/19 9:33 am

Dark Reading

6 Ways to Beat Back BEC Attacks

Don't assume your employees know how to spot business email compromises - they need some strong training and guidance on how to respond in the event of an attack.

01/09/19 6:00 am

New 'Crypto Dusting' Attack Gives Cash, Takes Reputation

This new form of crypto wallet fraud enlists unwary consumers and companies to help defeat anti-money laundering methods for law enforcement and regulators.

01/08/19 4:00 pm

Remote Code Execution Bugs Are Primary Focus of January Patch Tuesday

This month's security update includes seven patches ranked Critical and one publicly known vulnerability.

01/08/19 2:00 pm

20-Year Old Student Admits to Massive Data Leak in Germany

Hack was not politically motivated; no sign of third-party involvement, authorities say.

01/08/19 12:20 pm

Your Life Is the Attack Surface: The Risks of IoT

To protect yourself, you must know where you're vulnerable - and these tips can help.

01/08/19 11:30 am

Security Magazine

More intelligent viewing, from Bosch

The latest Bosch AUTODOME IP range is the only camera with built-in Essential Video Analytics and a pan, tilt and zoom (PTZ) function.

10/01/17 11:17 am

Over the Horizon: Emerging Security Threats and Risks to the Enterprise

We are entering a period of time when we are going to see an uptick in the number of security threats, both physical and in cyberspace. There is an increasing global unrest. Over the past few months what we’ve seen electorally, in the U.S., but also in Europe and in other parts of the world, has been a manifestation of that.

10/01/17 4:11 am

Protecting History: A Culture of Security at the Art Institute of Chicago

The Art Institute of Chicago hosts 1.5 million visitors annually, holds 300,000 works of art, serves as the venue for hundreds of private events every year and is a cornerstone of downtown Chicago tourism. All of these factors make security absolutely essential and absolutely challenging.

10/01/17 4:11 am

Preserving & Securing: Keeping Security Discreet at the Darwin Martin House

Iconic American architect Frank Lloyd Wright was commissioned to build a unique residential complex for Buffalo, New York, businessman Darwin D. Martin and his family between 1903 and 1905. Scholars consider the complex of six interconnected buildings as one of Wright’s finest achievements, but the history of the house has been a rocky one.

10/01/17 4:09 am

University Campuses Take Center Stage

Bike thefts, drug abuse, assaults and other violent crimes, protest-counterprotest melees, and cyber hackers are crowding onto the ever-expanding plates of college and university police and security forces. But those in the field say they’re up to those myriad challenges thanks to the combination of equipment, technology and training they can bring to bear.

10/01/17 4:08 am

The Hacker News

Chinese Hacker Publishes PoC for Remote iOS 12 Jailbreak On iPhone X

Here we have great news for all iPhone Jailbreak lovers and a concerning one for the rest of iPhone users. A Chinese cybersecurity researcher has today revealed technical details of critical vulnerabilities in Apple Safari web browser and iOS that could allow a remote attacker to jailbreak and compromise victims' iPhone X running iOS 12.1.2 and earlier versions. To do so, all an attacker needs to

01/23/19 6:09 am

Someone Hacked PHP PEAR Site and Replaced the Official Package Manager

Beware! If you have downloaded the PHP PEAR package manager from its official website in the past 6 months, we are sorry to say that your server might have been compromised. Last week, the maintainers at PEAR took down the official website of the PEAR (pear-php.net) after they found that someone had replaced the original PHP PEAR package manager (go-pear.phar) with a modified version in the core PEAR file

01/23/19 1:43 am

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Just in time… Some cybersecurity experts were this week arguing over Twitter in favor of not using HTTPS and suggesting that software developers rely only on signature-based package verification, just because APT on Linux also does the same. Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a

01/23/19 12:19 am

DHS Orders U.S. Federal Agencies to Audit DNS Security for Their Domains

The U.S. Department of Homeland Security (DHS) has today issued an "emergency directive" to all federal agencies ordering IT staff to audit DNS records for their respective website domains, or other agency-managed domains, within the next 10 business days. The emergency security alert came in the wake of a series of recent incidents involving DNS hijacking, which security researchers with "

01/22/19 11:31 pm

Google fined $57 million by France for lack of transparency and consent

The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union's new General Data Protection Regulation (GDPR) law that came into force in May last year. The fine has been levied on Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," the CNIL (National Data

01/21/19 10:54 am


Focused Security News

Krebs on Security

How the U.S. Govt. Shutdown Harms Security

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come. One federal agent with more than 20 years on the job told KrebsOnSecurity that the shutdown "is crushing our ability to take the fight to cyber criminals."

01/23/19 9:51 am

Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months -- including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year -- were made possible thanks to an authentication weakness at GoDaddy.com, the world's largest domain name registrar, KrebsOnSecurity has learned. Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains tied to GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world's most trusted corporate names and brands.

01/22/19 6:44 pm

773M Password ‘Megabreach’ is Years Old

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

01/17/19 12:11 pm

“Stole $24 Million But Still Can’t Keep a Friend”

Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paint a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man -- all the while lamenting that his fabulous new wealth brought him nothing but misery.

01/15/19 4:52 pm

Courts Hand Down Hard Jail Time for DDoS

Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against a number of hospitals in 2014. Also last week, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia's Internet access in 2016.

01/14/19 11:37 am

Naked Security

Ep. 016 – Email fraud, Android apps, Collection #1 and the 10 year challenge [PODCAST]

Here's the latest Naked Security podcast. Enjoy!

01/23/19 5:11 am

100 million online bets exposed by leaky database

Online gamblers lose their private data as yet another unsecured Elasticsearch database is discovered.

01/23/19 5:04 am

PewDiePie-spammers and whale-flingers exploit hole in Atlas game

Last week hackers allegedly compromised an admin’s Steam account and used it to spawn planes, tanks, and whales in Atlas.

01/23/19 4:18 am

Google fined $57m for data protection violations

In a landmark ruling, France’s data protection commissioner has fined Google 50 million Euros (around $57m) for violating Europe’s privacy laws.

01/23/19 3:28 am

Hijacked Nest cam broadcasts bogus warning about incoming missiles

A hacked Nest camera broadcast the fake warning about incoming North Korean missiles, sending a family into “five minutes of sheer terror.”

01/23/19 2:45 am

Security Week

SecurityWeek RSS Feed

EU-Japan Deal to Protect Data Exchanges Takes Effect

The European Union and Japan on Wednesday launched the "world's largest areas of safe data flows" after finalizing common rules to protect personal information, the EU said.

Firms can transfer data now that the executive European Commission finds that Japanese law offers "a comparable level of protection of personal data," the commission said.

01/23/19 9:39 am

Apple Patches Dozens of Vulnerabilities in iOS, macOS

Apple this week released new updates for iOS and macOS users to address tens of security vulnerabilities and other bugs in the two platforms.

01/23/19 8:53 am

Code Execution Vulnerability Impacts Linux Package Manager

A remote code execution vulnerability was recently discovered in APT, the high level package manager used in many Linux distributions. 

01/23/19 8:27 am

WhiteHat Security Launches New Software Testing Products

Application security firm WhiteHat Security on Tuesday announced the general availability of a new product line designed to help organizations conduct comprehensive code analysis.

01/23/19 8:05 am

Recorded Future Adds Third-Party Risk to Threat Intelligence Platform

Over the last few years, the supply chain has emerged as a primary attack vector for both criminal gangs and nation-state groups. Attackers are compromising often smaller and less well-defended suppliers in order to gain access to larger primary targets. This problem is getting worse with the increasing digital transformation of business around the world -- more companies are dealing electronically with each other than ever before.

01/23/19 6:14 am

Graham Cluley

Automated phishing attack tool bypasses 2FA protection

Modlishka may help raise awareness of the danger of reverse proxy phishing attacks, but it’s easy to imagine that many criminals will be tempted to put it to malicious use.

01/09/19 4:43 am

Being paid to quit Facebook

Research claims Facebook users are prepared to give up the social network for a year… if paid over $1000.

01/09/19 3:27 am

Earn $2,000,000 by remotely jailbreaking an iPhone

Will anyone come up with a zero-day remote exploitation of iOS 12.x without user interaction?

The sad truth is that we may never know for sure… but intelligence agencies might.

01/07/19 8:24 am

Unlock the power of threat intelligence with this practical guide. Get your free copy now

Graham Cluley Security News is sponsored this week by the folks at Recorded Future. Thanks to the great team there for their support!

At Recorded Future, we believe every security team can benefit from threat intelligence. That’s why we’ve published “The Threat Intelligence Handbook.”

It’s aimed at helping security professionals realize the advantages of threat intelligence by offering practical steps for applying threat intelligence in any organization.

Download your free copy now.

About Recorded Future

Recorded Future delivers the only complete threat intelligence solution powered by patented machine learning to lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to alerts 10 times faster. To supercharge the efforts of security teams, our technology automatically collects and analyzes intelligence from technical, open web, and dark web sources and aggregates customer-proprietary data. Recorded Future delivers more context than threat feeds, updates in real time so intelligence stays relevant, and centralizes information ready for human analysis, collaboration, and integration with security technologies. 91 percent of the Fortune 100 use Recorded Future.


If you’re interested in sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.

01/07/19 3:55 am

Town of Salem hack exposes details of 7.6 million gamers

Just before Christmas, hackers managed to break into a database belonging to a popular online game and steal the details of over seven million players.

Read more in my article on the Hot for Security blog.

01/04/19 8:04 am


Technical Security News

PacketStorm

Packet Storm

AddressSanitizer (ASan) SUID Executable Privilege Escalation

This Metasploit module attempts to gain root privileges on Linux systems using setuid executables compiled with AddressSanitizer (ASan). ASan configuration related environment variables are permitted when executing setuid executables built with libasan. The log_path option can be set using the ASAN_OPTIONS environment variable, allowing clobbering of arbitrary files, with the privileges of the setuid user. This module uploads a shared object and sprays symlinks to overwrite /etc/ld.so.preload in order to create a setuid root shell.

01/23/19 1:55 pm

I2P 0.9.38

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

01/23/19 1:53 pm

Ghostscript Pseudo-Operator Remote Code Execution

Ghostscript has an issue with pseudo-operators that can lead to remote code execution. Version 9.26 is affected.

01/23/19 1:51 pm

Coppermine 1.5.46 Cross Site Scripting

Coppermine version 1.5.46 suffers from multiple cross site scripting vulnerabilities.

01/23/19 1:49 pm

Abantecart 1.2.12 Cross Site Scripting

Abantecart version 1.2.12 suffers from a cross site scripting vulnerability.

01/23/19 1:47 pm

ThreatPost

Redaman Spams Russian Banking Customers with Rotating Tactics

The banking trojan hides its misdeeds with a rotating set of tactics.

01/23/19 12:27 pm

Malware in Ad-Based Images Targets Mac Users

Researchers detected 191,970 bad ads and estimate that around 1 million users were impacted.

01/23/19 12:00 pm

Monero: Cybercrime’s Top Choice for Mining Malware

Illicit Monero-mining malware accounts for more than 4 percent of the XMR in circulation, and has created $57 million in profits for the bad guys.

01/23/19 10:17 am

6 Signs of Successful Threat Hunting

Here are six tips to put threat hunters in the driver's seat so they can outsmart their adversaries.

01/23/19 8:34 am

‘Chaos’ iPhone X Attack Alleges Remote Jailbreak

The attack makes use of previously disclosed critical vulnerabilities in the Apple Safari web browser and iOS.

01/23/19 8:23 am