InfoSec News Nuggets 10/31/2019

1 - Apple Patches Tens of Vulnerabilities in macOS Catalina, iOS 13 Security updates released by Apple this week for iOS 13 and macOS Catalina 10.15 address roughly 40 vulnerabilities, including issues that affect both operating systems. macOS Catalina 10.15.1, the first security update for the latest major version of the operating system, fixes 33 vulnerabilities, including flaws that can be exploited through malicious applications or by getting the targeted user to process a specially crafted file.…
Read More

InfoSec News Nuggets 10/30/2019

1 - iPhone 5 users risk losing internet access Apple iPhone 5 users have been warned to update their software before the weekend or face losing access to the internet. The technology giant said users who did not download iOS 10.3.4 by 3 November would be locked out of features that rely on the correct time and date. This includes the App Store, email, web browsing and storage service iCloud. While it is not the latest…
Read More

InfoSec News Nuggets 10/29/2019

1 - UniCredit reveals data breach exposing 3 million customer records UniCredit has revealed a data breach resulting in the leak of information belonging to three million customers. On Monday, the Italian bank and financial services organization said that a compromised file, generated in 2015, is the source of the security incident. In total, roughly three million records were exposed, revealing the names, telephone numbers, email addresses, and cities where clients were registered. While UniCredit caters to an international…
Read More

InfoSec News Nuggets 10/28/2019

1 - Facebook starts testing News, its new section for journalism Facebook’s news section, which was previously reported to be imminent, is here: The company is rolling out Facebook News in a limited test in the U.S. as a home screen tab and bookmark in the main Facebook app. In a blog post, Facebook’s Campbell Brown (vice president of global news partnerships) and Mona Sarantakos (product manager, news) said that news articles will continue to appear in the main…
Read More

InfoSec News Nuggets 10/24/2019

1 - Ransomware Hits B2B Payments Firm Billtrust Business-to-business payments provider Billtrust is still recovering from a ransomware attack that began last week.  The company said it is in the final stages of bringing all of its systems back online from backups. With more than 550 employees, Lawrence Township, N.J.-based Billtrust is a cloud-based service that lets customers view invoices, pay, or request bills via email or fax. In an email sent to customers today, Billtrust said…
Read More

InfoSec News Nuggets 10/23/2019

1 - Vatican's wearable rosary gets fix for app flaw allowing easy hacks The road to internet-connected salvation is paved with cybersecurity issues. The Vatican discovered that Thursday, after a security researcher disclosed a severe vulnerability with the "Click to Pray" eRosary app. On Wednesday, the Vatican announced its $110 wearable rosary, an internet of things device that syncs with an app from the Pope's Worldwide Prayer Network. One advantage of IoT devices is that they open up a…
Read More

InfoSec News Nuggets 10/22/2019

1 - Open AWS buckets expose more than 200K CVs at two online recruitment firms Unsecured AWS servers belonging to two online recruitment firms – U.S.-based Authentic Jobs and Sonic Jobs in the U.K. – have exposed more than 250,000 CVs of job candidates. Unsecured AWS servers belonging to two online recruitment firms – U.S.-based Authentic Jobs and Sonic Jobs in the U.K. – have exposed more than 250,000 CVs of job candidates.   2…
Read More

InfoSec News Nuggets 10/18/2019

1 - California adds biometric specs to data breach law California is changing its Information Practices Act of 1977 to expand the definition of personal information with additional identifiers, including biometric data of those affected. The amendment comes with new instructions on how to notify affected parties by a breach. The legislation is old and uses a definition too broad to describe personal information in all the shapes and forms found today. As such, amendment…
Read More

InfoSec News Nuggets 10/17/2019

1 - Argentinian security researcher arrested after tweeting about government hack Argentinian police briefly detained and raided the home of a well-known security researcher last week on suspicion of hacking and leaking data from government systems. Following his release, Javier Smaldone, the security researcher, obtained and published court documents pertaining to his arrest on Twitter. The documents showed that authorities arrested and raided the security expert just for tweeting about a recent government hack, with…
Read More

InfoSec News Nuggets 10/16/2019

1- Mozilla Rolls Out Code Injection Attack Protection in Firefox Mozilla rolled out protection measures to block code injection attacks in the Firefox web browser, with the attack surface being reduced by removing eval()-like functions and inline scripts occurrences. "A proven effective way to counter code injection attacks is to reduce the attack surface by removing potentially dangerous artifacts in the codebase and hence hardening the code at various levels," said the Mozilla Security Team today.…
Read More

InfoSec News Nuggets 10/15/2019

Apple Shares Some Browsing History with Chinese Company Apple is sending some browsing history of iOS 13 Safari users to Tencent Holdings Limited, a Chinese multinational conglomerate. The data shared is tied to the Safari Safe Browsing technology. Revelations of the relationship have drawn criticism from security and privacy experts. Apple’s Safari Browser on iOS has a “Fraudulent Website Warning” feature set as a default that has used Google Safe Browsing technology as a back-end.…
Read More

InfoSec News Nuggets 10/14/2019

Gamers Warned of High-Severity Intel, Nvidia Flaws Chip giants Intel and Nvidia have stomped out high-severity flaws in two popular products, both commonly used by gamers. Impacted are the Nvidia Shield TV and Intel NUC (short for Next Unit of Computing) mini-PC kit. Nvidia Shield TV is a media streaming box (powered by Nvidia’s Tegra X1 system-on-chip) that runs on the Android operating system and can be used for gaming and media streaming. Intel’s NUC mini-PC…
Read More

InfoSec News Nuggets 10/11/2019

Pinterest says AI reduced self-harm content on its platform by 88% Yesterday, on international World Mental Health Day, Pinterest announced in a blogpost that for the past year, it’s been using machine learning techniques to identify and automatically hide content that displays, rationalizes, or encourages self-injury. Using this technology, the social networking company says it has achieved an 88 percent reduction in reports of self-harm content by users, and it’s now able to remove harmful content three times faster…
Read More

InfoSec News Nuggets 10/10/2019

Twitter says user data meant for security purposes may have been used for advertising Twitter said on Tuesday email addresses and phone numbers uploaded by users to meet its security requirements may have been ‘inadvertently’ used for advertising purposes. The micro-blogging site said the issue was rectified as of Sept. 17, without disclosing how many users were impacted. “This was an error and we apologize,” the company said in a blog post. Social media companies, including Twitter and Facebook,…
Read More

InfoSec News Nuggets 10/09/2019

Ransomware attack hits Spanish city demanding undisclosed amount of Bitcoin A hacker is holding computer systems belonging to the southern Spanish city of Jerez de la Frontera, demanding a Bitcoin ransom to unlock them, RFI reports. The ransomware attack, which reportedly began on Tuesday night, has already caused service outages for the city’s website.  There’s currently no indication of the amount of Bitcoin the hacker is demanding. AFP notes that Spain‘s interior ministry has sent three computer…
Read More

InfoSec News Nuggets 10/08/2019

Signal patches Android bug that allowed hackers to answer calls on your behalf  Popular encrypted messaging app Signal has fixed a crucial flaw in its Android app that could’ve allowed bad actors to answer calls on your behalf. What’s more, it needed no intervention from your end. Google’s Project Zero team, which uncovered the bug on September 28, said it only affects audio calls, as the video option needs to be manually enabled for all incoming calls. Signal has since patched the…
Read More

InfoSec News Nuggets 10/07/2019

Kaspersky finds Uzbekistan hacking op… because group used Kaspersky AV A new "threat actor" tied to Uzbekistan's State Security Service has been unmasked by threat researchers at Kaspersky Lab. And the unmasking wasn't very hard to do, since, as Kim Zetter reports for Vice, the government group used Kaspersky antivirus software—which sent binaries of the malware it was developing back to Kaspersky for analysis. Uzbekistan has not been known for having a cyber-espionage capability. But the…
Read More

InfoSec News Nuggets 10/04/2019

Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC Nation-state spy agencies are only as good as their operational security—the care they take to keep their digital spy operations from being discovered. But occasionally a government threat actor appears on the scene that gets it all wrong. This is the case with a threat actor recently discovered by Kaspersky Lab that it’s calling SandCat—believed to be Uzbekistan’s repressive and much-feared intelligence agency, the State…
Read More

InfoSec News Nuggets 10/03/2019

How an AI trained to read scientific papers could predict future discoveries In the new study, an AI learned to retrieve information from scientific literature via unsupervised learning. This has remarkable implications. So far, most of the existing automated NLP-based methods are supervised, requiring input from humans. Despite being an improvement compared to a purely manual approach, this is still a labour intensive job. However, in the new study, the researchers created a system that…
Read More

InfoSec News Nuggets 10/02/2019

600 armed German cops storm Cyberbunker hosting biz on illegal darknet market claims Cops have seized the physical premises and servers of the Dutch-German ISP that once hosted The Pirate Bay – after storming the hosting biz's ex-NATO bunker hideout with 600 gunmen. Cyberbunker, aka CB3ROB, was shut down by German police in what appears to be a military-grade operation targeting the hosting firm's Traben-Trarbach premises: a Cold War-era bunker complete with its original anti-intrusion…
Read More

InfoSec News Nuggets 10/01/2019

Driver's License Thefts Spur ADOT to Boost Online Safeguards Arizona transportation officials announced enhanced security measures Thursday for a state website that identity thieves exploited to get dozens of duplicate driver's licenses. The Arizona Department of Transportation announced new safeguards after acknowledging to Azfamily.com this week that at least 164 drivers have been the victims of theft. The cases go back to July 2018. The agency has also been involved in four criminal investigations that…
Read More

InfoSec News Nuggets 9/30/2019

WordPress sites hacked through defunct Rich Reviews plugin An estimated 16,000 websites are believed to be running a vulnerable and no-longer-maintained WordPress plugin that can be exploited to display pop-up ads and redirect visitors to webpages containing porn, scams, and–worst of all–malware designed to infect users’ computers. Researchers at WordFence went public about how hackers are exploiting a zero-day vulnerability in a third-party WordPress plugin called Rich Reviews to inject malvertising code into vulnerable WordPress sites. The…
Read More

InfoSec News Nuggets 9/27/2019

Microsoft challenges ‘sneak and peek’ warrant that requests data from one of its big corporate customers Microsoft said on Wednesday it was challenging a federal judge’s order that prevents the software maker from informing one of its large corporate customers that the U.S. government has issued a warrant for the customer’s data. “We have challenged that order in the lower court, and we will pursue an appeal in the appellate court if necessary,” said Dev…
Read More

InfoSec News Nuggets 9/26/2019

Whoops! Google Says Mysterious Wave of Unbootable Macs Is Their Bad A serious flaw in Google Keystone, which controls Chrome updates, is capable of doing major damage to macOS file systems on some computers and has been linked to data corruption that struck Hollywood video editors and others on Monday evening, Variety reported. Initially, blame for the corrupted file systems was largely directed at Avid and its Media Composer software, which was identified as a common link by film and…
Read More

InfoSec News Nuggets 9/25/2019

Avid Users Are Suddenly Finding That Their Macs Won’t Boot Avid video editors have started reported that when they shutdown their Macs, they will no longer boot up afterwards.  It is not known exactly what is causing this issue, but it appears to be affecting older versions of Mac OS X who have the Avid Media Creator software installed. As reported by Variety, film and TV editors all over the world suddenly found yesterday that after shutting…
Read More

InfoSec News Nuggets 9/24/2019

Android VPN apps found serving disruptive ads A security researcher has discovered four VPN apps that serve ads while running in the background and also on the home screen of Android smartphones in the latest case of adware found on the Google Play Store. While researching suspicious Android VPN apps, Andy Michael found that Hotspot VPN, Free VPN Master, Secure VPN and Security Master by Cheetah Mobile were all showing full screen pop-up ads on his smartphone even though none of…
Read More

InfoSec News Nuggets 9/23/2019

Second Wave of Click2Gov Breaches Hits United States In December 2018, Gemini Advisory covered a breach of Click2Gov, a self-service bill-pay portal for utilities, community development, and parking tickets, which compromised over 300,000 payment card records from dozens of cities across the United States and Canada between 2017 and late 2018. Gemini has now observed a second wave of Click2Gov breaches beginning in August 2019 and affecting over 20,000 records from eight cities across the…
Read More

InfoSec News Nuggets 9/20/2019

Documents reveal how Russia taps phone companies for surveillance In cities across Russia, large boxes in locked rooms are directly connected to the networks of some of the country’s largest phone and internet companies. These boxes, some the size of a washing machine, house equipment that gives the Russian security services access to the calls and messages of millions of citizens. This government surveillance system remains largely shrouded in secrecy, even though phone and web companies…
Read More

InfoSec News Nuggets 9/19/2019

Robocalls now flooding US phones with 200m calls per day This is unlikely to surprise anybody who owns a phone: according to a new report, nearly 30% of all US calls placed in the first half of this year were garbage, as in, nuisance, scam or fraud calls. That puts the approximate volume of sludge coming into people’s phones at a mind-boggling 200 million unwanted calls per day. The TNS 2019 Robocall Investigation Report comes from Transaction…
Read More

InfoSec News Nuggets 9/18/2019

U.S. cyber-offensive against ISIS continues, and eyes are now on Afghanistan, general says As loyalties among Afghanistan’s Islamic extremists continue to shift, the U.S. military may be poised to rely more heavily on offensive cyber capabilities to target one group in particular — the dispersed but still active membership of ISIS, according to one military cyber commander. Joint Task Force ARES, the outfit charged with running joint and coalition cyber-operations against ISIS, is working to uncover information about how…
Read More

InfoSec News Nuggets 9/17/2019

T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About It’s called “NOPORT” and, in theory, it makes it a bit harder for criminals to hijack phone numbers with an attack known as “SIM swapping,” a type of social engineering that Motherboard has covered extensively and which is increasingly being used to steal people's phone numbers. SIM swapping attackers usually trick wireless providers into giving them control of…
Read More

InfoSec News Nuggets 9/16/2019

198 Million Car-Buyer Records Exposed Online for All to See Over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, has been found exposed on the internet for anyone to see. The non-password protected Elasticsearch database belonged to Dealer Leads, which is a company that gathers information on prospective buyers via a network of SEO-optimized, targeted websites. According to Jeremiah Fowler, senior…
Read More

InfoSec News Nuggets 9/12/2019

‘Cobalt Dickens’ group is phishing universities at scale again, researchers say An Iran-linked hacking group whose operatives the U.S. government indicted last year has launched a phishing operation to steal login credentials against computer users at over 60 universities in the United States, the United Kingdom, and elsewhere, researchers said Wednesday. The campaign sees victims redirected to spoofed login pages, where their passwords are stolen, said Secureworks, a Dell-owned cybersecurity company that uncovered the activity.…
Read More

InfoSec News Nuggets 9/11/2019

Toyota Parts Supplier Hit By $37 Million Email Scam The Toyota Boshoku Corporation, a major supplier of Toyota auto parts, reported some distressing news this week. Fraudsters fleeced the company via an email scam to the tune of about ¥ 4 billion (JPY). That works out to just over $37 million at today's exchange rate. On August 14th, attackers managed to convince someone with financial authority to change account information on an electronic funds transfer.…
Read More

InfoSec News Nuggets 9/10/2019

Capital One hacker Paige Thompson pleads not guilty on all counts The alleged Capital One hacker Paige Thompson has pleaded not guilty to all charges on her first appearance in court. Appearing at the Western District of Washington federal court late last week, Thompson pleaded not guilty to charges that included wire fraud, and computer fraud and abuse. She could be sentenced to up to 25 years in prison if convicted. A full trial is…
Read More

InfoSec News Nuggets 9/9/2019

South Korean Firm’s Email Leak Exposes Global Clients Security researchers have discovered a South Korean company leaking highly sensitive client and personal emails, which has refused to engage with either them or journalists asking for more info. Industrial pipe manufacturer DKLOK exposed an unprotected email database to the public internet, where white hat hackers from vpnMentor were able to probe it using simple port scanning techniques. “Our team was able to access this database through a vulnerability…
Read More

InfoSec News Nuggets 9/6/2019

A Chinese APT is now going after Pulse Secure and Fortinet VPN servers A group of Chinese state-sponsored hackers is targeting enterprise VPN servers from Fortinet and Pulse Secure after details about security flaws in both products became public knowledge last month. The attacks are being carried out by a group known as APT5 (also known as Manganese), ZDNet has learned from sources familiar with the attacks. According to a FireEye report, APT5 has been…
Read More

InfoSec News Nuggets 9/5/2019

Scamming You Through Social Media Many of us have received phishing email, either at work or home. These emails look legitimate, such as from your bank, your boss, or your favorite online store, but are really an attack, attempting to pressure or trick you into taking an action you should not take, such as opening an infected email attachment, sharing your password, or transferring money. The challenge is, the more savvy we become at spotting…
Read More

InfoSec News Nuggets 9/4/2019

Over 47,000 Supermicro servers are exposing BMC ports on the internet More than 47,000 workstations and servers, possibly more, running on Supermicro motherboards are currently open to attacks because administrators have left an internal component exposed on the internet. These systems are vulnerable to a new set of vulnerabilities named USBAnywhere that affect the baseboard management controller (BMC) firmware of Supermicro motherboards. Patches are available to fix the USBAnywhere vulnerabilities, but Supermicro and security experts…
Read More

InfoSec News Nuggets 9/3/2019

Facebook is thinking about hiding like counts, too Facebook might start testing whether it should begin hiding public-facing like counts. App researcher Jane Manchun Wong found code inside Facebook’s Android app that hides the exact amount of likes on a post from everyone but the original poster. Other users will just see a few reaction emoji and a note that it was liked by “[a friend] and others” instead of a specific number of other people. Facebook confirmed…
Read More

InfoSec News Nuggets 9/02/2019

Another convincing deepfake app goes viral prompting immediate privacy backlash Zao, a free deepfake face-swapping app that’s able to to place your likeness into scenes from hundreds of movies and TV shows after uploading just a single photograph, has gone viral in China. Bloomberg reports that the app was released on Friday, and quickly reached the top of the free charts on the Chinese iOS App Store. And like the FaceApp aging app before it, the creators of Zao are now…
Read More

InfoSec News Nuggets 8/30/2019

NIST Wants Insight on Combatting Telehealth Cybersecurity Risks The National Institute of Standards and Technology wants to hear from vendors who can deliver technical expertise and products that can help secure health organizations’ telehealth capabilities.  According to a notice set to be published in the Federal Register Thursday, the agency wants vendors to provide insight and demonstrations to support the National Cybersecurity Center of Excellence’s health care sector-specific use case, “Securing Telehealth Remote Patient Monitoring Ecosystem.” “This notice…
Read More

InfoSec News Nuggets 8/29/2019

1 A new IOT botnet is infecting Android-based set-top boxes A new IoT botnet named Ares is infecting Android-based devices that have left a debug port exposed on the Internet. Among this botnet's most common victims are Android set-top boxes manufactured by HiSilicon, Cubetek, and QezyMedia, cyber-security firm WootCloud said today. The attacks aren't using a vulnerability in the Android operating systems, but are exploiting a configuration service that has been left enabled and unprotected…
Read More

InfoSec News Nuggets 08/28/2019

1 Senators Question NHTSA on Risks of Connected Vehicles Two United States senators have sent a letter to the National Highway Traffic Safety Administration (NHTSA) to inquire about cyber-risks associated with connected vehicles. In their letter, Senator Edward J. Markey (D-Mass.) and Senator Richard Blumenthal (D-Conn.), members of the Commerce, Science and Transportation Committee, also expressed concerns regarding the lack of publicly available information on the cyber-vulnerabilities associated with these automobiles. The letter (PDF) also asks NHTSA…
Read More

InfoSec News Nuggets 08/27/2019

1 Hostinger Security Breach Impacts 14M Customers Web hosting company Hostinger suffered a security breach on Aug. 23 that allowed an unauthorized third-party to gain access to its internal systems. As TechCrunch reports, the server contained the company's internal system API and associated database which held customer usernames, email addresses, first names, IP addresses, and hashed passwords. The passwords were protected with the SHA-1 algorithm, but that has been proven to be vulnerable to attack.…
Read More

InfoSec News Nuggets 08/26/2019

1 Peripheral Maker Fanatec Hacked, Customer Details Stolen If you've ever been in the market for a high-end gaming controller, racing wheel, or pedals, chances are peripheral maker Fanatec was on your radar. Purchasing directly from Fanatec turned out to be a bad idea, though, as your personal details are probably in the hands of hackers. As Kotaku reports, Fanatec CEO Thomas Jackermeier sent out an email yesterday to all customers informing them that, "our online shop of…
Read More

InfoSec News Nuggets 08/23/2019

1 Intel unveils first artificial intelligence chip Springhill Intel Corp on Tuesday unveiled its latest processor that will be its first using artificial intelligence (AI) and is designed for large computing centers. The chip, developed at its development facility in Haifa, Israel, is known as Nervana NNP-I or Springhill and is based on a 10 nanometer Ice Lake processor that will allow it to cope with high workloads using minimal amounts of energy, Intel said.…
Read More

InfoSec News Nuggets 08/22/2019

1 DoorDash takes another step toward automated food delivery TechCrunch speculates that the acquisition is the latest attempt by DoorDash to reduce its reliance on human delivery drivers, by using more automated systems to deliver food. Back in 2017 the company partnered with Starship Technologies to test food deliveries using a small semi-autonomous robot, and earlier this year it started working with GM to use its autonomous vehicles to deliver food in San Francisco.  …
Read More

InfoSec News Nuggets 08/21/2019

1 Cyber Safety for Students As summer break ends, many students will return to school with mobile devices, such as smart phones, tablets, and laptops. Although these devices can help students complete schoolwork and stay in touch with family and friends, there are risks associated with using them. However, there are simple steps that can help students stay safe while using their internet-connected devices. The Cybersecurity and Infrastructure Security Agency (CISA) recommends reviewing the following…
Read More

InfoSec News Nuggets 08/19/2019

1 Apple's warning: Break Safari's web-tracking rules and we'll hit back ITP broadly aims to limit marketers from tracking iOS and macOS Safari users across different websites, but without impeding a marketer's ability to measure the performance of their online ads. The document outlines what Apple considers to be tracking, different types of tracking, the types it will prevent, and how it treats any attempt to bypass its anti-tracking measures. The company warns it will…
Read More