OCR Software Dev Exposes 200,000 Customer Documents
A misconfigured MongoDB server belonging to Abbyy, an optical character recognition software developer, allowed public access to customer files. [...]
https://www.bleepingcomputer.com/news/security/ocr-software-dev-exposes-200-000-customer-documents/
BleepingComputer
Novel Attack Technique Uses Smart Light Bulbs to Steal Data
Researchers have determined that some light bulbs are suitable for covert data exfiltration from personal devices, and can leak multimedia preferences by recording their luminance patterns from afar. [...]
https://www.bleepingcomputer.com/news/security/novel-attack-technique-uses-smart-light-bulbs-to-steal-data/
Booz Allen Hamilton Researchers Detail New RtPOS Point-of-Sale Malware
Security researchers from Booz Allen Hamilton have spotted a previously unseen and undocumented malware strain that targets point-of-sale (POS) systems. [...]
https://www.bleepingcomputer.com/news/security/booz-allen-hamilton-researchers-detail-new-rtpos-point-of-sale-malware/
Exploit Published for Unpatched Flaw in Windows Task Scheduler
A security researcher has published on Twitter details about a vulnerability in the Windows OS. The vulnerability is a "local privilege escalation" issue that allows an attacker to elevate the access of malicious code from a limited USER role to an all-access SYSTEM account. [...]
https://www.bleepingcomputer.com/news/security/exploit-published-for-unpatched-flaw-in-windows-task-scheduler/
US Government Takes Steps to Bolster CVE Program
The US government is taking steps to fix the Common Vulnerabilities and Exposures (CVE) system that's been plagued by various problems in recent years. [...]
https://www.bleepingcomputer.com/news/security/us-government-takes-steps-to-bolster-cve-program/
Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
After a security researcher revealed a vulnerability in Apache Struts, a piece of very popular enterprise software, last week, active exploitation attempts have started this week. [...]
https://www.bleepingcomputer.com/news/security/active-attacks-detected-using-apache-struts-vulnerability-cve-2018-11776/
Instagram Expands 2FA Support Following Recent Wave of Account Hacks
Instagram announced today plans to improve its two-factor authentication (2FA) mechanism by adding support for third-party authenticator apps. [...]
https://www.bleepingcomputer.com/news/security/instagram-expands-2fa-support-following-recent-wave-of-account-hacks/
Sticky Notes 3.0 Is Now Available for Windows Insiders
Microsoft has been teasing a major update for Sticky Notes app over the last few weeks and today you can download the update if you're a Skip Ahead ring Insider. The Sticky Notes 3.0 for Windows 10 comes with the dark theme, cross-device syncing and more. [...]
https://www.bleepingcomputer.com/news/microsoft/sticky-notes-30-is-now-available-for-windows-insiders/
You May Soon Be Able to Log Into Windows 10 Using a Google Account
According to a new project uploaded to the Chromium team's code review site, users may soon be able to log into Windows 10 using their Google G Suite accounts. This new feature uses a "Google Credential Provider" that will allow Windows to authenticate enterprise users against their company's G Suite account and possibly regular Go [...]
https://www.bleepingcomputer.com/news/google/you-may-soon-be-able-to-log-into-windows-10-using-a-google-account/
Data of 130 Million Chinese Hotel Chain Guests Sold on Dark Web Forum
A hacker is selling the personal details of over 130 million hotel guests for 8 Bitcoin ($56,000) on a Chinese Dark Web forum. [...]
https://www.bleepingcomputer.com/news/security/data-of-130-million-chinese-hotel-chain-guests-sold-on-dark-web-forum/
Beware of Fake "Shipping Docs" Malspam Pushing the DarkComet RAT
A new malspam campaign is underway that pretends to be shipping documents and contains an attachment that installs the DarkComet remote access Trojan. When DarkComet is installed, the malware has the ability to log your keystrokes, application usage, take screenshots, and more, which is then sent back to the malware developer. [...]
https://www.bleepingcomputer.com/news/security/beware-of-fake-shipping-docs-malspam-pushing-the-darkcomet-rat/
Critical Flaw Fixed in Packagist, PHP's Largest Package Repository
The maintainers of Packagist, the PHP ecosystem's largest package repository, have fixed a critical vulnerability on their official website that could have allowed an attacker to hijack their service. [...]
https://www.bleepingcomputer.com/news/security/critical-flaw-fixed-in-packagist-phps-largest-package-repository/
Stingray Devices May Interfere With 911 Emergency Calls
A popular vendor of cell-site simulators (also known as IMSI catchers or stingray devices) has told a US Senator that its equipment may interfere with 911 emergency calls. [...]
https://www.bleepingcomputer.com/news/government/stingray-devices-may-interfere-with-911-emergency-calls/
OpenSSH Versions Since 2011 Vulnerable to Oracle Attack
OpenSSH continues to be vulnerable to oracle attacks, and the issue affects all versions of the suite since September 2011. Developers fixed a similar bug less than a week ago. [...]
https://www.bleepingcomputer.com/news/security/openssh-versions-since-2011-vulnerable-to-oracle-attack/
Air Canada Mobile App Users Affected By Data Breach
Air Canada today informed 20,000 of its mobile app users that information listed under their profile may have been accessed without authorization. [...]
https://www.bleepingcomputer.com/news/security/air-canada-mobile-app-users-affected-by-data-breach/
Researchers Detail Two New Attacks on TPM Chips
Some PC owners may need to apply motherboard firmware updates in the near future to address two attacks on TPM chips detailed earlier this month by four researchers from the National Security Research Institute of South Korea. [...]
https://www.bleepingcomputer.com/news/security/researchers-detail-two-new-attacks-on-tpm-chips/
4-Year Old Misfortune Cookie Rears Its Head In Medical Gateway Device
Four years after its public disclosure, the Misfortune Cookie vulnerability continues to be a threat, this time affecting medical equipment that connects bedside devices to the hospital's network infrastructure. [...]
https://www.bleepingcomputer.com/news/security/4-year-old-misfortune-cookie-rears-its-head-in-medical-gateway-device/
Android Phones Expose Sensitive Data via Internal System Broadcasts
Internal system broadcasts happening inside the Android OS expose sensitive user and device details that apps installed on the phone can access without the user's knowledge or permission. [...]
https://www.bleepingcomputer.com/news/security/android-phones-expose-sensitive-data-via-internal-system-broadcasts/
Anonymous Catalonia Claims DDoS Attack On Bank of Spain Website
The website of Banco de España, the national central bank of Spain, was taken offline at the beginning of the week by a DDoS attack claimed by hacktivist group Anonymous Catalonia. [...]
https://www.bleepingcomputer.com/news/security/anonymous-catalonia-claims-ddos-attack-on-bank-of-spain-website/
Temporary Patch Available for Recent Windows Task Scheduler ALPC Zero-Day
Earlier this week a security researcher released exploit code for a Windows zero-day affecting the Task Scheduler ALPC interface. Today, cyber-security firm Acros Security published a temporary fix (called a micropatch) that prevents exploitation of that particular zero-day. [...]
https://www.bleepingcomputer.com/news/security/temporary-patch-available-for-recent-windows-task-scheduler-alpc-zero-day/
Unsophisticated Android Spyware Monitors Device Sensors
A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. [...]
https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/