β Amazon Sends 1,700 Alexa Voice Recordings to a Random Person β
π Read
via "Threatpost | The first stop for security news".
The intimate recordings paint a detailed picture of a man's life.π Read
via "Threatpost | The first stop for security news".
Threat Post
Amazon Sends 1,700 Alexa Voice Recordings to a Random Person
The intimate recordings paint a detailed picture of a man's life.
π΄ Automating a DevOps-Friendly Security Policy π΄
π Read
via "Dark Reading: ".
There can be a clash of missions between security and IT Ops teams, but automation can help.π Read
via "Dark Reading: ".
Dark Reading
Automating a DevOps-Friendly Security Policy
There can be a clash of missions between security and IT Ops teams, but automation can help.
π 3 ways to protect your employees' inboxes from phishing threats π
π Read
via "Security on TechRepublic".
Some 42% of companies say employees have fallen victim to a phishing attack, according to EdgeWave. Here's how to keep them safe.π Read
via "Security on TechRepublic".
TechRepublic
3 ways to protect your employees' inboxes from phishing threats
Some 42% of companies say employees have fallen victim to a phishing attack, according to EdgeWave. Here's how to keep them safe.
π΄ 2018 In the Rearview Mirror π΄
π Read
via "Dark Reading: ".
Among this year's biggest news stories: epic hardware vulnerabilities, a more lethal form of DDoS attack, Olympic 'false flags,' hijacked home routers, fileless malware - and a new world's record for data breaches.π Read
via "Dark Reading: ".
Dark Reading
2018 In the Rearview Mirror
Among this year's biggest news stories: epic hardware vulnerabilities, a more lethal form of DDoS attack, Olympic 'false flags,' hijacked home routers, fileless malware - and a new world's record for data breaches.
ATENTIONβΌ New - CVE-2017-9704
π Read
via "National Vulnerability Database".
In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, There is no synchronization between msm_vb2 buffer operations which can lead to use after free.π Read
via "National Vulnerability Database".
π΄ Hackers Bypass Gmail, Yahoo 2FA at Scale π΄
π Read
via "Dark Reading: ".
A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS.π Read
via "Dark Reading: ".
Darkreading
Hackers Bypass Gmail, Yahoo 2FA at Scale
A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS.
π΄ US Indicts 2 APT 10 Members for Years-Long Hacking Campaign π΄
π Read
via "Dark Reading: ".
In an indictment unsealed this morning, the US ties China's state security agency to a widespread campaign of personal and corporate information theft.π Read
via "Dark Reading: ".
Darkreading
US Indicts 2 APT10 Members for Years-Long Hacking Campaign
In an indictment unsealed this morning, the US ties China's state security agency to a widespread campaign of personal and corporate information theft.
π Amazon sent private Alexa voice interactions from Echo smart speaker to the wrong customer π
π Read
via "Security on TechRepublic".
After one German user requested a copy of their Alexa voice history under the GDPR, he got another user's data in the process.π Read
via "Security on TechRepublic".
TechRepublic
Amazon sent private Alexa voice interactions from Echo smart speaker to the wrong customer
After one German user requested a copy of their Alexa voice history under the GDPR, he got another user's data in the process.
β Drones shut down major international airport β
π Read
via "Naked Security".
A drone operator has repeatedly flown two (UAVs close to the runway, grounding flights at the airport since last night.π Read
via "Naked Security".
Naked Security
Drones shut down major international airport
A drone operator has repeatedly flown two (UAVs close to the runway, grounding flights at the airport since last night.
<b>⌨ Feds Charge Three in Mass Seizure of Attack-for-hire Services ⌨</b>
<code>Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different βbooterβ or βstresserβ sites β attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.</code><code>Media</code><code>The seizure notice appearing on the homepage this week of more than a dozen popular βbooterβ or βstresserβ DDoS-for-hire Web sites.</code><code>As of Thursday morning, a seizure notice featuring the seals of the U.S. Justice Department, FBI and other law enforcement agencies appeared on the booter sites, including:</code><code>anonsecurityteam[.]com
booter[.]ninja
bullstresser[.]net
critical-boot[.]com
defcon[.]pro
defianceprotocol[.]com
downthem[.]org
layer7-stresser[.]xyz
netstress[.]org
quantumnstress[.]net
ragebooter[.]com
request[.]rip
str3ssed[.]me
torsecurityteam[.]org
vbooter[.]org</code><code>Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.</code><code>Cameron Schroeder, assistant U.S. attorney for the Central District of California, called this weekβs action the largest simultaneous seizure of booter service domains ever.</code><code>βThis is the biggest action U.S. law enforcement has taken against booter services, and weβre doing this in cooperation with a large number of industry and foreign law enforcement partners,β Schroeder said.</code><code>Booter services are typically advertised through variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.</code><code>Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they arenβt breaking the law because β like most security tools β stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy βterms of useβ agreements that required customers to agree they will only stress-test their own networks β and that they wonβt use the service to attack others.</code><code>But experts say todayβs announcement shreds that virtual fig leaf, and marks several important strategic shifts in how authorities intend to prosecute booter service operators going forward.</code><code>βThis action is predicated on the fact that running a booter service itself is illegal,β said Allison Nixon, director of security research at Flashpoint, a security firm based in New York City. βThatβs a slightly different legal argument that has been made in the past against other booter owners.β</code><code>For one thing, the booter services targeted in this takedown advertised the ability to βresolveβ or determine the true Internet address of a target. This is especially useful for customers seeking to harm targets whose real address is hidden behind mitigation services like Cloudflare (ironically, the same provider used by most of these booter services to withstand attacks by competing booter services).</code><code>Some resolvers also allowed customers to determine the Internet address of a target using nothing more than the targetβs Skype username.</code><code>βYou donβt need to use a Skype resolver just to attack yourself,β assistant U.S. Attorney Schroeder said. βClearly, the people running these booter services know their services are being used not by people targeting their own infrastructure, and have built in capabilities thatβ¦
<code>Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different βbooterβ or βstresserβ sites β attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.</code><code>Media</code><code>The seizure notice appearing on the homepage this week of more than a dozen popular βbooterβ or βstresserβ DDoS-for-hire Web sites.</code><code>As of Thursday morning, a seizure notice featuring the seals of the U.S. Justice Department, FBI and other law enforcement agencies appeared on the booter sites, including:</code><code>anonsecurityteam[.]com
booter[.]ninja
bullstresser[.]net
critical-boot[.]com
defcon[.]pro
defianceprotocol[.]com
downthem[.]org
layer7-stresser[.]xyz
netstress[.]org
quantumnstress[.]net
ragebooter[.]com
request[.]rip
str3ssed[.]me
torsecurityteam[.]org
vbooter[.]org</code><code>Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.</code><code>Cameron Schroeder, assistant U.S. attorney for the Central District of California, called this weekβs action the largest simultaneous seizure of booter service domains ever.</code><code>βThis is the biggest action U.S. law enforcement has taken against booter services, and weβre doing this in cooperation with a large number of industry and foreign law enforcement partners,β Schroeder said.</code><code>Booter services are typically advertised through variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.</code><code>Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they arenβt breaking the law because β like most security tools β stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy βterms of useβ agreements that required customers to agree they will only stress-test their own networks β and that they wonβt use the service to attack others.</code><code>But experts say todayβs announcement shreds that virtual fig leaf, and marks several important strategic shifts in how authorities intend to prosecute booter service operators going forward.</code><code>βThis action is predicated on the fact that running a booter service itself is illegal,β said Allison Nixon, director of security research at Flashpoint, a security firm based in New York City. βThatβs a slightly different legal argument that has been made in the past against other booter owners.β</code><code>For one thing, the booter services targeted in this takedown advertised the ability to βresolveβ or determine the true Internet address of a target. This is especially useful for customers seeking to harm targets whose real address is hidden behind mitigation services like Cloudflare (ironically, the same provider used by most of these booter services to withstand attacks by competing booter services).</code><code>Some resolvers also allowed customers to determine the Internet address of a target using nothing more than the targetβs Skype username.</code><code>βYou donβt need to use a Skype resolver just to attack yourself,β assistant U.S. Attorney Schroeder said. βClearly, the people running these booter services know their services are being used not by people targeting their own infrastructure, and have built in capabilities thatβ¦
π΄ How to Optimize Security Spending While Reducing Risk π΄
π Read
via "Dark Reading: ".
Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.π Read
via "Dark Reading: ".
Darkreading
How to Optimize Security Spending While Reducing Risk
Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.
β U.S. Indicts China-Backed Duo for Massive, Years-Long Spy Campaign β
π Read
via "Threatpost | The first stop for security news".
The homeland security implications are significant: the two, working with Beijing-backed APT10, allegedly stole sensitive data from orgs like the Navy and NASA.π Read
via "Threatpost | The first stop for security news".
Threat Post
U.S. Indicts China-Backed Duo for Massive, Years-Long Spy Campaign
The Chinese duo, working with APT10, stole sensitive data from orgs like the Navy and NASA.
β Huawei Router Flaw Leaks Default Credential Status β
π Read
via "Threatpost | The first stop for security news".
It makes it simple for attackers to find devices to take over and add to botnets.π Read
via "Threatpost | The first stop for security news".
Threat Post
Huawei Router Flaw Leaks Default Credential Status
It makes it simple for attackers to find devices to take over and add to botnets.
π Russian infowar: A reminder your data is being bought and sold π
π Read
via "Security on TechRepublic".
Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.π Read
via "Security on TechRepublic".
TechRepublic
Russian infowar: A reminder your data is being bought and sold
Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.
π Russian infowar: A reminder your data is being bought and sold π
π Read
via "Security on TechRepublic".
Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.π Read
via "Security on TechRepublic".
TechRepublic
Russian infowar: A reminder your data is being bought and sold
Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.
π΄ Attackers Use Scripting Flaw in Internet Explorer, Forcing Microsoft Patch π΄
π Read
via "Dark Reading: ".
Microsoft issues an emergency update to its IE browser after researchers notified the company that a scripting engine flaw is being used to compromised systems.π Read
via "Dark Reading: ".
Dark Reading
Vulnerabilities & Threats recent news | Dark Reading
Explore the latest news and expert commentary on Vulnerabilities & Threats, brought to you by the editors of Dark Reading
π΄ Security 101: How Businesses and Schools Bridge the Talent Gap π΄
π Read
via "Dark Reading: ".
Security experts share the skills companies are looking for, the skills students are learning, and how to best find talent you need.π Read
via "Dark Reading: ".
Dark Reading
Security 101: How Businesses and Schools Bridge the Talent Gap
Security experts share the skills companies are looking for, the skills students are learning, and how to best find talent you need.
β Update now! Microsoft patches another zero-day flaw β
π Read
via "Naked Security".
Microsoft has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorerβs Jscript scripting engine affecting all versions of Windows, including Windows 10.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ 3 Reasons to Train Security Pros to Code π΄
π Read
via "Dark Reading: ".
United Health chief security strategist explains the benefits the organization reaped when it made basic coding training a requirement for security staff.π Read
via "Dark Reading: ".
Dark Reading
3 Reasons to Train Security Pros to Code
United Health chief security strategist explains the benefits the organization reaped when it made basic coding training a requirement for security staff.
ATENTIONβΌ New - CVE-2017-9732
π Read
via "National Vulnerability Database".
The read_packet function in knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host.π Read
via "National Vulnerability Database".
β Apple spams users with unwanted βCarpool Karaokeβ push notifications β
π Read
via "Naked Security".
It's U2 dΓ©jΓ vu: Apple's yet again shoving stuff at users without their say-so. This time, it's via the TV app, to some iOS users.π Read
via "Naked Security".
Naked Security
Apple spams users with unwanted βCarpool Karaokeβ push notifications
Itβs U2 dΓ©jΓ vu: Appleβs yet again shoving stuff at users without their say-so. This time, itβs via the TV app, to some iOS users.