ATENTION‼ New - CVE-2017-9704

In all android releases(Android for MSM, Firefox OS for MSM, QRD Android) from CAF using the linux kernel, There is no synchronization between msm_vb2 buffer operations which can lead to use after free.

📖 Read

via "National Vulnerability Database".

🕴 Hackers Bypass Gmail, Yahoo 2FA at Scale 🕴

A new Amnesty International report explains how cyberattackers are phishing second-factor authentication codes sent via SMS.

📖 Read

via "Dark Reading: ".

🕴 US Indicts 2 APT 10 Members for Years-Long Hacking Campaign 🕴

In an indictment unsealed this morning, the US ties China's state security agency to a widespread campaign of personal and corporate information theft.

📖 Read

via "Dark Reading: ".

🔐 Amazon sent private Alexa voice interactions from Echo smart speaker to the wrong customer 🔐

After one German user requested a copy of their Alexa voice history under the GDPR, he got another user's data in the process.

📖 Read

via "Security on TechRepublic".

⚠ Drones shut down major international airport ⚠

A drone operator has repeatedly flown two (UAVs close to the runway, grounding flights at the airport since last night.

📖 Read

via "Naked Security".

<b>&#9000; Feds Charge Three in Mass Seizure of Attack-for-hire Services &#9000;</b>

<code>Authorities in the United States this week brought criminal hacking charges against three men as part of an unprecedented, international takedown targeting 15 different “booter” or “stresser” sites — attack-for-hire services that helped paying customers launch tens of thousands of digital sieges capable of knocking Web sites and entire network providers offline.</code><code>Media</code><code>The seizure notice appearing on the homepage this week of more than a dozen popular “booter” or “stresser” DDoS-for-hire Web sites.</code><code>As of Thursday morning, a seizure notice featuring the seals of the U.S. Justice Department, FBI and other law enforcement agencies appeared on the booter sites, including:</code><code>anonsecurityteam[.]com
booter[.]ninja
bullstresser[.]net
critical-boot[.]com
defcon[.]pro
defianceprotocol[.]com
downthem[.]org
layer7-stresser[.]xyz
netstress[.]org
quantumnstress[.]net
ragebooter[.]com
request[.]rip
str3ssed[.]me
torsecurityteam[.]org
vbooter[.]org</code><code>Booter sites are dangerous because they help lower the barriers to cybercrime, allowing even complete novices to launch sophisticated and crippling attacks with the click of a button.</code><code>Cameron Schroeder, assistant U.S. attorney for the Central District of California, called this week’s action the largest simultaneous seizure of booter service domains ever.</code><code>“This is the biggest action U.S. law enforcement has taken against booter services, and we’re doing this in cooperation with a large number of industry and foreign law enforcement partners,” Schroeder said.</code><code>Booter services are typically advertised through variety of methods, including Dark Web forums, chat platforms and even youtube.com. They accept payment via PayPal, Google Wallet, and/or cryptocurrencies, and subscriptions can range in price from just a few dollars to several hundred per month. The services are priced according to the volume of traffic to be hurled at the target, the duration of each attack, and the number of concurrent attacks allowed.</code><code>Purveyors of stressers and booters claim they are not responsible for how customers use their services, and that they aren’t breaking the law because — like most security tools — stresser services can be used for good or bad purposes. For example, all of the above-mentioned booter sites contained wordy “terms of use” agreements that required customers to agree they will only stress-test their own networks — and that they won’t use the service to attack others.</code><code>But experts say today’s announcement shreds that virtual fig leaf, and marks several important strategic shifts in how authorities intend to prosecute booter service operators going forward.</code><code>“This action is predicated on the fact that running a booter service itself is illegal,” said Allison Nixon, director of security research at Flashpoint, a security firm based in New York City. “That’s a slightly different legal argument that has been made in the past against other booter owners.”</code><code>For one thing, the booter services targeted in this takedown advertised the ability to “resolve” or determine the true Internet address of a target. This is especially useful for customers seeking to harm targets whose real address is hidden behind mitigation services like Cloudflare (ironically, the same provider used by most of these booter services to withstand attacks by competing booter services).</code><code>Some resolvers also allowed customers to determine the Internet address of a target using nothing more than the target’s Skype username.</code><code>“You don’t need to use a Skype resolver just to attack yourself,” assistant U.S. Attorney Schroeder said. “Clearly, the people running these booter services know their services are being used not by people targeting their own infrastructure, and have built in capabilities that…

🕴 How to Optimize Security Spending While Reducing Risk 🕴

Risk scoring is a way of getting everyone on the same page with a consistent, reliable method of gathering and analyzing security data.

📖 Read

via "Dark Reading: ".

❌ U.S. Indicts China-Backed Duo for Massive, Years-Long Spy Campaign ❌

The homeland security implications are significant: the two, working with Beijing-backed APT10, allegedly stole sensitive data from orgs like the Navy and NASA.

📖 Read

via "Threatpost | The first stop for security news".

❌ Huawei Router Flaw Leaks Default Credential Status ❌

It makes it simple for attackers to find devices to take over and add to botnets.

📖 Read

via "Threatpost | The first stop for security news".

🔐 Russian infowar: A reminder your data is being bought and sold 🔐

Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.

📖 Read

via "Security on TechRepublic".

🔐 Russian infowar: A reminder your data is being bought and sold 🔐

Dan Patterson discusses the wake-up call provided by new reports for the Senate that detail Russia's pervasive interference in the 2016 presidential election.

📖 Read

via "Security on TechRepublic".

🕴 Attackers Use Scripting Flaw in Internet Explorer, Forcing Microsoft Patch 🕴

Microsoft issues an emergency update to its IE browser after researchers notified the company that a scripting engine flaw is being used to compromised systems.

📖 Read

via "Dark Reading: ".

🕴 Security 101: How Businesses and Schools Bridge the Talent Gap 🕴

Security experts share the skills companies are looking for, the skills students are learning, and how to best find talent you need.

📖 Read

via "Dark Reading: ".

⚠ Update now! Microsoft patches another zero-day flaw ⚠

Microsoft has released an emergency patch for a remote code execution (RCE) zero-day vulnerability in Internet Explorer’s Jscript scripting engine affecting all versions of Windows, including Windows 10.

📖 Read

via "Naked Security".

🕴 3 Reasons to Train Security Pros to Code 🕴

United Health chief security strategist explains the benefits the organization reaped when it made basic coding training a requirement for security staff.

📖 Read

via "Dark Reading: ".

ATENTION‼ New - CVE-2017-9732

The read_packet function in knc (Kerberised NetCat) before 1.11-1 is vulnerable to denial of service (memory exhaustion) that can be exploited remotely without authentication, possibly affecting another services running on the targeted host.

📖 Read

via "National Vulnerability Database".

⚠ Apple spams users with unwanted ‘Carpool Karaoke’ push notifications ⚠

It's U2 déjà vu: Apple's yet again shoving stuff at users without their say-so. This time, it's via the TV app, to some iOS users.

📖 Read

via "Naked Security".

⚠ Nagging text messages can help you to quit smoking ⚠

Does nicotine have you in its addictive grip? Chinese researchers have found that you might be helped with an SMS-based intervention.

📖 Read

via "Naked Security".

⚠ Fortnite hackers making a fortune from reselling stolen accounts ⚠

Teenage hackers have been making thousands of pounds selling stolen accounts for popular online game Fortnite, it emerged this week.

📖 Read

via "Naked Security".

🔐 A year after Spectre and Meltdown, how well do patches work? 🔐

Attempts to mitigate the landmark vulnerabilities have caused crashes, sudden reboots, and performance degradations. Here's the progress report on the Spectre and Meltdown solution.

📖 Read

via "Security on TechRepublic".

🔐 12 ways to stay cybersecure over the holidays 🔐

Unboxing a new device gift can be exciting, but you need to follow these steps to ensure you don't invite hackers in, according to Palo Alto Networks.

📖 Read

via "Security on TechRepublic".