π΄ Redefining Critical Infrastructure for the Age of Disinformation π΄
π Read
via "Dark Reading: ".
In an era of tighter privacy laws, it's important to create an online environment that uses threat intelligence productively to defeat disinformation campaigns and bolster democracy.π Read
via "Dark Reading: ".
Darkreading
Redefining Critical Infrastructure for the Age of Disinformation
In an era of tighter privacy laws, it's important to create an online environment that uses threat intelligence productively to defeat disinformation campaigns and bolster democracy.
β Snowdenβs Attorney Talks Govt Harrassment of Whistleblower Helpers (Part One) β
π Read
via "Threatpost | The first stop for security news".
Robert Tibbo discusses the challenges he and his clients face in Hong Kong as the government there targets both in a harassment campaign for aiding Edward Snowden.π Read
via "Threatpost | The first stop for security news".
Threat Post
Snowdenβs Attorney Talks Govt Harrassment of Whistleblower Helpers (Part One)
Robert Tibbo discusses the challenges he and his clients face in Hong Kong as the government there targets both in a harassment campaign for aiding Edward Snowden.
π΄ Town of Salem Game Breached, 7.6M Players Affected π΄
π Read
via "Dark Reading: ".
BlankMediaGames disclosed a data breach that affects millions using the browser-based role-playing game.π Read
via "Dark Reading: ".
Darkreading
Town of Salem Game Breached, 7.6M Players Affected
BlankMediaGames disclosed a data breach that affects millions using the browser-based role-playing game.
π Second-gen facial recognition tech aims to improve biometric security π
π Read
via "Security on TechRepublic".
Facial recognition technology is getting a second look from solutions vendors, though legal frameworks for how biometrics are used are out of date.π Read
via "Security on TechRepublic".
TechRepublic
Second-gen facial recognition tech aims to improve biometric security
Facial recognition technology is getting a second look from solutions vendors, though legal frameworks for how biometrics are used are out of date.
ATENTIONβΌ New - CVE-2017-18330
π Read
via "National Vulnerability Database".
Buffer overflow in AES-CCM and AES-GCM encryption via initialization vector in snapdragon automobile, snapdragon mobile and snapdragon wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18329
π Read
via "National Vulnerability Database".
Possible Buffer overflow when transmitting an RTP packet in snapdragon automobile and snapdragon wear in versions MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 810, SD 820, SD 835, SD 845 / SD 850, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016, SXR1130π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18328
π Read
via "National Vulnerability Database".
Use after free in QSH client rule processing in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 425, SD 427, SD 430, SD 435, SD 450, SD 625, SD 636, SD 820, SD 835, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18327
π Read
via "National Vulnerability Database".
Security keys are logged when any WCDMA call is configured or reconfigured in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9607, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 425, SD 430, SD 450, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18326
π Read
via "National Vulnerability Database".
Cryptographic keys are printed in modem debug messages in snapdragon mobile and snapdragon wear in versions MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 636, SD 650/52, SD 800, SD 810, SD 820, SD 835, SDA660, SDM630, SDM660, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18324
π Read
via "National Vulnerability Database".
Cryptographic key material leaked in debug messages - GERAN in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, SD 855, SDX24, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18323
π Read
via "National Vulnerability Database".
Cryptographic key material leaked in TDSCDMA RRC debug messages in snapdragon automobile, snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 712 / SD 710 / SD 670, SD 820, SD 820A, SD 835, SD 845 / SD 850, SDA660, SDX20, SXR1130.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18322
π Read
via "National Vulnerability Database".
Cryptographic key material leaked in WCDMA debug messages in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9640, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18321
π Read
via "National Vulnerability Database".
Security keys used by the terminal and NW for a session could be leaked in snapdragon mobile in versions MDM9650, MDM9655, SD 835, SDA660.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18320
π Read
via "National Vulnerability Database".
QSEE unload attempt on a 3rd party TEE without previously loading results in a data abort in snapdragon automobile and snapdragon mobile in versions MSM8996AU, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 712 / SD 710 / SD 670, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016, SXR1130.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18319
π Read
via "National Vulnerability Database".
Information leak in UIM API debug messages in snapdragon mobile and snapdragon wear in versions MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MDM9645, MDM9650, MDM9655, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 625, SD 650/52, SD 800, SD 810, SD 820, SD 835, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-18141
π Read
via "National Vulnerability Database".
When a 3rd party TEE has been loaded it is possible for the non-secure world to create a secure monitor call which will give it access to privileged functions meant to only be accessible from the TEE in Snapdragon Automobile, Snapdragon Mobile and Snapdragon Wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
ATENTIONβΌ New - CVE-2017-11004
π Read
via "National Vulnerability Database".
A non-secure user may be able to access certain registers in snapdragon automobile, snapdragon mobile and snapdragon wear in versions IPQ8074, MDM9206, MDM9607, MDM9635M, MDM9650, MDM9655, MSM8996AU, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 650/52, SD 810, SD 820, SD 820A, SD 835, SDA660, SDM439, SDM630, SDM660, SDX24, Snapdragon_High_Med_2016.π Read
via "National Vulnerability Database".
β MobSTSPY Info-Stealing Trojan Goes Global Via Google Play β
π Read
via "Threatpost | The first stop for security news".
Across six apps, the spyware managed to spread to 196 different countries.π Read
via "Threatpost | The first stop for security news".
Threat Post
MobSTSPY Info-Stealing Trojan Goes Global Via Google Play
Across six apps, the spyware managed to spread to 196 different countries.
β Dual Data Leaks of Blur, Town of Salem Impact Millions β
π Read
via "Threatpost | The first stop for security news".
Password-manager Blur and role-playing game Town of Salem both disclosed data breaches this week that impacted a combined 10 million.π Read
via "Threatpost | The first stop for security news".
Threat Post
Dual Data Leaks of Blur, Town of Salem Impact Millions
Password-manager Blur and role-playing game Town of Salem both disclosed data breaches this week that impacted a combined 10 million.
π Ohio law creates cybersecurity 'safe harbor' for businesses π
π Read
via "Security on TechRepublic".
Businesses showing good faith by modeling their cybersecurity after an approved framework will have legal protection under Ohio's Data Protection Act.π Read
via "Security on TechRepublic".
TechRepublic
Ohio law creates cybersecurity 'safe harbor' for businesses
Businesses showing good faith by modeling their cybersecurity after an approved framework will have legal protection under Ohio's Data Protection Act.
<b>⌨ Apple Phone Phishing Scams Getting Better ⌨</b>
<code>A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that displayβs Appleβs logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Appleβs legitimate customer support Web page, the fake call gets indexed in the iPhoneβs βrecent callsβ list as a previous call from the legitimate Apple Support line.</code><code>Jody Westby is the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didnβt answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.</code><code>Hereβs what her iPhone displayed about the identity of the caller when they first tried her number at 4:34 p.m. on Jan. 2, 2019:</code><code>Media</code><code>What Westbyβs iPhone displayed as the scam callerβs identity. Note that it lists the correct Apple phone number, street address and Web address (minus the https://).</code><code>Note in the above screen shot that it lists Appleβs actual street address, their real customer support number, and the real Apple.com domain (albeit without the βsβ at the end of βhttp://β). The same caller ID information showed up when she answered the scammersβ call this morning.</code><code>Westby said she immediately went to the Apple.com support page (https://www.support.apple.com) and requested to have a customer support person call her back. The page displayed a βcase IDβ to track her inquiry, and just a few minutes later someone from the real Apple Inc. called her and referenced that case ID number at the start of the call.</code><code>Westby said the Apple agent told her that Apple had not contacted her, that the call was almost certainly a scam, and that Apple would never do that β all of which she already knew. But when Westby looked at her iPhoneβs recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple:</code><code>Media</code><code>The fake call spoofing Apple β at 11:44 a.m. β was lumped in the same recent calls list as the legitimate call from Apple. The call at 11:47 was the legitimate call from Apple. The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.</code><code>The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.</code><code>βI told the Apple representative that they ought to be telling people about this, and he said that was a good point,β Westby said. βThis was so convincing Iβd think a lot of other people will be falling for it.β</code><code>KrebsOnSecurity called the number that the scam message asked Westby to contact (866-277-7794). An automated system answered and said Iβd reached Apple Support, and that my expected wait time was about one minute and thirty seconds. About a minute later, a man with an Indian accent answered and inquired as to the reason for my call.</code><code>Playing the part of someone who had received the scam call, I told him Iβd been alerted about a breach at Apple and that I needed to call this number. After asking me to hold for a brief moment, our call was disconnected.</code><code>No doubt this is just another scheme to separate the unwary from their personal and financial details, and to extract some kind of payment (for supposed tech support services or some such). But it is remarkable that Appleβs own devices (or AT&T, which sold her the phone) canβt tell the difference between a call from Appleβ¦
<code>A new phone-based phishing scam that spoofs Apple Inc. is likely to fool quite a few people. It starts with an automated call that displayβs Appleβs logo, address and real phone number, warning about a data breach at the company. The scary part is that if the recipient is an iPhone user who then requests a call back from Appleβs legitimate customer support Web page, the fake call gets indexed in the iPhoneβs βrecent callsβ list as a previous call from the legitimate Apple Support line.</code><code>Jody Westby is the CEO of Global Cyber Risk LLC, a security consulting firm based in Washington, D.C. Westby said earlier today she received an automated call on her iPhone warning that multiple servers containing Apple user IDs had been compromised (the same scammers had called her at 4:34 p.m. the day before, but she didnβt answer that call). The message said she needed to call a 1-866 number before doing anything else with her phone.</code><code>Hereβs what her iPhone displayed about the identity of the caller when they first tried her number at 4:34 p.m. on Jan. 2, 2019:</code><code>Media</code><code>What Westbyβs iPhone displayed as the scam callerβs identity. Note that it lists the correct Apple phone number, street address and Web address (minus the https://).</code><code>Note in the above screen shot that it lists Appleβs actual street address, their real customer support number, and the real Apple.com domain (albeit without the βsβ at the end of βhttp://β). The same caller ID information showed up when she answered the scammersβ call this morning.</code><code>Westby said she immediately went to the Apple.com support page (https://www.support.apple.com) and requested to have a customer support person call her back. The page displayed a βcase IDβ to track her inquiry, and just a few minutes later someone from the real Apple Inc. called her and referenced that case ID number at the start of the call.</code><code>Westby said the Apple agent told her that Apple had not contacted her, that the call was almost certainly a scam, and that Apple would never do that β all of which she already knew. But when Westby looked at her iPhoneβs recent calls list, she saw the legitimate call from Apple had been lumped together with the scam call that spoofed Apple:</code><code>Media</code><code>The fake call spoofing Apple β at 11:44 a.m. β was lumped in the same recent calls list as the legitimate call from Apple. The call at 11:47 was the legitimate call from Apple. The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.</code><code>The call listed at 11:51 a.m. was the result of Westby accidentally returning the call from the scammers, which she immediately disconnected.</code><code>βI told the Apple representative that they ought to be telling people about this, and he said that was a good point,β Westby said. βThis was so convincing Iβd think a lot of other people will be falling for it.β</code><code>KrebsOnSecurity called the number that the scam message asked Westby to contact (866-277-7794). An automated system answered and said Iβd reached Apple Support, and that my expected wait time was about one minute and thirty seconds. About a minute later, a man with an Indian accent answered and inquired as to the reason for my call.</code><code>Playing the part of someone who had received the scam call, I told him Iβd been alerted about a breach at Apple and that I needed to call this number. After asking me to hold for a brief moment, our call was disconnected.</code><code>No doubt this is just another scheme to separate the unwary from their personal and financial details, and to extract some kind of payment (for supposed tech support services or some such). But it is remarkable that Appleβs own devices (or AT&T, which sold her the phone) canβt tell the difference between a call from Appleβ¦
Apple
Official Apple Support
Learn more about popular features and topics, and find resources that will help you with all of your Apple products.