❌ IDenticard Zero-Days Allow Corporate Building Access, Location Recon ❌
📖 Read
via "Threatpost | The first stop for security news".
Multiple hardcoded passwords allow attackers to create badges to gain building entry, access video surveillance feeds, manipulate databases and more.📖 Read
via "Threatpost | The first stop for security news".
Threat Post
IDenticard Zero-Days Allow Corporate Building Access, Location Recon
Multiple hardcoded passwords allow attackers to create badges to gain building entry, access video surveillance feeds, manipulate databases and more.
<b>⌨ “Stole $24 Million But Still Can’t Keep a Friend” ⌨</b>
<code>Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paints a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man — all the while lamenting that his fabulous new wealth brought him nothing but misery.</code><code>Media</code><code>The unflattering profile was laid out in a series of documents tied to a lawsuit lodged by Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018. Terpin also is pursuing a $200 million civil lawsuit against AT&T in connection with the theft.</code><code>Authorities arrested Truglia on November 14, 2018 on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a different Silicon Valley executive. But Terpin’s civil lawsuit (PDF) maintains that evidence was revealed at Truglia’s bail hearing that he had texted his father and multiple friends to brag about the $24 million hack on the day of Terpin’s theft, allegedly offering to take friends to the Super Bowl with “porn star escorts.”</code><code>Terpin’s lawsuit includes a large number of supporting documents, including an affidavit filed by Chris David, a 25-year-old New York City resident who claims to have been an acquaintance of Truglia’s until he began to unravel the source of his new friend’s overnight riches.</code><code>In his affidavit (PDF), David describes himself as a self-employed private jet broker who met Truglia in a fitness center attached to Truglia’s luxury apartment building. Truglia allegedly struck up a conversation about booking private jets with his cryptocurrency. When the two met again a few days later, David says Truglia showed him accounts on his mobile phone and computer indicating he had over $7 million in cash in a JP Morgan account and more than $12 million in various cryptocurrencies.</code><code>“At the same time, Nick showed me two thumb drives (Trezors),” David recounted. “One had over $40 million in cash value of various cryptos, and the other one had over $20 million cash value of various cryptos.”</code><code>David said Truglia initially explained his wealth by saying he’d made the money by mining cryptocurrencies, but that Truglia later would admit he stole the funds.</code><code>“Over the next few months, Nick and I socialized at nightclubs, local bars, the gym, and in his apartment playing video games,” David recounted. “Gradually, I got to know Nick. He does not have a job or visible means of support. His typical day is to get up late, go to the gym, eat at the deli across the street, play video games late into the night and he had no friends. Nick was an egotistical braggart about his life and wealth. For example, once at a crowded lounge, he said: ‘Chris, I have more money than all of the people here tonight.'”</code><code>David started documenting Truglia’s activities after he and several of his friends were arrested for allegedly stealing Truglia’s laptop, mobile phone and Trezor drive. That incident, recounted in this New York Post story and in David’s own testimony, indicates that Truglia later recanted the accusation and chalked it up to confusion resulting from a heavy night of drinking.</code><code>According to David, when Truglia wasn’t bragging about his wealth he was displaying it openly: He lived in a $6,000 per month apartment, wore a Rolex watch which he claimed cost $100,000, and boasted he was going to purchase…
<code>Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paints a chilling picture of a man addicted to thievery and all its trappings. The documents suggest that Truglia stole from his father and even a dead man — all the while lamenting that his fabulous new wealth brought him nothing but misery.</code><code>Media</code><code>The unflattering profile was laid out in a series of documents tied to a lawsuit lodged by Michael Terpin, a cryptocurrency investor who co-founded the first angel investor group for bitcoin enthusiasts in 2013. Terpin alleges that crooks stole almost $24 million worth of cryptocurrency after fraudulently executing a “SIM swap” on his mobile phone account at AT&T in early 2018. Terpin also is pursuing a $200 million civil lawsuit against AT&T in connection with the theft.</code><code>Authorities arrested Truglia on November 14, 2018 on suspicion of using SIM swaps to steal approximately $1 million worth of cryptocurrencies from a different Silicon Valley executive. But Terpin’s civil lawsuit (PDF) maintains that evidence was revealed at Truglia’s bail hearing that he had texted his father and multiple friends to brag about the $24 million hack on the day of Terpin’s theft, allegedly offering to take friends to the Super Bowl with “porn star escorts.”</code><code>Terpin’s lawsuit includes a large number of supporting documents, including an affidavit filed by Chris David, a 25-year-old New York City resident who claims to have been an acquaintance of Truglia’s until he began to unravel the source of his new friend’s overnight riches.</code><code>In his affidavit (PDF), David describes himself as a self-employed private jet broker who met Truglia in a fitness center attached to Truglia’s luxury apartment building. Truglia allegedly struck up a conversation about booking private jets with his cryptocurrency. When the two met again a few days later, David says Truglia showed him accounts on his mobile phone and computer indicating he had over $7 million in cash in a JP Morgan account and more than $12 million in various cryptocurrencies.</code><code>“At the same time, Nick showed me two thumb drives (Trezors),” David recounted. “One had over $40 million in cash value of various cryptos, and the other one had over $20 million cash value of various cryptos.”</code><code>David said Truglia initially explained his wealth by saying he’d made the money by mining cryptocurrencies, but that Truglia later would admit he stole the funds.</code><code>“Over the next few months, Nick and I socialized at nightclubs, local bars, the gym, and in his apartment playing video games,” David recounted. “Gradually, I got to know Nick. He does not have a job or visible means of support. His typical day is to get up late, go to the gym, eat at the deli across the street, play video games late into the night and he had no friends. Nick was an egotistical braggart about his life and wealth. For example, once at a crowded lounge, he said: ‘Chris, I have more money than all of the people here tonight.'”</code><code>David started documenting Truglia’s activities after he and several of his friends were arrested for allegedly stealing Truglia’s laptop, mobile phone and Trezor drive. That incident, recounted in this New York Post story and in David’s own testimony, indicates that Truglia later recanted the accusation and chalked it up to confusion resulting from a heavy night of drinking.</code><code>According to David, when Truglia wasn’t bragging about his wealth he was displaying it openly: He lived in a $6,000 per month apartment, wore a Rolex watch which he claimed cost $100,000, and boasted he was going to purchase…
🕴 Hijacking a PLC Using its Own Network Features 🕴
📖 Read
via "Dark Reading: ".
Researcher to show how attackers can exploit the built-in advanced connectivity functions in some Rockwell PLCs.📖 Read
via "Dark Reading: ".
Dark Reading
Hijacking a PLC Using its Own Network Features
Researcher to show how attackers can exploit the built-in advanced connectivity functions in some Rockwell PLCs.
ATENTION‼ New - CVE-2016-10738
📖 Read
via "National Vulnerability Database".
Zenbership v107 has CSRF via admin/cp-functions/event-add.php.📖 Read
via "National Vulnerability Database".
ATENTION‼ New - CVE-2016-10737
📖 Read
via "National Vulnerability Database".
Serendipity 2.0.4 has XSS via the serendipity_admin.php serendipity[body] parameter.📖 Read
via "National Vulnerability Database".
⚠ Police can’t compel biometric phone unlocking, rules judge ⚠
📖 Read
via "Naked Security".
The landmark decision asserts the same legal protection for biometrics that we're given for passcodes.📖 Read
via "Naked Security".
Naked Security
Feds can’t force you to unlock your phone with finger or face, says judge
The landmark decision asserts the same legal protection for biometrics that we’re given for passcodes.
⚠ Beware buying Fortnite’s V-Bucks, you could be funding organised crime ⚠
📖 Read
via "Naked Security".
Credit card thieves are laundering money by purchasing the in-game currency V-Bucks, then selling it back at a discount to players.📖 Read
via "Naked Security".
Naked Security
Beware buying Fortnite’s V-Bucks, you could be funding organised crime
Credit card thieves are laundering money by purchasing the in-game currency V-Bucks, then selling it back at a discount to players.
⚠ Intel patches another security flaw in SGX technology ⚠
📖 Read
via "Naked Security".
Of the six advisories Intel released last week, the most interesting is a flaw discovered in the company’s Software Guard Extensions (SGX).📖 Read
via "Naked Security".
Naked Security
Intel patches another security flaw in SGX technology
Of the six advisories Intel released last week, the most interesting is a flaw discovered in the company’s Software Guard Extensions (SGX).
⚠ Are you sure those WhatsApp messages are meant for you? ⚠
📖 Read
via "Naked Security".
Abby Fuller got a shock when she logged into WhatsApp using a new telephone number. She found someone else’s messages waiting for her.📖 Read
via "Naked Security".
Naked Security
Are you sure those WhatsApp messages are meant for you?
Abby Fuller got a shock when she logged into WhatsApp using a new telephone number. She found someone else’s messages waiting for her.
❌ VOIPO Database Exposes Millions of Texts, Call Logs ❌
📖 Read
via "Threatpost | The first stop for security news".
VOIPO acknowledged that a development server had been accidentally left publicly accessible, and took the server offline.📖 Read
via "Threatpost | The first stop for security news".
Threat Post
VOIPO Database Exposes Millions of Texts, Call Logs
VOIPO acknowledged that a development server had been accidentally left publicly accessible, and took the server offline.
❌ Magecart Returns with Advertising Library Tactic ❌
📖 Read
via "Threatpost | The first stop for security news".
The threat group also has a new subsidiary, Magecart Group 12.📖 Read
via "Threatpost | The first stop for security news".
Threat Post
Magecart Returns with Advertising Library Tactic
The threat group also has a new subsidiary, Magecart Group 12.
🔐 Top 10 app vulnerabilities: Unpatched plugins and extensions dominate 🔐
📖 Read
via "Security on TechRepublic".
Despite the existence of patches, the proliferation of unpatched installations are enticing targets for malicious actors, according to a WhiteHat report.📖 Read
via "Security on TechRepublic".
TechRepublic
Top 10 app vulnerabilities: Unpatched plugins and extensions dominate
Despite the existence of patches, the proliferation of unpatched installations are enticing targets for malicious actors, according to a WhiteHat report.
🕴 Triton/Trisis Attack Was More Widespread Than Publicly Known 🕴
📖 Read
via "Dark Reading: ".
Signs of the attack first showed up two months before it was identified as a cyberattack, but they were mistaken for a pure equipment failure by Schneider Electric, security expert reveals at S4x19.📖 Read
via "Dark Reading: ".
Darkreading
Triton/Trisis Attack Was More Widespread Than Publicly Known
Signs of the attack first showed up two months before it was identified as a cyberattack, but they were mistaken for a pure equipment failure by Schneider Electric, security expert reveals at S4x19.
ATENTION‼ New - CVE-2016-9651 (chrome, enterprise_linux_desktop, enterprise_linux_server, enterprise_linux_workstation)
📖 Read
via "National Vulnerability Database".
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.📖 Read
via "National Vulnerability Database".
❌ Fortnite Hacked Via Insecure Single Sign-On ❌
📖 Read
via "Threatpost | The first stop for security news".
Leaky Fortnite single sign-on mechanism could have allowed hackers to access game accounts.📖 Read
via "Threatpost | The first stop for security news".
Threat Post
Fortnite Hacked Via Insecure Single Sign-On
Leaky Fortnite single sign-on mechanism could have allowed hackers to access game accounts.
🕴 Are You Listening to Your Kill Chain? 🕴
📖 Read
via "Dark Reading: ".
With the right tools and trained staff, any organization should be able to deal with threats before information is compromised.📖 Read
via "Dark Reading: ".
Darkreading
Are You Listening to Your Kill Chain?
With the right tools and trained staff, any organization should be able to deal with threats before information is compromised.
❌ U.S. Issues Multiple Charges For 2016 SEC Hack ❌
📖 Read
via "Threatpost | The first stop for security news".
The two were able to hack into the SEC's computer systems due to phishing attacks that stole credentials and spread malware.📖 Read
via "Threatpost | The first stop for security news".
Threat Post
U.S. Issues Multiple Charges For 2016 SEC Hack
The two were able to hack into the SEC's computer systems due to phishing attacks that stole credentials and spread malware.
🔐 To stay competitive, MSSPs need to grow and evolve 🔐
📖 Read
via "Security on TechRepublic".
Managed Security Service Providers can alleviate many of the headaches suffered by in-house security, but they need to remain nimble and focused to retain their edge.📖 Read
via "Security on TechRepublic".
TechRepublic
To stay competitive, MSSPs need to grow and evolve
Managed Security Service Providers can alleviate many of the headaches suffered by in-house security, but they need to remain nimble and focused to retain their edge.
🕴 Fortnite Players at Risk Via Epic Games Vulnerability 🕴
📖 Read
via "Dark Reading: ".
Bugs in Epic Games' platform could let intruders take over players' accounts, view personal data, and/or buy in-game currency.📖 Read
via "Dark Reading: ".
Darkreading
Fortnite Players Compromised Via Epic Games Vulnerability
Bugs in Epic Games' platform could let intruders take over players' accounts, view personal data, and/or buy in-game currency.
ATENTION‼ New - CVE-2015-9280
📖 Read
via "National Vulnerability Database".
MailEnable before 8.60 allows XXE via an XML document in the request.aspx Options parameter.📖 Read
via "National Vulnerability Database".
ATENTION‼ New - CVE-2015-9279
📖 Read
via "National Vulnerability Database".
MailEnable before 8.60 allows Stored XSS via malformed use of "<img/src" with no ">" character in the body of an e-mail message.📖 Read
via "National Vulnerability Database".