🛡 Cybersecurity & Privacy 🛡 - News
25.9K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
⚠ WhatsApp fights the spread of deadly fake news with recipient limit ⚠

WhatsApp has capped the number of people you can forward messages to, after India was seized by rumour-inspired mob lynchings.

📖 Read

via "Naked Security".
⚠ DNC targeted by Russian hackers beyond 2018 midterms, it claims ⚠

The Democratic National Committee has filed a civil complaint accusing Russia of trying to hack its computers as recently as November 2018.

📖 Read

via "Naked Security".
⚠ Bicycle-riding hitman convicted with Garmin GPS watch location data ⚠

Location data extracted from the athletic hitman's Garmin GPS watch and TomTom sat nav led to his conviction in two gangland murders.

📖 Read

via "Naked Security".
⚠ Rogue websites can turn vulnerable browser extensions into back doors ⚠

A researcher has found that websites can use some extensions to bypass security policies, execute code, and even install other extensions.

📖 Read

via "Naked Security".
πŸ” Rushing to patch? Here's how to prioritize your security efforts πŸ”

When addressing security vulnerabilities, enterprises should focus on those with publicly available exploit code, according to a Kenna Security report.

📖 Read

via "Security on TechRepublic".
❌ Adobe Issues Unscheduled Updates for Experience Manager Platform ❌

The patches are part of Adobe's second unscheduled update this month.

📖 Read

via "Threatpost | The first stop for security news".
🕴 How Cybercriminals Clean Their Dirty Money 🕴

By using a combination of new cryptocurrencies and peer-to-peer marketplaces, cybercriminals are laundering up to an estimated $200 billion in ill-gotten gains a year. And that's just the beginning.

📖 Read

via "Dark Reading".
🔍 Hackers turn to data theft and resale on the Dark Web for higher payouts 🔍

Selling personal information and compromised accounts of popular Instagram users has become more lucrative than ransomware and cryptojacking campaigns.

📖 Read

via "Security on TechRepublic".
❌ Google Fined $57M in Largest GDPR Slap Yet ❌

The French Data Protection Authority (DPA) found a lack of transparency when it comes to how Google harvests and uses personal data for ad-targeting purposes.

📖 Read

via "Threatpost | The first stop for security news".
ATTENTION‼ New - CVE-2017-6923

In Drupal 8.x prior to 8.3.7, when creating a view, you can optionally use Ajax to update the displayed data via filter parameters. The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax. This is mitigated if you have access restrictions on the view. It is best practice to always include some form of access restrictions on all views, even if you are using another module to display them.

📖 Read

via "National Vulnerability Database".
ATTENTION‼ New - CVE-2017-6922

In Drupal core 8.x prior to 8.3.4 and Drupal core 7.x prior to 7.56, private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users. Drupal core did not previously provide this protection, allowing an access bypass vulnerability to occur. This issue is mitigated by the fact that in order to be affected, the site must allow anonymous users to upload files into a private file system.

📖 Read

via "National Vulnerability Database".
🕴 Google Hit With $57 Million GDPR Fine in France 🕴

The fine represents the first major penalty for a US technology company under the new European regulations.

📖 Read

via "Dark Reading".
❌ How Web Apps Can Turn Browser Extensions Into Backdoors ❌

Researchers show how rogue web applications can be used to attack vulnerable browser extensions in a hack that gives adversaries access to private user data.

📖 Read

via "Threatpost | The first stop for security news".
🕴 Real-World Threats That Trump Spectre & Meltdown 🕴

New side-channel attacks are getting lots of attention, but other, more serious threats should top your list.

📖 Read

via "Dark Reading".
🕴 The Fact and Fiction of Homomorphic Encryption 🕴

The approach's promise continues to entice cryptographers and academics. But don't expect it to help in the real world anytime soon.

📖 Read

via "Dark Reading".
🕴 Security Talent Continues to Fetch Top Dollar on IT Job Market 🕴

IT and cybersecurity positions continue to rank near the top of the salary ranges paid to IT professionals, according to a new survey.

📖 Read

via "Dark Reading".
🕴 Hack of Plug-in Website Ruffles WordPress Community 🕴

An intruder thought to be a former employee used a backdoor into the WPML website to skim email addresses and send a mass email blast.

📖 Read

via "Dark Reading".
🕴 Stealthy New DDoS Attacks Target Internet Service Providers 🕴

Adversaries took advantage of the large attack surface of large communications networks to spread small volumes of junk traffic across hundreds of IP prefixes in Q3 2018, Nexusguard says.

📖 Read

via "Dark Reading".
⌨ Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com ⌨

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies.

That’s according to Ron Guilmette, a dogged anti-spam researcher who has made a living suing spammers and helping law enforcement officials apprehend online scammers. Researching the history and reputation of more than 5,000 Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about spammers hijacking some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping…
⚠ Hijacked Nest cam broadcasts bogus warning about incoming missiles ⚠

A hacked Nest camera broadcast the fake warning about incoming North Korean missiles, sending a family into “five minutes of sheer terror.”

📖 Read

via "Naked Security".
⚠ Google fined $57m for data protection violations ⚠

In a landmark ruling, France’s data protection commissioner has fined Google 50 million Euros (around $57m) for violating Europe’s privacy laws.

📖 Read

via "Naked Security".