⭐Google recommends Android developers to encrypt app data on the users' devices, especially when they use external storage that's prone to hijacking, man-in-the-disk, & other side-channel attacks.

Also, considering that there are not many reference frameworks available for the same, Google also offered an open-source crypto library—called JetSec—that lets developers easily read and write encrypted files by following best security practices.

Read details ➤ https://thehackernews.com/2020/02/android-app-data-encryption.html

Researchers uncover a new 📡 LTE network security vulnerability that could let attackers impersonate Android and iOS users on the 📶 4G networks.

Dubbed 'IMP4GT,' this new LTE attack could let remote attackers forge any traffic to the Internet with an identity (IP address) associated with the victims.

Read details ➤ https://thehackernews.com/2020/02/lte-network-4g-vulnerability.html

🔥 Kr00k Attack </>

New Wi-Fi chip-based #encryption flaw affects over a billion devices—including phones, laptops, routers, IoTs—that could let hackers decrypt packets transmitted by vulnerable devices without knowing WiFi password or connecting to it.

https://thehackernews.com/2020/02/kr00k-wifi-encryption-flaw.html

⭐ Milestone! Let's Encrypt has issued a BILLION free SSL certificates since its launch in 2015

Read here ➤ https://thehackernews.com/2020/02/lets-encrypt-ssl-certificate.html

Meanwhile, Apple also takes a significant step forward by limiting the maximum lifetime for TLS certs on its devices & Safari browser to 398 days

🐱 GhostCat ~ A new high risk 'file read/inclusion' vulnerability (CVE-2020-1938) affects all versions of the 'Apache Tomcat' (9.x/8.x/7.x/6.x) released in the past 13 years.

Read details: https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html

Web admins should patch it immediately, as several proof-of-concept (PoC) exploits have been posted online.

Weekly Roundup : In Case You Missed Any Important Story!

➤ Microsoft Antivirus for Linux
https://bit.ly/32AaKeu

➤ OpenSMTPD / OpenBSD Bug
https://bit.ly/2vpKffq

➤ Chrome 0-Day Attacks
https://bit.ly/2VEB7OG

➤ Firefox DoH by Default
https://bit.ly/2T8apN0

➤ Mobile 4G Network Bug
https://bit.ly/2vi2dRh

➤ Wi-Fi Encryption Bug
https://bit.ly/3ciRYg6

➤ Apache Tomcat Bug
https://bit.ly/2Tb4Hd8

SurfingAttack — Hackers can use ultrasonic guided waves to send inaudible commands and hijack voice-activated phones (Android, #
iPhone) & smart assistants.

Details & Demos ➤ https://thehackernews.com/2020/03/voice-assistants-ultrasonic-waves.html

It works over a longer distance and without the need to be in line-of-sight.

U.S. has charged and sanctioned 2 Chinese nationals for helping North Korean hackers (Lazarus Group) launder nearly $100 million that was stolen as part of $250 million heists during the hacks of two separate cryptocurrency exchanges

https://thehackernews.com/2020/03/cryptocurrency-lazarus-hackers.html

Researchers claim the CIA hackers were behind an 11-year-long hacking and cyber-espionage campaign against several critical Chinese industries (aviation, petroleum, and more) and government agencies.

Read more: https://thehackernews.com/2020/03/china-cia-hackers.html

⚠️ Important Notice ⚠️

Let's Encrypt is going to revoke 3,048,289 TLS certificates within the next 24 hours that may have been issued wrongfully due to a bug in its Certificate Authority software.

Affected website owners have until 8 PM UTC (3 PM EST) March 4 to manually renew and replace their TLS HTTPS certificates, failing which visitors to the websites will be greeted with TLS security warnings — as the certificates are revoked — until the renewal process is complete.

Read details: https://thehackernews.com/2020/03/lets-encrypt-certificate-revocation.html

🏰 Project Sandcastle </>

😔 Not happy with your expensive iPhone?

😃 Don't worry, you can now run Android on an iPhone.

A new hack gives users freedom to run a different operating system on the iPhone hardware.

Details here ➤ https://thehackernews.com/2020/03/install-android-on-iphone.html

A massive unprotected, sensitive & real-time U.S. property and demographic database exposes over 200 million records to the Internet.

Read more: https://thehackernews.com/2020/03/us-property-records-database.html

At this moment, it's not known who, or which service, owns this database hosted on the Google Cloud server.

Telecom giant T-Mobile recently suffered yet another data breach.

Hackers compromise some of its employees' email accounts and unauthorizedly access information contained in their inboxes, including details of customers and other employees.

https://thehackernews.com/2020/03/hackers-compromise-t-mobile-employees.html

Telecom provider Virgin Media recently suffered a data leak incident exposing personal details of roughly 900,000 customers.

Details ⁠— https://thehackernews.com/2020/03/virgin-media-data-breach.html

A critical unpatchable "Root of Trust'" CSME flaw (CVE-2019-0090) affects all Intel CPUs released in the last 5 years.

https://thehackernews.com/2020/03/intel-csme-vulnerability.html

It could let hackers compromise cryptographic operations for hardware-enabled security technologies, including DRM, fTPM, and IPT.

💻 AMD processors manufactured between 2011 and 2019 have been found vulnerable to 2 new side-channel attacks that could let attackers exploit cache-related feature to steal sensitive data.

➡️ Collide+Probe
➡️ Load+Reload

Details here:
https://thehackernews.com/2020/03/amd-processors-vulnerability.html

A judge on Monday declared a mistrial in the case against an ex-CIA employee (Joshua Schulte) who was charged for stealing classified hacking tools (‘Vault 7’) from the agency and leaking it to WikiLeaks.

Read: https://thehackernews.com/2020/03/cia-joshua-schulte-hacking.html

LVI Attacks 🔥 CVE-2020-0551

A new hardware vulnerability affecting modern Intel CPUs puts virtual workloads and data centers at risk of hacking.

Read details: https://thehackernews.com/2020/03/intel-load-value-injection.html

It involves reversely exploiting Meltdown and MDS-type flaws to bypass existing defenses.

In a large-scale coordinated operation, Microsoft successfully disrupted Necurs, one of the largest email-spam botnet malware networks that infected over 9 million computers worldwide.

https://thehackernews.com/2020/03/necurs-botnet-takedown.html

After cracking Necurs’s domain generation algorithm, researchers predicted over 6 million web domains that the malware was supposed to use in the next 25 months; but Microsoft and related authorities hijacked them in advance to seize the malware operation.

Turns out mitigation against RowHammer attacks added to the latest DDR4 and LPDDR4 DRAM chips are still insufficient, allowing attackers to re-enable the critical bit-flipping vulnerability.

https://thehackernews.com/2020/03/rowhammer-vulnerability-ddr4-dram.html

Bonus: Researchers have also released 'TRRespass,' an open source RowHammer fuzzing tool that can identify sophisticated hammering patterns to mount real-world attacks.