
MIT invention builds memory walls to protect against Meltdown, Spectre attacks

The new system could potentially prevent similar memory-based attacks from risking our PCs and global services.
  • October 18th 2018 at 04:00

Equifax engineer who designed breach portal gets 8 months of house arrest for insider trading

SEC said engineer figured out on his own that the website he was building was for the company's security breach.
  • October 17th 2018 at 21:39

Hack Naked News #193 - October 16, 2018

By paul@securityweekly.com

This week, Millions of voter records for sale on the Dark Web, Apple passcode bypass can access pictures and contacts, how Chrome and Firefox could ruin your business, Fake Adobe updates, Microsoft Zero-Day patch for JET bug incomplete, and 5 ways attackers are targeting the Healthcare Industry! Doug White joins us for expert commentary on how China used a Tiny Chip to infiltrate America's top companies, and more on this episode of Hack Naked News!

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode193

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Visit https://www.activecountermeasures/hnn to sign up for a demo or buy our AI Hunter!!

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

  • October 17th 2018 at 19:25

Tumblr discloses vulnerability but says 'no evidence that this bug was abused'

Bug hunter finds security flaw in Tumblr's "Recommended Blogs" widget.
  • October 17th 2018 at 19:11

Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months

"RID Hijacking" technique lets hackers assign admin rights to guest and other low-level accounts.
  • October 17th 2018 at 15:49

Rapid7 acquires web app security developer tCell

The deal is designed to boost Rapid7's Insight platform.
  • October 17th 2018 at 09:20

Git On That - Application Security Weekly #35

By paul@securityweekly.com

This week, Keith and Paul interview Garrett Gross, Senior Solutions Engineer at Rapid7! They talk about catching bugs earlier in the process of development, what can lead to certain successes in development, and more! In the Application Security News, Git Project patches Remote Code Execution Vulnerability, Google is shutting down Google+ after 500k accounts potentially affected by a data breach, Facebook wants people to invite its cameras into their homes, GitHub introduces user blocking notifications, DevOps producing more insecure apps than ever, and more on this episode of Application Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/ASW_Episode35

Visit https://www.securityweekly.com/asw for all the latest episodes!

Visit https://www.activecountermeasures/asw to sign up for a demo or buy our AI Hunter!

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

  • October 17th 2018 at 09:00

Creator of remote access tool LuminosityLink sent behind bars

The RAT software was a popular choice for cyberattackers.
  • October 17th 2018 at 08:37

Google to charge phone vendors for its Android apps in Europe

If device makers want to ship Android phones with Google apps --and especially the Play Store app-- in Europe, they'll now have to pay a licensing fee.
  • October 17th 2018 at 06:52

Security flaw in libssh leaves thousands of servers at risk of hijacking

Vulnerability not as bad as it gets, as most servers use the openssh library to support server-side SSH logins.
  • October 17th 2018 at 06:42

Oracle patches 301 vulnerabilities, including 46 with a 9.8+ severity rating

This wasn't Oracle's biggest patch ever. That title goes to the July 2018 CPU.
  • October 17th 2018 at 05:15

Keep It Tight - Business Security Weekly #102

By paul@securityweekly.com

This week, Michael and Paul talk about the Article Discussion on Leadership, Communication, and Innovation! They discuss how to automate habits and never think about them again, why it's important to explain to employees that organizational changes are coming, how journaling can boost your leadership skills, why you need to tell them why, and more on this episode of Business Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/BSWEpisode102

Visit https://www.securityweekly.com/bsw for all the latest episodes!

Visit https://www.activecountermeasures/bsw to sign up for a demo or buy our AI Hunter!!

→Visit our website: https://www.securityweekly.com

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

  • October 16th 2018 at 22:00

Chrome 70 released with revamped Google account login system

Chrome 70 also comes with support for the final version of the TLS 1.3 standard and the AV1 video format.
  • October 16th 2018 at 21:30

Zero-days, fileless attacks are now the most dangerous threats to the enterprise

These attacks cost the average organization millions and SMBs are the worst affected.
  • October 16th 2018 at 14:00

Epson reported to Texas AG for bricking third-party ink cartridges

EFF argues Epson's practice is making users avoid installing firmware updates, leaving millions of printers and companies vulnerable to cyber attacks.
  • October 16th 2018 at 12:46

GPU-Z now warns users if they have purchased fake Nvidia graphics cards

As the demand for high-power graphics cards continues to surge, some sellers are seeking to cash in on Nvidia's name.
  • October 16th 2018 at 12:42

Anthem agrees to pay $16 million in data breach privacy settlement

The insurer will shell out to settle a privacy violations case issued by the US government.
  • October 16th 2018 at 11:27

Temasek snaps up Sygnia, founded by Israel's NSA, in $250m deal

The cybersecurity consulting firm was created by former members of Israel's 8200 unit.
  • October 16th 2018 at 11:00

Hackers tamper with exploit chain to drop Agent Tesla, circumvent antivirus solutions

A new campaign is spreading information-stealing malware including Agent Tesla and Loki.
  • October 16th 2018 at 10:07

Czech intelligence service shuts down Hezbollah hacking operation

Hezbollah agents used Facebook profiles for attractive women to trick targets into installing spyware-infected apps.
  • October 16th 2018 at 05:00

US voter records from 19 states sold on hacking forum

Seller is asking $42,200 for all 19 US state voter databases.
  • October 15th 2018 at 19:00

Chrome, Edge, IE, Firefox, and Safari to disable TLS 1.0 and TLS 1.1 in 2020

UPDATE: The big four --Apple, Google, Microsoft, and Mozilla-- announce end of support for TLS 1.0 and 1.1 standards.
  • October 15th 2018 at 15:58

Octopus Trojan exploits Telegram ban fears to snag diplomatic targets across Asia

A fresh attack wave is launching Octopus at diplomatic organizations across the region.
  • October 15th 2018 at 15:05

Sony working on a fix for bug that's crashing PlayStation 4 consoles

Bug crashes and freezes PlayStation 4 consoles. The only way to recover is by performing a factory reset for the entire console.
  • October 15th 2018 at 14:44

Apple VoiceOver iOS vulnerability permits hacker access to user photos

The bug can be exploited to gain access to photos stored on a user's device.
  • October 15th 2018 at 13:14

Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks

The highly popular PHP 5.x branch will stop receiving security updates at the end of the year.
  • October 14th 2018 at 08:00

Pentagon discloses card breach

Around 30,000 DOD civilian and military personnel are believed to be affected.
  • October 13th 2018 at 17:11

Get the Wagyu - Paul's Security Weekly #578

By paul@securityweekly.com

This week, we welcome Lee Neely, Senior Cyber Analyst at Lawrence Livermore National Lab for an interview! In the Technical Segment, Omer Yair from Javelin Networks brings us through his talk he presented at DerbyCon entitled: “Goodbye Obfuscation, Hello Invisi-Shell”! In the security news, new Apple and Microsoft security flaws at Black Hat Europe, CCTV makers leaves at least 9 million cameras public, upset Google+ users are suing Google, US weapons systems apparently can be easily hacked, not all multifactor authentication is created equal, and Kanye's '000000' password makes iPhone security Great again! All that and more, on this episode of Paul's Security Weekly!

Full Show Notes: https://wiki.securityweekly.com/Episode578

Visit https://www.securityweekly.com/psw for all the latest episodes!

→Visit https://www.activecountermeasures/psw to sign up for a demo or buy our AI Hunter!

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

  • October 13th 2018 at 09:00

Microsoft JET vulnerability still open to attacks, despite recent patch

Microsoft's patch for a JET database engine zero-day deemed incomplete.
  • October 13th 2018 at 07:25

Facebook downgrades breach count from 50 million to 30 million users

Company said 29 million of the 30 million also had personal data scraped by the attackers.
  • October 12th 2018 at 18:12

A mysterious grey-hat is patching people's outdated MikroTik routers

Internet vigilante claims he patched over 100,000 MikroTik routers already.
  • October 12th 2018 at 13:04

Yale alarm app debacle causes chaos across UK homes

Customers have reported that app failures left them powerless to disable or enable alarms.
  • October 12th 2018 at 11:56

GandCrab ransomware operators team up with crypter service

The hacking agreement could result in the ransomware strain becoming more difficult to spot and analyze in the future.
  • October 12th 2018 at 10:28

This Trojan masquerades as Google Play to hide on your phone in plain sight

GPlayed is a new Trojan which attacks Android devices while acting as a legitimate Google service.
  • October 12th 2018 at 09:30

The Land Down Under - Enterprise Security Weekly #110

By paul@securityweekly.com

This week, in the Enterprise News, Paul is joined by Joff Thyer to discuss WhiteHat Security's single page application scanning, Palo Alto Networks acquires RedLock to build out Cloud Security, KnowBe4 boosts security awareness training, Symantec brings workload assurance security to the cloud, and Splunk unveils first IoT platform for customers! In our final segment, we air a pre-recorded interview from Microsoft Ignite with Secure Digital Life host Doug White and CTO of Microsoft, Mark Russinovich!

Full Show Notes: https://wiki.securityweekly.com/ES_Episode110

Visit https://www.securityweekly.com/esw for all the latest episodes!

Visit https://www.activecountermeasures/esw to sign up for a demo or buy our AI Hunter!

→Follow us on Twitter: https://www.twitter.com/securityweekly

→Like us on Facebook: https://www.facebook.com/secweekly

  • October 12th 2018 at 09:00

IETF approves new internet standards to secure authentication tokens

New IETF standards aim to protect authentication tokens against replay attacks.
  • October 12th 2018 at 05:25

Proof-of-concept code published for Microsoft Edge remote code execution bug

The PoC can be hosted on any website and requires that users press the Enter key just once.
  • October 12th 2018 at 00:25

Facebook removes 800 accounts and pages for political spam, disinformation

Social network cracks down on spammers using political topics to drive traffic towards ad farms.
  • October 11th 2018 at 20:45

Senators demand Google hand over internal memo urging Google+ cover-up

Republican senators start inquiry into Google's handling of Google+ security breach.
  • October 11th 2018 at 17:41

FitMetrix user data exposed via passwordless ElasticSearch server cluster

Exact number of affected users is unknown but the server cluster is now secure.
  • October 11th 2018 at 14:05

Hackers breach web hosting provider for the second time in the past year

Company hacked again despite claiming to have boosted security measures and undergone a security audit.
  • October 11th 2018 at 13:53

Security researchers find solid evidence linking Industroyer to NotPetya

A web of code reuse and shared infrastructure links together a slew of famous cyber-attacks.
  • October 11th 2018 at 12:00

Arrest of top Chinese intelligence officer sparks fears of new Chinese hacking efforts

Suspect is a top official in one of China's intelligence agencies, accused of controlling China's state hacking operations.
  • October 10th 2018 at 23:47

Google's Pixel 3 is the first Android device to ship with new CFI kernel protections

Google adds Control Flow Integrity protection to the Android kernel.
  • October 10th 2018 at 19:22

Google opens up G Suite security threat alert service to businesses

The alert center's security notification system has been opened up days after Google revealed an exposure of private data to outside developers on its Google+ service.
  • October 10th 2018 at 19:15

Five years later, Italian police identify hacker behind 2013 NASA hacks

Hacker pleaded guilty to breaching and defacing sites belonging to NASA, Italian police, Italian government, and an Italian TV station.
  • October 10th 2018 at 14:10

A deep dive into the forces driving Russian and Chinese hacker forums

Profit, hacktivism, and politics are only some of the differences between Russia and China's hacking communities.
  • October 10th 2018 at 14:01

Adobe security update fixes a handful of critical bugs, ignores Flash Player

The light set of updates does not contain a single security patch for Flash, an unusual event for the company.
  • October 10th 2018 at 09:50

WhatsApp fixes bug that let hackers take over app when answering a video call

Bug only affects WhatsApp for Android and iOS, but the issue has been fixed this week.
  • October 10th 2018 at 00:08

Pentagon's new next-gen weapons systems are laughably easy to hack

Bad passwords, non-encrypted communications, and a lot of unpatched bugs.
  • October 9th 2018 at 22:22

Hack Naked News #192 - October 9, 2018

By paul@securityweekly.com

This week, Tenable researcher reveals extended MikroTik Router Vulnerability, Wi-Fi versions will get names people can actually understand, don't accept Facebook's 2nd friend request, Google Plus exposed 500,000 users' data, weak passwords are being banned in California, and code execution bug in malicious repositories resolved by Git Project! Juxin Dyrmishi Brigjaj of Acunetix joins us for expert commentary to talk about the resurgence of XSS after the big British Airways and NewEgg Hack! All that and more, on this episode of Hack Naked News!

Full Show Notes: https://wiki.securityweekly.com/HNNEpisode192

Sponsor Landing Page: https://www.acunetix.com/securityweekly/

Visit https://www.securityweekly.com/hnn for all the latest episodes!

Visit https://www.activecountermeasures/hnn to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

  • October 9th 2018 at 20:41

Microsoft October 2018 Patch Tuesday fixes zero-day exploited by FruityArmor APT

Microsoft also fixes 48 other security bugs, 18 of which are rated "Critical."
  • October 9th 2018 at 19:22

Panda Banker Trojan becomes part of Emotet threat distribution platform

The Zeus variant is now actively targeting organizations in the US, Canada, and Japan.
  • October 9th 2018 at 16:00

Over nine million cameras and DVRs open to APTs, botnet herders, and voyeurs

Re-branded IP cameras and DVRs sold by over 100 companies can be easily hacked, researchers say.
  • October 9th 2018 at 15:35

New Magecart hack detected at Shopper Approved

Malicious code removed after two days. Impact is smaller compared to previous incidents at Ticketmaster, Feedify, or British Airways.
  • October 9th 2018 at 13:00

Garmin's Navionics exposed data belonging to thousands of customers

An unsecured MongoDB server containing 19GB in customer and product data was exposed online.
  • October 9th 2018 at 12:18

Google restricts which Android apps can request Call Log and SMS permissions

Only apps selected as the device's default app for making calls or sending text messages will be able to access call logs and SMS data from now on.
  • October 9th 2018 at 11:50

Security researcher source in Supermicro chip hack report casts doubt on story

Updated: The explosive report "doesn't make sense," according to the expert who described hardware implant uses in theoretical attacks.
  • October 9th 2018 at 10:34

Heathrow Airport fined £120,000 over USB data breach debacle

In a prime example of data protection failure, a USB containing sensitive information ended up in the hands of the public.
  • October 9th 2018 at 08:47

Firefox will be able to show notifications inside the Windows 10 Action Center

New Windows 10-friendly notification system to arrive in December, with Firefox 64.
  • October 8th 2018 at 23:42