Saturday, January 19, 2019

Ars Technica

Windows 10 October 2018 Update is at last being pushed automatically

Enlarge / Who doesn't love some new Windows? (credit: Peter Bright / Flickr) The ill-fated Windows 10 October 2018 Update has hitherto been offered only to those Windows users that manually sought it, either by using the dedicated upgrade and media creation tools or by manually checking for...

Windows 7 enters its final year of free support

Enlarge / Licensing and support lifecycles are not really the easiest topics to illustrate. (credit: Peter Bright) Windows 7's five years of extended support will expire on January 14, 2020: exactly one year from today. After this date, security fixes will no longer be freely available for the...

Latest Windows 10 build makes setup quieter, passwords optional

The latest Insider build of Windows 10, 18309, expands the use of a thing that Microsoft has recently introduced: passwordless Microsoft accounts. It's now possible to create a Microsoft account that uses a one-time code delivered over SMS as its primary authenticator, rather than a conventional password. In the new...

Computerworld

Get 3 Years of NordVPN Service for Just $2.99 Per Month – Deal Alert

NordVPN promises a private and fast path through the public internet, with no logs, unmetered access for 6 simultaneous devices and access to 5,232 servers worldwide. They are currently running a promotion, but you'll have to use this link to find it. Its typical price has been discounted for...

‘We need new privacy laws’ urges Apple CEO, Tim Cook

In a sidelong slap at the business model of Facebook, Google and others, Apple CEO Tim Cook has published an article in which he urges the U.S. government to put surveillance capitalists/data brokers under transparent legal oversight.Stand up for your rights “In 2019, it's time to stand up for the...

Start-up Devvio claims its blockchain can handle 8M transactions a second

A start-up firm claims its highly efficient distributed ledger protocol can address all the major problems facing blockchain networks, including being able to scale for global financial business by executing up to eight million transactions per second (TPS).The new blockchain protocol, called Devv, was unveiled and demonstrated at CES...

CSO

Temporary micropatch available for zero-day Windows exploit

Microsoft has left two publicly known vulnerabilities unpatched in Windows this month, but researchers have stepped in and created temporary patches that can be easily applied to protect systems until an official fix becomes available.During the last two weeks of December, a security enthusiast who uses the online handle...

Get 3 Years of NordVPN Service for Just $2.99 Per Month – Deal Alert

NordVPN promises a private and fast path through the public internet, with no logs, unmetered access for 6 simultaneous devices and access to 5,232 servers worldwide. They are currently running a promotion, but you'll have to use this link to find it. Its typical price has been discounted for...

Rocke coinminer disables cloud protection agents

A group of hackers that specializes in infecting servers with cryptocurrency mining software has started disabling security software agents used in cloud environments to evade detection. Known as Rocke in the security industry, the group has been active since at least April 2018 and is known for exploiting critical...

Dark Reading

2018’s Most Common Vulnerabilities Include Issues New and Old

The most common vulnerabilities seen last year run the gamut from cross-site scripting to issues with CMS platforms.

VC Investments in Cybersecurity Hit Record Highs in 2018

But rate of funding appears unsustainable, according to Strategic Cyber Ventures.

GDPR Suit Filed Against Amazon, Apple

An Austrian non-profit, led by privacy activist and attorney Max Schrems, has filed suit against 8 tech giants for non-compliance with the EU General Data Protection Regulation.

PCI Council Releases New Software Framework for DevOps Era

The PCI Software Security Framework will eventually replace PCI DA-DSS when it expires in 2022.

Errata Security

Notes on Build Hardening

I thought I'd comment on a paper about "build safety" in consumer products, describing how software is built to harden it against hackers trying to exploit bugs.What is build safety?Modern languages (Java, C#, Go, Rust, JavaScript, Python, etc.) are inherently "safe", meaning they don't have "buffer-overflows" or related problems.However,...

Notes about hacking with drop tools

In this report, Kasperky found Eastern European banks hacked with Raspberry Pis and "Bash Bunnies" (DarkVishnya). I thought I'd write up some more detailed notes on this.Drop toolsA common hacking/pen-testing technique is to drop a box physically on the local network. On this blog, there are articles going back...

Some notes about HTTP/3

HTTP/3 is going to be standardized. As an old protocol guy, I thought I'd write up some comments.Google (pbuh) has both the most popular web browser (Chrome) and the two most popular websites (#1 Google.com #2 Youtube.com). Therefore, they are in control of future web protocol development. Their first...

F-Secure

NRSMiner updates to newer version

More than a year after the world first saw the Eternal Blue exploit in action during the May 2017 WannaCry outbreak, we are still seeing unpatched machines in Asia being infected by malware that uses the exploit to spread. Starting in mid-November 2018, our telemetry reports indicate that the...

Phishing Campaign targeting French Industry

We have recently observed an ongoing phishing campaign targeting the French industry. Among these targets are organizations involved in chemical manufacturing, aviation, automotive, banking, industry software providers, and IT service providers. Beginning October 2018, we have seen multiple phishing emails which follow a similar pattern, similar indicators, and obfuscation...

Ethics In Artificial Intelligence: Introducing The SHERPA Consortium

In May of this year, Horizon 2020 SHERPA project activities kicked off with a meeting in Brussels. F-Secure is a partner in the SHERPA consortium – a group consisting of 11 members from six European countries – whose mission is to understand how the combination of artificial intelligence and...

FireEye

A Nasty Trick: From Credential Theft Malware to Business Disruption

FireEye is tracking a set of financially-motivated activity referred to as TEMP.MixMaster that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and...

Global DNS Hijacking Campaign: DNS Record Manipulation at Scale

Introduction FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link...

Digging Up the Past: Windows Registry Forensics Revisited

Introduction FireEye consultants frequently utilize Windows registry data when performing forensic analysis of computer networks as part of incident response and compromise assessment missions. This can be useful to discover malicious activity and to determine what data may have been stolen from a network. Many...

Forbes

How Deception Technology Gives You The Upper Hand In Cybersecurity

Deception offers an effective way to detect attacks in progress, with no false positives. It alters the balance of power between attacker and target, giving companies the upper hand in combating both external and internal threats.

California Revives Stronger Net Neutrality Bill After Public Backlash

After outcry over a hollowed-out version, California lawmakers are moving forward with a restored bill to protect state consumers without federal rules.

Facial Recognition And Future Scenarios

Will facial recognition technologies mean we will be permanently under surveillance in the future? Should schools and colleges be teaching children how this technology works? Or should we just ignore this technology as if it wasn’t happening? Are there any alternatives?

Google Security

PHA Family Highlights: Zen and its cousins

Posted Lukasz Siewierski, Android Security & Privacy Team Google Play Protect detects Potentially Harmful Applications (PHAs) which Google Play Protect defines as any mobile app that poses a potential security risk to users or to user data—commonly referred to as "malware." in a variety of ways, such as static...

Google Public DNS now supports DNS-over-TLS

Posted by Marshall Vale, Product Manager and Puneet Sood, Software EngineerGoogle Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries...

Android Pie à la mode: Security & Privacy

Posted by Vikrant Nanda and René Mayrhofer, Android Security & Privacy TeamThere is no better time to talk about Android dessert releases than the holidays because who doesn't love dessert? And what is one of our favorite desserts during the holiday season? Well, pie of course. In all seriousness,...

Graham Cluley

Ingenious! The Android malware which only triggers if you’re moving

Android malware in the Google Play Store could tell whether it was likely to be running on a genuine victim’s device or being analysed by a security team.

The Collection #1 data breach – what you need to do about it

A huge collection of email addresses and passwords, which can be used in attempts to break into online accounts, has been discovered. If you are one of the affected users, what should you do about it?

Magecart hits hundreds of websites via ad supply chain hijack

A criminal Magecart gang successfully compromised hundreds of ecommerce websites via a malicious script that silently harvested personal data and payment card information as customers bought goods and services online. Read more in my article on the Tripwire State of Security blog.

IBM Security

Succeed in Your Cloud Migration With a Secure Hybrid Cloud Strategy

Picture this: An object storage misconfiguration has left thousands of customer records fully exposed. Your company is about to face costly compliance consequences and a loss of customer trust. How should you respond? More importantly, how could a secure hybrid cloud strategy have helped prevent such an incident from...

10 Cybersecurity Conference Trips You Should Make Time for This Year

Cybersecurity remains a top priority for chief information security officers (CISOs) worldwide, but it’s easy to get out of touch as the industry evolves at breakneck speed and attackers discover new and innovative ways to compromise corporate networks. That’s why it’s worth investing in cybersecurity conference trips to help...

Board Directors Can’t Afford to Ignore Cybersecurity Risk

Co-authored by Mark Whitecavage. As organizations rush to adopt new digital channels, big data, advanced analytics, and emerging technologies such as blockchain, artificial intelligence (AI) and quantum computing, they face new risks that may be difficult to quantify today. The obvious challenge with emerging risk is the lack of historical perspective...

Info Security Buzz

Fortnite Vulnerabilities Allow Hackers To Take Over Gamers’ Accounts, Data And In-Game Currency

Cybersecurity researchers today shared details of vulnerabilities that could have affected any player of the hugely popular online battle game, Fortnite. If exploited, the vulnerability would have given an attacker full access to a user’s account and their personal information  as well as enabling them to purchase virtual in-game currency using the...

Do You Know Your Customers?

Every third Thursday of each quarter, ‘Know Your Customer’ Day is held. The day transcends all industries, aimed at businesses and designed to serve as a reminder of how important it is to take the time to understand your customer. In the cybersecurity industry, it is equally important. When it comes to knowing the ‘customers’, it...

Who Goes There? How Blockchain Could Transform Identity And Access Management

Marc Vanmaele, CEO of TrustBuilder considers whether blockchain will become an IAM game changer From a niche cryptocurrency discussed only in the most technical and computing-focused circles, to an imagination-capturing marketplace featured in the mainstream press, bitcoin has undergone a transformative journey over the past decade. As part of this evolution, bitcoin’s public transaction ledger has...

Infosec Island

Four Technologies that will Increase Cybersecurity Risk in 2019

Attackers are not just getting smarter, they are also using the most advanced technologies available, the same ones being used by security professionals – namely, artificial intelligence (AI) and machine learning (ML). Meanwhile, the widespread adoption of cloud, mobile and IoT technologies has created a sprawling IT attack surface that...

Strategies for Winning the Application Security Vulnerability Arms Race

As cyber criminals continuously launch more sophisticated attacks, security teams increasingly struggle to keep up with the constant stream of security threats they must investigate and prioritize. When observing companies that have a large web presence (e.g., retail/e-commerce companies), consider the broad threat landscape at play. Web application attacks...

Taking Advantage of Network Segmentation in 2019

Overview Security is and will always be top of mind within organizations as they plan out the year ahead. One method of defense that always deserves attention is network segmentation. In the event of a cyberattack, segmented networks will confine the attack to a specific zone – and by doing so,...

Infosecurity Magazine

New Year, New Features for Fallout EK

New Year, New Features for Fallout EKThe new year is a time for resolutions and promises of change, so much so that even malware has returned from a bit of time off with some new features, including a new Flash exploit, according to Malwarebytes head of investigations, Jérôme Segura. The Fallout...

Malware Evades Detection One Step at a Time

Malware Evades Detection One Step at a TimeMalicious code was lurking about in two different apps within the Google Play store, according to researchers at Trend Micro who have disclosed that they discovered a banking Trojan in what seemed like legitimate apps. Both the currency converter and the battery-saving app have...

Hackers Use PayPal to Phish with Ransomware

Hackers Use PayPal to Phish with RansomwareA new strain of yet another ransomware campaign has been discovered in which the malicious actors have expanded payment options beyond Bitcoin; they are instead offering alternatives (such as PayPal) that include a phishing link, according to MalwareHunterTeam. Attackers are stealing a page from Daedalus and...

Krebs on Security

773M Password ‘Megabreach’ is Years Old

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed...

“Stole $24 Million But Still Can’t Keep a Friend”

Unsettling new claims have emerged about Nicholas Truglia, a 21-year-old Manhattan resident accused of hijacking cell phone accounts to steal tens of millions of dollars in cryptocurrencies from victims. The lurid details, made public in a civil lawsuit filed this week by one of his alleged victims, paints a...

Courts Hand Down Hard Jail Time for DDoS

Seldom do people responsible for launching crippling cyberattacks face justice, but increasingly courts around the world are making examples of the few who do get busted for such crimes. On Friday, a 34-year-old Connecticut man received a whopping 10-year prison sentence for carrying out distributed denial-of-service (DDoS) attacks against...

Naked Security

Vast data-berg washes up 1.16 billion pwned records

Have I Been Pwned? (HIBP) has revealed a huge cache of breached email addresses and passwords, which it has named Collection #1.

Google cracks down on access to your Android phone and SMS data

Android apps that want access to your call and SMS data now have to pass muster with Google's team of reviewers.

Did you know you can see the ad boxes Facebook sorts us into?

...or that they can edit the (often inaccurate) pigeon-holes Facebook likes to put us in, a study found.

Ep. 015 – USB anti-hacking, bypassing 2FA and government insecurity [PODCAST]

Here's the latest Naked Security podcast - enjoy!

PC Mag

‘Collection #1’ Breach Is Huge, But Should You Be Worried?

The dealer behind the Collection #1 data dump has been circulating six other databases with almost 1TB of data. But opinions vary on whether they contain data from previously reported hacks or newly released information.

Amazon’s Facial Recognition Tech Collides With Shareholder Protest

Whether Amazon can sell its controversial facial recognition technology to government groups and police departments may be determined by a shareholders' vote later this spring.

Tim Cook: FTC Needs to Make It Easy to Delete Your Online Data

Apple's CEO calls on the US Federal Trade Commission to set up a 'data-broker clearinghouse,' where consumers can track and delete the information companies have mined from their internet activities.

SC Magazine

Researchers find Telegram bot chatter is actually Windows malware commands

Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands. Forcepoint researchers discovered what it described as a “fairly simple” year old malware that creates a new administrator account that enables remote desktop...

Google Play boots fake apps that spy on devices’ motion sensor data before dropping Anubis malware

A fake currency converter and a phony battery utility program are among the latest fraudulent apps to be expunged from Google Play, according to researchers who discovered they were infecting users with a version of the Anubis banking malware family. Both fraudulent apps employ a crafty technique to determine whether...

Android ES File Explorer open port vulnerability divulged

A French cybersecurity researcher is reporting that Android ES File Explorer app can allow others on your local network to remotely access a file on your phone. The app, which has more than 100 million Android installs and is designed to allow for the management of all varieties of file...

Schneier on Security

Friday Squid Blogging: Squid Lollipops

Two squid lollipops, handmade by Shinri Tezuka. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.

Evaluating the GCHQ Exceptional Access Proposal

The so-called Crypto Wars have been going on for 25 years now. Basically, the FBI­and some of their peer agencies in the U.K., Australia, and elsewhere­argue that the pervasive use of civilian encryption is hampering their ability to solve crimes and that they need the tech companies to make...

Prices for Zero-Day Exploits Are Rising

Companies are willing to pay ever-increasing amounts for good zero-day exploits against hard-to-break computers and applications: On Monday, market-leading exploit broker Zerodium said it would pay up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for one-click iOS jailbreaks, and $1 million for exploits that take over...

SecureMac

Checklist 121: On Checklist, TV Watches You!

On this week’s Checklist by SecureMac we talk about TVs that are too smart for your own good, putting a lock on individual iOS Apps and some security resolutions. The post Checklist 121: On Checklist, TV Watches You! appeared first on SecureMac.

2019 Kicks Off with several Apple Security Issues

The year may not yet even be a few weeks old, but already the headlines have been crowded with a range of issues that Apple users would do well to notice. From malware slipping past Gatekeeper to a mysteriously cancelled hacker conference appearance, there’s plenty to take in this...

Checklist 120: New Year Old Worries

It’s a new year — but some old worries have followed us into 2019, still lingering and causing some concerns. That means it’s time to shake off the last of the sleepiness still hanging around from the holidays and get back down to business. We have phishers making calls...

Security Affairs

6 Reasons We Need to Boost Cybersecurity Focus in 2019

Paying attention to cybersecurity is more important than ever in 2019. But, some companies are still unwilling to devote the necessary resources to securing their infrastructures against cyberattacks, and naive individuals think they’re immune to the tactics of cybercriminals, too. For people who still need some convincing that cybersecurity...

A bug in Microsoft partner portal ‘exposes ‘ support requests to all partners, fortunately, no customer data was exposed. The Register in exclusive reported that Microsoft partner portal ‘exposed ‘every’ support request filed worldwide.’ Tickets submitted from all over the world were exposed to all Microsoft support partners due to...

Oracle critical patch advisory addresses 284 flaws, 33 critical

Oracle released the first critical patch advisory for 2019 that addresses a total of 284 vulnerabilities, 33 of them are rated “critical”. Let’s give a close look at some of the vulnerabilities fixed by this patch advisory. The advisory fixed the CVE-2016-1000031 flaw, a remote code execution (RCE) bug in the Apache...

SecurityWeek

Bulgaria Extradites Russian Hacker to US: Embassy

Bulgaria has extradited a Russian indicted by a US court for mounting a complex hacking scheme to the United States, the Russian embassy in Washington said Saturday. read more

Exploit for Recent Flash Zero-Day Added to Fallout Exploit Kit

An updated version of the Fallout exploit kit recently emerged with an exploit for a recent Flash zero-day included in its arsenal, Malwarebytes Labs security researchers warn. read more

Hackers Actively Scanning for ThinkPHP Vulnerability, Akamai Says

There is widespread scanning for a recently disclosed remote code execution vulnerability in the ThinkPHP framework, Akamai reveals.  read more

TechRepublic

Bug bounty programs: Everything you thought you knew is wrong

One common criticism of bug bounty programs is that very few hackers actually make money. Not only is this untrue, but it misses the point.

5 blockchain trends to expect in 2019

Blockchain may finally be ready to move from hype to reality, with continued IoT integrations and tokenization, according to KPMG.

Microsoft launches Azure DevOps bug bounty program, $20,000 rewards on offer

The Redmond giant is keenly interested in remote code execution and privilege escalation flaws.

The Guardian

Largest collection of breached data ever seen is found

Store of 770m email addresses and passwords discovered after being posted to a hacking forumThe largest collection of breached data ever seen has been discovered, comprising of more than 770m email addresses and passwords posted to a popular hacking forum in mid-December.The 87GB data dump was discovered by security...

I got a phishing email that tried to blackmail me – what should I do?

Pauline received a spam message that looked like a sextortion or webcam scamI got this email today. It says “I hacked your device, because I sent you this message from your account.” It goes on to claim that it has filmed me watching pornography, and demands $698 in bitcoin....

Steep price rises and even steeper streets | Brief letters

Data grabbing | Country diary | Cost of stamps | A question of perspective | Steepest street titleThe solution is surely to use the non-profit Ecosia search engine that plants trees and quite simply guarantees that it protects your data (Together we can thwart big tech’s data grab, Opinion,...

The Hacker News

New Android Malware Apps Use Motion Sensor to Evade Detection

Even after so many efforts by Google for preventing its Play Store from malware, shady apps somehow managed to fool its anti-malware protections and get into its service to infect Android users with malware. Two such Android apps have recently been spotted on the Google Play Store by security researchers...

A Twitter Bug Left Android Users’ Private Tweets Exposed For 4 Years

Twitter just admitted that the social network accidentally revealed some Android users' protected tweets to the public for more than 4 years — a kind of privacy blunder that you'd typically expect from Facebook. When you sign up for Twitter, all your Tweets are public by default, allowing anyone to...

Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police have this week busted out two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively. According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than...

The Register

DDoS sueball, felonious fonts, leaky Android file manager, blundering building security, etc etc

Plus, Safari security foiled by… a finger swipe? Roundup  This week we wrangled with alleged Russian election meddling, hundreds of millions of username-password combos spilled online, Oracle mega-patches, and cliams of RICO swap-gangs.…

The Iceman cometh, his smartwatch told the cops: Hitman jailed after gizmo links him to Brit gangland slayings

Killer jailed for life after fitness kit data tips off plod Avid runner and hitman Mark Fellows was this week found guilty of murder after being grassed up by his Garmin watch.…

US midterms barely over when Russians came knocking on our servers (again), Democrats claim

Лучшая защита – нападение? Russian hackers attempted to infiltrate the Democratic National Committee (DNC) just after the US midterm elections last year, according to a new court filing.…

The Security Ledger

Report: Iranian APT Actors Regroup After Main Security Forum Shuts Down

Iranian state-sponsored hackers are regrouping after the shutdown last year of their main security forum, migrating to other forums and making new connections for potential cyber-response against mounting political pressures from the United States and Europe, according to a new report. The post Report: Iranian APT Actors Regroup After Main...Read...

Podcast Episode 129: Repair Eye on the CES Guy and Sensor Insecurity

In this week’s podcast: For all the great new gadgets unveiled in Las Vegas, how many can be repaired? Kyle Wiens of iFixit joins us to report from the CES show. Also: more and more our physical surroundings are populated by small, wireless sensors. How secure are they from hacking...

That Other Moscow: Sketchy LinkedIn Job Posts Mix US, Russian Locales

Bogus LinkedIn job postings for leading US organizations, including the US Army, the State of Florida and defense contractor General Dynamics, are popping up for Russian locales like St. Petersburg and Moscow, the firm Evolver has found. Is it AI-Gone-Wild, or is something more nefarious afoot?  Moscow, on the...

Threatpost

Google Play Removes Malicious Malware-Ridden Apps

Two apps on Google Play were infecting devices with the Anubis mobile banking trojan.

Fallout EK Retools for a Fresh New 2019 Look

The Fallout EK has added the latest Flash vulnerability to its bad of tricks, among other tune-ups.

Threatpost News Wrap Podcast For Jan. 18

Threatpost editors break down the top headlines from the week ended Jan. 18.

Critical, Unpatched Cisco Flaw Leaves Small Business Networks Wide Open

A default configuration allows full admin access to unauthenticated attackers.

Tripwire

Microsoft Announces Azure DevOps Bug Bounty Program

The Microsoft Security Response Center (MSRC) has announced the creation of a bug bounty program for Azure DevOps services. On 17 January, MSRC said it would begin awarding bounties of up to $20,000 for reports on eligible vulnerabilities affecting Azure DevOps, a cloud service which helps developers collaborate on...

Nearly 800 Million Email Addresses Exposed in “Collection #1” Data Breach

A data breach known as “Collection #1” exposed approximately 800 million email addresses as well as tens of millions of passwords. In the beginning of January, multiple people reached out to Australian web security expert Troy Hunt about a sizable collection of files hosted on cloud service MEGA. This...

Two Ukrainians Charged with Plot to Hack into SEC and Commit Fraud

The U.S. Department of Justice (DOJ) has charged two Ukrainians with participating in a plot to hack into computers systems at the U.S. Securities and Exchange Commission (SEC) and use the information they stole to commit fraud. On 15 January, the U.S. Attorney’s Office for the District of New...

Troy Hunt

Weekly Update 122

Presently sponsored by: Live Workshop! Watch the Varonis DFIR team investigate a cyberattack using our data-centric security stackAnd then there was the biggest data breach to go into HIBP ever! I wrote that sentence from home just after publishing all the data, then I got on a plane...Holy cow...

The 773 Million Record “Collection #1” Data Breach

Presently sponsored by: Live Workshop! Watch the Varonis DFIR team investigate a cyberattack using our data-centric security stackMany people will land on this page after learning that their email address has appeared in a data breach I've called "Collection #1". Most of them won't have a tech background or...

Weekly Update 121

Presently sponsored by: Twilio: Need to add 2FA quickly to your application? Use the Authy API to easily add more than just SMS 2FA within a matter of days.Well, it's one more sunny weekly update then snow time again so I've gone particularly beachy today. I'm also particularly breachy,...

We Live Security

Two men charged with hacking into SEC in stock-trading scheme

The hacking duo is believed to have exploited a software flaw and compromised several SEC workstations with malware in order to take early peeks at financial disclosures The post Two men charged with hacking into SEC in stock-trading scheme appeared first on WeLiveSecurity

Week in security with Tony Anscombe

773 million email IDs, 21 million passwords exposed for anyone to see in massive data dump. A car and almost $1m on offer for Tesla Model 3 hacks. Plus some resolutions for 2019 with tips for securing your router The post Week in security with Tony Anscombe appeared first on...

21 million passwords for anyone to see amid massive data dump

The vast dossier of stolen login details, which also comprises 773 million email addresses, appears to have been gathered from data stolen in many breaches The post 21 million passwords for anyone to see amid massive data dump appeared first on WeLiveSecurity

Wired

DNC Accuses Russia, ACLU Sues ICE, and More Security News This Week

Trump dominated security headlines this week, but there's plenty of other news to catch up on.

If Trump Told Cohen to Lie, Impeachment Is Coming

An explosive new report from Buzzfeed News makes the impeachment of Donald Trump not just possible, but likely.

How the Feds Failed to Track Thousands of Separated Children

Ad-hoc systems and haphazard databases made the Trump administration’s cruel border separation policies somehow even worse.

Be Careful Using Bots on Telegram

Introducing a bot to a secure Telegram conversation downgrades the level of encryption—without providing any visual cues.

ZDNet

Websites can steal browser data via extensions APIs

Researcher finds nearly 200 Chrome, Firefox, and Opera extensions vulnerable to attacks from malicious sites.

DNC says Russia tried to hack its servers again in November 2018

Democrats say the spear-phishing attack, which was attributed to Russian group Cozy Bear, was unsuccessful.

WiFi firmware bug affects laptops, smartphones, routers, gaming devices

List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.