Saturday, July 20, 2019

Iran-Linked APT34 Invites Victims to LinkedIn for Fresh Malware Infections

The group was posing as a researcher from Cambridge, and was found to have added three new malware families to its spy arsenal.

Adult Sites Lack Privacy, Open the Door for Harassment and Tracking

Third-party tracking is rampant on sites like Pornhub, with users' sexual preferences on full view.

Bug in NVIDIA’s Tegra Chipset Opens Door to Malicious Code Execution

Researcher creates 'Selfblow' proof-of-concept attack for exploiting a vulnerability that exists in "every single Tegra device released so far".

Security Watch: Elon Musk’s NeuraLink Links Brains to iPhones via Bluetooth

Directly linking thoughts to a phone via Bluetooth -- what could go wrong?

Mirai Botnet Sees Big 2019 Growth, Shifts Focus to Enterprises

Mirai activity has nearly doubled between the first quarter of 2018 and the first quarter of 2019.

Slack Initiates Mass Password Reset

More victims of a 2015 credential-harvesting incident have come to light.

Google Triples Some Bug Bounty Payouts

Google is announcing much higher bug bounty payouts for Chrome, Chrome OS and Google Play.

Ke3chang APT Linked to Previously Undocumented Backdoor

The cyberspy group's activities are broader than originally thought.

Wormable BlueKeep Bug Still Threatens Legions of Windows Systems

Two months after the alarm sounded warning of a WannaCry-level event, progress in patching exposed Windows systems varies by country and industry.

Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

Lenovo, Acer and five additional server manufacturers are hit with supply-chain bugs buried in motherboard firmware.

Bluetooth Flaws Could Allow Global Tracking of Apple, Windows 10 Devices

Identifying tokens and random addresses, meant to create anonymity, do not change in sync on some devices -- opening an attack vector.

Massive Malvertising Campaign Reaches 100M Ads, Manipulates Supply Chain

A sophisticated and growing malvertising attacker is partnering with legitimate ad tech platforms to drop malware at scale.

StrongPity APT Returns with Retooled Spyware

The group is using malicious versions of WinRAR and other legitimate software packages to infect targets, likely via watering-hole attacks.

LenovoEMC Storage Gear Leaks Sensitive Financial Data

Lenovo patches enterprise and SMB network attached storage devices for a vulnerability that leaked data to the public internet.

The Future is Female: A Key to the Cybersecurity Workforce Challenge

With cybersecurity worldwide facing a major applicant shortage, businesses should be courting women and supporting girls.

WhatsApp, Telegram Coding Blunders Can Expose Personal Media Files

The issue, present on Android versions, is similar to the known man-in-the-disk attack vector.

JetBlue Bomb Scare Set Off with Apple AirDrop

Someone AirDropped a picture of a suicide vest to multiple people on a JetBlue flight, prompting an evacuation.

Privacy Experts: Facebook’s $5B Fine Unlikely to Do Much

The FTC has levied its biggest fine ever against the social network, but it's unlikely to have much effect.

Turla APT Returns with New Malware, Anti-Censorship Angle

A dropper called “Topinambour” is the first-stage implant, which in turn fetches a spy trojan built in several coding languages.

Researcher Bypasses Instagram 2FA to Hack Any Account

An independent researcher earned a $30,000 bug bounty after discovering a weakness in the mobile recovery process.

Cisco Patches Critical Flaw in Vision Dynamic Signage Director

Cisco this week released a security patch for the Vision Dynamic Signage Director, to address a Critical vulnerability that could allow attackers to execute arbitrary actions on the local system. Tracked as CVE-2019-1917, the vulnerability was found in the REST...

The Great Hack: the film that goes behind the scenes of the Facebook data scandal

This week, a Netflix documentary on Cambridge Analytica sheds light on one of the most complex scandals of our time. Carole Cadwalladr, who broke the story and appears in the film, looks at the fallout – and finds ‘surveillance...
SecurityWeek

Scotland Yard Twitter and Emails Hacked

London's Metropolitan Police apologised Saturday after its Twitter, emails and news pages were targeted by hackers and began pumping out a series of bizarre messages.

Browser Extensions Scraped Data From Millions of People

Slack passwords, NSO spyware, and more of the week's top security news.
ZDNet

Hackers breach FSB contractor, expose Tor deanonymization project and more

SyTech, the hacked company, was working on research projects for the FSB, Russia's intelligence service.