Top CyberSecurity News for November 16th 2016

  1. Cryptsetup Vulnerability Grants Root Shell Access on Some Linux Systems. From ThreatPost. A vulnerability in cryptsetup, a utility used to set up encrypted filesystems on Linux distributions, could allow an attacker to retrieve a root rescue shell on some systems. From there, an attacker could have the ability to copy, modify, or destroy a hard disk, or use the network to exfiltrate data. Cryptsetup, a utility used to set up disk encryption based on the dm-crypt kernel module, is usually deployed in Debian and Ubuntu. Researchers warned late last week that if anyone uses the tool to encrypt system partitions for the operating systems, they’re likely vulnerable.


Top CyberSecurity News For October 4th 2016

  1. Apple’s iMessage Exposes User IP Address and Device Details to Spammers. From Softpedia.

    Apple might need to fine-tune the link preview feature the company added to iMessage in iOS 10 and macOS 10.12, released two weeks ago, in September.

    According to Ross McKillop, this new feature contains an information leak bug that allows an attacker to learn an iMessage user’s IP address, OS version, and device details.

    Link previews are the small content cards that appear whenever you type and share a URL in a chat window. IM services such as Facebook, Twitter, Skype, or Slack also provide this feature, which can be quite handy, offering a preview of what the link holds, without having to leave the IM app.

Top CyberSecurity News For 27th August 2016

  1. Tinder Social Engineering Attack. From

    The initial target has to be a male, the attack is less likely to succeed if we pick a female. Men propose, women dispose…

    We swipe left until we find our target. We will call him, Bob.

    We have to make sure Bob is attractive or the attack will probably not work. If in doubt we can ask a female friend.

    We take a screenshot of Bob’s profile pictures and write down his biography.

Top CyberSecurity News For 26th August 2016

  1. The Big Short: Alleged Security Flaws Fuel Bet Against St. Jude Medical. From Security Ledger. Call it The Big Short – or maybe just the medical device industry’s “Shot Heard Round The World”: a report from Muddy Waters Research recommends that its readers bet against (or “short”) St. Jude Medical after learning of serious security vulnerabilities in a range of the company’s implantable cardiac devices.

    The Muddy Waters report on St. Jude’s set off a steep sell off in St. Jude Medical’s stock, which finished the day down 5%, helping to push down medical stocks overall. The report cites the “strong possibility that close to half of STJ’s revenue is about to disappear for approximately two years” as a result of “product safety” issues stemming from remotely exploitable vulnerabilities in STJ’s pacemakers, implantable cardioverter defibrillator (ICD), and cardiac resynchronization therapy (CRT) devices. The vulnerabilities are linked to St. Jude’s Merlin@home remote patient management platform, said Muddy Waters.

Top CyberSecurity News For 25th August 2016

  1. Government Hackers Caught Using Unprecedented iPhone Spy Tool. From Motherboard. Since its founding in 2010, [Israeli vendor] NSO has developed a reputation for providing sophisticated malware to governments that need to target cellphones in their investigations, although the use of its tools has never been documented before. The company claims that its products are completely stealthy, like a “ghost.” The company has been so guarded about its wares that it’s never had a website, and has rarely given interviews or any comments to the press. But some information has leaked out, including an investment for $120 million by a US-based venture capital firm in 2014 and a subsequent reported valuation of $1 billion.

Top CyberSecurity News For 23rd August 2016

  1. Epic’s forums hacked again, with thousands of logins stolen. From ZDNet. A hacker has stolen hundreds of thousands of forum accounts associated with Unreal Engine and its maker, Epic Games. More than 808,000 accounts were stolen in the attack — with more than half a million from Unreal Engine’s forums alone. Breach notification site, which obtained a copy of the database, said the attack was carried out August 11. The hacker, whose name isn’t known, exploited a known SQL injection vulnerability found in an older vBulletin forum software, which allowed the hacker to get access to the full database.

Top CyberSecurity News For August 15th, 2016

  1. Researchers Find Serious Flaws in iMessage Encryption. From On The Wire. New research from a team at Johns Hopkins University shows that there are serious problems with the way Apple implemented encryption on its iMessage system, leaving it open to retrospective decryption attacks that can reveal the contents of all of a victim’s past iMessage texts.

Top CyberSecurity News For August 13th 2016

  1. How to Hack an Election in 7 Minutes. From Politico. When Princeton professor Andrew Appel decided to hack into a voting machine, he didn’t try to mimic the Russian attackers who hacked into the Democratic National Committee’s database last month. He didn’t write malicious code, or linger near a polling place where the machines can go unguarded for days. Instead, he bought one online.

Top CyberSecurity News For August 11th 2016

  1. A New Wireless Hack Can Unlock 100 Million Volkswagens. From Wired. In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

Top CyberSecurity News For August 10th 2016

  1. Annoying “Open PDF in Edge” Default Option Puts Windows 10 Users at Risk. From Softpedia. Microsoft has released today its monthly security patch, and one of the five security bulletins labeled as critical concerns a remote code execution (RCE) flaw in its standard PDF rendering library that could be exploited when opening PDF files. The issue, tracked as CVE-2016-3319, is found in the Microsoft Windows PDF Library, the default Windows utility used to open, read, and render PDF files, embedded by default in a couple of apps such as Edge. An attacker could craft malicious code, add it to the header of a PDF file, and host the file on a Web server.