Twitter is asking users to change their account password immediately. This comes after the social media giant identified a bug that was storing unmasked passwords in an internal log visible to everyone on Twitter.
According to Twitter, the bug occurred due to an issue in the hashing process, which masks passwords by replacing them with a random string of characters that gets stored on Twitter's system. Due to an error in the system, passwords were apparently being saved in plain text to an internal log instead of being masked by the hashing process.
Twitter claims to have found the bug on its own and removed the passwords. It’s working to make sure that similar issues don’t come up again.
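One way to keep a bug of this kind from exposing passwords, shown as an added example that is not Twitter's code: a logging filter masks secret fields before any handler writes them, and only a salted hash is stored. The handler, field names and sample request are hypothetical, and PBKDF2 from Python's standard library stands in for whatever hashing function Twitter uses.

```python
import hashlib
import hmac
import io
import logging
import os
from collections.abc import Mapping

# Field names treated as secrets (constructed list for this example).
SENSITIVE_KEYS = {"password", "new_password", "current_password"}
REDACTED = "[REDACTED]"


def scrub(value):
    """Return a copy of value with secret fields masked, recursing into containers."""
    if isinstance(value, Mapping):
        return {k: REDACTED if str(k).lower() in SENSITIVE_KEYS else scrub(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v) for v in value)
    return value


class RedactSecrets(logging.Filter):
    """Mask secret fields in log arguments before any handler formats them."""

    def filter(self, record):
        # record.args is a tuple, or a dict when a single mapping was logged.
        record.args = scrub(record.args)
        return True


def hash_password(password, iterations=600_000):
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only salt + digest is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt + digest


def verify_password(password, stored, iterations=600_000):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def handle_signup(logger, request):
    """Hypothetical signup handler: logs the request, then hashes the password."""
    # The failure mode described above: the request is logged before hashing,
    # so the raw password reaches the log unless something masks it first.
    logger.info("signup request: %s", request)
    return hash_password(request["password"])


def run_signup(redact):
    """Run the handler against an in-memory log; return (log text, stored hash)."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    if redact:
        # Attached to the handler so every record it emits is masked,
        # whichever logger produced it.
        handler.addFilter(RedactSecrets())
    logger = logging.getLogger("signup.redacted" if redact else "signup.raw")
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False
    request = {"user": "alice", "password": "correct horse battery"}  # constructed input
    stored = handle_signup(logger, request)
    return stream.getvalue(), stored


if __name__ == "__main__":
    print(run_signup(redact=False)[0], end="")
    print(run_signup(redact=True)[0], end="")
```

The filter is a safety net for code paths that log whole requests; handlers should still avoid passing secrets to the logger at all.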
A virus that hijacks users' devices and uses them to mine cryptocurrencies is spreading fast through Facebook.
The malware, named "Digmine", affects desktop versions of the app when running on a Google Chrome browser, according to researchers at Trend Micro.
How does the virus work?
If a user clicks on the malicious video link, it opens using Chrome browser and FacexWorm redirects the victim to a fake YouTube site.
The user is then urged to download an innocent-looking Chrome extension as a codec extension that's "needed" to play the video.
Once the extension is installed, the virus downloads more modules from its control server to perform a variety of malicious tasks.
The malware can access or modify data for any website the user visits since the extension applies all the extended permissions at the time of installation.
Now, it seems as though everyone wants to build on the blockchain or is at least interested in learning more about how to harness the technology's potential, and some financial gurus have been calling this the dot-com boom, all over again.
With all of the hype around blockchain technology, industry experts are looking to disrupt even the most specialized fields. Large companies like IBM and Walmart are working to track shipments of pork in China more effectively on the blockchain, and other more traditional applications include financial services, gaming, and cloud computing.
Here are a few ways blockchain technology may help disrupt not only the behemoths like IBM and Walmart, but even mom-and-pop shops, and how you can be prepared for what's to come:
In a letter to the Ministry of Electronics and Information Technology, the Central Provident Fund Commissioner has written that hackers have stolen data from the Aadhaar seeding portal of EPFO. He has also asked the ministry's technical team to plug vulnerabilities on the portal aadhaar.epfoservices.com that has now been temporarily shut. The portal links the Aadhaar number of employees with their provident fund accounts.
"Each person contributes 12% of salary as provident fund, so salary details could also have been stolen. Also the bank account numbers as people tend to withdraw their PF," said cybersecurity expert Anand Venkatnarayan.
The Telecom Commission has approved the much-awaited proposal for in-flight connectivity in Indian airspace. In January, TRAI issued recommendations to allow both telephony and Internet services on domestic flights. Passengers of both domestic and international carriers would be able to make calls and surf the web once an aircraft flies above the minimum height of 3000 meters, the body has said in its recommendation.
The internet services will be allowed through Wi-Fi onboard. For calling services, the airplane/flight mode on the phone will have to be kept off. A separate category of IFC service provider should be created to permit IFC services in Indian airspace where service provider should be required to get itself registered with the DoT.
Soon after the Telecom Regulatory Authority of India (TRAI) recommendation to allow in-flight connectivity (IFC) in airlines, Chicago-based in-flight internet company Gogo has announced its plan to enter the Indian market. It is eyeing the Indian market with major investment plans.
A $700-million US-based in-flight connectivity provider will open an engineering and software development centre in Chennai.
A new "confidential mode" can also be used to stop recipients being easily able to forward, copy, download or print correspondence sent via Gmail.
Google's e-mail service is adding the option to let messages become inaccessible after a set time as it prepares for tougher data privacy laws.
Since it isn't practical to remotely wipe emails from someone else's computer after they’ve been downloaded, the self-destruct feature works by sending a link to a web page where the sensitive content can be viewed, rather than including the material in the original message.
In a matter of minutes a hacker with the right knowledge could spoof their way into almost any hotel room in the world.
Researchers say flaws they found in the equipment's software meant they could create "master keys" that opened the rooms without leaving an activity log.
How was the vulnerability exploited?
In theory, it's easy. First, an attacker would need to get hold of an electronic key – RFID or magstripe – either from a hotel or even one that operates a storage closet or garage. They would then need to buy a portable programmer online for a few hundred pounds to overwrite it, thus creating a master key within minutes. However, F-Secure says it is its custom software that made this particular hack possible, and it won’t (for obvious reasons) be releasing it.
MazarBOT is a new malware sent as an SMS link to the victim to gain remote access to the latter's cellphone images, call records and texts.
Over a dozen Bengalureans have fallen prey to a new SMS-spoofing malware through which fraudsters have accessed their bank-generated One Time Passwords (OTPs) and swindled them of lakhs of rupees.
"The SMSs appear like regular text messages sent by banks. However, they are sent by fraudsters and contain a link. All the complainants clicked on the link, which resulted in a malware invading their phone, via which the conmen gained access to the device and all SMSs received by the user," revealed an investigating officer probing the fraud.
Trying to break the encryption on the iPhone is a constantly-evolving cat-and-mouse game, and not many law enforcement agencies are capable of taking part. Rather than hiring their own cryptographers, law enforcement around the country instead buys “exploits” from hacking firms, who sell their technology to anyone who can pay tens of thousands of dollars.
A new type of iPhone cracker, called the GrayKey, is a simple-to-use box that can reportedly crack the latest iPhone X running iOS 11, and as you’d expect, cops are lining up to buy it.
Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.
Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.
Google releases security patches every month to keep its Android ecosystem safe and secure from the underlying risks, but since every manufacturer and mobile carrier modifies the operating system to make its smartphones unique, they often fail to apply all those patches in time.
At the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings. They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.
YouTube's music video for the hit song Despacito, which has had over five billion views, has been hacked.
More than a dozen other artists, including Shakira, Selena Gomez, Drake and Taylor Swift are also affected. The original clips had been posted by Vevo. A number of high-profile music videos disappeared from YouTube and had their titles and hold images defaced, after the video streaming website was targeted by hackers.
All the affected videos were uploaded to YouTube artist accounts associated with the video hosting service Vevo. It is unclear whether hackers accessed individual accounts or Vevo as a whole. One of the hackers claims they used a script to change the video titles.
A Twitter account that apparently belongs to one of the hackers posted: "It's just for fun, I just use [the] script 'youtube-change-title-video' and I write 'hacked'." "Don't judge me I love YouTube," it added.
The Tech Mahindra-Balbix partnership will help serve the market using a new proactive approach that combines advanced AI technology with deep domain expertise in cybersecurity and infrastructure.
It can prioritize the actionable intelligence for the proactive handling of identified critical risks; it also prevents security incidents and reduces compliance verification cycles from months to minutes. Additionally, the iSOC improves reporting by accurately measuring overall breach risk and cyber-resilience.
"Balbix and Tech Mahindra's partnership is aimed at catering to the growing needs of customers to combat the rampantly increasing number of cyber threats," said Gaurav Banga, CEO and Founder - Balbix.
Who could be accessing your camera and microphone?
You have numerous apps that take access to hardware on your mobile devices as you install them. Apps like WhatsApp, Facebook, Snapchat, Instagram, Twitter, LinkedIn, Viber might do a lot on their own even without you knowing.
The terms and conditions and privacy statements you sign up to when you buy a smartphone or download an app are rarely scrutinised before we tick the box and wade in.
Apps running in the foreground can access both the front and the back camera and can record you at any time. They can also snap pictures and videos without telling you and upload them.
In addition to this, hackers can access your device via apps, PDF files, multimedia messages and even emojis. An application, Metasploit, on the ethical hacking platform Kali uses an Adobe Reader 9. The hacker can alter the PDF with the program by sending a malicious file to the user. Once they open it, the hacker can have total control over the user's device remotely.
Cloudflare, the security-focused content delivery network provider, opened up a global Domain Name System (DNS) service for consumers that runs both DNS-over-TLS and DNS-over-HTTPS. The service is called 1.1.1.1. That is the IPv4 address for Cloudflare’s DNS resolver (along with 1.0.0.1).
With this offering, they're fixing the foundation of the Internet by building a faster, more secure and privacy-centric public DNS resolver. The DNS resolver, 1.1.1.1, is available publicly for everyone to use - it is the first consumer-focused service Cloudflare has ever released.
DDE attacks are also known as 'macro-less' malware. The attacks are able to use PowerShell and hidden scripts to dodge network defences.
Cybercriminals are using Microsoft Office documents to conduct 'macro-less' attacks that dodge organisations' defences and inject malware – a technique that has been named a top threat in WatchGuard Technologies' Q4 2017 Internet Security Report.
Malicious Office documents generally targeted Germany, China and the United States, and there was a large increase in malicious documents during Q4, the report notes.
Egyptian internet users suddenly noticed that their computers were slowing down or overheating while taking in the entertainment. The slowdown was actually a result of the Egyptian government secretly hijacking its citizens' computers "en masse" in order to mine the cryptocurrency monero.
But it's not just criminals who think cryptomining is a way to make money. Some in the online media industry also see it as an alternative revenue generator that reduces their reliance on ads.
As cryptocurrencies only grow more popular, bad actors from hackers to criminal enterprises to corrupt governments are exploring ways to conduct massive campaigns, which risk compromising tens of thousands of computers and millions of smartphones along the way.
Mozilla is rolling out a new Firefox container extension that isolates web activity from Facebook and makes it harder for the social network to track user activity on other websites via third-party cookies.
Unsatisfied by Zuckerberg's apology tour, Mozilla said last week that it was pulling its advertising from Facebook in protest to the social network's data collection practices. When announcing the decision, Mozilla's chief business and legal officer, Denelle Dixon, acknowledged Zuckerberg's pledge to restrict third-party access to user data, but said that Facebook's default privacy settings were still a problem.
As for the Facebook Container, Mozilla said the add-on is not meant to be a direct jab at Facebook, but rather a tool that helps users better manage their online privacy and security.
A newly-discovered keylogger malware has been found infecting computers in the wild and spreading via infected USB drives, according to threat detection firm Cybereason.
Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any of the connected external drives.
Furthermore, the keylogger renames the external drives to match its naming scheme. Specifically, the drive's new name would include its original name, its size, and the string "(Secured by Kaspersky Internet Security 2017)". The malware also creates an autorun.inf file to point to a batch script.
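A defender's check for the two traces described above, as an added example that is not Cybereason's tooling: it flags a drive whose volume label carries the quoted string and whose autorun.inf launches a batch script. The sample autorun.inf contents and file names are constructed, and the caller is assumed to supply the volume label, since reading it is platform-specific.

```python
import re
import tempfile
from pathlib import Path

# Volume-label marker quoted in the article.
LABEL_MARKER = "(Secured by Kaspersky Internet Security 2017)"
# autorun.inf keys that launch a program when the drive is opened.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\.+\\command)$", re.IGNORECASE)
SCRIPT_EXTENSIONS = (".bat", ".cmd")


def decode_inf(data):
    """Decode autorun.inf bytes; the file may be UTF-16 with a BOM or 8-bit text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, with keys lower-cased."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(command):
    """Return the program part of a command line, honouring double quotes."""
    match = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (match.group(1) or match.group(2)) if match else ""


def inspect_drive(root, volume_label):
    """Return a list of findings for one mounted drive; empty means no match."""
    findings = []
    if LABEL_MARKER.lower() in volume_label.lower():
        findings.append("label-marker")
    for path in Path(root).iterdir():
        if path.is_file() and path.name.lower() == "autorun.inf":
            entries = parse_autorun(decode_inf(path.read_bytes()))
            for key, command in sorted(entries.items()):
                target = launch_target(command)
                if LAUNCH_KEY.match(key) and target.lower().endswith(SCRIPT_EXTENSIONS):
                    findings.append(f"autorun-script:{key}={target}")
    return findings


def demo():
    """Build two constructed drive roots in a temp directory and inspect both."""
    with tempfile.TemporaryDirectory() as tmp:
        infected, clean = Path(tmp, "infected"), Path(tmp, "clean")
        infected.mkdir()
        clean.mkdir()
        # Constructed sample: UTF-16 autorun.inf whose open= points at a batch script.
        (infected / "AUTORUN.INF").write_bytes(
            '[AutoRun]\r\nopen="start.bat" /q\r\n'.encode("utf-16"))
        # Constructed sample: installer-style autorun.inf that launches an executable.
        (clean / "autorun.inf").write_text("[autorun]\nicon=setup.ico\nopen=setup.exe\n")
        return {
            "infected": inspect_drive(infected, "BACKUP 8GB " + LABEL_MARKER),
            "clean": inspect_drive(clean, "BACKUP"),
        }


if __name__ == "__main__":
    print(demo())
```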
The user names, encrypted passwords and email addresses of at least 150m subscribers to the app, owned by US firm Under Armour, were stolen in February, the company said in a statement.
The company said on Thursday that the accounts were compromised in February, sending shares of the company down 3% in after-hours trade. The breach was not discovered until 25 March and users were informed four days later.
The app allows customers to monitor their calorie intake and measure it against the amount of exercise they are doing using a database of more than 2 million foods. While the breach did not include financial data, large troves of stolen email addresses can be valuable to cyber criminals.
Tighter controls after Facebook breach make Indian developers worried.
Facebook will become less attractive to app developers if it tightens norms for data usage as a fallout of the prevailing controversy over alleged misuse of personal information mined from its platform, say industry members.
India has the second largest developer base for Facebook, a community that builds apps and games on the platform and engages its users. With 241 million users, the country last July overtook the US as the largest userbase for the social network platform.
"Apart from videos and posts, applications and games are what makes Facebook entertaining. App developers help build Facebook's audience, so there wouldn't be any major restrictions for long."
The content streaming service Netflix is ready to invite researchers worldwide to participate in the firm's bug bounty program and has now made the scheme public.
Over the past five years, Netflix has been accepting vulnerability reports from hackers and has been patching bugs through responsible disclosure setups, as well as a private bug bounty program.
The company says that over the past 18 months and after extending the scheme's reach beyond Bugcrowd's top 100 researchers to over 700 hackers, a total of 275 submissions have been made, of which 145 reports were valid.
"We have attempted to fine tune things like triage quality, response time and researcher interactions to build a quality program that researchers like to participate in," Netflix added.
Targets include the Netflix website, API, help center, and mobile applications for iOS and Android.
Over the past week we have been hearing how data from Facebook was used to potentially swing voters in the US elections and other campaigns by a firm called Cambridge Analytica.
What is Cambridge Analytica?
It is a British company which uses social media data to help clients influence voters or consumers by targeting messages based on people's hopes and fears.
How can data from Facebook potentially help in a political campaign?
Well, to start with, based on your interactions with Facebook over time, the platform has enough data about your likes and dislikes. It knows the kind of people you follow, the types of news sources you read and the range of actions and reactions these posts elicit from you. All these data points in combination are good enough to know your political affiliation, or a lack of such inclination.
How is this data used?
While none of us really use this, there is a Facebook ad preferences page that tells you how the social network sees you in reference to serving ads. It is not a perfect science at all, but based on your likes and dislikes Facebook lists the topics, people and interests which it thinks are good enough to push ads to you.
Emerging from several days in hiding while the Cambridge Analytica storm swamped his company, Facebook founder and CEO Mark Zuckerberg finally spoke on Thursday. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” his post sets out.
Security researchers at Check Point have discovered that Chinese cyber criminals are using malware named RottenSys to attack Android phones all over the world, with almost 5 million Android devices in their botnet.
Dubbed RottenSys, the malware, disguised as a 'System Wi-Fi service' app, came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE, added somewhere along the supply chain.
To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity. Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.
Routers are always an attractive target for hackers. They're always on and connected, often full of unpatched security vulnerabilities, and offer a convenient chokepoint for eavesdropping on all the data you pipe out to the internet.
A newly discovered nation-state cyber espionage campaign targeting Africa and the Middle East infects network routers in order to snare administrative credentials from its targets and then move freely throughout the network.
Infecting a router at a business or coffee shop, for instance, would then potentially give access to a broad range of users.
The flaw in 4G networks allows someone to make phone calls that appear to be from a number of their choice, which could be used by criminals to extract 4G customers' personal details to empty victims' bank accounts.
Using panic attack, attackers can create artificial chaos by broadcasting fake emergency messages about life-threatening attacks or riots to a large number of users in an area.
The mobile phone is the primary attack platform and mobile tracking is one of the fastest growing modes of spying worldwide.
Lots of tools that are used by companies to target ads on users could potentially be used also to spy on individuals, said Eva Galperin, director of cybersecurity at EFF, a digital rights organisation that helps activists and dissidents to protect their digital privacy.
Kali Linux, a very popular, free, and open-source Linux-based operating system widely used for hacking and penetration testing, is now natively available on Windows 10, without requiring dual boot or virtualization.
In Windows 10, Microsoft has provided a feature called "Windows Subsystem for Linux" (WSL) that allows users to run Linux applications directly on Windows. If this is your first time using Windows Subsystem for Linux (WSL), you need to enable this optional Windows feature before getting the Kali Linux app.
Follow these simple steps to enable WSL:
Now search for Kali Linux on Windows Store, download it with just a single click. Once you launch the application, it automatically completes Kali installation and will open the console window.
Putting a chip under your skin is not so very different from getting a piercing or tattoo - except there was often less blood.
At a trendy east London bar, a group of body hackers are putting forward their reasons for human augmentation to a packed audience of mainly under-35s, many of whom are sporting piercings and tattoos.
Bio-hacker Lepht Anonym has nine implants and strongly believes what she does will benefit humankind as well as her own curiosity. The magnets allow her to sense electromagnetic radiation so she can tell if a device is on or off, whether a microwave is running and identify where power lines are. All of which, she admits, is "not hugely useful".
She also has a chip under her skin that lets her interact with her phone and unlock doors. She hopes that the "primitive results" she has achieved can be used by other, more skilled people, to build something better.
Equifax Inc said on Thursday that it identified an additional 2.4 million U.S. consumers affected by last year's massive data breach, bringing the total number of people whose data was compromised to more than 147 million.
The new information is the latest blow to the industry giant, which lost three top executives — including its longtime CEO Rick Smith — in the fallout of the mega-breach that exposed private information belonging to 143 million people.
The data breach, which was discovered July 29, included sensitive information such as social security numbers, birthdays, addresses, and in some instances, driver's license numbers. Equifax said on Thursday it would contact the newly identified breach victims and offer them free identity theft protection and credit monitoring services.
Cellebrite may be using zero-day flaws in iOS to gain access to devices, which wouldn't be surprising—it's a commonly used trick. The concern for anyone with an iOS device would be the security of the exploits Cellebrite has discovered but not shared.
With Cellebrite claiming to be able to access the newest iPhones and iOS versions, it's safe to assume they've discovered new, unknown exploits. Previous leaks of government-level security tools have resulted in ransomware outbreaks like WannaCry, which means an attack on Cellebrite could lead to an iOS security incident on a level previously unseen.
The world's most popular torrent download software, µTorrent, has been found to have multiple security flaws. If you have this software installed on your computer, it's time to download its latest version for Windows as soon as possible.
The serious remote code execution vulnerability, which lets attackers intrude into a user's computer, was discovered by Google's security researcher Tavis Ormandy in both the µTorrent classic version and the newly launched µTorrent Web version.
At least three fake social media accounts posing as young women have encouraged victims into downloading highly invasive Android malware.
Victims are sent a link to install what they're told is the Kik messaging platform in order to continue the conversation.
If the target goes through with the installation - which requires them to allow apps to be installed from unknown sources - they're provided with a very convincing copy of Kik, but one which is laced with commands for conducting espionage.
The malware contains a variety of modules for collecting information about the victim, including their contacts, photos, call logs and text messages, as well as information about the device including its geolocation - meaning the user can be physically tracked - number, network operator and model.
An easy-to-exploit security bug was recently discovered in the dating app Tinder that left accounts and private chats exposed to hackers. A flaw in a Facebook-linked program called Account Kit let attackers access profiles armed with just a phone number.
Account Kit, implemented into Tinder, is used by developers to let users log in to a range of apps using mobile details or email addresses without a password.
But there was, until recently, a crack in this process that, according to Prakash, could let hackers compromise "access tokens" from users' cookies – small pieces of data on computers that remember browsing activity as people traverse the internet. The attacker could then exploit a bug in Tinder to use the token, which stores security details, and log in to the dating account with little fuss.
A Ukraine-based hacking group, known as Coinhoarder, has been stealing cryptocurrency from Blockchain.info users. Blockchain.info is one of the most popular crypto wallet solutions available, and Coinhoarder has been manipulating this service to steal more than $50 million from its users.
The hackers bought ads that contained certain popular keywords related to cryptocurrency. After buying the ads, hackers could poison the victim’s search results and display the compromised ads when a user googled terms such as "bitcoin", "wallet", or "blockchain". The malicious ads would show up and mislead users into thinking that they were being redirected to a legitimate website of blockchain.info wallet services.
A CRYPTOCURRENCY vault aimed at protecting online currencies such as Bitcoin from hacking is about to be launched by a digital Canadian bank, it has been reported.
The digital nature of cryptocurrencies means that many traders are often vulnerable to being hit by an online attack.
Mr Taylor added: "Our differentiator in this market is to be secure and super private. The bank wouldn’t have any kind of back door to open up the vault, we’re just providing the facility that folks could put their digital keys in."
The official 2018 Winter Olympics website went down for several hours causing a disruption to ticket sales and downloads during the opening ceremony. Localized Wi-Fi networks surrounding the games in South Korea also became temporarily unavailable in the preceding hours.
Olympic Destroyer uses the increasingly common combination of a malicious payload and credential stealer with two legitimate software tools, including Windows' PsExec and WMI (Windows Management Instrumentation), to laterally move across an already compromised network in order to covertly delete files, like shadow backups, Boot Configuration Data (BCD) and event logs on infected machines. In other words, it wipes remote data located on mapped share folders; not local files.
Websites, including those belonging to the Information Commissioner's Office, Student Loans Company and Scottish NHS helpline, were infected with a malicious script.
While tracing it back to its source, a website plug-in called Browsealoud was found, which helps people with low vision, dyslexia and low literacy access the internet.
The cryptocurrency involved was Monero - a rival to Bitcoin that is created to make transactions in it "untraceable" back to the senders and recipients involved. Since the cryptocurrency's creation the value of one Bitcoin has soared from just 72p to £12,300.
McAfee recently uncovered Operation GoldDragon, a malware attack targeting organizations affiliated with the 2018 Winter Games. Further investigation by McAfee Advanced Threat Research analysts has found that the consequences for victims of the malware implant GoldDragon include attackers accessing end-user systems and collecting data stored on the device and connected cloud accounts.
Potential risks include attackers' access to customer and employee financial or personal data, Winter Games related details, trade secrets, and more.
McAfee anticipates an increase in Winter Games cyber attacks using spear phishing techniques and cautions fans to be aware of suspicious links that attempt to lure victims into malicious content.
The Indian Railways has asked the Ministry of Electronics and Information Technology to block 19 websites over concerns of misuse of software on its catering and tourism portal for tatkal booking.
The 19 websites included myrailinfo.in, www.tatkalaap.com and www.tatkalsoftservice.com, according to a statement.
Samsung and Roku smart TVs are vulnerable to hackers and "raise privacy concerns by collecting very detailed information on their users."
"A relatively unsophisticated hacker could change channels, play offensive content or crank up the volume, which might be deeply unsettling to someone who didn't understand what was happening," Consumer Reports said. "This could be done over the web, from thousands of miles away."
The good news is these TVs' security vulnerabilities apparently won't allow hackers to spy on you or steal your information, according to Consumer Reports.
There have been some ads on YouTube recently, created by a few unknown attackers, that have been slowing down YouTube users' computers, and using their CPUs and electricity to generate digital currency.
The ads forced them to help malicious actors earn the cryptocurrency Monero, a bitcoin alternative, by hogging their computer processing power.
"An analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick," said Trend Micro.
The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task.
Intel had issued its software patch to address a security issue affecting millions of its processors worldwide.
But the software caused many machines to reboot or shut down and Intel later told people not to install it. Researchers discovered gaps in security stemming from central processing units - better known as the chip or microchip - that could allow privately stored data in computers and networks to be hacked.
Facebook is tracking you more than anything, not Aadhaar, said American author Thomas Friedman.
Aadhaar doesn't store anything about you except your biometrics. It's not tracking you.
"Facebook is tracking you much more today. If you are worried about privacy, then you shouldn’t be using Google, Facebook, Twitter, any of these things."
At least six attacks have taken place within the last week. They ranged in location from the Pacific Northwest to the Gulf region to New England. Thieves have stolen over $1 million in attacks so far.
To execute the cyber-attack, a thief needs physical access to an ATM and will use malware, physical hacking tools, or both, to take control of the machine and force it to dispense cash quickly. If it works, cash pours out of the ATM like the hacker won a jackpot.
Several modules have been identified performing different malicious activities. 27 Android gaming apps, covering all the popular gaming categories, were listed with this malware module.
The malware used steganography to hide a malicious script inside image files that were sent to users to infect them.
Using a module called Android.RemoteCode.127.origin, it relied on a connection to remote servers that supplied a link to download an additional module called Android.RemoteCode.126.origin.
The exploit chain triggers two vulnerabilities, CVE-2017-5116 and CVE-2017-14904. By chaining the vulnerabilities, attackers can remotely inject arbitrary code into the system_server process when a malicious URL in Chrome is accessed.
The victims can be tricked into clicking on such a URL by hackers that can fully compromise their mobile device.
The security researcher also received additional $7500 through the Chrome Rewards program.
Intel warned that you should stop deploying its current versions of Spectre/Meltdown patches, which Linux creator Linus Torvalds calls 'complete and utter garbage'.
Since last week, users are reporting that they are facing issues like spontaneous reboots and other 'unpredictable' system behaviour on their affected computers after installing Spectre/Meltdown patch released by Intel.
Keeping these problems in mind, Intel has advised OEMs, cloud service providers, system manufacturers, software vendors as well as end users to stop deploying the current versions of its patches until the chip giant develops 'a solution to address it'.
OnePlus admitted that credit card information belonging to 40,000+ customers was stolen by an unknown hacker.
The attacker possibly targeted one of the firm's systems, inserting a malicious script into the payment page code to sniff out credit card information.
The stolen data included card numbers, expiry dates, and security codes, taken directly from a customer's browser window.
Skygofree is a new Android spyware designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years.
Its capabilities include location-based audio recording using the device's microphone, the use of Android Accessibility Services to steal WhatsApp messages, and the ability to connect infected devices to malicious Wi-Fi networks controlled by attackers.
GhostTeam, a new malware designed to steal Facebook login credentials and aggressively display pop-up advertisements to users, has been found so far in 50+ apps on the Google Play Store.
The Play Protect security feature uses machine learning and app usage analysis to remove malicious apps from users' Android smartphones in an effort to prevent any further harm.
Yet another new manipulation of default behaviour within Intel Active Management Technology (AMT) can allow an attacker to bypass login and gain control over a user's device in less than 30 seconds.
Anyone with physical access to the affected laptop can bypass the login of BIOS/BitLocker etc.
Steps of exploitation:
Security researchers discovered a vulnerability in WhatsApp & Signal which allows anyone who controls the servers to covertly add new members to a private group.
The purpose of implementing end-to-end encryption was to stop anyone, be it the company itself or the server that transmits the data, from decrypting it. The vulnerability can enable anyone with access to the server to break the transport security layer and take full control over a group chat. Since WhatsApp & Signal failed to authenticate who is adding a new member to the group, it is possible for someone who is neither a group administrator nor a member to add a new member to a private group.
Source: https://www.isoeh.com/research-article-details-private-end-to-end-encrypted-whatsapp-group-chats-are-not-secured.html
Fuxploider is an open source penetration testing tool that automates the process of detecting and exploiting flaws in file upload forms.
It has the ability to detect the file types allowed to be uploaded and is able to detect which technique will work best to upload web shells or any malicious file on the desired web server.
Security researchers discovered that malicious apps designed to steal credentials from users have been downloaded million times from the Google Play Store. Among these, the most popular app is a gaming app. According to a blog post, it was originally a normal app without any malicious code, but it was later updated with information-stealing capabilities.
Since these apps looked like they came from VK.com – for listening to music or for monitoring user page visits – requiring a user to log in to his/her account through a standard login page did not look suspicious at all. The information stolen through the apps is helping cyber criminals to promote groups and increase their popularity.
To avoid your credentials being stolen, make sure to enable Google Play Protect on your devices.
When it comes to account compromise, phishing poses a greater threat than data breaches, say researchers at Google and UC Berkeley.
Data collected by Google shows that 80 percent of all the phishing kits observed targeted usernames, passwords, and geolocation; followed by phone numbers and device details. A smaller subset of the phishing attacks also targeted secret questions, full names, credit card data, and Social Security Numbers. (tahawultech.com)
For some people, Google controls most of their identity online, and losing access to that critical account could be devastating. According to Google, enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets.
The ads come with provocative headlines about hot-button political issues and targeted Facebook users likely to click based on political ideologies.
In September, an ad with the headline, "New Approval Ratings For President Trump Announced And It's Not Going The Way You Think," targeted Facebook users over 40. "Regardless of what you think of Donald Trump and his policies, it's fair to say that his appointment as President of the United States is one of the most…," ran the text. There was a "Learn more" button to lure the audience to click to read the whole news.
Those who clicked the button to read the elaborate news found their computers frozen with a warning and a phone number that users could call to get it fixed for a price. Though the freeze was temporary and restarting the computer would have unlocked it, some worried users who called the number were asked to pay to restore their access, according to computer security experts who have tracked the scam for more than a year.
The vulnerability in question stems from the affected apps failing to verify the hostname of the server they connected to against its cryptographically signed certificate. This could allow malicious third parties on the same network as the victim to step in and take control of an online banking session, intercepting usernames and passwords to hijack an account.
Researchers have tested a new tool on a sample of 400 apps, and found that several banking apps had a critical vulnerability that could have allowed a hacker connected to the same network as the victim to capture the victim's username and password by performing a 'Man in the Middle Attack.'
Apps from some of the world's largest banks were found to contain this flaw, which, if exploited, could have allowed an attacker to decrypt, view and modify network traffic from users of the app.
The cryptocurrency mining company NiceHash announced the breach in a statement in which it recommended that users change their passwords. NiceHash had suspended its operations for the time being, as the compromise of its payment system caused a loss of 64 million.
Hackers made off with contents of the company's bitcoin account, according to Andrej Škraba, the Slovenian marketplace's head of marketing. He told Reuters that the compromise was highly professional and involved "sophisticated social engineering".
"There are certainly a number of potential security issues to discuss, from API vulnerabilities to web application and database protection, however, without more details from NiceHash, we can only speculate by which method of attack their website was compromised," said Rusty Carter, vice president of product management for mobile app security company Arxan Technologies, via email.
Hackers may have obtained personal information for 1.6 million individuals after compromising the systems of PayPal's subsidiary TIO Networks.
An investigation conducted in collaboration with third-party cybersecurity experts revealed that TIO's network had been breached, including servers that stored the information of TIO clients and customers of TIO billers. Affected companies and individuals will be contacted via mail and email and offered free credit monitoring services via Experian.
The company has already been fined more than $40 million in the US over the scandal which involved tens of millions of people around the world.
Google is accused of bypassing the default privacy settings on Apple phones and successfully tracking the online behavior of people using the Safari browser. The data is used in its DoubleClick advertising business, which enables advertisers to target content according to a user's browsing habits.
Google believes that U.K. privacy laws do not apply to the company, and so British consumers that want to take the tech giant to court are facing a losing battle.
Three Chinese were charged with stealing 407 GB of sensitive data and trade secrets by sending "spearphishing" emails to computers in western Pennsylvania and around the world.
They were also accused of exploiting vulnerabilities in computer systems and using malware to gain access to confidential business and commercial information, work product, and sensitive employee information including usernames and passwords.
The Imgur security breach probably happened because of an older hashing algorithm. The stolen passwords were scrambled with the older SHA-256 hashing algorithm, which could be easily cracked using brute force attacks.
Imgur stated that it had encrypted users' passwords in its database with the outdated SHA-256, which is quite feasible to break.
If you use Facebook as a backup drive to store important and often personal photos/videos, then drop this habit. A newly discovered Facebook vulnerability could let anyone with some technical know-how delete any or all photos you posted on the social networking website.
This is because Facebook's Graph API wasn't checking permissions properly. If you sent a request to the Graph API to delete another user's photo album and tossed in your own Facebook for Android token as the required stamp of approval, it'd blindly accept it and the album would vanish.
Bloomberg has revealed that the company concealed for more than a year a massive data breach that exposed sensitive records of millions of drivers and customers. The stolen information included names, email addresses and mobile phone numbers of Uber users around the world, and the names and license numbers of 600,000 U.S. drivers.
Two attackers accessed a private GitHub coding site used by Uber software engineers and then used login credentials they obtained there to access data stored on an Amazon Web Services account that handled computing tasks for the company. From there, the hackers discovered an archive of rider and driver information. Later, they emailed Uber asking for money, according to the company.
Experts found 482 of the top 50,000 websites use session replay scripts. You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts.
Hundreds of homepages, including those of Microsoft, Adobe, WordPress, Spotify and Skype, use secret code, called 'session replay' scripts, to monitor your online activity.
This could be used by third parties to reveal everything from credit card details to medical complaints, as well as putting you at risk of identity theft and online scams.
If you are an Android user, then you are also among the billions of users whose smartphone is secretly gathering location data and sending it back to Google.
Android devices have been sending location information about nearby cell towers to Google since the beginning of 2017, with Google getting pinged every time a user entered the range of a new tower. Even if the user actively turned off location services, Google can still access their location and movements without their knowledge.
Cars on the road may already be targeted by hackers, and it is feared that vehicles built after 2005 are vulnerable to being controlled remotely, although models up to 17 years old could also be affected.
The government is now being urged to create laws that would force car manufacturers to constantly provide software updates for their vehicles.
Carsten Maple, professor of cyber engineering at the University of Warwick, said: "We’ve already seen vehicles used as weapons. Cybersecurity researchers must ensure systems are engineered to stop new attacks."
Siri helpfully obeys the orders of any hacker who talks to her—even, in some cases, one who's silently transmitting those commands via radio from as far as 16 feet away.
It can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled, if it also has a pair of headphones with a microphone plugged into its jack.
Their clever hack uses those headphones' cord as an antenna, exploiting its wire to convert surreptitious electromagnetic waves into electrical signals that appear to the phone's operating system to be audio coming from the user’s microphone.
Without speaking a word, a hacker could use that radio attack to tell Siri or Google Now to make calls and send texts, dial the hacker's number to turn the phone into an eavesdropping device, send the phone's browser to a malware site, or send spam and phishing messages via email, Facebook, or Twitter.
Researchers found that IoT cameras can be infected with a variant of a known malware program, known as Bashlite, Lightaidra or GayFgt, specially designed for ARM versions of Linux.
The target of the DDoS attack was a rarely-used asset of a large cloud service, serving millions of users worldwide.
All of the compromised cameras monitored by the researchers were logged into from multiple locations in almost every case, suggesting that several different hackers were abusing the weakness of unsecured CCTV cameras.
Top targeted countries for CCTV botnets around the world include India, China, Iran, Indonesia, US, and Thailand.
Chip-and-Pin Card Fraud: Man-in-the-Middle Attack
How it works?
A typical EMV transaction involves three steps:
When a buyer inserts the altered card, the original chip is allowed to respond to the card authentication as normal. But, during cardholder authorization, the POS system would ask to enter a PIN.
In this case, the fraudster could respond with any PIN, and the fraudulent chip comes into play and will result in a "YES" signal regardless of whatever random PIN the thief has entered.
The attacker intercepts the PIN query and replies that it is correct, whatever the code is!
Fixed — at least in Europe, researchers declined to fully detail new security measures.
AT&T and Verizon's implementations of LTE are said to be vulnerable to "several issues" that could result in eavesdropping, data spoofing, and over-billing for potentially millions of phones.
Android devices on these networks are most at risk because the software "does not have appropriate permissions model" for LTE networks.
LTE (also known as 4G) relies on packet switching, a common way of sending data across the internet, rather than the old method of circuit switching.
This new method of sending data allows for new kinds of attacks, particularly against the Session Initiation Protocol (SIP), nowadays more commonly used in voice calls and instant messaging.
Researchers have found a method that exploits the way that SIP works, by spoofing phone numbers for calls or text messages.
It's also possible for an attacker to obtain free bandwidth for more data-intensive activities, like video calling, without incurring any additional costs.
In some cases, an attacker can establish multiple SIP sessions at the same time, which could lead to a denial-of-service attack on the network.
US company Battelle has developed a shoulder-mounted rifle to deal with unwanted drones flying around.
"DroneDefender" is a revolutionary weapon specifically designed to target drones and knock them out of the sky at a range of just 400 meters, intercepting them without totally destroying them.
The Battelle DroneDefender utilizes radio waves to neutralize in-flight drones and force them to land, hover or return to their point of origin.
DroneDefender emits radio pulses that interrupt the communications system of the drone (both the drone and the GPS signal it sends out) and make it think that it has gone out of range, thereby preventing the drone from accepting any additional commands from its operator.
Nearly 5.6 million fingerprints of federal employees were also stolen in the massive data breach that took place in April this year.
The OPM, the US government agency that handles all federal employee data, reported that some 1.1 million fingerprints were stolen, a figure which then escalated to 5.6 million.
OPM's interagency team (members of the FBI, Defense Department, and Homeland Security) is reviewing the potential ways hackers could misuse the data.
Whoever has access to the goldmine – the stolen OPM data – holds a highly powerful, unchangeable key.
The Apple website is not secure. While surfing the Apple site http://www.apple.com/ I have found several encryption related vulnerabilities. Here are those:-
Appraisal letter from Apple:-
Re: Apple Developer Feedback
Thank you for contacting Apple Developer Support regarding the Developer website.
We appreciate that you have taken the time to send us your feedback. Please be assured that all of your comments have been forwarded to the appropriate Apple team.
If you have further questions or comments, please let us know.
Apple Developer Support
About the university:
Sikkim Manipal is one of the largest private universities in India. The Institute attracts students from all over the country, with over 1700 students enrolled in the various engineering disciplines. 102 full-time faculty members are employed.
Type of problem:
User Name: sanjay
[any name will work]
Password: ' OR ''='
Choose the "Center Login" radio button
You have access to the main admin panel. Option to download & print ALL student records, contact information, admit cards for upcoming examinations, assignments, results, etc. Option to change password.
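The password value in this report is a SQL tautology: if a login query is built by string concatenation, the quote closes the string literal and the trailing `OR ''=''` makes the WHERE clause true for every row. The following added example (not the university's code; the table, column and function names and the sample rows are hypothetical) shows that failure next to the parameterized form, on an in-memory SQLite database.

```python
import sqlite3

# Constructed sample rows. Passwords are plain text only so that both query
# styles can run on the same table; the subject here is query construction.
ROWS = [("center_admin", "Xk9#constructed"), ("center_02", "pL2!constructed")]
PAYLOAD = "' OR ''='"   # the password value quoted in the report above

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO logins VALUES (?, ?)", ROWS)
    return db

def login_concatenated(db, username, password):
    """Vulnerable form: user input becomes part of the SQL text."""
    sql = ("SELECT username FROM logins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    sql = "SELECT username FROM logins WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def demo():
    db = make_db()
    try:
        # A harmless apostrophe already breaks the concatenated query.
        login_concatenated(db, "center_02", "it's")
        quote_breaks_query = False
    except sqlite3.OperationalError:
        quote_breaks_query = True
    return {
        # AND binds tighter than OR, so the clause reads
        # (username = 'sanjay' AND password = '') OR ('' = '').
        "concat_payload": login_concatenated(db, "sanjay", PAYLOAD),
        "param_payload": login_parameterized(db, "sanjay", PAYLOAD),
        "param_valid": login_parameterized(db, "center_02", "pL2!constructed"),
        "quote_breaks_query": quote_breaks_query,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

A syntax error raised by an ordinary apostrophe in a login field is a useful signal in application logs that input is reaching the SQL parser.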
About the university:
Calcutta University is the oldest existing university in the Indian subcontinent. Founded in 1857, it is ranked 39th in the world.
Vulnerability: The main page, www.caluniv.ac.in, is spreading a virus. It has an iframe code injection and is pulling the virus from the Russian site pantscow.ru.
Hundreds will be infected while checking for results on the website.
Banks are warning customers of the risk of their mobile banking credentials being stolen by malware masquerading as a Flash player sent to them through unwarranted messages or through pop-ups on websites.