LSW

Moderators
  • Posts: 1,625
  • Joined
  • Last visited
  • Days Won: 28

Posts posted by LSW

  1. Adobe Releases February 2019 Patch Updates For 75 Vulnerabilities

    https://thehackernews.com/2019/02/adobe-software-update.html

    Quote

     

    Adobe has today released its monthly security updates to address a total of 75 security vulnerabilities across its various products, 71 of which reside in Adobe Acrobat and Reader alone.
     
    February 2019 patch Tuesday updates address several critical and important vulnerabilities in Adobe Acrobat Reader DC, Adobe Coldfusion, Creative Cloud Desktop Application, and Adobe Flash Player for Windows, macOS, Linux, and Chrome OS.
     
    According to the advisory released today, 43 out of 71 vulnerabilities addressed by Adobe in Acrobat and Reader are rated as critical in severity, most of which could lead to arbitrary code execution in the context of the current user upon successful exploitation.

     

     

  2. Microsoft Patch Tuesday — February 2019 Update Fixes 77 Flaws

    https://thehackernews.com/2019/02/microsoft-patch-tuesday-february.html

    Quote

    Microsoft has issued its second Patch Tuesday for this year to address a total of 77 CVE-listed security vulnerabilities in its Windows operating systems and other products, 20 of which are rated critical, 54 important and 3 moderate in severity.

     
    The February security update addresses flaws in Adobe Flash Player, Internet Explorer, Edge, Windows, MS Office, and Office Services and Web Apps, ChakraCore, .NET Framework, Exchange Server, Visual Studio, Azure IoT SDK, Dynamics, Team Foundation Server, and Visual Studio Code.
     
    Four of the security vulnerabilities patched by the tech giant this month have been reported as being publicly known at the time of release, and one is being actively exploited in the wild.

     

  3. Google releases Chrome extension to check for leaked usernames and passwords

    https://www.zdnet.com/article/google-releases-chrome-extension-to-check-for-leaked-usernames-and-passwords/

    Quote

     

    Today, on Safer Internet Day, Google has released a new Chrome extension named "Password Checkup" that checks if usernames and password combinations entered in login forms have been leaked online during past data breaches and security incidents.
     
    The extension works every time users log into an online service. The extension takes the username and password entered in the login form and checks them against a database of over four billion credentials that Google engineers have collected from public breaches in the past few years.
     
    If the username and password combo are found in Google's internal database of unsafe credentials, the extension will show a popup alerting the user that they need to change the credentials.

     

     

  4. Google Created Faster Storage Encryption for All Low-End Devices

    https://thehackernews.com/2019/02/fast-adiantum-file-encryption.html

    Quote

     

    Google has launched a new encryption algorithm that has been built specifically to run on mobile phones and smart IoT devices that don't have the specialized hardware to use current encryption methods to encrypt locally stored data efficiently.
     
    Encryption has already become an integral part of our everyday digital activities.
     
    However, it has long been known that encryption is expensive, as it causes performance issues, especially for low-end devices that don't have hardware support for making the encryption and decryption process faster.
     
    Since data security concerns have recently become very important, not using encryption is no longer a wise tradeoff, and at the same time, using a secure but slow device on which apps take much longer to launch is also not a great idea.

     

     

     

  5. https://thehackernews.com/2019/02/ios-security-update-facetime.html

    Quote

     

    Apple has finally released the iOS 12.1.4 software update to patch the terrible Group FaceTime privacy bug that could have allowed an Apple user to call you via the FaceTime video chat service and hear or see you before you even pick up the call, without your knowledge.
     
    The Facetime bug (CVE-2019-6223) was discovered by 14-year-old Grant Thompson of Catalina Foothills High School while he was trying to set up a Group FaceTime session with his friends.
     
    Thompson reported the bug to the company a week before it made headlines across the internet, forcing Apple to temporarily disable the group calling feature within FaceTime.

     

     

  6. https://thehackernews.com/2019/02/unsend-delete-facebook-message.html

    Quote

     

    Ever sent a message on Facebook Messenger then immediately regretted it, or an embarrassing text to your boss in the heat of the moment at late night, or maybe accidentally sent messages or photos to a wrong group chat?
     
    Of course, you have. We have all been through drunk texts and embarrassing photos many times that we later regret sending but are forced to live with our mistakes.
     
    Good news, Facebook is now giving us a way to erase our little embarrassments.
     
    After offering a similar feature to WhatsApp users two years ago, Facebook is now rolling out a long-promised option to delete text messages, photos, or videos inside its Messenger application starting from Tuesday, February 5.

     

     

     

  7. Android Phones Can Get Hacked Just by Looking at a PNG Image

    https://thehackernews.com/2019/02/hack-android-with-image.html

    Quote

     

    Beware! You have to be more cautious when opening an image file on your smartphone, whether downloaded from anywhere on the Internet or received through messaging or email apps.
    Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three newly-discovered critical vulnerabilities that affect millions of devices running recent versions of Google's mobile operating system, ranging from Android 7.0 Nougat to its current Android 9.0 Pie.
     
    The vulnerabilities, identified as CVE-2019-1986, CVE-2019-1987, and CVE-2019-1988, have been patched in Android Open Source Project (AOSP) by Google as part of its February Android Security Updates.
     
    However, since not every handset manufacturer rolls out security patches every month, it's difficult to determine whether your Android device will get these security patches anytime soon.

     

     

  8. http://www.scienceinsanity.com/2019/01/elon-musk-plans-to-give-entire-planet.html


     

    Quote

     

    In Musk's case though, the project is about sending top-grade satellites into space, and not just a few: we are talking about 4,425 satellites, in a project that will cost a whopping $10bn.

    …He is planning to send them all at once, with no thought of testing waters with a few before sending more.

     

  9. Facebook Paid Teens $20 to Install 'Research' App That Collects Private Data

     
    Quote

     

    If you are thinking that Facebook is sitting quietly after being forced to remove its Onavo VPN app from Apple's App Store, then you are mistaken.
     
    It turns out that Facebook is paying teenagers around $20 a month to use its VPN app that aggressively monitors their smartphone and web activity and then sends it back to Facebook.
     
    The social media giant was previously caught collecting some of this data through Onavo Protect, a Virtual Private Network (VPN) service that it acquired in 2013.

     

    I really hope no one is doing this, and ensure your teens are not either. Teens as in 13 and up.  - LSW

  10. New FaceTime Bug Lets Callers Hear and See You Without You Picking Up

    https://thehackernews.com/2019/01/apple-facetime-privacy-hack.html

    Quote

     

    If you own an Apple device, you should immediately turn OFF FaceTime app for a few days.
     
    A jaw-dropping unpatched privacy bug has been uncovered in Apple's popular video and audio call app FaceTime that could let someone hear or see you before you even pick up their call.
    The bug is going viral on Twitter and other social media platforms with multiple users complaining of this privacy issue that can turn any iPhone into an eavesdropping device without the user's knowledge.
     
    The Hacker News has tested the bug on iPhone X running the latest iOS 12.1.2 and can independently confirm that it works, as flagged by 9to5Mac on Monday. We were also able to replicate the bug by making a FaceTime call to a MacBook running macOS Mojave.

     

     

    Apple Rushes to Fix Serious FaceTime Eavesdropping Flaw

    https://www.databreachtoday.com/apple-rushes-to-fix-serious-facetime-eavesdropping-flaw-a-11978

    Quote

     

    Apple has disabled Group FaceTime after reports emerged on Monday that the feature could be abused to eavesdrop on iPhone users.
     
    "We're aware of this issue and we have identified a fix that will be released in a software update later this week," an Apple spokesman tells Information Security Media Group.
     
    Apple's system status page says that Group FaceTime, as of 3:16 a.m. British Time, remains "temporarily unavailable" due to an "issue."
     
    The technology giant's move follows an exploit for the flaw going viral via social media and Reddit on Monday after a proof-of-concept demonstration video was posted.

     

     

  11. Millions of PCs Found Running Outdated Versions of Popular Software

    https://thehackernews.com/2019/01/software-vulnerabilities-hacking.html

    Quote

     

    It is 2019, and millions of computers still either have at least one outdated application installed or run outdated operating systems, making themselves vulnerable to online threats and known security vulnerabilities/exploits.
     
    Security vendor Avast has released its PC Trends Report 2019 revealing that millions of users are making themselves vulnerable to cyber attacks by keeping outdated versions of popular applications on their computers.
     
    Probably the most overlooked vector for any cyber attack is out-of-date programs, which, most of the time, is the result of users' laziness and company administrators ignoring security updates in a business environment because they can't afford the downtime.
     
    According to the report [PDF], Adobe Shockwave tops the list of software that most users leave outdated on their PCs, followed by VLC Media Player, Skype, Java Runtime Environment, 7-Zip File Manager, and Foxit Reader.

     

     

  12. Data Breach Collection Contains 773 Million Unique Emails

    https://www.databreachtoday.com/blogs/data-breach-collection-contains-773-million-unique-emails-p-2713

    Quote

     

    On Thursday, Australian information security expert Troy Hunt warned that a collection of email address and password combinations that's currently in circulation contains 2.7 billion rows.
     
    He says the massive collection of breached data, called "Collection #1," appears to have been compiled from a hodgepodge of sources, and contains 773 million unique email addresses.
     
    "It's made up of many different individual data breaches from literally thousands of different sources," Hunt writes in a blog post.
     
    Hunt runs the free Have I Been Pwned service, which enables users to register their email address and receive an alert anytime the email shows up in a data dump that Hunt loads into the service. He says that of the 2.2 million email addresses that users have registered with Have I Been Pwned, about 768,000 of them appear in the Collection #1 breach, and thus his service is sending out that many notifications to affected users.
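    The two posts above on Google's Password Checkup (item 3) and on Collection #1 / Have I Been Pwned (item 12) describe the same underlying task: dedupe a combo list into unique addresses, and then let a client ask "is this credential in the dump?" without handing the credential to the lookup service. The block below is an added example written for this page; it is neither Google's nor Troy Hunt's code. The combo rows are constructed, not taken from Collection #1. The lookup follows the k-anonymity range layout that HIBP's Pwned Passwords API uses (SHA-1 of the password, the client sends only the first five hex characters and matches the suffix locally); Google's extension uses its own privacy-preserving protocol, which this example does not reproduce. SHA-1 is used here only to match that API's format, never as a way to store passwords.

```python
import hashlib
from collections import Counter

# Constructed sample in the "email:password" style of a leaked combo list.
# These rows are made up for the example and are not real breach data.
SAMPLE_ROWS = """\
alice@example.com:Summer2018!
Alice@Example.com:Summer2018!
bob@example.org:hunter2
bob@example.org:hunter2
carol@example.net:correct horse battery staple
dave@example.com:hunter2
malformed line without a separator
"""


def parse_combolist(text):
    """Yield (email, password) pairs from combo-list text.

    Rows are split on the first ':' (passwords may themselves contain ':'),
    emails are lower-cased so 'Alice@' and 'alice@' count as one address,
    and rows without a separator or an '@' are skipped as junk.
    """
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" in email and password:
            yield email, password


def summarize(text):
    """Row count versus unique addresses versus unique (email, password) pairs."""
    rows = list(parse_combolist(text))
    return {
        "rows": len(rows),
        "unique_emails": len({e for e, _ in rows}),
        "unique_pairs": len(set(rows)),
    }


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_range_index(text, prefix_len=5):
    """Server side: bucket the SHA-1 of every password by its hash prefix.

    Each bucket maps hash suffix -> number of times that password appeared,
    so a range query reveals only which suffixes share the requested prefix.
    """
    index = {}
    for _, password in parse_combolist(text):
        h = sha1_hex(password)
        index.setdefault(h[:prefix_len], Counter())[h[prefix_len:]] += 1
    return index


def range_query(index, prefix):
    """Server side: return the whole bucket for a prefix and nothing else."""
    return dict(index.get(prefix, {}))


def password_is_pwned(index, password, prefix_len=5):
    """Client side: hash locally, transmit only the prefix, match locally.

    Returns how many times the password occurred in the dump (0 if absent).
    """
    h = sha1_hex(password)
    bucket = range_query(index, h[:prefix_len])
    return bucket.get(h[prefix_len:], 0)
```

    The server in this model never learns the full hash, only that the caller is interested in one of the (on a real dataset, several hundred) passwords in the bucket. The count returned is also useful on its own: a password seen three times across a dump is a better candidate for credential stuffing than one seen once.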

     

     

  13. Your Garage Opener Is More Secure Than Industrial Remotes

    https://www.databreachtoday.com/your-garage-opener-more-secure-than-industrial-remotes-a-11950

    Quote

     

    Radio-frequency controllers used in the construction, mining and shipping industries are dangerously vulnerable to hackers, making the devices prime targets for attacks that could shut down operations and possibly hurt workers, Trend Micro says in a new report.
     
    RF controllers, which are critical for safety, often use proprietary communication protocols that haven't kept pace with security threats. An attacker could spend less than $2,000 to build a battery-powered, coin-sized device that can take over an industrial device, Trend Micro claims.
     
    The results from such an attack could be unavailable equipment, financial losses, and at worst, human injuries. The affected vendors include Saga, Juuko, Gain Electronic Co. Ltd., Telecrane, and Hetronic, Trend Micro reports.

     

     

  14. 5 Popular Web Hosting Services Found Vulnerable to Multiple Flaws
     Bluehost, Dreamhost, HostGator, OVH, and iPage

    https://thehackernews.com/2019/01/web-hosting-server-security.html

    Quote

     

    A security researcher has discovered multiple one-click client-side vulnerabilities in some of the world's most popular and widely-used web hosting companies that could have put millions of their customers as well as billions of their sites' visitors at risk of hacking.
     
    Independent researcher and bug-hunter Paulos Yibelo, who shared his new research with The Hacker News, discovered roughly a dozen serious security vulnerabilities in Bluehost, Dreamhost, HostGator, OVH, and iPage, which amounts to roughly seven million domains.
     
    Some of the vulnerabilities are so simple to execute that they only require attackers to trick victims into clicking a simple link or visiting a malicious website in order to take over the accounts of anyone using the affected web hosting providers.

     

     

  15. Reminder: Microsoft to end support for Windows 7 in 1-year from today

    https://thehackernews.com/2019/01/microsoft-windows-7-support.html

     

    Quote

     

    A new reminder for those who are still holding on to the Windows 7 operating system—you have one year left until Microsoft ends support for its 9-year-old operating system.
     
    So it's time for you to upgrade your OS and say goodbye to Windows 7, as its five years of extended support will end on January 14, 2020—that's precisely one year from today.
     
    After that date, the tech giant will no longer release free security updates, bug fixes and new functionalities for the operating system that's still widely used by people, which could eventually leave a significant number of users more susceptible to malware attacks.

     

     

  16. Police Can't Force You To Unlock Your Phone Using Face or Fingerprint Scan

    https://thehackernews.com/2019/01/phone-fingerprint-unlock.html

    Quote
    Can feds force you to unlock your iPhone or Android phone?
     
    ..."NO"
     
    A Northern California judge has ruled that federal authorities can't force you to unlock your smartphone using your fingerprints or other biometric features such as facial recognition—even with a warrant.
     
    The ruling came in the case of two unspecified suspects allegedly using Facebook Messenger to threaten a man with the release of an "embarrassing video" to the public if he did not hand over money.
     
    The federal authorities requested a search warrant for an Oakland residence, seeking to seize multiple devices connected to the suspects and then compel anybody on the premises at the time of their visit to unlock the devices using fingerprint, facial or iris recognition.
     
    However, Magistrate Judge Kandis Westmore of the U.S. District Court for the Northern District of California turned down the request, ruling the request was "overbroad and neither limited to a particular person nor device."

    [Let me add a few words here:

    1. Although I trust the site, they are not legal experts. This is one ruling in California.
    2. It is a fact that you cannot be forced to open your phone if it is secured with the less secure password/code. Nothing that is in your head. You can, up until this point, be forced to open your phone if you use the more secure physical methods like fingerprints. This has been confirmed by many legal scholars. So outside of California, it may still be an issue.
    3. Lastly, I am currently training in cyber forensics and it has included the requirements for a search warrant, as we find evidence used in courts. Search warrants must be very specific about what they expect to find. Note I have bolded above how the judge found that the warrant was not limited to a person or device. They cannot have me open your phone because I happen to be in the room with you or your device.

    That said, this is an important call made by this judge and I applaud it. I do not use fingerprint or facial recognition as I can be forced to open my phone, I use the less secure options so that I cannot be forced to open it.]

     

  17. Hackers are spreading Islamic State propaganda by hijacking dormant Twitter accounts

    https://techcrunch.com/2019/01/02/hackers-islamic-state-propaganda-twitter/

    Quote
    Hackers are using a decade-old flaw to target and hijack dormant Twitter accounts to spread terrorist propaganda, TechCrunch has learned.
     
    Many of the affected Twitter accounts appeared to be hijacked in recent days or weeks — some longer — after years of inactivity. A sudden shift in tone or the language used in tweets often gives away the hijack — usually a single tweet in Arabic, sometimes praising Allah or retweeting propaganda from another account.
     
    Twitter has suspended most of the accounts we reviewed, but some remain active.
     
    The recent resurgence in hijacked accounts appears to be hackers exploiting Twitter’s legacy lack of email confirmation. Twitter took steps to prevent the automated creation of new accounts in June by requiring new accounts to be confirmed using an email address or phone number, but many older accounts remain unconfirmed.

     

  18. Microsoft Patch Tuesday — January 2019 Security Updates Released

    https://thehackernews.com/2019/01/windows-security-updates.html

    Quote
    Microsoft has issued its first Patch Tuesday for this year to address 49 CVE-listed security vulnerabilities in its Windows operating systems and other products, 7 of which are rated critical, 40 important and 2 moderate in severity.
     
    Just one of the security vulnerabilities patched by the tech giant this month has been reported as being publicly known at the time of release, and none are being actively exploited in the wild.
     
    All the seven critical-rated vulnerabilities lead to remote code execution and primarily impact various versions of Windows 10 and Server editions.

     

  19. Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader

    https://thehackernews.com/2019/01/adobe-reader-vulnerabilities.html

    Quote

    Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company's Acrobat and Reader for both the Windows and macOS operating systems.

    Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in the context of the current user.

     

  20. Thousands of Google Chromecast Devices Hijacked to Promote PewDiePie

    https://thehackernews.com/2019/01/chromecast-pewdiepie-hack.html

    Quote

    A group of hackers has hijacked tens of thousands of Google's Chromecast streaming dongles, Google Home smart speakers and smart TVs with built-in Chromecast technology in recent weeks by exploiting a bug that's allegedly been ignored by Google for almost five years.

    The attackers, who go by Twitter handles @HackerGiraffe and @j3ws3r, managed to hijack Chromecasts’ feeds and display a pop-up, spreading a security warning as well as controversial YouTube star PewDiePie propaganda.

    The hackers are the same ones who hijacked more than 50,000 internet-connected printers worldwide late last year by exploiting vulnerable printers to print out flyers asking everyone to subscribe to PewDiePie YouTube channel.

     

  21. Microsoft Issues Emergency Patch For Under-Attack IE Zero Day

    https://thehackernews.com/2018/12/internet-explorer-zero-day.html

    Quote
    Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser that attackers are already exploiting in the wild to hack into Windows computers.
     
    Discovered by security researcher Clement Lecigne of Google's Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser's scripting engine.
     
    According to the advisory, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of Microsoft Internet Explorer that handles execution of scripting languages.
     
    If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user.

     

  22. PHP Version 5 End of Life: Millions of Websites are About to Become Vulnerable

    https://www.riskiq.com/blog/external-threat-management/php-version-5-end-of-life/

    Quote
    Beginning this month, versions 5.6 and 7.0 of the server-side scripting language PHP will reach end-of-life and will no longer be supported. That means websites using these versions of PHP will run on a platform that no longer receives updates or patches, leaving them extremely vulnerable to hacks and data exposure.
     
    Sites running PHP 5 should update to newer, supported versions such as PHP 7.2 immediately, but many lack the visibility into their internet-exposed attack surface that would help these organizations identify assets running PHP and upgrade to the latest version if needed.
     
    Just how prevalent is this now outdated version of PHP?  Of the 78.9% of all websites using PHP, 59.6% are using version 5. According to RiskIQ telemetry data, 55,714,034 of the sites we crawled all-time ran version 5, and 11,612,312 since the start of 2018.
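    The post says the hard part is "visibility into their internet-exposed attack surface", i.e. finding which of your own hosts still run an end-of-life PHP branch. The block below is an added example (editor's code, not RiskIQ's) of the triage step: pull the PHP branch out of captured HTTP response headers and flag the branches the article names as end-of-life. The four responses and hostnames are constructed for the example. It treats 5.6 and 7.0 (and anything older) as EOL, per the article, and everything newer as supported as of the article's date; it does not try to track later EOL dates.

```python
import re

# Constructed HTTP responses from four hypothetical hosts (not real scan data).
SAMPLE_RESPONSES = {
    "shop.example.com": "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29\r\nX-Powered-By: PHP/5.6.40\r\n\r\n",
    "blog.example.org": "HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Powered-By: PHP/7.2.14\r\n\r\n",
    "api.example.net": "HTTP/1.1 200 OK\r\nServer: nginx\r\nSet-Cookie: PHPSESSID=abc123; path=/\r\n\r\n",
    "static.example.com": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
}

# Per the article, 5.6 and 7.0 are the last branches to reach end-of-life,
# so any branch at or below 7.0 is treated as unsupported.
LAST_EOL_BRANCH = (7, 0)
PHP_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.\d+)?", re.IGNORECASE)


def parse_headers(raw):
    """Split a raw HTTP response into {lower-cased-name: [values]} (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def php_branch(headers):
    """Return 'major.minor' if any X-Powered-By or Server value claims PHP."""
    for value in headers.get("x-powered-by", []) + headers.get("server", []):
        m = PHP_VERSION_RE.search(value)
        if m:
            return m.group(1) + "." + m.group(2)
    return None


def classify(raw):
    """Return (evidence, branch, status) for one response.

    evidence: 'header' (version string present), 'cookie' (PHPSESSID only) or None
    status:   'eol', 'supported', 'php-version-unknown' or 'no-php-evidence'
    """
    headers = parse_headers(raw)
    branch = php_branch(headers)
    if branch is not None:
        major, minor = (int(x) for x in branch.split("."))
        status = "eol" if (major, minor) <= LAST_EOL_BRANCH else "supported"
        return ("header", branch, status)
    if any("PHPSESSID" in c for c in headers.get("set-cookie", [])):
        return ("cookie", None, "php-version-unknown")
    return (None, None, "no-php-evidence")


def triage(responses):
    """Classify every captured response, keyed by host."""
    return {host: classify(raw) for host, raw in responses.items()}
```

    Two caveats a practitioner should keep in mind. A missing version header is not evidence that PHP is absent: `expose_php = Off` in php.ini suppresses `X-Powered-By`, which is why the example still reports a `PHPSESSID` cookie as "PHP, version unknown" rather than "no PHP". And the version string is whatever the server chooses to send, so a "supported" result is a triage hint, not proof; confirm on the host itself (`php -v`) before closing the finding.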

     
