• “Major Flaw” Discovered in Evernote’s Chrome Extension

    A major flaw has been discovered in the code of the Web Clipper Chrome extension of note-taking service Evernote. The flaw, a universal XSS tracked as CVE-2019-12592 which could have allowed threat actors to extract personal information from the browser environment, was unearthed by security company Guardio and disclosed to Evernote in late May. Within a week, Evernote addressed the issue and rolled out a complete fix. Accord
  • Europol Gamifies Cryptocurrency Crime Prevention

    Europol trained its members on cryptocurrency-related crime at a conference last week, announcing the development of a new game. The cross-jurisdictional law enforcement organization claimed that over 300 experts in cryptocurrency, from both the police and private sector, attended its headquarters in The Hague for the region’s largest conference of its kind last week. The aim was to share best practice and look at new partnership-building oppor
  • Liberty mounts latest court challenge to 'snooper's charter'

    Rights group argues powers of MI5 and GCHQ to obtain and store data breach human rights
    The legality of the intelligence services’ bulk surveillance activities, under which personal data is obtained from social media companies as well as through hacking and interception, is being challenged in court. Monday’s action by the civil rights organisation Liberty follows revelations last week that MI5 had lost control of its data storage operations and admitted there were “ungoverne
  • US Lawmakers Hear Testimony on Concerns of Deepfakes

    Days after a video of a transformed Arnold Schwarzenegger went viral on YouTube, members of the US House Intelligence Committee heard testimony on Thursday, June 13, raising concerns about the threat of "deepfakes," according to The Hill. In his opening remarks, committee chairman Adam Schiff said, “Advances in AI and machine learning have led to the emergence of advanced digitally doctored media, so-called ‘deepfakes’
  • Malware a Serious Threat for Industrial Orgs

    During Q1 2019, cryptolocker malware spiked to account for 24% of all malware used, up from only 9% in Q4 2018, according to a new report from Positive Technologies. “This malware is often used in combination with phishing, with hackers constantly inventing new ways of deceiving users and making them pay a ransom. Healthcare has proved to be a favorite target of cryptolockers. Medical institutions are more likely to pay a ransom compared to other
  • Canadian City Fell Prey to a $375K Phish

    Yet another city has fallen victim to "a complex phishing email." The scam cost Burlington, Ontario, Canada, C$503,000, the equivalent of nearly US$375,000. “On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor. The transaction w
  • Home Secretary Signs Assange US Extradition Request

    UK home secretary Sajid Javid has approved a US request for the extradition of WikiLeaks founder Julian Assange. The Tory leadership hopeful told BBC Radio 4’s Today program on Thursday that the controversial figure is one step closer to a trial on US soil, where he faces an 18-count indictment. “He’s rightly behind bars. There’s an extradition request from the US that is before the courts tomor
  • Millions of Email Servers at Risk from Cryptomining Worm

    Researchers have spotted a major new cyber-attack campaign targeting millions of Linux email servers around the world with a cryptomining malware payload. Exim accounts for over half (57%) of the globe’s internet email servers. Over 3.5 million are at risk from a vulnerability disclosed last week, CVE-2019-10149, according to security vendor Cybereason. There appear to be two waves of attack: the first involved attackers initiall
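    The first question a practitioner asks about an item like this is whether their own hosts are in the affected range. The following is an added example, not code from the article or from the Exim project: it parses the banner `exim -bV` prints and checks the upstream version against the range the public advisory gives for CVE-2019-10149 (4.87 through 4.91 inclusive, fixed in 4.92). The affected range and the sample banner are assumptions not stated on the page; the banner is constructed.

```python
"""Flag Exim hosts whose reported version falls in the range affected by
CVE-2019-10149 (fixed upstream in Exim 4.92).

Added example; not code from the article or from the Exim project.
Assumptions not stated on the page: the affected range 4.87 through 4.91
inclusive is taken from the public advisory, and SAMPLE_BANNER is a
constructed stand-in for the first line `exim -bV` prints.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (4, 87)   # first affected upstream release (assumption: per advisory)
AFFECTED_MAX = (4, 91)   # last affected upstream release; 4.92 carries the fix

# Constructed sample banner, shaped like the first line of `exim -bV`.
SAMPLE_BANNER = "Exim version 4.91 #1 built 18-Jun-2018 11:22:12"

_VERSION_RE = re.compile(r"\bExim version (\d+)\.(\d+)")


def parse_exim_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an `exim -bV` banner, or None if it is not one."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version: Tuple[int, int]) -> bool:
    """True when the upstream version number lies in the affected range.

    Tuple comparison is lexicographic, so (4, 87) <= (4, 91) <= (4, 91) holds
    while (4, 92) and (4, 86) fall outside.
    """
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner: str) -> str:
    """Classify one host from its banner: 'affected', 'not-affected' or 'unknown'.

    'affected' means the upstream version is in range. Distributions backport
    the fix without bumping this number, so on Debian, Ubuntu or RHEL-derived
    hosts an 'affected' result still has to be confirmed against the package
    changelog before it is treated as exposure.
    """
    version = parse_exim_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


if __name__ == "__main__":
    for banner in (SAMPLE_BANNER, "Exim version 4.92 #4 built 01-Feb-2019 10:00:00", "Postfix 3.4.5"):
        print(f"{banner!r}: {assess(banner)}")
```

    Two caveats belong with any version-based check. Distribution packages often carry the fix under the old version number, so a hit here is a lead to confirm, not a finding. And the advisory notes that releases older than 4.87 can also be affected when built with EXPERIMENTAL_EVENT, which no version comparison will catch.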
  • MI5 Breached Surveillance Law for Years

    MI5’s breaches of the law in its handling and retention of bulk surveillance data are much worse than first thought, according to new legal documents revealed as part of an ongoing case. Rights group Liberty is challenging outgoing Prime Minister Theresa May’s flagship Snoopers’ Charter, aka the Investigatory Powers Act (IPA): a law which allows the security services to hack devices and intercept communications en masse, collecting and
  • Employees Out of Work after ASCO Hit by Ransomware

    Nearly 1,000 employees in ASCO’s Zaventem, Belgium, office have been left unable to do their jobs after a ransomware attack crippled the aircraft-parts manufacturer, according to a June 11 report from VRT NWS. “From the ISF’s standpoint, everyone who has access to an organization’s information and systems should be made aware of the risks from ransomware and the actions required to minimize those risks,” said St
  • Gaming's All Fun and Games Till Someone Gets Hacked

    Cyber-criminals are playing games with the gaming industry, according to two new reports published by Akamai and Kaspersky. The Akamai 2019 State of the Internet/Security Web Attacks and Gaming Abuse Report found that cyber-criminals have targeted the gaming industry with 12 billion credential-stuffing attacks against gaming websites, out of a total of 55 billion credential-stuffing attacks across all industries within the 17-month
  • AGs Warn AMCA Breach Impact Rose to over 20 Million

    After the data of more than 20 million patients was potentially exposed in the cyber-attack against American Medical Collection Agency (AMCA), the third-party collection agency for laboratories, hospitals, physician groups, medical providers and others, attorneys general (AGs) in states including New Jersey, Illinois, Connecticut and Maryland have started alerting citizens and looking for answers to exactly what happened.
  • Suspended door supervisor pleads guilty to working unlicensed

    Suspended Cardiff door supervisor pleaded guilty to working while unlicensed.
  • UK Orgs Lose 2.5 Months a Year on Poor Password Management

    Businesses in the UK lose an average of two-and-a-half months per year in time spent dealing with poor password management, according to new research from OneLogin. As detailed in its report Password Practices 2019, OneLogin surveyed 600 global IT professionals to gauge how companies are protecting passwords in terms of tools, guidelines and practices. The key findings indicated that companies spend too much time resetting passwords that us
  • KnowBe4 Gets Whopping $300m in Funding

    A private equity giant has invested an additional $300 million in cybersecurity awareness firm KnowBe4 only three months after announcing its initial investment of $50 million, according to Fortune. At the helm of the company, which provides integrated security awareness training and a simulated phishing platform, are Stu Sjouwerman, CEO, and Kevin Mitnick, chief hacking officer. Founded in 2010, the company now boasts more than 25,000 users across the globe
  • Philly Courts Still Down after Cyber-Attack

    After a May 21, 2019, cyber-attack downed Philadelphia’s online court system for e-filing and docketing services, issues remain throughout the county, according to Government Technology. On June 11, Government Technology reported that the computer networks of the Luzerne County Correctional Facility in Pennsylvania continue to be impacted, leaving inmates unable to order items from the jail commissary. “The First Judicial District and City OIT
  • Flaw in SymCrypt Can Trigger DoS

    A vulnerability in SymCrypt, the cryptographic library of Microsoft's Windows, can trigger a denial-of-service (DoS) condition on Windows 8 and later, causing a perpetual operation "when calculating the modular inverse on specific bit patterns with bcryptprimitives!SymCryptFdefModInvGeneric," according to Tavis Ormandy, a Google researcher. “I noticed a bug in SymCrypt, the core library that handles all crypto on Windows. It's a DoS, but this
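    The failure mode here is a modular-inverse routine that never returns. The block below is an added example, not SymCrypt's code and not a reproduction of the bit pattern Ormandy found (the page does not give it): an extended-Euclid modular inverse written so that inputs with no inverse are rejected by arithmetic rather than by a loop, and so that the loop carries a hard iteration budget derived from Lamé's bound, turning any non-termination bug into an exception instead of a hung thread. The budget margin (2 * bit length + 8) is our own choice.

```python
"""Modular inverse by the extended Euclidean algorithm, written so that no
input can make it spin forever: values with no inverse are rejected up front,
and the loop carries a hard iteration budget so a logic error surfaces as an
exception instead of a hung thread, the failure mode of the SymCrypt bug.

Added example. This is not SymCrypt's code and does not reproduce the bit
pattern Ormandy found (the page does not give it). The budget is our own
choice: Lamé's theorem bounds Euclid's algorithm on inputs below m at about
1.44 * log2(m) divisions, so 2 * m.bit_length() + 8 leaves a wide margin.
"""
from typing import Optional


class NonTerminating(Exception):
    """Loop exceeded its budget: a defect in the code, never a property of the input."""


def modinv(a: int, m: int) -> Optional[int]:
    """Return x in [1, m) with (a * x) % m == 1, or None if no such x exists.

    None covers m <= 1, a congruent to 0, and gcd(a, m) != 1; those cases are
    decided by arithmetic, not by waiting for a loop that may never exit.
    """
    if m <= 1:
        return None
    a %= m
    if a == 0:
        return None

    # Invariant: old_r == old_s * a (mod m) and r == s * a (mod m).
    old_r, r = a, m
    old_s, s = 1, 0
    budget = 2 * m.bit_length() + 8
    steps = 0
    while r != 0:
        steps += 1
        if steps > budget:
            raise NonTerminating(f"{steps} steps for a={a}, m={m}; bound is {budget}")
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s

    if old_r != 1:          # gcd(a, m) > 1, so a has no inverse
        return None
    return old_s % m


def check_inverse(a: int, m: int) -> bool:
    """Independent verification: either there is no inverse, or it multiplies to 1."""
    x = modinv(a, m)
    return x is None or (a * x) % m == 1


if __name__ == "__main__":
    print(modinv(3, 7), modinv(10, 17), modinv(2, 4))   # 5 12 None
```

    The budget does not make a wrong loop condition right; it makes the defect observable and bounded, which is what a DoS defence needs. For a prime modulus, `pow(a, m - 2, m)` yields the same inverse in a number of steps fixed by the modulus size, one reason production libraries often prefer exponentiation-based inversion where the modulus is known to be prime.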
  • XSS is Most Rewarding Bug Bounty as CSRF is Revived

    Cross-site scripting (XSS) is the most rewarding security vulnerability, according to data on the number of bug bounties paid. According to HackerOne’s list of the top 10 most impactful security vulnerabilities, which have earned hackers over $54m in bounties and is based on over 1,400 HackerOne customer programs and 120,000 reported vulnerabilities, XSS is the most paid-out vulnerability, followed by “improper authentication – generi
  • Microsoft Fixes Four SandboxEscaper Zero-Days

    Microsoft has released its latest monthly security updates, and there are four fixes for zero-day threats published recently by SandboxEscaper. In total Redmond fixed 88 vulnerabilities in this update round, 21 of them labelled critical. The four zero-days are all elevation of privilege flaws which affected Windows: CVE-2019-1069 is a bug in the Windows Task Scheduler, CVE-2019-1064 is an elevation of privilege bug in Windows, CVE-2019-10
  • FBI: Don’t Trust HTTPS or Padlock on Websites

    The FBI has been forced to issue an alert warning users that the sight of "HTTPS" and a padlock icon in the address bar may not be enough to prove the authenticity of a website. The latest Public Service Announcement from the bureau’s public-facing Internet Crime Complaint Center (IC3) revealed that cyber-criminals are increasingly abusing trust in TLS-secured websites to improve the success rate of phishing attacks. “They are more fre
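    The padlock tells the user that the certificate matches the hostname in the address bar and nothing more; a phishing site with a lookalike hostname earns the same padlock. The check a defender can automate is therefore on the hostname itself. The block below is an added example, not code from the FBI alert or the article: it classifies a hostname against a list of brand domains as legitimate, brand-name-in-subdomain, lookalike or unrelated. The brand list and sample hostnames are constructed; the registrable-domain logic and the confusable-character table are deliberate simplifications (a handful of two-level public suffixes instead of the Public Suffix List, a few ASCII substitutions instead of Unicode homoglyphs).

```python
"""Spot hostnames that imitate a brand's domain. A valid certificate and a
padlock prove only that the browser is talking to the hostname in the
address bar; they say nothing about whether that hostname is the one the
user meant, which is the gap the FBI alert describes and which phishing
sites exploit with lookalike names.

Added example; not code from the FBI alert or the original article.
BRANDS and the sample hostnames are constructed. registrable_domain() is a
simplification that knows only a handful of two-level public suffixes
instead of the full Public Suffix List, and the confusable-character table
covers a few common substitutions, not Unicode homoglyphs.
"""
from typing import List, Optional, Tuple

BRANDS = ["example-bank.com", "example.co.uk"]              # constructed
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}  # simplification
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable_domain(hostname: str) -> str:
    """Return the owner-controlled part of a hostname (e.g. 'evil.co.uk')."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Fold common look-alike substitutions and hyphens before comparing."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, brands: List[str] = BRANDS) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand). Verdicts:
      legitimate          the brand domain itself or a real subdomain of it
      brand-in-subdomain  brand name used as a label under someone else's domain
      lookalike           registrable domain is a near-miss of the brand
      unrelated           none of the above
    """
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    reg = registrable_domain(host)
    sub_labels = labels[: len(labels) - len(reg.split("."))]
    brand_labels = {b.lower(): registrable_domain(b).split(".")[0] for b in brands}

    for b in brand_labels:
        if host == b or host.endswith("." + b):
            return "legitimate", b
    for b, b_label in brand_labels.items():
        if b_label in sub_labels or b in ".".join(sub_labels):
            return "brand-in-subdomain", b
    reg_label = reg.split(".")[0]
    for b, b_label in brand_labels.items():
        if b_label in reg_label or edit_distance(normalise(reg_label), normalise(b_label)) <= 1:
            return "lookalike", b
    return "unrelated", None


if __name__ == "__main__":
    for h in ("www.example-bank.com", "example-bank.com.secure-login.net",
              "examp1e-bank.com", "example.com", "www.wikipedia.org"):
        print(h, "->", classify(h))
```

    The substring test in the lookalike branch is intentionally aggressive and will be noisy for generic brand names; in practice the candidate list comes from certificate transparency logs or newly registered domains, and the verdicts feed a review queue rather than a block list.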
  • Code Signing Shortcomings Leave Gaps for Hackers

    Only a little over a quarter (28%) of global organizations have a clearly defined security process in place for code signing, potentially opening the door for hackers to steal and use these certificates in attacks, according to new Venafi research. The security vendor polled 320 security professionals in the US, Canada and Europe to better understand the risks around code signing, the process used to secure software updates. Although half sa
  • Radiohead Officially Releases Music Stolen in Hack

    A week after receiving a ransom request for $150,000, alternative-rock band Radiohead decided to go live with the 18 hours of stolen music that was never intended for public consumption. On June 5, Consequence of Sound reported that 18 hours of Radiohead’s music had been leaked online. The band announced on June 11 that it has officially released the leaked material through Bandcamp and is donating the proceeds to the climate activist g
  • SOCs Struggle with Staffing, Reporting and Visibility

    Staffing remains an issue for security operations centers (SOCs), which continue to struggle with reporting and documentation while barely being able to stay afloat in a sea of alerts and false positives, according to the annual State of the SOC report from Exabeam. The report found approximately one-third of respondents said that their SOC was understaffed by 6–10 people. “Nearly 50% of understaffed SOCs indicated they don’
  • HaveIBeenPwned.com Open to Acquisition

    Since its inception in 2013, the website HaveIBeenPwned.com (HIBP) has grown exponentially, to the point where it is no longer feasible for one person to maintain, which is why Troy Hunt, the site’s creator, today announced that he is open to the possibility of an acquisition. The prevalence of breaches, combined with the analysis he was doing and the scale of the Adobe breach, is what sparked the idea for HIBP, Hunt said. “I wonder how many peop
  • Child spies used by police at risk of severe harm, high court told

    Campaigners say there are not enough safeguards to protect children in covert operations
    Children recruited to spy on drug dealers, gangs, terrorists and paedophiles have fewer safeguards when handled by investigators than those arrested for minor offences such as shoplifting, the high court has heard. At a judicial review hearing at the Royal Courts of Justice, campaigners challenging the use of children as covert human intelligence sources (CHISs) argued the lack of safeguards violates children
  • FTSE 250+ Demonstrate Weak Security, but Low SMB Exposure

    FTSE 250+ organizations leave an average of 35 servers and devices exposed to the open internet, while 231 have “weak or non-existent” phishing defenses. According to research by Rapid7, many companies in the FTSE 250+ reveal how many and which cloud service providers they use through their DNS metadata. The research found that 114 organizations use between two and seven cloud service providers. Tod Beardsley, director of rese
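    The "DNS metadata" the research refers to is the set of third-party hostnames an organisation's own zone points at: SPF include: targets, MX exchanges and CNAME targets. The block below is an added example, not Rapid7's code, showing how a provider count like the "two to seven" figure is derived from those records. The zone excerpt is constructed and the suffix-to-provider table is a small illustrative fingerprint list, not an authoritative one.

```python
"""Infer which cloud and SaaS providers an organisation relies on from the
DNS records it publishes: SPF include: targets, MX hosts and CNAME targets
all name third parties. This is the kind of "DNS metadata" the Rapid7
research above draws on.

Added example; not Rapid7's code. SAMPLE_RECORDS is a constructed zone
excerpt and PROVIDER_SUFFIXES is a short illustrative fingerprint table,
not an authoritative list.
"""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]   # (owner name, type, rdata)

# Constructed sample, shaped like `dig` output flattened to (name, type, rdata).
SAMPLE_RECORDS: List[Record] = [
    ("example-corp.com", "TXT",
     "v=spf1 include:spf.protection.outlook.com include:_spf.google.com include:sendgrid.net -all"),
    ("example-corp.com", "MX", "10 example-corp-com.mail.protection.outlook.com."),
    ("www.example-corp.com", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("assets.example-corp.com", "CNAME", "example-bucket.s3.amazonaws.com."),
    ("status.example-corp.com", "CNAME", "example-corp.github.io."),
    ("_dmarc.example-corp.com", "TXT", "v=DMARC1; p=none"),
]

# DNS suffix -> provider label. Matched on whole labels so 'evilamazonaws.com' would not count.
PROVIDER_SUFFIXES: Dict[str, str] = {
    "protection.outlook.com": "Microsoft 365",
    "google.com": "Google Workspace",
    "sendgrid.net": "SendGrid",
    "cloudfront.net": "AWS (CloudFront)",
    "amazonaws.com": "AWS",
    "github.io": "GitHub Pages",
    "azurewebsites.net": "Azure App Service",
}


def third_party_names(rtype: str, rdata: str) -> List[str]:
    """Hostnames a single record delegates to. Only record types that name
    another host are considered; A/AAAA would need an IP-to-ASN lookup instead."""
    if rtype == "TXT" and rdata.lower().startswith("v=spf1"):
        names = []
        for tok in rdata.split():
            low = tok.lower()
            if low.startswith("include:"):
                names.append(tok.split(":", 1)[1])
            elif low.startswith("redirect="):
                names.append(tok.split("=", 1)[1])
        return names
    if rtype == "MX":
        return [rdata.split()[-1]]          # "<preference> <exchange>"
    if rtype == "CNAME":
        return [rdata]
    return []


def providers_for(name: str, table: Dict[str, str] = PROVIDER_SUFFIXES) -> Set[str]:
    """Providers whose suffix matches the name on a label boundary."""
    host = name.lower().rstrip(".")
    return {prov for suffix, prov in table.items() if host == suffix or host.endswith("." + suffix)}


def infer_providers(records: List[Record]) -> Dict[str, Set[str]]:
    """Map each detected provider to the record names that revealed it."""
    found: Dict[str, Set[str]] = {}
    for name, rtype, rdata in records:
        for target in third_party_names(rtype, rdata):
            for prov in providers_for(target):
                found.setdefault(prov, set()).add(name)
    return found


def count_providers(records: List[Record]) -> int:
    """The headline number: distinct providers visible in the zone."""
    return len(infer_providers(records))


if __name__ == "__main__":
    for prov, names in sorted(infer_providers(SAMPLE_RECORDS).items()):
        print(f"{prov:18s} via {', '.join(sorted(names))}")
```

    Two limits matter when reading such a count. Services fronted by plain A/AAAA records are invisible here and need an IP-to-ASN mapping, and SPF include: targets can themselves include further domains, so a full picture resolves them recursively (within the ten-lookup limit SPF imposes).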
  • UK security services could get Facebook-style data analysis tools

    Counter-terror officials may be able to scan data from across population, official report says
    The security services may soon be able to scan sensitive data from a significant proportion of the British population for signs of terrorism, an official report reveals. David Anderson QC examined reforms put in place by MI5 and counter-terrorism policing after the 2017 attacks in Britain. His report for the government on progress so far reveals that counter-terrorism investigators may soon have powerfu
  • MI5 accused of ‘extraordinary and persistent illegality’

    Agency has been obtaining surveillance warrants based on false information, high court told
    MI5 has lost control of its data storage operations and has been obtaining surveillance warrants on the basis of information it knows to be false, the high court has heard.
    The security agency has been accused of “extraordinary and persistent illegality” in a legal challenge brought by the human rights organisation Liberty. The failures have been identified by the official watchdog, the Invest
  • Welsh Man Gets Four Years for TalkTalk Attack

    A Welsh man diagnosed with Asperger’s syndrome has been sentenced to four years behind bars for his role in a cyber-attack on TalkTalk which cost the company £77m. Daniel Kelley, 22, from Llanelli, Carmarthenshire, will serve his sentence in a young offender institution after pleading guilty to 11 offences back in 2016. These included hacking the ISP and attempting to blackmail CEO Dido Harding and other executives, as well as “ha
