Category: Security Threats

Facebook hack the work of spammers, not foreign adversary

The Facebook hack may be the work of spammers, not a nation-state affiliated group, according to a report. The Wall Street Journal reported last week that, according to anonymous sources familiar with Facebook Inc.’s internal investigation, the hack of 30 million users was the work of spammers, not a nation-state as previously assumed.

Facebook has been investigating the hack since it discovered the incident in late September and is working with the FBI on the criminal portion of the investigation. The social media giant last week found that the attack affected 30 million user accounts, which is 20 million fewer than the original estimate.

Read more about this developing story on TechTarget.

AWS FreeRTOS Bugs Allow Compromise of IoT Devices

Researchers have found that a popular Internet of Things real-time operating system – FreeRTOS – is riddled with serious vulnerabilities. The bugs could allow hackers to crash connected devices in smart homes or critical infrastructure systems, leak information from the devices’ memory, and take them over. And while patches have been issued, researchers warn that it still may take time for smaller vendors to update.

Researcher Ori Karliner, with Zimperium’s zLabs team, recently analyzed some of the leading operating systems in the IoT market – including FreeRTOS, an open-source OS specifically designed for the microcontrollers that are within IoT devices. Within several versions of FreeRTOS, Karliner found 13 vulnerabilities enabling an array of attacks.

Read more about the vulnerabilities affecting FreeRTOS on Threatpost.

Zero-day in popular jQuery plugin actively exploited for at least three years

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan.

The plugin is the second most starred jQuery project on GitHub, after the jQuery framework itself. It is immensely popular, has been forked over 7,800 times, and has been integrated into hundreds, if not thousands, of other projects, such as CMSs, CRMs, Intranet solutions, WordPress plugins, Drupal add-ons, Joomla components, and so on.

Read more about the zero-day affecting the plugin used in hundreds, if not thousands, of projects on ZDNet.

Researcher finds simple way of backdooring Windows PCs and nobody notices for ten months

A security researcher from Colombia has found a way of gaining admin rights and boot persistence on Windows PCs that is simple to execute and hard to stop, all the features that hackers and malware authors look for in an exploitation technique.

What is more surprising is that the technique was first detailed back in December 2017, yet despite its numerous benefits and ease of exploitation, it has received neither media coverage nor been seen employed in malware campaigns. The technique targets one of the parameters of Windows user accounts known as the Relative Identifier (RID).

Read more about the “RID Hijacking” technique on ZDNet.

(ISC)²: Global Cybersecurity Workforce Short 3 Million People

The global shortage of cybersecurity experts has reached 2.93 million, posing a growing risk to businesses worldwide struggling to find, hire, and retain skilled employees to maximize their defenses.

According to the new (ISC)² 2018 Cybersecurity Workforce Study published today, the shortage is greatest in Asia Pacific, which lacks 2.14M security workers, followed by North America (498K), Europe, the Middle East, and Africa (142K), and Latin America (136K). Researchers calculated the percentage of businesses with open roles, businesses’ estimated growth and future hiring needs, and estimates of entrants into the security field to come up with the numbers.

Read more about the findings of the new (ISC)² study on DarkReading.

Researchers expose security vulnerabilities in terahertz data links

A new study shows that terahertz data links, which may play a role in ultra-high-speed wireless data networks of the future, aren’t as immune to eavesdropping as many researchers have assumed. The research shows that it is possible for a clever eavesdropper to intercept a signal from a terahertz transmitter without the intrusion being detected at the receiver.

Because of its higher frequency, terahertz radiation can carry up to 100 times more data than the microwaves used in wireless communication today, which makes terahertz an attractive option for use in future wireless networks. The researchers say that while there are inherent security enhancements associated with terahertz links in comparison with lower frequencies, these security improvements are still far from foolproof.

Read more about the research findings on Help Net Security.

Up to 35 Million 2018 Voter Records For Sale on Hacking Forum

Up to 35 million US voter records from 19 states have been found up for sale on a popular hacking forum, researchers discovered.

Researchers at Anomali Labs and Intel 471 have discovered Dark Web communications offering a large quantity of voter databases for sale – including valuable personally identifiable information and voter history. This represents the first indication of 2018 voter registration data for sale on a hacking forum, said the researchers. The discovery comes weeks before the US November mid-term elections.

Read more about the discovery of millions of US voter records on an undisclosed Dark Web hacking forum on Threatpost.

Apple VoiceOver iOS vulnerability permits hacker access to user photos

A vulnerability has been discovered in the Apple iOS VoiceOver feature which can be exploited by attackers to gain access to a victim’s photos. As reported by Apple Insider, the bug, a lock screen bypass made possible via the VoiceOver screen reader, relies on an attacker having physical access to the target device.

Revealed by iOS hacker Jose Rodriguez and subsequently demonstrated in a YouTube video, the attack chain begins with the attacker calling the victim’s phone. Should the attacker not possess the phone number, it can be obtained by asking the Siri voice assistant to read it out digit by digit.

Read more about the newly discovered iOS lock screen bypass on ZDNet.

Pentagon discloses card breach

A Pentagon official said last Friday that the US Department of Defense had suffered a security breach thanks to a third-party contractor. An investigation is still underway, so the exact details have not been made public, but according to an Associated Press report, a DOD official said that roughly 30,000 DOD military and civilian personnel are believed to be affected. This number is expected to grow as the Pentagon’s investigation continues.

The official said the breach was discovered on October 4. An attacker (or multiple attackers) appears to have compromised a third-party contractor and used the vendor’s access to the Pentagon network to steal travel data for DOD personnel.

Read more about the Department of Defense security breach on ZDNet.

Microsoft JET vulnerability still open to attacks, despite recent patch

A vulnerability in the Microsoft JET database engine is still open to attacks, even after Microsoft shipped an update earlier this week during the October 2018 Patch Tuesday.

The vulnerability, which was a zero-day at the time of its disclosure in mid-September, raised some alarms, mainly because the JET database engine is included in all versions of Windows, giving attackers a huge attack surface to target. Microsoft shipped an update this past Tuesday, but according to Mitja Kolsek, co-founder of 0patch, the patch is incomplete, and an attacker can still exploit the original vulnerability.

Read more about the issues with Microsoft’s recent JET patch on ZDNet.