Weekly Top 10 security news (26th-mar-1st-apr)

Army CIO must improve security for commercial mobile devices, says IG

The Army CIO has failed so far to implement an effective cybersecurity program for commercial mobile devices (CMDs), and until the service does so its networks will remain vulnerable to cyberattack and possible leaks of sensitive data, according to a report from the Defense Department’s Inspector General.

The DOD IG study sought to determine whether the Army had an effective cybersecurity program that was capable of identifying and mitigating risks around CMDs and removable media. During site inspections, IG officials sought to verify whether Army officials were properly tracking, configuring and sanitizing CMDs.

Read More

Chpwn and other developers hit with iMessage DoS attack

Over the past few days, several well-known iOS and jailbreak developers have reported that they’ve been hit with an iMessage DoS, or denial of service, attack. The attacks feature a series of spam messages that end up crashing the iMessage app.

The list of affected developers include Sn0wBreeze creator iH8sn0w, Zephyr creator Chpwn, and others. And the perpetrator has been tracked to a Twitter account involved in selling things like provisioned UDIDs and Siri proxy servers…

Read More

Phony Adobe Flash update spreads home page-changing malware

A new trojan disguised as an Adobe Flash Player update is spreading via email that redirects people to a malicious web session when their browser is opened.Microsoft said it has received 70,000 reports this week of the bug, which changes users’ home pages and then redirects them.

Read More

Cybercriminals Use Evernote as C&C(Command & Control) Server

With its rich functionality and accessibility, Evernote is a popular note-taking tool for its many users. Unfortunately, it may also provide the perfect cover for cybercriminals’ tracks.We recently uncovered a malware that appears to be using Evernote as a communication and control (C&C) server. Detected as BKDR_VERNOT.A, the malware attempts to connect to Evernote via https://evernote.com/intl/zh-cn, which is a legitimate URL.

Read More


Spamhaus DDoS Attacks Triple Size of Attacks on US Banks

The internet activist accused of being behind one of the biggest distributed denial-of-service (DDoS) attacks to date, claims he is the victim of an establishment conspiracy.Investigators have accused Dutch internet operator Sven Kamphuis of unleashing  DDoS attacks in support of web hosting company Cyberbunker after it was blacklisted by anti-spam website Spamhaus.But Kamphuis said the allegations against him were caused by the row between his company Cyberbunker and Spamhaus, according to the Telegraph.

Read More

Amazon S3 Users Exposing Data to Public Due to Bad 'Bucket' Settings

An analysis by security risk management company Rapid7 found that one in six of the data storage buckets the company studied were incorrectly set as “public.”Bad system configurations are exposing countless pieces of data housed in Amazon Simple Storage Service (S3) "buckets" and leaving them open to prying eyes.

Amazon S3 is an online storage service offered by Amazon. The number of database objects users can store is unlimited. The objects are stored in buckets and users retrieve them with a unique, developer-assigned key. According to vulnerability management firm Rapid7, however, many businesses are not properly restricting access to those buckets. In an analysis, Rapid7 found 1,951—or approximately one in six—of the 12,328 buckets it analyzed were public.

Read More

Microsoft hit with competition complaint over Windows 8 UEFI Secure Boot

A Spanish Linux software group has filed a complaint against Microsoft to the European Commission over its controversial implementation of UEFI Secure Boot for Windows 8 hardware.

The Linux group Hispalinux filed a complaint with the Madrid office of the European Commission on Tuesday morning,according to Reuters.

The complaint focuses on the Microsoft's Windows 8 "certified PC" feature UEFI (Unified Extensible Firmware Interface) Secure Boot, which the group has labelled an "obstruction mechanism".

Read More

Spring ushers in US tax scam season

In the US, it's spring, aka tax fraud season.To remind taxpayers to be on the lookout for scams ranging from identity theft to return-preparer fraud, the Internal Revenue Service (IRS) on Tuesday posted its Dirty Dozen list of tax scamsfor 2013.

The IRS compiles the list every year. It notes that taxpayers can expect the scams any time of year, but many of the schemes peak now, during filing season.

Read More

Using Customer Premise Eqipment to Take Over the Internet

It’s the ultimate what-if scenario: What if an attacker could own all the customer premises equipment (CPE) doled out by ISPs such as routers and modems? Would it be trivial with available scanning equipment and other tools to find vulnerable gear, and then modify and re-upload the firmware to be able do anything such as control Web traffic, launch DDoS attacks, or even disconnect large blocks of machines from the Internet?

The answer to those questions, and several related ones, appears to be yes. Two researchers took a stab at what would happen if enough home Internet connections were pieced together for such purposes and learned that a dangerous mix of lax security and insecure default configurations from ISPs and vendors alike are contributing to this risk.

Read More

Sorry Apple gets respect in China after tabloid trial

(Reuters) - With its rare apology, Apple Inc went from pariah to praiseworthy in the eyes of China's state-controlled media, a lesson for other foreign firms not to underestimate the speed and power of the government press.

After coming under near-daily media assault for the past two weeks and facing the threat of penalties from two Chinese government bureaus, Apple apologized to Chinese consumers on Monday for poor communication over its warranty policy and said it will change the terms for some of its iPhones sold in China.

Read More

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service