Troy Hunt is making his Have I Been Pwned database open source. He says it’s already a community project with companies like Cloudflare providing free services to HIBP.
The single most important objective of that process was to seek a more sustainable future for HIBP and that desire hasn’t changed; the project cannot be solely dependent on me. Yet that’s where we are today and if I disappear, HIBP quickly withers and dies.
An anonymous leaker took to Twitter to leak 20GB of Intel data and says more is coming soon.
The poster encourages downloaders to look for mentions of ‘backdoors’ in some of the Intel source code, and even provides a sample clip of one such listing, but we aren’t sure of the intentions behind the listings in the code.
Hitting Command + F to look for mentions of backdoors, because such backdoors would conveniently be labeled as such, right?
LogMeIn announced on Wednesday the arrival of LastPass dark web monitoring, as well as a security dashboard for the password manager.
The new LastPass dark web monitoring feature proactively checks email addresses against a 3rd party database of breached credentials. If that email address has been found in the database, the user will be immediately notified by email and with a message directly in their LastPass Security Dashboard. From there, users will be prompted to update the password for that compromised account.
Apple is introducing a new security measure for the App Store called the App Attest API and it will be used in iOS 14 and later.
Bob Gendler is an IT Specialist in the Apple world and a Jamf guru. He holds a B.S. degree in Information Technology from the Rochester Institute of Technology. He is now part of the Mac Management team at NIST, the National Institute of Standards and Technology, in Washington, D.C.
From a very early age, Bob fell into the world of Apple starting with an Apple IIgs and, as a teenager, a Power Mac 6100. Quickly, as an undergraduate, his specialty became system administration, and, later, that served him well landing the job at NIST. Bob filled me in on his latest project, the “macOS Security Compliance Project,” and the security problem the community faced with macOS. Basically, the new GitHub project leverages a library of scriptable actions which are mapped to compliance requirements in existing security guides or used to develop customized guidance. Bob nicely explains this crucial tool, his team, and who would benefit.
Andrew Orr joins host Kelly Guimont for Security Friday to discuss Apple’s new security research, a privacy app, and other security news.
Over 1,000 insecure databases have been completely erased, and the attackers leave no trace except the word “meow.”
Since then, Meow and a similar attack have destroyed more than 1,000 other databases. At the time this post went live, the Shodan computer search site showed that 987 ElasticSearch and 70 MongoDB instances had been nuked by Meow. A separate, less-malicious attack tagged an additional 616 ElasticSearch, MongoDB, and Cassandra files with the string “university_cybersec_experiment.” The attackers in this case seem to be demonstrating to the database maintainers that the files are vulnerable to being viewed or deleted.
Better erased than breached, right?
TikTok has faced accusations of data collecting and spying for the Chinese government. Here’s what the experts say.
First, over a million DNA profiles from GEDmatch were leaked. Then, email addresses from the breach were used in a phishing attack against users of genealogy website MyHeritage.
As a result of this breach, all user permissions were reset, making all profiles visible to all users. This was the case for approximately 3 hours. During this time, users who did not opt in for law enforcement matching were available for law enforcement matching and, conversely, all law enforcement profiles were made visible to GEDmatch users.
If GEDmatch sounds familiar, it was the DNA database used to identify the Golden State Killer.
The Apple Security Research Device program launched today, and it aims to provide special iPhones to researchers with shell access.
Andrew Orr joins host Kelly Guimont to discuss Security Friday news tidbits, tips for security on iOS 14, and how to share passwords safely.
Major Twitter accounts were hacked today, reports Kevin Truong. Accounts like Apple, Bill Gates, Elon Musk, Uber, and others were the victim of a hacking campaign that involved bitcoin.
Events kicked off when the Twitter accounts for major cryptocurrency platforms Coinbase, Gemini, and Binance, among others, all put out tweets minutes apart stating they had partnered up with an organization called CryptoForHealth and that they would be “giving back 5000 BTC to the community.” The tweets all included a link to a site that has been tagged by Google and Cloudflare as a phishing site […]
Most of the tweets have been removed already. Apple’s Twitter account appears to be entirely wiped of tweets.
A fascinating hack that clearly took advantage of Twitter vulnerabilities. But I’d also like to point out that Apple has never actually tweeted, so there wasn’t much to wipe.
The U.S. Secret Service sent out a security alert to warn of an increase in hacking to Managed Service Providers. These provide remote management software for companies, like file-sharing systems.
In a security alert sent out on June 12, Secret Service officials said their investigations team (GIOC — Global Investigations Operations Center) has been seeing an increase in incidents where hackers breach MSP solutions and use them as a springboard into the internal networks of the MSP’s customers.
Security researcher Jeff Johnson is going public with a flaw found in a macOS privacy protection system. Apple is still investigating the issue.
A new piece of macOS ransomware has been spotted in the wild within multiple pirated Mac software, and it’s called OSX.EvilQuest.
A WWDC20 presentation shows how Apple is adding support for encrypted DNS to iOS 14 and macOS 11. It will support HTTPS and TLS.
A feature coming to Safari 14 later this year involves logging into websites with Face ID and Touch ID through the Web Authentication API.
Senators Lindsey Graham (R-South Carolina), Tom Cotton (R-Arkansas) and Marsha Blackburn (R-Tennessee) introduced the Lawful Access to Encrypted Data Act yesterday. It seeks to bring back the Crypto Wars of the 1990s by crippling encryption with the introduction of backdoors.
Yet increasingly, technology providers are deliberately designing their products and services so that only the user, and not law enforcement, has access to content – even when criminal activity is clearly taking place. This type of “warrant-proof” encryption adds little to the security of the communications of the ordinary user, but it is a serious benefit for those who use the internet for illicit purposes.
”Adds little to the security of the communications of the ordinary user.” That’s the level of contempt these people have for the rest of us.
An investigation from Amnesty International reveals that NSO Group tools were used to target human rights journalist Omar Radi via his iPhone.
Through our investigation we were able to confirm that his phone was targeted and put under surveillance during the same period he was prosecuted. This illustrates how human rights defenders (HRDs) may often have to deal with the twin challenges of digital surveillance alongside other tactics of criminalisation at the hands of Moroccan authorities leading to a shrinking space for dissent.
The same NSO Group that hopes to woo American law enforcement with its dazzlingly array of hacking tools.
Team Telcom is calling on the FCC to cancel part of an undersea cable that links Los Angeles to Hong Kong over Chinese spying fears.
A report from Sophos today reveals a wave of adware belonging to the Bundlore family that targets macOS. Bundlore is one of the most common bundlware installers for macOS, accounting for almost 7% of attacks detected by Sophos.
This installer carried a total of seven “potentially unwanted applications” (PUAs)—including three that targeted the Safari web browser for the injection of ads, hijacking of download links, and redirecting of search queries for the purpose of stealing users’ clicks to generate income. The injected content in at least one case was used for malvertising—popping up a malicious ad that prompted the download of a fake Adobe Flash update.
After a lot of negative attention from press and privacy advocates, Zoom has backtracked on its stance. It will provide free users with end-to-end encryption, a feature previously limited to paying customers.
The company said that free users will have to verify themselves with a phone number in a one-time process. It claimed that this will stop bad actors from creating multiple abusive accounts.
Zoom is also releasing an updated design of its end-to-end encryption solution on GitHub that intends to achieve a balance between “the legitimate right of all users to privacy and the safety of users.”
Good to see Zoom do this.
The objective of this project is to develop an extensible, modern approach to security guidance that can be used by any organization to adhere to security compliance frameworks and policy. Project outputs include scripts, documentation, and configuration profile payloads
A report today from Motherboard details how Facebook and the FBI used a zero-day exploit for privacy OS Tails to catch a child predator. The reason I’m specifically linking to it is because of this paragraph:
Facebook told Motherboard that it does not specialize in developing hacking exploits and did not want to set the expectation with law enforcement that this is something it would do regularly. Facebook says that it identified the approach that would be used but did not develop the specific exploit, and only pursued the hacking option after exhausting all other options.
That is a slippery slope argument that will be used by politicians, like how Apple does what it can to help the FBI get into terrorists’ iPhones. “But you helped them before, why not again?” More fuel on the EARN IT fire.
