It’s 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either

Spreading in the wild, no vaccine, people told to distance themselves from dodgy sources… sounds familiar.

Hackers are commandeering victims’ Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. No patches are available right now.

Complete article at The Register

Hackers Were Inside Citrix for Five Months

Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.

Complete article on KrebsOnSecurity

Meet the Mad Scientist Who Wrote the Book on How to Hunt Hackers

Thirty years ago, Cliff Stoll published The Cuckoo’s Egg, a book about his cat-and-mouse game with a KGB-sponsored hacker. Today, the internet is a far darker place—and Stoll has become a cybersecurity icon.

In 1986, Cliff Stoll’s boss at Lawrence Berkeley National Labs tasked him with getting to the bottom of a 75-cent accounting discrepancy in the lab’s computer network, which was rented out to remote users by the minute. Stoll, 36, investigated the source of that minuscule anomaly, pulling on it like a loose thread until it led to a shocking culprit: a hacker in the system.

Complete article at Wired.com

Beware of bad Santas this Xmas: Piles of insecure smart toys fill retailers’ shelves

It seems to come around quicker every year – the failure of so-called smart toys to meet the most basic of security requirements. Which? has discovered a bunch of sack fillers that dirtbags can use to chat to your kids this Christmas.

Back in 2017, the consumer group found toys with security problems relating to network connections, apps or other interactive features. The results of its latest round of testing show manufacturers are struggling to improve standards.

Complete article on The Register

How Researchers Are Fighting Back Against Ransomware

For too long, cybercriminals have been raking in billions of dollars from businesses around the globe through the use of crypto-ransomware. This is a specific type of ransomware that uses encryption technology to ‘scramble’ the data of its victims. The victim is then instructed to pay a ransom, by a specific deadline, to have their data decrypted. The threat is increasing. Global losses have risen from $5 billion in 2017 to an anticipated $11.5 billion by the time 2019 is out. New variants such as Phobos and Ryuk are now making the news with Los Angeles IT Consulting firm DCG Inc. revealing, in a recent blog post, that Phobos increased its prevalence by 940% through 2019. Worrying times!

Complete article on Cybrary

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

To protect query privacy, browser maker will run everything through Cloudflare

On Friday, Mozilla said it plans to implement the DNS-over-HTTPS (DoH) protocol by default in its Firefox browser, with a slow rollout starting in late September.

Under development since 2017, DoH transfers domain-name queries – which try to match domain names with server IP addresses – over a secure, encrypted HTTPS connection to a DNS server, rather than via an unprotected, unencrypted bog-standard DNS connection.

Complete article on The Register

If Uncle Sam could quit using insecure .zip files to swap info across the ‘net, that would be great, says Silicon Ron Wyden

Influential US Senator Ron Wyden (D-OR) is not happy about Uncle Sam’s employees using insecure .zip files and other archive formats to electronically transfer information.

The Oregon Democrat today sent a letter [PDF] to Walter Copan, director of America’s National Institute of Standards and Technology (NIST), asking that the standards body put together a guidance document for government workers on alternatives to .zip archiving tools.

Complete article on wired.com

Radiohead Dropped 18 Hours of Unreleased Music to Screw Pirates

On Tuesday, Radiohead guitarist and composer Jonny Greenwood made an announcement on Twitter and Facebook: The band had been “hacked,” and the perpetrator attempted a $150,000 shakedown to prevent the public release of the files. In response? Radiohead dumped all of it online for free. You can stream it below for the next 18 days, or buy it on Bandcamp for about $23. All proceeds will go to a climate protest organization called Extinction Rebellion.

Complete article on wired.com

LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

Medical testing giant LabCorp said today personal and financial data on some 7.7 million consumers were exposed by a breach at a third-party billing collections firm. That third party — the American Medical Collection Agency (AMCA) — also recently notified competing firm Quest Diagnostics that an intrusion in its payments Web site exposed personal, financial and medical data on nearly 12 million Quest patients.

Complete article on krebsonsecurity.com

Maker of America’s license-plate, driver recognition tech hacked, camera images swiped

The US Customs and Border Patrol today said hackers broke into one of its bungling technology subcontractors – and made off with images of people and their vehicle license plates as they passed through America’s land border.

The CBP issued a statement outlining how it learned on May 31 that the unnamed contractor, against Uncle Sam’s privacy rules and security measures, copied license plate scans and traveler pictures to its own network, only to have that network invaded by hackers and the data stolen.

Complete article on theregister.co.uk