A security researcher found a way to delete any picture on Facebook, irrespective of whether it’s public or private, by cunning use of polls.
Pouya Darabi was digging around in the software used by Facebook users to set up quick opinion polls on their profile pages. When creating these informal surveys, the social media addicts can select photos to appear alongside the questions, and the ID codes for these pictures are embedded in the HTML form submitted to Facebook’s servers.
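The bug class described above, where a server acts on an object ID taken straight from a submitted form without checking that the requester owns that object, is an insecure direct object reference. The following is an added illustration, not Facebook's code and not from the researcher: a toy poll-photo handler in its trusting form next to a version that enforces ownership. The store, the user names and the photo IDs are all constructed for the example.

```python
"""Toy poll-photo handler: the trusting version beside the hardened one.

Added example, not code from the article or from Facebook. Names, IDs and
the in-memory store are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: int
    owner: str


@dataclass
class PhotoStore:
    """Minimal stand-in for a photo database (constructed)."""
    photos: dict = field(default_factory=dict)

    def delete(self, photo_id: int) -> bool:
        return self.photos.pop(photo_id, None) is not None


class PermissionDenied(Exception):
    pass


def remove_poll_photo_vulnerable(store: PhotoStore, requester: str, photo_id: int) -> bool:
    """Trusts the photo_id from the form; any user can delete any photo.

    The requester is ignored, which is exactly the defect: the ID in the
    form is treated as proof of authority.
    """
    return store.delete(photo_id)


def remove_poll_photo_hardened(store: PhotoStore, requester: str, photo_id: int) -> bool:
    """Looks the object up server-side and checks ownership before acting."""
    photo = store.photos.get(photo_id)
    if photo is None:
        return False
    if photo.owner != requester:
        # Authorization check: the submitted ID must belong to the requester.
        raise PermissionDenied(f"{requester} does not own photo {photo_id}")
    return store.delete(photo_id)


def make_store() -> PhotoStore:
    """Constructed sample data: two users, one photo each."""
    store = PhotoStore()
    store.photos[101] = Photo(101, "alice")
    store.photos[202] = Photo(202, "bob")
    return store


def attempt_delete(handler, store: PhotoStore, requester: str, photo_id: int) -> str:
    """Runs a handler and reports the outcome as a short string."""
    try:
        return "deleted" if handler(store, requester, photo_id) else "missing"
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    # Alice submits a form referencing Bob's photo ID.
    print(attempt_delete(remove_poll_photo_vulnerable, make_store(), "alice", 202))
    print(attempt_delete(remove_poll_photo_hardened, make_store(), "alice", 202))
```

The point of the hardened handler is that the ownership check happens against the server's own record of who owns photo 202, not against anything the client sent; a client-side check or a hidden form field would not help, because the form is under the attacker's control.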
More data records were leaked or stolen by miscreants during the first half of 2017 (1.9 billion) than in all of 2016 (1.37 billion).
Digital security company Gemalto’s Breach Level Index, published Wednesday, found that an average of 10.4 million records are exposed or swiped every day.
During the first half of 2017 there were 918 reported data breaches worldwide, compared with 815 in the last six months of 2016, an increase of 13 per cent. A total of 22 breaches in Q1 2017 included the compromise, theft or loss of more than a million records.
Researchers are in a full-out sprint to notify the owners of a substantial list of connected devices and associated telnet credentials that has been available on Pastebin since June but has gone viral since Thursday, when it was posted on Twitter.
The list has more than 20,000 views as of Saturday morning, up substantially from fewer than 1,000 on Thursday.
The ransomware problems reported by The Reg over the past few weeks are enough to make you, er, wanna cry. Yet all that’s happened is that known issues with Windows machines – desktop and server – have now come to everyone’s attention and the bandwidth out of Microsoft’s Windows Update servers has likely increased a bit relative to the previous few weeks.
But there’s more to life than Windows XP and the day-to-day computing landscape consists of a rich sediment of accumulated and inherited non-Windows operating systems. And my fiver says that only a tiny minority of you have leapt into action and rushed to update these particular systems in the wake of WannaCry.
What exactly are we talking about? According to netmarketshare.com the non-Windows market share is about 10 per cent – 2 per cent of which is Linux and 3.6 per cent macOS. In the server world the story’s not dissimilar: looking this time at some data from Spiceworks, about 12 per cent of servers run non-Windows OSs, with RHEL at 1.2 per cent and various other Linuxes making up 10.5 per cent. The core server Linuxes aside from RHEL are Ubuntu, SUSE, CentOS, Debian and Oracle Linux.
The Federal Trade Commission (FTC) has released an alert about how quickly criminals begin using your personal information once it is posted to a hacker site by an identity thief. FTC researchers found that it can take as few as 9 minutes for crooks to access stolen personal information posted to hacker sites. To prevent identity theft, a user should follow password security best practices, such as multi-factor authentication, which requires a user to simultaneously present multiple pieces of information to verify their identity.
US-CERT encourages users to refer to the FTC alert and the US-CERT Tips on Preventing and Responding to Identity Theft, Choosing and Protecting Passwords, and Supplementing Passwords for more information.
US President Donald Trump’s cybersecurity executive order, signed on Thursday after a series of delays, will make federal agency heads accountable for protecting their networks.
On the other side of the fence, computer security product makers have broadly welcomed the policy, which also calls on government and industry to reduce the threat from automated attacks on the internet.
The delayed cybersecurity executive order aims to bolster the government’s information security while protecting the nation’s critical infrastructure from cyberattacks. The order is important because it sets the direction for US infosec policy in government and beyond. Unlike many of President Trump’s other policy initiatives, the order is largely uncontroversial and might (whisper this gently) be seen largely as a continuation of measures former President Barack Obama was putting into place.
Google has released Chrome version 58.0.3029.96 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker could exploit to cause a denial-of-service condition.
US-CERT encourages users and administrators to review the Chrome page and apply the necessary updates.
As the Tax Day 2017 filing deadline of Tuesday April 18 nears, IBM is warning of an increase in tax-related spam and scams.
It’s that time of year again, when Americans rush to file income taxes with the U.S. Internal Revenue Service (IRS) and hackers fill inboxes with tax-related spam and phishing email attacks. As the Tax Day 2017 filing deadline of Tuesday April 18 nears, IBM Security is warning of a spike in tax-related spam email and related fraud scams that aim to exploit unsuspecting tax filers.
IBM is out with a new report today, titled ‘Cybercrime Riding Tax Season Tides: Trending Spam and Dark Web Findings’, that details how attackers are ramping up their efforts ahead of Tax Day 2017. According to the report, IBM X-Force security researchers have tracked a 6,000 percent increase in tax-related spam emails from December 2016 to February 2017. A year ago, ahead of Tax Day 2016, the IRS issued a warning of its own about a 400 percent increase in phishing and malware incidents during that year’s tax season.
Sean Michael Kerner
Researchers from Israeli zero-day security firm Cybellum have discovered a 15-year-old code injection vulnerability and exploit technique that could allow attackers to maliciously take over antivirus programs and other software by abusing Microsoft’s Windows Application Verifier debugging tool.
The zero-day exploit, dubbed DoubleAgent, only works if the attacked computer has already been previously compromised. Still, the technique can seriously escalate the severity of a previous breach, Cybellum claims, allowing an adversary to further elevate privileges and perform virtually any attack imaginable. Moreover, DoubleAgent continues injecting code even after reboot, allowing actors to establish silent persistence on a machine.