Uber disclosed Tuesday that hackers had stolen 57 million driver and rider accounts and that the company had kept the data breach secret for more than a year after paying a $100,000 ransom.
The deal was arranged by the company’s chief security officer and under the watch of the former chief executive, Travis Kalanick, according to several current and former employees who spoke on the condition of anonymity because the details were private. The security officer, Joe Sullivan, has been fired. Mr. Kalanick was forced out in June, although he remains on Uber’s board. The two hackers stole data about the company’s riders and drivers.Read more
The Google Play Store is seeing a wave of malware-infested apps like never before. Four separate security companies have reported — or are preparing to release reports — on malware campaigns currently underway via Android apps available on the Play Store.
Reports published today by Dr.Web, Malwarebytes, and McAfee reveal the presence of three new Android malware families hidden in games and apps uploaded on the Play Store. An ESET spokesperson told Bleeping Computer the company also found a new multi-stage malware strain they're going to detail in a report later today.Read more
Anyone with a free Amazon Web Services account could have looked at the hoard of information stored in the cloud by the U.S. Defense Department, according to Chris Vickery, a researcher at cybersecurity firm UpGuard who discovered the exposure.
Amazon Web Services is a cloud platform that individuals, businesses and the government use for things like storing data and boosting computing power. Amazon said on its website it is best practice to restrict access to information stored in the cloud to "people that absolutely need it." The military databases hold at least 1.8 billion internet posts scraped from social media, news sites, forums and other publicly available websites, Vickery told.Read more
The personal computer of an NSA worker who took government hacking tools and classified documents home with him was infected with a backdoor trojan, unrelated to these tools, that could have been used by criminal hackers to steal the US government files.
The Moscow-based antivirus firm, which has been accused of using its security software to improperly grab NSA hacking tools and classified documents from the NSA worker's home computer and provide them to the Russian government, says the worker had at least 120 other malicious files on his home computer.Read more
Security research firm Rhino Security Labs found a vulnerability in the Amazon Key in-home delivery service's security procedures that could allow either the courier or even a savvy and malicious bystander to enter your home undetected after the delivery is completed.
Amazon has promised to change how Key works in order to make it easier for you to tell when something unusual is happening in this event, but the changes proposed by Amazon don't necessarily resolve the vulnerability. Amazon Key is available to Amazon customers who have bought and installed Amazon's own Cloud Cam security camera and installed it at their front door.Read more
Researchers are warning users about a wave of recent attacks targeting U.S. financial institutions that leverage a new banking Trojan dubbed IcedID.
The IcedID Trojan was spotted in September. They said the Trojan has several standout techniques and procedures, such as the ability to spread over a network and the ability to monitor a browser’s activity by setting up a local proxy for traffic tunneling. “At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S.,” researchers wrote in a report released Monday explaining the discovery.Read more
More than 20 million Amazon Echo and Google Home devices are vulnerable to attacks via the BlueBorne Bluetooth vulnerability that was first disclosed back in September.
Security firm Armis said this week that BlueBorne, a Bluetooth-based attack vector that was initially reported as exploitable on phones and PCs with an active Bluetooth connection, is now setting its sights on digital AI assistants. The firm said that both the Amazon Echo and Google Home can be exploited using existing BlueBorne vulnerabilities (of which there are eight in total).Read more
Imagine a plane: large, wings, lots of passengers — you get the picture. And it can be hacked, or so it seems. Such a theoretical possibility has been voiced more than a few times by more than a few people; a plane, like any other modern craft, is after all a network of computers, some of which are connected to the Internet. Now such theorizing seems to have been confirmed in practice.
The claim was made by none other than a representative of the US Department of Homeland Security. In the space of two days, Robert Hickey managed to gain access to the internal systems of an aircraft parked at an airport, without having physical access to the aircraft or any insider assistance.Read more
Jake Williams awoke last April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, Mr. Williams, a cybersecurity expert, was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall American intelligence.
Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed.Read more
The US government doesn't get along with hackers. That's just how it is. Hacking protected systems, even to reveal their weaknesses, is illegal under the Computer Fraud and Abuse Act, and the Department of Justice has repeatedly made it clear that it will enforce the law.
In the last 18 months, a new Department of Defense project called "Hack the Pentagon" has offered real glimmers of hope that these prejudices could change. The government's longstanding defensive posture makes some sense in theory—it has important secrets to keep—but in practice experts have long criticized the stance as a fundamental misunderstanding of how cybersecurity works.Read more