In what appears to be a major breakthrough for law enforcement, and a possible privacy problem for Apple customers, a major U.S. government contractor claims to have found a way to unlock pretty much every iPhone on the market.
Cellebrite, a Petah Tikva, Israel-based vendor that's become the U.S. government's company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11. That includes the iPhone X.
Read moreAs more amplified attacks were expected following the record-breaking 1.35 Tbps Github DDoS attack, someone has just set a new record after only four days — 1.7 Tbps DDoS attack.
Network security and monitoring company Arbor Networks claims that its ATLAS global traffic and DDoS threat data system have recorded a 1.7Tbps reflection/amplification attack against one of its unnamed US-based customer's website. Similar to the last week's DDoS attack on GitHub, the massive bandwidth of the latest attack was amplified by a factor of 51,000 using thousands of misconfigured Memcached servers exposed on the Internet.
Read moreAttackers have generated $3,900 so far in an ongoing campaign that's exploiting the popular rTorrent application to install currency-mining software on computers running Unix-like operating systems, researchers said Thursday.
The misconfiguration vulnerabilities are similar in some respects to ones Google Project Zero researcher Tavis Ormandy reported recently in the uTorrent and Transmission BitTorrent apps. Proof-of-concept attacks Ormandy developed exploited weaknesses in the programs' JSON-RPC interface, which allows websites a user is visiting to initiate downloads and control other key functions.
Read moreA slew of newly discovered vulnerabilities can wreak havoc on 4G LTE network users by eavesdropping on phone calls and text messages, knocking devices offline, and even spoofing emergency alerts.
Ten attacks detailed in a new paper by researchers at Purdue University and the University of Iowa expose weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to the network and maintaining a connection to receive calls and messages. Those flaws can allow authentication relay attacks that can allow an adversary to connect to a 4G LTE network by impersonating an existing user -- such as a phone number.
Read moreOver one-third of all security incidents start with phishing emails or malicious attachments sent to company employees, according to F-Secure.
The single most common source of breaches analyzed in the report was attackers exploiting vulnerabilities in an organization’s Internet facing services, which accounted for about 21 percent of security incidents investigated by F-Secure’s incident responders. Phishing and emails with malicious attachments together accounted for about 34 percent of breaches, which F-Secure Principal Security Consultant Tom Van de Wiele says make attacks arriving via email a much bigger pain point for organizations.
Read morePurity is so hard to find. Everything is, in some way, tainted, even if you don't see it at first. This painful truth seems to have descended upon one of the purer minds in tech, that of Apple co-founder Steve Wozniak.
Speaking on Monday in New Delhi, India, at the Economic Times Global Business Summit, Woz explained that he was fascinated by the purity of cryptocurrency. "Bitcoin to me was a currency that was not manipulated by the governments. It is mathematical. It is pure. It can't be altered," he said. Ah, but it seems it can be stolen. "I had seven bitcoins stolen from me through fraud," he said.
Read moreMicrosoft Word documents can now be used by hackers to deliver a cryptojacking script—hijacking a victim's computer to mine the cryptocurrency Monero. The attack utilizes Word's Online Video feature to commandeer the CPU.
The feature allows a Word user to simply paste the iframe embed code to add an internet video to a Word document. The video will then pop up in the Word document, and can be played the next time a user opens the document. However, an attacker can add the cryptojacking script in with the video code, tricking the victim into performing Monero mining for them.
Read moreTwo versions of uTorrent, one of the Internet's most widely used BitTorrent apps, have easy-to-exploit vulnerabilities that allow attackers to execute code, access downloaded files, and snoop on download histories, a Google Project Zero researcher said.
uTorrent developers are in the process of rolling out fixes for both the uTorrent desktop app for Windows and the newer uTorrent Web product. The vulnerabilities make it possible for any website a user visits to control key functions in both the uTorrent desktop app for Windows and in uTorrent Web, an alternative to desktop BitTorrent apps that uses a Web interface and is controlled by a browser.
Read moreA security researcher hijacked hundreds of GitLab domains in just a few seconds by exploiting a weakness in how the company handles domain verification -- a security issue that the company has now fixed.
GitLab, a web-based git repository manager that lets developers track and collaborate on source code and project development, also allows users to host their own content and projects with a custom domain name. But the company said in a security notification on February 5 that no validation was being performed when a user added a custom domain to their GitLab accounts.
Read moreA newly published attack let researchers take over Tinder accounts with just a user’s phone number. Tinder has changed its login system to protect against the attack and there’s no evidence it was exploited before the patch.
Still, it’s a reminder of how fragile many login systems still are, and how powerful even basic vulnerabilities can be when chained together. The attack worked by exploiting two separate vulnerabilities: one in Tinder and another in Facebook’s Account Kit system, which Tinder uses to manage logins. The Account Kit vulnerability exposed users’ access tokens, making them accessible through a simple API request with an associated phone number.
Read moreAxarhöfði 14,
110 Reykjavik, Iceland