A missile control system developed by US defense contractor Raytheon is detailed in the CIA’s project ‘Protego,’ shared by WikiLeaks as part of the ‘Vault7’ series. WikiLeaks said the project differed to the “usual” malware development project from the CIA, with no indication as to why it’s contained within a repository of hacking techniques.
The release details micro-controller units which exchange data and signals over encrypted and authenticated channels, used on-board Pratt & Whitney aircraft equipped with missile launch systems. ‘Master Processor’ and ‘Deployment Box’ systems are on board the flight, with micro-controllers for the missile.Read more
Equifax is one of the largest credit reporting agencies in America, which makes an announcement the company just issued particularly disconcerting. An authorized third party gained access to Equifax data on as many as 143 million Americans.
That's nearly half the population of the United States as of the last census. Equifax announced the incident this afternoon. Included among files accessed by hackers was a treasure trove of personal data: names, dates of birth, Social Security numbers, addresses. In some cases -- Equifax states around 209,000 -- the records also included actual credit card numbers. Documentation about disputed charges was also leaked.Read more
Modern smartphones take pains to “sandbox” apps, keeping them carefully segregated so that no mischievous program can meddle in another app’s sensitive business.
But security researchers have found an unexpected feature of Android that can surreptitiously grant an app the permission to not merely reach outside its sandbox but fully redraw the phone’s screen while another part of the operating system is running, tricking users into tapping on fake buttons that can have unexpected consequences. And while that hijacking of your finger inputs isn’t a new feat for Android hackers, a fresh tweak on the attack makes it easier than ever to pull off.Read more
The ShadowBrokers have promised the release of NSA exploit UNITEDRAKE which remotely targets Windows machines to subscribers. This week, the threat group posted an update to the Monthly Dump service, which will now include two cache dumps every four weeks for subscribers.
The changes have been made potentially as a means to drum up extra interest for cyberattackers, government groups, or vendors which have chosen to subscribe to the service to gain access to the stolen exploits and malware samples. The September dump includes a manual for UNITEDRAKE, modular malware which remotely targets Microsoft Windows machines.Read more
Vendors relying on Mastercard’s Internet Gateway Service for processing online payments ought to double-check every transaction before they send out items to customers.
There is a critical flaw in the system’s validation protocol and it appears the company is completely ignoring it. Independent security researcher has stumbled upon a glaring flaw in the MIGS protocol that allows hackers to spoof the payment system and trick merchants into accepting invalid transactions as successful. “It can be said that this is a MIGS client bug, but the hashing method chosen by Mastercard allows this to happen,” the researcher explains.Read more
A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server -- putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely run code on servers that run applications using the REST plugin, built with Apache Struts.
All versions of Struts since 2008 are affected, said the researchers. Apache Struts is used across the Fortune 100 to provide web applications in Java, and it powers front- and back-end applications. Man Yue Mo said that Struts is used in many publicly accessible web applications, such as airline booking and internet banking systems.Read more
Users who purchased a Lenovo PC between September 2014 and January 2015 got an extra special surprise in the form of adware that left them wide open to malicious attacks. After two and a half years of legal wrangling, the Federal Trade Commission settled its lawsuit against the company, and it’s hard to imagine that executives learned their lesson.
On Monday, the FTC announced that Lenovo will have to inform its customers of all the software that comes pre-loaded on its products and receive the user’s consent. The company will also be subject to 20 years of audited security checks.Read more
Earlier this summer the House Science Committee sent letters to 22 US government agencies requesting information on their use of Kaspersky Lab security products.
As the federal government continues to investigate claims of ties between the Trump administration and Russia, officials in Washington have expressed concern that the government's use of software from Kaspersky Lab—a well-known security vendor based in Russia—could compromise domestic intelligence. This request represents the most recent action in an aggressive campaign by Congress.Read more
Companies must tell employees in advance if their work email accounts are being monitored and such checks must not unduly infringe workers’ privacy, the European Court of Human Rights ruled.
In a judgment in the case of a man fired 10 years ago for using a work messaging account to communicate with his family, the judges found that Romanian courts failed to protect Bogdan Barbulescu’s private correspondence because his employer had not given him prior notice it was monitoring his communications. Email privacy has become a contested issue as more people use work addresses for personal correspondence even as employers demand the right to monitor email.Read more
China's new cybersecurity law will enable its government to discover potential security vulnerabilities of any company doing business in the country, threat intelligence firm Recorded Future warns.
The law grants the China Information Technology Evaluation Center, an office in the Ministry of State Security, the power to request source code and other intellectual property of tech suppliers operating in the country. Information gleaned might easily be exploited by CNITSEC in furtherance of its intelligence operations. Director of strategic threat development at the firm reckons the measures place companies between a rock and a hard place.Read more