#Google is under fire after a report found that Google Home and Google Assistant records user audio, even when no wake-up word is used.
threatpost.com/google-home-r…
A white hat hacker reverse engineered 30 mobile financial applications and found sensitive #data buried in the underlying #code of nearly all apps examined.
threatpost.com/financial-app…
Breaking: Hundreds of millions of #Facebook records – including account names and plaintext #passwords – have been found in two separate publicly-exposed app datasets, researchers at @UpGuard found.
threatpost.com/facebook-data…
#Citrix warned of multiple #security flaws that could allow code injection and data theft - including four that are exploitable by unauthenticated, remote attackers.
threatpost.com/citrix-bugs-a…
Secure password firms (1Password, Dashlane, KeePass and LastPass) are blasting a #security report highlighting how the utilities can be cracked open to steal #passwords.
threatpost.com/1password-das…
The latest #iOS and Android versions of the FinSpy #malware have been deployed in the wild. The espionage tool can eavesdrop on Signal, Telegram and WhatsApp messages and calls.
threatpost.com/finspy-module…
A strange glitch in #Gmail can be exploited to place emails into a person’s “Sent” folder — even if that person never sent them.
threatpost.com/gmail-glitch-…
#Amazon admitted it saves #Alexa voice recordings indefinitely - and even if customers delete their data, third-party developers can still save records of interactions.
threatpost.com/amazon-admits…
A vulnerability in #Google’s Chromium-based browsers allows attackers to bypass the Content #Security Policy on websites, in order to steal data and execute rogue code.
threatpost.com/google-chrome…
Top 2020 #security predictions:
-Mobile will become a prime phishing attack vector
-Hackers will increasingly employ machine learning in attacks
-Cloud increasingly seen as fertile ground for compromise
Add your own 2020 predictions in the comments ⤵️
threatpost.com/2020-cybersec…
Hackers are still using #Metasploit and a highly effective technique called Shikata Ga Nai to slip past modern day endpoint protections, said @FireEye researchers.
threatpost.com/metasploit-st…
The open-source Virtual Network Computing (VNC) project, often found in industrial environments, is plagued with 37 different memory-corruption #security vulnerabilities.
threatpost.com/critical-flaw…
A former analyst for the U.S. Defense Intelligence Agency was sentenced to 2+ years in prison after sharing highly classified, national defense intelligence with two reporters.
threatpost.com/former-dia-an…
Multiple zero-days in a Counter-Strike client were used to build a major #botnet - and almost 40 percent of Counter-Strike 1.6 game servers on Steam were found to be malicious.
threatpost.com/zero-days-cou…
The entire population of #Ecuador has been impacted by an open database on an unsecured server. Exposed data includes:
-Full name
-Date and place of birth
-Home address
-Cell phone numbers/emails
-Taxpayer IDs
-Marital status
(Via @vpnmentor)
threatpost.com/marketing-ana…
Two zero-day #security flaws have been uncovered in #Zoom’s macOS client version. The flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.
threatpost.com/two-zoom-zero…
A seven-year #Android surveillance campaign has been exposed, which used four malware tools to spy on the Uyghur ethnic minority group. (via @Lookout)
threatpost.com/four-android-…
A fake #Adobe update actually updates victims’ Flash Player – but also installs malicious #cryptomining malware.
Researchers at @Unit42_Intel warned that the fake updates also borrow pop-up notifications from the official Adobe installer.
threatpost.com/stealthy-fake…
The operators of Shade #ransomware called it quits, releasing 750,000 encryption keys on GitHub and publicly apologizing to victims affected by the malware.
threatpost.com/shade-threat-…
A researcher dropped a zero-day #security vulnerability that affects the Steam game client for #Windows. Valve has published a patch - but the same researcher said it can be bypassed.
threatpost.com/gamers-zero-d…
#Cisco is warning of a critical #security flaw in the web server of its IP phones.
An unauthenticated, remote attacker could exploit the flaw to execute code with root privileges or launch a DoS attack.
threatpost.com/critical-cisc…
A new variant of the #Mirai IoT botnet is targeting wireless presentation systems and LG display systems used by enterprises.
threatpost.com/mirai-enterpr…
Researchers demonstrated for the third time how #hacking into the key fob of a #Tesla can allow someone to access and steal the car in minutes.
threatpost.com/tesla-hacked-…
The #NSA and #CISA have issued an alert warning that adversaries could be targeting critical infrastructure across the U.S.
threatpost.com/nsa-urgent-wa…
A stack of #Linux backdoor malware used for espionage is being used as a shared resource by five different Chinese-language #APT groups.
threatpost.com/black-hat-lin…
#Apple has made Group FaceTime temporarily unavailable following a major flaw discovered on Monday evening that allows eavesdropping via #FaceTime.
More to come soon on Threatpost.
Unencrypted mobile traffic on #Tor network is leaking personal identifiable information, researchers say. That includes GPS coordinates, web addresses, phone numbers and keystrokes.
threatpost.com/unencrypted-m…
Researchers are urging #Ring users to update to the latest version of the smart doorbell after a serious flaw triggered #privacy concerns.
threatpost.com/ring-doorbell…
A threat actor known as “Sanix” was taken into custody, for allegedly posting 773 million e-mail addresses and 21 million passwords on a #hacker forum last year. #ICYMIthreatpost.com/alleged-hacke…
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed. threatpost.com/cybercriminal…
A high-severity flaw was discovered in a #WordPress plugin installed on more than 100,000 sites.
The vulnerability could lead to XSS and the injection of malicious #JavaScript anywhere on a victim's site.
threatpost.com/wordpress-plu…
#Cisco is warning of three high-severity #Webex flaws, including one that could allow unauthenticated attackers to remotely execute code on impacted systems.
threatpost.com/cisco-webex-r…
A critical #Linux bug has been discovered that could allow attackers to fully compromise vulnerable machines.
A #security fix has been proposed but has not yet been incorporated into the Linux kernel.
threatpost.com/critical-linu…
A database on #Apple’s macOS computers is storing emails, that are supposed to be protected with encryption, as readable files.
It's a problem that the company has been aware for months - and still has yet to solve.
threatpost.com/encrypted-ema…
More than 2 million #IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.
threatpost.com/consumers-urg…
The first-stage Golang malware loader, spotted in active campaigns, has added additional exploits and a new backdoor capability.
threatpost.com/worm-golang-m…
Threat actors can easily build #malware-laced Community Amazon Machine Images (AMI) and make them available to unsuspecting #AWS customers, researchers warn.
threatpost.com/malicious-aws…
A researcher found that phone numbers tied to #WhatsApp accounts are indexed publicly on #Google Search creating what he claims is a “privacy issue” for users.
threatpost.com/whatsapp-phon…
A vulnerability discovered in #mobile SIM cards is being actively exploited to track phone users – all merely by sending an #SMS message to victims, researchers say.
threatpost.com/1b-mobile-use…
Researchers are warning of a dangerous spearphishing campaign, which has targeted 17 U.S. utility companies with a new #malware variant.
The malware, which @proofpoint calls LookBack, has capabilities to view system data and reboot machines.
threatpost.com/more-u-s-util…
A long-feared attack vector against Pretty Good Privacy (PGP) is being exploited for the first time, making it impossible for #PGP to work properly for victims targeted.
threatpost.com/pgp-ecosystem…
Join our #WomenInSTEM webinar to learn more about why women are a crucial piece of the #cyber workforce puzzle.
Threatpost will talk to Cynthia Brossman of @BU_Tweets about expanding female representation in the cyber workforce.
Register now! bit.ly/2Pj4iQw
#Dell patched a high-severity flaw in its SupportAssist #software, which could allow attackers to execute arbitrary code (with admin privileges)
threatpost.com/dell-patches-…