Browsing category

Vulnerabilities

Ransomware scammers exploited Safari bug to extort porn-viewing iOS users

Apple fixes flaw attackers used to trick uninformed users into paying a fine. Ransomware scammers have been exploiting a flaw in Apple’s Mobile Safari browser in a campaign to extort fees from uninformed users. The scammers particularly target those who viewed porn or other controversial content. Apple patched the vulnerability on Monday with the release […]

British Authorities Slam WhatsApp for Encryption Used by London Terrorist

The Brits join US intelligence agencies who want a backdoor into the encryption feature on all services. End-to-end encryption services like WhatsApp are once more being slammed for offering protection for users everywhere. This time, the UK is doing all the finger-pointing, and it’s because of the terrorist attack that took place on Wednesday. […]

Hackers Breached Department of Labor Job Seekers Portal

Hackers have breached America’s Job Link Alliance (AJLA), a job portal offered by the Department of Labor (DOL), and stolen personal details from an undisclosed number of job seekers. AJLA, a multi-state database of US job seekers, acknowledged the security breach through a message on its website. Hackers stole information from job seekers in 10 […]

Dishwasher has directory traversal bug

Thanks a Miele-on for making everything dangerous, Internet of Things security slackers. Don’t say you weren’t warned: Miele went full Internet-of-Things with a dishwasher, gave it a web server and now finds itself on the wrong end of a bug report it’s accused of ignoring. The utterly predictable bug report at Full Disclosure details […]

Experts Doubt Hackers’ Claim of Millions of Breached Apple Credentials

Security experts say they are skeptical that a group of hackers called Turkish Crime Family actually possesses a cache of hundreds of millions of Apple iCloud account credentials. A more plausible explanation, they say, is that crooks used credential stuffing attacks to amass a limited number of valid Apple usernames and passwords in an attempt to […]

Bluetooth Bug Lets Burglars Disable Google Nest Cams

Burglars can use a recently disclosed security flaw affecting several Google Nest cams to make vulnerable cameras go offline for approximately 60 to 90 seconds. The flaw can be exploited via the cameras’ Bluetooth connection and can provide thieves with the time window they need to get close and break into a home unseen, and […]

New Attack “XSSJacking” Combines Clickjacking, Pastejacking, and Self-XSS

Security researcher Dylan Ayrey detailed last week a new web-based attack named XSSJacking that combines three other techniques — Clickjacking, Pastejacking, and Self-XSS — to steal data from careless users. Ayrey says XSSJacking can help attackers reach sensitive information for which they would normally need a more complex security flaw, such as a stored XSS […]

Apache Struts2 Remote Code Execution Vulnerability S2-046

Apache Struts is a free and open-source framework used to build Java web applications. This is not the first remote code execution vulnerability discovered in Apache Struts. The Apache Struts2 project released a security bulletin pointing out a remote code execution vulnerability in the Apache Struts2 Jakarta Multipart parser plug-in, tracked as CVE-2017-5638. An […]

eBay Asks Users to Downgrade Security

Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online […]

LastPass Bugs Allow Malicious Websites to Steal Passwords

LastPass says it patched one of two separate bugs that affected its Chrome and Firefox browser extensions, which if exploited, would have allowed a third-party to extract passwords from users visiting a malicious website. Both bugs were discovered by Tavis Ormandy, a security researcher working for Google’s Project Zero. Of the two bugs Ormandy discovered, […]

New Metasploit RFTransceiver extension allows testing IoT services

The Metasploit RFTransceiver extension implements the Hardware Bridge API, which allows organizations to test wireless devices operating outside the 802.11 spec. Recently we reported the news of the availability of a new hardware bridge extension for Metasploit to test hardware, including IoT devices. We have to consider that IoT devices are pervading our daily life, such as in […]

Twitter app spams Fappening bait and Amazon surveys

With news of another so-called Fappening (nude photos of celebrities distributed without permission) doing the rounds, it was inevitable that scammers would look to take advantage. We’ve already seen message board aficionados warn others of dodgy download links and random zip files claiming to contain stolen nude photos and video clips, but today we’re going to look […]

Moodle – Remote Code Execution

The vulnerability (CVE-2017-2641) allows an attacker to execute PHP code at the vulnerable Moodle server. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post. Moodle is a very popular learning management system, deployed in many universities around the world, including top institutes such as MIT, Stanford, the University of Cambridge, […]

Cisco’s Investigation into Vault 7 Leak Uncovers 0-Day Affecting 318 Products

Over 300 Cisco products are affected by a zero-day vulnerability Cisco discovered last week, and for which no patch is available at the time of writing. Cisco engineers discovered the zero-day following a company-wide effort to investigate how the recently disclosed WikiLeaks “Vault 7” leak affected the company’s products. Vault 7 investigation leads to zero-day […]

Attackers Leverage Excel, PowerShell and DNS in Latest Non-Malware Attack

Increasingly, cyberattackers have been leveraging “non-malware” attack methods to target vulnerable organizations. Recently, the Carbon Black Threat Research Team was alerted about such an attack by a partner’s incident response (IR) team. The attack ultimately compromised accounts and stole research and intellectual property. In this specific attack, a malicious Excel document was used to create […]

Security Vulnerability in McDonald’s India allows hackers to access Customer data

If you are from India and have ordered a burger from McDonald’s, your personal details are at risk. Security researchers from Fallible found a serious vulnerability in the McDonald’s India application that allows hackers to access millions of customers’ data. There is no authentication or authorization check in the API used by the application. Sending a request to “http://services.mcdelivery.co.in/ProcessUser.svc/GetUserProfile” […]

Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]

Hack worked by stitching together three separate exploits. Contestants at this year’s Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft’s heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so […]