Third-party Facebook apps left people’s data publicly exposed, researchers say

Two separate exposures of sensitive information about Facebook users are the latest alarming discoveries by researchers at UpGuard. In both cases, the operators of third-party apps that connected to Facebook were storing data about people in Amazon Web Services S3 buckets configured for public access, said UpGuard, a Silicon Valley-based security company known for identifying misconfigured cloud services. One dataset originated with Mexico-based Cultura Colectiva, while the other was stored by the makers of an app called “At the Pool.” Both had been secured by Wednesday, UpGuard said. The Cultura Colectiva dataset is the bigger of the two exposures, comprising 146 gigabytes of information about comments, likes, reactions, account names, Facebook IDs and more, UpGuard said. The “At the Pool” discovery, while not nearly as large, “contains plaintext (i.e. unprotected) Facebook passwords for 22,000 users,” UpGuard said. The company appears to have ceased operation in 2014, but this “should offer little consolation to the app’s end users whose […]
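
The common thread in both exposures is a bucket whose policy or ACL grants read access to everyone, with nothing at the bucket or account level overriding that grant. The following is an added example, not code from UpGuard or from either app operator: an offline check that evaluates the three documents S3 returns for a bucket (its policy, its ACL and its Block Public Access settings, here constructed by hand in the shapes those APIs return) and reports whether anonymous reads are actually possible. The bucket name, account ID and role name in the samples are invented.

```python
"""Offline audit of the S3 settings behind a publicly readable bucket.

Added example, not UpGuard's or the app vendors' code. The policy, ACL and
public-access-block documents below are constructed to mirror the shapes
returned by GetBucketPolicy / GetBucketAcl / GetPublicAccessBlock;
nothing here talks to AWS.
"""
import fnmatch
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous caller enumerate or download objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anyone, including anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list:
    """Sids of unconditional Allow statements granting read access to everyone."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditioned grants (e.g. aws:SourceVpce) need manual review
        if not _principal_is_public(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(act, p) for act in READ_ACTIONS for p in patterns):
            found.append(stmt.get("Sid", f"Statement[{i}]"))
    return found


def public_acl_grants(acl: dict) -> list:
    """'<group>:<permission>' for each grant to the AllUsers/AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            out.append(f"{grantee['URI'].rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return out


def audit_bucket(policy: dict, acl: dict, access_block: dict) -> dict:
    """Combine the three settings the way S3 does: Block Public Access overrides the rest."""
    policy_hits = public_policy_statements(policy)
    acl_hits = public_acl_grants(acl)
    # IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets
    # stops anonymous access through a public bucket policy.
    acl_effective = bool(acl_hits) and not access_block.get("IgnorePublicAcls", False)
    policy_effective = bool(policy_hits) and not access_block.get("RestrictPublicBuckets", False)
    return {
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "publicly_readable": acl_effective or policy_effective,
    }


# Constructed sample documents (invented bucket, account and role).
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-app-data/*"},
    {"Sid": "AppRoleWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-app-data/*"}
  ]
}""")
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
NO_BLOCK = {k: False for k in ("BlockPublicAcls", "IgnorePublicAcls",
                               "BlockPublicPolicy", "RestrictPublicBuckets")}
FULL_BLOCK = {k: True for k in NO_BLOCK}

if __name__ == "__main__":
    print(audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, NO_BLOCK))    # publicly_readable True
    print(audit_bucket(EXPOSED_POLICY, EXPOSED_ACL, FULL_BLOCK))  # publicly_readable False
```

The second call shows why turning on all four Block Public Access settings is the fastest containment step: the public policy statement and the AllUsers grant are still present, but neither is reachable anonymously. Statements with a Condition block are deliberately skipped rather than flagged, since a source-VPC or source-IP condition can make a `Principal: "*"` statement private; review those by hand.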

The post Third-party Facebook apps left people’s data publicly exposed, researchers say appeared first on CyberScoop.

Voting-machine vendors have some serious questions to answer, senators say

While the security of the 2020 election remains a prominent topic in Washington, a group of Democratic senators is raising alarms about longer-term issues that will resonate after voters are done choosing a president about 20 months from now. The three companies that make most of the voting technology used in the U.S. must be more transparent about their plans to improve their products to meet current expectations about security and performance, says a letter Wednesday by Sen. Amy Klobuchar of Minnesota and three other top Democrats. In particular, the senators say every machine should reliably produce paper records, and the companies should do far more to upgrade their products. “The integrity of our elections is directly tied to the machines we vote on — the products that you make,” says the letter from Klobuchar, Mark Warner of Virginia, Jack Reed of Rhode Island and Gary Peters of Michigan. “Despite shouldering such a massive responsibility, there has been […]

Firefox Lockbox app aims to reduce password management hassles for Android users

The makers of the Firefox web browser are putting their own spin on password manager software, launching a new app intended to help Android device users get broader access to the logins that already follow them around via their Firefox accounts. The new Firefox Lockbox is directly tied to whatever a user saves all day within their browser, meaning there is “no extra set-up necessary,” according to a blog post from Mozilla, the organization that maintains Firefox. The main selling point seems to be convenience: A classic password manager like LastPass or 1Password exists in its own ecosystem, requiring users to fill it up with information by hand or through features like browser extensions. “This makes Firefox Lockbox the perfect solution for people who want to secure their personal information, but may not have time (or the recall) to choose and transfer all of their passwords into a password manager,” Mozilla says. It’s […]

Tesla Model 3’s onboard browser attacked successfully at Pwn2Own

A prolific duo of white-hat hackers exploited a previously unknown flaw in the web browser for the Tesla Model 3’s infotainment system on the third and final day of the Pwn2Own competition in Vancouver, demonstrating the first automotive zero-day in the event’s history. Team “Fluoroacetate” (Amat Cama and Richard Zhu) used the Tesla hack on Friday to cap off a dominant run in the competition, which takes place annually during the CanSecWest security conference. Cama and Zhu successfully demonstrated zero-day exploits on popular web browsers and widely used virtualization software during the first two days. The Zero Day Initiative (ZDI), the organization that runs Pwn2Own, didn’t release many details about the Tesla hack. Given the sensitivity of any flaws in automotive software, it’s hardly surprising. But the value of Cama and Zhu’s research to Tesla is clear: Not only did they win cash for their demonstration, they […]

Mozilla Firefox, Microsoft Edge succumb in web browser competition at Pwn2Own

The first day of this year’s Pwn2Own competition featured successful zero-day exploits on a popular web browser, and day two was no different, with the “Fluoroacetate” duo of Amat Cama and Richard Zhu turning their attention to Mozilla’s Firefox and Microsoft’s Edge. The team took home another $180,000 for their attacks, bringing their overall winnings to $340,000 for the competition, which highlights critical bugs in widely distributed software. Thursday’s winners also included Niklas Baumstark, who won $40,000 for a Firefox attack, and Arthur Gerkis of Exodus Intelligence, who won $50,000 for successfully targeting Edge. Competitors spend months preparing for the annual Pwn2Own hacking contest in Vancouver, which takes place during the CanSecWest security conference. Participants are tasked with trying to find vulnerabilities in widely used technology, and rewarded with cash prizes. They are only given a short amount of time to demonstrate their exploits for the crowd and judges. Team Fluoroacetate’s attacks on […]

Apple, Oracle, VMware products successfully hacked at Pwn2Own

The white-hat hacking team of Amat Cama and Richard Zhu, together known as “Fluoroacetate,” took home the majority of the prize money available on the first day of this year’s Pwn2Own competition in Vancouver, demonstrating zero-day exploits against Apple’s Safari browser as well as virtualization software from Oracle and VMware. Other winners on Wednesday included “anhdaden,” also known as Phạm Hồng Phi of Singapore-based cybersecurity company STAR Labs, who targeted the Oracle software; and the phoenhex & qwerty team (Bruno Keith, Niklas Baumstark and Luca Todesco), which targeted Safari. Fluoroacetate won $160,000 total, while anhdaden earned $35,000 and phoenhex & qwerty claimed $45,000 in prize money. Confirmed! @fluoroacetate leveraged a race condition leading to an out-of-bounds write to escalate from a #VMware client to execute code on the host OS. The effort brings them another $70,000 and 7 more Master of Pwn points. Their Day 1 total is $160,000 […]

Latest Pakistan bank-card fraud looks like an actual breach, researchers say

A spike in payment-card fraud in Pakistan over the past six months now appears to involve a possible breach of at least one bank’s internal systems, according to researchers with New York-based threat intelligence company Gemini Advisory. Previous reports — including research by Moscow-based cybersecurity company Group-IB — had noted two major dumps of Pakistani payment-card data on the dark web market Joker’s Stash in October and November, as well as further sales in January of this year. Gemini Advisory says it now appears that the card-information dumps point to a more aggressive level of hacking beyond point-of-sale attacks. “While fraudsters generally acquire card and PIN data with card skimmers and cameras or overlays, the January 24 and January 30, 2019 breach included such data in large quantities pertaining to a single bank – Meezan Bank Ltd.,” Gemini Advisory says. “Gemini analysts therefore assess with moderate confidence that the compromised records posted […]

Facebook purges accounts for spreading hate speech, this time in the U.K. and Romania

Facebook says it shut down dozens of accounts, pages and groups intended to “engage in hate speech and spread divisive comments on both sides of the political debate” in the United Kingdom and in Romania. It’s the latest announcement in the social media giant’s campaign to reduce “coordinated inauthentic behavior” on sites that it owns. In a news release Thursday, the company said 23 pages, 74 Facebook accounts, 5 groups, and 35 Instagram accounts were affected in the U.K. sweep. A separate four pages, 26 Facebook accounts, and one group were shut down in Romania. “We didn’t find any links between these sets of activities, but they used similar tactics by creating networks of accounts to mislead others about who they were and what they were doing,” Facebook said. The company did not specify who ran the operations. The perpetrators’ general goal in the U.K. was political disruption, Facebook said, […]

Serious flaw found and patched in WordPress, but it might lurk in plugins

WordPress recently patched a long-running, potentially serious vulnerability in its core code. But a similar flaw in third-party plugins could still allow hackers to take over websites that use the popular publishing software, according to German web security company RIPS Technologies. Exploiting the vulnerability requires an attacker to have access to an account with “author” privileges for the target website, a common designation for WordPress users. Once logged in, a hacker could manipulate the file paths WordPress records for uploaded images and later reads back, essentially tricking the software into saving a malicious script file into a directory that typically handles photos. “An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover,” RIPS researcher Simon Scannell wrote in a blog post Tuesday. The bug, which RIPS is categorizing as a “path traversal” vulnerability, is exploitable WordPress instances […]
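
The defensive pattern that a path-traversal bug of this shape calls for is to treat the stored relative path as untrusted, normalise it, prove the result stays inside the uploads directory, and only then accept it, with an image-extension allow-list as a second barrier against a script landing where PHP will execute it. The following is an added example, not WordPress code and not RIPS Technologies’ proof of concept: a vulnerable resolver beside a hardened one, run over constructed inputs. The uploads directory path is an assumed value for a typical install.

```python
"""Confining an image path to the uploads directory.

Added example, not WordPress or RIPS Technologies code. WordPress stores the
relative path of an uploaded image and later joins it to the uploads
directory; the flaw described above is that an author-controlled path
could escape that directory. UPLOADS_DIR is an assumed install path.
"""
import posixpath

UPLOADS_DIR = "/var/www/html/wp-content/uploads"   # assumed install path
ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "webp"}


def resolve_unsafe(attached_file: str, base: str = UPLOADS_DIR) -> str:
    """The 'before' shape: trust the stored relative path and join it to base."""
    return posixpath.normpath(posixpath.join(base, attached_file))


def is_confined(candidate: str, base: str) -> bool:
    """True only if the normalised candidate lies inside base (not merely prefixed by it)."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    return candidate == base or candidate.startswith(base + "/")


def resolve_safe(attached_file: str, base: str = UPLOADS_DIR) -> str:
    """Hardened resolution: reject NUL bytes, absolute paths, traversal and non-image names."""
    if not attached_file or "\x00" in attached_file:
        raise ValueError("empty path or embedded NUL byte")
    relative = posixpath.normpath(attached_file)
    if relative.startswith("/") or relative == ".." or relative.startswith("../"):
        raise ValueError(f"path escapes the uploads directory: {attached_file!r}")
    full = posixpath.normpath(posixpath.join(base, relative))
    if not is_confined(full, base):
        raise ValueError(f"path escapes the uploads directory: {attached_file!r}")
    name = posixpath.basename(full)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_IMAGE_EXT:
        raise ValueError(f"not an allowed image extension: {name!r}")
    # On a real host also compare os.path.realpath() results so a symlink
    # inside uploads cannot point back out of it; string checks cannot see symlinks.
    return full


# Constructed inputs: one legitimate upload and three attacker-shaped values.
SAMPLES = [
    "2019/03/photo.jpg",
    "../../wp-config.php",
    "2019/03/photo.jpg/../../../shell.php",
    "2019/03/shell.php",
]


def classify(paths=SAMPLES) -> dict:
    """Map each input to its safe resolution or the rejection reason."""
    results = {}
    for p in paths:
        try:
            results[p] = resolve_safe(p)
        except ValueError as err:
            results[p] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:45} unsafe -> {resolve_unsafe(p)}")
    for p, outcome in classify().items():
        print(f"{p!r:45} safe   -> {outcome}")
```

Run stand-alone, the unsafe resolver maps `../../wp-config.php` to a file two levels above the uploads directory and maps the `photo.jpg/../../../shell.php` value to `shell.php` directly inside uploads, which is exactly the outcome the article describes; the hardened resolver rejects both, the first for traversal and the second because the surviving name is not an image. The prefix check in `is_confined` compares against `base + "/"` rather than `base` so that a sibling directory such as `uploads2` is not mistaken for a descendant.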

With eyes squarely on the cloud, Symantec acquires Israeli network security firm Luminate

Symantec has acquired an Israeli company that specializes in protecting corporate networks that are based in the cloud — an area of competency that will only become more important as businesses continue to move their data and software to third-party cloud providers. The Silicon Valley cybersecurity giant said it is acquiring Luminate Security because of its strength in zero-trust security and “software defined perimeter” technology. Luminate’s zero-trust technology “securely connects any user from any device, anywhere in the world to corporate applications, on-premises and in the cloud, while all other corporate resources are cloaked without granting access to the entire network,” according to a release. Tel Aviv-based Luminate’s software defined perimeter technology helps customers protect the fringes of their networks by providing “full visibility of users’ actions as they access corporate resources, as well as real-time governance of these resources.” The idea is that the perimeter is no longer a desktop computer on the average […]