New flaw prompts Google to shut down Google+ for consumers within 90 days

Google will shut down the consumer version of Google+ months sooner than planned after discovering a security flaw that impacted the privacy of some 52.5 million users, the company announced Monday. Google said in October that it would shut down the social media platform in August 2019, while also disclosing a bug that exposed non-public profile information. Monday’s announcement brings the farewell date for Google+’s consumer platform up to March 2019. The company said that an update to the platform last month inadvertently included a bug that affected a Google+ application programming interface (API). The bug existed for six days, Google said, and there’s no indication it was exploited before the company discovered it during standard testing procedures. In comparison, Google said it discovered the last Google+ API bug in March and disclosed it in October. The API is called “People: get” and it allows for developers using Google+ to request basic information associated with a user profile, like name, […]

The post New flaw prompts Google to shut down Google+ for consumers within 90 days appeared first on Cyberscoop.

Kaspersky: Physical devices used to steal ‘tens of millions’ from Eastern Europe banks

Banks in Eastern Europe were targeted with cyberattacks that involved planting physical devices on their premises, according to a report from Russian cybersecurity company Kaspersky Lab published Thursday. Researchers say the attacks have resulted in “tens of millions of dollars” in damage at no fewer than eight banks. “In some cases, it was the central office, in others a regional office, sometimes located in another country,” the report says. Kaspersky says the attacks, dubbed “DarkVishnya,” were carried out in person by a third party who planted devices that connect directly to the banks’ networks. The attackers used one of three tools, the researchers say: a laptop, a Raspberry Pi computer or a Bash Bunny, a USB attack tool that looks like a flash drive and is built to deliver a malicious payload. Sergey Golovanov, a security expert at Kaspersky, told CyberScoop in an email that the researchers realized that physical devices were being used because of a discrepancy between the number of authorized devices versus […]
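
The detection hinted at above, an inventory-versus-reality check, as an added example that is not Kaspersky's code or anything from the report. It parses constructed ISC-dhcpd-style lease lines (the format is assumed), compares every MAC seen on the segment against an assumed authorized-asset list, and flags anything unknown, noting the vendor prefix where it matters; b8:27:eb is the Raspberry Pi Foundation OUI. Real deployments would feed it switch MAC tables or DHCP logs rather than the sample string.

```python
"""Flag devices seen on a network segment that are absent from the authorized asset inventory.

Added example, not from the Kaspersky report. The lease text, the authorized list and the
OUI table below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: ISC dhcpd lease blocks flattened to one line each (assumed format).
SAMPLE_LEASES = """\
lease 10.20.5.11 { hardware ethernet 00:50:56:a1:b2:c3; client-hostname "ws-teller-01"; }
lease 10.20.5.12 { hardware ethernet 00:50:56:a1:b2:c4; client-hostname "ws-teller-02"; }
lease 10.20.5.77 { hardware ethernet b8:27:eb:12:34:56; client-hostname "raspberrypi"; }
lease 10.20.5.78 { hardware ethernet 00:11:22:33:44:55; }
"""

# Assumed inventory: MACs the asset database says belong on this segment.
AUTHORIZED = {"00:50:56:a1:b2:c3", "00:50:56:a1:b2:c4"}

# Vendor prefixes worth calling out explicitly. b8:27:eb is the Raspberry Pi Foundation OUI.
OUI_OF_INTEREST = {"b8:27:eb": "Raspberry Pi Foundation"}

LEASE_RE = re.compile(
    r'lease (?P<ip>\d+\.\d+\.\d+\.\d+) \{.*?hardware ethernet (?P<mac>[0-9a-f:]{17});'
    r'(?:.*?client-hostname "(?P<host>[^"]*)")?',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    vendor_note: str


def parse_leases(text):
    """Yield (ip, mac, hostname) for every lease line that parses; MACs are lowercased."""
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower(), m.group("host") or ""


def find_rogue_devices(lease_text, authorized, oui_table):
    """Return a Finding for each device on the wire that the inventory does not know about."""
    findings = []
    for ip, mac, host in parse_leases(lease_text):
        if mac in authorized:
            continue
        note = oui_table.get(mac[:8], "unknown vendor")
        findings.append(Finding(ip, mac, host, note))
    return findings


def device_count_discrepancy(lease_text, authorized):
    """(devices seen, devices seen that are authorized): a mismatch is the alert condition."""
    seen = {mac for _, mac, _ in parse_leases(lease_text)}
    return len(seen), len(seen & set(authorized))


if __name__ == "__main__":
    seen, ok = device_count_discrepancy(SAMPLE_LEASES, AUTHORIZED)
    print(f"{seen} devices seen, {ok} authorized")
    for f in find_rogue_devices(SAMPLE_LEASES, AUTHORIZED, OUI_OF_INTEREST):
        print(f"ROGUE {f.ip} {f.mac} host={f.hostname!r} ({f.vendor_note})")
```

Run against the sample, it reports four devices seen against two authorized and lists the Raspberry Pi and the hostname-less device as rogue. A MAC comparison is only a first pass: an attacker who clones an authorized MAC defeats it, so pair the check with 802.1X or switch port security and alert on an authorized MAC appearing on an unexpected port.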

Report: Adobe zero-day exploit similar to HackingTeam tool

Adobe issued a new patch for a zero-day vulnerability in the company’s Flash Player after an exploit for it was found in the wild. The flaw, uncovered by researchers from the security vendor Gigamon, was exploitable through a Microsoft Word document, according to a report published Wednesday. Researchers discovered the vulnerability after a Ukrainian IP address submitted the details to VirusTotal, a malware analysis site, the Gigamon report said. The document was made to look like a job application form for a Russian health clinic, but in fact was meant to deliver reconnaissance malware. Researchers also said the hacking technique was similar to tools used by HackingTeam, an Italian surveillance company that had much of its spyware leaked in 2015. Gigamon researchers did not attribute this malware to HackingTeam because many of the company’s tools have been publicly accessible online for three years, meaning other hackers could have replicated some of that malicious code. The researchers also did not prioritize attribution, arguing that […]
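
A first-pass triage check for the delivery vector described above, as an added example that is neither Gigamon's nor Adobe's code. A Word document carrying Flash content must reference the Shockwave Flash ActiveX control (CLSID D27CDB6E-AE6D-11CF-96B8-444553540000) or carry SWF bytes, whose first three bytes are FWS, CWS or ZWS, somewhere in the OOXML package. The script unzips a .docx in memory and flags both; the sample package it builds is constructed and is not a real document, and the part names used for it are assumptions.

```python
"""Triage a .docx for embedded Flash content.

Added example, not from the Gigamon report. Looks for SWF magic at the start of any package
part and for the Shockwave Flash ActiveX CLSID inside any part. The sample document is
constructed in memory; its part names (word/activeX/activeX1.xml, word/embeddings/...) are
assumptions chosen to mimic where Word stores such objects.
"""
import io
import zipfile

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed SWF
FLASH_CLSID = b"d27cdb6e-ae6d-11cf-96b8-444553540000"  # Shockwave Flash ActiveX control


def scan_docx(data: bytes):
    """Return a list of (part_name, reason) hits; an empty list means nothing was found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if blob[:3] in SWF_MAGICS:
                hits.append((name, "SWF header " + blob[:3].decode("ascii")))
            if FLASH_CLSID in blob.lower():
                hits.append((name, "Shockwave Flash CLSID"))
    return hits


def build_sample_docx(with_flash: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (not a valid Word file) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_flash:
            # Constructed ActiveX part referencing the Flash control by CLSID.
            z.writestr("word/activeX/activeX1.xml",
                       '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>')
            # Constructed embedded object starting with a zlib-compressed SWF header.
            z.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_docx(doc) or "no Flash indicators")
```

The magic-byte check only catches a SWF stored as a bare part; when Word wraps the object in an OLE compound file (an activeX1.bin or oleObject1.bin that starts with D0 CF 11 E0), walk its streams with a library such as olefile and apply the same test to each stream. The CLSID match is the more robust of the two signals because the control reference has to be present for Word to load the Flash player at all.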

Mastercard and Microsoft say they’re developing a universal identity management solution

Identity management is one of the most cumbersome issues in information security today. How should organizations verify that people using a banking, e-commerce or other digital service are who they say they are? Mastercard and Microsoft are banding together to try to find a universal solution, the two companies announced Monday. Current identity management schemes are onerous for end users, Microsoft and Mastercard say. Organizations and individuals have to rely on things like a Social Security number, proof of address, a username and password or something else. “We believe that there is a huge need for a universally-recognized digital identity service that puts the individual in control. Right now, proving one’s identity online places a huge burden on individuals,” Charles Walton, Mastercard’s senior vice president of digital identity products, told CyberScoop in an email. “People have to successfully remember hundreds of passwords for various identities and are increasingly being subjected […]

New bipartisan bill proposes international election security cooperation

With Election Day having passed without any apparent cybersecurity issues, a pair of senators have introduced a bill that would have the U.S. share election cybersecurity information and best practices with international allies. Under the Global Electoral Exchange Act, U.S. election officials would collaborate more closely with their foreign counterparts, and the State Department would have new authority to share information. A program would be created at the State Department to invite people from participating countries involved in election administration to exchange strategies on how to conduct audits, protect election infrastructure, fight disinformation campaigns and share ideas on other election security issues that have risen to prominence amid growing awareness of foreign interference in the democratic process. The bill would also let the State Department issue grants to nonprofits involved in election security that seek to exchange information about the issue with counterparts in other countries. Sens. Amy Klobuchar, D-Minn., and Dan Sullivan, R-Alaska, introduced […]

Here’s how the private sector wants to fight botnets

In an effort to protect the internet and its denizens from coordinated, automated cyberattacks, an industry group released an “International Anti-Botnet Guide” on Thursday. The guide offers best practices to collectively secure the digital ecosystem from botnets, the large networks of compromised computer systems that malicious cyber actors use to automate and scale destructive online activity, such as spreading malware and launching distributed denial of service (DDoS) attacks. The guide was put together by the Council to Secure the Digital Economy (CSDE), a group of trade associations that represent the technology industry, including USTelecom, the Information Technology Industry Council (ITI) and the Consumer Technology Association (CTA). At an event announcing the new guide in Washington, D.C., on Thursday, industry representatives touted the effort as a stepping stone for market self-regulation that will curb the cyber risks that organizations often face when acting alone. “The fact that our companies touch virtually every single country is proof-of-concept that we […]

Accenture: Russian hackers using Brexit talks to disguise phishing lures

A notorious Russian hacking group tried to exploit the latest flurry of Brexit-related news to spread malware to unsuspecting victims, according to a report from Accenture released Thursday. APT28, which Accenture refers to as SNAKEMACKEREL, used a malware-laced Microsoft Word document that appeared to be about the United Kingdom’s planned separation from the European Union to try to breach a wide variety of targets’ systems, researchers said. APT28 is widely believed to be the product of Russian intelligence services. Also known as Fancy Bear, Pawn Storm and other names, it’s the same group researchers have blamed for the 2016 breach of the Democratic National Committee, for leaks relating to the 2018 Winter Olympics and for the targeting of various government, political, critical infrastructure and other organizations. “Based on observed targeting by this threat group over the past few years, we assess with moderate confidence that they are likely to have targeted government, politics, think tanks and defense organizations in […]

U.S. indicts two over SamSam ransomware attacks that hit Atlanta, other cities

The Department of Justice unsealed indictments Wednesday against two Iranian men for conducting ransomware attacks against more than 200 organizations inside the United States, including municipalities, government agencies and hospitals. Prosecutors say that Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27, used SamSam ransomware to lock the victims’ systems and demand bitcoin in order to decrypt their data. Savandi and Mansouri racked up more than $6 million in ransom payments and caused more than $30 million in damages, according to the indictment issued by a grand jury in New Jersey. SamSam’s damage has been a public ordeal. The indictment includes notable cases like the attacks on the city of Atlanta, the city of Newark, the Port of San Diego, the Colorado Department of Transportation, and others. Six of the victims were health care-related organizations, prosecutors said. “Many of the victims were public agencies with missions that involve saving lives and performing other critical […]

CyberGRX raises $30 million for collaborative risk auditing service

CyberGRX, a firm that helps companies assess the risk stemming from their third-party vendors, announced on Wednesday that it raised $30 million in a Series C funding round. The Denver-based company runs an “exchange” whereby its customers, larger enterprises and the smaller firms they do business with, share data meant to help in assessing and managing cyber risk. A number of recent data breaches began with security shortfalls in a third party’s products, such as web applications or point-of-sale systems, and then spread into corporate partners’ networks. The service is akin to a credit rating agency that assesses the risk of lending money to a particular entity. The company says it “unites third parties and their customers in the fight against cyber threats,” and that their ability to mitigate supply chain risks improves as more entities join CyberGRX’s exchange. “Rather than reacting to breaches after they occur, companies need to take […]

Uber fined $1.17 million by U.K., Dutch authorities for 2016 breach

Ride-hailing company Uber drew fines totaling $1.17 million from British and Dutch authorities on Tuesday for its handling of a 2016 data breach that exposed the personal information of roughly 57 million passengers and drivers. The breach occurred in October 2016, revealing names, email addresses, phone numbers and driver’s license numbers belonging to many users. Uber paid the hackers $100,000 to keep quiet and destroy the stolen data. Customers were first notified when the company’s new CEO announced the incident a year later. The United Kingdom’s Information Commissioner’s Office, in issuing a fine of £385,000 ($491,284) on Tuesday, said that a “series of avoidable data security flaws” led to the exposure of personal data of 2.7 million riders and 82,000 drivers in the country. The Dutch Data Protection Authority also issued a fine of €600,000 ($679,257) on Tuesday, saying that the breach affected 174,000 Dutch citizens and that Uber violated the […]