SSD Advisory – iOS/macOS Kernel task_inspect Information Leak

Credit to Author: SSD / Ori Nimron| Date: Mon, 17 Dec 2018 07:02:28 +0000

Vulnerabilities Summary The following advisory discusses a bug found in the kernel function task_inspect which a local user may exploit in order to read kernel memory due to an uninitialized variable. Vendor Response “Kernel: Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation Impact: A local user may be … Continue reading SSD Advisory – iOS/macOS Kernel task_inspect Information Leak

Read more

Spammed Bomb Threat Hoax Demands Bitcoin

Credit to Author: BrianKrebs| Date: Thu, 13 Dec 2018 20:24:32 +0000

A new email extortion scam is making the rounds, threatening that someone has planted bombs within the recipient’s building that will be detonated unless a hefty bitcoin ransom is paid by the end of the business day.

Read more

Android security audit: An easy-to-follow annual checklist

Credit to Author: JR Raphael| Date: Wed, 12 Dec 2018 13:35:00 -0800

Android security is always a hot topic on these here Nets of Inter — and almost always for the wrong reason.

As we’ve discussed ad nauseam over the years, most of the missives you read about this-or-that super-scary malware/virus/brain-eating-boogie-monster are overly sensationalized accounts tied to theoretical threats with practically zero chance of actually affecting you in the real world. If you look closely, in fact, you’ll start to notice that the vast majority of those stories stem from companies that — gasp! — make their money selling malware protection programs for Android phones. (Pure coincidence, right?)

To read this article in full, please click here

Read more

Scanning for Flaws, Scoring for Security

Credit to Author: BrianKrebs| Date: Wed, 12 Dec 2018 19:25:14 +0000

Is it fair to judge an organization’s information security posture simply by looking at its Internet-facing assets for weaknesses commonly sought after and exploited by attackers, such as outdated software or accidentally exposed data and devices? Fair or not, a number of nascent efforts are using just such an approach to derive security scores for companies and entire industries. What’s remarkable is how many organizations don’t make an effort to view their public online assets as the rest of the world sees them — until it’s too late.

Read more

Google Smart Lock: The complete guide

Credit to Author: JR Raphael| Date: Wed, 12 Dec 2018 03:00:00 -0800

Think fast: How many times a day do you pick up your phone to look at something? Unless you live in the tundra or have far more self-control than most, the answer probably falls somewhere between “quite a few” and “more than any sane person could count.” Assuming you keep your device properly secured, that means you’re doing an awful lot of unlocking — be it with your face, your fingerprint, or the code you tap or swipe onto your screen.

And that’s to say nothing of the number of times you type your password into your laptop or enter your credentials into an app or website during the day. Security’s important, but goodness gracious, it can be a real hassle.

To read this article in full, please click here

Read more

Patch Tuesday, December 2018 Edition

Credit to Author: BrianKrebs| Date: Tue, 11 Dec 2018 21:05:41 +0000

Adobe and Microsoft each released updates today to tackle critical security weaknesses in their software. Microsoft’s December patch batch is relatively light, addressing more than three dozen vulnerabilities in Windows and related applications. Adobe has issued security fixes for its Acrobat and PDF Reader products, and has a patch for yet another zero-day flaw in Flash Player that is already being exploited in the wild.

Read more

And that was actually the CLEAN version!

Credit to Author: Sharky| Date: Tue, 11 Dec 2018 03:00:00 -0800

It’s more than a few years back, and this oilfield services company is implementing a new email filter, says a pilot fish working there.

“It was part of an email security product,” fish says. “The filter could identify emails containing language that was not considered business appropriate.

“We’d had HR incidents involving inappropriate language in the past, especially from field hands emailing to office staff — it gave a new meaning to ‘crude oil workers’ — so it was decided we should enable the feature with its default settings and give it a run.

“Only a few hours later we received an alert that a message had been identified with inappropriate language.

To read this article in full, please click here

Read more

How Internet Savvy are Your Leaders?

Credit to Author: BrianKrebs| Date: Mon, 10 Dec 2018 20:40:05 +0000

Back in April 2015, I tweeted about receiving a letter via snail mail suggesting the search engine rankings for a domain registered in my name would suffer if I didn’t pay a bill for some kind of dubious-looking service I’d never heard of. But it wasn’t until the past week that it become clear how many organizations — including towns, cities and political campaigns — actually have fallen for this brazen scam.

Read more

Innovative anti-phishing app comes to iPhones

Credit to Author: Jonny Evans| Date: Mon, 10 Dec 2018 08:01:00 -0800

We’re always told never to click on a link we receive in an email in case doing so takes us to some dodgy phishing site where our account details are violated, but what if our email app warned us before we clicked malicious links?

Can this app offer you protection?

MetaCert isn’t fully available yet, but it does seem to be a promising solution that provides email users in enterprise and consumer markets an additional line of defence against clicking on malicious links received in email messages.

The solution emerged from the developer’s earlier work building an API to help app developers add a layer of security to WebView.

To read this article in full, please click here

Read more

Forbidden names, revisited

Credit to Author: Sharky| Date: Mon, 10 Dec 2018 03:00:00 -0800

Flashback a few decades to the glory days of online service CompuServe, when anyone could get an account — but not everyone could use their real names, according to a pilot fish in the know.

“You logged in with your account number, but to join a forum — a chatroom focused on a specific topic — you had to give a real name,” fish says. “The name on your billing record was the default.

“Of course there were fraudsters who used an official-sounding name to phish people for personal info and credit card data. So users were not allowed to have words like ‘billing’ as any part of their in-forum real name. This could only be overridden by the forum sysop. I was one.

To read this article in full, please click here

Read more

Bomb Threat Hoaxer, DDos Boss Gets 3 Years

Credit to Author: BrianKrebs| Date: Sat, 08 Dec 2018 01:38:49 +0000

The alleged ringleader of a gang of cyber hooligans that made bomb threats against hundreds of schools and launched debilitating denial-of-service attacks against Web sites (including KrebsOnSecurity on multiple occasions) has been sentenced to three years in a U.K. prison, and faces the possibility of additional charges from U.S.-based law enforcement officials. 

Read more