Major Security Vulnerability Triggers Worldwide Internet Crisis

The Log4j code vulnerability has the media declaring the Internet in a state of crisis. Log4j is a Java-based logging framework developers use to track user activity within applications on the popular Apache web server. Security experts are rushing to patch the bug, which is being exploited to remotely assume control of vulnerable systems, stealing credentials, installing malware and launching other attacks that permeate consumer devices. Last week, the U.S. Cybersecurity and Infrastructure Security Agency issued a Log4j alert, as did Australia’s CERT emergency response team.

Biden Administration Orders Agencies to Repair Cyber Flaws

The Biden administration ordered federal agencies to patch roughly 300 cybersecurity vulnerabilities believed to expose government computer systems to potentially damaging intrusions. About 200 of the threats were discovered by cybersecurity experts between 2017 and 2020, while another 90 flaws were found in 2021. All are known to be used by malicious cyber actors, said Cybersecurity and Infrastructure Security Agency director Jen Easterly in a statement accompanying the directive. The agencies have been given two weeks to patch the 2021 threats and six months to fix the older defects.

Department of Justice Launches a Cryptocurrency Crime Unit

The U.S. Department of Justice has formed the National Cryptocurrency Enforcement Team (NCET) to investigate the use of cryptocurrency for criminal purposes. The new unit will examine cases involving virtual currency exchanges and money laundering. Members will also investigate so-called “mixing and tumbling” services, which involve charging a fee to send cryptocurrency to an address while obscuring the source of funds. The group, which includes experts from the offices of U.S. Attorneys, will also work on tracing and recovery of assets lost to fraud, hacking or ransomware extortion.

Twitch Hack Leaks App Code, Revenue from Streaming Stars

Video game streaming platform Twitch has suffered a data breach that resulted in information about the revenue earned by the biggest game streamers being leaked to online chat forum 4chan. “Find out how much your favorite streamer is really making!” the hacker wrote in a 4chan data dump labeled “part one.” The perpetrator claimed to have additional information about Twitch’s creator payouts, source code and internal security tools. Without confirming what data was taken, Twitch confirmed the breach, writing on Twitter, “Our teams are working with urgency to understand the extent of this.”

Government Pursues ‘Zero Trust’ Approach to Cybersecurity

The “zero trust” policy envisioned by President Biden in May when he signed an executive order to improve cybersecurity has begun taking shape with the release last week of a draft blueprint by the White House Office of Management and Budget (OMB). While Biden’s order covers the public and private sectors “and ultimately the American people’s security and privacy,” zero trust focuses on identifying and implementing best practices for the federal government’s digital platforms and processes. Deployment will take years of investment and effort. To help jump-start the initiative, some primers have hit the news feeds.

SEC Probe of SolarWinds Attack Concerns Corporate Execs

A Securities and Exchange Commission investigation into the 2020 Russian cyberattack on SolarWinds has corporate executives concerned over the possibility that information unearthed in the probe will expose them to liability. Companies suspected of or known to have been downloading compromised software updates from SolarWinds have received letters requesting records of all breaches since October 2019, raising fears that sensitive cyber incidents previously unreported and unrelated to SolarWinds may be revealed, providing the SEC with details that many companies may never have wanted to disclose.

Tech Firms Raid Security Flaws with ‘Bug Bounty’ Programs

In the security world, “bug bounty” programs are becoming more common, from Facebook to the Department of Defense. Hackers who can reveal the hidden vulnerabilities of a device, system or corporation can reap significant financial rewards. Apple launched its program in 2016 and offers payouts of up to $1 million for the most elusive flaws. The tech giant reportedly spent $3.7 million on such exercises in the 12-month period ending in July 2021, during which time Google shelled out $6.7 million and Microsoft spent $13.6 million. Such programs have become a valuable tool in security maintenance, putting hackers’ inquisitive natures to productive use.

Media Consortium Reveals Extent of Pegasus Spyware Reach

A consortium of media outlets dubbed the Pegasus Project found that Israeli surveillance firm NSO Group licensed its military-grade spyware Pegasus to governments that used it to hack 37 smartphones of business executives, human rights activists and journalists. Two women close to murdered Saudi journalist Jamal Khashoggi were also reportedly targeted. Amnesty International and journalism non-profit Forbidden Stories shared a list of 50,000 phone numbers that dates to 2016 and included the 37 targets. New evidence also suggests that thousands of iPhones worldwide may have been compromised.

Prominent Twitter Accounts Hacked for Cryptocurrency Fraud

On Wednesday, scammers launched one of the most audacious attacks in recent memory, posting messages from the Twitter accounts of Joe Biden, Barack Obama, Kanye West, Bill Gates and Elon Musk saying that if people sent Bitcoin, the famous person would send back double the money. The first attack targeted high-profile cryptocurrency leaders and companies, but soon broadened to include a list of prominent U.S. politicians and entertainment and tech executives. It appears that an internal Twitter account was involved in the attacks, but it has yet to be determined whether an employee was willfully complicit.

ThiefQuest Is New Ransomware and Spyware Aimed at Macs

K7 Labs malware researcher Dinesh Devadoss discovered a new form of malware aimed at Mac computers. ThiefQuest (originally dubbed EvilQuest, until researchers discovered that’s the name of a Steam game) isn’t simply ransomware but also contains spyware that allows it to exfiltrate an infected computer’s files, search it for passwords and cryptocurrency wallet data, and nab passwords and credit card numbers. Even after a computer reboots, the spyware lingers as a backdoor that could be used for a second-stage attack.

Supreme Court Will Review Computer Fraud and Abuse Act

Many cybersecurity experts believe the current anti-hacking law, the 1986 Computer Fraud and Abuse Act (CFAA), is woefully out of date and applied too broadly by prosecutors and law enforcement. The Supreme Court is now taking another look at the law with a case in which a former Georgia police officer, Nathan Van Buren, was convicted in 2017 after allegedly selling information from a police database to an acquaintance for $6,000. Stanford University law professor Jeffrey L. Fisher is the lead attorney in the case.

Exposed Database of Facebook User Data Is Found Online

More than 419 million records of Facebook users in the United States, United Kingdom and Vietnam — including Facebook IDs and user phone numbers — were recently found online (although Facebook disputes that number). The exposed server was reportedly not password-protected, which suggests the database was accessible to anyone. The server contained user data across multiple databases that could potentially enable spam calls and SIM-swapping attacks. According to Facebook, the breach involved user data collected prior to the introduction of new security measures. The company has since taken the exposed data set offline.

Apple’s 2020 iPhones to Introduce 5G and Design Updates

Industry insider Ming-Chi Kuo reported that Apple plans to introduce some significant changes in its 2020 iPhones, including 5G connectivity and design upgrades. But owners of iPhones and other iOS devices are likely concerned about the recent news that every one of the world’s current 1.4 billion iPhones and iPads can be hacked. Israel-based Cellebrite demonstrated that it can perform a “full file extraction” on any iOS device, as well as on high-end Android devices. Further, law enforcement can pay for that ability without having to send devices to Cellebrite.

Chinese, Iranian, Russian Hackers Honing Their Attack Skills

The National Security Agency and security firm FireEye recently detected extensive attacks by Iran on U.S. banks, businesses and government agencies, prompting the Department of Homeland Security to declare an emergency during the government shutdown. The attacks from Iran took place at the same time that China renewed its efforts to steal trade and military secrets from Boeing, General Electric Aviation and T-Mobile. Meanwhile, Microsoft detected a Russian government operation targeting think tanks critical of Russia.

HPA Tech Retreat: CDSA Promotes Trusted Partner Network

The Content Delivery & Security Association (CDSA), in collaboration with the Motion Picture Association of America (MPAA), is responding to next-gen threats with the Trusted Partner Network (TPN), “a voluntary process by which vendors can assess the security preparedness of their facilities, staffs and workflows against industry best practices.” CDSA executive director Guy Finley, who is also MESA president, and CDSA chairman of the board Ben Stanbury, Amazon’s chief security officer, described TPN at the HPA Tech Retreat.