Joomla patches privilege elevation, account creation vulnerability

Joomla has patched a pair of vulnerabilities in its CMS platforms that if left unfixed would allow attackers to create admin accounts and elevate privileges, respectively.

Report: Mobile hacking firm Cellebrite's firmware made available to public by reseller

Israeli mobile forensics firm Celebrate could have some of their methods exposed after a reseller partner reportedly made the company's firmware and software publicly available to download.

Treating teen hackers like addicts could curb cybercrime

A recent study found that law enforcement may be able to deter teen cybercrime by treating hackers like addicts.

Thai computer crime law criticized for imposing criminal penalties on ISPs

Thai telecommunication companies are bristling at a proposed law that would criminally punish ISPs for computer crimes perpetrated by their users, and place the burden of proof on these providers to defend themselves.

Silver Creek Fitness & Physical Therapy patient info compromised

Silver Creek Fitness & Physical Therapy suffered a data breach through a third-part contractor that exposed their clients personally identifiable information to include Social Security and Medicare numbers.

Near-death experience: Hicurdismos tech support scam mimics Microsoft Blue Screen of Death

Microsoft on Friday warned of a malware threat called Hicurdismos that simulates the infamous Windows Blue Screen of Death as part of a tech support scam.

U.S. vigilante hacker takes over Russian Foreign Ministry site

A self-described patriotic American vigilante hacker named Jester reportedly took over the Russian Ministry of Foreign Affairs website on Friday in retaliation for alleged Russian cyberattacks on the United States.

NSA's Martin allegedly stole 50TB of data, boxes of documents and computers

U.S. federal prosecutors reportedly will charge former National Security Agency (NSA) staffer Harold Martin III not only removed 50 terabytes of data from NSA servers, but also removed "six full banker's boxes" of documents along with a host of computer hardware, according to published reports.

In a BIND: Third parties distributed outdated, vulnerable ISC Domain Name System software

The Internet Systems Consortium issued an advisory on Wednesday, warning that some third parties are distributing versions of ISC's BIND software that contain a high-severity vulnerability, which if exploited can trigger an assertion failure.

Mozilla patches two Firefox vulnerabilities

Mozilla pushed out two security patches for Firefox on Oct. 20 rated as potentially having a high impact on users of the popular browser.

Yahoo asks feds to declassify surveillance demand

Yahoo sent a letter to U.S. Director of National Intelligence James Clapper with a request to clear up the matter of whether Yahoo cooperated in a government request to scan its users' emails.

Russian arrested by Czech officials allegedly tied to 2012 LinkedIn hack

The Russian man that Czech authorities arrested on Oct. 5 in collaboration with the FBI is allegedly connected to the 2012 breach of LinkedIn.

Cisco releases five security patches

Cisco released security updates for several products, one of which fixes a flaw that could allow remote execution if exploited.

U.S. Officials claim U.S. election safe from Russian email hacks - for now

Officials are confident that defensive measures have blocked the cyber paths that Russian hackers have been using to steal emails.

"The cyber" security of Trump's emails isn't that secure

An independent researcher found gaping holes GOP presidential nominee Donald Trump's own email servers.

Geaux phishing: LSU students, faculty targeted in coordinated attack

Security pros at the school noticed an uptick in phishing attacks two weeks ago.

Poor password and username management leaves many home routers vulnerable

About 15 percent of all home routers are unsecure, according to a study recently released by ESET.

Stingrays disproportionately affect low-income/minority neighborhoods, report

The use of Stingray phone tracking technology is sweeping up a disproportionate number of low income and non-white citizens.

Czech police nab Russian suspected of hacking U.S. targets

The Police of the Czech Republic on Tuesday announced the arrest of an unnamed Russian citizen suspected of hacking U.S.-based targets.

On heels of exploding phone recall, NFC flaw lets attackers intercept Samsung Pay data

An independent research has found a second vulnerability in Samsung Pay that could allow attackers to intercept payment data.

Nearly 6K e-commerce sites hacked, including GOP group

Hackers exploited security vulnerabilities and weak passwords to burrow their way into a number of e-commerce sites, including that of the National Republican Senatorial Committee.

Report: Unprecedented warrant compels all occupants in residence to unlock phones with fingerprints

Federal law enforcement officials last May served a California residence with a warrant requiring any occupants on premises to use their fingerprints or thumbprints to open up their phone for investigators, reported Forbes on Sunday.

The Shadow Brokers drop auction, now asking for 10K bitcoins for NSA hacking tools

The Shadow Brokers is finding that its claim to have stolen the National Security Agency's (NSA) hacking tools is a tough sell with the hacking group being forced to change its sale methodology.

Researcher pressured to limit big reveal of Big Blue flaw

An Italian researcher who discovered a bug in IBM WebSphere and then worked with the company for two months on fixing the flaw, had his research censored by Big Blue.

Bluetooth POS skimmers hitting the wild

Some cybercriminals are updating their payment card skimmer devices to Bluetooth, enabling them to steal data in real time using nothing more than a smartphone.

An unadulterated scam: Adult video ruse compromises European Facebook users

An adult video scam that was discovered infecting Russian Facebook users back in April is now targeting Europeans, Kaspersky Lab reported via its Securelist blog.

Facebook bug bounty program doles out $5M in five years

Marking the fifth anniversary of its bug bounty program, Facebook this week announced that it has paid out more than $5 million since the initiative's inception in 2011.

Android trojan requests selfie after you've handed data over

Researchers have spotted a clever trojan designed to take advantage of both a person's vanity and new security verification methods now being introduced.

Blockchain hit with DNS attack, a popular Bitcoin wallet provider, was knocked offline for seven hours on Thursday after a domain name system (DNS) attack.

SMBs victims of phishing attacks 5x more than ransomware

Despite a glut of research into new ransomware families, low-tech threats like phishing attacks and viruses pose a more prevalent threat to small businesses than ransomware.

IAEA director: cyberattack against a nuclear power plant occurred years ago

International Atomic Energy Agency's (IAEA) director Yukiya Amano said there was a successful cyberattack of a nuclear power plant two to three years ago.

Tool monitoring minorities banned from Facebook, Twitter, Instagram

Police monitoring activists profiled by color will no longer be able to mine data on Facebook, Twitter or Instagram using a tool from Geofeedia.

Potter County, Texas voter website hacked

Potter County officials in Texas are assuring users that their voter information website is safe after learning that hackers gained access to it.

Malware behind payment card breach at University of Central Florida

A malware infection is to blame for a payment card data breach affecting at least 230 University of Central Florida students, according to Orlando, Florida NBC affiliate WESH, citing school officials.

US-CERT issues warning over potential Hurricane Matthew scams

Cyber scammers are out looking to make a buck using Hurricane Matthew as a lure, according to US-CERT.

Cyber cartels launder money via gamer currencies

Trend Micro researchers found that cybercriminals are using video game currency to launder real world money.

Cerber 4.0 spotted in EKs just a month after 3.0 release

Trend Micro researchers have spotted several exploit kits delivering Cerber 4.0 ransomware just a month after the release of version 3.

Matrix SSL patched for heap overflow and other bugs

Heap overflow, out-of-bounds read and unallocated memory free operation vulnerabilities were addressed with a patch.

Browser hijacker Youndoo switches victims to new Chrome profile

The browser hijacker Youndoo is now adding an extra Chrome profile to victims' machines, copying settings from users' current profiles so they don't notice the difference when their settings are switched, according to Malwarebytes.

Backdoor threatens Diffie-Hillman encryption used in hundreds of millions of messages

Researchers have found a way to place backdoors in the cryptographic keys that protect websites, virtual private networks and internet servers.

Clinton Foundation donors targeted in phishing scheme

The Clinton Foundation is again being discussed in cybersecurity circles, but this time it is phishing emails aimed at donors and not hacks that is .

Consumer cybersecurity concerns cost U.K. economy billions, study

New study found UK consumers use fewer mobile apps out of cybersecurity concerns.

Remote switch-on enlists Mac webcams as spies

Without users noticing, a new attack enables malware to switch on Apple webcams.

Google repairs 78 Android vulnerabilities, seven critical

Google this week made available patches addressing 78 vulnerabilities, including seven critical flaws, the most severe of which could enable kernel-level remote code execution, resulting in a total device takeover.

Microsoft fix-it script addresses Windows 10 Anniversary installation issues

Users had complained Windows 10 Anniversary wouldn't install on their computers.

NIST study warns of security fatigue among users

Most web users are overwhelmed with warning of online threats and suffer from "security fatigue," according to the National Institute of Standards and Technology (NIST).

BuzzFeed hacked by OurMine

Following its exposé accusing OurMine of web defacements, the website BuzzFeed was itself hit.

WordPress site hack highlights emerging 'Windows keys' redirect scam

Researchers at Sucuri are monitoring a rise in website compromises in which visitors are redirected to domains that offer to sell Windows product keys.

Oil 'slick': Sneaky OilRig malware campaign flows into new territory

A backdoor malware campaign dubbed OilRig that in May was discovered targeting organizations in Saudi Arabia is now trying to drill into government entities in Turkey, Israel and the U.S., as well as Qatari companies and organizations.

MasterCard debuts biometric app for online shopping

MasterCard on Wednesday rolled out Identity Check Mobile, a new app that allows cardholders to pay for online purchases using biometrics to authenticate their identity.

SANS calls for admins to secure IoT devices as manufacturers drag feet

SANS Institute researchers are calling on system admins to do their part in securing connected devices.

Spotify serving malicious ads to freemium users

Several Spotify users are reporting that the streaming music service is serving malware to its users through its advertiser network.

Facebook Messenger caught up to WhatApp security with opt-in encryption

Facebook Messenger quietly added the opt-in option to use encrypted messages in its latest update.

ALERT: Yahoo scanned all arriving customer email at gov't intel's behest, Reuters

Reuters is reporting that Yahoo complied with a government request for information by scanning Yahoo Mail accounts via custom-built software.

Al Jazeera game simulates journalists' risky role in Syrian cyber conflict

Al Jazeera has launched a new mobile game #Hacked - Syria's Electronic Armies, in which the player assumes the role of an investigative journalist tasked with discovering the identities of pro-Syrian government hackers.

No takers for stolen NSA tools, Shadow Brokers rant

The Shadow Brokers Saturday posted a rant to voice their discontent over the lack of bids for the stolen goods.

General says U.S. soldiers need better cyber training

The U.S. Army must begin training its soldiers to endure and then continue to fight after suffering a cyberattack on the battlefield.

Apple pushing out OS update automatically

Apple is pushing out its new macOS Sierra as an automatic download.

Google Chrome update corrects use-after-free vulnerability

Google last week announced the impending rollout of Chrome version 53.0.2785.143, which addresses three security issues affecting the Windows, Mac and Linux operating systems.

DressCode spotted in 3K Android apps, 400 in Google Play

DressCode malware spotted in thousands of apps and could pose a serious threat to enterprise networks.

Vast majority of Americans unsettled about data breaches

A new study found significant concerns around data breaches among 1,200 American survey participants.

Privacy orgs file brief against U.S., allies on bulk surveillance

A coalition of privacy organizations are suing the United States and its allies for involvement in a bulk data collection program, which they say violates the European Convention on Human Rights.

Zerodium offering $1.5 million for a Apple iOS 10 remote jailbreak

The security firm Zerodium announced an increase in bounty prices for zero-day exploits with the top prize now being $1.5 million for and Apple iOS 10 remote jailbreak, a $1 million increase.

Brad Pitt suicide scare used to steal Facebook user credentials

Proving there are few roads too low for a hacker to travel, a new Facebook scam has arisen spinning off the false reports that actor and former Angelina Jolie husband Brad Pitt committed suicide.

Popular Russian boxing website compromised

A cybercriminal could be risking a serious beating by compromising the popular Russian boxing site allboxing[.]ru with a redirect to a third-party site containing a Russian banking trojan.

Tech big dogs enrolling in Privacy Shield

Google and Dropbox are the latest U.S. tech giants to register with the Privacy Shield.

Cybercrime Blotter: Syrian Electronic Army hacker pleads guilty to hacking news sites and extortion

A hacker who was associated with the Syrian Electronic Army (SEA) pleaded guilty to conspiring to receive extortion proceeds and conspiring to unlawfully access computers.

SC Video: Cybereason CISO Israel Barak

SC Magazine Senior Reporter Jeremy Seth Davis discusses commodity malware with Cybereason CISO Israel Barak.

Russians suspected of cybercampaign against journalism site

A UK-based investigative journalism site has come under cyberattack, purportedly from Russia, for its articles critical of Russia's involvement in the shooting down of Malaysian Airlines Flight 17 and corruption.

FBI: Hackers sniffing around voter registration databases

FBI Director James Comey told the House Judiciary Committee on Wednesday that his agency has spotted outside entities attempting to hack voter registration sites in several states.

Cybercrime Blotter: Majerczyk pleads guilty to hacking celeb email accounts

Edward Majerczyk on September 27 pleaded guilty in a Chicago court to one count of unauthorized access to a protected computer to obtain information bringing to a close a case dubbed Celebgate.

Tesla security updates includes code signing feature

Tesla has releases a major firmware update in response to a video posted by a group of Chinese researchers that displayed a series of vulnerabilities the electric car company's vehicles.

Rep. Lieu questions federal CISO on cybersecurity plans

Rep. Ted Lieu (D-Calif.) quizzed newly appointed federal CIO Gen. Greg Touhill on why the General Accounting Office's cybersecurity recommendations have not implemented.

EFF slams HP for using security patch to thwart third-party ink purchases

The Electronic Frontier Foundation (EFF) is criticizing HP for using a security update to also install a function that when recognizing a non-HP printer cartridge triggers a printer to shut down.

How to sell RaaS: Petya and Mischa marketing tactics

Avast researchers examined some of the marketing tactics used by Janus Cybercrime Solution, the cybergang behind the Petya and Mischa

OpenSSL update creates new critical flaw

OpenSSL Project released a critical patch for a new flaw created as a result of a recent update to the cryptography library.

Android.Xiny trojan receives upgrade

A new version of the Andoid.Xiny trojan that can now root a device to gain admin privileges and that is harder to uninstall has been spotted by security researchers.

Voldemort ransomware rears its ugly head

Death Eaters, or perhaps just bad guys, with a taste for the Harry Potters franchise have unleashed a new strain of ransomware they've dubbed Voldemort, named for the villain of the book and movie series.

MarsJoke ransomware distributed via Kelihos, targets U.S. state, fed gov't agencies

A large-scale email campaign was spotted distributing a new ransomware variant called MarsJoke.

Former NSA Deputy Director pans Snowden film

"Not because it was revealing a truth that I want to put away, but because I was in a constant state of wonder about the misappropriation of the truth."

Cross border computer probes gets nod in Switzerland

The Swiss intelligence service received permission to begin tapping phones and monitoring emails following a vote in the nation's parliament and approval by a public referendum.

RTCA airline recs aim to strengthen aviation cybersecurity

A technical committee that provides guidance to the Federal Aviation Administration has reportedly developed drafting recommendations for strengthening the aviation industry's cybersecurity posture.

Discover Financial Services reports three data breaches to California AG

For the second time this year, Discover Financial Services reported a set of data breaches on the same day to the California Attorney General's Office.

Cybercrime Blotter: Romanian national gets 3 years for bank fraud

A Romanian national was sentenced to three years behind bars for stealing more than $900,000 from a variety of U.S, banks and financial institutions.

Hotel operation run by Donald Trump settles breach suit with $500K fine

In a settlement, the hotel chain operated by Republican presidential candidate Donald Trump will fork over $500K in fines and improve the security of its computer network.

Forensics firm says iOS 10 skips certain security authentications

A Russian mobile forensics company says the iPhone's most recent operating system has weaker password protection for manual iTunes backups than earlier operating systems.

Malware evades researchers' VM environments by looking up their Word doc history

One of the techniques malware can use to evade researchers' virtualized or sandbox environments is accessing recent documents to determine if the infected machine has a history of legitimate usage.

Cyber space wars may require new international regimes

While it might not include the Death Star cyber warfare among the stars is almost inevitable.

Cybercrime blotter: Kosovo native sentenced to 20 years for providing aid to ISIS

Kosovo native Ardit Ferizi was sentenced in federal court in Alexandria, Va. after pleading guilty to providing aid to the Islamic State.

Air Force reports making progess on cybersecurity without additional funding

The Air Force is reporting progress in its mission to secure its weapons against cyberattacks.

Rep. Johnson introduces bill designed to deter electoral hacking

A new bill before Congress would require that all voting machines leave a traceable paper trail and require a secure connection to the web for vote-tabulating machines to prevent electoral tampering.

Krebs website withstands historically large DDoS attack; enormous botnet suspected

Cybersecurity blog site KrebsOnSecurity was barraged Tuesday evening by an extraordinary DDoS attack boasting a bandwidth between 620 and 665 Gbps - one of the largest such attacks in history.

Drupal patches two critical vulnerabilities

The Drupal Security Team issued updates for a pair of critical flaws, one allowing remote code execution and another giving access to parts of the system without full administrative permissions.

Clapper: Russia has a long history of trying to interfere with elections

Director of National Intelligence James Clapper said there have been previous instances of Russian attempts to influence U.S. elections going back to the 1960s.

iSpy keylogger can be leased for the low, low price of $25

A new commercial keylogger nicknamed iSpy that is capable of snatching every keystroke and fully examining the data on an infected computer has been spotted by Zscaler being sold on underground forums for as little as $25.

North Korea has only 28 registered domains, leak shows

Security engineer Matt Bryant posted details of North Korea's registered domains after a misconfigured nameserver revealed details.

Google Play again used to host malware-laden apps; this time, Overseer

Google Play continues to be a playground for cybercriminals with Google recently having to remove four apps from the store because they were distributing a new form of malware dubbed Overseer.

HDDCryptor ransomware uses legit, off the shelf software

HDDCryptor is a ransomware variant with a couple of new twists added that makes it an effective tool for cybercriminals, a Trend Micro study found.

Following hacks, State Democrats warned Wikileaks may be a source of infection

The Association of State Democratic Chairs sent an email to its members advising them to avoid Wikileaks as a precaution against malware infection, especially after several state officials had their accounts hacked, Politico reported.

House plans vote on bill to improve small business cyber preparedness

The U.S. House of Representatives plans a vote on legislation that would task the SBA with assisting small businesses in improving preparedness against cyber threats.


Sign up to our newsletters