Security News > 2020 > August

Pl, has published a proof-of-concept exploit for stealing files from iOS and macOS devices via web application code that utilizes the Web Share API. The security flaw, which isn't too scary as it requires some user interaction, has not yet been repaired, though a patch is being worked on. The exploit involves getting someone to open a web page in Safari with a button that triggers the Web Share API in a way that launches the native Mail or Gmail apps.

Facebook is pushing back on new Apple privacy rules for its mobile devices - and putting app developers in the middle. Apple will soon require apps to ask users for permission to collect data on what devices they are using and to let ads follow them around on the internet.

For several years beginning around 2010, a lone teenager in Vietnam named Hieu Minh Ngo ran one of the Internet's most profitable and popular services for selling "Fullz," stolen identity records that included a consumer's name, date of birth, Social Security number and email and physical address. O'Neill said he opened the investigation into Ngo's identity theft business after reading about it in a 2011 KrebsOnSecurity story, "How Much is Your Identity Worth?" According to O'Neill, what's remarkable about Ngo is that to this day his name is virtually unknown among the pantheon of infamous convicted cybercriminals, the majority of whom were busted for trafficking in huge quantities of stolen credit cards.

A man from the African country of Ghana was recently extradited to the United States over his role in various types of cybercrime schemes that authorities say caused millions of dollars in losses. The Ghanaian, 27-year-old Maxwell Peter, was charged along with several other individuals, back in 2017, by a federal grand jury with wire fraud, computer fraud, money laundering and identity theft.

The FBI has arrested a Russian national who recently traveled to the United States and offered a $1 million bribe to an employee of a targeted company for his help in manually installing malware into the company's computer network. Egor Igorevich Kriuchkov, a 27-year-old, entered the United States as a tourist and was arrested in Los Angeles after meeting numerous times with the unnamed employee of an undisclosed Nevada-based company, between August 1 and August 21, to discuss the conspiracy.

An obvious example is for the purposes of security filtering, where a network security device or cloud service deliberately redirects known bad domains, such as malware repositories, thus heading off potentially malicious traffic right at the DNS level. Simply put, a DNS lookup for a server name that doesn't exist at all, and therefore can't be resolved, is supposed to come back with a DNS error 3, known as NXDOMAIN, short for non-existent domain.

A hacker crew targeted a luxury estate agency involved in multimillion-pound property deals by deploying malicious plugins for 3D design software Autodesk 3ds Max as part of a potential hacks-for-hire operation. "The Bitdefender investigation revealed the cybercriminal group infiltrated the company using a tainted and specially crafted plugin for Autodesk 3ds Max," the company said in a statement.

Threat actors exploited a vulnerability in the popular 3D computer graphics Autodesk software in order to launch a recent cyber-espionage attack against an international architectural and video production company. Researchers said that further analysis of the attack points to a sophisticated, APT-style group that had prior knowledge of the company's security systems and used software applications, carefully planning their attack to infiltrate the company and exfiltrate data undetected.

Application security testing company GrammaTech announced on Wednesday that it has released an open source tool designed to detect API usage errors. The tool, named SWAP Detector, was developed as part of a research project sponsored by the U.S. Department of Homeland Security and GrammaTech says it can be highly useful for DevOps application security testing.

Palantir Technologies Inc., a data-mining company with deep ties to U.S. intelligence and military agencies, has shed a good deal of its trademark secrecy about its business in filing for a Wall Street stock offering. The document indicated that Denver-based Palantir will sell stock some time this year but did not specify a date.