Security News
New research has uncovered multiple critical reverse RDP vulnerabilities in Apache Guacamole, a popular remote desktop application used by system administrators to access and manage Windows and Linux machines remotely. The reported flaws could potentially let bad actors achieve full control over the Guacamole server and intercept and control all other connected sessions.
A former Yahoo! employee who admitted to hacking into the accounts of thousands of users was sentenced last week to five years of probation. The man, Reyes Daniel Ruiz, 35, of Tracy, California, pleaded guilty in September 2019 to hacking roughly 6,000 Yahoo! accounts, looking for sexual photos and videos.
In a joint operation, European and British law enforcement agencies recently arrested hundreds of alleged drug dealers and other criminals after infiltrating a global network of an encrypted chatting app that was used to plot drug deals, money laundering, extortions, and even murders. Dubbed EncroChat, the top-secret encrypted communication app comes pre-installed on a customized Android-based handset with GPS, camera, and microphone functionality removed for anonymity and security.
Bug bounty hunting is, at heart, a competitive market, and winner-takes-all is the easiest way for a vendor to avoid the problem of two researchers covertly colluding for extra money. Most bug bounty programs have a rule under which a reasonable timeframe is agreed for fixing the bug.
Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems. White hat hackers earned a total of $280,000 for the exploits they demonstrated at the Zero Day Initiative's Pwn2Own contest in January, including $80,000 for vulnerabilities found in ICONICS's Genesis64 HMI/SCADA product.
The alleged hacker who breached the human resource databases of University of Pittsburgh Medical Center in 2014 was arrested this week in Detroit, the Department of Justice announced. The man, Justin Sean Johnson, aka "TDS" and "DS," 29, was indicted on charges of conspiracy, wire fraud and aggravated identity theft and is believed to have sold exfiltrated personally identifiable information and W-2 information on the dark web.
Citizen Lab has a new report on Dark Basin, a large hacking-for-hire company in India. Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents.
US federal authorities said they had arrested Justin Sean Johnson in Detroit, Michigan, on charges associated with the 2014 hacking of a human resources database at the University of Pittsburgh Medical Center and thrown the book at him. In a 43-count indictment returned last month and just unsealed [PDF], Johnson is charged with multiple counts of conspiracy, wire fraud, and aggravated identity theft for his alleged role in the theft of personal information associated with 65,000 employees from the medical center's PeopleSoft system.
The anti-secrecy group dubbed the release "Vault 7," and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA's history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency's techniques. The October 2017 report by the CIA's WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure.
The Department of Homeland Security and CISA ICS-CERT today issued a critical security advisory warning about over a dozen newly discovered vulnerabilities affecting billions of Internet-connected devices manufactured by many vendors across the globe. According to Israeli cybersecurity company JSOF, which discovered these flaws, the affected devices are in use across various industries, ranging from home/consumer devices to medical, healthcare, data centers, enterprises, telecom, oil, gas, nuclear, transportation, and many others across critical infrastructure.