Security News

There are more than 600 legitimate Microsoft subdomains that can be hijacked and abused for phishing, malware delivery and scams, researchers warned this week. Researchers at Vullnerability, a company that specializes in exploit and vulnerability alerting services, have created an automated system that scanned all the subdomains of some important Microsoft domains.

Qihoo 360, one of the most prominent cybersecurity firms, today published a new report accusing the U.S. Central Intelligence Agency to be behind an 11-year-long hacking campaign against several Chinese industries and government agencies. The claims made by the company are based on the evidential connection between tools, tactics, and procedures used by a hacking group, dubbed 'APT-C-39' against Chinese industries, and the 'Vault 7' hacking tools developed by the CIA. As you may remember, the massive collection of Vault 7 hacking tools was leaked to the public in 2017 by the whistleblower website Wikileaks, which it received from Joshua Adam Schulte, a former CIA employee who is currently facing charges for leaking classified information.

Attacks on cell phones aren't new, and researchers have previously shown that ultrasonic waves can be used to deliver a single command through the air. These waves, the researchers found, can propagate through many solid surfaces to activate voice recognition systems and - with the addition of some cheap hardware - the person initiating the attack can also hear the phone's response.

Researchers from Ben-Gurion University of the Negev's Cyber Security Research Center have found that they can trick the autopilot on an autonomous car to erroneously apply its brakes in response to "Phantom" images projected on a road or billboard. In a research paper the researchers demonstrated that autopilots and advanced driving-assistance systems in semi-autonomous or fully autonomous cars register depthless projections of objects as real objects.

These organizations must now not only defend IT infrastructures, but also manage risks caused by increased DDoS attacks on customer-facing services and applications, mobile networks, and unsecured IoT devices. "By weaponizing new attack vectors, leveraging mobile hotspots, and targeting compromised endpoint IoT devices, attackers are increasingly finding ways to infiltrate our internet-connected world. They are getting more sophisticated by using a minuscule portion of the available vulnerable devices to carry out a successful attack. The largest OpenVPN DDoS attack we observed used less than one percent of the available reflectors connected to the internet. Botmasters are waiting in the wings, since the risk will only increase in 2020 when an estimated 20.4 billion more devices are connected to the internet."

For the 2020 Webroot Threat Report, researchers analyzed samples from more than 37 billion URLs, 842 million domains, 4 billion IP addresses, 31 million active mobile apps, and 36 billion file behavior records. Surge in malware targeting Windows 7 93.6 percent of malware seen was unique to a single PC - the highest rate ever observed.

An unsecured database belonging to a French technology firm that supplies video and digital equipment to plastic surgery and dermatology clinics exposed content on 900,000 patients, according to a report from two independent security researchers. The database belongs to French tech firm NextMotion, according to Noam Rotem and Ran Locar, self-described security researchers and hacktivists, according to their blog post on the site vpnMentor.

Google has abruptly pulled over 500 Chrome extensions from its Web Store that researchers discovered were stealing browsing data and executing click fraud and malvertising after installing themselves on the computers of millions of users. Depending on which way you look at it, that's either a good result because they're no longer free to infect users, or an example of how easy it is for malicious extensions to sneak on the Web Store and stay there for years without Google noticing.

We've all shared the frustration when it comes to errors - software updates that are intended to make our applications run faster inadvertently end up doing just the opposite. These bugs, dubbed in the computer science field as performance regressions, are time-consuming to fix since locating software errors normally requires substantial human intervention.

Security researchers at the Massachusetts Institute of Technology have published a technical paper that describes several security flaws in Voatz, a smartphone app used for limited online voting during the 2018 U.S. midterm elections. In their paper, the MIT researchers note that they were unable to obtain complete information about how Voatz engineers developed the company's voting application, nor were they able to access the full backend of the company's infrastructure to investigate how the app checks and verifies identity.