• Google to pay up to $30,000 for security bugs
    Back in 2010 we created the Chrome Vulnerability Rewards Program, which provides cash rewards to researchers for finding and reporting security bugs that help keep our users safe. Over the years we've expanded the program, including rewarding full chain exploits on Chrome OS, and the Chrome Fuzzer Program, where we run researchers' fuzzers on thousands of Google cores and automatically submit bugs they find for reward. Full details can be found on our program rules page, but highlights include tripling the maximum baseline reward amount from $5,000 to $15,000 and doubling the maximum reward amount for high quality reports from $15,000 to $30,000. We've also clarified what we consider a high quality report, to help reporters get the highest possible reward, and we've updated the bug categories to better reflect the types of bugs that are reported and that we are most interested in. In other news, our friends over at the Google Play Security Reward Program have increased their rewards for remote code execution bugs from $5,000 to $20,000, theft of insecure private data from $1,000 to $3,000, and access to protected app components from $1,000 to $3,000.
  • No man’s land: How a Magecart group is running a web skimming operation from a war zone
    The setup
    Using servers hosted in battle-scarred Luhansk (also known as Lugansk), Ukraine, Magecart operators are able to operate outside the long arm of the law to conduct their web-skimming business, collecting a slew of information in addition to credit card details before it is all sent to “exfiltration gates.” Those web servers are set up to receive the stolen data so that the cards can be processed and eventually resold in underground forums. We will take you through analysis of the skimmer, exfiltration gate, and hosting servers to show how this Magecart group operates, and which measures we are taking to protect our customers.
    Skimmer analysis
    The skimmer is injected into compromised Magento sites and tries to pass itself off as Google Analytics (google-anaiytic[. It includes several additional shell scripts and perhaps skimmers as well (snif1.txt). In the next step of our analysis, we will be looking at the exfiltration gate used to send the stolen data back to the criminals.
    Panel and bulletproof hosting
    A closer look at the exfiltration gate reveals the login panel for this skimmer kit.
  • Cyber security: Half of Manx people 'risk being hacked'
    [Image caption: Creating longer and more "complex" passwords can help keep online data safer, an expert said]
    More than half of Manx people risk falling foul of online scams after admitting they use the same password for several accounts, a survey has found. The government survey revealed 53% of people used the same password for more than one account, while just 66% were confident they could protect themselves online adequately. Cyber security expert Bryan Beesley said while "everyone hates long passwords", making them more "complex" could make them harder to crack.
    [Image caption: Cyber security expert Bryan Beesley said people should update software regularly]
    He said people could also increase security by avoiding "attributable" words such as pet names and birthdays, and by using a "password manager" and two-factor authentication.
  • Someone Hacked My T-Mobile Account and T-Mobile Won’t Talk About It
    When criminals hijack your phone number you usually get a text message alerting you of some change on your account. A representative told me that someone had reported my phone stolen, and asked my line to be suspended, which is why I didn’t have service. After she asked to verify my phone’s International Mobile Equipment Identity number, or IMEI, the representative restored service on my phone. After more than an hour on the phone with two different representatives, I learned that on that day in May, someone went to a store in New Jersey and somehow convinced the employees that they were me, and got them to not only suspend the line, but to also change the address on my account to that of a house in Massachusetts (where I’ve never been nor lived), change the name displayed as my caller ID to “Doctor Avila,” and put a different number as a contact phone. “We don't want you calling that person and ultimately someone be harmed or anything like that,” the representative said. T-Mobile, like other providers, now encourages customers to set up a passcode or PIN that’s used to verify customers when they call in or go to a store.
  • Phishing scam attempts to bilk Laurentian University donors
    Luc Roy, Laurentian's Chief Information Officer, said the university has investigated. Roy is also giving assurances that over the course of the phishing attempts, the university's systems were not breached. "There's no private information stolen, there's nothing that would actually compromise the users," he said. "But the potential compromise or issue is that they could actually fall victim of a phishing attempt." Roy added that the university will soon be implementing a new authentication system to protect its faculty, staff, and students. "We have what's called a two-factor authentication, so not only will it ask you for your password, but will ask you to also authenticate yourself in some other ways," Roy said. "We give [users] options on how to do that, so that really protects us." In 2017, a Laurentian student was charged after hacking the university to demonstrate vulnerabilities in its system.
  • Researchers Easily Trick Cylance's AI-Based Antivirus Into Thinking Malware Is 'Goodware'
    One of its biggest proponents is the security firm BlackBerry Cylance, which has staked its business model on the artificial intelligence engine in its endpoint PROTECT detection system, which the company says has the ability to detect new malicious files two years before their authors even create them. The method works because Cylance’s machine-learning algorithm has a bias toward the benign file that causes it to ignore any malicious code and features in a malicious file if it also sees strings from the benign file attached to a malicious file—essentially overriding the correct conclusion the detection engine should otherwise make. They purchased a copy of the Cylance program and reverse-engineered it to figure out what features or data points the agent was looking at to determine if a file is benign or malicious, and they also studied how these features are weighed to arrive at the score the program gives each file. The Cylance system analyzes each file based on these data points, and assigns a score to the file that ranges from -1,000 to 1,000 (with -1,000 being a file with the most or worst malicious features or data points in it).
  • Cyberthreats bound to expand ahead of 2020 Games, experts warn
    Previous Olympic organizers have faced an enormous number of cyberattacks, with 500 million estimated during the 2016 Rio Games and 250 million during the 2012 London Games. Organizers faced such a threat last September when a group of hackers tried unsuccessfully to steal private information from people in the United States and Japan by emailing fake ticket offers. Toshio Nawa, executive director and senior security analyst at Tokyo-based security consultancy Cyber Defense Institute, warned that people must remain on guard for hackers who make use of a combination of virtual and real-world attacks. According to a 2018 report by think tank Rand Corp., the 2012 London Olympics was targeted by a 40-minute distributed denial of service attack on the venue’s power systems during its opening ceremony. Both Nakatani and the global policy think tank mentioned ransomware, where hackers hold an entity’s computer system or data “hostage” by encrypting the contents and then demanding money for the key, as another major threat for the Tokyo Games.
  • The Truth About Vulnerabilities in Open Source Code
    Nearly 60% of all codebases used by enterprises contain at least one vulnerability from open source components, according to the "Open Source Security and Risk Analysis" (OSSRA) report, published by Black Duck by Synopsys. As worrisome as that might sound, the reality is that whether it's proprietary code or open source code, software will inevitably have vulnerabilities. Software vulnerabilities exist because writing secure code is very difficult — which is one reason why so many companies rely on open source projects. However, using open source also requires that companies remain as diligent about updating their open source dependencies as they would be about updating their own code. Worth repeating in any conversation about open source code vulnerabilities is that the bugs are from the software libraries, not the applications themselves. Regularly looking at the list of their open source inventory is a key risk mitigation strategy for organizations, as is knowing which open source components are in different products.
  • Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C
    The infection starts with an email sent to a target, as seen in the screenshot below (Figure 1). The main payload is usually Imminent Monitor RAT; however, at the beginning of 2018, we also observed the use of LuminosityLink RAT, NetWire RAT, and NjRAT. Warzone RAT is the newer RAT from the list and supports keylogger, web browser-, and Outlook password-stealing features in addition to standard RAT functions. However, in Xpert RAT builder, we did not notice any reference to a disposable email, searches for banking website captions, or information written to the configuration file. It seems that the aforementioned Visual Basic malware is an old and limited version of the Xpert RAT — either a custom modification of Xpert RAT or a malware with source code based on Xpert RAT’s. Both projects share similarities, and it is likely that “Proyecto RAT” was the inspiration for Xpert RAT and at least a few more malware projects, including the Visual Basic malware in the campaign we previously described.
  • BEC Scams Average $301 Million Per Month In Illegal Transfers
    The frequency of business email compromise (BEC) scams has increased year over year, and so has the value of attempted thefts, reaching a monthly average of more than $300 million.
    Statistics are dire
    FinCEN's analysis describes the broader picture of BEC scams, stating that while in 2016 scammers tried to steal an average of $110 million per month, the value grew to $301 million in 2018. "In 2016, financial institutions filed nearly 6,000 BEC-related SARs with an average transaction total of $110 million per month. In 2017, the number of BEC-related SARs increased to over 11,000 with a monthly average of $241 million. In 2018, the number of BEC-related SARs rose to nearly 14,000 filings, averaging $301 million in suspicious transactions per month" - FinCEN
    Most common victims
    The organization's assessment shows that companies in the manufacturing or construction business were the most frequent targets of email account compromise attacks, accounting for 25% of the victims.