Security daily (11-05-2020)

Twitter will flag tweets that contradict public health officials on coronavirus

Tweets containing false information about COVID-19 will now include a label or warning that the message contradicts messaging from public health experts, the company said Monday in its latest effort to slow disinformation around the pandemic. In a blog post, Twitter’s head of site integrity, Yoel Roth, and director of public policy strategy, Nick Pickles, said that depending on the severity of the erroneous information, tweets will be accompanied by a link encouraging readers to “Get the facts about COVID-19.” More obvious examples of wrong information will be hidden entirely behind a note saying “Some or all of the content shared in this Tweet conflicts with guidance from public health experts regarding COVID-19.” Here are Twitter’s criteria for flagging specific claims. This announcement comes amid ongoing disinformation surrounding the coronavirus and its fallout. Conspiracy theorists affiliated with the pro-Trump group QAnon and Reopen America, a movement that’s used inauthentic techniques to […] The post Twitter will flag tweets that contradict public health officials on coronavirus appeared first on CyberScoop. (CyberScoop)

DHS memo: 'Significant' security risks presented by online voting

The Department of Homeland Security has told election officials and voting vendors that internet-connected voting is risky to the point that ballots returned online “could be manipulated at scale” by a malicious attacker. The advisory that DHS’s Cybersecurity and Infrastructure Security Agency sent states on Friday is perhaps the federal government’s sternest warning yet against online voting. It comes as officials weigh their options for conducting elections during a pandemic and as digital voting vendors see an opportunity to hawk their products. While the risk of election officials delivering ballots to voters via the internet can be managed, the return of those ballots by voters “faces significant security risks to the confidentiality, integrity, and availability of voted ballots,” CISA said in the guidance, which CyberScoop reviewed. “These risks can ultimately affect the tabulation and results and can occur at scale.” The guidance, which is marked “For Official Use Only” and […] The post DHS memo: 'Significant' security risks presented by online voting appeared first on CyberScoop. (CyberScoop)

Chatbooks photo service confirms breach, days after 'Shiny Hunters' hacking claims went public

A photo-printing startup is alerting its users about a data breach in which hackers stole some customers’ personal information. Chatbooks, a Utah-based company that sells albums of digital photos, told customers on May 8 it was victimized on March 26 by attackers who accessed Chatbooks login credentials, including names, email addresses and individually salted and hashed passwords, and, for some customers, phone numbers and Facebook ID data. “We’ve hired a digital forensics firm and our investigation is ongoing, but as we learn more we will continue to communicate with our community and other stakeholders,” CEO Nate Quigley wrote in an email to CyberScoop. Chatbooks appears to be just one of a growing number of international companies victimized by a hacking group which calls itself “Shiny Hunters.” The same group of scammers claimed to steal 91 million usernames and passwords from Tokopedia, an Indonesian e-commerce company, as well as the food […] The post Chatbooks photo service confirms breach, days after 'Shiny Hunters' hacking claims went public appeared first on CyberScoop. (CyberScoop)

Hacking group puts millions of Zoosk dating profiles up for sale

If you have been trying to find love on the Zoosk app, I’ve got some bad news for you. Hackers are offering for sale what they claim is the stolen account information of millions of online daters who have used the popular app. (Graham Cluley)

Chatbooks security breach. Users told to change their passwords

A hacking group known as ShinyHunters is claiming to be responsible for the security breach, and is offering to sell stolen customer records for US $3,500 via an underground web marketplace. Read more in my article on the Hot for Security blog. (Graham Cluley)

Celebrity personal data taken in ransomware attack

Ransomware crooks are apparently threatening to dump personal data for a long list of celebs including Lady Gaga, Madonna, Nicki Minaj and more. (Naked Security)

Clearview AI won’t sell vast faceprint collection to private companies

… nor to anybody, even law enforcement, in the place where privacy-oblivious biometrics companies are forced to their knees: Illinois. (Naked Security)

Microsoft opens IoT bug bounty program

Microsoft really wants to secure the Internet of Things (IoT), and it's enlisting citizen hackers' help to do it. (Naked Security)

Monday review – the hot 16 stories of the week

It's weekly roundup time! (Naked Security)

How to Gather Information on PostgreSQL Databases with Metasploit

Attacks against databases have become one of the most popular and lucrative activities for hackers recently. New data breaches seem to be popping up every week, but even with all of that attention, databases continue to be a prime target. All of these attacks have to start somewhere, and we'll be exploring a variety of methods to gather information on PostgreSQL databases with Metasploit.

PostgreSQL is an open-source relational database management system (RDBMS) that uses the SQL language, along with many other features, to handle a wide variety of data workloads. Initially developed for Unix... more (Null Byte « WonderHowTo)
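The Null Byte article above uses Metasploit's PostgreSQL scanner modules; as an added example that is not part of the original post and not the article's or Metasploit's own code, the Python below does the same first reconnaissance step by hand at the wire-protocol level. It encodes a protocol-v3 StartupMessage and parses what the server sends back before any credential is supplied: the authentication method demanded (trust, cleartext, MD5 with its salt, or SASL with the offered mechanisms), the ParameterStatus values such as server_version that a `trust` entry in pg_hba.conf leaks outright, and the SQLSTATE of an ErrorResponse (a 28000 "no pg_hba.conf entry" reply still tells you which client address, user and database combination was refused). All byte strings in the block are constructed for the example; the host, user and port in `probe()` are placeholders.

```python
import socket
import struct

PROTOCOL_V3 = 196608  # (3 << 16) | 0, the version field of a v3 StartupMessage

# Authentication request codes from the backend 'R' message
AUTH_NAMES = {
    0: "ok (trust)", 2: "kerberos-v5", 3: "cleartext-password", 5: "md5-password",
    6: "scm-credential", 7: "gss", 9: "sspi", 10: "sasl",
}


def build_startup_message(user, database=None, params=None):
    """Encode a StartupMessage: Int32 length (incl. itself), Int32 version,
    name\\0value\\0 pairs, then a single terminating \\0. There is no type byte."""
    fields = {"user": user, "database": database or user}
    fields.update(params or {})
    body = bytearray(struct.pack("!i", PROTOCOL_V3))
    for name, value in fields.items():
        body += name.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!i", len(body) + 4) + bytes(body)


def iter_backend_messages(data):
    """Split a byte stream into (type, payload) backend messages. Each backend
    message is one type byte, an Int32 length that counts itself but not the
    type byte, and the payload. Raises ValueError on a truncated message."""
    offset = 0
    while offset + 5 <= len(data):
        msg_type = chr(data[offset])
        (length,) = struct.unpack("!i", data[offset + 1:offset + 5])
        payload = data[offset + 5:offset + 1 + length]
        if len(payload) != length - 4:
            raise ValueError("truncated backend message")
        yield msg_type, payload
        offset += 1 + length


def fingerprint(stream):
    """Summarise everything the server discloses during the handshake."""
    info = {"auth": None, "sasl_mechanisms": [], "md5_salt": None,
            "parameters": {}, "error": None}
    for msg_type, payload in iter_backend_messages(stream):
        if msg_type == "R":  # AuthenticationRequest
            (code,) = struct.unpack("!i", payload[:4])
            info["auth"] = AUTH_NAMES.get(code, "unknown(%d)" % code)
            if code == 5:   # MD5Password carries a 4-byte salt
                info["md5_salt"] = payload[4:8].hex()
            elif code == 10:  # SASL carries a NUL-separated mechanism list
                info["sasl_mechanisms"] = [m.decode() for m in payload[4:].split(b"\x00") if m]
        elif msg_type == "S":  # ParameterStatus: name\0value\0
            name, value = payload.split(b"\x00")[:2]
            info["parameters"][name.decode()] = value.decode()
        elif msg_type == "E":  # ErrorResponse: (code byte + cstring)* then \0
            info["error"] = {chr(f[0]): f[1:].decode(errors="replace")
                             for f in payload.split(b"\x00") if f}
        elif msg_type == "Z":  # ReadyForQuery: handshake finished
            break
    return info


def probe(host="127.0.0.1", port=5432, user="postgres", timeout=3.0):
    """Live probe (placeholder target). Reads until a complete handshake
    parses, then sends Terminate so the server log shows a clean close."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_message(user))
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
            try:
                result = fingerprint(data)
            except ValueError:
                continue  # a message straddled the chunk boundary; keep reading
            sock.sendall(b"X" + struct.pack("!i", 4))
            return result
    return fingerprint(data)


def _msg(msg_type, payload):
    return msg_type.encode() + struct.pack("!i", len(payload) + 4) + payload


# Constructed sample streams standing in for four pg_hba.conf configurations.
TRUST_SERVER = (_msg("R", struct.pack("!i", 0))
                + _msg("S", b"server_version\x0012.2\x00")
                + _msg("S", b"server_encoding\x00UTF8\x00")
                + _msg("K", struct.pack("!ii", 1234, 5678))
                + _msg("Z", b"I"))
SCRAM_SERVER = _msg("R", struct.pack("!i", 10) + b"SCRAM-SHA-256\x00\x00")
MD5_SERVER = _msg("R", struct.pack("!i", 5) + b"\x01\x02\x03\x04")
HBA_REJECT = _msg("E", b"SFATAL\x00C28000\x00M" + b'no pg_hba.conf entry for host "10.0.0.5", '
                  b'user "postgres", database "postgres"\x00\x00')

if __name__ == "__main__":
    for name, stream in [("trust", TRUST_SERVER), ("scram", SCRAM_SERVER),
                         ("md5", MD5_SERVER), ("hba-reject", HBA_REJECT)]:
        print(name, fingerprint(stream))
```

The `trust` stream is the interesting one for a pentester: the server announces AuthenticationOk and then streams its version and encoding without ever seeing a password, which is exactly the condition Metasploit's postgres_version and postgres_login modules report. A SASL reply listing only SCRAM-SHA-256 means MD5 hash capture or pass-the-hash is off the table; an MD5 reply hands you the salt a captured response would have to be brute-forced against.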

Supercharge Your Excel Skills with This Expert-Led Bundle

We've already highlighted the importance of learning Microsoft Excel from a hacker's standpoint, but it's also just a good skill to have as you'll likely come across the number-crunching powerhouse at school and work, as well as in other areas of your life, such as budgeting.

Excel has earned its reputation as being one of the world's most versatile and ubiquitous workbook platforms due to its intuitive interface, expandable design, and easy-to-use formulas. But the tool can be used for much more than merely creating spreadsheets and sorting data. In the right hands, this platform can be a... more (Null Byte « WonderHowTo)

DEF-CON Is Cancelled... No, For Real. The In-Person Event Is Cancelled.

(News ≈ Packet Storm)

MobiFriends Data For 3.6 Million Users Gets Leaked

(News ≈ Packet Storm)

Zeus Sphinx Revamped As Coronavirus Scams Continue

(News ≈ Packet Storm)

Data Leak, Phishing Flaws Disclosed In Oracle iPlanet Web Server

(News ≈ Packet Storm)

An Undisclosed Critical Vulnerability Affects vBulletin Forums — Patch Now

If you are running an online discussion forum based on vBulletin software, make sure it has been updated to install a newly issued security patch that fixes a critical vulnerability.

Maintainers of the vBulletin project recently announced an important patch update but didn't reveal any information on the underlying security vulnerability, identified as CVE-2020-12720.

Written in PHP (The Hacker News)

7 New Flaws Affect All Thunderbolt-equipped Computers Sold in the Last 9 Years

A cybersecurity researcher today uncovered a set of 7 new unpatchable hardware vulnerabilities that affect all desktops and laptops sold in the past 9 years with Thunderbolt, or Thunderbolt-compatible USB-C ports.

Collectively dubbed 'ThunderSpy,' the vulnerabilities can be exploited in 9 realistic evil-maid attack scenarios, primarily to steal data or read/write all of the system memory of a (The Hacker News)

Astaroth’s New Evasion Tactics Make It ‘Painful to Analyze’

The infostealer has gone above and beyond in its new anti-analysis and obfuscation tactics. (Threatpost)

Unpatched Bugs in Oracle iPlanet Open Door to Info-Disclosure, Injection

CVE-2020-9315 and CVE-2020-9314 in iPlanet version 7 will not receive patches. (Threatpost)

Millions of Thunderbolt-Equipped Devices Open to ‘ThunderSpy’ Attack

If an attacker can get his hands on a Thunderbolt-equipped device for five minutes, he can launch a new data-stealing attack called "Thunderspy." (Threatpost)

Sphinx Malware Returns to Riddle U.S. Targets

The banking trojan has upgraded and is seeing a resurgence on the back of coronavirus stimulus payment themes. (Threatpost)


/security-daily/ 12-05-2020 23:44:22