Law-enforcement agencies across the world have taken aim at Dark Web denizens this week, with the takedown of a credentials marketplace as well as continued action against former users of the Webstresser.org DDoS-for-hire site.

An international law-enforcement operation has dismantled the xDedic Marketplace, a website for the illicit sale of compromised computer credentials and personally identifiable information (PII). According to the FBI on Monday, buyers could search for compromised computer credentials on xDedic by desired criteria, such as price, geographic location and operating system.

Authorities believe that the website facilitated more than $68 million in fraud over the course of its operation, with victims that span the globe and all industries, including local, state and federal government infrastructure, hospitals, 911 and emergency services, call centers, major metropolitan transit authorities, accounting and law firms, pension funds, and universities.

On January 24, seizure orders were executed against the domain names for the xDedic Marketplace, effectively sinkholing it. The FBI noted that the market operated across a widely distributed network, using the anonymity of Bitcoin transactions to hide the locations of its underlying servers and the identities of its administrators, buyers and sellers. Because the xDedic administrators strategically maintained servers all over the world, the takedown operation was undertaken by the FBI in conjunction with Europol and various country-specific agencies in Belgium, Germany and Ukraine.

Meanwhile, the U.K.’s National Crime Agency (NCA), working with law-enforcement partners from 14 countries, announced that it is actively going after the users of Webstresser.org, which was the most popular DDoS-for-hire service on the market until it was shut down last April. At its height, it had 136,000 international users, and it is believed to be behind at least 4 million cyberattacks around the world. It sold the capability to knock websites offline and take down domains for as little as $18 per month.

The NCA has subsequently gone after a number of those users; in total, the NCA and regional departments have executed eight warrants and seized more than 60 personal computers, tablets and mobile phones since November 2018, while other users have received cease-and-desist notices. A further 400 users of the service are now being targeted by the NCA and partners, the agency said.

This is the latest action in the “Operation Power Off” takedown of Webstresser.org. In April, a multi-national investigation led to the arrest of the administrators of the site. Investigators also shut down the service completely and seized its infrastructure, which was installed in the Netherlands, the U.S. and Germany.

“Cybercrime is not constricted by borders,” said Jim Stokley, deputy director of the NCA’s National Cyber Crime Unit, in a statement Monday. “The coordinated international response to this threat shows how law enforcement works around the globe to combat criminally orchestrated disruption impacting the public sector, commerce and the public.”

He added, “The action taken shows that although users think that they can hide behind usernames and cryptocurrency, these do not provide anonymity. We have already identified further suspects linked to the site, and we will continue to take action.”

Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.

Mozilla has unveiled new anti-tracking policies and redesigned privacy controls in tandem with the release of Firefox 65 on Tuesday.

The company announced a new set of redesigned controls for the Content Blocking section, where users can choose their desired level of privacy protection. These are rolling out as part of Firefox 65, released on Tuesday. These latest steps up the ante on Mozilla’s long-standing initiative toward anti-tracking measures, a goal that it originally outlined in August.

“We’ve always made privacy for our users a priority, and we saw the appetite for more privacy-focused features that protect our users’ data and put them in control,” said Nick Nguyen, vice president of Firefox Product at Mozilla, in a Tuesday post. “So, we knew it was a no-brainer for us to meet this need. It’s one of the reasons we broadened our approach to anti-tracking.”

The new Content Blocking controls enable a “standard” default setting, where users can block known trackers in Private Browsing Mode. In the future, this setting will also block third-party tracking cookies. Users can also pick from a “strict” setting that blocks all trackers known to Firefox in all windows; or a “custom” setting that enables users to pick and choose which trackers and cookies they would like to block.

In addition to the redesigned controls, Mozilla on Monday also lifted the curtain on a new “Security/ Anti-Tracking policy” that describes the online tracking practices that Mozilla believes should be blocked by default by web browsers.

“At a high level, this new policy will curtail tracking techniques that are used to build profiles of users’ browsing activity,” Steven Englehardt, privacy engineer with Mozilla, said in a post outlining the policy. “In the policy, we outline the types of tracking practices that users cannot meaningfully control. Firefox may apply technical restrictions to the parties found using each of these techniques.”

The policy breaks down the types of tracking that Mozilla plans to block or has already blocked as part of its larger anti-tracking initiative. That includes cross-site tracking with cookies, or URL parameter-based tracking. It also covers tracking via “unintended identification techniques” like browser fingerprinting, which can identify users over time, track them across websites and store data on trackers' servers to build an advertising profile of them; or supercookies, a collection of methods that involve storing tracking identifiers in areas of the browser that are not cleared when the standards-defined locations are cleared.

“The policy is in support of the anti-tracking plan we discussed here, specifically in regards to our Enhanced Tracking Protection, otherwise known as removing cross-site tracking,” a Mozilla spokesperson told Threatpost via email.

Mozilla’s Privacy Initiative

The newest privacy step stems from an announcement Mozilla made back in August regarding plans to release a slew of key initiatives aimed at anti-tracking efforts in Firefox. That includes removing cross-site tracking by stripping cookies and blocking storage access from third-party tracking content, said Nguyen in a post at the time.

“This is about more than protecting users — it’s about giving them a voice,” he said. “Some sites will continue to want user data in exchange for content, but now they will have to ask for it, a positive change for people who up until now had no idea of the value exchange they were asked to make.”

In October, Firefox then rolled out (off-by-default) enhanced tracking protection features, which give users the option to block cookies and storage access from third-party trackers. The feature will eventually be enabled by default after a “few more experiments,” Nguyen said.

Mozilla’s privacy features have been lauded by security engineers and researchers like Matthias Ott, who praised the company’s stand against tracking techniques like supercookies and browser fingerprinting.

Today, @mozilla released a new anti-tracking policy that outlines what @firefox will block by default: – third-party tracking cookies – query string tracking – browser fingerprinting – supercookies ✊ #teamFirefox #privacy #tracking https://t.co/QiIbGkDO5P
— Matthias Ott (@m_ott) January 29, 2019

Other tech giants have found that privacy is steadily becoming a top issue for consumers. Google in September, for instance, sought to clarify its data privacy initiatives after several critics panned issues in Chrome 69, including cryptographer and Johns Hopkins University professor Matthew Green, who blasted Google for what he said were questionable privacy policies. He noted that Google automatically signs users into the Chrome browser when they sign into any other Google service. The Electronic Frontier Foundation in a report issued in June decried websites participating in sneaky tracking methods like browser fingerprinting, which the organization claimed were trying to skirt privacy regulations like GDPR.

Have you ever lost your important files, like memories or official documents, accidentally or maliciously? Worse still, what if you did not have any backup of them? Unfortunate, right? We've all been there.

Just last week I formatted my computer and later found that I didn’t have any backup for some recently saved important files. It was an absolute nightmare.

We have frequently been asked, “All my files have been encrypted or deleted by malware, what should I do now? Is there any way I can recover them without paying a ransom?”

Well, whether you lose your files due to a cyber-attack, ransomware, wiper malware, or even accidentally, fortunately, some data recovery software improves your chances of recovering your deleted or lost files.

There is a lot of data recovery software available on the market that allows you to recover most of your accidentally deleted files as well as data from damaged or formatted hard drives. However, when we talk about an easy-to-use solution, I find Stellar Data Recovery Premium software an obvious first choice among file recovery software due to its efficient and straightforward interface, which also makes it an excellent choice for non-technical users.

Stellar Data Recovery Premium edition is available for Windows and macOS operating systems, including support for Windows 10 and macOS Mojave, and supports a wide range of formatted drives, including APFS, HFS+, HFS, NTFS, FAT, and exFAT. The software offers users an effortless way to recover most of their valuable lost or deleted photos, emails, videos or any other type of data from hard drives, SSDs, USB flash drives, SD cards and more.

How to Use Stellar Data Recovery Software and Its Features

It's very simple actually. All you have to do is:

1.) Download and install the application and launch it.
2.) Move to the ‘Recover Data' section and select what type of files you want to recover and from where.
3.) The software then quickly scans the selected folder or partitions for all recoverable deleted files.
4.) From there, you can select the files you are looking for and retrieve them to a folder of your choice.

That's it.

Besides file recovery, the Stellar Data Recovery software also supports an in-depth scanning feature to help users find hidden or missing partitions on a drive that might have been lost due to corruption or accidental deletion.

We prefer the Stellar Data Recovery Premium edition, as it also comes with a useful, specialized feature designed to repair corrupt or damaged videos and photographs, even when they appear distorted, split, blurred, or pixelated. The “Repair Video” and “Repair Photo” utilities can simultaneously repair multiple video or photo files in easy and simple steps, i.e. just add corrupted files and click repair.

Stellar Data Recovery Premium also comes with a “Monitor Drive” feature that has been designed to help regular users monitor the health status of their hard drives continuously and scan for bad sectors, and it even provides a simple utility to create an exact replica of a failing drive by using the Clone Disk functionality.

You can download the Windows or Mac version of the software from Stellar’s official website and, if you find it useful, simply purchase a license key to take full benefit of all the features.

If you were a buyer of any online DDoS-for-hire service, you might be in trouble.

After taking down and arresting the operators of the world's biggest DDoS-for-hire service last year, the authorities are now on the hunt for customers who bought the service that helped cyber criminals launch millions of attacks against several banks, government institutions, and the gaming industry.

Europol has announced that British police are conducting a number of live operations worldwide to track down the users of the infamous Webstresser.org service that the authorities dismantled in April 2018.

Launched in 2015, Webstresser let its customers rent the service for about £10 to launch Distributed Denial of Service (DDoS) attacks against their targets with little to no technical knowledge, which resulted in more than 4 million DDoS attacks.

According to the Europol announcement published on Monday, the agency gained access to the accounts of over 151,000 registered Webstresser users last year when it shut down the service and has now uncovered a “trove of information” against some users that could help the agency track them down.

Europol said more than 250 users of Webstresser and other DDoS-for-hire services will soon face potential prosecution for the damage they have caused.

“Size does not matter — all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol said.

In the United Kingdom, several webstresser.org users have recently been visited by the police. In the Netherlands, the police are trying to link user profiles to the identities of Dutch people, while “a Dutch user of webstresser.org has already received this alternative sanction.”

Other countries, including the United States, Belgium, Croatia, France, Germany, Greece, Denmark, Romania, Estonia, Hungary, Ireland, Switzerland, Norway, Lithuania, Portugal, Slovenia, Sweden, Australia, Colombia and Serbia, have also joined the fight against DDoS attacks. While some of these countries are focusing their actions specifically against the Webstresser users, some have intensified their activities against the users of any DDoS booter or stresser service.

“To this effect, the FBI seized last December 15 other DDoS-for-hire websites, including the relatively well known Downthem and Quantum Stresser,” Europol said. “Similarly, the Romanian police has taken measures against the administrators of 2 smaller-scale DDoS platforms and has seized digital evidence, including information about the users.”

So, users of all DDoS-for-hire services are in danger of being prosecuted.

Apple has made Group FaceTime temporarily unavailable following a major flaw discovered on Monday evening. The bug allows anyone with iOS to FaceTime other iOS users and listen in on their private conversations, without the user on the other end rejecting or accepting the call.

The bug makes use of a new function presented in FaceTime as part of iOS 12.1, called Group FaceTime. According to Apple’s System Status support page, Group FaceTime is temporarily unavailable following an issue ongoing since Monday night at 10:16 p.m.

“We’re aware of this issue and we have identified a fix that will be released in a software update later this week,” an Apple spokesperson told Threatpost.

Reports of the flaw first began to emerge on Reddit after users reported being able to hear others after FaceTiming them. In order to take advantage of the flaw, users can first start a FaceTime call with a contact who also has iOS. While the call is dialing, they can then swipe up at the bottom of the screen, which lifts the panel and gives them the option to “Add Person.” Users can then click “Add Person” and add their own phone number. This then begins a FaceTime call that includes the phone user and the audio of the outgoing call, even if the person being called hasn’t accepted the call yet.

Now you can answer for yourself on FaceTime even if they don’t answer🤒#Apple explain this.. pic.twitter.com/gr8llRKZxJ
— Benji Mobb™ (@BmManski) January 28, 2019

The “Add Person” button is a result of a new feature presented in iOS 12.1 called Group FaceTime, which was added Oct. 30th. The bug is believed to impact any pair of devices running iOS 12.1 or later, according to reports.

The privacy and security implications of such a flaw are tremendous: a person could essentially make a FaceTime call to anyone with an iOS device and listen in on their private conversations.

The discovery of the flaw led to social media backlash, and even a statement from New York Governor Andrew Cuomo urging Apple users to disable FaceTime: “The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk… In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release a fix without delay.”

Meanwhile, experts in the security space, like Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, urged iOS users to disable FaceTime until a fix becomes available.

The Facetime bug works in both iOS and MacOS, so now would be a good time to disable Facetime on everything and then pour out a 40 for the Apple security team.
— Eva (@evacide) January 29, 2019

While it’s not clear how long the privacy bug has been around, one Twitter user on Jan. 20 said in a Tweet that the bug had been discovered and reported to Apple: “My teen found a major security flaw in Apple’s new iOS. He can listen in to your iPhone/iPad without your approval.”

It’s not the first privacy-related security issue the phone giant has faced in the past year: in March 2018 Apple confirmed a privacy bug in its iPhone that allows the Siri voice assistant to read out messages from locked screens, even if the messages are hidden.

Researchers are highlighting the insecure nature of Internet of Things devices in a report released Tuesday alleging that a bevy of popular consumer connected devices sold at major retailers such as Walmart and Best Buy are riddled with security holes and privacy issues.

In analyzing 12 different IoT devices, researchers with Dark Cubed and Pepper IoT reported security failures that ranged from a lack of encryption for data in transit to missing certificate validation for encrypted communications. Dark Cubed told Threatpost that it did not reach out to the device manufacturers listed in the report before publication. Threatpost reached out separately to the makers of these IoT devices for comment and has not yet heard back.

“IoT is a fast-growing market, however what we found is not just that these companies did not catch all of the security flaws, rather we found that the manufacturers and retailers are likely not even considering security at all,” researchers said in their report, “The State of IoT Security,” published Tuesday. “This has to change today if we have any hope of being secure tomorrow.”

The researchers examined IoT devices, including smart cameras, plugs and security systems, from manufacturers iHome, Merkury, Momentum, Oco, Practecol, TP-Link, Vivitar, Wyze and Zmodo. The devices were purchased from popular retailers Walmart, Best Buy, Amazon, and Micro Center.

Readers may want to take the report with a grain of salt. The Dark Cubed and Pepper IoT report includes an unusually broad disclaimer: “This entire report was written and designed by the technical team at Dark Cubed. This report was not composed or graphically designed by a marketing or advertising firm. As such, we accept full responsibility for any typos or errors. If any of our statements or findings are found to be in error, we will swiftly correct or retract such statements after confirming the error and will be certain to publicly accept responsibility for any such errors.”

Researchers said they specifically analyzed devices’ privacy policies to understand where data is being shared; monitored traffic and communication patterns; collected full packet data for manual reviews of communications; and performed analyses of devices’ companion Android applications.

Security Issues

Researchers allege that several of the devices they looked at were designed on platforms that either do not fully utilize encryption for the transmission of information or would allow anyone to bypass the encryption due to poor implementation.

For instance, researchers assert that the Merkury devices they reviewed did not encrypt traffic on the network, giving researchers full visibility of the names of the queues used by each device, as well as the username and password necessary to access those queues.

(Image caption: The IoT devices tested in the “State of IoT Security” report)

Connected devices from Guardzilla and Zmodo did not check whether the certificates used for encrypted communications were valid. Guardzilla devices contained default hardcoded passwords, according to the researchers.

“We are certainly concerned about the devices themselves, however we strongly suspect that the security issues we found are representative of the fact that these companies have not considered security important enough to even conduct a single security review of these devices,” researchers wrote.

These types of design flaws have dangerous implications. In fact, of the nine IoT manufacturers analyzed, six of them allegedly featured devices that were vulnerable to man-in-the-middle attacks, where data transmitted between two parties can be intercepted and manipulated.

Not all products were rendered insecure. In fact, researchers stressed that the iHome Smart Outlet, the Momentum Axel Camera, and the TP-Link Kasa Smart Outlet were all “well developed, secure, and straightforward devices with no identified communications of concern.”

Privacy Flaws

The privacy of data collected and transmitted between the IoT devices and their companion applications was another cause for concern highlighted by researchers. For instance, the Merkury lightbulb does very little: this IoT device only turns the lights on and off. Its companion app, however, reportedly requires “a significant number of permissions such as knowing your location at all times, recording audio, and reading and writing to external storage on your phone,” researchers said. The Merkury app also features hard-coded links to 40 third-party websites within the application code, including both U.S. and China-based entities such as Alibaba, Taobao, QQ, Facebook, Twitter, and Weibo, presumably for advertising purposes, researchers reported.

“Many of the applications required or at least requested location permissions in order to use the app,” Vince Crisler, CEO of Dark Cubed, told Threatpost. “For example, the Android application with the Merkury lightbulb requires location permissions to even function. And the application was observed sending data to servers in China, but we aren’t clear on what information was being sent due to encryption.”

In the case of the home security cameras made by Zmodo, researchers were able to observe communication to and from the camera, including images, video, birthdates, e-mail addresses and phone numbers. While examining smart outlets and lightbulbs made by Merkury, researchers were able to observe all actions taken to turn devices on and off.

Privacy policies were another concern: According to researchers, companies such as Merkury and Vivitar had “overly broad and non-restrictive” privacy policies.

Pepper IoT researchers stressed that these issues are systemic and cannot be fixed merely by patching. “While companies can undoubtedly patch their devices to fix many of the issues we found, the problem is much more severe: many product companies do not care about security and only act when outsiders find issues,” they said. “This reactive approach does not work, security must be proactive.”

The Future of IoT

While issues have persisted for years, IoT security was thrust into the spotlight when the 2016 Mirai botnet mounted a distributed denial of service (DDoS) attack through 300,000 vulnerable IoT devices. More recently, potential attack vectors are proliferating. For instance, Google Home devices, smart plugs and smart padlocks have all recently been in the spotlight for security flaws.

Researchers point out that IoT security issues are only getting worse, not better. In the first half of 2018, researchers at Kaspersky Lab said they picked up three times as many malware samples targeting IoT devices as they did for the entirety of 2017.

An internet of things bill that would mandate unique passwords for connected devices was approved in September by the California state legislature. The bill (SB-327) requires “reasonable security feature or features that are appropriate to the nature and function of the device”; however, researchers say more needs to be done to regulate and control IoT security.
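The report's finding that Guardzilla and Zmodo devices did not check whether certificates were valid is the textbook precondition for the man-in-the-middle exposure the researchers describe: TLS is negotiated, but any on-path party presenting any certificate is accepted. The following Python snippet is an added example, not code from the report or from any vendor named in it. It shows the weak client-side TLS configuration pattern beside a hardened one, using only the standard-library ssl module, together with an audit helper that returns the findings a pre-release security review would raise for a given context. The function names and the ca_bundle parameter are this example's own.

```python
import ssl
from typing import List, Optional

# Added example (not from the Dark Cubed/Pepper IoT report): the "encryption
# without validation" anti-pattern beside a hardened client context, plus an
# audit routine a reviewer can point at any ssl.SSLContext a companion app or
# device firmware constructs.


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern the report describes: TLS is used, but the peer's
    certificate chain is never validated and the hostname is never matched,
    so an on-path party holding any certificate can impersonate the cloud
    service and read or alter the device's traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: check_hostname must be disabled before verify_mode can
    # be lowered to CERT_NONE, which is exactly why both end up switched off
    # together in sloppy client code.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against a trust store (the platform store, or a
    pinned bundle shipped with the firmware) and match the hostname.
    create_default_context() already sets CERT_REQUIRED and check_hostname;
    the explicit protocol floor keeps legacy TLS versions out."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a security review would raise for this context.
    An empty list means the context validates chains, checks hostnames and
    refuses pre-1.2 protocol versions."""
    findings: List[str] = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate chain is not validated (CERT_NONE)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, "->", audit_context(ctx) or ["no findings"])
```

The audit deliberately inspects configuration rather than attempting a live connection, so it can run in a build pipeline with no network; the same three properties (chain validation, hostname matching, protocol floor) are what a packet-level review of the kind the researchers performed would otherwise have to infer from captured handshakes.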
