iOS 13: Here are the new security and privacy features you might’ve missed


This post is by Zack Whittaker from TechCrunch


Click here to view on the original site: Original Post




In just a few weeks Apple’s new iOS 13, the thirteenth major iteration of its popular iPhone software, will be out — along with new iPhones and a new iPad version, the aptly named iPadOS. We’ve taken iOS 13 for a spin over the past few weeks — with a focus on the new security and privacy features — to see what’s new and how it all works.

Here’s what you need to know.

You’ll start to see reminders about apps that track your location

Ever wonder which apps track your location? Wonder no more. iOS 13 will periodically remind you about apps that are tracking your location in the background. Every so often it will tell you how many times an app has tracked where you’ve been in a recent period of time, along with a small map of the location points. From this screen you can “always allow”

Continue reading “iOS 13: Here are the new security and privacy features you might’ve missed”

Slack resets user passwords after 2015 data breach


This post is by Zack Whittaker from TechCrunch


Slack will reset the passwords of users it believes are affected by a historical data breach that affected the company more than four years ago.

In 2015, the company said it was hit by hackers who gained access to its user profile database, including users’ scrambled passwords. But the hackers also inserted code that scraped users’ plaintext passwords as they were entered at the time.

Slack said it was recently contacted through its bug bounty about a list of allegedly compromised Slack account passwords. The company believes the case may relate to the 2015 data breach incident.

Slack said the security incident does not apply to “the approximately 99% who joined Slack after March 2015” or those who changed their password since.

Accounts that require single sign-on through a company’s network are not affected.

The company also said it has no reason to believe accounts were compromised but


Microsoft has warned 10,000 victims of state-sponsored hacking


This post is by Zack Whittaker from TechCrunch


Microsoft said it has notified close to 10,000 people in the past year that they have been targeted by state-sponsored hackers.

The tech giant said Wednesday that the victims were either targeted or compromised by hackers working for a foreign government. In almost all cases, Microsoft said, enterprise customers were the primary targets — such as businesses and corporations. About one in ten victims are consumer personal accounts, the company said.

Microsoft said its new data, revealed at the Aspen Security Forum in Colorado, demonstrates the “significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics, or achieve other objectives.”

On top of that, the company also said it has made 781 notifications of state-sponsored attacks on organizations using its AccountGuard technology, which is designed for political campaigns, parties and government institutions.

Almost all of the attacks targeted U.S.-based organizations,


Another 2.2 million patients affected by AMCA data breach


This post is by Zack Whittaker from TechCrunch


Another clinical lab ensnared in the AMCA data breach has come forward.

Clinical Pathology Laboratories (CPL) says 2.2 million patients may have had their names, addresses, phone numbers, dates of birth, dates of service, balance information and treatment provider information stolen in the previously reported breach.

Another 34,500 patients had their credit card or banking information compromised.

The breach was limited to U.S. residents, the company said.

CPL blamed the AMCA, which it and other labs used to process payments for their patients, for not providing more details on the breach when it was disclosed in June.

“At the time of AMCA’s initial notification, AMCA did not provide CPL with enough information for CPL to identify potentially affected patients or confirm the nature of patient information potentially involved in the incident, and CPL’s investigation is on-going,” said the company in a statement.

LabCorp was first hit with 7.7


Aavgo security lapse exposed hotel bookings


This post is by Zack Whittaker from TechCrunch


A security lapse at a hotel management startup has exposed hotel bookings and guests’ personal information.

The security lapse was resolved Monday after TechCrunch reached out to Aavgo, a hospitality tech company based in San Francisco, which secured a server it had left online without a password.

The server was open for three weeks — long enough for security researcher Daniel Brown to find the database.

He shared his findings exclusively with TechCrunch, then published them.

Aavgo bills itself as a way for hotels to organize their operations by using several connected apps — one for use by guests using tablets installed in their hotel rooms for entertainment, ordering room service and checking out, and another for staff to communicate with each other, file maintenance tickets and manage housekeeping.

Several large hotel chains, including Holiday Inn Express and Zenique Hotels, use Aavgo’s technology in their properties.

The database contained daily


TrickBot malware learns how to spam, ensnares 250M email addresses


This post is by Zack Whittaker from TechCrunch


Old bot, new tricks.

TrickBot, a financially motivated malware in wide circulation, has been observed infecting victims’ computers to steal email passwords and address books to spread malicious emails from their compromised email accounts.

The TrickBot malware was first spotted in 2016 but has since developed new capabilities and techniques to spread and invade computers in an effort to grab passwords and credentials — eventually with an eye on stealing money. It’s highly adaptable and modular, allowing its creators to add in new components. In the past few months it’s adapted for tax season to try to steal tax documents for making fraudulent returns. More recently the malware gained cookie-stealing capabilities, allowing attackers to log in as their victims without needing their passwords.

With these new spamming capabilities, the malware — which researchers are calling “TrickBooster” — sends malicious emails from a victim’s account, then removes the sent messages from


T-Mobile quietly reported a sharp rise in police demands for cell tower data


This post is by Zack Whittaker from TechCrunch


T-Mobile has reported a small decline in the number of government data requests it receives, according to its latest transparency report, quietly published this week.

The third-largest cell giant in the U.S. reported 459,989 requests during 2018, down by a little over 1 percent on the year earlier. That includes an overall drop in subpoenas, court orders, and pen registers and trap and trace devices used to record incoming and outgoing callers; however, the number of search warrants issued went up by 27 percent and wiretaps increased by almost 3 percent.

The company rejected 85,201 requests, an increase of 7 percent on the year prior.

But the number of requests for historical call detail records and cell site information, which can be used to infer a subscriber’s location, has risen significantly.

For 2018, the company received 70,224 demands for historical call data, up by more than 9 percent

FEC says political campaigns can now get discounted cybersecurity help


This post is by Zack Whittaker from TechCrunch


In a long-awaited decision, the Federal Election Commission will now allow political campaigns to appoint cybersecurity helpers to protect them from cyberthreats and malicious attackers.

The FEC, which regulates political campaigns and contributions, was initially poised to block the effort under existing rules that bar federal candidates’ campaigns from receiving discounted services, because such a discount is treated as an “in-kind donation.”

For now the ruling allows just one firm, Area 1 Security, which brought the case to the FEC, to assist federal campaigns to fight disinformation campaigns and hacking efforts, both of which were prevalent during the 2016 presidential election.

Campaigns had fought in favor of the proposal, fearing a re-run of 2016 in the upcoming presidential and lawmaker elections in 2020.

FBI director Christopher Wray said in April that the recent disinformation efforts were “a dress rehearsal for the big show in 2020.”

In


It’s not just you, Twitter is down


This post is by Zack Whittaker from TechCrunch


Twitter is currently down across the web.

At about 2:50 pm ET, the desktop and mobile sites were down, displaying a “Something is technically wrong” error. The app was also not working.

At the time of writing, Twitter’s status page confirmed there was an “active incident,” adding: “We are currently investigating dependencies for Twitter data. Scope of affected APIs is undetermined at this time.”

A spokesperson for Twitter did not immediately comment.

It’s not the first time Twitter has had a hiccup in the past few weeks. The social media giant was hit by a direct message outage earlier this month. In fact, between June and July, most of the major internet companies had some form of outage, knocking themselves or other sites offline in the process.

With regards to today’s incident, we’ll have more when we get it.

‘World’s first Bluetooth hair straighteners’ can be easily hacked


This post is by Zack Whittaker from TechCrunch


Here’s a thing that should have never been a thing: Bluetooth-connected hair straighteners.

Glamoriser, a U.K. firm that bills itself as the maker of the “world’s first Bluetooth hair straighteners,” allows users to link the device to an app, which lets the owner set certain heat and style settings. The app can also be used to remotely switch off the straighteners within Bluetooth range.

Big problem, though. These straighteners can be hacked.

Security researchers at Pen Test Partners bought a pair and tested them out. They found that it was easy to send malicious Bluetooth commands within range to remotely control an owner’s straighteners.

The researchers demonstrated that they could send one of several commands over Bluetooth, such as the upper and lower temperature limit of the device — 122°F and 455°F respectively — as well as the shut-down time. Because the straighteners have no authentication, an


Apple has pushed a silent Mac update to remove hidden Zoom web server


This post is by Zack Whittaker from TechCrunch


Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

Apple said the update does not require any user interaction and is deployed automatically.

The video conferencing giant took flak from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user


What CISOs need to learn from WannaCry


This post is by Zack Whittaker from TechCrunch


In 2017 — for the first time in over a decade — a computer worm ran rampant across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the


Flaws in hospital anesthesia and respiratory devices allow remote tampering


This post is by Zack Whittaker from TechCrunch


Security researchers have found a vulnerability in a networking protocol used in popular hospital anesthesia and respiratory machines, which they say if exploited could be used to maliciously tamper with the devices.

Researchers at healthcare security firm CyberMDX said that the protocol used in the GE Aestiva and GE Aespire devices can be used to send commands if they are connected to a terminal server on the hospital network. Those commands can silence alarms, alter records — and can be abused to change the composition of aspirated gases used in both the respirator and the anesthesia devices, the researchers say.

Homeland Security is expected to release an advisory later on Tuesday.

“The devices use a proprietary protocol,” said Elad Luz, CyberMDX’s head of research. “It’s pretty straightforward to figure out the commands.”

One of those commands forces the device to use an older version of the protocol — which


Mozilla blocks spy firm DarkMatter from Firefox citing ‘significant risk’ to users


This post is by Zack Whittaker from TechCrunch


Firefox maker Mozilla said it will not trust certificates from surveillance maker DarkMatter, ending a months-long effort to be whitelisted by the popular browser.

Months earlier, the United Arab Emirates-based DarkMatter had asked Mozilla to formally trust its root certificates in the Firefox certificate store, a place in the browser reserved for certificate authorities that are trusted and approved to issue HTTPS certificates. Mozilla and other browser makers use this store to know which HTTPS certificates to trust, effectively allowing these certificate authorities to confirm a website’s identity and certify that data going to and from it is secure.

But a rogue or malicious certificate authority could allow the interception of encrypted internet traffic by faking or impersonating websites.

DarkMatter has a history of controversial and shady operations, including developing malware and spyware to be used in surveillance operations, as well as the alleged targeting of journalists critical of


Marriott to face $123 million fine by UK authorities over data breach


This post is by Zack Whittaker from TechCrunch


The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.

Marriott revealed last year that the Starwood properties it had acquired had their central reservation database hacked, exposing five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018. Marriott later pulled the hacked reservation system from its operations.

The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The breach affected about 30 million residents of the European Union, according to the ICO, which confirmed the proposed fine in a statement Tuesday.

But Marriott said it “has the right to respond” before a


The sinkhole that saved the internet


This post is by Zack Whittaker from TechCrunch


It was late afternoon on May 12, 2017. Two exhausted security researchers could barely unpack the events of what had just happened.

Marcus Hutchins and Jamie Hankins, who were working from their homes in the U.K. for Los Angeles-based cybersecurity company Kryptos Logic, had just stopped a global cyberattack dead in its tracks. Hours earlier, WannaCry ransomware began to spread like wildfire, encrypting systems and crippling businesses and transport hubs across Europe. It was the first time in a decade a computer worm began attacking computers on a massive scale. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Hours after the disruption began to break on broadcast news networks, Hutchins — who at the time was only known by his online handle @MalwareTech — became an “accidental hero” for inadvertently stopping
