
40.8% of smart homes have at least one device vulnerable to remote attacks, a third of them being vulnerable because of outdated software with unpatched security issues, while more than two-thirds are exposed by weak credentials. The security exposure risk is quite significant considering that roughly 40.3% of all smart households come with at least five devices connected to the Internet. As discovered by Avast, out of all devices exposed directly to the Internet, routers are the ones most targeted because they act as the central hub for all other Internet-connected electronics in smart homes. Avast says in its report that "a router that is vulnerable to attack poses a risk for the whole home, much like leaving your front door unlocked. Cybercriminals can redirect compromised routers to access exactly what they want, including phones, computers or any other connected device." "It only takes one weak device to let in a bad hacker and once they are on the network, they can access other devices, and the personal data they stream or store, including live videos and voice recordings," said Avast President Ondrej Vlcek. "Simple security steps like setting strong, unique passwords and two-factor authentication for all device access, and ensuring software patches and firmware updates are applied when available, will significantly improve digital home integrity." Complete details posted on OUR FORUM.

Financial software company Intuit discovered that tax return info was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack. A credential stuffing attack is when attackers compile usernames and passwords that were leaked in previous security breaches and use those credentials to try to gain access to accounts at other sites. This type of attack works particularly well against users who reuse the same password at every site. Intuit also states that the breach was discovered during a security review of its systems, according to the TurboTax data breach notification filed with the Office of the Vermont Attorney General. Following the discovery of the security breach, Intuit decided to temporarily disable the TurboTax accounts that were breached in the credential stuffing attack. TurboTax users who had their accounts temporarily deactivated have to contact Intuit through the company's Customer Care department and say "Security" when prompted, after which Intuit employees will walk them through an identity verification procedure designed to help them reactivate their accounts. More details can be found posted on OUR FORUM.
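The pattern described above, one source trying many leaked username/password pairs once each, is what distinguishes credential stuffing from a brute-force attack on one account, and it is visible in ordinary authentication logs. The detector below is an added example, not code from the article or from Intuit; the log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log: "<timestamp> <client-ip> <username> <OK|FAIL>".
SAMPLE_LOG = """\
2019-02-20T10:00:01 203.0.113.7 alice FAIL
2019-02-20T10:00:02 203.0.113.7 bob FAIL
2019-02-20T10:00:02 203.0.113.7 carol FAIL
2019-02-20T10:00:03 203.0.113.7 dave OK
2019-02-20T10:00:04 203.0.113.7 frank FAIL
2019-02-20T10:00:10 198.51.100.5 alice FAIL
2019-02-20T10:00:20 198.51.100.5 alice OK
2019-02-20T10:01:00 192.0.2.9 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"

def classify_sources(log_text, min_attempts=5, min_users=4, max_success_rate=0.5):
    """Label each source IP. Stuffing looks like one source trying many
    *distinct* usernames and mostly failing (each leaked pair is tried once);
    brute force is one username hammered repeatedly; anything else is normal."""
    attempts, successes, users = defaultdict(int), defaultdict(int), defaultdict(set)
    for _, ip, user, ok in parse(log_text):
        attempts[ip] += 1
        successes[ip] += int(ok)
        users[ip].add(user)
    verdicts = {}
    for ip, n in attempts.items():
        failing = successes[ip] / n <= max_success_rate
        if n >= min_attempts and failing and len(users[ip]) >= min_users:
            verdicts[ip] = "credential_stuffing"
        elif n >= min_attempts and failing and len(users[ip]) == 1:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_lock(log_text, verdicts):
    """Accounts that logged in successfully from a stuffing source: deactivate and re-verify."""
    return sorted({u for _, ip, u, ok in parse(log_text)
                   if ok and verdicts.get(ip) == "credential_stuffing"})
```

Successful logins from a flagged source are the accounts whose credentials were valid at another site too; locking and re-verifying exactly those is the response the article describes.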

New York Governor Andrew M. Cuomo stated that a number of state agencies, including the Department of State and the Department of Financial Services, will investigate the Facebook health data acquisition practices exposed by The Wall Street Journal. According to the WSJ report, 11 of the 70 most popular applications from the Apple and Google app stores are sending sensitive personal information of tens of millions of users to Facebook, even when those users weren't logged into their Facebook accounts. Governor Cuomo's press release condemns the iOS and Android apps' health data mining behavior recently uncovered by the WSJ, calling it "an outrageous abuse of privacy." However, in a statement sent by a Facebook spokesperson to The Hill, the social network says that the ones who should be under investigation are the app developers who haven't properly configured what data their apps share with the social network's mobile advertising platform. As the Facebook spokesperson said, "Sharing information across apps on your iPhone or Android device is how mobile advertising works and is industry standard practice. The issue is how apps use information for online advertising." Additionally, "We require app developers to be clear with their users about the information they are sharing with us, and we prohibit app developers from sending us sensitive data. We also take steps to detect and remove data that should not be shared with us." For more on Facebook's troubles, visit OUR FORUM.

People who visit adult websites are exposed on a daily basis to malware, phishing, and malicious spam campaigns, and premium accounts on these websites that get stolen end up on dark web markets. While adult-website visitors being targeted by threat actors is definitely nothing new, during 2018 cybercriminals increased their activity dramatically, with attacks targeting adult website credentials, for example, increasing by 300%. Users looking around the web for adult content were safer during 2018, with the number of attacks dropping by roughly 36%, from more than a million in 2017 to around 650,000 last year. However, while malware targeting adult content viewers declined in diversity, cybercriminals still managed to push out a larger number of malware samples throughout 2018. Credential-stealing attacks saw a 300% boost in numbers. According to Kaspersky Lab's year-in-review report on cyber threats targeting online adult content viewers, credential-stealing malware now focuses on a smaller number of websites, cutting the list down from Brazzers, Chaturbate, Pornhub, Myfreecams, Youporn, Wilshing, Motherless, XNXX, and XVideos to only two: PornHub and XNXX. To drop malware payloads on their targets' computers, threat actors disguised them as videos on malicious websites they control and used manipulation of search query results as the main technique for funneling victims to their first-stage infection vectors. In total, 87,227 users downloaded malware disguised as adult content in 2018, and 8% of them did so over their company's network rather than a personal Internet connection. For facts and figures visit OUR FORUM.

Microsoft's Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy and autorun Flash content without having to ask for user consent. According to the initial bug report filed by Google Project Zero's Ivan Fratric on November 26: "In Microsoft Windows, there is a file edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge." The current version of the previously secret Edge whitelist only allows Facebook to bypass the Flash click-to-play policy on its facebook.com and apps.facebook.com domains; the policy is enforced for all other domains not present on this list. In his bug report, the security researcher also highlighted the security implications of shipping a Flash autorun whitelist with a web browser, especially given the number of Flash security patches issued by Adobe almost every month. Back in November, the security researcher initially found in the whitelist the SHA-256 hashes of 58 domains on Windows 10 v1803, which he was able to crack, recovering the names of 56 sites. The choice to hash the entries added to the whitelist and the decision to keep Facebook's domains whitelisted even after this month's Patch Tuesday are two other questions that only Microsoft can answer. While Microsoft eventually partially addressed the issue reported by Fratric back in November 2018, the security researcher is still dumbfounded by Redmond's choice to use a Flash whitelist in the first place. We have the contents of the hidden whitelist posted on OUR FORUM.
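Why storing the whitelist as hashes did not keep it secret: a domain name is a public, low-entropy value, so hashing a candidate list of well-known domains and comparing recovers the entries, which is how 56 of 58 names could be obtained. The following is an added example, not Microsoft's code and not the real edgehtmlpluginpolicy.bin format; the hashing scheme (SHA-256 of the lowercase host) and the candidate list are assumptions, and the whitelist is constructed from the two domains the article names.

```python
import hashlib

def domain_hash(domain):
    """SHA-256 of the lowercase host name, hex encoded (assumed scheme)."""
    return hashlib.sha256(domain.strip().lower().encode("ascii")).hexdigest()

# Constructed whitelist: hashes of the two domains the article says remain listed.
HASHED_WHITELIST = frozenset({domain_hash("facebook.com"), domain_hash("apps.facebook.com")})

def can_autorun_flash(host, whitelist=HASHED_WHITELIST):
    """Policy check as a browser could implement it: hash the page's host and look
    it up. Exact-host matching means www.facebook.com is NOT implicitly listed."""
    return domain_hash(host) in whitelist

def recover_whitelist(hashed_whitelist, candidate_domains):
    """Recover listed names by hashing candidates and matching. The hash hides
    nothing because the input space (popular domains) is tiny and guessable."""
    return sorted(d for d in candidate_domains if domain_hash(d) in hashed_whitelist)

# Constructed candidate list; a real analyst would use a top-sites list.
CANDIDATES = ["facebook.com", "apps.facebook.com", "example.com",
              "www.facebook.com", "youtube.com", "twitter.com"]
```

The recovery step succeeds whenever the listed domains appear on a public top-sites list; only entries absent from every candidate list stay unknown, which matches the two unrecovered hashes the article mentions.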

At the Galaxy Unpacked event, the South Korean smartphone maker Samsung announced the highly anticipated foldable phone, the Galaxy Fold. The Samsung Galaxy Fold packs a large 7.3-inch Infinity Flex Display that allows the device to switch between tablet and phone mode. At the event, Samsung showed off the Galaxy Fold switching flawlessly between phone and tablet mode. The foldable device can run three apps at once, and Samsung's app continuity system will adjust these apps when you unfold or fold the device. Samsung has worked with Google and community developers to optimize apps for its foldable phone. At the event, Samsung revealed that its Galaxy Fold device is configured to work with all popular apps and even the Microsoft Office suite. The software and hardware have been optimized to work with apps like Google Maps and WhatsApp, as well as the Microsoft Office productivity suite. Microsoft Office apps have been specially adapted to work with the 7.3-inch display and can adjust the interface quickly when you move between the two form factors. Samsung's first foldable is simply called the Galaxy Fold. It has a 7.3-inch Infinity Flex screen when opened and switches to a 4.6-inch screen when folded. The resolution of the giant display is 1536 x 2152, and it reduces to 840 x 1960 when folded. The Samsung Galaxy Fold uses two batteries; while they are physically separated by the fold, the operating system treats them as one combined battery. Full details can be found on OUR FORUM.
