Author: Zack Whittaker

Most of the Fortune 100 still use flawed software that led to the Equifax breach

Almost two years after Equifax’s massive hack, the majority of Fortune 500 companies still aren’t learning the lessons of using vulnerable software. In the last six months of 2018, two-thirds of the Fortune 500 companies downloaded a vulnerable version of Apache Struts, the same vulnerable server software that was used by hackers to steal the personal data on close to 150 million consumers, according to data shared by Sonatype, an open-source automation firm. That’s despite almost two years’ worth of patched Struts versions being released since the attack. Sonatype wouldn’t name the Fortune 100 firms that had downloaded the vulnerable software, nor was it clear what the software was used for. Sonatype did say that the companies included more than half of the 26 financial and 19 energy companies, and more than half of all healthcare and technology companies. In all, more than 18,000 businesses downloaded vulnerable versions of Struts, the company said. Sonatype’s technology monitors millions of open-source commits per day, Sonatype’s chief executive Wayne Jackson told TechCrunch last year. In doing so, it can see what’s new and updated, and can advise and update vulnerable software with newer, patched versions. The company, which already works with Fannie Mae and Tomitribe, announced Tuesday a new working relationship with Equifax to monitor the use of the credit agency’s open-source libraries across its network to help prevent another breach. It’s a stark turnaround...

Researchers find a new malware-friendly hosting site after a spike in attacks

Security researchers have traced a recent spike in FormBook infections to a new file-hosting service that’s been billed as a place for hackers to host their malware. Deep Instinct analysts say in new findings out Tuesday that the resurgence in FormBook malware, used as part of password and information stealing campaigns currently targeting the retail and hospitality sectors, can be traced back to the newly discovered malware-friendly site that hosts the second-stage dropper used to infect a computer with malicious code after the user opens a booby-trapped document. The researchers say the site, DropMyBin, was created just over a week ago, and is protected by Cloudflare, masking its real-world location. “Within days of going live it became a hornets nest of malware,” said Shimon Noam Oren, head of threat research at Deep Instinct, in an email to TechCrunch. FormBook goes back to 2016 when it was first used to target aerospace and defense contractors in the U.S. and South Korea. Since then, the malware has continued to infect sporadically but has remained largely under the radar. The team also found several other families of malware hosted on the site, including other trojans like AZORult, and the Lokibot trojan for Android devices. “We wouldn’t be surprised to find more info-stealers and spyware there,” said Oren. DropMyBin, a hosting service that threat actors are using to host malware (Screenshot: TechCrunch) The researchers say...

To fight election meddling, Google’s cyber unit Jigsaw extends its anti-DDoS protections to European politicos

Jigsaw, the cybersecurity-focused division owned by Google parent Alphabet, is now allowing political organizations in Europe to sign up for its anti-web-flooding technology for free. Until now, the free-to-use technology designed to protect political campaigns and websites against distributed denial-of-service (DDoS) attacks — dubbed Project Shield — was only available to news sites and journalists, human rights sites and elections monitoring sites in the U.S. Now, Jigsaw is extending those protections to European political operators ahead of contentious parliamentary elections later this year. The anti-DDoS technology aims to protect websites and services from being pummeled with tons of junk internet...

After seizing a major DDoS-for-hire site, Europol goes after its users

Last year, Europol and its many law enforcement partners took down and seized webstresser.org, one of the most notorious “booter” sites for launching distributed denial-of-service (DDoS) attacks, which was claimed to have launched millions of attacks. But the coalition of feds isn’t stopping there. Now, Europol wants to go after its thousands of users. As part of the collective law enforcement effort from the U.K., U.S., and many European partners in Operation Power Off, Europol obtained a list of its 151,000 registered users. With help from British and Dutch police, “actions are currently underway worldwide to track down the...

Without proof, is Huawei really a national security threat?

It’s Huawei vs. the U.S., the U.K., Canada, Australia, New Zealand, and most of Europe and Japan. It’s almost as if the world’s biggest surveillance superpowers don’t want Huawei cell tower and networking router equipment inside critical networks in their countries, amid concerns of the company’s links to the Chinese military. Huawei, they say, could be spying for the Chinese — and that presents a national security risk. But there’s a problem. Years of congressional hearings and “inconclusive” hardware inspections have presented a mixed picture on the threat that Huawei may, or may not pose. Despite the fact that the company’s founder and president is a former officer in China’s People’s Liberation Army and the company remains heavily funded by the Chinese government, there’s also no public, direct evidence that Huawei is using its equipment to spy on network traffic inside the U.S. or any other country. In any case, Huawei can’t prove a negative, so all it can do is allow governments to assess its devices — which has so far found some issues but nothing conclusive to tie it to Chinese espionage actors. That’s the crux of the argument: nobody thinks Huawei is spying now. To get caught would be too dangerous. But nobody knows that it won’t spy in the future. The worst case nightmare scenario is that telcos will snap up Huawei’s technology and install...

Facebook to encrypt Instagram messages ahead of integration with WhatsApp, Facebook Messenger

Facebook is planning to roll out end-to-end encryption for Instagram messages, as part of a broader integration effort across the company’s messaging platforms, including WhatsApp and Facebook Messenger. First reported by The New York Times, the social media giant said it is reworking the underlying infrastructure of its three messaging apps to allow users to talk to each other more easily. The apps will reportedly remain independent of one another — with Instagram and WhatsApp bringing in 1 billion and 1.5 billion respectively. In doing so, Facebook is adding end-to-end encryption to Instagram messages. That will bring a new level of security and privacy to...

Massive mortgage and loan data leak gets worse as original documents also exposed

Remember that massive data leak of mortgage and loan data we reported on Wednesday? In case you missed it, millions of documents were found leaking after an exposed Elasticsearch server was found without a password. The data contained highly sensitive financial data on tens of thousands of individuals who took out loans or mortgages over the past decade with U.S. financial institutions. The documents were converted using a technology called OCR from their original paper documents to a computer readable format and stored in the database, but they weren’t easy to read. That said, it was possible to discern...
