Security

An increasingly sophisticated hacking group is exploiting a zero-day vulnerability in Adobe's Flash Player that lets them take full control of infected machines, researchers said Friday.

Despite widespread awareness of the physical and data-related danger inherent in exposing critical infrastructure to cyberattack, the number of internet-accessible industrial control systems (ICS) is increasing every year.

ATM “jackpotting” — a sophisticated crime in which thieves install malicious software and/or hardware at ATMs that forces the machines to spit out huge volumes of cash on demand — has long been a threat for banks in Europe and Asia, yet these attacks somehow have eluded U.S. ATM operators. But all that changed this week after the U.S. Secret Service quietly began warning financial institutions that jackpotting attacks have now been spotted targeting cash machines here in the United States.

In initial disclosures about critical security flaws discovered in its processors, Intel Corp. notified a small group of customers, including Chinese technology companies, but left out the U.S. government, according to people familiar with the matter and some of the companies involved.

The travel and hospitality industry suffers billions of losses each year due to fraud.

“With the right combination of other underground services (compromised accounts, credit cards, etc.) it is possible to cover almost every aspect of the holidays, including food and restaurants, shopping, entertainment, guided tours and more – way beyond flights and hotels,” Vladimir Kropotov, Researcher at Trend Micro, told Help Net Security.

Intel CEO Brian Krzanich opened his fourth-quarter earnings call with comments on the newly discovered Spectre and Meltdown security flaws in nearly all of Intel’s processors.

He said that the company was working “around the clock with our customers and partners” to address the flaws, and he was “acutely aware that we have more to do” beyond issuing software fixes to deal with the problems.

Yesterday, Siemens issued an update to a year-old product vulnerability warning for its SIMATIC S7-300 and S7-400 families of programmable logic controllers (PLCs)—industrial control systems used to remotely monitor and operate manufacturing equipment. The alert, originally issued in December of 2016, was updated on Wednesday to include another version of the S7-400 line. The Department of Homeland Security pushed out an alert through the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) today.

Alphabet—the parent company of Google, Nest, Waymo, and a million other companies—is launching a new company under the Alphabet umbrella. It's called "Chronicle," and the new company wants to apply the usual Google tenets of machine learning and cloud computing to cybersecurity.

Cryptocurrency miners have begun using two older and already patched vulnerabilities to compromise servers to mine the Monero digital currency.

Trend Micro researcher Hubert Lin reported a significant increase in the use of Apache Struts (CVE-2017-5638) and DotNetNuke (CVE-2017-9822) starting in December. So far it's estimated the malicious actor behind the attacks has netted about $12,000 or 30XMR.

Sega has said it is looking into claims that a trio of its Sonic games for Android are leaking personal data.

Security company Pradeo said late last week that it had discovered the Android games -- Sonic Dash, Sonic the Hedgehog Classic, and Sonic Dash 2: Sonic Boom -- were leaking user location data and device info. Based on the download ranges offered by the Play Store, collectively the leaks could impact between 120 million and 600 million users.