
Security

New open source scanning tool is built for ethical hackers

posted on May 19, 2021
by l33tdawg
Credit: Beta News

Being able to find web vulnerabilities as soon as they emerge, before attackers can exploit them, is critical for organizations wanting to stay on top of web application security.

SaaS security specialist Detectify is launching a new stand-alone application security tool that's specifically tailored for ethical hackers, making it easier for them to share their latest findings.

Florida water plant compromise came hours after worker visited malicious site

posted on May 19, 2021
by l33tdawg
Credit: Arstechnica

An employee for the city of Oldsmar, Florida, visited a malicious website targeting water utilities just hours before someone broke into the computer system for the city’s water treatment plant and tried to poison drinking water, security firm Dragos said Tuesday. Ultimately, the site likely played no role in the intrusion, but the incident remains unsettling, the security firm said.

New Android malware targeting banks in Italy, Spain, Germany, Belgium, and the Netherlands

posted on May 11, 2021
by l33tdawg
Credit: Flickr

A new Android trojan has been identified by security researchers, who said on Monday that once it is successfully installed in the victim's device, those behind it can obtain a live stream of the device screen and also interact with it via its Accessibility Services.

The malware, dubbed "Teabot" by security researchers with Cleafy, has been used to hijack users' credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands.

Microsoft's May 2021 Patch Tuesday: 55 flaws fixed, four critical

posted on May 11, 2021
by l33tdawg
Credit: Wikipedia

Microsoft's May Patch Tuesday dump included patches for 55 CVEs with four rated critical. There were also three zero-day bugs but none have been exploited.

Products impacted include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office, to name a few. You can find the updates for May here.

The fixed zero day bugs include:

This one change could protect your systems from attack. So why don't more companies do it?

posted on May 11, 2021
by l33tdawg
Credit: Flickr

If there's one thing an organisation should do to protect its network from cyber attacks, it's turn on automatic updates for security patches so cyber criminals and other malicious hackers can't exploit vulnerabilities which have already been fixed.

The advice comes from the UK's National Cyber Security Centre – the cyber arm of GCHQ – which recommends applying security patches as soon as they're available as one of the simplest things an organisation can do to prevent intruders entering their networks.

FBI says Darkside hacking group behind pipeline cyberattack

posted on May 11, 2021
by l33tdawg

The FBI blamed a hacking group on Monday for a cyberattack that took down the main pipeline carrying gas to the East Coast, raising concerns about the vulnerability of critical systems.

The law enforcement agency, which is investigating the May 7 hack, pinned responsibility on Darkside, a group that reportedly develops ransomware and sells it to other outfits.  

SolarWinds Says Russian Group Likely Took Data During Cyber-Attack

posted on May 10, 2021
by l33tdawg
Credit: Bloomberg

The Russia-linked hackers that compromised popular software by the Texas-based firm SolarWinds Corp. last year broke into email accounts and likely took data from the firm.

SolarWinds said it “found evidence that causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance,” according to a regulatory filing on Friday. The hackers “accessed email accounts of certain personnel, some of which contained information related to current or former employees and customers,” the company said.

Pipeline cyberattack was likely the work of a ransomware gang

posted on May 10, 2021
by l33tdawg
Credit: Engadget

Details of the industry-hobbling Colonial Pipeline cyberattack are starting to emerge. Reuters and Bloomberg say the hack was likely the work of a cybercriminal group, and that the ransomware gang DarkSide appears to be the primary suspect. Bloomberg claims DarkSide stole almost 100GB of data in two hours on May 6th as part of a "double-extortion scheme" where intruders threatened to both leak company data and lock Colonial out of its information.

Apple brass discussed disclosing 128-million iPhone hack, then decided not to

posted on May 10, 2021
by l33tdawg
Credit: Arstechnica

In September 2015, Apple managers had a dilemma on their hands: should, or should they not, notify 128 million iPhone users of what remains the worst mass iOS compromise on record? Ultimately, all evidence shows, they chose to keep quiet.

The mass hack first came to light when researchers uncovered 40 malicious App Store apps, a number that mushroomed to 4,000 as more researchers poked around. The apps contained code that made iPhones and iPads part of a botnet that stole potentially sensitive user information.

Google Gets Serious About Two-Factor Authentication. Good!

posted on May 10, 2021
by l33tdawg
Credit: Wired

“Turn on two-factor authentication” is solid advice, and WIRED has repeated it for years. Doing so ensures that your password isn't the only line of defense against unauthorized access to your accounts. The only problem? The onus was always on you to figure out how to make it happen. Now, Google is taking its first steps toward enabling two-factor by default for all its users—and where Google goes in web security, the rest of the industry often follows.