Security

In the spring of last year, cybersecurity researcher Takeshi Suguwara walked into the lab of Kevin Fu, a professor he was visiting at the University of Michigan. He wanted to show off a strange trick he'd discovered. Suguwara pointed a high-powered laser at the microphone of his iPad—all inside of a black metal box, to avoid burning or blinding anyone—and had Fu put on a pair of earbuds to listen to the sound the iPad's mic picked up.

A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets.

The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The personal data of nearly 7.5 million Adobe Creative Cloud users was exposed earlier this month when an unsecured database was discovered online.

The database, which could be accessed by anyone without the need for a username or password, included information such as email addresses, member IDs and payment status. People accessing the database were also able to see which Adobe products were used by individuals, the country they live in, and whether they are Adobe employees.

A lawsuit against AT&T alleges that the carrier's employees helped hackers perform SIM-swap attacks on a customer and rob him of $1.8 million worth of cryptocurrency.

Plaintiff Seth Shapiro of Torrance, California, says that AT&T is liable for the acts of its employees and failed to implement systems and procedures to prevent them from pulling off the scheme. The complaint, filed on October 17 in US District Court for the Central District of California, says:

The team over at Cisco Talos has spotted a clever bit of trickery being used by an iOS click fraud operation. Researchers say a piece of malware called "Checkrain" has been making the rounds spoofing a popular iOS jailbreaking tool called "checkra1n".

"The site even claims to be working with popular jailbreaking researchers such as “CoolStar” and Google Project Zero’s Ian Beer," Talos explains.

When the Pixel 4 ships this week, it will be releasing to consumers with a face-unlock security issue that will apparently stick around for some time. Unlike the iPhone's FaceID (and Google's earlier face-unlock system on Android 4.1), the Pixel 4's face unlock doesn't look for the user's eyes, so the phone could be pointed at a sleeping or unconscious owner and unlocked without their consent. This weekend, Google said in a statement that a fix "will be delivered in a software update in the coming months."

Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base.

Researchers have found a new piece of malware, likely from an advanced threat group, that can patch Chrome and Firefox browsers to identify the encrypted traffic from a victim's computer.

The threat adds to the victim host Transport Layer Security (TLS) certificates, which help carry out man-in-the-middle (MitM) attacks on encrypted traffic.

The October 2019 security patch is now rolling out to the Samsung Galaxy S10, S10+, Note 10 and Note 10+.

We’ve seen information that confirms Google will not grant Android licenses to phones launching without Android 10 from 2020. No doubt that is awesome for any new phones you pick up at the turn of the decade but it’s the current crop of devices that need the bump to the latest OS update.

Attacks on Microsoft user accounts that are capable of bypassing multi-factor authentication (MFA) protections are so rare that the Redmond-based company doesn't even have stats for them.

"Compared to password attacks, attacks which target non-password authenticators are extremely rare," said Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft.