Security

Hack in the box: Hacking into companies with “warshipping”

posted on August 11, 2019
by l33tdawg
Credit: Arstechnica

Penetration testers have long gone to great lengths to demonstrate the potential chinks in their clients' networks before less friendly attackers exploit them. But in recent tests by IBM's X-Force Red, the penetration testers never had to leave home to get in the door at targeted sites, and the targets weren't aware they were exposed until they got the bad news in report form. That's because the people at X-Force Red put a new spin on sneaking in—something they've dubbed "warshipping."

A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

posted on August 7, 2019
by l33tdawg
Credit: Wired

Late one night last September, security researcher Ruben Santamarta sat in his home office in Madrid and partook in some creative googling, searching for technical documents related to his years-long obsession: the cybersecurity of airplanes. He was surprised to discover a fully unprotected server on Boeing's network, seemingly full of code designed to run on the company's giant 737 and 787 passenger jets, left publicly accessible and open to anyone who found it. So he downloaded everything he could see.

Hackers Can Break Into an iPhone Just by Sending a Text

posted on August 7, 2019
by l33tdawg
Credit: Wired

When you think about how hackers could break into your smartphone, you probably imagine it would start with clicking a malicious link in a text, downloading a fraudulent app, or some other way you accidentally let them in. It turns out that's not necessarily so—not even on the iPhone, where simply receiving an iMessage could be enough to get yourself hacked.

How AT&T Insiders Were Bribed to 'Unlock' Millions of Phones

posted on August 7, 2019
by l33tdawg
Credit: Wired

A dramatic saga that began with a civil lawsuit between AT&T and former employees has resulted in a high-profile arrest. Muhammad Fahd, 34, and his co-conspirators allegedly paid AT&T employees more than $1 million in bribes over five years to install malware and spying devices at their offices in Washington, according to a Department of Justice indictment unsealed Monday. He was first arrested in Hong Kong in February 2018, and was extradited to the United States Friday.

Self-driving car service open sources new tool for securing firmware

posted on August 7, 2019
by l33tdawg
Credit: Arstechnica

Developing and maintaining secure firmware for tablets, cars, and IoT devices is hard. Often, the firmware is initially developed by a third party rather than in-house. And it can be tough as projects move from inception and prototyping to full-force engineering and finally to deployment and production.

Severe local 0-Day escalation exploit found in Steam Client Services

posted on August 7, 2019
by l33tdawg
Credit: Arstechnica

Earlier today, disgruntled security researcher Vasily Kravets released a zero-day vulnerability in the Windows version of the ubiquitous gaming service Steam. The vulnerability allows any user to run arbitrary code with LOCALSYSTEM privileges using just a very few simple commands.

Researchers to launch intentionally ‘vulnerable’ blockchain at Black Hat

posted on July 25, 2019
by l33tdawg
Credit: Computer World

Hoping to raise awareness about blockchain vulnerabilities, cybersecurity firm Kudelski Security next week plans to launch the industry’s first "purposefully vulnerable" blockchain – and will demo it at next month's Black Hat conference.

Kudelski Security’s FumbleChain project is aimed at highlighting vulnerabilities in blockchain ecosystems, according to Nathan Hamiel, head of cybersecurity research at Kudelski.

APT17 Outed as MSS Operation

posted on July 25, 2019
by l33tdawg
Credit: Flickr

A group of anonymous researchers have outed the APT17 cyber-attack group (aka DeputyDog) as a Chinese Ministry of State Security (MSS) operation, potentially paving the way for more US indictments.

Intrusion Truth have been right before, when they identified APT3 and APT10 as MSS groups: the former operated by a contractor known as Boyusec. These revelations led to Department of Justice indictments against some of the groups’ members in 2017 and 2018.

Louisiana governor declares state emergency after local ransomware outbreak

posted on July 25, 2019
by l33tdawg
Credit: ZDNet

Louisiana Governor John Bel Edwards has activated a state-wide state of emergency in response to a wave of ransomware infections that have hit multiple school districts.

The ransomware infections took place this week and have impacted the school districts of three North Louisiana parishes -- Sabine, Morehouse, and Ouachita.