A third-party vulnerability exposed admission records, essays, transcripts and sensitive personal information of Stanford University students, including Social Security numbers, ethnicity, legacy status, home address, citizenship, criminal record and financial situation, writes The Stanford Daily. The university has been using NolijWeb, the vulnerable content management system, for about 10 years but now plans to find another platform to host its files. NolijWeb is a highly popular platform among schools and universities to let students access school files, and other institutions could be dealing with the same vulnerability. The glitch has apparently leaked student files since 2015. Students who submitted requests under the Family Educational Rights and Privacy Act (FERPA) could not only see their own education records, but those of other students as well. The vulnerability was detected and investigated by a student who gained access to the data by simply changing numeric IDs i..
Ransomware attacks have been increasing steadily for a few years, and operators gain confidence with every new strike. While cyber-experts burn the midnight oil coming up with solutions to thwart this dangerous form of malware, lawmakers in the U.S. state of Maryland are trying a shortcut – they aim to increase prison time for ransomware operators. Experts have long insisted that caving in to ransomware operators’ demands not only encourages them to strike again, but it also doesn’t ensure you get your data back. Using a security solution to prevent attacks undoubtedly helps, but the best defences against ransomware remain vigilance and offline backups. Because of the way ransomware works, though, operators often remain at large. That’s why legislators in Maryland have decided to give future cyber-crooks a scare, by increasing slammer time to 10 years for any ransomware attack resulting in losses greater than $1,000. Via DelmarvaNow: Maryland Senate bill 151, cross-filed with House..
Torrent sites are banning CracksNow, a popular source of torrent uploads, after discovering that the uploader of cracks and keygens was distributing ransomware. CracksNow was labeled as “trusted” before a number of users started noticing bad things happening to their computers. Torrentfreak shows one of the more recent examples in a screenshot depicting comments to a now-removed torrent. According to the thread, the resulting download contained GandCrab version 5.1, the latest version of a nasty ransomware family. Like any ransomware, GandCrab encrypts users’ files and demands a crypto-ransom in exchange for the keys. An administrator at torrent site 1337x.to told the publication, “He was banned by myself because I found ransomware in his uploads.” “I also checked the same uploads from him on a couple other torrent sites and got the same results. I immediately alerted their staff about it so they could investigate and take appropriate action, which they did,” he said. Several torrent ..
2018 alone has seen billions of accounts hacked across a wide range of applications and services, proving once more that even the biggest Internet players can’t always keep users’ accounts under lock and key. Hackers are increasingly adept at flying under the radar, making life hard for everyone in their crosshairs. While big companies have regulations like GDPR to fear, end users are finding it increasingly necessary to arm themselves with good password hygiene and best practices. Some vendors are more diligent than others, security-wise, but most give users plenty of options to deploy additional security layers, like two-factor authentication (2FA), recovery email, or printed security codes. As the biggest aggregator of user-generated data on the web, Google offers a wide range of security layers that users can opt in and out of, depending on their privacy needs, security awareness, or convenience. This guide offers a comprehensive look at these out-of-view options that every user sh..
A popular browser extension has been removed by Google from the Chrome Web Store after it started spamming users with irritating pop-up advertisements. The “Automatic 4K/HD for Youtube” extension, used by over 4 million Chrome users to force YouTube into playing videos at high quality, was recently updated to display ads for another Chrome extension. Ironically, as ZDNet describes, the Chrome extension it began to aggressively advertise was one that purported to be an ad-blocker. The unwanted ads took advantage of Chrome’s desktop notification feature, in breach of Google’s developer policies. Disgruntled users left poor reviews on the extension’s page on the Chrome Web Store, warning others who might be considering installing the code, and turned to social media as they attempted to discover the source of the unwanted ads. Eventually they identified that the “Automatic 4K/HD for Youtube” extension was responsible for the nuisance pop-up ads. The inevitable concern, whenever a b..
The Swiss government has just announced a CHF250,000 investment in a new bug bounty program to prevent voting manipulation. Swiss Post will let professional ethical hackers attack its system for a month to ensure the e-voting system is secure, glitch free and can be made available across the country, reads a press release on the Swiss Post website. Once the system is considered bug free, Swiss citizens will get their voting cards in the mail. A pen test to check security has already been performed by “an accredited body.” Swiss security company SCRT will receive CHF100,000 for helping with the program. The project, to run from February 25 to March 24, is open to global applicants who could win up to CHF50,000, depending on the front-end or back-end weaknesses detected. The financial prizes will be decided by Swiss Post, not the federal government. Participants will give it their best to alter server security, steal data and influence votes. So far more than 1,000 participants are re..
Last week a bug became such big news that it broke out of the technology press, and into the mainstream media – generating headlines around the globe. The reason? A bizarre bug discovered in the way iPhones and iPads handled Group FaceTime calls meant that someone could potentially listen to and even see you *before* you answered an incoming call. Now you can answer for yourself on FaceTime even if they don’t answer #Apple explain this.. pic.twitter.com/gr8llRKZxJ — Benji Mobb (@BmManski) January 28, 2019 As news of the flaw spread like wildfire on social media, Apple said it would fix the problem “later in the week” and made a change server-side that temporarily disabled all Group FaceTime calls to prevent others from being at risk (much to the irritation of those hoping to prank their friends.) The bad news for Apple grew as it not only failed to release a patch within its original estimate, but it was also revealed that a 14-year-old boy had separately discovered the probl..
Huawei’s been having a rough time recently. After the US, New Zealand and Australia prevented the telecom company from working on their 5G mobile networks for fear it would spy for the Chinese government, the European Commission expressed concern over potential backdoors that could threaten national security and lead to a ban. Then, Huawei’s CFO was arrested in Canada over alleged Iran sanctions violations. Huawei may now face another blow: even though the company committed to invest some $2 billion to assuage UK government security concerns over issues with Huawei products, it may take the company years to get everything in place, writes The Guardian. Ryan Ding, Huawei’s carrier business group president, said measures needed to ease the concerns, raised in a 2018 Huawei Cyber Security Evaluation Centre Oversight Board annual report mandated by the UK, constitute “a complicated and involved process and will take at least three to five years to see tangible results. We hope the UK g..
Apple is not getting off so easily with the FaceTime privacy violation incident. Two members of the US Congress are “deeply troubled” that the company didn’t immediately address the software glitch and demand further explanations for an issue they think could easily create “ultimate spying machines,” writes Reuters. House Energy and Commerce Committee Chairman Frank Pallone and Representative Jan Schakowsky, both Democrats, wrote a letter to Apple CEO Tim Cook demanding to know when the company was first made aware of the privacy intrusion, how consumer privacy may have been affected and “whether there are other undisclosed bugs that currently exist and have not been addressed.” They are calling for transparency with the outcome of the investigation and a written response to their questions. The FaceTime privacy violation was detected by a 14-year-old and his mom who were trying to use the group call feature, but found that strangers could easily eavesdrop on their conversation eve..
The financial services industry registered three times more security incidents than any other industry in 2018. According to data released under Freedom of Information legislation, UK government organization The Student Loans Company (SLC) experienced close to a million cyberattacks in the 2017 – 2018 fiscal year. The information was made public upon written request from the Parliament Street think tank. While most attacks were categorized as malware (323), Denial-of-Service, and malicious emails or calls (235), they all failed, except for a cryptojacking attack. Manipulating a third-party plugin, hackers injected Monero mining software into the company’s network. This was attributed to third-party incidents. Dealing with student grants and loans, SLC had access to a high volume of confidential personal and financial information. According to its annual report, the company has 8.1 million customers and a loan book value of £117.8 billion, and it processed about 1.8 million applicat..