Information Security Newspaper | Infosec Articles | Hacking News
https://www.securitynewspaper.com/
Fri, 13 May 2022 18:18:12 +0000

Threat actors could have hacked the U.S. Drug Enforcement Administration (DEA) and other related law enforcement agencies. Investigation still ongoing
https://www.securitynewspaper.com/2022/05/13/threat-actors-could-have-hacked-the-u-s-drug-enforcement-administration-dea-and-other-related-law-enforcement-agencies-investigation-still-ongoing/
Fri, 13 May 2022 18:18:10 +0000

The U.S. Drug Enforcement Administration (DEA) reports that it has begun an investigation into alleged cyberattacks that would have compromised up to 16 databases of federal agencies. According to KrebsOnSecurity researchers, this incident could be related to a cybercriminal group whose members pose as law enforcement officers in order to access sensitive information.

A few days ago, investigators were alerted to a group of hackers with access to a username and password to the Law Enforcement Inquiry and Alerts (LEIA) system, which allows the search for information internally and in external database repositories, including data classified as “sensitive to law enforcement.” This report was shared with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ). In total, LEIA enables federated search of 16 federal law enforcement databases in the U.S.

The report received by KrebsOnSecurity includes some screenshots indicating that hackers may have accessed the El Paso Intelligence Center (EPIC), one of the databases accessible from LEIA. In this database, threat actors would have searched for all kinds of records on seized assets, including cars, boats, weapons and even drones.

Strangely, this information was reported to KrebsOnSecurity by “KT”, administrator of an alleged online cybercriminal community known as Doxbin. This same threat actor has been identified as the leader of Lapsus$, a hacking group that recently carried out high-profile attacks against well-known companies such as Microsoft, NVIDIA and Samsung.

This hacker is also blamed for operating a service that offers fake Emergency Data Requests (EDR), using compromised email accounts from law enforcement agencies to ask tech companies for access to their users’ confidential information posing as police officers.  

Although this activity has been linked to some alleged members of Lapsus$, at the moment it is unknown exactly who is behind these attacks, and even the possibility of a hacking group sponsored by nation states is still being considered. DEA will continue to investigate the reports, so it only remains to wait for new details to be officially announced.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Now you can ask Google to remove your phone number, email address, physical address and other personal contact data from Search Results. Learn how to do it
https://www.securitynewspaper.com/2022/04/28/now-you-can-ask-google-to-remove-your-phone-number-email-address-physical-address-and-other-personal-contact-data-from-search-results-learn-how-to-do-it/
Thu, 28 Apr 2022 19:25:46 +0000

After multiple scandals of inappropriate handling of personal information, reinforcing users’ privacy has become one of the primary goals of large technology companies. Such is the case of Google, which has just announced the implementation of new policies that will allow users to request the removal of certain personal content from Google Search results.

While it was already possible to make these requests in cases of doxing or leaking of bank details, the update will allow users to request the removal of other content that appears in search results, including personal contact information. Google will also allow the removal of additional information that may pose a risk of identity theft, such as access credentials to online platforms.

According to the report, the following records may be considered personal contact information:

  • Government identification numbers, including social security numbers, tax identification keys and the like depending on the country in question
  • Bank account numbers and credit cards
  • Images of handwritten signatures
  • Images of identity documents
  • Medical records
  • Physical addresses, phone numbers and email addresses

Regarding how these requests are handled, Google says it evaluates all the content of websites that may be exposing confidential data, trying not to limit the availability of other useful data for users. The company also looks at whether the content users want to remove is part of public or government records; if so, the request is inadmissible.

Although this is undoubtedly good news, users should remember that removing this content from Google Search results will not remove it from the Internet. To do that, it is necessary to contact the administrators of the website in question directly.

Google continues to implement changes to its policies in order to improve the privacy experience of its users. In recent days the company revealed a new measure that allows users under the age of 18 to request the removal of any image of themselves from image search results. The parents and guardians of minors may also carry out this procedure.

Full information about these requests and other security and privacy measures implemented by Google is available on the company’s official communication channels.

Critical vulnerability in Java allows forgery of certificates, signatures, WebAuthn messages and evade authentication mechanisms: Update immediately
https://www.securitynewspaper.com/2022/04/21/critical-vulnerability-in-java-allows-forgery-of-certificates-signatures-webauthn-messages-and-evade-authentication-mechanisms-update-immediately/
Thu, 21 Apr 2022 16:15:02 +0000

Some versions of Java are affected by a critical vulnerability in the Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation that would allow threat actors to digitally sign files and other data in the same way that a legitimate entity would. A hacker could pass off malicious downloads as if they were benign content without Java applications being able to identify the hidden activity.

All kinds of Java implementations could be compromised if this flaw is exploited, including fields such as encrypted communications, authentication tokens, code updates and others. Oracle fixed the bug, tracked as CVE-2022-21449, in its quarterly security patch.

While Oracle had initially assigned this flaw a severity score of 7.5/10, cybersecurity specialists analyzed the report and concluded that the flaw merited a critical score of 10/10. In this regard, the researcher Thomas Ptacek considers this report as the “cryptographic error of the year”, given its exploitation conditions and problems derived from the attack.

The most surprising thing about this flaw is how easy it is to exploit; it is also a very obvious mistake, and one that Oracle took a long time to address. This vulnerability reportedly arose when some of the signature verification code in Java 15 was rewritten from C++ to Java, including the ECDSA verification code.

ECDSA signatures are composed of a pair of numbers, called r and s. To verify a signature, the code performs some calculations involving a hash of the data, the public key of the organization or person who produced the digital signature, and the r and s numbers; one side of the equation uses r, the other r and s.

Both sides of this calculation must be equal for the signature to be properly verified; that implies that the data was digitally signed with the signer’s private key. If signature verification fails, that probably means whoever signed the data is not who they say they are, so the data shouldn’t be trusted.

In theory, for a signature to be valid, the values of r and s cannot be 0, since in the process these numbers are multiplied with other values. The error arose because, while the original C++ code verified that both r and s were not zero, the new Java code did not verify this condition. As you may know, any quantity multiplied by zero equals zero, so when r and s are both 0 the two sides of the check both come out as zero, including the step in which a value has to be divided by s, and the flawed verification accepts the signature.
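The missing range check described above, as an added example that is not code from the original article or from the JDK: a toy ECDSA verifier in Python, once without the check on r and s and once with it. The textbook-sized curve, the function names, the Fermat-style inverse that maps 0 to 0, and the convention that the point at infinity reads as x = 0 are assumptions of this example.

```python
import hashlib
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17; base point G has prime order 19.
# Far too small for real use; chosen so every value can be checked by hand.
P, A = 17, 2
G = (5, 1)
N = 19
INFINITY = None  # neutral element of the group ("point at infinity")


def inv_mod(x, m):
    """Inverse via Fermat's little theorem. Note: maps 0 to 0, no error raised."""
    return pow(x % m, m - 2, m)


def add(p1, p2):
    """Add two curve points."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY  # a point plus its negative
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, point):
    """Scalar multiplication by double-and-add; mul(0, point) is INFINITY."""
    result = INFINITY
    while k:
        if k & 1:
            result = add(result, point)
        point = add(point, point)
        k >>= 1
    return result


def digest(msg):
    """Hash of the data, reduced modulo the group order."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg):
    """Sign msg with private key d; retries until r and s are both non-zero."""
    e = digest(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh random nonce in [1, N-1]
        r = mul(k, G)[0] % N
        s = inv_mod(k, N) * (e + r * d) % N
        if r and s:
            return r, s


def combine(q, msg, r, s):
    """Compute (e/s)*G + (r/s)*Q, the point whose x-coordinate is compared to r."""
    w = inv_mod(s, N)
    return add(mul(digest(msg) * w % N, G), mul(r * w % N, q))


def verify_unchecked(q, msg, r, s):
    """Verification with the range check on r and s left out."""
    point = combine(q, msg, r, s)
    x = 0 if point is INFINITY else point[0]  # assumption: infinity reads as 0
    return x % N == r % N


def verify_checked(q, msg, r, s):
    """Verification that rejects r or s outside [1, N-1] before any arithmetic."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    point = combine(q, msg, r, s)
    return point is not INFINITY and point[0] % N == r


if __name__ == "__main__":
    d = 5                       # constructed sample private key
    q = mul(d, G)               # matching public key
    msg = b"constructed sample message"
    r, s = sign(d, msg)
    print("valid signature, unchecked:", verify_unchecked(q, msg, r, s))
    print("valid signature, checked:  ", verify_checked(q, msg, r, s))
    print("(0, 0), unchecked:", verify_unchecked(q, b"any data", 0, 0))
    print("(0, 0), checked:  ", verify_checked(q, b"any data", 0, 0))
```

With r = s = 0 both scalar multipliers are 0, so the combined point is the neutral element regardless of the message or public key; only the explicit range check stops that value from matching r.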

The flaw has already been addressed, so it is recommended to update as soon as possible.

It’s now legal to scrape LinkedIn users’ data for marketing purposes without their permission
https://www.securitynewspaper.com/2022/04/19/its-now-legal-to-scrap-linkedin-users-data-for-marketing-purposes-without-their-permission/
Tue, 19 Apr 2022 21:21:10 +0000

The practice of data scraping has always been the subject of controversy, because although data on websites are considered public, thousands of users and specialists believe that there should be better restrictions against this information collection method. Nonetheless, authorities seem to have a clear view about it; this week, the U.S. Court of Appeals for the Ninth Circuit ruled that LinkedIn has no argument to stop its competitor, hiQ Labs, from extracting public data from LinkedIn users.

In 2017, LinkedIn demanded that hiQ stop collecting LinkedIn data, starting to block hiQ’s access and its ability to extract data from public profiles. At the time, LinkedIn argued that hiQ’s actions violated several laws, primarily the Computer Fraud and Abuse Act (CFAA) and LinkedIn’s own terms of use.

In this regard, the courts in the U.S. determined that LinkedIn could not block hiQ’s access to the public data of its users; in her ruling, Circuit Judge Marsha Berzon said, “There is little evidence that LinkedIn users who choose to make their profiles public maintain an expectation of privacy with respect to the information they post.”

For LinkedIn, this decision was not enough to desist from their plans, so they took the case to the U.S. Supreme Court. However, in a previous case the Court had already decided not to penalize the extraction of publicly available information on Internet platforms, so the LinkedIn case was returned to the circuit court.

Upon receiving the case back, the Ninth Circuit ruled that the concept of access authorization will not apply to public websites. Not only can this prove useful for companies like hiQ, but it will also ensure access to relevant sources of information for journalists, researchers and companies for legitimate purposes.

Despite all the setbacks, LinkedIn doesn’t seem to have given up. In a statement, spokesman Greg Snapper said: “We are disappointed with the court’s decision. This is a preliminary decision and the case is far from over.” Snapper says LinkedIn will continue to fight to protect its users’ information.

Do not open this WhatsApp message offering Free Cadbury Chocolates; hackers can empty your bank accounts
https://www.securitynewspaper.com/2022/04/05/do-not-open-this-whatsapp-message-offering-free-cadbury-chocolates-hackers-can-empty-your-bank-accounts/
Tue, 05 Apr 2022 23:24:25 +0000

The famous Cadbury confectionery issued a statement warning its customers about a WhatsApp scam in which threat actors offer consumers a basket of free Easter chocolates, which they can claim through a link attached to this message.

The UK-based firm has confirmed that this is not a legitimate offer and users of the messaging app should ignore this alleged promotion: “We have been informed about social media posts claiming to offer consumers a basket of free Easter chocolate… We can confirm that this has not been generated by us and we urge consumers not to interact.”

Some users responded to one of the company’s posts on Twitter, confirming that they had received the text message and even with testimonies from victims who fell into the trap by clicking on the attached link.

British authorities also issued a warning about this phishing campaign, asking users to ignore these messages in the face of the potential risk of handing over their personal information to individuals with questionable intentions. Merseyside Police say they are aware of how difficult it is to refuse a free chocolate, but strongly ask users not to interact with those messages.

This seems to be clearly a phishing scam in which criminals create attractive messages in order to trick users into handing over their personal information, mainly through a link to a fraudulent website with forms for data registration.

Finally, the UK’s National Cyber Security Centre advised users in general to think twice before clicking on any similar links, opening unsolicited messages or downloading suspicious attachments. Indicators such as misspellings, shortened URLs, and low-resolution images can help identify a potential phishing attack.

Email marketing company Mailchimp was hacked. Customer accounts control taken over by attackers
https://www.securitynewspaper.com/2022/04/04/email-marketing-company-mailchimp-was-hacked-customer-accounts-control-taken-over-by-attackers/
Mon, 04 Apr 2022 22:49:29 +0000

Email marketing company Mailchimp confirmed this morning that a malicious hacking group managed to compromise its systems to access customer accounts and extract potentially sensitive information.

Siobhan Smyth, director of information security at Mailchimp, said its security teams detected malicious activity on its systems on March 26, when they discovered that a tool employed by its customer support systems was being used by hackers.

“We acted quickly to address the situation, canceling access to compromised accounts and taking steps to prevent other employees from being affected,” Smyth said.

Although the company claims that the incident was adequately addressed, it was confirmed that the hackers had access to about 300 Mailchimp accounts, extracting dozens of records. Although Mailchimp did not add more details about the compromised information, it was unofficially mentioned that this data belongs to cryptocurrency and financial analysis firms.

In addition to viewing accounts and exporting data, threat actors gained access to API keys for an undisclosed number of customers, which would allow hackers to send spoofed emails; those keys have already been disabled. Smyth said Mailchimp received some reports of hackers using the information they obtained from users’ accounts to send phishing campaigns to thousands of users.

Reports about this incident began circulating this weekend, after cryptocurrency wallet maker Trezor confirmed that its users had received emails as a result of the attack on Mailchimp.

In these malicious messages, the hackers incited Trezor users to reset their hardware wallet PINs by downloading malicious software that, had it been installed, could have allowed hackers to steal millions of dollars in cryptocurrency.

Hard-coded credentials vulnerabilities in 10 models of Lenovo Networking Switches
https://www.securitynewspaper.com/2022/03/24/hard-coded-credentials-vulnerabilities-in-10-models-of-lenovo-networking-switches/
Thu, 24 Mar 2022 21:31:52 +0000

Cybersecurity specialists reported the detection of multiple vulnerabilities affecting Lenovo Networking Switches. According to the report, successful exploitation of these flaws would allow malicious actors to deploy dangerous hacking activities.

Below are brief descriptions of the reported flaws, in addition to their tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-27796: The excessive data output by the application would allow remote users to read the contents of any file on the filesystem only by using a few available binaries.

This is a medium severity flaw and resides in all of the following solutions:

  • Lenovo ThinkSystem DB800D FC Switch: All versions
  • Lenovo ThinkSystem DB720S FC Switch: All versions
  • Lenovo ThinkSystem DB630S FC Switch: All versions
  • Lenovo ThinkSystem DB620S FC Switch: All versions
  • Lenovo ThinkSystem DB610S FC Switch: All versions
  • Lenovo ThinkSystem DB400D FC Switch: All versions
  • Lenovo – B6510 FC SAN Switch: All versions
  • Lenovo – B6505 FC SAN Switch: All versions
  • Lenovo – B300 FC SAN Switch: All versions
  • Brocade – 6505 FC SAN Switch: All versions

CVE-2021-27797: On the other hand, this flaw exists due to the presence of hard-coded credentials in application code, which would allow remote unauthenticated attackers to access the affected system using those credentials.

This is a high-severity flaw that received a CVSS score of 8.5/10 and resides in the following Lenovo switches:

  • Lenovo ThinkSystem DB800D FC Switch: All versions
  • Lenovo ThinkSystem DB720S FC Switch: All versions
  • Lenovo ThinkSystem DB630S FC Switch: All versions
  • Lenovo ThinkSystem DB620S FC Switch: All versions
  • Lenovo ThinkSystem DB610S FC Switch: All versions
  • Lenovo ThinkSystem DB400D FC Switch: All versions
  • Lenovo – B6510 FC SAN Switch: All versions
  • Lenovo – B6505 FC SAN Switch: All versions
  • Lenovo – B300 FC SAN Switch: All versions
  • Brocade – 6505 FC SAN Switch: All versions

Even though these flaws can be exploited by remote non-authenticated attackers using specially crafted requests, there is no evidence of active exploitation attempts. Still, cybersecurity specialists recommend users of affected implementations update as soon as possible.

Check the integrity of the browser extension using this WhatsApp tool before running WhatsApp web
https://www.securitynewspaper.com/2022/03/11/check-the-integrity-of-the-browser-extension-using-this-whatsapp-tool-before-running-whatsapp-web/
Fri, 11 Mar 2022 18:24:29 +0000

Users of the WhatsApp version for laptops and desktops will now be able to use a browser extension to check the integrity of the software running in their browser. The extension is the result of a collaborative project between Meta and Cloudflare.

End-to-end encryption in WhatsApp protects users’ messages from being read by intermediaries, although you can never have enough security, especially considering that things can change when users turn to the web version of the messaging app.

The extension was dubbed Code Verify and, according to Meta software engineer Richard Hansen, is based on a browser security feature called “subresource integrity,” which allows browsers to check if the files obtained have been altered in any way.

Code Verify analyzes the JavaScript code in WhatsApp Web, a process for which Cloudflare’s collaboration is required, since the high amount of resources required for a complete verification exceeds the capabilities of WhatsApp: “Cloudflare has a hash of the code that WhatsApp users should execute,” says the report on this extension.

When users run WhatsApp in their browser, WhatsApp’s code verification extension compares a hash of that code running in their browser to Cloudflare’s hash, allowing you to easily check if the code you’re running is the correct code.

At the moment, Code Verify is available for Google Chrome, Microsoft Edge, and Mozilla Firefox, with plans to expand to Safari in the short term. The tool runs immediately after installation to start validating WhatsApp JavaScript libraries. A green indicator confirms that everything is valid, an orange one means the page needs to be updated or another extension is interfering with Code Verify, and a red one means a hash discrepancy has been detected, indicating a possible compromise.

This integrity verification extension could make users of WhatsApp and other services that implement Code Verify less likely to install extensions that alter social media functions and raise potential security issues, strengthening the user experience in terms of cybersecurity.

Hacker took control of US school district systems and mailed every student cancelling all classes
https://www.securitynewspaper.com/2022/02/17/hacker-took-control-of-us-school-district-systems-and-mailed-every-student-cancelling-all-classes/
Thu, 17 Feb 2022 21:45:10 +0000

Dozens of families in the Needham School District fell for what appears to be a bad joke after receiving an email notifying them that this week’s classes would be canceled.

According to the report, the email appeared legitimate and appeared to be sent from the school district’s official accounts. Specifically, the message claimed that Pollard Middle School officials had decided to suspend activities until further notice.

Melissa Stein, mother of a child registered at the school, mentioned that she noticed something strange when reading the message a couple of times. “That’s not how the director would have written a message; there are a lot of punctuation errors,” she said.

Daniel Gutekanst, superintendent of Needham County, sent an email early Tuesday to the families of Pollard Middle School providing the correct information and denying what was mentioned in the previous message. Separately, Police Department Representative Chris Baker confirmed that there is an ongoing investigation along with the school department.

More information on this is not known at the moment, although cybersecurity specialists believe that everything is related to a cyberattack. This could be confirmed in the following days.

Why is the Zoom app on Apple devices listening to your microphone when not in a meeting?
https://www.securitynewspaper.com/2022/02/10/why-is-the-zoom-app-on-apple-devices-listening-to-your-microphone-when-not-in-a-meeting/
Thu, 10 Feb 2022 18:17:42 +0000

Dozens of Mac device users report that the Zoom video conferencing app keeps their devices’ microphone on even when the app isn’t active. According to reports, the problem lies in the native Zoom version in macOS Monterey, a version of the operating system that has a function to alert the user if their microphone or camera is suddenly activated.

The reports began in late 2021, so Zoom released an update to fix what they described as “an issue related to the microphone indicator light, which is activated when the user is not in a meeting.” However, reports of this unexpected behavior continue to pile up.

A forum for Zoom users on Apple PCs continues to publish reports about the persistence of the problem even after the update is installed: “The most recent update has not made a difference; I just noticed the light activated again; when I left Zoom, Timing.app told me that he had been on a 2-hour video call,” says one of the users.

So far, the company has not issued any message about these new reports, although a new update is expected to be released. At the moment, users of Mac devices are recommended to disable the Zoom application if they do not use it assiduously as a temporary security measure, or to resort to some additional software to know if any intruder is spying on their computers.

Zoom has become a very popular platform, especially during the pandemic and the need to work remotely, so privacy reports have also increased. Previously, the firm installed a hidden web server on its customers’ Mac devices to enable automatic call handling. Apple had to issue a macOS update to remove the hidden program.

Vodafone Portugal telecom services disrupted by a cyber attack
https://www.securitynewspaper.com/2022/02/08/vodafone-portugal-telecom-services-disrupted-by-a-cyber-attack/
Tue, 08 Feb 2022 21:43:38 +0000

This morning, the Portuguese unit of telecommunications company Vodafone confirmed that a hacking group disrupted its services overnight Monday, in what appears to be a failed attempt to access its customers’ personal data. In its statement, the company said the technical issues caused thousands of customers to suffer disruptions to their phone call services and Internet access. Later, it was confirmed that the outages were triggered by a “malicious and deliberate” cyber attack.

The good news is that, so far, the company has not identified indications of access to or compromise of its customers’ confidential information, although the investigation is still ongoing: “The in-depth investigation will continue indefinitely with the participation of the competent authorities,” the company notes.

This incident comes a month after the confirmed hacking of the websites of one of Portugal’s largest newspapers and a major broadcaster; to date, both media organizations remain unable to access their websites.

Finally, Vodafone Portugal said its teams are determined to restore all affected services and confirmed that phone call systems were already in the process of recovery. The 4G network is still unavailable, but customers in most parts of the country can still fall back on 3G.

The company did not give further details about the attackers or the possible hacking variants used during the attack.

Microsoft to turn off macros in Excel 4.0 by default to protect users from ransomware attacks https://www.securitynewspaper.com/2022/01/24/microsoft-to-turn-off-macros-en-excel-4-0-by-default-to-protect-users-from-ransomware-attacks/ Mon, 24 Jan 2022 23:11:42 +0000 https://www.securitynewspaper.com/?p=24757

On Monday, Microsoft announced that it has decided to disable Excel 4.0 macros by default in the latest version of the application to keep users protected against some security risks associated with this feature.

As you may already know, a macro is a series of commands that automates a repeated task and can be executed whenever that task has to be performed. Macros can be used for malicious purposes, and they do not need to be enabled in order to view or edit a file.

Cybercriminals try to trick unsuspecting users into enabling macros and then use that functionality as part of the attack.

This move is an attempt by the company to counter a spike in infections by ransomware and other malware variants that abuse Excel 4.0 macros as part of an initial infection. Hackers, mainly nation-state sponsored groups, began experimenting with legacy Excel 4.0 macros in response to Microsoft’s 2018 crackdown on macro scripts written in VBA.

Previously, Excel Trust Center configurations were aimed at organizations that wanted VBA and legacy macros to run through the “Enable Excel 4.0 macros when VBA macros are enabled” setting, thus allowing administrators to control macro behavior without affecting VBA macros.

Excel 4.0 macros are now disabled by default in Excel, including builds 16.0.14427.10000 and later. Users will also be able to modify settings in the Microsoft 365 app policy control.

In addition to these settings, Microsoft added the option to manage policy settings in the Office Cloud Policy Service, which applies to users who access Office applications from any device using Azure Active Directory accounts.

Finally, to block XLM across the board, administrators can configure Group Policy to prevent Excel from running XLM. Implementing these measures should help administrators mitigate VBA and XLM malware threats through the policy.

Microsoft addressed the antivirus aspect of defense through an integration between the Antimalware Scan Interface (AMSI) and Office 365, so that antivirus solutions can provide additional protection.
