
Cyber Bites

it security guru

Nineteen-year-old Santiago Lopez, who goes by the handle @try_to_hack, has become the world’s first hacker to make $1m from hacking legally. He started reporting security weaknesses to companies through HackerOne bug bounty programmes in 2015, and has since reported more than 1,600 security flaws to organisations, including Twitter and Verizon Media Company, as well as private corporate and government initiatives. A bug bounty is an award given to a hacker who reports a valid security weakness to an organisation, and is becoming a...

A Dow Jones watchlist containing records of individuals who are of interest to financial companies due to their potential high risk as customers has been leaked online. Prominent security researcher Bob Diachenko found a public Elasticsearch cluster containing the sensitive records of these individuals, brought together in a list compiled by Dow Jones, on February 22, 2019. The cluster contained a database which was open to any member of the public who is able to use an...

State-sponsored attackers continued to be extremely active in 2018 with major groups from at least a dozen countries involved in operations targeting government, business, and civilian targets throughout the year, according to analyses by two security firms. While advanced persistent threat (APT) groups have, in the past, often used custom frameworks to help compromise systems and exfiltrate data, current groups are just as likely to use open-source malware and legitimate administration tools as a way...

Last week, the sports trading card and collectible company Topps issued a data breach notification stating that it was affected by an attack, which possibly exposed the payment and address information of its customers. This type of attack is called a MageCart attack, which is when attackers hack a site to inject a malicious script into a site's checkout or cart pages. When a visitor enters their payment and address information, this script will copy the submitted data...

A Russian media outlet said it was the target of an alleged cyberattack by the U.S. military that “failed completely” to disrupt operations. The Federal News Agency, or FAN, which the U.S. says is linked to indicted Russian oligarch Yevgeny Prigozhin, said in a website statement that the “unprofessional” attack was focused on its English-language media project called USA Really. Source: Bloomberg

A US judge this week sentenced website hacker Billy Anderson to three months behind bars, refusing his lawyer's request not to put him in jail, in order to "send a message" to others. Anderson, 42, of Torrance, California, targeted thousands of websites under the hacker name AlfabetoVirtual, and boasted about his efforts on a hacking forum. But it was when he brought down the website of New York City's comptroller for nearly two days in...

Short-form video sharing app TikTok has been handed the largest ever fine for a US case involving children's data privacy. The company has agreed to pay $5.7m (£4.3m) and implement new measures to handle users who say they are under 13. The Federal Trade Commission (FTC) said the Musical.ly app, which was later acquired and incorporated into TikTok, knowingly hosted content published by underage users. Source: BBC

Children's charity the NSPCC has accused YouTube of failing to tackle dangerous content on its youth channel. YouTube Kids, dubbed as a safer, child-friendly version of the video-sharing site, has been criticised by parents for failing to remove cartoons that contain clips depicting suicide methods on its platform. The clips show a YouTuber demonstrating a suicide method. Google told the BBC it works hard to remove such content. Source: BBC

Spectre – the security vulnerabilities in modern CPUs' speculative execution engines that can be exploited to steal sensitive data – just won't quietly die in the IT world. Its unwelcome persistence isn't merely a consequence of the long lead time required to implement mitigations in chip architecture; it's also sustained by its ability to inspire novel attack techniques. The latest of these appeared in a paper presented at the Network and Distributed Systems Security (NDSS) Symposium 2019...

Social media platforms are a major conduit for malware and a highly effective marketplace for black hat resources, generating cybercrime worth over $3.2bn every year, according to Bromium. The security vendor’s latest report, Social Media Platforms and the Cybercrime Economy, is the result of a six-month study by Mike McGuire, senior lecturer in criminology at the University of Surrey. It follows a previous Into the Web of Profit report written by McGuire which estimated annual global cybercrime revenues at $1.5tr. The...
