
Top 10 Stories

Vevo, the multinational video service, was just hacked. Roughly 3.12TB worth of internal files have been posted online, and a couple of the documents reviewed by Gizmodo appear sensitive. The OurMine hacker squad has claimed responsibility for the breach. Original source: Gizmodo


New research has found that the popular Fitbit devices are vulnerable to hackers. A study looked into how personal information can be stolen from the fitness brand's devices. Computer researchers at the University of Edinburgh intercepted messages from the Fitbit One and Fitbit Flex wristbands, which calculate activity including steps, distance travelled, calories burned and sleep duration. The team accessed personal information from the devices as it was sent to the company's cloud servers for analysis. The researchers said...


LinkedIn has been the target of a new phishing campaign which has spread among users via direct messages and the LinkedIn InMail feature. The messages are sent from legitimate LinkedIn Premium accounts that have been hijacked by the phishers, thus increasing the likelihood that recipients will trust the message and click on the link. Original source: Helpnetsecurity


A WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites and has been installed more than 200,000 times. The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2). The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. Despite the number of downloads, it is not known how many of these were updated to a...


Federal agencies have been banned by the US government from using security software from Kaspersky Lab, a Russian company, over concerns it may be tied to state-sponsored espionage. Acting Homeland Security Secretary Elaine Duke has issued a directive giving at least six federal agencies a timeline to get rid of the software from government networks. The move comes amid parallel investigations by Congress, and the FBI under Special Prosecutor Robert Mueller into Russian interference in the 2016 presidential election and...


It has been discovered that more apps on Google's Play Store are carrying the malicious BankBot Android banking malware. The malware, which surfaced back in January, targets legitimate banking apps and uses fake overlay screens to trick unsuspecting users into providing their credentials. The malware is even able to hijack and intercept SMS messages, allowing it to bypass the SMS-based two-factor authentication security feature. Original source: IB Times UK


Adobe has announced its monthly security updates, which patch vulnerabilities in three products — Adobe Flash Player, Adobe ColdFusion, and Adobe RoboHelp, the company's lesser-known help authoring tool (HAT), used for the creation of online or offline documentation and help files. In total, Adobe patched eight security bugs — two in Flash Player, four in ColdFusion, and two in RoboHelp. The company did not receive reports of public exploits or in-the-wild attacks for...


It has been reported that over 4,000 ElasticSearch servers were found hosting PoS (Point of Sale) malware strains. The infections detected date as far back as 2016, with the latest infections observed as recently as August 2017. Nearly 99% of the infected servers are hosted in Amazon Web Services (AWS), according to security experts. The two malware strains – AlinaPOS and JackPOS – are very popular among cybercriminals and have been around since 2012. However, Kromtech security researchers, who uncovered the...


A system bug has been located within a SAP E-Recruiting system which is blocking people from registering their e-mail. The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other people's e-mails into the system and guess the “e-mail confirmation” link. It could be blocked by adding a pre-registration nonce to the confirmation link, but that wasn't done in release versions 605, 606, 616 or 617. View Full...
