IT Security Newsletter- 8/27/2019
IRS Impersonation Attacks Spread Malware Nationwide
The Internal Revenue Service (IRS) is warning taxpayers about a snowballing email attack that uses messages pretending to be legitimate IRS communications. The end game for the effort is malware being installed on unsuspecting users’ machines; imposters may gain control of the taxpayer’s computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.
Apple Releases iOS 12.4.1 to Patch Security Flaw Behind Jailbreak
Apple released iOS 12.4.1 today to fix a security flaw reintroduced with the release of iOS 12.4, and used by security researcher Pwn20wnd to develop and release a jailbreak tool for up-to-date iOS devices. The vulnerability patched today by Apple is a use after free tracked as CVE-2019-8605 targeted by the Sock Puppet exploit that was used to create jailbreak tools for iOS devices.
ThreatList: Half of All Social Media Logins Are Fraud
More than half of logins (53 percent) on social-media sites are fraudulent; and 25 percent of all new account applications on social media are fake, according to a recent analysis. Those numbers far outstrip the overall rate of 10 percent of interactions being fraudulent.
The Growing Threat of Deepfake Videos
Deepfakes are a growing threat. They are primarily a social engineering tool. That means they will increasingly be used in phishing attacks, BEC attacks, reputation attacks, and public opinion attacks (such as election meddling). Existing methods in all these areas are already successful; but the arrival of deepfake videos will take them to a different level.
You need a password manager -- right now
Who loves dealing with passwords? No one, that's who. Making them, remembering them, having to create a new one when they expire and all you want to do is log in. Then there's the dreaded breach-of-the-week, whern we find out about the latest major hack attack or big-data snafu, meaning we have to reset our passwords again.
Hacker Finds Instagram Account Takeover Flaw Worth $10,000
A researcher says he has received $10,000 from Facebook after finding another critical vulnerability that could have been exploited to hack Instagram accounts. India-based white hat hacker Laxman Muthiyah identified the flaw while looking at Instagram’s password recovery system for mobile devices, a process in which users receive a six-digit code on their phone and they have to enter it within 10 minutes to be allowed to change their password.
Code Execution Flaw in QEMU Mostly Impacts Development, Test VMs
The open source machine emulator QEMU is affected by a vulnerability that can lead to a denial-of-service (DoS) condition or arbitrary code execution, but developers say users should not be too concerned about its impact. The vulnerability, tracked as CVE-2019-14378 with a CVSS score that puts it in the “high severity” category, was discovered by India-based researcher Vishnu Dev.