Instagram is growing quickly—and with the second most popular social media network in the world (behind just Facebook), the photo-sharing network absolutely dominates when it comes to user interactions.

And with great success comes great responsibility—responsibility to keep users’ accounts safe, responsibility to fight fake accounts and news, and responsibility of being transparent.

You might know that the Facebook-owned photo-sharing network has recently been a victim of a widespread hacking campaign that has affected thousands of Instagram users, leaving them locked out of their accounts.

In the wake of the security mis-happening, Instagram has announced a trio of security updates intended to discourage trolls, stop misinformation, and make the platform a little safer for its one billion users.

In an official blog post, titled “New Tools to Keep Instagram Safe,” published by Instagram Co-Founder & CTO Mike Krieger on August 28, the company announced three features—support for Third-Party Two Factor Authenticator Apps, About This Account, and Request Verification.

images from Hacker News

Google was in the news last week for a misleading claim that “with Location History off, the places you go are no longer stored,” which is not true.

Now, the search engine giant is once again in the news after a San Diego man has filed the first lawsuit against Google over this issue.

Last week, the Associated Press investigation revealed that the search engine giant tracks movements of millions of iPhone and Android device users, even if they have disabled the “Location History” setting to prevent it.

However, it turned out that to fully opt-out of having your location activities stored by Google, you also have to disable the ‘Web and App Activity’ control as well, about which the company has mentioned deep into its product documentation.

In response to the AP investigation, Google defended itself by saying, “there are a number of different ways that Google may use location to improve people’s experience,” and that “we provide clear descriptions of these tools, and robust controls so people can turn them on or off, and delete their histories at any time.”

On Friday, the company even slightly changed its location policy, making it clear that even after turning off the Location History option, some Google services would continue collecting location information on you.

images from Hacker News

Security researchers at Kaspersky Labs have uncovered a new, complex malware campaign that has been targeting customers of several Mexican banking institutions since at least 2013.

Dubbed Dark Tequila, the campaign delivers an advanced keylogger malware that managed to stay under the radar for five years due to its highly targeted nature and a few evasion techniques.

Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The list of targeted sites includes “Cpanels, Plesk, online flight reservation systems, Microsoft Office 365, IBM Lotus Notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services,” the researchers say in a blog post.

The malware gets delivered to the victims’ computers in the first place either via spear-phishing or infected USB devices.

Once executed, a multi-stage payload infects the victim’s computer only after certain conditions are met, which includes checking if the infected computer has any antivirus or security suite installed or is running in an analysis environment.

Besides this, “the threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine,” the researchers say.

images from Hacker News

Google Project Zero’s security researcher has discovered a critical remote code execution (RCE) vulnerability in Ghostscript—an open source interpreter for Adobe Systems’ PostScript and PDF page description languages.

Written entirely in C, Ghostscript is a package of software that runs on different platforms, including Windows, macOS, and a wide variety of Unix systems, offering software the ability to convert PostScript language files (or EPS) to many raster formats, such as PDF, XPS, PCL or PXL.

A lot of popular PDF and image editing software, including ImageMagick and GIMP, use Ghostscript library to parse the content and convert file formats.

Ghostscript suite includes a built-in -dSAFER sandbox protection option that handles untrusted documents, preventing unsafe or malicious PostScript operations from being executed.

However, Google Project Zero team researcher Tavis Ormandy discovered that Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

To exploit this vulnerability, all an attacker needs to do is sending a specially crafted malicious file (which could be a PDF, PS, EPS, or XPS) to a victim, which, if opened with an application leveraging vulnerable Ghostscript, could allow the attacker to completely take over the targeted system.

At the time of writing, Artifex Software, the maintainers of Ghostscript, have not released any patch to fix the vulnerability.

images from Hacker News

Adobe released an out-of-band security update earlier today to address two critical remote code execution vulnerabilities impacting Adobe Photoshop CC for Microsoft Windows and Apple macOS machines.

According to the security advisory published Wednesday by Adobe, its Photoshop CC software is vulnerable to two critical memory corruption vulnerabilities, which could allow a remote attacker to execute arbitrary code in the context of the targeted user.

The vulnerabilities, identified as CVE-2018-12810 and CVE-2018-12811, impact Adobe Photoshop CC 2018 version 19.1.5 and earlier 19.x versions, as well as Adobe Photoshop CC 2017 version 18.1.5 and earlier 18.x versions.

The critical security flaws were discovered and reported by Kushal Arvind Shah of Fortinet’s FortiGuard Labs, and have now been addressed by Adobe with the release of Photoshop CC versions 19.1.6 and 18.1.6.

images from Hacker News