Flaws in Pre-Installed Apps Expose Millions of Android Devices to Hackers


Nearly all Android phones come with useless applications pre-installed by manufacturers or carriers, usually called bloatware, and there's nothing you can do if any of them has a backdoor built-in—even if you're careful about avoiding sketchy apps.

Researchers disclosed details of 47 different vulnerabilities deep inside the firmware and default apps (pre-installed and mostly non-removable) of 25 Android handsets that could allow hackers to spy on users and factory reset their devices, putting millions of Android devices at risk of hacking.

Some vulnerabilities discovered by researchers could even allow hackers to execute arbitrary commands as the system user, wipe all user data from a device, lock users out of their devices, access the device's microphone and other functions, access all their data, including their emails and messages, read and modify text messages, send text messages, and more—all without the users' knowledge.

"All of these are vulnerabilities that are prepositioned. They come as you get the phone out the box," Kryptowire CEO Angelos Stavrou said in a statement. "That's important because consumers think they're only exposed if they download something that's bad."

For example, vulnerabilities in the Asus ZenFone V Live could allow an entire system takeover, allowing attackers to take screenshots and record the user's screen, make phone calls, spy on text messages, and more.

Kryptowire has responsibly reported the vulnerabilities to Google and the respective affected Android partners, some of which have patched the issues while others are working diligently and swiftly to address these issues with a patch.

However, it should be noted that since the Android operating system itself is not vulnerable to any of the disclosed issues, Google can't do much about this, as it has no control over the third-party apps pre-installed by manufacturers and carriers.

How to Stay Safe From Phishing Scams


Phishing attacks have been around for years, but today's cybercriminals are adept at using them in an ever-increasing variety of ways to get what they want. According to the most recent FBI figures, phishing and its variants were the third most popular cybercrime type in 2017, representing nearly $30m in victim losses.

The bad guys want your personal information to commit ID theft, or else they need you to click on a malicious link/open a malware-laden attachment to hijack your bank account, lock your PC with ransomware, bombard your screen with ads and more.  So how do you fight back?

The answer lies with a combination of technology and user awareness. There are tools you can use to filter a great volume of phishing attempts, but a few will always sneak through, and it only takes one misplaced click to land yourself in trouble. That’s why the frontline in the war on phishing messages ultimately lies with improved user awareness.

Don’t get caught out

So, what should users look out for? Phishing messages come in a variety of flavors, but here’s a typical email scam purporting to come from the IRS:

[Image: irs-email-scam.jpg, a sample phishing email purporting to come from the IRS]

Tell-tale signs of a scam:

  • From field: is the ‘sender’s’ email address familiar? Does it look made up? Is it consistent with the purported sender of the email? Does it appear different if you hover over it with your cursor? All of these could indicate a phishing attempt.
  • To field: if the sender addresses you generically as ‘user,’ ‘customer’ or ‘recipients,’ as in this case, that should be a warning sign.
  • Date and time: Was it sent at an unusual time; that is, not during normal ‘business’ hours?
  • Subject line: Phishing emails often try to create a sense of urgency to hurry you into making a rash decision. Words like “urgent,” “immediate” and “important” are not uncommon.
  • Body: The content of the message often contains spelling and grammatical mistakes and continues with the sense of urgency to get you to click without thinking.
  • Link/attachment: Phishing emails will try to trick you into clicking on one of these, as with ‘Update Now,’ either to begin a covert malware download or to take you to a legitimate-looking phishing site to fill-in your details.
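The tell-tale signs above map directly onto checks a mail gateway or awareness-training tool can automate. The following Python script is an added example, not part of the original article: it scores a raw message on sender/reply-to mismatch, generic recipient and greeting, off-hours timestamp, urgency words in the subject, and links whose host belongs neither to the sender's domain nor to the text shown. Both messages, all domains, the business-hours window and the threshold are constructed assumptions of the example.

```python
"""Heuristic phishing-indicator scorer (illustration only; uses the Python standard library).
The two sample messages below are constructed for this example, not real mail."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediate", "important", "action required", "suspended")
GENERIC_NAMES = {"user", "customer", "recipient", "recipients", "member", "account holder"}
GREETING_RE = re.compile(r"\bdear\s+(valued\s+)?(user|customer|member|recipient|account\s+holder)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _same_org(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def score_message(raw):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_dom:
        findings.append("reply-to domain differs from sender domain")
    to_name, to_addr = parseaddr(msg.get("To", ""))
    if to_name.lower() in GENERIC_NAMES or to_addr.rpartition("@")[0].lower() in GENERIC_NAMES:
        findings.append("generic recipient")
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() >= 5 or not 8 <= sent.hour < 18:   # assumed business hours
            findings.append("sent outside business hours")
    if any(word in msg.get("Subject", "").lower() for word in URGENCY_WORDS):
        findings.append("urgency language in subject")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    if GREETING_RE.search(body):
        findings.append("generic greeting in body")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = _host(href)
        if not host:
            continue
        if not _same_org(host, from_dom):
            findings.append(f"link to {host} does not belong to sender domain {from_dom}")
        shown = _host(text if "://" in text else "http://" + text) if "." in text else ""
        if shown and not _same_org(host, shown):
            findings.append(f"link text shows {shown} but points to {host}")
    return findings


def classify(raw, threshold=3):
    """Label a message 'suspicious' once it accumulates `threshold` indicators (threshold is assumed)."""
    findings = score_message(raw)
    return ("suspicious" if len(findings) >= threshold else "likely benign"), findings


# Constructed sample resembling the IRS-themed lure described in the article.
PHISHING_SAMPLE = """\
From: "IRS Tax Refund" <refunds@irs-refund-center.example>
Reply-To: collect@mail-drop.example
To: recipients <recipients@lists.example>
Date: Sun, 05 Aug 2018 03:12:00 -0500
Subject: URGENT: Immediate action required on your tax refund
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your refund could not be processed. Please <a href="http://irs-gov.verify-login.example/refund">Update Now</a> within 24 hours.</p>
"""

# Constructed benign sample: named recipient, business hours, link stays on the sender's domain.
BENIGN_SAMPLE = """\
From: "Payroll Team" <payroll@example.com>
To: "Jane Doe" <jane.doe@example.com>
Date: Tue, 07 Aug 2018 10:30:00 -0500
Subject: August payslip is available
Content-Type: text/html

<p>Hi Jane,</p>
<p>Your payslip is available on <a href="https://hr.example.com/payslips">hr.example.com</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        verdict, reasons = classify(sample)
        print(f"{name}: {verdict} {reasons}")
```

The checks are deliberately cheap and explainable so that each finding can be shown back to the user as the reason a message was flagged; a real deployment would tune the word lists and hours to the organisation and combine the score with the gateway's reputation and attachment scanning.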

How do I stay safe?

  • Learn to recognize all the tell-tale signs of a phishing message. Avoid clicking on any links or opening attachments from unsolicited emails.
  • If you need to double-check, contact the company that supposedly ‘sent’ you the email to see if it’s genuine or not, or go directly to the website (e.g., online banking) to log in. Again, do not use the links provided to go there.
  • Your default attitude when you’re online should be “suspicious.”
  • To learn more about phishing, you can also go to org. The site provides a wealth of further information on the types of phishing you may encounter, what you can do to prevent being taken in, and includes further resources for study.

We’re all exposed to phishing attacks on a near daily basis, whether at work, out and about, or at home. But armed with an understanding of what to look out for and the right tools in place, you can keep your data under lock and key, and your identity and finances safe from harm.

Waymo Autonomous Cars To Hit The Road In Phoenix This Year

To a large portion of the general populace, the idea of autonomous vehicles still draws a lot of skepticism and even flak - considering the incident where Uber’s self-driving car killed a pedestrian a few months back in Tempe, Arizona. A widely talked about accident, it raised concerns on the safety of letting machines run their own course on the roads, with people voicing the need to always have a human behind the wheel to stop such untoward accidents.

Unfortunately, there aren’t enough data points on autonomous driving incidents to conclude on the validity of the claims, especially when the statistics of road accident-related deaths and injuries are taking a turn for the worse every year. The National Highway Traffic Safety Administration (NHTSA) estimated that 37,461 people were killed on the road in 2016, which averages out to 102 people per day. Companies working in the autonomous driving realm believe that technology could help alleviate this.

The sentiment seems to have rubbed off on the Arizona government, which has mostly been welcoming of companies looking to test their autonomous cars. Waymo, an Alphabet-owned self-driving startup, has been running fully autonomous tests in Phoenix, Arizona since March, and has successfully stayed away from gaffes over the course of these tests. Last week, the company announced its plans on tying up with Valley Metro, the Phoenix region’s public transportation authority, to drive people to bus stops and train and light-rail stations.

Of all the autonomous driving companies out there, Waymo is by far the most sophisticated of the lot, as it has a lot more self-driving miles than its competition and also defines a clear-cut strategy to take the technology to the masses. The curve to autonomy has been arduous, but rewarding - Waymo took more than six years to reach its milestone of driving 1 million miles in 2015, but has racked up 7 million more since then.

Waymo has a four-pronged strategy for approaching the self-driving market - ride-hailing, trucking, personal vehicles, and public transportation - with attention given to each of the verticals. Waymo has inked deals to transform 62,000 hybrid Pacifica minivans and 20,000 electric I-Pace SUVs into self-driving vehicles over the next few years and then add them to its growing fleet. Similarly, it also runs its self-driving fleet of Peterbilt Class 8 semi trucks across Alphabet facilities in Atlanta, albeit with backup drivers in them - a situation which might soon change.

At ground zero in Phoenix, Waymo’s cars would be shuttling Valley Metro’s staff to and from nearby public transportation stops. Waymo believes that these ‘first-and-last mile’ transit facilities would be in sync with the already available public transportation, making the transition seamless for the public.

The unit-economics of self-driving cars are also a revelation. On average, a ride-hailing service costs around $2 per mile which could be reduced to around 70 cents per mile, as self-driving fleets would negate the need to sustain human drivers. Over time, with improvements in route optimization, intelligent fleet management, and reducing human observers in the backend, the costs could reduce further.

However, all this envisioning of self-driving fleets replacing human-driven cars is idealistic at best. Case in point, the reasoning behind autonomous driving companies showing a concerted interest in testing their vehicles on the roads of Arizona. Though it could be interpreted as the state of Arizona’s resolve to bringing in cutting-edge technology to its streets, the environmental and demographic conditions at play in the state cannot be ignored.

Arizona, with its sunny climate, idyllic roads, and a grid-shaped housing topology provides a near utopian-level of cushioning to testing, when considering the fact that self-driving cars need to be trained in radically different and robust environments to attain the goal of full autonomy. Regardless of this, autonomous vehicles would still be a reality in certain locations around the U.S., and if Waymo’s ingenuity sustains over time, we still might end up sighting self-driving cars around us sooner than we thought.

Reddit Hacked – Emails, Passwords, Private Messages Stolen


Another day, another significant data breach!

The Reddit social media network today announced that it suffered a security breach in June that exposed some of its users' data, including their current email addresses and an old 2007 database backup containing usernames and hashed passwords.

According to Reddit, the unknown hacker(s) managed to gain read-only access to some of its systems that contained its users' backup data, source code, internal logs, and other files.

In a post published to the platform Wednesday, Reddit Chief Technology Officer Christopher Slowe admitted that the hack was a serious one, but assured its users that the hackers did not gain access to Reddit systems.

"[The attackers] were not able to alter Reddit information, and we have taken steps since the event to further lock down and rotate all production secrets and API keys, and to enhance our logging and monitoring systems."

According to Slowe, the most significant data contained in the backup was account credentials (usernames and their corresponding salted and hashed passwords), email addresses and all content including private messages.

Attacker Bypassed SMS-based Two-Factor Authentication

Reddit learned about the data breach on June 19 and said that the attacker compromised a few of the Reddit employees' accounts with its cloud and source code hosting providers between June 14 and June 18.

The hack was accomplished by intercepting the SMS messages carrying one-time passcodes that were meant to reach Reddit employees, thereby circumventing the two-factor authentication (2FA) Reddit had in place.

The security breach should be a wake-up call to those who still rely on SMS-based authentication and believe it is secure. It's time to move on from this method and switch to a non-SMS-based form of two-factor authentication.

Reddit is also encouraging users to move to token-based two-factor authentication, which involves your mobile phone generating a unique one-time passcode via an app.

Reddit said that users can follow a few steps mentioned on the breach announcement page to check if their accounts were involved.

Moreover, Reddit will reset passwords for users who may have had their login credentials stolen in the breach, and also directly notify all affected users with tips on how they can protect themselves.

"Nasty" Sextortion Scam Demands Bitcoin Ransom


Using stolen passwords to get a victim's attention, a new sexploitation scam threatens victims with exposing them "doing nasty things." In an emailed threat, the hacker claims to have installed malware on the victim's computer that enabled the scammer to take over the victim's webcam.

The scammer also claims to have pilfered email and social media contacts and to have a recording of the victim, filmed from the victim's own webcam, watching porn. Demanding a ransom in bitcoin, the scammer says if the victim doesn't send $1,000 to $2,000 within 24 hours, the crook will share compromising images of the victim with all of the victim's contacts.

"I think $1,400 is a fair price for our little secret," the con artist's email says.

In reality, the crook doesn't have your contacts or access to your webcam, according to Brian Krebs, who operates a top technology security site. However, the scammer does have a password that the victim once used -- or may still use -- with one or more websites.

The email reads as follows:

“I’m aware that <substitute password formerly used by recipient here> is your password,” reads the salutation.
You don’t know me and you’re thinking why you received this e mail, right?
Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.
What exactly did I do?
I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).
What should you do?
Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google).
BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)
Important:
You have 24 hours in order to make the payment. (I have an unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immidiately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

Sending bitcoin if you get this email is, of course, a bad idea. However, if you received one, changing your passwords is wise. In fact, it might be smart to change passwords for all important accounts even if you don't get targeted.

Why? A series of massive data breaches have exposed password information on hundreds of millions of consumers. These passwords are now floating around the dark web, available to purchase for scammers like this one, as well as those with even more nefarious intent.

Consumers who want to find out whether their passwords have been compromised can go to security website Have I Been Pwned, which has collected data on the email addresses and passwords that were involved in data breaches. Frequently, consumers will find that their email has been subject to many breaches, which means that multiple passwords may be at risk.
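Have I Been Pwned's Pwned Passwords service lets a program perform that check without ever disclosing the password: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and receives every hash suffix in that range with its breach count, so the match is made locally. The script below is an added example, not code from the site or the article; the fetch step is pluggable so it runs offline, and the range response it uses is constructed for the example (its first suffix is the genuine SHA-1 suffix of "password", the counts are made up).

```python
"""k-anonymity breached-password check modelled on the Pwned Passwords range API (illustration only)."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for one range response: one "SUFFIX:COUNT" line per hash in the range.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # SHA-1 suffix of "password"; count is made up
        "1E5B4A0E2D1C3F6B7A8D9C0E1F2A3B4C5D6:2",         # made-up filler entry
    ]),
}


def split_sha1(password: str) -> Tuple[str, str]:
    """Return the 5-character prefix and 35-character suffix of the uppercase hex SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in known breaches (0 = not found).

    Only the 5-character hash prefix is handed to fetch_range; the password and its
    full hash stay on this machine, which is the point of the k-anonymity design."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTPS request; returns the constructed sample range or nothing."""
    return SAMPLE_RANGE.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, offline_fetch))
```

Swapping `offline_fetch` for a function that performs the HTTPS GET turns this into a usable check for a signup form or a password-rotation reminder, and the same prefix query protects the password in transit just as it does in this offline version.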