Archive for the ‘Security’ Category

Internet of Babies – 52000 baby monitors open for public viewing

Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research. Baby monitors serve an important purpose in securing and monitoring our loved […]

IBM Finds Fortune 500 Companies will lose $9 billion to phishing scams in 2018 – this is what these attacks look like

IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via […]

uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software. If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site […]

Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is legit owner of that account. Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account […]

A phishing attack scored credentials for more than 50,000 Snapchat users

In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat […]

Facebook admits SMS notifications sent using two-factor number was caused by bug

The issue, which may have persisted for months or perhaps even longer, was flagged by Bay Area software engineer Gabriel Lewi, who tweeted about it earlier this week. Prominent technology critic and sociologist Zeynep Tufekci then used the situation as a springboard to criticize Facebook’s alleged unethical behavior, thinking the 2FA notifications may have been […]

Consumers prefer security over convenience for the first time ever, IBM Security report finds

“We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts…people actually would go the extra mile and will use extra security,” Kessem said. Whether it’s using two factor authentication, an SMS message on top of their password, or any […]

Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

There’s a new menu item in the Facebook app, first reported by TechCrunch on Monday, labeled “Protect.” Clicking it will send you to the App Store and prompt you to download a Virtual Private Network (VPN) service called Onavo. (“Protect” shows up in the iOS app. Gizmodo looked for it on an Android device and […]

Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix

It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening. […] The failure of the UConnect system isn’t just limited to not having a radio; […]

IBM Notes Privilege escalation in IBM Notes Smart Update Service

IBM iNotes SUService can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory. IBM Plans to address this vulnerability by providing a fix. Source: IBM Security Bulletin: IBM Notes Privilege escalation in IBM Notes Smart Update Service – United States

US state’s pot dealer database pwned after security goes up in smoke

The US state of Washington says a miscreant was able to access the system it uses to track the manufacturing and sale of marijuana. The Evergreen State’s Liquor and Cannabis Board – a job that sounds way cooler than it actually is – yesterday admitted that last weekend someone was able to exploit a vulnerability […]

You can resurrect any deleted GitHub account name. If you depend on that account you may find yourself in trouble

The individual identifying himself as Jim Teeuwen, who maintained GitHub repository for a tool called go-bindata for embedded data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects. The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained […]

Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 – get patching!

Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants on your network, or able to reach the device’s web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo. That’s pretty bad news for any vulnerable gateways with remote […]

PinMe: Tracking a Smartphone User around the World with GPS and WiFi off

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off. Source: [1802.01468] PinMe: Tracking a Smartphone User around the World

Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

“The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”That’s easily spotted, so […]

Lenovo Fingerprint Manager Pro for Windows has a hardcoded password

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in. Source: Lenovo Fingerprint Manager Pro […]

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Strava which markets itself as a “social-networking app for athletes” publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit. Since Strava has been designed to track users’ routes and locations, IUCA analyst […]

Dutch agencies provide crucial intel about Russia’s interference in US-elections, US burns the Dutch source

The Cozy Bear hackers are in a space in a university building near the Red Square. The group’s composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not […]

Researchers find a way to link TOR / Silk Road BTC expenditure to people using two datasets

To do so, the Qatari researchers first collected dozens of bitcoin addresses used for donations and dealmaking by websites protected by the anonymity software Tor, run by everyone from WikiLeaks to the now-defunct Silk Road. Then they scraped thousands of more widely visible bitcoin addresses from the public accounts of users on Twitter and the […]

Easy to watch over your shoulder at your Tindering

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes. The first issue, CVE-2018-6017, results from the Tinder’s app’s use of insecure HTTP connections to […]

It’s 2018 and your Macs, iPhones can be pwned by playing evil music: lots of patches

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible. […] Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and memory initialization bug (CVE-2018-4090) […]

Skype, Signal, Slack, other apps inherit Electron vuln

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely-used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters. Slack users should update to version 3.0.3 or better, and the latest version of Skype for […]

Intel patches for Spectre cause reboots, Intel tells people to stop installing them and also please help test for them

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated […]

OnePlus say 40,000 customers credit card details breached

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last […]

 
Skip to toolbar