European police hacked encrypted phones used by thousands of criminals

In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers. By infiltrating the platform, Encrochat, police across Europe gained access to a hundred million encrypted messages. In the UK, those messages helped officials arrest 746 suspects, seize £54 Read more about European police hacked encrypted phones used by thousands of criminals[…]

Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug. Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take Read more about Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution[…]

Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor. Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the Read more about Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public[…]

Massive spying on users of Google’s Chrome shows new security weakness

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 Read more about Massive spying on users of Google’s Chrome shows new security weakness[…]

Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…

Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not. The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next Read more about Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…[…]

845GB of racy dating app records exposed to entire internet via leaky AWS buckets

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download. Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records. Data Read more about 845GB of racy dating app records exposed to entire internet via leaky AWS buckets[…]

Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers’ letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around Read more about Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires[…]

Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports. The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.” Some Read more about Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers[…]

WhatsApp was exposing users’ phone numbers in Google search

WhatsApp claims it fixed an issue that was showing users’ phone numbers in Google search results, TechCrunch reports. The change comes after security researcher Athul Jayaram revealed that phone numbers of WhatsApp users who used the Click to Chat feature were being indexed in search. Click to Chat allows users to create a link with Read more about WhatsApp was exposing users’ phone numbers in Google search[…]

From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours

IBM’s cloud has gone down hard across the world. We’d love to tell you just how hard the service has hit the dirt, but even the Big Blue status page is intermittently unavailable: IBM Cloud status page … Click to enlarge Your humble hack has an IBM Cloud account, and when attempting to login in Read more about From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours[…]

Bug bounty platforms buy researcher silence, violate labor laws, critics say

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple Read more about Bug bounty platforms buy researcher silence, violate labor laws, critics say[…]

Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen

A report from consumer advocates Which? highlights the shockingly short lifespan of “smart” appliances, with some losing software support after just a few years, despite costing vastly more than “dumb” alternatives. That lifespan varies between manufacturers: Most vendors were vague, with Beko offering “up to 10 years” and LG saying patches would be issued as Read more about Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen[…]

Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system

A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system. A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a Read more about Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system[…]

Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud!

Adobe technicians scrambled on Wednesday to restore multiple cloud services after a severe outage left customers stranded. Starting around 0600 PDT (1300 UTC) Adobe’s status board began lighting up with red outage notifications. At the time this article was written, 13 major issues were ongoing and five had been resolved. By issues, Adobe means people Read more about Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud![…]

Qatar’s contact tracing app put over one million people’s info at risk

Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than Read more about Qatar’s contact tracing app put over one million people’s info at risk[…]

Samsung launches stand alone mobile security chip

Samsung will launch a new standalone turnkey security chip to protect mobile devices, the company announced today. The chip, which has the said-once-never-forgotten name “S3FV9RR” – aka the Mobile SE Guardian 4 – is a follow-up to the dedicated security silicon baked into the Galaxy S20 smartphone series launched in February 2020. The new chip Read more about Samsung launches stand alone mobile security chip[…]

New Spectra attack breaks the separation between Wi-Fi and Bluetooth

Called Spectra, this attack works against “combo chips,” specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others. “Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access,” the research team said Read more about New Spectra attack breaks the separation between Wi-Fi and Bluetooth[…]

Nextdoor Building Relationships With Law Enforcement whilst racially profiling

Community platform Nextdoor is courting police across the country, creating concerns among civil rights and privacy advocates who worry about possible conflicts of interest, over-reporting of crime, and the platform’s record of racial profiling, per a Thursday report by CityLab. That effort included an all-expenses-paid meeting in San Francisco with members of Nextdoor’s Public Agencies Read more about Nextdoor Building Relationships With Law Enforcement whilst racially profiling[…]

DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline

Dubbed NXNSAttack, the flaw [PDF] can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds by sending a lot of data to a victim’s server. If you have an army of hacked PCs or devices – a botnet – at Read more about DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline[…]

Rogue ADT tech spied on hundreds of customers in their homes via CCTV – teen girls, young mums repeatedly watched

A technician at ADT remotely accessed hundreds of customers’ CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted. At least one of the victims was a teenage girl, and another a young mother, according to court filings. Last month, an ADT customer in Dallas, Texas, spotted and reported an Read more about Rogue ADT tech spied on hundreds of customers in their homes via CCTV – teen girls, young mums repeatedly watched[…]

EasyJet admits data of nine million hacked

EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers. It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”. The firm has informed the UK’s Information Commissioner’s Office while it investigates the breach. EasyJet first became Read more about EasyJet admits data of nine million hacked[…]

Social Security numbers, banking information left unprotected on Arkansas Unemployement Assistance website

A computer programmer applying for unemployment on Arkansas’s Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. Anyone with basic computer knowledge could have accessed personal information for malicious purposes. Alarmed, the computer programmer called Read more about Social Security numbers, banking information left unprotected on Arkansas Unemployement Assistance website[…]

Samsung Surprise As World’s First Smartphone With Quantum Hardware Technology Launches May 22

an announcement from Samsung and Korean provider SK Telecom that the world’s first 5G smartphone complete with a quantum random number generator (QRNG) is due to launch next week. The current Samsung Galaxy flagship S20 series all come with a new secure element security solution including a dedicated security chip that can prevent hackers from Read more about Samsung Surprise As World’s First Smartphone With Quantum Hardware Technology Launches May 22[…]

Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off

Britain’s Ministry of Defence contractor Interserve has been hacked, reportedly leaking the details of up to 100,000 of past and current employees, including payment information and details of their next of kin. The Daily Telegraph reports that up to 100,000 employee details were stolen, dating back across a number of years. Interserve currently employs around Read more about Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off[…]

Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases. Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data Read more about Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases[…]