Bumble Left Daters’ Location Data Up For Grabs For Over Six Months

Bumble, the dating app behemoth that’s allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with major security flaws that left sensitive information its millions of users vulnerable. That’s according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing Read more about Bumble Left Daters’ Location Data Up For Grabs For Over Six Months[…]

Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs

Microsoft researchers have found evidence that Russian and North Korean hackers have systematically attacked covid-19 labs and vaccine makers in an effort to steal data and initiate ransomware attacks. “Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials, clinical research organization involved in trials, and one Read more about Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs[…]

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped

In a blog post, Alex Weinert, director of identity security at Microsoft, says people should definitely use MFA. He claims that accounts using any type of MFA get compromised at a rate that’s less than 0.1 per cent of the general population. At the same time, he argues people should avoid relying on SMS messages Read more about Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped[…]

Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed. The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US Read more about Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years[…]

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that’s not how they put it. They say they just want “lawful access” to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new “Draft Council Resolution Read more about EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.[…]

Hotels.com, Booking.com Expedia provider exposed data from 2013 for millions of guests on open AWS bucket

Website Planet reports that Prestige Software, the company behind hotel reservation platforms for Hotels.com, Booking.com and Expedia, left data exposed for “millions” of guests on an Amazon Web Services S3 bucket. The 10 million-plus log files dated as far back as 2013 and included names, credit card details, ID numbers and reservation details. It’s not Read more about Hotels.com, Booking.com Expedia provider exposed data from 2013 for millions of guests on open AWS bucket[…]

UK Company House Demands Company Stop Using Name Which Includes an HTML Closing Tag

A British software engineer came up with “a fun playful name” for his consulting business. He’d named it: “”> Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly Read more about UK Company House Demands Company Stop Using Name Which Includes an HTML Closing Tag[…]

Android v 7.1.1 and lower Won’t Support Many Secure Certificates in 2021

One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday. The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, Read more about Android v 7.1.1 and lower Won’t Support Many Secure Certificates in 2021[…]

Physical Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of Read more about Physical Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo[…]

In a first, researchers extract secret key used to encrypt Intel CPU code

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured. The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of Read more about In a first, researchers extract secret key used to encrypt Intel CPU code[…]

NSA: foreign spies used one of our crypto backdoors – we learnt some lessons but we lost them

It’s said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report. On Wednesday, Reuters reporter Joseph Menn published an account Read more about NSA: foreign spies used one of our crypto backdoors – we learnt some lessons but we lost them[…]

‘Classified knots’: Researchers create optical framed knots to encode information

In a world first, researchers from the University of Ottawa in collaboration with Israeli scientists have been able to create optical framed knots in the laboratory that could potentially be applied in modern technologies. Their work opens the door to new methods of distributing secret cryptographic keys—used to encrypt and decrypt data, ensure secure communication Read more about ‘Classified knots’: Researchers create optical framed knots to encode information[…]

Facebook Login Issues Are Locking Oculus Quest 2 Owners Out of Their Devices, turning them into paperweights

Owners of the brand-new Oculus Quest 2—the first VR headset which requires a Facebook account to use—are finding themselves screwed out of their new purchases by Facebook’s account verification system. As first reported by UploadVR this week, some Oculus 2 owners are finding that Facebook’s reportedly AI-powered account verification system is demanding some users upload Read more about Facebook Login Issues Are Locking Oculus Quest 2 Owners Out of Their Devices, turning them into paperweights[…]

Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a Read more about Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts[…]

Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon

Apple’s T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in conjunction with Read more about Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon[…]

Listening in on your XR11 remote from 20m away

Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room. Prior to its remediation by Comcast, the attack, dubbed WarezTheRemote, was a very real security threat: with more than 18 million units deployed Read more about Listening in on your XR11 remote from 20m away[…]

Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are

Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app/API Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas Precise user Read more about Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are[…]

Grindr security flaw let anyone take over any accounts easily

Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address. Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. Read more about Grindr security flaw let anyone take over any accounts easily[…]

Google App Engine feature abused to create unlimited phishing pages

A newly discovered technique by a researcher shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google’s servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing Read more about Google App Engine feature abused to create unlimited phishing pages[…]

Twitter warns of possible API keys leak through browser caching

Twitter is notifying developers today about a possible security incident that may have impacted their accounts. The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers. The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their Read more about Twitter warns of possible API keys leak through browser caching[…]

Some managed Netgear switches suddenly need a cloud account to use its full UI. Also may not update security. Time to change vendor.

Netgear has decided that users of some of its managed network switches don’t need access to the equipment’s full user interface – unless they register their details with Netgear first. For instance, owners of its 64W Power-over-Ethernet eight-port managed gigabit switch GC108P, and its 126W variant GC108PP, need to hand over information about themselves to Read more about Some managed Netgear switches suddenly need a cloud account to use its full UI. Also may not update security. Time to change vendor.[…]

Microsoft Sysmon now logs data copied to the Windows Clipboard

Microsoft has released Sysmon 12, and it comes with a useful feature that logs and captures any data added to the Windows Clipboard. This feature can help system administrators and incident responders track the activities of malicious actors who compromised a system. Those not familiar with Sysmon, otherwise known as System Monitor, it is a Read more about Microsoft Sysmon now logs data copied to the Windows Clipboard[…]

Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint. Secura’s security expert Tom Tervoort previously discovered a Read more about Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)[…]

Private data gone public: Razer leaks 100,000+ gamers’ personal info

In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers’ PII (Personal Identifiable Information). The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit Read more about Private data gone public: Razer leaks 100,000+ gamers’ personal info[…]

Shenzhen Zhenua Data Leak – high profile international contacts database kept by Chinese leaked

The database built by Shenzhen Zhenhua from a variety of sources is technically complex using very advanced language, targeting, and classification tools. Shenzhen Zhenhua claims to work with, and our research supports, Chinese intelligence, military, and security agencies use the open information environment we in open liberal democracies take for granted to target individuals and Read more about Shenzhen Zhenua Data Leak – high profile international contacts database kept by Chinese leaked[…]