Here’s a top tip: Don’t trust the new guy – block web domains less than a month old. They are bound to be dodgy

IT admins could go a long way towards protecting their users from malware and other dodgy stuff on the internet if they ban access to any web domain less than a month old. This advice comes from Unit 42, the security branch of networking house Palo Alto Networks. To be exact, the recommendation is that Read more about Here’s a top tip: Don’t trust the new guy – block web domains less than a month old. They are bound to be dodgy[…]

Moscow’s blockchain voting system cracked a month before election, will be fixed due to responsible disclosure, open source and bug bounties

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s Read more about Moscow’s blockchain voting system cracked a month before election, will be fixed due to responsible disclosure, open source and bug bounties[…]

Bug-hunter finds local privilege escalation in Steam. Valve refuses to acknowledge and so he’s dropped it on the internet.

The way Kravets tells is (Valve did not respond to a request for comment), the whole saga started earlier this month when he went to report a separate elevation of privilege flaw in Steam Client, the software gamers use to purchase and run games from the games service. Valve declined to recognize and pay out Read more about Bug-hunter finds local privilege escalation in Steam. Valve refuses to acknowledge and so he’s dropped it on the internet.[…]

Cut off your fingers: Data Breach in Biometric Security Platform Affecting Millions of Users over thousands of countries – yes unencrypted and yes, editable

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s team recently discovered a huge data breach in security platform BioStar 2.   BioStar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security Read more about Cut off your fingers: Data Breach in Biometric Security Platform Affecting Millions of Users over thousands of countries – yes unencrypted and yes, editable[…]

Researchers Bypass Apple FaceID Using glasses to fool liveness detection

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim’s face the researchers Read more about Researchers Bypass Apple FaceID Using glasses to fool liveness detection[…]

A reminder why Open Source is so important: Someone audited Kubernetes

The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you’d expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed. The CNCF engaged two security firms, Trail of Read more about A reminder why Open Source is so important: Someone audited Kubernetes[…]

Democratic Senate campaign group exposed 6.2 million Americans’ emails

Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate. Following the discovery, UpGuard researchers reached out to the Read more about Democratic Senate campaign group exposed 6.2 million Americans’ emails[…]

We’ve, um, changed our password policy, says CafePress amid reports of 23m pwned accounts

Twee T-shirts ‘n’ merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy. Details of the security breach emerged when infosec researcher Troy Hunt’s Have I Been Pwned service – which lists websites known to Read more about We’ve, um, changed our password policy, says CafePress amid reports of 23m pwned accounts[…]

You Can’t Trust Companies to Tell the Truth About Data Breaches

Last week, online sneaker-trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In actuality, the company suffered a large data breach back in May, and only finally came clean about it when pressed by reporters who had access to some of the leaked data. Read more about You Can’t Trust Companies to Tell the Truth About Data Breaches[…]

Monzo online bank stored bank card codes in log files as plain text

Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes as plain-text in log files. As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs. Read more about Monzo online bank stored bank card codes in log files as plain text[…]

It’s 2019 – and you can completely pwn a Qualcomm-powered Android over the air

It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices. Specifically, the following two security holes, dubbed Qualpwn and found by Tencent’s Blade Team, can be leveraged one after the other to potentially take over a Read more about It’s 2019 – and you can completely pwn a Qualcomm-powered Android over the air[…]

E3 Expo Leaks The Personal Information Of Over 2,000 Journalists

A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo. The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well Read more about E3 Expo Leaks The Personal Information Of Over 2,000 Journalists[…]

Small aircraft can be quite easily hacked to present wrong readings, change trim and autopilot settings – if someone has physical access to it.

Modern aircraft systems are becoming increasingly reliant on networked communications systems to display information to the pilot as well as control various systems aboard aircraft. Small aircraft typically maintain the direct mechanical linkage between the flight controls and the flight surface. However, electronic controls for flaps, trim, engine controls, and autopilot systems are becoming more Read more about Small aircraft can be quite easily hacked to present wrong readings, change trim and autopilot settings – if someone has physical access to it.[…]

Facebook’s answer to the encryption debate: install spyware with content filters! (updated: maybe not)

The encryption debate is typically framed around the concept of an impenetrable link connecting two services whose communications the government wishes to monitor. The reality, of course, is that the security of that encryption link is entirely separate from the security of the devices it connects. The ability of encryption to shield a user’s communications Read more about Facebook’s answer to the encryption debate: install spyware with content filters! (updated: maybe not)[…]

Robinhood fintech app admits to storing some passwords in cleartext

Stock trading service Robinhood has admitted today to storing some customers’ passwords in cleartext, according to emails the company has been sending to impacted customers, and seen by ZDNet. “On Monday night, we discovered that some user credentials were stored in a readable format within our internal system,” the company said. “We resolved the issue, Read more about Robinhood fintech app admits to storing some passwords in cleartext[…]

Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?

In June 2017, the notorious file-scrambling software nasty NotPetya caused global havoc that affected government agencies, power suppliers, healthcare providers and big biz. The ransomware sought out vulnerabilities and used a modified version of the NSA’s leaked EternalBlue SMB exploit, generating one of the most financially costly cyber-attacks to date. Among the victims was US Read more about Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?[…]

Apple removes Zoom’s dodgy hidden web server on your Mac without telling you – shows who really pwns your machine

Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software. A security researcher this week went public with his finding that the mechanism used to bypass a Safari prompt before entering a Zoom conference was a hidden local web server. Jonathan Leitschuh focused largely on Read more about Apple removes Zoom’s dodgy hidden web server on your Mac without telling you – shows who really pwns your machine[…]

Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping

Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening. Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made. Read more about Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping[…]

Over 90 Million Records Leaked by Chinese Public Security Department

A publicly accessible and unsecured ElasticSearch server owned by the Jiangsu Provincial Public Security Department of the Chinese province Jiangsu leaked two databases containing over 90 million people and business records. Jiangsu (江苏省) is an eastern-central coastal Chinese province with a population of over 80 million and an urban population of more than 55 million accounting for 68.76% of Read more about Over 90 Million Records Leaked by Chinese Public Security Department[…]

Magento webshop Automated Magecart Campaign Hits Over 960 Breached Stores

A large-scale payment card skimming campaign that successfully breached 962 e-commerce stores was discovered today by Magento security research company Sanguine Security. The campaign seems to be automated according to Sanguine Security researcher Willem de Groot who told BleepingComputer that the card skimming script was added within a 24-hour timeframe. “It would be nearly impossible to breach 960+ Read more about Magento webshop Automated Magecart Campaign Hits Over 960 Breached Stores[…]

Serious Security Flaw With Teleconferencing App Zoom Allows Websites to Hijack Mac Webcams – and you can’t fix it by uninstalling

On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in conferencing software Zoom—which apparently achieves its click-to-join feature, which allows users to go directly to a video meeting from a browser link, on Mac computers by installing a local web server running as a background process that “accepts requests regular browsers wouldn’t,” Read more about Serious Security Flaw With Teleconferencing App Zoom Allows Websites to Hijack Mac Webcams – and you can’t fix it by uninstalling[…]

More than 1,000 Android apps harvest data even after you deny permissions

Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don’t want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered Read more about More than 1,000 Android apps harvest data even after you deny permissions[…]

Fake Samsung firmware update app tricks more than 10 million Android users

Over ten million users have been duped in installing a fake Samsung app named “Updates for Samsung” that promises firmware updates, but, in reality, redirects users to an ad-filled website and charges for firmware downloads. “I have contacted the Google Play Store and asked them to consider removing this app,” Aleksejs Kuprins, malware analyst at Read more about Fake Samsung firmware update app tricks more than 10 million Android users[…]

OpenPGP Certificate Attack Worries Experts, due to same symptoms bothering other Open Source projects – not enough contributors

There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates. The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes Read more about OpenPGP Certificate Attack Worries Experts, due to same symptoms bothering other Open Source projects – not enough contributors[…]

Microsoft Issues Warning For 50M Windows 10 Users – VPNs are now broken

Windows 10 continues to be a danger zone. Not only have problems been piling up in recent weeks, Microsoft has also been worryingly deceptive about the operation of key services. And now the company has warned millions about another problem. Spotted by the always excellent Windows Latest, Microsoft has told tens of millions of Windows Read more about Microsoft Issues Warning For 50M Windows 10 Users – VPNs are now broken[…]