The Samsung Galaxy S10’s Fingerprint Lock works for everyone if you put a piece of transparent plastic on the sensor

It was recently discovered that the Samsung Galaxy S10 and S10+ have a major security flaw that makes it easy to bypass their fingerprint locks. On a scale of “one” to “not good,” we are definitely towards the right on this one. To be fair, fingerprint sensors and other biometric security features aren’t ironclad; hackers Read more about The Samsung Galaxy S10’s Fingerprint Lock works for everyone if you put a piece of transparent plastic on the sensor[…]

Germany’s cyber-security agency recommends Firefox as most secure browser

Firefox is the only browser that received top marks in a recent audit carried out by Germany’s cyber-security agency — the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. Read more about Germany’s cyber-security agency recommends Firefox as most secure browser[…]

White-hat hacks Muhstik ransomware gang and releases decryption keys

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims. This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3]. Read more about White-hat hacks Muhstik ransomware gang and releases decryption keys[…]

Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users. The social networking giant on Tuesday admitted to an “error” that let advertisers have access to the private information customers had given Twitter in order to place additional security Read more about Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash[…]

FBI warns about attacks that bypass multi-factor authentication (MFA)

Basically sim swapping, man in the middle attacks and poor URL protections FBI warns about SIM swapping and tools like Muraen and NecroBrowser. “The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. Past incidents Read more about FBI warns about attacks that bypass multi-factor authentication (MFA)[…]

Attackers exploit 0-day vulnerability that gives full control of Android phones

Attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Read more about Attackers exploit 0-day vulnerability that gives full control of Android phones[…]

Facebook, WhatsApp Will Have to Share Messages With U.K. Police, breaking encryption. Don’t they realises this gives criminals access too?

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter. The accord, which is set to be signed by next month, will compel social media firms to Read more about Facebook, WhatsApp Will Have to Share Messages With U.K. Police, breaking encryption. Don’t they realises this gives criminals access too?[…]

Several months after the fact, and after public reporting, CafePress finally acknowledges huge data theft to its customers

T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month. Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had Read more about Several months after the fact, and after public reporting, CafePress finally acknowledges huge data theft to its customers[…]

Critical Vulnerability in Harbor (container security!) Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)

Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole. Versions 1.7.6 Read more about Critical Vulnerability in Harbor (container security!) Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)[…]

When were you at Tesco? Let’s have a look. parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images by Ranger Services and NCP

Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob. The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars’ numberplates, though drivers were Read more about When were you at Tesco? Let’s have a look. parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images by Ranger Services and NCP[…]

Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet

Scotiabank leaked online a trove of its internal source code, as well as some of its private login keys to backend systems, The Register can reveal. Over the past 24 hours, the Canadian financial giant has torn down GitHub repositories, inadvertently left open to the public, that contained this sensitive information, after The Register raised Read more about Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet[…]

Windows 7’s July 2019 Security Patch Includes Telemetry – but you can disable it in task scheduler

To the surprise of Windows watchers, the latest Windows 7 “security-only” update includes telemetry. The telemetry in question is Microsoft’s “Compatibility Appraiser,” which checks PCs for problems that could prevent upgrading to Windows 10. As Woody Leonhard points out on Computerworld, this is pretty odd on Microsoft’s part—the telemetry code was previously available and is Read more about Windows 7’s July 2019 Security Patch Includes Telemetry – but you can disable it in task scheduler[…]

Report: Massive Fraud Network Uncovered, Targeting Groupon & Online Ticket Vendors

vpnMentor’s research team, led by Noam Rotem and Ran Locar, recently exposed a massive criminal operation that has been defrauding Groupon and other major online ticket vendors at least since 2016. As part of a larger web mapping research project, we discovered a cache of 17 million emails on an unsecured database. Our initial research Read more about Report: Massive Fraud Network Uncovered, Targeting Groupon & Online Ticket Vendors[…]

Weakness in Intel chips DDIO lets researchers steal encrypted SSH keystrokes through side channel attacks

In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU’s last-level cache, rather than following the standard (and significantly longer) path through the server’s main memory. By avoiding system memory, Intel’s DDIO—short for Data-Direct I/O—increased input/output bandwidth and Read more about Weakness in Intel chips DDIO lets researchers steal encrypted SSH keystrokes through side channel attacks[…]

D-Link, Comba network gear leave passwords open for potentially whole world to see

DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners’ passwords out in the open. Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers. For D-Link gear, two bugs were discovered in the firmware for Read more about D-Link, Comba network gear leave passwords open for potentially whole world to see[…]

Cheap GPS kiddie trackers have default password 123456 and send all information unencrypted

GPS trackers are designed to bring you greater peace of mind by helping you to locate your kids, your pets, and even your car. They can help keep the elderly or disabled safe by providing them with a simple SOS button to call for immediate help. Many devices are marketed for these purposes on common Read more about Cheap GPS kiddie trackers have default password 123456 and send all information unencrypted[…]

Tesla Malfunction Locks Out Owners Who Depended on App for Entry, Forces Them to Scramble for ‘Keys’

Some Tesla users who rely on the app to gain entry to their Model 3 were temporarily unable to get into their electric cars on Labor Day. The Next Web reported that a number of people tweeted out their frustrations on Monday when they were “locked out” of their car due to phone app issues. Read more about Tesla Malfunction Locks Out Owners Who Depended on App for Entry, Forces Them to Scramble for ‘Keys’[…]

Hundreds of Millions of Facebook Users Phone Numbers Exposed

Facebook is staring down yet another security blunder, this time with an incident involving an exposed server containing hundreds of millions of phone numbers that were previously associated with accounts on its platform. The situation appears to be pinned to a feature no longer enabled on the platform but allowed users to search for someone Read more about Hundreds of Millions of Facebook Users Phone Numbers Exposed[…]

Nextdoor app full of holes

Dutch researchers found it easy to download the names and addresses of people in neighbourhoods they weren’t a part of and to discover who was on holidays when. Source: Buurtapp Nextdoor ‘zo lek als een mandje’ – Emerce

Don’t fly with your Explody MacBook!

Following an Apple notice that a “limited number” of 15-inch MacBook Pros may have faulty batteries that could potentially create a fire safety risk, multiple airlines have barred transporting Apple laptops in their checked luggage—in some cases, regardless of whether they fall under the recall. Bloomberg reported Wednesday that Qantas Airways and Virgin Australia had Read more about Don’t fly with your Explody MacBook![…]

Lenovo Solution Centre can turn users into Admins – Lenovo changes end of life for LSC until before the last release in response.

Not only has a vulnerability been found in Lenovo Solution Centre (LSC), but the laptop maker fiddled with end-of-life dates to make it seem less important – and is now telling the world it EOL’d the vulnerable monitoring software before its final version was released. The LSC privilege-escalation vuln (CVE-2019-6177) was found by Pen Test Read more about Lenovo Solution Centre can turn users into Admins – Lenovo changes end of life for LSC until before the last release in response.[…]

London Transport asked people to write down their Oyster passwords – but don’t worry

London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard. He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password. “I Read more about London Transport asked people to write down their Oyster passwords – but don’t worry[…]

Here’s a top tip: Don’t trust the new guy – block web domains less than a month old. They are bound to be dodgy

IT admins could go a long way towards protecting their users from malware and other dodgy stuff on the internet if they ban access to any web domain less than a month old. This advice comes from Unit 42, the security branch of networking house Palo Alto Networks. To be exact, the recommendation is that Read more about Here’s a top tip: Don’t trust the new guy – block web domains less than a month old. They are bound to be dodgy[…]

Moscow’s blockchain voting system cracked a month before election, will be fixed due to responsible disclosure, open source and bug bounties

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s Read more about Moscow’s blockchain voting system cracked a month before election, will be fixed due to responsible disclosure, open source and bug bounties[…]

Bug-hunter finds local privilege escalation in Steam. Valve refuses to acknowledge and so he’s dropped it on the internet.

The way Kravets tells is (Valve did not respond to a request for comment), the whole saga started earlier this month when he went to report a separate elevation of privilege flaw in Steam Client, the software gamers use to purchase and run games from the games service. Valve declined to recognize and pay out Read more about Bug-hunter finds local privilege escalation in Steam. Valve refuses to acknowledge and so he’s dropped it on the internet.[…]