NHS Digital booking website had unexpected side effect: It leaked people’s jab status

An NHS Digital-run vaccine-booking website exposed how many vaccines individual people had received, and did so with no authentication, according to the Guardian. The booking page, aimed at English NHS patients wanting to book first and second coronavirus jabs, would tell anyone at all whether a named person had had zero, one or […]

Russian cyber-spies changed tactics after the UK and US outed their techniques – so here’s a list of those changes

Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets' networks as if they were a legitimate pentesting exercise. Now, the UK's National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in equipment ranging from Cisco routers […]

Peloton’s leaky API let anyone grab riders’ private account data – and only fixed the issue after repeated prodding

[…] Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes. As Biden […]

Experian API Exposed Credit Scores of Most Americans

Big-three consumer credit bureau Experian just fixed a weakness in a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he […]

BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw

Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can potentially be exploited to hijack devices. […] Drilling down to the nitty-gritty: Microsoft's Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), […]
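The common flaw behind BadAlloc is a missing integer-overflow check when the allocation size is computed from an attacker-influenced count or length: the product or sum wraps, the allocator hands back a tiny buffer, and the caller then writes the full amount into it. As an added illustration (not Microsoft's code and not taken from any affected product), the C below shows that arithmetic pattern with the vulnerable and hardened wrappers side by side. The 32-bit size type and the sample request of 0x40000001 four-byte elements are assumptions chosen to reproduce the wrap on a 64-bit host.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Size arithmetic is done in uint32_t on purpose (assumption): the RTOS and
 * embedded targets BadAlloc concerned mostly have a 32-bit size_t, and
 * using uint32_t reproduces the wrap even when compiled on a 64-bit host.
 */

/* Vulnerable pattern: the byte count handed to the allocator comes from an
 * unchecked multiply. For count = 0x40000001 and elem = 4 the true product
 * is 0x100000004, which wraps to 4. */
uint32_t wrapped_size(uint32_t count, uint32_t elem)
{
    return count * elem;            /* modulo 2^32, no error reported */
}

/* Hardened pattern: detect the wrap before it happens using only the native
 * width (the classic division check). Returns the product, or -1 if
 * count * elem does not fit in 32 bits. */
int64_t checked_size(uint32_t count, uint32_t elem)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return -1;
    return (int64_t)(count * elem);
}

/* Same check for header + payload length sums, the other common shape of
 * this bug class. Returns the sum, or -1 on wrap. */
int64_t checked_add(uint32_t a, uint32_t b)
{
    if (a > UINT32_MAX - b)
        return -1;
    return (int64_t)(a + b);
}

/* Vulnerable allocator wrapper: allocates the wrapped size and reports how
 * many bytes the caller actually got. A caller that then copies `count`
 * elements into the buffer overruns the heap chunk. */
void *vuln_alloc_array(uint32_t count, uint32_t elem, uint32_t *allocated)
{
    uint32_t bytes = wrapped_size(count, elem);
    *allocated = bytes;
    return malloc(bytes);
}

/* Hardened wrapper: refuses the request instead of under-allocating. */
void *safe_alloc_array(uint32_t count, uint32_t elem)
{
    int64_t bytes = checked_size(count, elem);
    if (bytes < 0)
        return NULL;
    return malloc((size_t)bytes);
}

/* 1 if writing `count` elements of `elem` bytes would exceed `allocated`
 * bytes; the comparison is done in 64 bits so it cannot wrap itself. */
int write_would_overflow(uint32_t count, uint32_t elem, uint32_t allocated)
{
    return (uint64_t)count * elem > (uint64_t)allocated;
}

/* Runs the vulnerable path and returns the byte count the allocator saw. */
uint32_t bytes_actually_allocated(uint32_t count, uint32_t elem)
{
    uint32_t got;
    void *p = vuln_alloc_array(count, elem, &got);
    free(p);
    return got;
}

/* Returns 1 if the hardened wrapper grants the request, 0 if it rejects it. */
int hardened_grants(uint32_t count, uint32_t elem)
{
    void *p = safe_alloc_array(count, elem);
    int granted = p != NULL;
    free(p);
    return granted;
}

int main(void)
{
    uint32_t count = 0x40000001u, elem = 4u;   /* constructed sample request */
    uint32_t got = bytes_actually_allocated(count, elem);

    printf("vulnerable: %" PRIu32 " x %" PRIu32 " bytes requested, allocator "
           "received %" PRIu32 " bytes, caller write overflows: %s\n",
           count, elem, got, write_would_overflow(count, elem, got) ? "yes" : "no");
    printf("hardened: request %s\n",
           hardened_grants(count, elem) ? "granted" : "rejected as overflow");
    return 0;
}
```

The division check in checked_size is the form that works where no wider integer type is available; on targets with a 64-bit type, computing the product in uint64_t and comparing it against the 32-bit maximum is equivalent. Either way, the fix belongs at the point where the size is derived, before it reaches malloc().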

Fraudulent orders via Afterpay are stupidly easy; to resolve them, Afterpay wants victims to give up their privacy and spend lots of time.

Shopping online and sending the bill to someone else turns out to be child's play with Afterpay. So concludes the Consumentenbond, which investigated the security of the pay-later service. Hundreds of consumers have received phantom invoices from Afterpay and Klarna, payment services that let consumers pay for online purchases only after receiving them. The amounts range from a few tens of euros to hundreds of euros. With […]

Study finds GAEN (Google/Apple) contact-tracing apps allow user and contact location tracking; NL stops use of its tracking app.

A study describes the data transmitted to backend servers by the Google/Apple-based contact-tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish, Polish, Danish, and Latvian apps could be improved in […]

Pentagon doesn’t really explain odd transfer of 175 million IP addresses to obscure company starting 5 minutes before Trump left office

The US Department of Defense puzzled Internet experts by apparently transferring control of tens of millions of dormant IP addresses to an obscure Florida company just before President Donald Trump left the White House, but the Pentagon has finally offered a partial explanation for why it happened. The Defense Department says it still owns the […]

Signal maker exploits Cellebrite (authoritarian governments' phone-spying software) to create false reports on phones scanned by it, and on every phone scanned after that

Cellebrite makes software to automate physically extracting and indexing data from mobile devices. They exist within the grey, where enterprise branding joins together with the larcenous to be called "digital intelligence." Their customer list has included authoritarian regimes in Belarus, Russia, Venezuela, and China; death squads in Bangladesh; military juntas in Myanmar; and those […]

If you have a QNAP NAS, stop what you’re doing right now and install latest updates before Qlocker gets you

Two file-scrambling nasties, Qlocker and eCh0raix, are said to be tearing through vulnerable QNAP storage equipment, encrypting data and demanding ransoms to restore the information. In response, QNAP said on Thursday users should do the following to avoid falling victim: install the latest software updates for the Multimedia Console, Media Streaming Add-on, and Hybrid Backup […]

Deere John: Researcher Warns Ag Giant’s Site Provides a Map to Customers, Equipment

Web sites for customers of agricultural equipment maker John Deere contained vulnerabilities that could have allowed a remote attacker to harvest sensitive information on the company's customers, including their names, physical addresses and information on the Deere equipment they own and operate. The researcher known as "Sick Codes" (@sickcodes) published two advisories on Thursday warning […]

Apple AirDrop Security Flaw Exposes iPhone Numbers, Emails: Researchers

Apple's AirDrop feature is a convenient way to share files between the company's devices, but security researchers from Technische Universität Darmstadt in Germany are warning that you might be sharing way more than just a file. According to the researchers, it's possible for strangers to discover the phone number and email of any nearby AirDrop […]

How to Keep Attackers From Locking You Out of WhatsApp

[…] WhatsApp representatives told Forbes that the easiest way to protect yourself against this kind of attack is to make sure you've associated an email address with your two-step verification process, so the attacker won't be able to spoof your identity. You can do that right now by pulling up WhatsApp, loading its Settings, […]

Stolen Data of 533 Million Facebook Users Leaked Online

A user in a low-level hacking forum on Saturday published the phone numbers and personal data of hundreds of millions of Facebook users for free online. The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on […]

Wi-Fi devices set to become object sensors by 2024 under planned 802.11bf standard; no, they haven't thought about security and privacy

In three years or so, the Wi-Fi specification is scheduled to get an upgrade that will turn wireless devices into sensors capable of gathering data about the people and objects bathed in their signals. "When 802.11bf will be finalized and introduced as an IEEE standard in September 2024, Wi-Fi will cease to be a communication-only […]

Wi-Fi slinger Ubiquiti hints at source code leak after claim of ‘catastrophic’ cloud intrusion emerges

News that Ubiquiti's cloud servers had been breached emerged on January 11, 2021, when the company emailed customers the text found in this support forum post. That missive stated: "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third-party cloud provider." That announcement continued, "We have no […]

OpenSSL fixes high-severity flaw that allows hackers to crash huge numbers of servers globally

OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers. […] On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from […]

Cloudflare debuts zero-trust browsing service for remote enterprise workforce

[…] Working from home, whether as a permanent option or as part of hybrid models, may become standard, and so the corporate world needs to consider how best to keep its networks protected while also catering to a remote workforce. To this end, Cloudflare has contributed a new zero-trust solution for browser sessions. On Tuesday, […]

Ticketcounter leaks data of millions of people, hadn't deleted sensitive data, and was outed

Data on visitors to Diergaarde Blijdorp, Apenheul, Dierenpark Amersfoort and dozens of other theme parks is out in the open. Ticket seller Ticketcounter is also being extorted for 300,000 euros. An employee accidentally put the data online in a place it should never have been. As a result, the data could be found there for months (from 5 August 2020 to […]

1Password has none, KeePass has none… So why are there seven embedded trackers in the LastPass Android app?

A security researcher has recommended against using the LastPass password manager Android app after noting seven embedded trackers. The software's maker says users can opt out if they want. […] The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as […]

Half a million stolen French medical records, lab results, feeble excuses

[…] Here in France, we've just experienced the country's biggest ever data breach of customer records, involving some half a million medical patients. Worse, the data wasn't even sold or held to ransom by dark web criminals: it was just given away so that anyone could download it. Up to 60 fields of personal data […]

Why You Should Switch From LastPass to Bitwarden's Password Manager

Whether you're looking to make a change in your password management just because, or you're a LastPass user annoyed with the service's recent changes to its free tier, switching to the much-loved (and free) Bitwarden service is a good choice. Bitwarden is now the best free password manager for most people, since it works across all […]

France has been suffering a very SolarWinds-like cyberattack since 2017

As the U.S. continues to chart the damage from the sweeping "SolarWinds" hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d'information, or simply ANSSI, the French government's chief cybersecurity agency. Like the […]

Malware built specifically for Apple's new M1 chip has arrived

Now that Apple has officially begun the transition to Apple Silicon, so has malware. Security researcher Patrick Wardle published a blog post detailing that he'd found a malicious program dubbed GoSearch22, a Safari browser extension that's been reworked for Apple's M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on […]