WhatsApp begins rolling out end-to-end encryption for chat backups

The wait is over. It’s now possible to encrypt your WhatsApp chat history on both Android and iOS, Facebook CEO Mark Zuckerberg announced on Thursday. The company plans to roll out the feature slowly to ensure it can deliver a consistent and reliable experience to all users. However, once you can access the feature, it Read more about WhatsApp begins rolling out end-to-end encryption for chat backups[…]

How Apple Can Read Your Encrypted iMessages

If you have an iPhone, and your friends mostly have iPhones, you probably use Apple’s Messages app to communicate with them. That’s the nature of things. And aside from the platform’s convenience and ubiquity, one of the iMessage platform’s selling points is that its end-to-end encryption should theoretically ensure that only you and those you Read more about How Apple Can Read Your Encrypted iMessages[…]

Telegraph newspaper exposes 10TB of server, user data online

The Telegraph newspaper managed to leak 10TB of subscriber data and server logs after leaving an Elasticsearch cluster unsecured for most of September, according to the researcher who found it online. The blunder was uncovered by well-known security researcher Bob Diachenko, who said that the cluster had been freely accessible “without a password or any Read more about Telegraph newspaper exposes 10TB of server, user data online[…]

Millions of AMD PCs affected by new CPU driver flaw need to be patched ASAP

After finding several security flaws in Intel’s System Guard Extensions (SGX), security researchers have now revealed a flaw in AMD’s Platform Security Processor (PSP) chipset driver that makes it easy for attackers to steal sensitive data from Ryzen-powered systems. On the upside, there’s already patches available from both Microsoft and AMD to shut the exploit. Read more about Millions of AMD PCs affected by new CPU driver flaw need to be patched ASAP[…]

Millions Experience Browser Problems After Long-Anticipated Expiration of IdentTrust DST Root CA X3 SSL Certificate

“The expiration of a key digital encryption service on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users,” reports the Washington Examiner. The expiring certificate was issued by Let’s Encrypt — though ZDNet notes there’s been lots of warnings about its pending expiration: Digital Shadows senior Read more about Millions Experience Browser Problems After Long-Anticipated Expiration of IdentTrust DST Root CA X3 SSL Certificate[…]

Unpatched flaw creates ‘weaponised’ Apple AirTags

[…] Should your AirTag-equipped thing not be where you thought it was, you can enable Lost Mode. When in Lost Mode, an AirTag scanned via NFC provides a unique URL which lets the finder get in contact with the loser – and it’s this page where security researcher Bobby Rauch discovered a concerning vulnerability. “An Read more about Unpatched flaw creates ‘weaponised’ Apple AirTags[…]

Microsoft Exchange protocol can leak credentials cleartext

A flaw in Microsoft’s Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances. The upshot is that your Exchange-connected email client may give away your username and password to a stranger, if the flaw is successfully exploited. In a report scheduled to be published Read more about Microsoft Exchange protocol can leak credentials cleartext[…]

Ministry of Defence: Another huge Afghanistan email blunder

A second leak of personal data was reportedly committed by the Ministry of Defence, raising further questions about the ministry’s commitment to the safety of people in Afghanistan, some of whom are its own former employees. The BBC reported overnight that the details of a further 55 Afghans  – claimed to be candidates for potential relocation Read more about Ministry of Defence: Another huge Afghanistan email blunder[…]

Database containing 106m Thailand travelers’ details over the past decade leaked

A database containing personal information on 106 million international travelers to Thailand was exposed to the public internet this year, a Brit biz claimed this week. Bob Diachenko, head of cybersecurity research at product-comparison website Comparitech, said the Elasticsearch data store contained visitors’ full names, passport numbers, arrival dates, visa types, residency status, and more. Read more about Database containing 106m Thailand travelers’ details over the past decade leaked[…]

MoD apologises after Afghan interpreters’ personal data exposed (yes the ones still in Afghanistan)

The UK’s Ministry of Defence has launched an internal investigation after committing the classic CC-instead-of-BCC email error – but with the names and contact details of Afghan interpreters trapped in the Taliban-controlled nation. The horrendous data breach took place yesterday, with Defence Secretary Ben Wallace promising an immediate investigation, according to the BBC. Included in Read more about MoD apologises after Afghan interpreters’ personal data exposed (yes the ones still in Afghanistan)[…]

Glowworm Attack Captures Audio From Power LED Light Flickers

Researchers from Ben-Gurion University have come up with a way to listen in on a speaker from afar by just monitoring the subtle changes in brightness of its power status LED. The Glowworm Attack, as the discovery is called, follows similar research from the university published in 2020 that found an electro-optical sensor paired with Read more about Glowworm Attack Captures Audio From Power LED Light Flickers[…]

Samsung Smart TVs Can Be Remotely Disabled

QLED-loving thieves, beware: Samsung revealed on Tuesday that its TVs can be remotely disabled if the company finds out they’ve been stolen, so long as the sets in question are connected to the internet. Known as “Samsung TV Block,” the feature was first announced in a press release earlier this month after the company deployed Read more about Samsung Smart TVs Can Be Remotely Disabled[…]

European Commission airs out new IoT device security draft law – interested parties have a week to weigh in

Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention. Draft regulations applying to “internet-connected radio equipment and wearable radio equipment” are open for public comment until Read more about European Commission airs out new IoT device security draft law – interested parties have a week to weigh in[…]

A Misused Microsoft Tool Leaked Data from 47 Organizations

New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records. Microsoft’s Power Apps, a popular development platform, allows organizations to quickly create web apps, replete with public facing websites and related backend data management. A lot of governments have used Power Apps Read more about A Misused Microsoft Tool Leaked Data from 47 Organizations[…]

Sensitive Data On Afghan Allies Collected By The US Military Is Now In The Hands Of The Taliban

The problem with harvesting reams of sensitive data is that it presents a very tempting target for malicious hackers, enemy governments, and other wrongdoers. That hasn’t prevented anyone from collecting and storing all of this data, secure only in the knowledge this security will ultimately be breached. […] The Taliban is getting everything we left Read more about Sensitive Data On Afghan Allies Collected By The US Military Is Now In The Hands Of The Taliban[…]

Zoom to pay $85M for lying about encryption and sending data to Facebook and Google

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without the consent of users. The settlement between Zoom and the filers of a class-action lawsuit also covers security problems that led to rampant “Zoombombings.” The proposed settlement would generally give Read more about Zoom to pay $85M for lying about encryption and sending data to Facebook and Google[…]

>83 million Web Cams, Baby Monitor Feeds and other IoT devices using Kalay backend Exposed

a vulnerability is lurking in numerous types of smart devices—including security cameras, DVRs, and even baby monitors—that could allow an attacker to access live video and audio streams over the internet and even take full control of the gadgets remotely. What’s worse, it’s not limited to a single manufacturer; it shows up in a software Read more about >83 million Web Cams, Baby Monitor Feeds and other IoT devices using Kalay backend Exposed[…]

China orders annual security reviews for all critical information infrastructure operators

An announcement by the Cyberspace Administration of China (CAC) said that cyber attacks are currently frequent in the Middle Kingdom, and the security challenges facing critical information infrastructure are severe. The announcement therefore defines infosec regulations and and responsibilities. The CAC referred to critical infrastructure as “the nerve center of economic and social operations and Read more about China orders annual security reviews for all critical information infrastructure operators[…]

Senators ask Amazon how it will use palm print data from its stores

If you’re concerned that Amazon might misuse palm print data from its One service, you’re not alone. TechCrunch reports that Senators Amy Klobuchar, Bill Cassidy and Jon Ossoff have sent a letter to new Amazon chief Andy Jassy asking him to explain how the company might expand use of One’s palm print system beyond stores Read more about Senators ask Amazon how it will use palm print data from its stores[…]

Researchers Say They’ve Found a ‘Master Face’ to Bypass Face Rec Tech

[…] computer scientists at Tel Aviv University in Israel say they have discovered a way to bypass a large percentage of facial recognition systems by basically faking your face. The team calls this method the “master face” (like a “master key,” harhar), which uses artificial intelligence technologies to create a facial template—one that can consistently Read more about Researchers Say They’ve Found a ‘Master Face’ to Bypass Face Rec Tech[…]

100s of (war)ships are having their positions falsely reported in AIS

Analysis of tracking data from Automatic Identification System broadcasts reveals vessel locations have been simulated for a number of ships, including military vessels. This false information could compromise vessel safety, decrease confidence in a crucial collision avoidance system and potentially spark international conflict. Over the years, data analysts working with Global Fishing Watch and SkyTruth Read more about 100s of (war)ships are having their positions falsely reported in AIS[…]

16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) Read more about 16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines[…]

You, too, can be a Windows domain controller and do whatever you like, with this trick which requires no authentication at all

The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network. Specifically, security researcher Gilles Lionel found it was possible Read more about You, too, can be a Windows domain controller and do whatever you like, with this trick which requires no authentication at all[…]

Thinking about selling your Echo Dot—or any IoT device? Turns out passwords and other data remain even after a reset

Like most Internet-of-things (IoT) devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any… personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices Read more about Thinking about selling your Echo Dot—or any IoT device? Turns out passwords and other data remain even after a reset[…]

Another Exploit Hits WD My Book Live Owners – wipes could be rival hacker groups fighting for botnet control

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. (Image credit: Western Digital) Initially, after the Read more about Another Exploit Hits WD My Book Live Owners – wipes could be rival hacker groups fighting for botnet control[…]