Sorry to be blunt about this… Open AWS S3 storage bucket just made 30,000 potheads’ privacy go up in smoke

Personal records, including scans of ID cards and purchase details, for more than 30,000 people were exposed to the public internet from this unsecured cloud silo, we’re told. In addition to full names and pictures of customer ID cards, the 85,000-file collection is said to include email and mailing address, phone numbers, dates of […]

Netgear leaves admin interface’s TLS cert and private key in router firmware

Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment’s web-based admin interfaces. Specifically, valid, signed TLS certificates with private keys were embedded in the software, which was available to download for free by anyone, and also shipped with Netgear devices. This data can be used […]

BlackVue dashcam shows anyone everywhere you are in real time and where you have been in the past

An app that is supposed to be a fun activity for dashcam users to broadcast their camera feeds and drives is actually allowing people to scrape and store the real-time location of drivers across the world. BlackVue is a dashcam company with its own social network. With a small, internet-connected dashcam installed inside their vehicle, […]

PGP keys, software security, and much more threatened by new SHA1 exploit

Three years ago, Ars declared the SHA1 cryptographic hash algorithm officially dead after researchers performed the world’s first known instance of a fatal exploit known as a “collision” on it. On Tuesday, the dead SHA1 horse got clobbered again as a different team of researchers unveiled a new attack that’s significantly more powerful. The new […]

More than 600 million users installed Android ‘fleeceware’ apps from the Play Store – where they don’t cancel your trial after uninstalling

Security researchers from Sophos say they’ve discovered a new set of “fleeceware” apps that appear to have been downloaded and installed by more than 600 million Android users. The term fleeceware is a recent addition to the cyber-security jargon. It was coined by UK cyber-security firm Sophos last September following an investigation that discovered a […]

Skype and Cortana audio listened in on by workers in China with ‘no security measures’

A Microsoft programme to transcribe and vet audio from Skype and Cortana, its voice assistant, ran for years with “no security measures”, according to a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company. The […]

Checkpeople, why is a 22GB database containing 56 million US folks’ aggregated personal details sitting on the open internet using a Chinese IP address?

A database containing the personal details of 56.25m US residents – from names and home addresses to phone numbers and ages – has been found on the public internet, served from a computer with a Chinese IP address, bizarrely enough. The information silo appears to belong to Florida-based CheckPeople.com, which is a typical people-finder website: […]

Government exposes addresses of > 1000 new year honours recipients

More than 1,000 celebrities, government employees and politicians who have received honours had their home and work addresses posted on a government website, the Guardian can reveal. The accidental disclosure of the tranche of personal details is likely to be considered a significant security breach, particularly as senior police and Ministry of Defence staff were […]

Wyze data leak may have exposed personal data of millions of users

Security camera startup Wyze has confirmed it suffered a data leak this month that may have left the personal information of millions of its customers exposed on the internet. No passwords or financial information were exposed, but email addresses, Wi-Fi network IDs and body metrics were left unprotected from Dec. 4 through Dec. 26, the […]

Twitter Warns Millions of Android App Users to Update Immediately

This week, Twitter confirmed a vulnerability in its Android app that could let hackers see your “nonpublic account information” and commandeer your account to send tweets and direct messages. According to a Twitter Privacy Center blog posted Friday, the (recently patched) security issue could allow hackers to gain control of an account and access data […]

Chinese hacker group caught bypassing 2FA

Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks. The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate on the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in […]

267 Million Phone Numbers & Facebook User IDs Exposed Online

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of […]

A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users – Really, just don’t get one of these things!

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.” Using the log-in email and password, an intruder could access a Ring customer’s home […]

IoT gear is generating easy-to-crack keys because they repeat the key once every 172 times

A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won’t be an easy one to solve. This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations […]

New Plundervolt attack impacts Intel CPUs’ SGX

Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor’s voltage and frequency — the same interface […]

Budget Energy and NLE leak 29000 customer records – names, addresses, possibly phone numbers and bank accounts

The personal data of possibly 29,000 customers of the energy companies Budget Energie and NLE have been exposed. Besides names and addresses, there is a chance that phone numbers and bank account numbers have also been leaked. The data was not leaked by accident; according to the company, it was a deliberate theft. Parent company Nuts Groep has customers of Budget Energie and NLE […]

Vulnerability in fully patched Android phones under active attack by bank thieves – watch out for permissions being asked from apps you have installed

A vulnerability in millions of fully patched Android phones is being actively exploited by malware that’s designed to drain the bank accounts of infected users, researchers said on Monday. The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in […]

TrueDialog leaks tens of millions of US SMS messages and user data

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breached database belonging to the American communications company, TrueDialog. TrueDialog provides SMS texting solutions to companies in the USA and the database in question was linked to many aspects of their business. This was a huge discovery, with a massive amount of private […]

SMS Replacement is Exposing Users to Text, Call Interception Thanks to Sloppy Telecos

A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move […]

NextCry Ransomware Targets NextCloud Linux Servers and Remains Undetected

The ransom note that NextCry victims receive reads “READ_FOR_DECRYPT”, and demands 0.025 BTC for a victim’s files to be unlocked. One NextCloud user, xact64, shared his experience with the malware on a Bleeping Computer forum in an effort to find a way to decrypt personal files which had been instantaneously locked in a NextCry attack: […]

1.2 Billion Records Found Exposed Online in a Single Server, contain social media profiles

In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all. While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. […]

Monero Wallet downloads compromised for 35 minutes

Some users noticed the hash of the binaries they downloaded did not match the expected one: https://github.com/monero-project/monero/issues/6151 It appears the box has been indeed compromised and different CLI binaries served for 35 minutes. Downloads are now served from a safe fallback source. Always check the integrity of the binaries you download! If you downloaded binaries […]

Android Users: Check Now to See If a Rogue App Can Control Your Phone’s Camera

According to an investigation by Checkmarx security researchers, some Android devices may have an unpatched security flaw that an app could use to record you without your knowledge using your device’s camera and mic. No attacks that exploit the bug have been reported so far, thankfully. Still, the Checkmarx researchers were able to successfully create […]

Shopped online at Macy’s last month? Might want to toss, or at least check, that card

A notice (PDF) posted by the long-operating department store chain said that, between October 7 and October 15 of this year, a Magecart script was running on the checkout page of its retail website. The script was able to capture payment card details in two different ways: as it was being entered through the checkout […]