The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a Read more about Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts[…]

Apple’s T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in conjunction with Read more about Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon[…]

Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room. Prior to its remediation by Comcast, the attack, dubbed WarezTheRemote, was a very real security threat: with more than 18 million units deployed Read more about Listening in on your XR11 remote from 20m away[…]

Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app/API Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas Precise user Read more about Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are[…]

Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address. Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. Read more about Grindr security flaw let anyone take over any accounts easily[…]

A newly discovered technique by a researcher shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google’s servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing Read more about Google App Engine feature abused to create unlimited phishing pages[…]

Twitter is notifying developers today about a possible security incident that may have impacted their accounts. The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers. The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their Read more about Twitter warns of possible API keys leak through browser caching[…]

Microsoft has released Sysmon 12, and it comes with a useful feature that logs and captures any data added to the Windows Clipboard. This feature can help system administrators and incident responders track the activities of malicious actors who compromised a system. Those not familiar with Sysmon, otherwise known as System Monitor, it is a Read more about Microsoft Sysmon now logs data copied to the Windows Clipboard[…]

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint. Secura’s security expert Tom Tervoort previously discovered a Read more about Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)[…]

In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers’ PII (Personal Identifiable Information). The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit Read more about Private data gone public: Razer leaks 100,000+ gamers’ personal info[…]

The database built by Shenzhen Zhenhua from a variety of sources is technically complex using very advanced language, targeting, and classification tools. Shenzhen Zhenhua claims to work with, and our research supports, Chinese intelligence, military, and security agencies use the open information environment we in open liberal democracies take for granted to target individuals and Read more about Shenzhen Zhenua Data Leak – high profile international contacts database kept by Chinese leaked[…]

Three “grumpy old hackers” in the Netherlands managed to access Donald Trump’s Twitter account in 2016 by extracting his password from the 2012 Linkedin hack. The pseudonymous, middle-aged chaps, named only as Edwin, Mattijs and Victor, told reporters they had lifted Trump’s particulars from a database that was being passed about hackers, and tried it Read more about Three middle-aged Dutch hackers slipped into Donald Trump’s Twitter account days before 2016 US election[…]

Boffins in America, the Netherlands, and Switzerland have devised a Spectre-style attack on modern processors that can defeat defenses that are supposed to stop malicious software from hijacking a computer’s operating system. The end result is exploit code able to bypass a crucial protection mechanism and take over a device to hand over root access. Read more about BlindSide: Watch speculative memory probing bypass kernel defenses, give malware root control[…]

Windows 10 users can customize their desktops with unique themes, and are able to create and share those themes with others. Hackers can also use them to steal your credentials. A flaw in Windows 10’s theme-creation feature lets hackers modify custom themes that, once installed, trick users into passing over their Microsoft account name and Read more about Hacked Windows 10 Themes Can Swipe Your Microsoft Login[…]

The coronavirus pandemic has forced people around the globe to temporarily modify the ways they go about activities. Activities like these include political elections and campaigning. Since the virus hit in an election year, it’s highly likely new measures will be taken to prevent mass gatherings during voting. Infection rates aren’t likely to drop any Read more about Security Risks Revolving the 2020 US Presidential Elections | Techwarn.com[…]

Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that’s the right thing to do. “Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software,” the company writes. “When that happens, our Read more about Facebook finally joins responsible disclosure for bugs they find[…]

Can’t send something on Gmail? If so then you’re in good company, ever since about midnight ET, people have been complaining about issues connecting to many of the G suite services, but especially Gmail. The Google apps status page just updated to confirm they’ve received reports of an issue with Gmail and Google Drive, while Read more about A Gmail and Google Drive outage is causing errors around the world – yay cloud![…]

A security researcher has detailed how an artificial intelligence company in possession of nearly 2.6 million medical records allowed them to be publicly visible on the internet. It’s a clear reminder that our personal health data is not safe. As Secure Thoughts reports, on July 7 security researcher Jeremiah Fowler discovered two folders of medical Read more about AI Company Leaks Over 2.5M Medical Records[…]

Boffins testing the security of OpenPGP and S/MIME, two end-to-end encryption schemes for email, recently found multiple vulnerabilities in the way email client software deals with certificates and key exchange mechanisms. They found that five out of 18 OpenPGP-capable email clients and six out of 18 S/MIME-capable clients are vulnerable to at least one attack. Read more about Trusting OpenPGP and S/Mime with your email secrets? You might want to rethink that[…]

More than 3.7 million. That’s the latest number of surveillance cameras, baby monitors, doorbells with webcams, and other internet-connected devices found left open to hijackers via two insecure communications protocols globally, we’re told. This is up from estimates of a couple of million last year. The protocols are CS2 Network P2P, used by more than Read more about Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear[…]

Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts. The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public – Read more about Leaky AWS S3 buckets are so common, they’re being found by the thousands now – with lots of buried secrets[…]

With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives. As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide Read more about 400 faults found in Qualcomm chips powering your mobile phone with big implications[…]