Boffins testing the security of OpenPGP and S/MIME, two end-to-end encryption schemes for email, recently found multiple vulnerabilities in the way email client software deals with certificates and key exchange mechanisms. They found that five out of 18 OpenPGP-capable email clients and six out of 18 S/MIME-capable clients are vulnerable to at least one attack. Read more about Trusting OpenPGP and S/Mime with your email secrets? You might want to rethink that[…]

More than 3.7 million. That’s the latest number of surveillance cameras, baby monitors, doorbells with webcams, and other internet-connected devices found left open to hijackers via two insecure communications protocols globally, we’re told. This is up from estimates of a couple of million last year. The protocols are CS2 Network P2P, used by more than Read more about Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear[…]

Misconfigured AWS S3 storage buckets exposing massive amounts of data to the internet are like an unexploded bomb just waiting to go off, say experts. The team at Truffle Security said its automated search tools were able to stumble across some 4,000 open Amazon-hosted S3 buckets that included data companies would not want public – Read more about Leaky AWS S3 buckets are so common, they’re being found by the thousands now – with lots of buried secrets[…]

With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives. As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide Read more about 400 faults found in Qualcomm chips powering your mobile phone with big implications[…]

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vuln was revealed publicly in June by Trend Micro’s Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind the scenes to take it seriously. Read more about If you own one of these 45 Netgear devices, replace it: Firm won’t patch vulnerable gear despite live proof-of-concept code[…]

Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores. When users install the app, Waydev receives an OAuth token that it can use to access its Read more about Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev – this is why you don’t give cloud access to your crown jewels[…]

An annoying vulnerability in the widely used GRUB2 bootloader can be potentially exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. […] Designated CVE-2020-10713, the vulnerability allows a miscreant to achieve code execution within the open-source bootloader, Read more about GRUB2, you’re getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system[…]

Garmin is reportedly being asked to pay a $10 million ransom to free its systems from a cyberattack that has taken down many of its services for two days. The navigation company was hit by a ransomware attack on Thursday, leaving customers unable to log fitness sessions in Garmin apps and pilots unable to download Read more about Will Garmin Pay $10 Million Ransom To End Two-Day Outage?[…]

Twitter said on Saturday that the perpetrators “manipulated a small number of employees and used their credentials” to log into tools and turn over access to 45 accounts. here On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users. The former Read more about More than 1,000 people at Twitter had ability to aid hack of accounts[…]

More than 1,000 unsecured databases so far have been permanently deleted in an ongoing attack that leaves the word “meow” as its only calling card, according to Internet searches over the past day. The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details Read more about Ongoing Meow attack has nuked >4,000 MongoDB and Elastic databases with default settings left on[…]

Garmin’s Connect service has been down for more than seven hours today to the frustration of fitness enthusiasts keen to upload running times or synchronise with other services such as Strava. So, too, is the company’s web shop and support forums. Users have expressed obvious concern that such an extended outage is indicative of a Read more about Fitness freaks flummoxed as massive global Garmin outage leaves them high and dry for hours[…]

The personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service as recently as yesterday. As of Wednesday, sellers Read more about Instacart Customers’ Data Is Being Sold Online, but Instacart has it’s fingers in it’s ears, pretends nothing is wrong[…]

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to Read more about Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet[…]

Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack. Hackers Read more about Zoom fixed a vanity URL issue that could have led to phishing attacks[…]

Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP’s NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization. The bug, CVE-2020-6287, is a lack of proper authentication in NetWeaver. This Read more about So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You’ll want to patch this[…]

In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers. By infiltrating the platform, Encrochat, police across Europe gained access to a hundred million encrypted messages. In the UK, those messages helped officials arrest 746 suspects, seize £54 Read more about European police hacked encrypted phones used by thousands of criminals[…]

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug. Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take Read more about Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution[…]

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor. Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the Read more about Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public[…]

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 Read more about Massive spying on users of Google’s Chrome shows new security weakness[…]

Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not. The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next Read more about Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…[…]

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download. Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records. Data Read more about 845GB of racy dating app records exposed to entire internet via leaky AWS buckets[…]

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers’ letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around Read more about Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires[…]

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports. The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.” Some Read more about Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers[…]