UK becomes first country to ban default bad passwords on IoT devices

[…] On Monday, the United Kingdom became the first country in the world to ban default guessable usernames and passwords from these IoT devices. Unique passwords installed by default are still permitted. The Product Security and Telecommunications Infrastructure Act 2022 (PSTI) introduces new minimum-security standards for manufacturers, and demands that these companies are open with Read more about UK becomes first country to ban default bad passwords on IoT devices[…]

Apple’s ‘incredibly private’ Safari not so private in Europe, allows

Apple’s grudging accommodation of European antitrust rules by allowing third-party app stores on iPhones has left users of its Safari browser exposed to potential web activity tracking. Developers Talal Haj Bakry and Tommy Mysk looked into the way Apple implemented the installation process for third-party software marketplaces on iOS with Safari, and concluded Cupertino’s approach Read more about Apple’s ‘incredibly private’ Safari not so private in Europe, allows[…]

CSS allows HTML emails to change their content after they have been forwarded

[…] The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email Read more about CSS allows HTML emails to change their content after they have been forwarded[…]

Intel CPUs still vulnerable to Spectre attack

[…] We’re told mitigations put in place at the software and silicon level by the x86 giant to thwart Spectre-style exploitation of its processors’ speculative execution can be bypassed, allowing malware or rogue users on a vulnerable machine to steal sensitive information – such as passwords and keys – out of kernel memory and other Read more about Intel CPUs still vulnerable to Spectre attack[…]

Critical bugs in LG TVs could allow complete device takeover

A handful of bugs in LG smart TVs running WebOS could allow an attacker to bypass authorization and gain root access on the device. Once they have gained root, your TV essentially belongs to the intruder who can use that access to do all sorts of nefarious things including moving laterally through your home network, Read more about Critical bugs in LG TVs could allow complete device takeover[…]

In-app browsers still a privacy, security, and choice issue

[…] Open Web Advocacy (OWA), a group that supports open web standards and fair competition, said in a post on Tuesday that representatives “recently met with both the [EU’s] Digital Markets Act team and the UK’s Market Investigation Reference into Cloud Gaming and Browsers team to discuss how tech giants are subverting users’ choice of Read more about In-app browsers still a privacy, security, and choice issue[…]

GitHub’s new AI-powered tool auto-fixes vulnerabilities in your code

GitHub introduced a new AI-powered feature capable of speeding up vulnerability fixes while coding. This feature is in public beta and automatically enabled on all private repositories for GitHub Advanced Security (GHAS) customers. Known as Code Scanning Autofix and powered by GitHub Copilot and CodeQL, it helps deal with over 90% of alert types in JavaScript, Read more about GitHub’s new AI-powered tool auto-fixes vulnerabilities in your code[…]

Italy’s Piracy Shield Blocks Innocent Web Sites, Makes It Hard For Them To Appeal so ISPs are ignoring the law because it’s stupid

Italy’s newly-installed Piracy Shield system, put in place by the country’s national telecoms regulator, Autorità per le Garanzie nelle Comunicazioni (Authority for Communications Guarantees, AGCOM), is already failing in significant ways. One issue became evident in February, when the VPN provider AirVPN announced that it would no longer accept users resident in Italy because of the “burdensome” requirements Read more about Italy’s Piracy Shield Blocks Innocent Web Sites, Makes It Hard For Them To Appeal so ISPs are ignoring the law because it’s stupid[…]

Commercial Bank of Ethiopia glitch lets customers withdraw millions

Ethiopia’s biggest commercial bank is scrambling to recoup large sums of money withdrawn by customers after a “systems glitch”. The customers discovered early on Saturday that they could take out more cash than they had in their accounts at the Commercial Bank of Ethiopia (CBE). More than $40m (£31m) was withdrawn or transferred to other Read more about Commercial Bank of Ethiopia glitch lets customers withdraw millions[…]

VPN Demand Surges 234.8% After Adult Site Restriction on Texas-Based Users

VPN demand in Texas skyrocketed by 234.8% on March 15, 2024, after state authorities enacted a law requiring adult sites to verify users’ ages before granting them access to the websites’ content. Texas’ age verification law was passed in June 2023 and was set to take effect in September of the same year. However, a Read more about VPN Demand Surges 234.8% After Adult Site Restriction on Texas-Based Users[…]

Under New Management Detects when your extensions have changed owners

Intermittenty checks your installed extensions to see if the developer information listed on the Chrome Web Store or Firefox Addons store has changed. If anything is different, the extension icon will display a red badge, alerting you to the change. Why is this needed? Extension developers are constantly getting offers to buy their extensions. In Read more about Under New Management Detects when your extensions have changed owners[…]

How to Prevent X’s Audio and Video Calls Feature From Revealing Your IP Address – wait it reveals your IP address :O – wait… of course, it’s a Musk thing

[…] X began rolling out the audio and video calling feature, which was previously restricted to paid users, to everyone last week. However, hawk-eyed sleuths quickly noticed that the feature was automatically turned on, meaning that users had to manually go to their settings to turn it off. Only your mutuals or someone you’ve exchanged Read more about How to Prevent X’s Audio and Video Calls Feature From Revealing Your IP Address – wait it reveals your IP address :O – wait… of course, it’s a Musk thing[…]

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

[…] Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights Read more about Hackers exploited Windows 0-day for 6 months after Microsoft knew of it[…]

VMware sandbox escape bugs are so critical, patches are released for end-of-life products – also, remove all your USB products now

VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—are serious because they Read more about VMware sandbox escape bugs are so critical, patches are released for end-of-life products – also, remove all your USB products now[…]

Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.

The Vietnamese government will begin collecting biometric information from its citizens for identification purposes beginning in July this year. Prime minister Pham Minh Chinh instructed the nation’s Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam’s Law on Citizen Read more about Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.[…]

Wyze says camera breach let 13,000 customers briefly see into other people’s homes

Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were able to briefly see into a stranger’s property because they were shown an image from someone else’s Wyze camera. Now we’re being told that number of affected customers has ballooned to 13,000. The revelation came from an email Read more about Wyze says camera breach let 13,000 customers briefly see into other people’s homes[…]

livall smart helmets

Whoops: ‘Smart’ Livall Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers

[,,,] a company named Livall makes “smart” bike helmets for skiers and cyclists that includes features like auto-fall detection, GPS location monitoring, and integrated braking lights. The problem: the company apparently didn’t spend enough time securing the company’s app, allowing pretty much anybody to listen in on and track the precise location data of a Read more about Whoops: ‘Smart’ Livall Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers[…]

‘World’s biggest casino’ app Winstar exposed customers’ personal data: developer Dexia didn’t secure the db.

Oklahoma-based WinStar bills itself as the “world’s biggest casino” by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings. The app is developed by a Nevada software startup called Dexiga. The Read more about ‘World’s biggest casino’ app Winstar exposed customers’ personal data: developer Dexia didn’t secure the db.[…]

Canada Moves to Ban the Flipper Zero Over Car Hacking Fears – instead of requiring good security on Cars

On Thursday, following a summit that focused on “the growing challenge of auto theft in Canada,” the country’s Minister of Innovation, Science and Industry posted a statement on X, saying “Criminals have been using sophisticated tools to steal cars…Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, Read more about Canada Moves to Ban the Flipper Zero Over Car Hacking Fears – instead of requiring good security on Cars[…]

Mercedes-Benz source code exposed by leaving private key online

Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the Read more about Mercedes-Benz source code exposed by leaving private key online[…]

Dutch COVID-19 testing firm Coronalab exposed 1.3 million patient records

A password-less database containing an estimated 1.3 million sets of Dutch COVID-19 testing records was left exposed to the open internet, and it’s not clear if anyone is taking responsibility. Among the information revealed in the publicly accessible and seemingly insecurely configured database were 118,441 coronavirus test certificates, 506,663 appointment records, 660,173 testing samples and Read more about Dutch COVID-19 testing firm Coronalab exposed 1.3 million patient records[…]

triangulation exploit chain

All Apples Wide open for 4 years, Kaspersky security company and many others in Moscow opened wide – photos, location, mic, etc – just by sending them an imessage. Shows how dangerous closed source is.

[…] after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don’t know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM’s CoreSight   Further Reading “Clickless” Read more about All Apples Wide open for 4 years, Kaspersky security company and many others in Moscow opened wide – photos, location, mic, etc – just by sending them an imessage. Shows how dangerous closed source is.[…]

1M non-profit donors PII exposed by unsecured DonorView database

Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database. The database is owned and operated by DonorView – provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and other groups focused on charitable or philanthropic goals. Infosec Read more about 1M non-profit donors PII exposed by unsecured DonorView database[…]

Bad genes: 23andMe leak highlights a possible future of genetic discrimination

23andMe is a terrific concept. In essence, the company takes a sample of your DNA and tells you about your genetic makeup. For some of us, this is the only way to learn about our heritage. Spotty records, diaspora, mistaken family lore and slavery can make tracing one’s roots incredibly difficult by traditional methods. What Read more about Bad genes: 23andMe leak highlights a possible future of genetic discrimination[…]

Your mobile password manager might be exposing your credentials because of Webview

A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and Read more about Your mobile password manager might be exposing your credentials because of Webview[…]