Facebook’s answer to the encryption debate: install spyware with content filters! (updated: maybe not)

The encryption debate is typically framed around the concept of an impenetrable link connecting two services whose communications the government wishes to monitor. The reality, of course, is that the security of that encryption link is entirely separate from the security of the devices it connects. The ability of encryption to shield a user’s communications Read more about Facebook’s answer to the encryption debate: install spyware with content filters! (updated: maybe not)[…]

Robinhood fintech app admits to storing some passwords in cleartext

Stock trading service Robinhood has admitted today to storing some customers’ passwords in cleartext, according to emails the company has been sending to impacted customers, and seen by ZDNet. “On Monday night, we discovered that some user credentials were stored in a readable format within our internal system,” the company said. “We resolved the issue, Read more about Robinhood fintech app admits to storing some passwords in cleartext[…]

Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?

In June 2017, the notorious file-scrambling software nasty NotPetya caused global havoc that affected government agencies, power suppliers, healthcare providers and big biz. The ransomware sought out vulnerabilities and used a modified version of the NSA’s leaked EternalBlue SMB exploit, generating one of the most financially costly cyber-attacks to date. Among the victims was US Read more about Cyberlaw wonks squint at NotPetya insurance smackdown: Should ‘war exclusion’ clauses apply to network hacks?[…]

Apple removes Zoom’s dodgy hidden web server on your Mac without telling you – shows who really pwns your machine

Apple has pushed a silent update to Macs, disabling the hidden web server installed by the popular Zoom web-conferencing software. A security researcher this week went public with his finding that the mechanism used to bypass a Safari prompt before entering a Zoom conference was a hidden local web server. Jonathan Leitschuh focused largely on Read more about Apple removes Zoom’s dodgy hidden web server on your Mac without telling you – shows who really pwns your machine[…]

Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping

Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening. Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made. Read more about Apple disables Walkie Talkie app due to vulnerability that could allow iPhone eavesdropping[…]

Over 90 Million Records Leaked by Chinese Public Security Department

A publicly accessible and unsecured ElasticSearch server owned by the Jiangsu Provincial Public Security Department of the Chinese province Jiangsu leaked two databases containing over 90 million people and business records. Jiangsu (江苏省) is an eastern-central coastal Chinese province with a population of over 80 million and an urban population of more than 55 million accounting for 68.76% of Read more about Over 90 Million Records Leaked by Chinese Public Security Department[…]

Magento webshop Automated Magecart Campaign Hits Over 960 Breached Stores

A large-scale payment card skimming campaign that successfully breached 962 e-commerce stores was discovered today by Magento security research company Sanguine Security. The campaign seems to be automated according to Sanguine Security researcher Willem de Groot who told BleepingComputer that the card skimming script was added within a 24-hour timeframe. “It would be nearly impossible to breach 960+ Read more about Magento webshop Automated Magecart Campaign Hits Over 960 Breached Stores[…]

Serious Security Flaw With Teleconferencing App Zoom Allows Websites to Hijack Mac Webcams – and you can’t fix it by uninstalling

On Monday, security researcher Jonathan Leitschuh publicly disclosed a serious zero-day vulnerability in conferencing software Zoom—which apparently achieves its click-to-join feature, which allows users to go directly to a video meeting from a browser link, on Mac computers by installing a local web server running as a background process that “accepts requests regular browsers wouldn’t,” Read more about Serious Security Flaw With Teleconferencing App Zoom Allows Websites to Hijack Mac Webcams – and you can’t fix it by uninstalling[…]

More than 1,000 Android apps harvest data even after you deny permissions

Permissions on Android apps are intended to be gatekeepers for how much data your device gives up. If you don’t want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered Read more about More than 1,000 Android apps harvest data even after you deny permissions[…]

Fake Samsung firmware update app tricks more than 10 million Android users

Over ten million users have been duped in installing a fake Samsung app named “Updates for Samsung” that promises firmware updates, but, in reality, redirects users to an ad-filled website and charges for firmware downloads. “I have contacted the Google Play Store and asked them to consider removing this app,” Aleksejs Kuprins, malware analyst at Read more about Fake Samsung firmware update app tricks more than 10 million Android users[…]

OpenPGP Certificate Attack Worries Experts, due to same symptoms bothering other Open Source projects – not enough contributors

There’s an interesting and troubling attack happening to some people involved in the OpenPGP community that makes their certificates unusable and can essentially break the OpenPGP implementation of anyone who tries to import one of the certificates. The attack is quite simple and doesn’t exploit any technical vulnerabilities in the OpenPGP software, but instead takes Read more about OpenPGP Certificate Attack Worries Experts, due to same symptoms bothering other Open Source projects – not enough contributors[…]

Microsoft Issues Warning For 50M Windows 10 Users – VPNs are now broken

Windows 10 continues to be a danger zone. Not only have problems been piling up in recent weeks, Microsoft has also been worryingly deceptive about the operation of key services. And now the company has warned millions about another problem. Spotted by the always excellent Windows Latest, Microsoft has told tens of millions of Windows Read more about Microsoft Issues Warning For 50M Windows 10 Users – VPNs are now broken[…]

Facebook, Instragram, Whatsapp, Oculus, Google Cloud go down and Cloudflare reroutes large portions of the internet to nothing – twice

Facebook resolves day-long outages across Instagram, WhatsApp, and Messenger Facebook had problems loading images, videos, and other data across its apps today, leaving some people unable to load photos in the Facebook News Feed, view stories on Instagram, or send messages in WhatsApp. Facebook said earlier today it was aware of the issues and was Read more about Facebook, Instragram, Whatsapp, Oculus, Google Cloud go down and Cloudflare reroutes large portions of the internet to nothing – twice[…]

Cop a load of this: 1TB of police body camera videos found lounging around public databases

In yet another example of absent security controls, troves of police body camera footage were left open to the world for anyone to siphon off, according to an infosec biz. Jasun Tate, CEO of Black Alchemy Solutions Group, told The Register on Monday he and his team had identified about a terabyte of officer body Read more about Cop a load of this: 1TB of police body camera videos found lounging around public databases[…]

Sting Catches Another Ransomware Firm Negotiating With “Hackers” when claiming to decrypt

ProPublica recently reported that two U.S. firms, which professed to use their own data recovery methods to help ransomware victims regain access to infected files, instead paid the hackers. Now there’s new evidence that a U.K. firm takes a similar approach. Fabian Wosar, a cyber security researcher, told ProPublica this month that, in a sting Read more about Sting Catches Another Ransomware Firm Negotiating With “Hackers” when claiming to decrypt[…]

8 of worlds top tech companies pwned for years by China

Eight of the world’s biggest technology service providers were hacked by Chinese cyber spies in an elaborate and years-long invasion, Reuters found. The invasion exploited weaknesses in those companies, their customers, and the Western system of technological defense. […] The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that Read more about 8 of worlds top tech companies pwned for years by China[…]

BGP super-blunder: How Verizon today sparked a ‘cascading catastrophic failure’ that knackered Cloudflare, Amazon, etc

Verizon sent a big chunk of the internet down a black hole this morning – and caused outages at Cloudflare, Facebook, Amazon, and others – after it wrongly accepted a network misconfiguration from a small ISP in Pennsylvania, USA. For nearly three hours, web traffic that was supposed to go to some of the biggest Read more about BGP super-blunder: How Verizon today sparked a ‘cascading catastrophic failure’ that knackered Cloudflare, Amazon, etc[…]

When Myspace Was King, Employees Abused a Tool Called ‘Overlord’ to Spy on Users

During the social network’s heyday, multiple Myspace employees abused an internal company tool to spy on users, in some cases including ex-partners, Motherboard has learned. Named ‘Overlord,’ the tool allowed employees to see users’ passwords and their messages, according to multiple former employees. While the tool was originally designed to help moderate the platform and Read more about When Myspace Was King, Employees Abused a Tool Called ‘Overlord’ to Spy on Users[…]

Meds prescriptions for 78,000 patients left in a database with no password

A MongoDB database was left open on the internet without a password, and by doing so, exposed the personal details and prescription information for more than 78,000 US patients. The leaky database was discovered by the security team at vpnMentor, led by Noam Rotem and Ran Locar, who shared their findings exclusively with ZDNet earlier Read more about Meds prescriptions for 78,000 patients left in a database with no password[…]

Hack of U.S. Border Surveillance Contractor Is Way Bigger Than the Government Lets On

Even as Homeland Security officials have attempted to downplay the impact of a security intrusion that reached deep into the network of a federal surveillance contractor, secret documents, handbooks, and slides concerning surveillance technology deployed along U.S. borders are being widely and openly shared online. A terabyte of torrents seeded by Distributed Denial of Secrets Read more about Hack of U.S. Border Surveillance Contractor Is Way Bigger Than the Government Lets On[…]

Millions of Dell PCs Vulnerable to Flaw in SupportAssist software

Millions of PCs made by Dell and other OEMs are vulnerable to a flaw stemming from a component in pre-installed SupportAssist software. The flaw could enable a remote attacker to completely takeover affected devices. The high-severity vulnerability (CVE-2019-12280) stems from a component in SupportAssist, a proactive monitoring software pre-installed on PCs with automatic failure detection and Read more about Millions of Dell PCs Vulnerable to Flaw in SupportAssist software[…]

Google Calendar was down for hours after major outage

Google Calendar was down for users around the world for nearly three hours earlier today. Calendar users trying to access the service were met with a 404 error message through a browser from around 10AM ET until around 12:40PM ET. Google’s Calendar service dashboard now reveals that issues should be resolved for everyone within the Read more about Google Calendar was down for hours after major outage[…]

HackerOne Reveals Which Security Bugs Are Making Its Army of Hackers the Most Bank

As far back as 2015, major companies like Sony and Intel have sought to crowdsource efforts to secure their systems and applications through the San Francisco startup HackerOne. Through the “bug bounty” program offered by the company, hackers once viewed as a nuisance—or worse, as criminals—can identify security vulnerabilities and get paid for their work. Read more about HackerOne Reveals Which Security Bugs Are Making Its Army of Hackers the Most Bank[…]

The Biggest Data Breach Archive on the Internet Is for Sale

The well-known and respected data breach notification website “Have I Been Pwned” is up for sale. Troy Hunt, its founder and sole operator, announced the sale on Tuesday in a blog post where he explained why the time has come for Have I Been Pwned to become part of something bigger and more organized. “To Read more about The Biggest Data Breach Archive on the Internet Is for Sale[…]

You won’t guess where European mobile data was rerouted for two hours. Oh. You can. Yes, it was China Telecom

On June 6, more than 70,000 BGP routes were leaked from Swiss colocation company Safe Host to China Telecom in Frankfurt, Germany, which then announced them on the global internet. This resulted in a massive rerouting of internet traffic via China Telecom systems in Europe, disrupting connectivity for netizens: a lot of data that should Read more about You won’t guess where European mobile data was rerouted for two hours. Oh. You can. Yes, it was China Telecom[…]