In a first, researchers extract secret key used to encrypt Intel CPU code

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured. The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of Read more about In a first, researchers extract secret key used to encrypt Intel CPU code[…]

NSA: foreign spies used one of our crypto backdoors – we learnt some lessons but we lost them

It’s said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report. On Wednesday, Reuters reporter Joseph Menn published an account Read more about NSA: foreign spies used one of our crypto backdoors – we learnt some lessons but we lost them[…]

‘Classified knots’: Researchers create optical framed knots to encode information

In a world first, researchers from the University of Ottawa in collaboration with Israeli scientists have been able to create optical framed knots in the laboratory that could potentially be applied in modern technologies. Their work opens the door to new methods of distributing secret cryptographic keys—used to encrypt and decrypt data, ensure secure communication Read more about ‘Classified knots’: Researchers create optical framed knots to encode information[…]

Facebook Login Issues Are Locking Oculus Quest 2 Owners Out of Their Devices, turning them into paperweights

Owners of the brand-new Oculus Quest 2—the first VR headset which requires a Facebook account to use—are finding themselves screwed out of their new purchases by Facebook’s account verification system. As first reported by UploadVR this week, some Oculus 2 owners are finding that Facebook’s reportedly AI-powered account verification system is demanding some users upload Read more about Facebook Login Issues Are Locking Oculus Quest 2 Owners Out of Their Devices, turning them into paperweights[…]

Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a Read more about Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts[…]

Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon

Apple’s T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in conjunction with Read more about Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon[…]

Listening in on your XR11 remote from 20m away

Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room. Prior to its remediation by Comcast, the attack, dubbed WarezTheRemote, was a very real security threat: with more than 18 million units deployed Read more about Listening in on your XR11 remote from 20m away[…]

Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are

Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app/API Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas Precise user Read more about Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are[…]

Grindr security flaw let anyone take over any accounts easily

Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address. Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. Read more about Grindr security flaw let anyone take over any accounts easily[…]

Google App Engine feature abused to create unlimited phishing pages

A newly discovered technique by a researcher shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google’s servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing Read more about Google App Engine feature abused to create unlimited phishing pages[…]

Twitter warns of possible API keys leak through browser caching

Twitter is notifying developers today about a possible security incident that may have impacted their accounts. The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers. The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their Read more about Twitter warns of possible API keys leak through browser caching[…]

Some managed Netgear switches suddenly need a cloud account to use its full UI. Also may not update security. Time to change vendor.

Netgear has decided that users of some of its managed network switches don’t need access to the equipment’s full user interface – unless they register their details with Netgear first. For instance, owners of its 64W Power-over-Ethernet eight-port managed gigabit switch GC108P, and its 126W variant GC108PP, need to hand over information about themselves to Read more about Some managed Netgear switches suddenly need a cloud account to use its full UI. Also may not update security. Time to change vendor.[…]

Microsoft Sysmon now logs data copied to the Windows Clipboard

Microsoft has released Sysmon 12, and it comes with a useful feature that logs and captures any data added to the Windows Clipboard. This feature can help system administrators and incident responders track the activities of malicious actors who compromised a system. Those not familiar with Sysmon, otherwise known as System Monitor, it is a Read more about Microsoft Sysmon now logs data copied to the Windows Clipboard[…]

Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint. Secura’s security expert Tom Tervoort previously discovered a Read more about Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)[…]

Private data gone public: Razer leaks 100,000+ gamers’ personal info

In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers’ PII (Personal Identifiable Information). The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit Read more about Private data gone public: Razer leaks 100,000+ gamers’ personal info[…]

Shenzhen Zhenua Data Leak – high profile international contacts database kept by Chinese leaked

The database built by Shenzhen Zhenhua from a variety of sources is technically complex using very advanced language, targeting, and classification tools. Shenzhen Zhenhua claims to work with, and our research supports, Chinese intelligence, military, and security agencies use the open information environment we in open liberal democracies take for granted to target individuals and Read more about Shenzhen Zhenua Data Leak – high profile international contacts database kept by Chinese leaked[…]

Three middle-aged Dutch hackers slipped into Donald Trump’s Twitter account days before 2016 US election

Three “grumpy old hackers” in the Netherlands managed to access Donald Trump’s Twitter account in 2016 by extracting his password from the 2012 Linkedin hack. The pseudonymous, middle-aged chaps, named only as Edwin, Mattijs and Victor, told reporters they had lifted Trump’s particulars from a database that was being passed about hackers, and tried it Read more about Three middle-aged Dutch hackers slipped into Donald Trump’s Twitter account days before 2016 US election[…]

BlindSide: Watch speculative memory probing bypass kernel defenses, give malware root control

Boffins in America, the Netherlands, and Switzerland have devised a Spectre-style attack on modern processors that can defeat defenses that are supposed to stop malicious software from hijacking a computer’s operating system. The end result is exploit code able to bypass a crucial protection mechanism and take over a device to hand over root access. Read more about BlindSide: Watch speculative memory probing bypass kernel defenses, give malware root control[…]

Hacked Windows 10 Themes Can Swipe Your Microsoft Login

Windows 10 users can customize their desktops with unique themes, and are able to create and share those themes with others. Hackers can also use them to steal your credentials. A flaw in Windows 10’s theme-creation feature lets hackers modify custom themes that, once installed, trick users into passing over their Microsoft account name and Read more about Hacked Windows 10 Themes Can Swipe Your Microsoft Login[…]

Security Risks Revolving the 2020 US Presidential Elections | Techwarn.com

The coronavirus pandemic has forced people around the globe to temporarily modify the ways they go about activities. Activities like these include political elections and campaigning. Since the virus hit in an election year, it’s highly likely new measures will be taken to prevent mass gatherings during voting. Infection rates aren’t likely to drop any Read more about Security Risks Revolving the 2020 US Presidential Elections | Techwarn.com[…]

7 years later, US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway

The United States Court of Appeals for the Ninth Circuit has ruled [PDF] that the National Security Agency’s phone-call slurping was indeed naughty, seven years after former contractor Edward Snowden blew the whistle on the tawdry affair. It’s been a long time coming, and while some might view the decision as a slap for officials Read more about 7 years later, US court deems NSA bulk phone-call snooping illegal, possibly unconstitutional, and probably pointless anyway[…]

Facebook finally joins responsible disclosure for bugs they find

Facebook has published its first Vulnerability Disclosure Policy and given itself grounds to blab the existence of bugs to the world if it thinks that’s the right thing to do. “Facebook may occasionally find critical security bugs or vulnerabilities in third-party code and systems, including open source software,” the company writes. “When that happens, our Read more about Facebook finally joins responsible disclosure for bugs they find[…]

A Gmail and Google Drive outage is causing errors around the world – yay cloud!

Can’t send something on Gmail? If so then you’re in good company, ever since about midnight ET, people have been complaining about issues connecting to many of the G suite services, but especially Gmail. The Google apps status page just updated to confirm they’ve received reports of an issue with Gmail and Google Drive, while Read more about A Gmail and Google Drive outage is causing errors around the world – yay cloud![…]

AI Company Leaks Over 2.5M Medical Records

A security researcher has detailed how an artificial intelligence company in possession of nearly 2.6 million medical records allowed them to be publicly visible on the internet. It’s a clear reminder that our personal health data is not safe. As Secure Thoughts reports, on July 7 security researcher Jeremiah Fowler discovered two folders of medical Read more about AI Company Leaks Over 2.5M Medical Records[…]

Trusting OpenPGP and S/Mime with your email secrets? You might want to rethink that

Boffins testing the security of OpenPGP and S/MIME, two end-to-end encryption schemes for email, recently found multiple vulnerabilities in the way email client software deals with certificates and key exchange mechanisms. They found that five out of 18 OpenPGP-capable email clients and six out of 18 S/MIME-capable clients are vulnerable to at least one attack. Read more about Trusting OpenPGP and S/Mime with your email secrets? You might want to rethink that[…]