Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system

A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system. A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a Read more about Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system[…]

Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud!

Adobe technicians scrambled on Wednesday to restore multiple cloud services after a severe outage left customers stranded. Starting around 0600 PDT (1300 UTC) Adobe’s status board began lighting up with red outage notifications. At the time this article was written, 13 major issues were ongoing and five had been resolved. By issues, Adobe means people Read more about Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud![…]

Qatar’s contact tracing app put over one million people’s info at risk

Contact tracing apps have the potential to slow the spread of COVID-19. But without proper security safeguards, some fear they could put users’ data and sensitive info at risk. Until now, that threat has been theoretical. Today, Amnesty International reports that a flaw in Qatar’s contact tracing app put the personal information of more than Read more about Qatar’s contact tracing app put over one million people’s info at risk[…]

Samsung launches stand alone mobile security chip

Samsung will launch a new standalone turnkey security chip to protect mobile devices, the company announced today. The chip, which has the said-once-never-forgotten name “S3FV9RR” – aka the Mobile SE Guardian 4 – is a follow-up to the dedicated security silicon baked into the Galaxy S20 smartphone series launched in February 2020. The new chip Read more about Samsung launches stand alone mobile security chip[…]

New Spectra attack breaks the separation between Wi-Fi and Bluetooth

Called Spectra, this attack works against “combo chips,” specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others. “Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access,” the research team said Read more about New Spectra attack breaks the separation between Wi-Fi and Bluetooth[…]

Nextdoor Building Relationships With Law Enforcement whilst racially profiling

Community platform Nextdoor is courting police across the country, creating concerns among civil rights and privacy advocates who worry about possible conflicts of interest, over-reporting of crime, and the platform’s record of racial profiling, per a Thursday report by CityLab. That effort included an all-expenses-paid meeting in San Francisco with members of Nextdoor’s Public Agencies Read more about Nextdoor Building Relationships With Law Enforcement whilst racially profiling[…]

DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline

Dubbed NXNSAttack, the flaw [PDF] can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds by sending a lot of data to a victim’s server. If you have an army of hacked PCs or devices – a botnet – at Read more about DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline[…]

Rogue ADT tech spied on hundreds of customers in their homes via CCTV – teen girls, young mums repeatedly watched

A technician at ADT remotely accessed hundreds of customers’ CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted. At least one of the victims was a teenage girl, and another a young mother, according to court filings. Last month, an ADT customer in Dallas, Texas, spotted and reported an Read more about Rogue ADT tech spied on hundreds of customers in their homes via CCTV – teen girls, young mums repeatedly watched[…]

EasyJet admits data of nine million hacked

EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers. It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”. The firm has informed the UK’s Information Commissioner’s Office while it investigates the breach. EasyJet first became Read more about EasyJet admits data of nine million hacked[…]

Social Security numbers, banking information left unprotected on Arkansas Unemployement Assistance website

A computer programmer applying for unemployment on Arkansas’s Pandemic Unemployment Assistance program discovered a vulnerability in the system that exposed the Social Security numbers, bank account and routing numbers and other sensitive information of some 30,000 applicants. Anyone with basic computer knowledge could have accessed personal information for malicious purposes. Alarmed, the computer programmer called Read more about Social Security numbers, banking information left unprotected on Arkansas Unemployement Assistance website[…]

Samsung Surprise As World’s First Smartphone With Quantum Hardware Technology Launches May 22

an announcement from Samsung and Korean provider SK Telecom that the world’s first 5G smartphone complete with a quantum random number generator (QRNG) is due to launch next week. The current Samsung Galaxy flagship S20 series all come with a new secure element security solution including a dedicated security chip that can prevent hackers from Read more about Samsung Surprise As World’s First Smartphone With Quantum Hardware Technology Launches May 22[…]

Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off

Britain’s Ministry of Defence contractor Interserve has been hacked, reportedly leaking the details of up to 100,000 of past and current employees, including payment information and details of their next of kin. The Daily Telegraph reports that up to 100,000 employee details were stolen, dating back across a number of years. Interserve currently employs around Read more about Brit defense contractor Interserve hacked, up to 100,000 past and present employees’ details siphoned off[…]

Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases

Security researchers at Comparitech have reported that an estimated 24,000 Android apps are leaking user data because of misconfigured Firebase databases. Firebase is a popular backend service with SDKs for multiple platforms, including Android, iOS, web, C++ and Unity (for games). Features include two NoSQL database managers, Cloud Firestore and the older Realtime Database. Data Read more about Researchers spot thousands of Android apps leaking user data through misconfigured Firebase databases[…]

PrintDemon vulnerability impacts all Windows versions | ZDNet

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996. The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations. The service can Read more about PrintDemon vulnerability impacts all Windows versions | ZDNet[…]

Cognizant expects to lose between $50m and $70m following ransomware attack

IT services provider Cognizant said in an earnings call this week that a ransomware incident that took place last month in April 2020 will negatively impact its Q2 revenue. “While we anticipate that the revenue impact related to this issue will be largely resolved by the middle of the quarter, we do anticipate the revenue Read more about Cognizant expects to lose between $50m and $70m following ransomware attack[…]

One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch

Samsung has patched a serious security hole in its smartphones that can be exploited by maliciously crafted text messages to hijack devices. It appears no user interaction is required: if Samsung’s messaging app bundled with phones since 2015 receives a booby-trapped MMS, it will parse it automatically before the user even opens it. This will Read more about One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch[…]

GitHub blasts code-scanning tool into all open-source projects

GitHub has made its automated code-scanning tools available to all open-source projects free of charge. The aim, said the code repo house, is to help developers suss out potential security vulnerabilities ahead of time, and to do so at a scale that will work for both small and large projects. The feature, based on the Read more about GitHub blasts code-scanning tool into all open-source projects[…]

Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

There’s a hacker/security researcher with the Twitter handle GreenTheOnly that has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a Model X MCU unit. Read more about Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset[…]

Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers

Not only can malicious people make airliners climb and dive without pilot input – they can also control where and when they do so, research from Pen Test Partners (PTP) has found. TCAS spoofing, the practice of fooling collision detection systems aboard airliners, can be controlled to precisely determine whether an airliner fitted with TCAS Read more about Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers[…]

OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit…

Israeli cyber-security side-channel expert Mordechai Guri has devised a way to pilfer data from devices that have been air-gapped and silenced. Organizations with extreme security needs may keep certain computer hardware disconnected from any network, a practice known as air-gapping, to preclude the possibility of miscreants hacking in from compromised systems on the network, or Read more about OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit…[…]

Antwerpen Uni bans video app Zoom – city of Antwerp is stupid enough to keep using it

De Universiteit Antwerpen verbiedt het gebruik van videobelapp Zoom. De applicatie zou niet veilig genoeg en de universiteit wil geen risico’s nemen nadat men vorig jaar al eens het slachtoffer is geworden van een cyberaanval. Ook Google en de Amerikaanse ruimtevaartorganisatie NASA namen onlangs het besluit om Zoom niet meer te gebruiken. Bij de stad Read more about Antwerpen Uni bans video app Zoom – city of Antwerp is stupid enough to keep using it[…]

annoying Netsweeper internet filter comes with a pre-auth remote-command execution hole and there’s no patch

Netsweeper’s internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now. For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It’s aimed at parents, schools, government offices, and Read more about annoying Netsweeper internet filter comes with a pre-auth remote-command execution hole and there’s no patch[…]

NSO Employee Abused Phone Hacking Tech to Target a Love Interest

An employee of controversial surveillance vendor NSO Group abused access to the company’s powerful hacking technology to target a love interest, Motherboard has learned. The previously unreported news is a serious abuse of NSO’s products, which are typically used by law enforcement and intelligence agencies. The episode also highlights that potent surveillance technology such as Read more about NSO Employee Abused Phone Hacking Tech to Target a Love Interest[…]

We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit

A vulnerability existed in Microsoft’s Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim. The pwn-with-GIF vuln was possible, said Cyberark, thanks to two compromisable Microsoft subdomains along with a carefully crafted animated image file. Although it was a responsibly Read more about We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit[…]

Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard

In a blunder described as “astonishing and worrying,” Sheffield City Council’s automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal. The ANPR camera system’s internal management dashboard could be accessed by simply entering its IP address into a web browser. Read more about Nine million logs of Brits’ road journeys spill onto the internet from password-less number-plate camera dashboard[…]