1M non-profit donors PII exposed by unsecured DonorView database

Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database. The database is owned and operated by DonorView – provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and other groups focused on charitable or philanthropic goals. Infosec Read more about 1M non-profit donors PII exposed by unsecured DonorView database[…]

Bad genes: 23andMe leak highlights a possible future of genetic discrimination

23andMe is a terrific concept. In essence, the company takes a sample of your DNA and tells you about your genetic makeup. For some of us, this is the only way to learn about our heritage. Spotty records, diaspora, mistaken family lore and slavery can make tracing one’s roots incredibly difficult by traditional methods. What Read more about Bad genes: 23andMe leak highlights a possible future of genetic discrimination[…]

Your mobile password manager might be exposing your credentials because of Webview

A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and Read more about Your mobile password manager might be exposing your credentials because of Webview[…]

Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We’re told the attacks – which are usable against servers running the default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers – don’t Read more about Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets[…]

Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack

“Researchers have identified a large number of bugs to do with the processing of images at boot time,” writes longtime Slashdot reader jd. “This allows malicious code to be installed undetectably (since the image doesn’t have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are Read more about Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack[…]

3 Vulns expose ownCloud admin passwords, sensitive data

ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score. The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys. Tracked as CVE-2023-49103, the vulnerability carries a maximum severity rating of 10 Read more about 3 Vulns expose ownCloud admin passwords, sensitive data[…]

Windows users report appearance of unwanted HP app – shows you how secure automatic updating is (with no real information about what is in the updates)

Windows users are reporting that Hewlett Packard’s HP Smart application is appearing on their systems, despite them not having any of the manufacturer’s hardware attached. While Microsoft has remained tight-lipped on what is happening, folks on various social media platforms noted the app’s appearance, which seems to afflict both Windows 10 and Windows 11. The Read more about Windows users report appearance of unwanted HP app – shows you how secure automatic updating is (with no real information about what is in the updates)[…]

In a first, cryptographic keys protecting SSH connections stolen in new attack

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established. Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion Read more about In a first, cryptographic keys protecting SSH connections stolen in new attack[…]

European digital identity: Council and Parliament reach a provisional agreement on eID

[…] Under the new law, member states will offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g., driving licence, diplomas, bank account). Citizens will be able to prove their identity and share electronic documents from their digital wallets with a click Read more about European digital identity: Council and Parliament reach a provisional agreement on eID[…]

Cisco Can’t Stop Using Hard-Coded Passwords

There’s a new Cisco vulnerability in its Emergency Responder product: This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow Read more about Cisco Can’t Stop Using Hard-Coded Passwords[…]

Troy Hunt scours the dark web for your stolen data – a look at HaveIBeenPwned: a 1 man operation

[…] Have I Been Pwned started life as a hobby project. In fact, Troy wasn’t working in the cybersecurity industry until a chance encounter tweaked his curiosity. […] Hackers had stolen the email addresses and passwords of 152 million of Adobe’s customers in November 2013 — including, as it turned out, Troy’s. Only, he wasn’t Read more about Troy Hunt scours the dark web for your stolen data – a look at HaveIBeenPwned: a 1 man operation[…]

Sourcegraph published admin token, someone creates API endpoint with free access

An unknown hacker gained administrative control of Sourcegraph, an AI-driven service used by developers at Uber, Reddit, Dropbox, and other companies, and used it to provide free access to resources that normally would have required payment. In the process, the hacker(s) may have accessed personal information belonging to Sourcegraph users, Diego Comas, Sourcegraph’s head of Read more about Sourcegraph published admin token, someone creates API endpoint with free access[…]

Windows feature that resets system clocks based on random data is wreaking havoc

A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to maintain a routing table that tracked cell phone numbers in real time as they moved Read more about Windows feature that resets system clocks based on random data is wreaking havoc[…]

Nearly every AMD CPU since 2017 vulnerable to Inception bug

AMD processor users, you have another data-leaking vulnerability to deal with: like Zenbleed, this latest hole can be to steal sensitive data from a running vulnerable machine. The flaw (CVE-2023-20569), dubbed Inception in reference to the Christopher Nolan flick about manipulating a person’s dreams to achieve a desired outcome in the real world, was disclosed Read more about Nearly every AMD CPU since 2017 vulnerable to Inception bug[…]

AI listens to keyboards on video conferences – decodes passwords

[…] a new paper from the UK that shows how researchers trained an AI to decode keystrokes from noise on conference calls. The researchers point out that people don’t expect sound-based exploits. The paper reads, “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s Read more about AI listens to keyboards on video conferences – decodes passwords[…]

Microsoft Comes Under Blistering Criticism For ‘Grossly Irresponsible’ Azure Security

An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.” The comments from Amit Yoran, chairman and Read more about Microsoft Comes Under Blistering Criticism For ‘Grossly Irresponsible’ Azure Security[…]

Cult of Dead Cow hacktivists design distributed encryption system for mobile apps

Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won’t keep hold of users’ personal data. The group, Cult of the Dead Cow, has developed Read more about Cult of Dead Cow hacktivists design distributed encryption system for mobile apps[…]

Android phones can now tell you if there’s an AirTag following you

When Google announced that trackers would be able to tie in to its 3 billion-device Bluetooth tracking network at its Google I/O 2023 conference, it also said that it would make it easier for people to avoid being tracked by trackers they don’t know about, like Apple AirTags. Now Android users will soon get these Read more about Android phones can now tell you if there’s an AirTag following you[…]

Firmware vulnerabilities in millions of servers could give hackers superuser status

[…] The vulnerabilities reside inside firmware that Duluth, Georgia-based AMI makes for BMCs (baseboard management controllers). These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control Read more about Firmware vulnerabilities in millions of servers could give hackers superuser status[…]

Google Urges Gmail Users to Enable ‘Enhanced Safe Browsing’ for Faster, More Proactive Protection – but also takes screenshots of your browsing habits

The Washington Post’s “Tech Friend” newsletter has the latest on Google’s “Enhanced Safe Browsing” for Chrome and Gmail, which “monitors the web addresses of sites that you visit and compares them to constantly updated Google databases of suspected scam sites.” You’ll see a red warning screen if Google believes you’re on a website that is, Read more about Google Urges Gmail Users to Enable ‘Enhanced Safe Browsing’ for Faster, More Proactive Protection – but also takes screenshots of your browsing habits[…]

TETRA Military and Police Radio Code Encryption Has a Flaw: A built in Backdoor

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities […] The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption Read more about TETRA Military and Police Radio Code Encryption Has a Flaw: A built in Backdoor[…]

AMD ‘Zenbleed’ bug allows Meltdown-like data leakage

AMD has started issuing some patches for its processors affected by a serious silicon-level bug dubbed Zenbleed that can be exploited by rogue users and malware to steal passwords, cryptographic keys, and other secrets from software running on a vulnerable system. Zenbleed affects Ryzen and Epyc Zen 2 chips, and can be abused to swipe Read more about AMD ‘Zenbleed’ bug allows Meltdown-like data leakage[…]

VanMoof ebike should be bricked if servers go down – fortunately security is so bad a rival has an app to allow you to unlock it

[…] an app is required to use many of the smart features of its bikes – and that app relies on communication with VanMoof servers. If the company goes under, and the servers go offline, that could leave ebike owners unable to even unlock their bikes […] While unlocking is activated by Bluetooth when your Read more about VanMoof ebike should be bricked if servers go down – fortunately security is so bad a rival has an app to allow you to unlock it[…]

Brave to stop websites from port scanning visitors – wait that hasn’t been done by everyone yet?!

The Brave browser will take action against websites that snoop on visitors by scanning their open Internet ports or accessing other network resources that can expose personal information. Starting in version 1.54, Brave will automatically block website port scanning, a practice that a surprisingly large number of sites were found engaging in a few years Read more about Brave to stop websites from port scanning visitors – wait that hasn’t been done by everyone yet?![…]