400 faults found in Qualcomm chips powering your mobile phone with big implications

With over 3 billion users globally, smartphones are an integral, almost inseparable part of our day-to-day lives. As the mobile market continues to grow, vendors race to provide new features, new capabilities and better technological innovations in their latest devices. To support this relentless drive for innovation, vendors often rely on third parties to provide Read more about 400 faults found in Qualcomm chips powering your mobile phone with big implications[…]

Google offers refunds after North smart glasses stop working or why cloud sucks and you want things running locally

Smart glasses company North has told customers that their $600 (£460) purchases will stop working in a few days’ time. The Canadian company, recently purchased by Google, says its Focals glasses will cease functioning on Friday. From then, owners will not be able to use “any features” of the glasses, or connect to the companion Read more about Google offers refunds after North smart glasses stop working or why cloud sucks and you want things running locally[…]

If you own one of these 45 Netgear devices, replace it: Firm won’t patch vulnerable gear despite live proof-of-concept code

Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability – despite security researchers having published proof-of-concept exploit code. The vuln was revealed publicly in June by Trend Micro’s Zero Day Initiative (ZDI) following six months spent chivvying Netgear behind the scenes to take it seriously. Read more about If you own one of these 45 Netgear devices, replace it: Firm won’t patch vulnerable gear despite live proof-of-concept code[…]

Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev – this is why you don’t give cloud access to your crown jewels

Waydev, a San Francisco-based company, runs a platform that can be used to track software engineers’ work output by analyzing Git-based codebases. To do this, Waydev runs a special app listed on the GitHub and GitLab app stores. When users install the app, Waydev receives an OAuth token that it can use to access its Read more about Hackers stole GitHub and GitLab OAuth tokens from Git analytics firm Waydev – this is why you don’t give cloud access to your crown jewels[…]

GRUB2, you’re getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system

An annoying vulnerability in the widely used GRUB2 bootloader can be potentially exploited by malware or a rogue insider already on a machine to thoroughly compromise the operating system or hypervisor while evading detection by users and security tools. […] Designated CVE-2020-10713, the vulnerability allows a miscreant to achieve code execution within the open-source bootloader, Read more about GRUB2, you’re getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system[…]

Will Garmin Pay $10 Million Ransom To End Two-Day Outage?

Garmin is reportedly being asked to pay a $10 million ransom to free its systems from a cyberattack that has taken down many of its services for two days. The navigation company was hit by a ransomware attack on Thursday, leaving customers unable to log fitness sessions in Garmin apps and pilots unable to download Read more about Will Garmin Pay $10 Million Ransom To End Two-Day Outage?[…]

More than 1,000 people at Twitter had ability to aid hack of accounts

Twitter said on Saturday that the perpetrators “manipulated a small number of employees and used their credentials” to log into tools and turn over access to 45 accounts. here On Wednesday, it said that the hackers could have read direct messages to and from 36 accounts but did not identify the affected users. The former Read more about More than 1,000 people at Twitter had ability to aid hack of accounts[…]

Ongoing Meow attack has nuked >4,000 MongoDB and Elastic databases with default settings left on

More than 1,000 unsecured databases so far have been permanently deleted in an ongoing attack that leaves the word “meow” as its only calling card, according to Internet searches over the past day. The attack first came to the attention of researcher Bob Diachenko on Tuesday, when he discovered a database that stored user details Read more about Ongoing Meow attack has nuked >4,000 MongoDB and Elastic databases with default settings left on[…]

Fitness freaks flummoxed as massive global Garmin outage leaves them high and dry for hours

Garmin’s Connect service has been down for more than seven hours today to the frustration of fitness enthusiasts keen to upload running times or synchronise with other services such as Strava. So, too, is the company’s web shop and support forums. Users have expressed obvious concern that such an extended outage is indicative of a Read more about Fitness freaks flummoxed as massive global Garmin outage leaves them high and dry for hours[…]

Instacart Customers’ Data Is Being Sold Online, but Instacart has it’s fingers in it’s ears, pretends nothing is wrong

The personal information of what could be hundreds of thousands of Instacart customers is being sold on the dark web. This data includes names, the last four digits of credit card numbers, and order histories, and appears to have affected customers who used the grocery delivery service as recently as yesterday. As of Wednesday, sellers Read more about Instacart Customers’ Data Is Being Sold Online, but Instacart has it’s fingers in it’s ears, pretends nothing is wrong[…]

Firefox on Android: Camera remains active when phone is locked or the user switches apps after streaming

Mozilla says it’s working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked. A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October. Read more about Firefox on Android: Camera remains active when phone is locked or the user switches apps after streaming[…]

Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to Read more about Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet[…]

Zoom fixed a vanity URL issue that could have led to phishing attacks

Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack. Hackers Read more about Zoom fixed a vanity URL issue that could have led to phishing attacks[…]

So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You’ll want to patch this

Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP’s NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization. The bug, CVE-2020-6287, is a lack of proper authentication in NetWeaver. This Read more about So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You’ll want to patch this[…]

European police hacked encrypted phones used by thousands of criminals

In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers. By infiltrating the platform, Encrochat, police across Europe gained access to a hundred million encrypted messages. In the UK, those messages helped officials arrest 746 suspects, seize £54 Read more about European police hacked encrypted phones used by thousands of criminals[…]

Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug. Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take Read more about Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution[…]

Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor. Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the Read more about Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public[…]

Massive spying on users of Google’s Chrome shows new security weakness

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 Read more about Massive spying on users of Google’s Chrome shows new security weakness[…]

Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…

Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not. The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next Read more about Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…[…]

845GB of racy dating app records exposed to entire internet via leaky AWS buckets

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download. Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records. Data Read more about 845GB of racy dating app records exposed to entire internet via leaky AWS buckets[…]

Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers’ letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around Read more about Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires[…]

Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports. The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.” Some Read more about Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers[…]

WhatsApp was exposing users’ phone numbers in Google search

WhatsApp claims it fixed an issue that was showing users’ phone numbers in Google search results, TechCrunch reports. The change comes after security researcher Athul Jayaram revealed that phone numbers of WhatsApp users who used the Click to Chat feature were being indexed in search. Click to Chat allows users to create a link with Read more about WhatsApp was exposing users’ phone numbers in Google search[…]

From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours

IBM’s cloud has gone down hard across the world. We’d love to tell you just how hard the service has hit the dirt, but even the Big Blue status page is intermittently unavailable: IBM Cloud status page … Click to enlarge Your humble hack has an IBM Cloud account, and when attempting to login in Read more about From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours[…]

Bug bounty platforms buy researcher silence, violate labor laws, critics say

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple Read more about Bug bounty platforms buy researcher silence, violate labor laws, critics say[…]