Half of Oracle E-Business customers open to months-old bank fraud flaw

Security company Onapsis estimates that roughly half of all companies using the Oracle EBS software have not yet patched CVE-2019-2648 and CVE-2019-2633, despite Big Red having pushed out fixes for both bugs back in April. The two vulnerabilities are found in the Thin Client Framework API and are described as reflected SQL injections. An attacker Read more about Half of Oracle E-Business customers open to months-old bank fraud flaw[…]

Lessons from the cyberattack on India’s largest nuclear power plant – Bulletin of the Atomic Scientists

Indian officials acknowledged on October 30th that a cyberattack occurred at the country’s Kudankulam nuclear power plant. An Indian private cybersecurity researcher had tweeted about the breach three days earlier, prompting Indian authorities to initially deny that it had occurred before admitting that the intrusion had been discovered in early September and that efforts were Read more about Lessons from the cyberattack on India’s largest nuclear power plant – Bulletin of the Atomic Scientists[…]

Intels’ Trusted Platform Module can’t be trusted. TPM-FAIL

Trusted Platform Module (TPM) serves as a root of trust for the operating system. TPM is supposed to protect our security keys from malicious adversaries like malware and rootkits. Most laptop and desktop computers nowadays come with a dedicated TPM chip, or they use the Intel firmware-based TPM (fTPM) which runs on a separate microprocessor Read more about Intels’ Trusted Platform Module can’t be trusted. TPM-FAIL[…]

Your Apple Mac Makes Plain-Text Copies of Your Encrypted Emails. Here’s how to stop it.

IT guru Bob Gendler took to Medium last week to share a startling discovery about Apple Mail. If you have the application configured to send and receive encrypted email—messages that should be unreadable for anyone without the right decryption keys—Apple’s digital assistant goes ahead and stores your emails in plain text on your Mac’s drive. Read more about Your Apple Mac Makes Plain-Text Copies of Your Encrypted Emails. Here’s how to stop it.[…]

Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?

Ubiquiti Networks is fending off customer complaints after emitting a firmware update that caused its UniFi wireless routers to quietly phone HQ with telemetry. It all kicked off when the US-based manufacturer confirmed that a software update released this month programmed the devices to establish secure connections back to Ubiquiti servers and report information on Read more about Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?[…]

Amazon Ring doorbells exposed home Wi-Fi passwords over cleartext

Security researchers have discovered a vulnerability in Ring doorbells that exposed the passwords for the Wi-Fi networks to which they were connected. Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network Read more about Amazon Ring doorbells exposed home Wi-Fi passwords over cleartext[…]

A network of ‘camgirl’ sites exposed millions of users and sex workers data

A number of popular “camgirl” sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected. The sites, run by Barcelona-based VTS Media, include amateur.tv, webcampornoxxx.net, and placercams.com. Most of the sites’ users are based in Spain and Europe, but we found evidence of users across Read more about A network of ‘camgirl’ sites exposed millions of users and sex workers data[…]

Use a laser to command voice assistants such as lexa, google assistant, siri

Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. In our paper we demonstrate this effect, successfully using light to inject malicious commands into several voice controlled devices such as Read more about Use a laser to command voice assistants such as lexa, google assistant, siri[…]

Android bug lets hackers plant malware via NFC beaming

Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even Read more about Android bug lets hackers plant malware via NFC beaming[…]

Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard

The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegate Credentials extension was specifically developed for large website setups, such as Facebook, or for website using content delivery networks (CDNs), such as Read more about Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard[…]

NordVPN users’ passwords exposed in mass credential-stuffing attacks

As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts. In recent weeks, credentials for NordVPN users have circulated on Pastebin and other online forums. They contain the email addresses, Read more about NordVPN users’ passwords exposed in mass credential-stuffing attacks[…]

xHelper Android Malware Can Survive a Factory Reset

Though this somewhat-new “xHelper” malware has affected a low number of Android users so far (around 45,000, estimates Symantec), the fact that nobody has any clear advice on how to remove it is a worrisome fact. While the odds are good that you won’t get hit with this malware, given its low installation rate so Read more about xHelper Android Malware Can Survive a Factory Reset[…]

NHS Pagers Are Leaking Sensitive Medical Data – wait, pagers still exist?

Pagers used within the United Kingdom’s National Health Service are leaking sensitive patient information, and an amateur radio enthusiast has been broadcasting some of that medical data on a webcam livestream, a security researcher has found. TechCrunch reports that Florida-based security researcher Daley Borda stumbled upon the strange confluence of archaic tech that flowed together Read more about NHS Pagers Are Leaking Sensitive Medical Data – wait, pagers still exist?[…]

Government officials around the globe targeted for hacking through WhatsApp – FB fingers Israeli NSO group

WASHINGTON (Reuters) – Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc’s (FB.O) WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation. Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims Read more about Government officials around the globe targeted for hacking through WhatsApp – FB fingers Israeli NSO group[…]

Open database leaked 179GB in customer, US government, and military records

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. On Monday, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is Read more about Open database leaked 179GB in customer, US government, and military records[…]

Mercedes-Benz app glitch exposed car owners’ information to other users

Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information. TechCrunch spoke to two customers who said the Mercedes-Benz’ connected car app was pulling in information from other accounts and not their own, allowing them to see other car Read more about Mercedes-Benz app glitch exposed car owners’ information to other users[…]

Japanese hotel chain sorry that hackers may have watched guests through bedside robots

Japanese hotel chain HIS Group has apologised for ignoring warnings that its in-room robots were hackable to allow pervs to remotely view video footage from the devices. The Henn na Hotel is staffed by robots: guests can be checked in by humanoid or dinosaur reception bots before proceeding to their room. Facial recognition tech will Read more about Japanese hotel chain sorry that hackers may have watched guests through bedside robots[…]

Your Smart Speaker’s Skills Might Be a Huge Privacy Problem

As with browser add-ons, you’re entirely at the mercy of a developer. And should they use their powers for evil, you could be giving up everything you’re saying to your device to some random person. At least, that’s the scenario presented by Germany’s Security Research Labs (SRLabs), who built a number of dummy Skills (Amazon) Read more about Your Smart Speaker’s Skills Might Be a Huge Privacy Problem[…]

The Samsung Galaxy S10’s Fingerprint Lock works for everyone if you put a piece of transparent plastic on the sensor

It was recently discovered that the Samsung Galaxy S10 and S10+ have a major security flaw that makes it easy to bypass their fingerprint locks. On a scale of “one” to “not good,” we are definitely towards the right on this one. To be fair, fingerprint sensors and other biometric security features aren’t ironclad; hackers Read more about The Samsung Galaxy S10’s Fingerprint Lock works for everyone if you put a piece of transparent plastic on the sensor[…]

Germany’s cyber-security agency recommends Firefox as most secure browser

Firefox is the only browser that received top marks in a recent audit carried out by Germany’s cyber-security agency — the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. Read more about Germany’s cyber-security agency recommends Firefox as most secure browser[…]

White-hat hacks Muhstik ransomware gang and releases decryption keys

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims. This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3]. Read more about White-hat hacks Muhstik ransomware gang and releases decryption keys[…]

Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users. The social networking giant on Tuesday admitted to an “error” that let advertisers have access to the private information customers had given Twitter in order to place additional security Read more about Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash[…]

FBI warns about attacks that bypass multi-factor authentication (MFA)

Basically sim swapping, man in the middle attacks and poor URL protections FBI warns about SIM swapping and tools like Muraen and NecroBrowser. “The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. Past incidents Read more about FBI warns about attacks that bypass multi-factor authentication (MFA)[…]

Attackers exploit 0-day vulnerability that gives full control of Android phones

Attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO Read more about Attackers exploit 0-day vulnerability that gives full control of Android phones[…]

Facebook, WhatsApp Will Have to Share Messages With U.K. Police, breaking encryption. Don’t they realises this gives criminals access too?

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter. The accord, which is set to be signed by next month, will compel social media firms to Read more about Facebook, WhatsApp Will Have to Share Messages With U.K. Police, breaking encryption. Don’t they realises this gives criminals access too?[…]