A Russian online mapping company was trying to obscure foreign military bases. But in doing so, it accidentally confirmed their locations—many of which were secret. Yandex Maps, Russia’s leading online map service, blurred the precise locations of Turkish and Israeli military bases, pinpointing their location. The bases host sensitive surface-to-air missile sites and facilities housing Read more about Russian Mapping Service Accidentally Locates Secret Military Bases[…]

Ericsson has confirmed that a fault with its software was the source of yesterday’s massive network outage, which took millions of smartphones offline across the UK and Japan and created issues in almost a dozen countries. In a statement, Ericsson said that the root cause was an expired certificate, and that “the faulty software that Read more about Millions of smartphones were taken offline by an expired certificate[…]

Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”. Thanks to some alarmingly straightforward registry tweaks allied with a simple Python script, Illusive Networks’ Magal Baz and Tom Sela were not only able to remotely define their own choice Read more about Windows 10 security question: How do miscreants use these for post-hack persistence?[…]

Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender’s domain didn’t look like it came from Marriott at all. Marriott sent its notification email from “email-marriott.com,” which is registered to a third Read more about Marriott’s breach response is so bad, security experts are filling in the gaps[…]

Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The research team says this new CPU vulnerability is, too, a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process Read more about Researchers discover SplitSpectre, a new Spectre-like CPU attack via Javascript[…]

Oh, you tease It is OneDrive’s turn to get a beating with the stick of fail as the service took a tumble this morning. Issues first began appearing at around 08:00 GMT as users around Europe logged in, expecting to find their files, and found instead a picture of a bicycle with a flat tyre Read more about OneDrive is broken: Microsoft’s cloudy storage drops from the sky for EU users[…]

On the same day that certain types of British state-backed hacking now need a judge-issued warrant to carry out, GCHQ has lifted the veil and given the infosec world a glimpse inside its vuln-hoarding policies. The spying agency’s internal Equities Process is the way by which it decides whether or not to tell tech vendors Read more about GCHQ vulnerability disclosure process and cops hacking you now need a judge to decide if it’s legal in the UK[…]

Happy Monday, everyone! Azure Multi-Factor Authentication is struggling, meaning that some users with the functionality enabled are now super secure. And, er, locked out. Microsoft confirmed that there were problems from 04:39 UTC with a subset of customers in Europe, the Americas, and Asia-Pacific experiencing “difficulties signing into Azure resources” such as the, er, little Read more about Azure, Office 365 go super-secure: Multi-factor auth borked in Europe, Asia, USA – > 6 hour outage from MS – yay![…]

LastPass’s cloud service suffered a five-hour outage today that left some people unable to use the password manager to log into their internet accounts. Its makers said offline mode wasn’t affected – and that only its cloud-based password storage fell offline – although some Twitter folks disagreed. One claimed to be unable to log into Read more about LastPass Five-hour outage drives netizens bonkers[…]

An extensive testing session carried out by bank security experts at Positive Technologies has revealed that most ATMs can be hacked in under 20 minutes, and even less, in certain types of attacks. Experts tested ATMs from NCR, Diebold Nixdorf, and GRGBanking, and detailed their findings in a 22-page report published this week. The attacks Read more about Most ATMs can be hacked in under 20 minutes[…]

A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, Read more about A 100,000-router botnet is feeding on a 5-year-old UPnP bug in Broadcom chips (lots of different routers have this chip!)[…]

Microsoft’s activation servers appear to be on the blink this morning – some Windows 10 users woke up to find their Pro systems have, er, gone Home. Twitter user Matt Wadley was one of the first out of the gate, complaining that following an update to the freshly released Insider build of next year’s Windows, Read more about Windows 10 Pro goes Home as Microsoft fires up downgrade server[…]

Apple’s new-generation Macs come with a new so-called Apple T2 security chip that’s supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple’s computers, and by the looks of things, it’s also responsible Read more about Apple Blocks Linux From Booting and makes Windows hard to boot On New Hardware With T2 Security Chip[…]

I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty: Wait half a year until a vulnerability is patched is considered fine. In the bug bounty field these are considered fine: Wait Read more about Virtualbox 0-day posted because Oracle won’t update, allows you to execute on the underlying server[…]

As we have passed the three-year anniversary of the US EMV migration deadline, it is evident that the majority of financial institutions were successful in providing their customers with new EMV enabled cards. However, contrary to the prevailing logic, migration to the EMV did not eradicate the card-present fraud. Of more than 60 million payment Read more about Card Fraud on the Rise, Despite on card chip Adoption[…]

Dutch police claim to have snooped on more than a quarter of a million encrypted messages sent between alleged miscreants using BlackBox IronPhones. The extraordinary claim was made in a press conference on Tuesday, in which officers working on a money-laundering investigation reckoned they had been able to see crims chatting “live for some time.” Read more about Dutch cops hope to cuff ‘hundreds’ of suspects after snatching server, snooping on 250,000+ encrypted IronChat texts[…]

Most modern browsers—such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox)—have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego. What’s worse, the vulnerabilities are Read more about Old School ‘Sniffing’ Attacks Can Still Reveal Your Browsing History to any old website[…]

Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they’ve got their hands on the equipment. A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical Read more about Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it’s really, really dumb)[…]

From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite Read more about The CIA’s communications suffered a catastrophic compromise through Google scraping, killing ~30 agents[…]

Microsoft’s Office 365 has been giving some users cold sweats. No matter how hard they try to log in, they simply can’t access the service and haven’t been able to for hours – others say it has wobbled for days. Sporadic reports of unrest began to emerge on Down Detector on Friday (26 October) in Read more about Unsure why you can’t log into Office 365? So is Microsoft[…]

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the Read more about Zero-day in popular jQuery File Upload plugin actively exploited for at least three years[…]

The UK’s Information Commissioner has formally fined Facebook £500,000 – the maximum available – over the Cambridge Analytica scandal. In a monetary penalty notice issued this morning, the Information Commissioner’s Office (ICO) stated that the social media network had broken two of the UK’s legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan Read more about UK data watchdog fines Facebook 17 minutes of net profit for Cambridge Analytica brouhaha[…]

A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box. The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit Read more about DHCPv6 packet can pwn a vulnerable Linux box with systemd[…]