So: Oddly enough, if you make a QR code that tells you to go somewhere, the camera will take you to where the QR code tells you to go, even if you tell someone that the QR code goes someplace else. This trend of ‘reporting’ security problems that are not security problems at all is Read more about IOS QR ‘bug’ isn’t a bug: trend in pointing out things working as intended as a security advisory continues[…]

Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password. The Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling. Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker Read more about Cisco NFV elastic services controller accepts empty admin password[…]

Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing a MSSQL database backup file. According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information Read more about Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users[…]

More than 1,000 security employees in as many as 17 countries participated in the survey. Most said the biggest hurdle to mounting an adequate defense against cyber threats today is the lack of skilled personnel. (Poor security awareness and an inability to sift through enormous piles of data tied for second place.) The survey, which Read more about Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time, paying for ransomware is like flipping a coin[…]

On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users’ passwords, including administrative users and privileged service accounts (eg Domain Controllers). The LDAP server incorrectly validates certain LDAP password modifications against the Read more about Samba allows anyone to change everyone’s password[…]

The hardcoded password issue affects Cisco’s Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers. Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Read more about Hardcoded Password Found in Cisco Software[…]

Tal Be’ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer’s browser and go to a web address that Read more about Researchers Bypassed Windows Password Locks With Cortana Voice Commands[…]

When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian Read more about Leaked Files Show How the NSA Tracks Other Countries’ Hackers[…]

Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos“. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research. Baby monitors serve an important purpose in securing and monitoring our loved Read more about Internet of Babies – 52000 baby monitors open for public viewing[…]

IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via Read more about IBM Finds Fortune 500 Companies will lose $9 billion to phishing scams in 2018 – this is what these attacks look like[…]

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software. If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site Read more about uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed[…]

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is legit owner of that account. Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Read more about Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders[…]

In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat Read more about A phishing attack scored credentials for more than 50,000 Snapchat users[…]

The issue, which may have persisted for months or perhaps even longer, was flagged by Bay Area software engineer Gabriel Lewi, who tweeted about it earlier this week. Prominent technology critic and sociologist Zeynep Tufekci then used the situation as a springboard to criticize Facebook’s alleged unethical behavior, thinking the 2FA notifications may have been Read more about Facebook admits SMS notifications sent using two-factor number was caused by bug[…]

“We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts…people actually would go the extra mile and will use extra security,” Kessem said. Whether it’s using two factor authentication, an SMS message on top of their password, or any Read more about Consumers prefer security over convenience for the first time ever, IBM Security report finds[…]

It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening. […] The failure of the UConnect system isn’t just limited to not having a radio; Read more about Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix[…]

IBM iNotes SUService can be misguided into running malicious code from a DLL masquerading as a windows DLL in the temp directory. IBM Plans to address this vulnerability by providing a fix. Source: IBM Security Bulletin: IBM Notes Privilege escalation in IBM Notes Smart Update Service – United States

The US state of Washington says a miscreant was able to access the system it uses to track the manufacturing and sale of marijuana. The Evergreen State’s Liquor and Cannabis Board – a job that sounds way cooler than it actually is – yesterday admitted that last weekend someone was able to exploit a vulnerability Read more about US state’s pot dealer database pwned after security goes up in smoke[…]

The individual identifying himself as Jim Teeuwen, who maintained GitHub repository for a tool called go-bindata for embedded data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects. The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained Read more about You can resurrect any deleted GitHub account name. If you depend on that account you may find yourself in trouble[…]

Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants on your network, or able to reach the device’s web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo. That’s pretty bad news for any vulnerable gateways with remote Read more about Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 – get patching![…]

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off. Source: [1802.01468] PinMe: Tracking a Smartphone User around the World

“The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.”That’s easily spotted, so Read more about Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls[…]