Criminals Are Tapping into the Phone Network Backbone using known insecure SS7 to Empty Bank Accounts

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself. This activity was Read more about Criminals Are Tapping into the Phone Network Backbone using known insecure SS7 to Empty Bank Accounts[…]

Don’t Toss That Bulb, It Knows Your Password

As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend Read more about Don’t Toss That Bulb, It Knows Your Password[…]

Data Leak in Singapore Exposes HIV Status of 14,000 Locals and Foreign Visitors

Medical records and contact information belonging to thousands of HIV-positive Singaporeans and foreign visitors to the southeast Asian city state have been leaked online, according to an alert issued by the country’s Ministry of Health (MOH). In a statement on its website, the ministry said the confidential health information of some 14,200 individuals diagnosed with Read more about Data Leak in Singapore Exposes HIV Status of 14,000 Locals and Foreign Visitors[…]

Apple temporarily disables group FaceTime to fix a bug that lets you eavesdrop on your contacts

There was chaos on the internet late last night after 9to5Mac discovered a bug in Apple’s FaceTime video calling app that let you hear other person’s voice even before they answered your call. According to the report, a user running iOS 12.1 could potentially exploit the vulnerability to eavesdrop on others through a group FaceTime call. Read more about Apple temporarily disables group FaceTime to fix a bug that lets you eavesdrop on your contacts[…]

Tikkie: IBAN-numbers users exposed (Dutch)

De populaire betaal-app Tikkie biedt de mogelijkheid om geld over te boeken naar andere Tikkie-gebruikers op basis van hun 06-nummer. Daardoor was het mogelijk om de IBAN-nummers van vele nietsvermoedende Tikkie-gebruikers te achterhalen, met het gevaar voor identiteitsfraude en phishing. Dat blijkt uit onderzoek van RTL Nieuws. ABN Amro bevestigt de kwetsbaarheid en heeft de Read more about Tikkie: IBAN-numbers users exposed (Dutch)[…]

Heads up: Debian’s package manager is APT for root-level malware injection… Fix out now to thwart MITM hijacks

The Debian Project has patched a security flaw in its software manager Apt that can be exploited by network snoops to execute commands as root on victims’ boxes as they update or install packages. The Linux distro’s curators have pushed out an fix to address CVE-2019-3462, a vulnerability uncovered and reported by researcher Max Justicz. Read more about Heads up: Debian’s package manager is APT for root-level malware injection… Fix out now to thwart MITM hijacks[…]

Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations – unsecured rsync

Last December, a whopping 3 terabytes of unprotected data from the Oklahoma Securities Commission was uncovered by Greg Pollock, a researcher with cybersecurity firm UpGuard. It amounted to millions of files, many on sensitive FBI investigations, all of which were left wide open on a server with no password, accessible to anyone with an internet Read more about Massive Oklahoma Government Data Leak Exposes 7 Years of FBI Investigations – unsecured rsync[…]

Let’s Encrypt ends TLS-SNI-01 validation support

Let’s Encrypt allows subscribers to validate domain control using any one of a few different validation methods. For much of the time Let’s Encrypt has been operating, the options were “DNS-01”, “HTTP-01”, and “TLS-SNI-01”. We recently introduced the “TLS-ALPN-01” method. Today we are announcing that we will end all support for the TLS-SNI-01 validation method Read more about Let’s Encrypt ends TLS-SNI-01 validation support[…]

Online casino group leaks information on 108 million bets, including winner personal details

An online casino group has leaked information on over 108 million bets, including details about customers’ personal information, deposits, and withdrawals, ZDNet has learned. The data leaked from an ElasticSearch server that was left exposed online without a password, Justin Paine, the security researcher who discovered the server, told ZDNet. ElasticSearch is a portable, high-grade Read more about Online casino group leaks information on 108 million bets, including winner personal details[…]

Yes, you can remotely hack factory, building site cranes more easily than a garage door

Did you know that the manufacturing and construction industries use radio-frequency remote controllers to operate cranes, drilling rigs, and other heavy machinery? Doesn’t matter: they’re alarmingly vulnerable to being hacked, according to Trend Micro. Available attack vectors for mischief-makers include the ability to inject commands, malicious re-pairing and even the ability to create one’s own Read more about Yes, you can remotely hack factory, building site cranes more easily than a garage door[…]

Amazon’s Ring Security Cameras Allow Anyone to Watch Easily – And They Do!

But for some who’ve welcomed in Amazon’s Ring security cameras, there have been more than just algorithms watching through the lens, according to sources alarmed by Ring’s dismal privacy practices. Ring has a history of lax, sloppy oversight when it comes to deciding who has access to some of the most precious, intimate data belonging Read more about Amazon’s Ring Security Cameras Allow Anyone to Watch Easily – And They Do![…]

Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)

Among the 49 bug fixes were patches for remote code execution flaws in DHCP (CVE-2019-0547) and an Exchange memory corruption flaw (CVE-2019-0586) that Trend Micro ZDI researcher Dustin Childs warns is particularly dangerous as it can be exploited simply by sending an email to a vulnerable server. “That’s a bit of a problem, as receiving Read more about Welcome to 2019: Your Exchange server can be pwned by an email (and other bugs need fixing)[…]

At Blind – a whistleblower site -, a security lapse revealed private complaints from Silicon Valley employees. Turns out it’s not very safe to blow your whistle there after all.

Thousands of people trusted Blind, an app-based “anonymous social network,” as a safe way to reveal malfeasance, wrongdoing and improper conduct at their companies.But Blind left one of its database servers exposed without a password, making it possible (for anyone who knew where to look) to access each user’s account information and identify would-be whistleblowers. Read more about At Blind – a whistleblower site -, a security lapse revealed private complaints from Silicon Valley employees. Turns out it’s not very safe to blow your whistle there after all.[…]

EU Diplomatic Comms Network, Which the NSA Reportedly Warned Could Be Easily Hacked, Was Hacked. But contents were boring.

The European Union’s network used for diplomatic communications, COREU, was infiltrated “for years” by hackers, the New York Times reported on Tuesday, with the unknown rogues behind the attack reportedly reposting the stolen communiqués to an “open internet site.” The network in question connects EU leadership with other EU organizations, as well as the foreign Read more about EU Diplomatic Comms Network, Which the NSA Reportedly Warned Could Be Easily Hacked, Was Hacked. But contents were boring.[…]

NASA fears internal server hacked, staff personal info swiped by miscreants

A server containing personal information, including social security numbers, of current and former NASA workers may have been hacked, and its data stolen, it emerged today. According to an internal memo circulated among staff on Tuesday, in mid-October the US space agency investigated whether or not two of its machines holding employee records had been Read more about NASA fears internal server hacked, staff personal info swiped by miscreants[…]

Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked

A corporate-issued laptop lifted from a Lenovo employee in Singapore contained a cornucopia of unencrypted payroll data on staff based in the Asia Pacific region, The Register can exclusively reveal. Details of the massive screw-up reached us from Lenovo staffers, who are simply bewildered at the monumental mistake. Lenovo has sent letters of shame to Read more about Lenovo tells Asia-Pacific staff: Work lappy with your unencrypted data on it has been nicked[…]

US Border Agents Keep Personal Data of 29000 Travelers on USBs, fail to delete them.

Last year, U.S. Customs and Border Protection (CBP) searched through the electronic devices of more than 29,000 travelers coming into the country. CBP officers sometimes upload personal data from those devices to Homeland Security servers by first transferring that data onto USB drives—drives that are supposed to be deleted after every use. But a new Read more about US Border Agents Keep Personal Data of 29000 Travelers on USBs, fail to delete them.[…]

Russian Mapping Service Accidentally Locates Secret Military Bases

A Russian online mapping company was trying to obscure foreign military bases. But in doing so, it accidentally confirmed their locations—many of which were secret. Yandex Maps, Russia’s leading online map service, blurred the precise locations of Turkish and Israeli military bases, pinpointing their location. The bases host sensitive surface-to-air missile sites and facilities housing Read more about Russian Mapping Service Accidentally Locates Secret Military Bases[…]

Millions of smartphones were taken offline by an expired certificate

Ericsson has confirmed that a fault with its software was the source of yesterday’s massive network outage, which took millions of smartphones offline across the UK and Japan and created issues in almost a dozen countries. In a statement, Ericsson said that the root cause was an expired certificate, and that “the faulty software that Read more about Millions of smartphones were taken offline by an expired certificate[…]

Windows 10 security question: How do miscreants use these for post-hack persistence?

Crafty infosec researchers have figured out how to remotely set answers to Windows 10’s password reset questions “without even executing code on the targeted machine”. Thanks to some alarmingly straightforward registry tweaks allied with a simple Python script, Illusive Networks’ Magal Baz and Tom Sela were not only able to remotely define their own choice Read more about Windows 10 security question: How do miscreants use these for post-hack persistence?[…]

Marriott’s breach response is so bad, security experts are filling in the gaps

Last Friday, Marriott sent out millions of emails warning of a massive data breach — some 500 million guest reservations had been stolen from its Starwood database. One problem: the email sender’s domain didn’t look like it came from Marriott at all. Marriott sent its notification email from “email-marriott.com,” which is registered to a third Read more about Marriott’s breach response is so bad, security experts are filling in the gaps[…]

Researchers discover SplitSpectre, a new Spectre-like CPU attack via Javascript

Three academics from Northeastern University and three researchers from IBM Research have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. The research team says this new CPU vulnerability is, too, a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process Read more about Researchers discover SplitSpectre, a new Spectre-like CPU attack via Javascript[…]

OneDrive is broken: Microsoft’s cloudy storage drops from the sky for EU users

Oh, you tease It is OneDrive’s turn to get a beating with the stick of fail as the service took a tumble this morning. Issues first began appearing at around 08:00 GMT as users around Europe logged in, expecting to find their files, and found instead a picture of a bicycle with a flat tyre Read more about OneDrive is broken: Microsoft’s cloudy storage drops from the sky for EU users[…]

GCHQ vulnerability disclosure process and cops hacking you now need a judge to decide if it’s legal in the UK

On the same day that certain types of British state-backed hacking now need a judge-issued warrant to carry out, GCHQ has lifted the veil and given the infosec world a glimpse inside its vuln-hoarding policies. The spying agency’s internal Equities Process is the way by which it decides whether or not to tell tech vendors Read more about GCHQ vulnerability disclosure process and cops hacking you now need a judge to decide if it’s legal in the UK[…]

Azure, Office 365 go super-secure: Multi-factor auth borked in Europe, Asia, USA – > 6 hour outage from MS – yay!

Happy Monday, everyone! Azure Multi-Factor Authentication is struggling, meaning that some users with the functionality enabled are now super secure. And, er, locked out. Microsoft confirmed that there were problems from 04:39 UTC with a subset of customers in Europe, the Americas, and Asia-Pacific experiencing “difficulties signing into Azure resources” such as the, er, little Read more about Azure, Office 365 go super-secure: Multi-factor auth borked in Europe, Asia, USA – > 6 hour outage from MS – yay![…]