Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The Kromtech Security Research Center has discovered a misconfigured database with nearly Read more about Moneyback leaks 500k tourists to Mexico customer records: passports, credit cards, IDs.[…]

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized Read more about Equifax loses 143 million US, UK and Canadian customer records in data breach.[…]

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites. A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely Read more about Apache REST / Struts easily exploitable through browser[…]

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings. Just before the Read more about Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records[…]

The Rabobank has started warning users when the name doesn’t match an IBAN account. A trivial function that used to work before IBAN but apparently was so hard to implement that users have had to wait for years to get. If you put in the wrong number – then sorry, you were screwed! Now for Read more about After years of IBAN, only 1 NL bank has just figured out how to check the name with an account.[…]

Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year. […] Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances Read more about Data Breach Exposes Thousands of Job Seeker CVs Citing Top Secret Government Work[…]

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month. The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Read more about Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak[…]

Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk. Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data Read more about Intel ME controller chip can be disabled after all – for governments[…]

Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That’s a bit of a relative term though because whilst I’ve loaded “big” spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River Read more about Inside the Massive 711 Million Record Onliner Spambot Dump[…]

The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks. […] The bill Read more about US Congress dreams of IoT and gets it right! Except it won’t protect consumers, only gov.[…]

In a new study that will be presented next week at the 26th USENIX Security Symposium in Vancouver, University of Washington researchers analyzed the security practices of common, open-source DNA processing programs and found that they were, in general, lacking. That means all that super-sensitive information those programs are processing is potentially vulnerable to hackers. Read more about DNA Testing Data Is Disturbingly Vulnerable to Hackers[…]

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors. Police gain access to Dream accounts via password reuse In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and Read more about Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month[…]

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside. In less than 90 minutes, the first cracks Read more about It took DEF CON hackers minutes to pwn these US voting machines[…]

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register. Out of interest, he tried to buy them and was amazed Read more about Bloke takes over every .io domain by snapping up crucial name servers[…]

To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file. Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this. The systemd Read more about Create a user called ‘0day’, get bonus root privs – thanks, Systemd![…]

The Royal Navy’s brand new £3.5bn aircraft carrier HMS Queen Elizabeth is currently* running Windows XP in her flying control room, according to reports. Defence correspondents from The Times and The Guardian, when being given a tour of the carrier’s aft island – the rear of the two towers protruding above the ship’s main deck Read more about HMS QE: Britain’s newest Aircraft Carrier runs Windows XP[…]

The White House debated various options to punish Russia, but facing obstacles and potential risks, it ultimately failed to exact a heavy toll on the Kremlin for its election meddling. Source: Obama’s secret struggle to punish Russia for Putin’s election assault

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free Read more about Password Reset man in the middle attack[…]

A huge trove of voter data, including personal information and voter profiling data on what’s thought to be every registered US voter dating back more than a decade, has been found on an exposed and unsecured server, ZDNet has learned. It’s believed to be the largest ever known exposure of voter information to date. The Read more about Personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured Amazon server.[…]

A security lapse that affected more than 1,000 workers forced one moderator into hiding – and he still lives in constant fear for his safety Source: Revealed: Facebook exposed identities of moderators to suspected terrorists Facebook moderators like him first suspected there was a problem when they started receiving friend requests from people affiliated with Read more about Revealed: Facebook exposed identities of moderators to suspected terrorists[…]

A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries. […] Researchers say that an attacker on Read more about Hackers Can Spoof Phone Numbers, Track Users via 4G VoLTE Mobile Technology[…]

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method. [0] Iris recognition may be barely sufficient to protect a phone Read more about CCC | Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8[…]

Millions of people risk having their devices and systems compromised by malicious subtitles, Check Point researchers revealed today. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or will do so soon. […] By conducting attacks Read more about Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users[…]