iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled

AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16’s approach to VPN traffic is the same whether Lockdown mode is enabled or Read more about iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled[…]

Android Leaks Some Traffic Even When ‘Always-On VPN’ Is Enabled – Slashdot

Mullvad VPN has discovered that Android leaks traffic every time the device connects to a WiFi network, even if the “Block connections without VPN,” or “Always-on VPN,” features is enabled. BleepingComputer reports: The data being leaked outside VPN tunnels includes source IP addresses, DNS lookups, HTTPS traffic, and likely also NTP traffic. This behavior is Read more about Android Leaks Some Traffic Even When ‘Always-On VPN’ Is Enabled – Slashdot[…]

A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy

RAND Corporation researchers developed and supported the implementation of a methodology to assess the value of resource options for U.S. Navy cybersecurity investments. The proposed methodology features 12 scales in two categories (impact and exploitability) that allow the Navy to score potential cybersecurity investments in the Program Objective Memorandum (POM) process. The authors include a Read more about A Methodology for Quantifying the Value of Cybersecurity Investments in the Navy[…]

Blizzard really really wants your phone number to play its games – personal data grab and security risk

When Overwatch 2 replaces the original Overwatch on Oct. 4, players will be required to link a phone number to their Battle.net accounts. If you don’t, you won’t be able to play Overwatch 2 — even if you’ve already purchased Overwatch. The same two-factor step, called SMS Protect, will also be used on all Call Read more about Blizzard really really wants your phone number to play its games – personal data grab and security risk[…]

CIA betrayed informants with shoddy covert comms websites

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities. The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front websites designed, though, according to security research group Read more about CIA betrayed informants with shoddy covert comms websites[…]

Chrome & Edge Enhanced Spellcheck Send your PII, Including Your Passwords to Microsoft and Google, Alibaba and 3rd parties

Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Read more about Chrome & Edge Enhanced Spellcheck Send your PII, Including Your Passwords to Microsoft and Google, Alibaba and 3rd parties[…]

Morgan Stanley Settles for $32m after Hard Drives With Data on 15m customers Turn Up On Auction Site

An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. Read more about Morgan Stanley Settles for $32m after Hard Drives With Data on 15m customers Turn Up On Auction Site[…]

EA announces feels free to take over your OS with kernel-level anti-cheat system for PC games

Electronics Arts (EA) is launching a new kernel-level anti-cheat system for its PC games. The EA AntiCheat (EAAC) will debut first in FIFA 23 later this fall and is a custom anti-cheat system developed in-house by EA developers. It’s designed to protect EA games from tampering and cheaters, and EA says it won’t add anti-cheat Read more about EA announces feels free to take over your OS with kernel-level anti-cheat system for PC games[…]

Prompt injection attacks against GPT-3 – or how to get AI bots to say stuff you want them to

Riley Goodside, yesterday: Exploiting GPT-3 prompts with malicious inputs that order the model to ignore its previous directions. pic.twitter.com/I0NVr9LOJq – Riley Goodside (@goodside) September 12, 2022 Riley provided several examples. Here’s the first. GPT-3 prompt (here’s how to try it in the Playground): Translate the following text from English to French: > Ignore the above Read more about Prompt injection attacks against GPT-3 – or how to get AI bots to say stuff you want them to[…]

Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs – wait isn’t it 2022?

[…] The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them. An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log Read more about Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs – wait isn’t it 2022?[…]

Dump these routers, says Cisco, because we won’t patch them

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the Read more about Dump these routers, says Cisco, because we won’t patch them[…]

IOS Mobile banking apps put 300,000 digital fingerprints at risk using hardcoded AWS credentials

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in Read more about IOS Mobile banking apps put 300,000 digital fingerprints at risk using hardcoded AWS credentials[…]

Genshin Impact installs “anti cheat” rootkit signed by Microsoft which is exploited in the wild. Stop allowing spyware rootkits, Microsoft!

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that Read more about Genshin Impact installs “anti cheat” rootkit signed by Microsoft which is exploited in the wild. Stop allowing spyware rootkits, Microsoft![…]

How bad the problem with John Deere Tractors really is, how not being open leads to incredibly bad security

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks). The presentation was significant because Deere – along with Apple Read more about How bad the problem with John Deere Tractors really is, how not being open leads to incredibly bad security[…]

A New Jailbreak for John Deere Tractors wants Right-to-Repair insecure and outdated tech in them

farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security Read more about A New Jailbreak for John Deere Tractors wants Right-to-Repair insecure and outdated tech in them[…]

Open Cybersecurity Schema Framework released

The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that Read more about Open Cybersecurity Schema Framework released[…]

VMware patches critical admin authentication bypass bug

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products. That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, Read more about VMware patches critical admin authentication bypass bug[…]

Atlassian reveals critical flaws in most of their products

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security. The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.” One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a Read more about Atlassian reveals critical flaws in most of their products[…]

Lenovo fixes trio of UEFI vulnerabilities – fortunately not for Thinkpads though

[…] “The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” “It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip Read more about Lenovo fixes trio of UEFI vulnerabilities – fortunately not for Thinkpads though[…]

X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root. Fixes for these XKB vulnerabilities have been patched in X.Org Server Git Read more about X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities[…]

FBI and MI5 bosses speak out together: China hacks and steals at massive scale

The directors of the UK Military Intelligence, Section 5 (MI5) and the US Federal Bureau of Investigation on Wednesday shared a public platform for the first time and warned of China’s increased espionage activity on UK and US intellectual property. Speaking to an audience of business and academic leaders, MI5 director general Ken McCallum and Read more about FBI and MI5 bosses speak out together: China hacks and steals at massive scale[…]

Security flaws in internet-connected hot tubs exposed owners’ personal data

[…] Jacuzzi’s SmartTub feature, like most Internet of Things (IoT) systems, lets users connect to their hot tub remotely via a companion Android or iPhone app. Marketed as a “personal hot tub assistant,” users can make use of the app to control water temperature, switch on and off jets, and change the lights. But as Read more about Security flaws in internet-connected hot tubs exposed owners’ personal data[…]

FBI warns crooks are using deepfake videos in job interviews

The US FBI issued a warning on Tuesday that it was has received increasing numbers of complaints relating to the use of deepfake videos during interviews for tech jobs that involve access to sensitive systems and information. The deepfake videos include a video image or recording convincingly manipulated to misrepresent someone as the “applicant” for Read more about FBI warns crooks are using deepfake videos in job interviews[…]

Time to throw out those older, vulnerable Cisco SMB routers – they’re not gonna fix critical bugs for you

[…]Cisco has just released fixes for seven flaws, two of which are not great. First on the priority list should be a critical vulnerability in its enterprise security appliances, and the second concerns another critical bug in some of its outdated small business routers that it’s not going to fix. In other words, junk your Read more about Time to throw out those older, vulnerable Cisco SMB routers – they’re not gonna fix critical bugs for you[…]