Pharmaceutical giant AstraZeneca has blamed “user error” for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. Read more about AstraZeneca puts username and password on Github, exposes patient data in test environment for a year[…]

We present Wi-Peep – a new location-revealing privacy attack on non-cooperative Wi-Fi devices. Wi-Peep exploits loopholes in the 802.11 protocol to elicit responses from Wi-Fi devices on a network that we do not have access to. It then uses a novel time-of-flight measurement scheme to locate these devices. Wi-Peep works without any hardware or software Read more about Wi-Peep drone locates all your wifi devices and maps them in your home, can tell if your watch is moving around[…]

The United Kingdom’s National Cyber Security Centre (NCSC), the government agency that leads the country’s cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK’s vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture. “These activities cover any Read more about British govt is scanning all Internet devices hosted in UK[…]

The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of Read more about Multi-factor authentication bombing fatigue can blow open security[…]

Amazon didn’t protect one of its internal servers, allowing anyone to view a database named “Sauron” which was full of Prime Video viewing habits. As TechCrunch reports(Opens in a new window), the unprotected Elasticsearch database was discovered by security researcher Anurag Sen(Opens in a new window). Contained within the database, which anyone who knew the Read more about Whoops! Amazon Left Prime Video DB with viewing habits (Named ‘Sauron’) Unprotected – yup Elasticsearch[…]

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately. Thomson Reuters provides Read more about Thomson Reuters leaked at least 3TB of sensitive data – yes, open elasticsearch instances[…]

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties. Advocate Aurora Health (AAH) reported the potential breach to the US government’s Health and Human Services. As well as millions of patients, Read more about Advocate Aurora Health leaks 3 million patient’s data to big tech through webtracker installation[…]

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities. The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front websites designed, though, according to security research group Read more about CIA betrayed informants with shoddy covert comms websites[…]

Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Read more about Chrome & Edge Enhanced Spellcheck Send your PII, Including Your Passwords to Microsoft and Google, Alibaba and 3rd parties[…]

An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. Read more about Morgan Stanley Settles for $32m after Hard Drives With Data on 15m customers Turn Up On Auction Site[…]

Electronics Arts (EA) is launching a new kernel-level anti-cheat system for its PC games. The EA AntiCheat (EAAC) will debut first in FIFA 23 later this fall and is a custom anti-cheat system developed in-house by EA developers. It’s designed to protect EA games from tampering and cheaters, and EA says it won’t add anti-cheat Read more about EA announces feels free to take over your OS with kernel-level anti-cheat system for PC games[…]

[…] The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them. An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log Read more about Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs – wait isn’t it 2022?[…]

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the Read more about Dump these routers, says Cisco, because we won’t patch them[…]

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in Read more about IOS Mobile banking apps put 300,000 digital fingerprints at risk using hardcoded AWS credentials[…]

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that Read more about Genshin Impact installs “anti cheat” rootkit signed by Microsoft which is exploited in the wild. Stop allowing spyware rootkits, Microsoft![…]

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks). The presentation was significant because Deere – along with Apple Read more about How bad the problem with John Deere Tractors really is, how not being open leads to incredibly bad security[…]

farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security Read more about A New Jailbreak for John Deere Tractors wants Right-to-Repair insecure and outdated tech in them[…]

The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that Read more about Open Cybersecurity Schema Framework released[…]

[…] The issue occurred when a user created or revoked a shared invitation link for their workspace. The good news is that the password wasn’t plaintext, and it wasn’t visible in any Slack clients. The bad news is that it could be picked up by monitoring encrypted traffic from Slack’s servers, and it appears that Read more about Slack exposed hashed passwords for years[…]

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products. That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, Read more about VMware patches critical admin authentication bypass bug[…]