European Commission airs out new IoT device security draft law – interested parties have a week to weigh in

Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention. Draft regulations applying to “internet-connected radio equipment and wearable radio equipment” are open for public comment until […]

A Misused Microsoft Tool Leaked Data from 47 Organizations

New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records. Microsoft’s Power Apps, a popular development platform, allows organizations to quickly create web apps, replete with public-facing websites and related backend data management. A lot of governments have used Power Apps […]

Sensitive Data On Afghan Allies Collected By The US Military Is Now In The Hands Of The Taliban

The problem with harvesting reams of sensitive data is that it presents a very tempting target for malicious hackers, enemy governments, and other wrongdoers. That hasn’t prevented anyone from collecting and storing all of this data, secure only in the knowledge this security will ultimately be breached. […] The Taliban is getting everything we left […]

Zoom to pay $85M for lying about encryption and sending data to Facebook and Google

Zoom has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without users’ consent. The settlement between Zoom and the plaintiffs in a class-action lawsuit also covers security problems that led to rampant “Zoombombings.” The proposed settlement would generally give […]

>83 million Web Cams, Baby Monitor Feeds and other IoT devices using Kalay backend Exposed

A vulnerability is lurking in numerous types of smart devices—including security cameras, DVRs, and even baby monitors—that could allow an attacker to access live video and audio streams over the internet and even take full control of the gadgets remotely. What’s worse, it’s not limited to a single manufacturer; it shows up in a software […]

China orders annual security reviews for all critical information infrastructure operators

An announcement by the Cyberspace Administration of China (CAC) said that cyber attacks are currently frequent in the Middle Kingdom, and the security challenges facing critical information infrastructure are severe. The announcement therefore defines infosec regulations and responsibilities. The CAC referred to critical infrastructure as “the nerve center of economic and social operations and […]

Senators ask Amazon how it will use palm print data from its stores

If you’re concerned that Amazon might misuse palm print data from its One service, you’re not alone. TechCrunch reports that Senators Amy Klobuchar, Bill Cassidy and Jon Ossoff have sent a letter to new Amazon chief Andy Jassy asking him to explain how the company might expand use of One’s palm print system beyond stores […]

Researchers Say They’ve Found a ‘Master Face’ to Bypass Face Rec Tech

[…] computer scientists at Tel Aviv University in Israel say they have discovered a way to bypass a large percentage of facial recognition systems by basically faking your face. The team calls this method the “master face” (like a “master key,” harhar), which uses artificial intelligence technologies to create a facial template—one that can consistently […]

100s of (war)ships are having their positions falsely reported in AIS

Analysis of tracking data from Automatic Identification System broadcasts reveals vessel locations have been simulated for a number of ships, including military vessels. This false information could compromise vessel safety, decrease confidence in a crucial collision avoidance system and potentially spark international conflict. Over the years, data analysts working with Global Fishing Watch and SkyTruth […]

16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) […]

You, too, can be a Windows domain controller and do whatever you like, with this trick which requires no authentication at all

The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network. Specifically, security researcher Gilles Lionel found it was possible […]

Thinking about selling your Echo Dot—or any IoT device? Turns out passwords and other data remain even after a reset

Like most Internet-of-things (IoT) devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any… personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices […]

Another Exploit Hits WD My Book Live Owners – wipes could be rival hacker groups fighting for botnet control

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Initially, after the […]

700 Million LinkedIn Records Leaked June 2021 – again

Things are not looking good for LinkedIn right now. Just two months after a jaw-dropping 500 million profiles from the networking site were put up for sale on a popular hacker forum, a new posting with 700 million LinkedIn records has appeared. The seller, “GOD User” TomLiner, stated they were in possession of the 700 […]

Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened

It was a closed-source, backdoored system. This goes to show that weakening encryption for political reasons and trusting software that can’t be audited independently is a Bad Idea™. A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to […]

Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ details

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet. The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi and authorized dealers in the U.S. and Canada, left the customer data spanning […]

Indonesia’s national health insurance scheme leaks at least a million citizens’ records

Indonesia’s government has admitted to leaks of personal data from the agency that runs its national health insurance scheme. On May 20th Kominfo, Indonesia’s Ministry of Communication and Information Technology, acknowledged it was aware of a post on the notorious stolen-data mart Raidforums offering to sell a million records leaked from the Badan Penyelenggara Jaminan Sosial (BPJS), […]

Mobile app developers’ misconfiguration of third-party services leaves personal data of over 100 million exposed – Check Point Research

[…] Check Point Research (CPR) recently discovered that in the last few months, many application developers put their data and their users’ data at risk. By not following best practices when configuring and integrating third-party cloud services into applications, millions of users’ private data was exposed. In some cases, this type of misuse only affects […]

NHS Digital booking website had unexpected side effect: It leaked people’s jab status

An NHS Digital-run vaccine-booking website exposed just how many vaccines individual people had received – and did so with no authentication, according to the Guardian. The booking page, aimed at English NHS patients wanting to book first and second coronavirus jabs, would tell anyone at all whether a named person had had zero, one or […]

Russian cyber-spies changed tactics after the UK and US outed their techniques – so here’s a list of those changes

Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets’ networks as a legitimate pentesting exercise. Now, the UK’s National Cyber Security Centre (NCSC) and the US warn, the SVR is busy exploiting a dozen critical-rated vulns (including RCEs) in equipment ranging from Cisco routers […]

Peloton’s leaky API let anyone grab riders’ private account data – and only fixed the issue after repeated prodding

[…] Peloton, the at-home fitness brand synonymous with its indoor stationary bike and beleaguered treadmills, has more than three million subscribers. Even President Biden is said to own one. The exercise bike alone costs upwards of $1,800, but anyone can sign up for a monthly subscription to join a broad variety of classes. As Biden […]

Experian API Exposed Credit Scores of Most Americans

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he […]

BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw

Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices. […] Drilling down to the nitty-gritty: Microsoft’s Azure Defender for IoT security research group looked at memory allocation functions, such as malloc(), […]
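The excerpt is cut off just as it reaches the flaw itself. BadAlloc is the name Microsoft gave to a family of integer-overflow (wraparound) bugs in the size arithmetic of memory allocators and allocation wrappers in embedded systems and RTOSes: a caller computes count * element_size, the product wraps, and the allocator hands back a buffer far smaller than the data that is then written into it. The C below is an added example written for this page, not Microsoft’s research code or any affected vendor’s allocator; the message format, the 32-bit size type and the 0x40000001 record count are constructed so the wrap reproduces on a 64-bit host.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed scenario: a device parses a message header carrying a record
 * count, then allocates count * RECORD_SIZE bytes for the records. Sizes are
 * uint32_t so the wraparound is reproducible on a 64-bit host; on a 32-bit
 * RTOS size_t is 32 bits and wraps the same way. */
#define RECORD_SIZE 4u

/* The BadAlloc pattern: count * size with no overflow check. A count of
 * 0x40000001 makes the product 0x100000004, which wraps to 4, so the caller
 * gets a 4-byte buffer for a billion records and writes far past it. */
uint32_t unchecked_alloc_size(uint32_t count, uint32_t elem_size) {
    return count * elem_size;
}

/* Hardened: refuse the request if the multiplication would wrap.
 * Returns 1 and sets *out on success, 0 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out) {
    if (elem_size != 0 && count > UINT32_MAX / elem_size) {
        return 0;
    }
    *out = count * elem_size;
    return 1;
}

/* Allocator wrapper built on the checked arithmetic: NULL on overflow, on a
 * zero-byte request, or on allocation failure, so no caller can ever
 * receive an undersized buffer. */
void *alloc_records(uint32_t count, uint32_t elem_size) {
    uint32_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes) || bytes == 0) {
        return NULL;
    }
    return malloc(bytes);
}

/* Read the constructed 4-byte big-endian count field from a message. */
uint32_t read_count(const unsigned char *msg) {
    return ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
           ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
}

/* Returns 1 if the hardened path would accept the message, 0 if it rejects
 * it. The buffer is freed again; the point is the decision, not the copy. */
int accept_message(const unsigned char *msg) {
    uint32_t count = read_count(msg);
    void *buf = alloc_records(count, RECORD_SIZE);
    if (buf == NULL) {
        return 0;
    }
    free(buf);
    return 1;
}

int main(void) {
    /* Constructed headers: a hostile count that wraps, and a benign one. */
    static const unsigned char hostile[4] = {0x40, 0x00, 0x00, 0x01};
    static const unsigned char benign[4] = {0x00, 0x00, 0x00, 0x10};

    printf("unchecked size for hostile count: %u bytes\n",
           (unsigned)unchecked_alloc_size(read_count(hostile), RECORD_SIZE));
    printf("hardened path: hostile=%s benign=%s\n",
           accept_message(hostile) ? "accepted" : "rejected",
           accept_message(benign) ? "accepted" : "rejected");
    return 0;
}
```

On a compiler that provides it, `__builtin_mul_overflow(count, elem_size, &bytes)` does the same check in one call; the division form above is the portable equivalent. The check belongs inside the allocation wrapper, not only at individual call sites, which is how the same bug ends up duplicated across every caller of a bare `malloc(count * size)`.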

Fraudulent orders via Afterpay stupidly easy. To resolve them, Afterpay wants to breach victims’ privacy and cost them lots of time.

Shopping online and sending the bill to someone else turns out to be child’s play with Afterpay. That is the finding of the Consumentenbond, which investigated the security of the pay-after-delivery service. Hundreds of consumers received phantom invoices from Afterpay and Klarna, payment services that let consumers pay for online purchases only after receiving them. The amounts range from a few tens of euros to hundreds of euros. With […]

Study finds GAEN Google Apple contact tracing apps allow user + contact location tracking. NL stops use of tracking app.

A study describes the data transmitted to backend servers by the Google/Apple-based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish, Polish, Danish, and Latvian apps could be improved in […]