As the U.S. continues to chart the damage from the sweeping “SolarWinds” hack, France has announced that it too has suffered a large supply chain cyberattack. The news comes via a recently released technical report published by the Agence Nationale de la sécurité des systèmes d’information—or simply ANSSI—the French government’s chief cybersecurity agency. Like the Read more about France has been suffering A Very ‘Solar Winds’-Like Cyberattack since 2017[…]

Now that Apple has officially begun the transition to Apple Silicon, so has malware. Security researcher Patrick Wardle published a blog detailing that he’d found a malicious program dubbed GoSearch22, a Safari browser extension that’s been reworked for Apple’s M1 processor. (The extension is a variant of the Pirrit adware family, which is notorious on Read more about Apple new M1 chip specific Malware Has Arrived[…]

Personal information of more than 243 million Brazilians was exposed for more than six months thanks to weakly encoded credentials stored in the source code of the Brazilian Ministry of Health’s website. The data leak exposed both living and deceased Brazilians’ medical records to possible unauthorized access. The incident was the second reported by Brazilian Read more about Brazil’s Health Ministry’s Website Data Leak Exposed 243 Million Medical Records for More Than 6 Months[…]

German software designer Jonas Strehle has published a proof of concept on GitHub that he says demonstrates a method in which the favicon’s cache can be used to store a unique identifier for a user that is readable “in the browser’s incognito mode and is not cleared by flushing the cache, closing the browser or Read more about Researchers Say Favicons Can Track You Across the Web[…]

Do you have an iPhone or iPad? You should update your device right now to iOS 14.4. No, not later today or after lunch or whatever. Update now.Why is it so crucial to update your iOS software as soon as possible? As TechCrunch first reported, Apple is reporting three security vulnerabilities that “may have been Read more about Update Your iPhone and iPad Right Now[…]

Security researchers from Qualys have identified a critical heap buffer overflow vulnerability in sudo that can be exploited by rogue users to take over the host system. Sudo is an open-source command-line utility widely used on Linux and other Unix-flavored operating systems. It is designed to give selected, trusted users administrative control when needed. The Read more about Decade-old bug in Linux world’s sudo can be abused by any logged-in user to gain root privileges[…]

Dutch police have arrested two individuals on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground. The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr. The ads consisted of Read more about Dutch COVID-19 patient and testing data sold on the criminal underground[…]

The JSOF research labs are reporting 7 vulnerabilities found in dnsmasq, an open-source DNS forwarding software in common use. Dnsmasq is very popular, and we have identified approximately 40 vendors whom we believe use dnsmasq in their products, as well as major Linux distributions. The DNS protocol has a history of vulnerabilities dating back to Read more about DNSPOOQ breaks dnsmasq allowing for cache poisoning, remote code execution and more[…]

WhatsApp groups are showing up on Google search yet again. As a result, anyone could discover and join a private WhatsApp group by simply searching on Google. This was first discovered in 2019, and was apparently fixed last year after becoming public. Another old issue, which also appeared to have been fixed but seems to Read more about WhatsApp Private Groups + user phone numbers Were Accessible Again to Anyone Searching on Google – a yearly event now[…]

High-flying and rapidly growing Chinese social media management company Socialarks has suffered a huge data leak leading to the exposure of over 400GB of personal data including several high-profile celebrities and social media influencers. The company’s unsecured ElasticSearch database contained personally identifiable information (PII) from at least 214 million social media users from around the Read more about Socialarcs 400GB of scraped data exposing 200+ million Facebook, Instagram and LinkedIn users. Again.[…]

Ring, the Amazon-owned friend to nosy police departments everywhere, has suffered another embarrassing security stumble. The surveillance company’s Neighbors app—which was launched in 2018 as a kind of “neighborhood watch” feature—apparently left users exact geographical data and home address information exposed to the internet. Neighbors is Ring’s online forum where users can share public safety Read more about Amazon Ring Neighbors App Left User Data Exposed, incl addresses, lat + long[…]

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here and the Zyxel advisory here. Zyxel is a popular brand for firewalls that are marketed towards small and medium businesses. Their Unified Security Read more about Zyxel products have a hardcoded root user you can access from internet[…]

Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners. In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred Read more about Spotify resets passwords after a security bug exposed users’ private account information – for 6 months[…]

The personal information of more than 243 million Brazilians, including alive and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health’s website for at least six months. The security snafu was discovered by reporters from Brazilian newspaper Estadao, Read more about Data of 243 million Brazilians exposed online via govt website source code[…]

Bumble, the dating app behemoth that’s allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with major security flaws that left sensitive information its millions of users vulnerable. That’s according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing Read more about Bumble Left Daters’ Location Data Up For Grabs For Over Six Months[…]

Microsoft researchers have found evidence that Russian and North Korean hackers have systematically attacked covid-19 labs and vaccine makers in an effort to steal data and initiate ransomware attacks. “Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials, clinical research organization involved in trials, and one Read more about Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs[…]

In a blog post, Alex Weinert, director of identity security at Microsoft, says people should definitely use MFA. He claims that accounts using any type of MFA get compromised at a rate that’s less than 0.1 per cent of the general population. At the same time, he argues people should avoid relying on SMS messages Read more about Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped[…]

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed. The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US Read more about Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years[…]

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that’s not how they put it. They say they just want “lawful access” to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new “Draft Council Resolution Read more about EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.[…]

Website Planet reports that Prestige Software, the company behind hotel reservation platforms for Hotels.com, Booking.com and Expedia, left data exposed for “millions” of guests on an Amazon Web Services S3 bucket. The 10 million-plus log files dated as far back as 2013 and included names, credit card details, ID numbers and reservation details. It’s not Read more about Hotels.com, Booking.com Expedia provider exposed data from 2013 for millions of guests on open AWS bucket[…]

A British software engineer came up with “a fun playful name” for his consulting business. He’d named it: “”> Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly Read more about UK Company House Demands Company Stop Using Name Which Includes an HTML Closing Tag[…]

One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday. The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, Read more about Android v 7.1.1 and lower Won’t Support Many Secure Certificates in 2021[…]

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of Read more about Physical Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo[…]

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured. The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of Read more about In a first, researchers extract secret key used to encrypt Intel CPU code[…]