Archive for the ‘Security’ Category

Attacking Private Networks from the Internet with DNS Rebinding – Following the wrong link could allow remote attackers to control your WiFi router, Google Home, Roku, Sonos speakers, home thermostats, eat your etherium coins and more.

The home WiFi network is a sacred place; your own local neighborhood of cyberspace. There we connect our phones, laptops, and “smart” devices to each other and to the Internet and in turn we improve our lives, or so we are told. By the late twenty teens, our local networks have become populated by a […]

Significant Vulnerabilities in Axis Cameras – patch now!

One of the vendors for which we found vulnerable devices was Axis Communications. Our team discovered a critical chain of vulnerabilities in Axis security cameras. The vulnerabilities allow an adversary that obtained the camera’s IP address to remotely take over the cameras (via LAN or internet). In total, VDOO has responsibly disclosed seven vulnerabilities to […]

Blockchain’s Once-Feared 51% Attack Is Now Becoming Regular among smaller coins

Monacoin, bitcoin gold, zencash, verge and now, litecoin cash. At least five cryptocurrencies have recently been hit with an attack that used to be more theoretical than actual, all in the last month. In each case, attackers have been able to amass enough computing power to compromise these smaller networks, rearrange their transactions and abscond […]

Cisco Removes Backdoor Account, Fourth in the Last Four Months

For the fourth time in as many months, Cisco has removed hardcoded credentials that were left inside one of its products, which an attacker could have exploited to gain access to devices and inherently to customer networks. This time around, the hardcoded password was found in Cisco’s Wide Area Application Services (WAAS), which is a […]

Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins

German researchers reckon they have devised a method to thwart the security mechanisms AMD’s Epyc server chips use to automatically encrypt virtual machines in memory. So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP or HTTPS requests. […] a technique dubbed SEVered can, […]

Over 900,000 personal records of South Africans leaked online

Barely a year after South Africa’s largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what […]

Spectre comes back to haunt Processor Makers Confirm New Security Flaws, So Update Now

Intel is finally confirming that its computer processors are vulnerable to an additional variant of Spectre, the nasty security vulnerability that affects nearly every CPU currently in devices and in the marketplace. German computing magazine C’t first reported the additional flaws, which can be exploited in a browser setting using a runtime (think Javascript), on […]

Seriously, Cisco? Another hard-coded password? Sheesh

Cisco’s issued 16 patches, the silliest of which is CVE-2018-0222 because it’s a hard-coded password in Switchzilla’s Digital Network Architecture (DNA) Center. “The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software,” Cisco’s admitted. As you’d expect, “An attacker could exploit this vulnerability by […]

Entire Nest ecosystem of smart home devices goes offline

For at least a few hours overnight, owners of Nest products were unable to access their devices via the Nest app or web browsers, according to Nest Support on Twitter. Other devices like Nest Secure and Nest x Yale Locks behaved erratically. The as of yet unexplained issues affected the entire lineup of Nest devices, […]

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which […]

Many Satellites run Windows 95 – and are ripe for hacking

Hundreds of multi-ton liabilities—soaring faster than the speed of sound, miles above the surface of the earth—are operating on Windows-95.They’re satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they’re invaluable resources. Even though they’re old, it’s […]

Hackers Steal Data on 14 Million Users From Ride-Hail App Careem

Careem, a ride-hail startup based in Dubai and operating in 14 countries, announced today that hackers stole data belonging to 14 million riders and drivers. The company discovered the breach on January 14 but waited to notify its customers because the investigation was ongoing. “Cybercrime investigations are immensely complicated and take time. We wanted to […]

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!

The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world’s largest ever computer security breaches. Now known as Altaba following its long, slow and painful descent in irrelevance, Yahoo! knew that its entire user database – including billions of […]

Cops Around the Country Can Now Unlock iPhones, Records Show

Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests.   […]

Data exfiltrators send info over PCs’ power supply cables

If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates […]

Under Armour Data Breach: 150 Million MyFitnessPal Accounts Hacked

Under Armour Inc., joining a growing list of corporate victims of hacker attacks, said about 150 million user accounts tied to its MyFitnessPal nutrition-tracking app were breached earlier this year. An unauthorized party stole data from the accounts in late February, Under Armour said on Thursday. It became aware of the breach earlier this week […]

Trustwave Global IT Security Report Summarised

Hackers have moved away from simple point-of-sale (POS) terminal attacks to more refined assaults on corporations’ head offices. An annual report from security firm Trustwave out today highlighted increased sophistication of web app hacking and social engineering tactics on the part of miscreants. Half of the incidents investigated involved corporate and internal networks (up from […]

T-Mobile Austria stores passwords as plain text

A customer was questioning if rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria’s Twitter account confirmed that this was the case, but that there was no need to worry because “our security is amazingly good.” Hello Claudia! The customer […]

NUC, NUC! Who’s there? Intel, warning you to kill a buggy keyboard app

Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers to out-of-the-way places like digital signage. Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel […]

Rise in Ransomware Attacks Actually Led to Fewer Exposed Records, IBM Discovers

It seems as if last year’s data breaches were characterized by increased regularity, yet somehow, according to the latest research from IBM Security, fewer records were actually exposed. The year saw a 25 percent dip in exposed records—2.5 billion down from 4 billion the previous year—according to IBM’s latest X-Force report. The cause: Cybercriminals have […]

1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force. During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), […]

Hacker Uses Exploit to Generate Verge Cryptocurrency out of Thin Abir

An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state […]

Secret Service Warns of Chip Card Scheme: replacing the chip and then draining after activation

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates […]

DronesForLess leaks customer purchasing data

The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register. We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection […]

IOS QR ‘bug’ isn’t a bug: trend in pointing out things working as intended as a security advisory continues

So: Oddly enough, if you make a QR code that tells you to go somewhere, the camera will take you to where the QR code tells you to go, even if you tell someone that the QR code goes someplace else. This trend of ‘reporting’ security problems that are not security problems at all is […]

 
Skip to toolbar