Archive for the ‘Security’ Category

SVR Tracking leaks info for hundreds of thousands of vehicles. Turns out they have been tracking you even when your car wasn’t stolen.

Researchers discovered a misconfigured Amazon AWS S3 bucket that was left publically available. The breach has exposed information about their customers and re-seller network and also the physical device that is attached to the cars. The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI […]

Equifax fooled again! Blundering credit biz directs hack attack victims to parody site

When news of the hack was published on September 7, over a month after its scale had been discovered, Equifax set up a website for worried customers to check if they had been affected – equifaxsecurity2017.com – rather than setting it up on the equifax.com domain. As a bit of fun security researcher Nick Sweeting […]

Popular GO Android alternate Keyboard is spying on millions of Android users

Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as “using a prohibited technique to download dangerous executable code.” Adguard made the […]

Equifax another breach: had ‘admin’ as login and password in Argentina

Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing “admin” as both a login and password. He added that this gave access to records that included thousands of customers’ national identity numbers. Last week, the firm revealed a separate attack affecting millions in the US. […]

Moneyback leaks 500k tourists to Mexico customer records: passports, credit cards, IDs.

Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The Kromtech Security Research Center has discovered a misconfigured database with nearly […]

Equifax loses 143 million US, UK and Canadian customer records in data breach.

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized […]

Apache REST / Struts easily exploitable through browser

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites. A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely […]

Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings. Just before the […]

After years of IBAN, only 1 NL bank has just figured out how to check the name with an account.

The Rabobank has started warning users when the name doesn’t match an IBAN account. A trivial function that used to work before IBAN but apparently was so hard to implement that users have had to wait for years to get. If you put in the wrong number – then sorry, you were screwed! Now for […]

Data Breach Exposes Thousands of Job Seeker CVs Citing Top Secret Government Work

Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year. […] Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances […]

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month. The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World […]

Intel ME controller chip can be disabled after all – for governments

Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk. Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data […]

Inside the Massive 711 Million Record Onliner Spambot Dump

Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That’s a bit of a relative term though because whilst I’ve loaded “big” spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River […]

Bitcoin-accepting sites leave cookie trail that crumbles anonymity

Of the 130 sites the researchers checked: In total, 107 sites leaked some kind of transaction information; 31 allowed third-party scripts to access users’ Bitcoin addresses; 104 shared the non-BTC denominated price of a transaction; and 30 shared the transaction price in Bitcoin. It doesn’t help that even for someone running tracking protection, a substantial […]

UK Home Secretary calls people who use encryption not ‘real’ and Daesh sympathisers

In an article in the Daily Telegraph timed to coincide with Rudd’s appearance at a closed event in San Francisco, Rudd argued: “Real people often prefer ease of use and a multitude of features to perfect, unbreakable security.” She continued: “Who uses WhatsApp because it is end-to-end encrypted, rather than because it is an incredibly […]

US Congress dreams of IoT and gets it right! Except it won’t protect consumers, only gov.

The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks. […] The bill […]

DNA Testing Data Is Disturbingly Vulnerable to Hackers

In a new study that will be presented next week at the 26th USENIX Security Symposium in Vancouver, University of Washington researchers analyzed the security practices of common, open-source DNA processing programs and found that they were, in general, lacking. That means all that super-sensitive information those programs are processing is potentially vulnerable to hackers. […]

Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors. Police gain access to Dream accounts via password reuse In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and […]

It took DEF CON hackers minutes to pwn these US voting machines

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside. In less than 90 minutes, the first cracks […]

Bloke takes over every .io domain by snapping up crucial name servers

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register. Out of interest, he tried to buy them and was amazed […]

Create a user called ‘0day’, get bonus root privs – thanks, Systemd!

To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file. Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this. The systemd […]

HMS QE: Britain’s newest Aircraft Carrier runs Windows XP

The Royal Navy’s brand new £3.5bn aircraft carrier HMS Queen Elizabeth is currently* running Windows XP in her flying control room, according to reports. Defence correspondents from The Times and The Guardian, when being given a tour of the carrier’s aft island – the rear of the two towers protruding above the ship’s main deck […]

Obama’s secret struggle to punish Russia for Putin’s election assault

The White House debated various options to punish Russia, but facing obstacles and potential risks, it ultimately failed to exact a heavy toll on the Kremlin for its election meddling. Source: Obama’s secret struggle to punish Russia for Putin’s election assault

Password Reset man in the middle attack

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free […]

Personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured Amazon server.

A huge trove of voter data, including personal information and voter profiling data on what’s thought to be every registered US voter dating back more than a decade, has been found on an exposed and unsecured server, ZDNet has learned. It’s believed to be the largest ever known exposure of voter information to date. The […]

 
Skip to toolbar