The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of Read more about Multi-factor authentication bombing fatigue can blow open security[…]

Amazon didn’t protect one of its internal servers, allowing anyone to view a database named “Sauron” which was full of Prime Video viewing habits. As TechCrunch reports(Opens in a new window), the unprotected Elasticsearch database was discovered by security researcher Anurag Sen(Opens in a new window). Contained within the database, which anyone who knew the Read more about Whoops! Amazon Left Prime Video DB with viewing habits (Named ‘Sauron’) Unprotected – yup Elasticsearch[…]

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately. Thomson Reuters provides Read more about Thomson Reuters leaked at least 3TB of sensitive data – yes, open elasticsearch instances[…]

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties. Advocate Aurora Health (AAH) reported the potential breach to the US government’s Health and Human Services. As well as millions of patients, Read more about Advocate Aurora Health leaks 3 million patient’s data to big tech through webtracker installation[…]

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities. The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front websites designed, though, according to security research group Read more about CIA betrayed informants with shoddy covert comms websites[…]

Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Read more about Chrome & Edge Enhanced Spellcheck Send your PII, Including Your Passwords to Microsoft and Google, Alibaba and 3rd parties[…]

An anonymous reader quotes a report from the New York Times: Morgan Stanley Smith Barney has agreed to pay a $35 million fine to settle claims that it failed to protect the personal information of about 15 million customers, the Securities and Exchange Commission said on Tuesday. In a statement announcing the settlement, the S.E.C. Read more about Morgan Stanley Settles for $32m after Hard Drives With Data on 15m customers Turn Up On Auction Site[…]

Electronics Arts (EA) is launching a new kernel-level anti-cheat system for its PC games. The EA AntiCheat (EAAC) will debut first in FIFA 23 later this fall and is a custom anti-cheat system developed in-house by EA developers. It’s designed to protect EA games from tampering and cheaters, and EA says it won’t add anti-cheat Read more about EA announces feels free to take over your OS with kernel-level anti-cheat system for PC games[…]

[…] The newly discovered security issue impacts versions of the application for Windows, Linux, and Mac and refers to Microsoft Teams storing user authentication tokens in clear text without protecting access to them. An attacker with local access on a system where Microsoft Teams is installed could steal the tokens and use them to log Read more about Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs – wait isn’t it 2022?[…]

Cisco patched three security vulnerabilities in its products this week, and said it will leave unpatched a VPN-hijacking flaw that affects four small business routers. Those small-biz routers – the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router – have reached their end-of-life (EoL) and the Read more about Dump these routers, says Cisco, because we won’t patch them[…]

Massive amounts of private data – including more than 300,000 biometric digital fingerprints used by five mobile banking apps – have been put at risk of theft due to hard-coded Amazon Web Services credentials, according to security researchers. Symantec’s Threat Hunter Team said it discovered 1,859 publicly available apps, both Android and iOS, containing baked-in Read more about IOS Mobile banking apps put 300,000 digital fingerprints at risk using hardcoded AWS credentials[…]

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintento franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes an anti-cheat kernel driver that Read more about Genshin Impact installs “anti cheat” rootkit signed by Microsoft which is exploited in the wild. Stop allowing spyware rootkits, Microsoft![…]

Last Saturday, I sat in a crowded ballroom at Caesar’s Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor’s control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes’s talks). The presentation was significant because Deere – along with Apple Read more about How bad the problem with John Deere Tractors really is, how not being open leads to incredibly bad security[…]

farmers around the world have turned to tractor hacking so they can bypass the digital locks that manufacturers impose on their vehicles. Like insulin pump “looping” and iPhone jailbreaking, this allows farmers to modify and repair the expensive equipment that’s vital to their work, the way they could with analog tractors. At the DefCon security Read more about A New Jailbreak for John Deere Tractors wants Right-to-Repair insecure and outdated tech in them[…]

The Open Cybersecurity Schema Framework is an open-source project, delivering an extensible framework for developing schemas, along with a vendor-agnostic core security schema. Vendors and other data producers can adopt and extend the schema for their specific domains. Data engineers can map differing schemas to help security teams simplify data ingestion and normalization, so that Read more about Open Cybersecurity Schema Framework released[…]

[…] The issue occurred when a user created or revoked a shared invitation link for their workspace. The good news is that the password wasn’t plaintext, and it wasn’t visible in any Slack clients. The bad news is that it could be picked up by monitoring encrypted traffic from Slack’s servers, and it appears that Read more about Slack exposed hashed passwords for years[…]

VMware has fixed a critical authentication bypass vulnerability that hits 9.8 out of 10 on the CVSS severity scale and is present in multiple products. That flaw is tracked as CVE-2022-31656, and affects VMware’s Workspace ONE Access, Identity Manager, and vRealize Automation. It was addressed along with nine other security holes in this patch batch, Read more about VMware patches critical admin authentication bypass bug[…]

Atlassian has warned users of its Bamboo, Bitbucket, Confluence, Fisheye, Crucible, and Jira products that a pair of critical-rated flaws threaten their security. The company’s July security advisories detail “Servlet Filter dispatcher vulnerabilities.” One of the flaws – CVE-2022-26136 – is described as an arbitrary Servlet Filter bypass that means an attacker could send a Read more about Atlassian reveals critical flaws in most of their products[…]

[…] “The vulnerabilities,” explained the ESET Research team, “can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” “It’s a typical UEFI ‘double GetVariable’ vulnerability,” the team added, before giving a hat tip Read more about Lenovo fixes trio of UEFI vulnerabilities – fortunately not for Thinkpads though[…]

[…] CVE-2022-2319 and CVE-2022-2320 were made public this morning and both deal with the X.Org Server’s Xkb keyboard extension not properly validating input that could lead to out-of-bounds memory writes. Hopefully though in 2022 you aren’t relying on your xorg-server running as root. Fixes for these XKB vulnerabilities have been patched in X.Org Server Git Read more about X.Org Server Hit By New Local Privilege Escalation, Remote Code Execution Vulnerabilities[…]