Vulnerabilities

It’s going to be like a whole bunch of mini Y2K bombs going off, especially hitting devices that never get updates.

5 Likes

845GB of racy dating app records exposed to entire internet via leaky AWS buckets

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download.

Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records.

Hooray for the Magic Cloud! I see a lot of articles on how to write serverless apps. Bullcrap! It has a server and it’s somebody else’s computer.

5 Likes

Ain’t that the truth…

And seriously, how hard can it be to set up AWS buckets with at least minimum protection? I was given to understand that even using the default settings would offer at least a teensy-weensy bit of security.

1 Like
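An added example, not part of the original thread or of any of the reports it quotes: the usual way a bucket like the one above ends up "facing the public internet" is an Allow statement whose Principal is `*`, combined with Block Public Access being switched off. The script below flags such statements in a bucket policy document and then checks whether the account-level or bucket-level Block Public Access setting `RestrictPublicBuckets` would have neutralised the policy anyway. The policies, bucket name and account ID are constructed for the example; the policy grammar and the four `PublicAccessBlockConfiguration` keys are the real S3 ones.

```python
import json

# Constructed sample policies (not taken from any article): the first is the kind of
# "anyone may read" policy that leaves a bucket open to the whole internet, the second
# grants access only to one IAM role in the bucket owner's (made-up) account.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Block Public Access settings, keyed as in the S3 API's PublicAccessBlockConfiguration.
# RestrictPublicBuckets makes S3 ignore a public bucket policy for anonymous callers.
BPA_ALL_ON = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}
BPA_ALL_OFF = {key: False for key in BPA_ALL_ON}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True when the statement matches anyone on the internet (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return (Sid, actions) for every Allow statement that an anonymous caller matches.

    A statement carrying a Condition block is skipped: it may still be public, but the
    condition keys need a human to look at them rather than a blanket verdict.
    """
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action"))))
    return found


def is_public(policy_json):
    """True when the policy, on its own, grants anonymous access."""
    return bool(public_statements(policy_json))


def still_exposed(policy_json, bpa):
    """Combine the policy verdict with Block Public Access: with RestrictPublicBuckets on,
    S3 ignores the public policy for anonymous callers, so the bucket is not exposed."""
    return is_public(policy_json) and not bpa.get("RestrictPublicBuckets", False)


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        print(name, "public statements:", public_statements(policy))
        print(name, "exposed with BPA off:", still_exposed(policy, BPA_ALL_OFF))
        print(name, "exposed with BPA on: ", still_exposed(policy, BPA_ALL_ON))
```

The point of the second check is the one the reply above is getting at: a bad policy is only half the story, and the Block Public Access switches are the backstop that decides whether a mistake in the policy turns into a bucket anyone can list. In a real audit the policy JSON and the `PublicAccessBlockConfiguration` would come from the S3 API for each bucket; here they are embedded so the logic runs offline.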

Tens of millions of Internet-of-Things, network-connected gizmos at risk of remote hijacking? Computer, engage shocked mode

A bunch of flaws in a commonly used TCP/IP software stack have put potentially tens of millions of Internet-of-Things devices, healthcare equipment, industrial control systems, and other network-connected gear at risk of remote attack, it is claimed.

Boffins find that over nine out of ten ‘ethical’ hackers are being a bit naughty when it comes to cloud services

Chrome extensions are ‘the new rootkit’ say researchers linking surveillance campaign to Israeli registrar Galcomm

Updated Researchers at Awake Security have published a report on malicious extensions in the Chrome web store, making both specific claims of over 32 million downloads of one malware family, and general claims of weak security in both domain registration and Google’s store.

The researchers said they have been tracking a “massive global surveillance campaign that affects almost every enterprise we have investigated” linked to a specific Israel-based domain registrar called Communigal Communication Ltd (Galcomm).

2 Likes

The Maze ransomware gang has screwed up by targeting a New York design and construction firm instead of the Canadian Standards Association it was intending to hit.

1 Like

Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.

Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take control of a computer running Bitdefender’s antivirus package. The bug, privately reported in April, was patched in May.

Chrome extensions are ‘the new rootkit’

Just in time to round out my discussion with my teenage daughter about why Chrome is not on any of our computers at home.

:smile: Thank you

2 Likes

Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

Exclusive More than 240 website subdomains belonging to organizations large and small, including household names, were hijacked to redirect netizens to malware, X-rated material, online gambling, and other unexpected content.

These big names are said to include Chevron, the Red Cross, UNESCO, 3M, Getty Images, Hawaiian Airlines, Arm, Warner Brothers, Honeywell, Autodesk, Toshiba, Xerox, the NHS, Siemens, Volvo, Clear Channel, Total, and more.

And it’s all due to the way they were hosted in Microsoft’s Azure cloud.

2 Likes

Shopped recently in a small online store? Check this list to see if it was one of 570 websites infected with card-skimming Magecart

The payment-card-skimming Magecart malware has turned up on yet more websites, this time 570 spanning 55 countries, it emerged this week.

The team at security biz Gemini Advisory said a long-running criminal gang dubbed Keeper compromised hundreds of online shopping sites over the past three years to install the software nasty.

Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.

This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.

It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

4 Likes

I bought a new Western Digital NAS to replace my ailing LaCie NAS. As I was setting it up, I was absolutely baffled by its archaic and ridiculous security requirements.

First I generate a password for it using my password manager and I see this shit:

image

Dafuq?

Ok, whatever, I’ll generate a password with only alphanumeric characters:

image

What the hell kind of shit is this?

7 Likes

NSA warns that mobile device location services constantly compromise snoops and soldiers

The United States National Security Agency has issued new advice on securing mobile devices that says location services create a security risk for staff who work in defence or national security.

The new guide [PDF], titled “Limiting Location Data Exposure”, notes that smartphones, tablets and fitness trackers “store and share device geolocation data by design.”

3 Likes

NSA warns that mobile device location services constantly compromise snoops and soldiers

What drives me nuts is that short of owning a phone with verifiable, physical switches to power down the radios, the location settings mean nothing. “Turning location settings off” just means “making the pretty picture that says it’s my location settings tell me they are off”.

I’m hanging on to my ancient bento-box Lenovo because it has hardware kill switches for the radios…

Treat anything commercial as an extension of the manufacturing company’s national spy services and you’ll have the right attitude. “Selling ads” based on “AI” is a 4% improvement; I see it as a cover for the more high-paying jobs like stealing elections.

This sounds paranoid, but I keep getting my paranoia confirmed in the press, usually a year or two after someone shakes their head and tells me I’m being paranoid…

4 Likes

This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

The NSA and FBI are sounding the alarm over a dangerous new strain of Linux malware being employed by Russian government hackers often dubbed the Fancy Bear crew.

4 Likes

Shine on: Boffins bedazzle Alexa and her voice-controlled assistant kin with silent laser-injected commands

Boffins affiliated with the University of Electro-Communications in Japan and America’s University of Michigan have devised a way to use lasers to inject audio commands into mic-equipped devices.

Thus you can wordlessly hijack someone’s voice-controlled smart speaker, just by shining a laser onto its microphone.

2 Likes

a dangerous new strain of Linux malware

The new/alarming danger here is that it has a rather slick loadable kernel module in your I/O subsystem, and makes itself rather hard to spot. A zero-day or social hack/spy with root/pipe-wrench decryption is needed to get it into your systems.

:thinking: OpenBSD’s lack of graphics card support can be a no-go for some of my work, but at the least I’ve been thinking once again of rolling my own kernels and disabling run-time module loading. It has been a while (20 years) since I did that. Probably time to start enforcing FIDO/2FA on my systems as well. I’m starting to think that being able to use these tools and Linux is going to be a basic intelligence test before I hire people. :neutral_face: That, and using Greek letters in my source code… :grin:

1 Like

CREST cancels UK infosec accreditation exams after fresh round of ‘cheat sheets’ are leaked online

Exclusive British infosec accreditation body CREST has suspended all of its accreditation exams after The Register revealed a published cache of files including what appeared to be internal exam sheets as well as docs apparently tied to key industry player NCC Group.

1 Like