It looks like you can attribute contributions on github.com to anyone you feel like, without having their password.
For a project that’s been around for a while, it’s a real shitshow at identity verification. Or… is this a way to get people to pay for the enterprise edition?
Impersonating users of ‘protest’ app Bridgefy was as simple as sniffing Bluetooth handshakes for identifiers
An instant messaging app whose creators promoted it as secure and end-to-end encrypted was in fact no such thing, according to researchers at Royal Holloway.
The University of London college found, according to a paper it published yesterday, that the app “permits its users to be tracked, offers no authenticity, no effective confidentiality protections and lacks resilience against adversarially crafted messages”.
Feeling bad about your last security audit? Check out what just happened to the US Department of Interior
The US Department of the Interior (DoI) spectacularly failed its latest computer security assessment, mostly for a lack of Wi-Fi defenses.
This is according to a report [PDF] from the department’s inspector general (via NextGov) which found that, among other failings, the DoI internal wireless network could be broken into over the air using a smartphone and less than $200 of gear stuffed into a backpack.
Woman dies after hospital is unable to treat her during crippling ransomware infection, cops launch probe
A woman in Germany died after a ransomware infection prevented her hospital from giving emergency treatment.
The unnamed patient died en route to a hospital in another city after she was unable to get treatment in Düsseldorf due to the malware affecting computer systems. A manslaughter investigation is now underway against the ransomware’s operators, who have yet to be identified.
In their very, very thin defense, the crooks behind the file-scrambling nasty turned over the decryption key to the cops when they were informed they had hit a hospital with their crimeware. Since then, the operators have gone dark. Chances are they are not in Germany and there’s not much hope for an arrest and extradition.
Doppelpaymer ransomware crew fingered over attack on German hospital that allegedly caused death of a patient
The Doppelpaymer ransomware gang were behind the cyber-attack on a German hospital that allegedly led to one patient’s death, according to local sources.
The Aachener Zeitung newspaper carried a report from the German Press Association (DPA) that Doppelpaymer’s eponymous ransomware had been introduced to the University Hospital Düsseldorf’s network through a vulnerable Citrix product.
Your latest security headache? Ed from accounting using his kid as an unpaid helpdesk
Parents are turning to their kids for tech support rather than the company IT department while working from home, we’re told.
A survey by consultants Prolifics Testing set out to determine what it would cost for the tech support services the average teen provides their parents, and it concluded this month kids will, on average, do about £4,200 a year in IT work.
Microsoft leaks 6.5TB in Bing search data via unsecured Elastic server. Insert ‘Wow… that much?’ joke here
Microsoft earlier this month exposed a 6.5TB Elastic server to the world that included search terms, location coordinates, device ID data, and a partial list of which URLs were visited.
According to a report from cyber-security outfit WizCase, the server was password-protected until around 10 September, when “the authentication was removed,” we’re told.
Big US election coming up, security is vital and, oh look… a federal agency just got completely pwned for real
An unspecified US government agency was hacked by a miscreant who appears to have made off with archives of information.
This is according to Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA), which on Thursday went into technical detail on how an intruder: broke into staffers’ Office 365 accounts; gained access the agency’s internal network via its VPN; and installed malware and exfiltrated data.
EFF off: Privacy Badger disables by default anti-tracking safeguard that can be abused to track you online
The EFF has disabled by default an anti-tracking feature in its Privacy Badger browser extension – after Googlers warned it could be abused to track people.
Backdoorer the Xplora: Kids’ smartwatches can secretly take pics, record audio on command by encrypted texts
The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic.
This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora said. Exploiting this security hole is essentially non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today’s gizmos.
The seven deadly sins letting hackers hijack America’s govt networks: These unpatched bugs leave systems open
If you’re wondering which bugs in particular miscreants are exploiting to break into, or attempt to break into, US government networks, wonder no more. And then make sure you’ve patched them.
I read this as the “Red Unlock” service mode being a backdoor that is supposedly only accessible by Intel for their own purposes. And by extension as an excellent example why backdoors are never a good idea in the long run.
Kids’ gaming website Animal Jam breached after miscreants spot private AWS key on pwned Slack channel
Child-friendly games website Animal Jam suffered a hack that exposed 46 million user records after a staff Slack channel was compromised by malicious people who discovered a private AWS key.
Animal Jam chief exec Clary Stacey confirmed the hack after Bleeping Computer spotted information from the compromised AWS server being posted on stolen data bazaar raidforums[.]com.
At the time of writing, users of the forum were claiming to have decrypted at least part of the encrypted databases stolen.
Imagine things are bad enough that you need a payday loan. Then imagine flaws in systems of loan lead generators leave your records in the open… for years
Two separate internet affiliate networks have closed vulnerabilities that exposed potentially millions of records in one of the most sensitive areas: payday loans.