Vulnerabilities

UK Special Forces soldiers’ personal data was floating around WhatsApp in a leaked Army spreadsheet

An astonishing data security blunder saw the personal data of Special Forces soldiers circulating around WhatsApp in a leaked British Army spreadsheet.
The document, seen by The Register, contained details of all 1,182 British soldiers recently promoted from corporal to sergeant – including those in sensitive units such as the Special Air Service, Special Boat Service and the Special Reconnaissance Regiment.
Special Forces soldiers’ identities are supposed to be protected from public disclosure in case terrorists target them or their families. Yet yesterday an Excel file was freely being passed around on WhatsApp groups after being leaked from inside the Ministry of Defence.
[…]


Alibaba’s Chinese shopping operation Taobao has suffered a data breach of over a billion data points including usernames and mobile phone numbers. The info was lifted from the site by a crawler developed by an affiliate marketer.
[…]


The info was lifted from the site by a crawler developed by an affiliate marketer.

I’ve been called names for my rather unfashionably conservative views on how networks should be run… however…

From my experience both as an independent entrepreneur and at major banks, it’s the inside threats that are the worst. Both heads of security at the international banks I worked for admitted to being vulnerable (indeed, blind) to inside exfiltration of data. My experiences since those days, particularly now where any cell phone, blu-ray player, factory configured laptop, can be the instrument of an adversarial (state or criminal) actor on your internal networks, have only increased my (I’d call it “paranoia” but it keeps getting confirmed as) “justified caution”.


It’s an older code, but it checks out…

tl;dr GPRS encryption algos GEA-1 and GEA-2 were (p→1) backdoored, and are still supported in modern handsets as a fall-back.

So if the adversary wants to decrypt the conversation, I suppose they have to trigger the tower to force your handset to fall back to the 90’s algos it probably still supports.


Sure looks like someone’s pirating the REvil ransomware, tweaking the binary in a hex editor for their own crimes

Pull your Western Digital My Book Live NAS off the internet now if you value your files

Western Digital has alerted customers to a critical bug on its My Book Live storage drives, warning them to disconnect the devices from the internet to protect the units from being remotely wiped.

In an advisory, the storage firm said My Book Live and My Book Live Duo devices were being “compromised through exploitation of a remote command execution vulnerability” CVE-2018-18472. The exploit is described as a root remote command execution bug which can be triggered by anyone who knows the IP address of the affected device – and is currently being “exploited in the wild in June 2021 for factory reset commands.”

[…]


We need a “Supply Chain Attack” thread… and maybe even :notes: a theme song :notes: to play, :thinking: something earwormy… because we’ll hear it a lot! :man_facepalming:


OpenBSD’s authpf at the firewall for access would solve this, would it not? SSHFS does a good job too…

Edit: I say this because it annoys me when a big company rolls its own solution to a well solved problem, and then that solution has horrific bugs. Wrap a GUI around well debugged tools, and at least your bugs will be in the GUI, not the infrastructure.


The controversy has been sizeable enough to make it to BBC News.

I’m going to stick with an older version which is perfectly fine for the rare occasions I use it, but there are FOSS alternatives and new forks being planned.


Kaspersky Password Manager’s random password generator was about as random as your wall clock


Ransomware-hit law firm gets court order asking crooks not to publish the data they stole

A barristers’ chambers hit by a ransomware attack has responded by getting a court order demanding the criminals do not share stolen data.

4 New Square chambers, which counts IT dispute experts among its ranks, obtained a privacy injunction from the High Court at the end of June against “person or persons unknown” who were “blackmailing” the firm.

[…]

Problem solved!


Matthew Green did a good thread on this:


Audacity fork maintainer quits over harassment allegations after 4chan losers took issue with ‘Tenacity’ name

Efforts to wrest control of the open-source Audacity audio editing project from corporate owner Muse Group have hit a stumbling block after the maintainer of one of the more popular forks stepped down over alleged physical harassment.

[…]