Items tagged with security

Imagine hitting it off with a love (or lust) interest, and then finding out the person who grabbed your attention never existed, at least not in the way you thought. Such a situation recently happened to hundreds of Israeli soldiers who fell prey to a "honey trap" campaign and contracted digital infections on their mobile phones. Hamas cyber militants made a bunch of fake profiles on various social media sites and chat services, including Facebook, Instagram, WhatsApp, and Telegram, and used pictures of teenage girls for the profile photos to lure soldiers into the scam. Through instant messaging exchanges, soldiers were duped into downloading dating apps containing malware. Hamas created fake... Read more...
Nearly every device on the market relies on firmware and many devices include multiple components with their own firmware. Manufacturers and developers have begun to focus on protecting system firmware from potential attackers, but peripheral firmware often receives very little attention. Security researchers at Eclypsium recently uncovered unsigned or unverified firmware in devices by companies such as Lenovo, HP, and Dell and were able to successfully attack a server. Many have been aware for quite some time of the dangers of unsigned firmware, but this recent study emphasizes how frequently manufacturers tend to ignore peripherals. Katie Teitler, Senior Analyst at TAG Cyber, remarked, “Software... Read more...
It's all fun and games until a nasty bit of malware infiltrates your PC and wreaks havoc, right? To quote the late, great Bill Paxton, at that point it's "Game over man! Game over!" Fortunately, common sense computing habits are highly effective. Malware writers can be a clever, however, and security researchers are warning of a particular strain posing as a popular games launcher. The malware in question is called LokiBot. If infected, it can swipe personal data from your PC, including passwords and cryptocurrency information (in case you're still into mining or collecting cryptocurrencies). LokiBot is not new—it's shown up through various means in the past, including a variant that used... Read more...
The contentious relationship between the United States government and Huawei, the second largest smartphone maker in the world behind Apple, is not easing up. Just the opposite, US government officials reportedly claim to have evidence that Huawei is able to spy on users through "backdoors" installed on its mobile devices. In tech parlance, a backdoor is a method of bypassing authentication and encryption schemes. It has been a bit of a hot topic, with the U.S. government urging Apple on numerous occasions to build backdoors into iOS to make it easier for law enforcement to crack iPhone devices that are linked to criminal suspects. Apple has so far resisted, saying that such a backdoor would... Read more...
Android users need to apply the latest round of security updates to their devices as one of them is meant to address a critical vulnerability in the Bluetooth subsystem. The flaw is known as CVE-2020-0022, and when exploited, it could allow arbitrary code to be run on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active. A security update released on Monday addressed this flaw. CVE-2020-0022 was discovered and reported by the Technische Universität Darmstadt, Secure Mobile Networking Lab, and is considered critical on Android Oreo 8.0 and 8.1 as well as Android Pie 9.0. Attackers could leverage CVE-2020-0022 to spread malware from one vulnerable... Read more...
Hackers need physical access to a computer or need to trick a user into installing malware to steal data from an air-gapped PC (one that is not physically connected to a network). Air-gapped computers can have malware installed to steal data, but getting the data out is harder. That may not be the case with new research shared by The Hacker News that claims hackers can exfiltrate sensitive data from a PC by changing the brightness of the screen. This hack allegedly works on air-gapped computers. The hack is said to play an important role in stealing sensitive data from an infected, but an air-gapped computer. Details of the process come from Mordechai Guri, head of cybersecurity research center... Read more...
Well, this is disturbing. Russian security researcher Vladislav Yarmak is warning of a backdoor that exists in firmware for digital video recorder (DVR) and network video recorder (NVR) powered by HiSilicon system-on-chip (SoC) hardware. This is a zero-day vulnerability that could allow an attacker to gain root access to a compromised device, thereby giving them full control of the gadget. Yarmak says he discovered the vulnerability in firmware made by Hangzhou Xiongmai Technology, a Chinese firm based in Hangzhou. This is an unsettling trend with Xiongmai—back in late 2018, it was reported that over 9 million cameras and DVRs built by Xiongmail (and rebranded by several other companies)... Read more...
Security researchers are warning of an exploit in the ZigBee low-power wireless power protocol that could allow an attacker to infiltrate a home network through smart lighting. The researches focused primarily on Philips Hue smart bulbs because of their market popularity in the smart lighting segment, though the ZigBee protocol is actually used on a wide range of Internet of Things (IoT) devices. "Continuing from where the previous research left off, Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities," Check Point stated... Read more...
Another day, another data privacy flub, and this time it's from Google. Google Takeout is a service that allows users to download their data from Google apps as a backup or to use it with another service. That sounds good on the surface until, somehow, Google managed to send backed up videos to unrelated users. Google began warning users of impacted accounts this week. Google is calling sending videos to the wrong person a "technical issue," and the letter sent to users notes that between November 21-25, 2019, anyone who requested a backup could have had videos in Google Photos "incorrectly exported to unrelated users' archives." A letter sent out to some users didn't specify how many videos... Read more...
Earlier this week, we reported that Avast was under fire for its data privacy policies (or lack thereof) for its free antivirus software. Through its subsidiary Jumpshot, Avast sold vast amounts of user data to big name customers like Google and Microsoft (among others). Although Avast claimed that the data that it obtained and transmitted to these companies via Jumpshot was "fully de-identified and aggregated", it was rather easy to piece the data together including a user's device ID, time stamps, and other pertinent details to track a person across the web. "Maybe the (Jumpshot) data itself is not identifying people," said privacy researcher Gunes Acar earlier this week in reference... Read more...
LabCorp is one of the largest medical laboratory companies in the country. Chances are high that anyone who has had lab tests run at the doctor's office or hospital has used LabCorp at some point. The company had a major security flaw with its website that exposed confidential medical documents, including lab test results. The breach is reportedly the result of a vulnerability on the LabCorp website that has to do with its internal customer relationship management system. The system was apparently misconfigured, and the website component designed to pull patient files from the back-end was left exposed. The system appeared to be protected with a password. The unprotected web address for the back-end... Read more...
Researchers have dubbed a newly discovered vulnerability affecting Intel CPUs as CacheOut (how bout dah?), noting it can "violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves." As you might have guessed, this is yet another speculative execution flaw somewhat similar to Spectre and Meltdown. What all these side channel exploits have in common is they potentially allow an attacker to essentially trick hardware into exposing privileged data by leveraging flaws in Intel's architecture. Spectre and Meltdown sort of opened the floodgates for other similar vulnerabilities to follow, and unfortunately, mitigations for... Read more...
For the most part, Microsoft will not be pushing out a critical patch to Windows 7 users to address a security flaw in Internet Explorer. Microsoft confirmed its plans in a statement, saying the only Windows 7 users who will received the security update are those who are paying for extended support, as businesses are welcome to do. Let's not feign surprise at the decision. Windows 7 enjoyed a nice, long run before it was finally retired last week, a decade and a half after it first released to the public. Microsoft provided plenty of warning leading up to last day of support, including nag screens urging hold outs to upgrade their PCs to Windows 10. The bug in question is a zero-day remote code... Read more...
Microsoft is coming under fire for a breach in customer privacy after it was revealed that the records of 250 million customers were exposed late last year. The data leak was initially reported on by security firm Comparitech, which found the information spread across five Elasticsearch servers. According to Comparitech, all five servers contained identical information from the 250 million customer records. The scope of the data unearthed was vast, covering a time period spanning from 2005 through December 2019. And what's even more unsettling is that this information was publicly indexed, meaning that anyone could access the information. Information that was exposed included customer email addresses,... Read more...
1 2 3 4 5 Next ... Last