Items tagged with security

The contentious relationship between the United States government and Huawei, the second largest smartphone maker in the world behind Apple, is not easing up. Just the opposite, US government officials reportedly claim to have evidence that Huawei is able to spy on users through "backdoors" installed on its mobile devices. In tech parlance, a backdoor is a method of bypassing authentication and encryption schemes. It has been a bit of a hot topic, with the U.S. government urging Apple on numerous occasions to build backdoors into iOS to make it easier for law enforcement to crack iPhone devices that are linked to criminal suspects. Apple has so far resisted, saying that such a backdoor would... Read more...
Android users need to apply the latest round of security updates to their devices as one of them is meant to address a critical vulnerability in the Bluetooth subsystem. The flaw is known as CVE-2020-0022, and when exploited, it could allow arbitrary code to be run on the device with the elevated privileges of the Bluetooth daemon when the wireless module is active. A security update released on Monday addressed this flaw. CVE-2020-0022 was discovered and reported by the Technische Universität Darmstadt, Secure Mobile Networking Lab, and is considered critical on Android Oreo 8.0 and 8.1 as well as Android Pie 9.0. Attackers could leverage CVE-2020-0022 to spread malware from one vulnerable... Read more...
Hackers need physical access to a computer or need to trick a user into installing malware to steal data from an air-gapped PC (one that is not physically connected to a network). Air-gapped computers can have malware installed to steal data, but getting the data out is harder. That may not be the case with new research shared by The Hacker News that claims hackers can exfiltrate sensitive data from a PC by changing the brightness of the screen. This hack allegedly works on air-gapped computers. The hack is said to play an important role in stealing sensitive data from an infected, but an air-gapped computer. Details of the process come from Mordechai Guri, head of cybersecurity research center... Read more...
Well, this is disturbing. Russian security researcher Vladislav Yarmak is warning of a backdoor that exists in firmware for digital video recorder (DVR) and network video recorder (NVR) powered by HiSilicon system-on-chip (SoC) hardware. This is a zero-day vulnerability that could allow an attacker to gain root access to a compromised device, thereby giving them full control of the gadget. Yarmak says he discovered the vulnerability in firmware made by Hangzhou Xiongmai Technology, a Chinese firm based in Hangzhou. This is an unsettling trend with Xiongmai—back in late 2018, it was reported that over 9 million cameras and DVRs built by Xiongmail (and rebranded by several other companies)... Read more...
Security researchers are warning of an exploit in the ZigBee low-power wireless power protocol that could allow an attacker to infiltrate a home network through smart lighting. The researches focused primarily on Philips Hue smart bulbs because of their market popularity in the smart lighting segment, though the ZigBee protocol is actually used on a wide range of Internet of Things (IoT) devices. "Continuing from where the previous research left off, Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities," Check Point stated... Read more...
Another day, another data privacy flub, and this time it's from Google. Google Takeout is a service that allows users to download their data from Google apps as a backup or to use it with another service. That sounds good on the surface until, somehow, Google managed to send backed up videos to unrelated users. Google began warning users of impacted accounts this week. Google is calling sending videos to the wrong person a "technical issue," and the letter sent to users notes that between November 21-25, 2019, anyone who requested a backup could have had videos in Google Photos "incorrectly exported to unrelated users' archives." A letter sent out to some users didn't specify how many videos... Read more...
Earlier this week, we reported that Avast was under fire for its data privacy policies (or lack thereof) for its free antivirus software. Through its subsidiary Jumpshot, Avast sold vast amounts of user data to big name customers like Google and Microsoft (among others). Although Avast claimed that the data that it obtained and transmitted to these companies via Jumpshot was "fully de-identified and aggregated", it was rather easy to piece the data together including a user's device ID, time stamps, and other pertinent details to track a person across the web. "Maybe the (Jumpshot) data itself is not identifying people," said privacy researcher Gunes Acar earlier this week in reference... Read more...
LabCorp is one of the largest medical laboratory companies in the country. Chances are high that anyone who has had lab tests run at the doctor's office or hospital has used LabCorp at some point. The company had a major security flaw with its website that exposed confidential medical documents, including lab test results. The breach is reportedly the result of a vulnerability on the LabCorp website that has to do with its internal customer relationship management system. The system was apparently misconfigured, and the website component designed to pull patient files from the back-end was left exposed. The system appeared to be protected with a password. The unprotected web address for the back-end... Read more...
Researchers have dubbed a newly discovered vulnerability affecting Intel CPUs as CacheOut (how bout dah?), noting it can "violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves." As you might have guessed, this is yet another speculative execution flaw somewhat similar to Spectre and Meltdown. What all these side channel exploits have in common is they potentially allow an attacker to essentially trick hardware into exposing privileged data by leveraging flaws in Intel's architecture. Spectre and Meltdown sort of opened the floodgates for other similar vulnerabilities to follow, and unfortunately, mitigations for... Read more...
For the most part, Microsoft will not be pushing out a critical patch to Windows 7 users to address a security flaw in Internet Explorer. Microsoft confirmed its plans in a statement, saying the only Windows 7 users who will received the security update are those who are paying for extended support, as businesses are welcome to do. Let's not feign surprise at the decision. Windows 7 enjoyed a nice, long run before it was finally retired last week, a decade and a half after it first released to the public. Microsoft provided plenty of warning leading up to last day of support, including nag screens urging hold outs to upgrade their PCs to Windows 10. The bug in question is a zero-day remote code... Read more...
Microsoft is coming under fire for a breach in customer privacy after it was revealed that the records of 250 million customers were exposed late last year. The data leak was initially reported on by security firm Comparitech, which found the information spread across five Elasticsearch servers. According to Comparitech, all five servers contained identical information from the 250 million customer records. The scope of the data unearthed was vast, covering a time period spanning from 2005 through December 2019. And what's even more unsettling is that this information was publicly indexed, meaning that anyone could access the information. Information that was exposed included customer email addresses,... Read more...
President Donald Trump has butted heads with the US Federal Bureau of Investigation (FBI) in the past, but when it comes to  use of encryption on iPhone handsets, he is squarely in the FBI's corner. Both he and the FBI want Apple to build a backdoor into iOS that would allow law enforcement officials to access locked iPhone devices, a notion he reiterated in a recent interview. Apple has so far resisted appeasing the FBI in such a manner, due to concerns that such a backdoor would compromise the security of every iPhone and iPad owner on the planet. In lieu of relenting on its stance, Apple helps law enforcement in other ways during criminal investigations where iPhones come into play, such... Read more...
Microsoft has issued a security bulletin warning Internet Explorer users of a zero day vulnerability that is actively being exploited in the wild, and unfortunately there is no patch available at this time. Microsoft is working on a fix, though the company hinted it may not arrive until the next Patch Tuesday roll out, which is still three weeks away (February 11, 2020). It's been a bit of a tough week for Microsoft, in terms of major vulnerabilities rearing their ugly heads. As part of last week's Patch Tuesday roll out, Microsoft issued a fix for a major Windows cryptographic security flaw discovered by the US National Security Agency (NSA). Incidentally, it was the first time the NSA reported... Read more...
It is estimated that there are over 50,000 WordPress plugins and more than 1.25 billion total plugin downloads. However, not all plugins are created equal. Security researchers recently discovered plugin vulnerabilities that could affect over 400,000 WordPress-based sites. These vulnerabilities were found in the InfiniteWP, WP Time Capsule, and WP Database Reset plugins. The vulnerabilities were fortunately not discovered by attackers. At least 300,000 InfiniteWP Client plugin users could have been affected by one particularly aggravating vulnerability. The plugin is used by administrators who need to oversee several websites. Attackers simply needed to know the username of a site administrator... Read more...
Prev 1 2 3 4 5 Next ... Last