Items tagged with security

LabCorp is one of the largest medical laboratory companies in the country. Chances are high that anyone who has had lab tests run at the doctor's office or hospital has used LabCorp at some point. The company had a major security flaw with its website that exposed confidential medical documents, including lab test results. The breach is reportedly the result of a vulnerability on the LabCorp website that has to do with its internal customer relationship management system. The system was apparently misconfigured, and the website component designed to pull patient files from the back-end was left exposed. The system appeared to be protected with a password. The unprotected web address for the back-end... Read more...
Researchers have dubbed a newly discovered vulnerability affecting Intel CPUs as CacheOut (how bout dah?), noting it can "violate nearly every hardware-based security domain, leaking data from the OS kernel, co-resident virtual machines, and even SGX enclaves." As you might have guessed, this is yet another speculative execution flaw somewhat similar to Spectre and Meltdown. What all these side channel exploits have in common is they potentially allow an attacker to essentially trick hardware into exposing privileged data by leveraging flaws in Intel's architecture. Spectre and Meltdown sort of opened the floodgates for other similar vulnerabilities to follow, and unfortunately, mitigations for... Read more...
For the most part, Microsoft will not be pushing out a critical patch to Windows 7 users to address a security flaw in Internet Explorer. Microsoft confirmed its plans in a statement, saying the only Windows 7 users who will receive the security update are those who are paying for extended support, as businesses are welcome to do. Let's not feign surprise at the decision. Windows 7 enjoyed a nice, long run before it was finally retired last week, a decade and a half after it was first released to the public. Microsoft provided plenty of warning leading up to the last day of support, including nag screens urging holdouts to upgrade their PCs to Windows 10. The bug in question is a zero-day remote code... Read more...
Microsoft is coming under fire for a breach in customer privacy after it was revealed that the records of 250 million customers were exposed late last year. The data leak was initially reported on by security firm Comparitech, which found the information spread across five Elasticsearch servers. According to Comparitech, all five servers contained identical information from the 250 million customer records. The scope of the data unearthed was vast, covering a time period spanning from 2005 through December 2019. And what's even more unsettling is that this information was publicly indexed, meaning that anyone could access the information. Information that was exposed included customer email addresses,... Read more...
President Donald Trump has butted heads with the US Federal Bureau of Investigation (FBI) in the past, but when it comes to use of encryption on iPhone handsets, he is squarely in the FBI's corner. Both he and the FBI want Apple to build a backdoor into iOS that would allow law enforcement officials to access locked iPhone devices, a notion he reiterated in a recent interview. Apple has so far resisted appeasing the FBI in such a manner, due to concerns that such a backdoor would compromise the security of every iPhone and iPad owner on the planet. In lieu of relenting on its stance, Apple helps law enforcement in other ways during criminal investigations where iPhones come into play, such... Read more...
Microsoft has issued a security bulletin warning Internet Explorer users of a zero day vulnerability that is actively being exploited in the wild, and unfortunately there is no patch available at this time. Microsoft is working on a fix, though the company hinted it may not arrive until the next Patch Tuesday roll out, which is still three weeks away (February 11, 2020). It's been a bit of a tough week for Microsoft, in terms of major vulnerabilities rearing their ugly heads. As part of last week's Patch Tuesday roll out, Microsoft issued a fix for a major Windows cryptographic security flaw discovered by the US National Security Agency (NSA). Incidentally, it was the first time the NSA reported... Read more...
It is estimated that there are over 50,000 WordPress plugins and more than 1.25 billion total plugin downloads. However, not all plugins are created equal. Security researchers recently discovered plugin vulnerabilities that could affect over 400,000 WordPress-based sites. These vulnerabilities were found in the InfiniteWP, WP Time Capsule, and WP Database Reset plugins. The vulnerabilities were fortunately not discovered by attackers. At least 300,000 InfiniteWP Client plugin users could have been affected by one particularly aggravating vulnerability. The plugin is used by administrators who need to oversee several websites. Attackers simply needed to know the username of a site administrator... Read more...
Here we go again, the United States Federal Bureau of Investigation (FBI) is exerting pressure on Apple to help unlock an older iPhone model as part of a crime investigation, and just like before, there's another layer to the story. On the surface, it might seem reasonable to pressure a device maker to thwart its own creations, in the name of public safety and all that jazz. But that's a bulls**t excuse. I'll tell you why. We saw this play out before. At the tail end of 2015, a pair of terrorists went on a shooting spree in San Bernardino, killing 14 people and wounding 22 others. It was awful. Both terrorists died in a shootout with police, and authorities subsequently recovered an iPhone 5C... Read more...
Field of Dreams taught us, "If you build it, he will come," referring to a deceased baseball legend wandering out of a corn field in Iowa. When it comes to PC security, though, if you discover it ("it" being a vulnerability), the proof of concepts will come, and that is precisely what has happened with a "CurveBall" flaw the National Security Agency (NSA) recently discovered. I wrote about this earlier in the week, noting a report that Microsoft's Patch Tuesday update would plug up a cryptography security hole discovered by the NSA. Part of the reason it was notable (and still is) is because this is the first time the NSA has reported a major bug in Windows to Microsoft (you know, as opposed... Read more...
A government program designed to help low income individuals own a smartphone might be dealing participants more than they bargained for. Or more specifically, security researchers warn that the government-subsidized smartphone provided by Virgin Mobile's Lifeline Assurance Wireless program contains multiple instances of malware. At the heart of the controversy is the Unimax (UMX) U686CL. It is a low-end Android device that is said to cost just $35 to qualifying participants, though at the time of this writing, I can't find the handset at the Assurance Wireless online store. The next closest model is the Unimax U683CL, listed for $39. Researchers at Malwarebytes say they obtained the U686CL to... Read more...
Mozilla is pushing out an incremental update to its Firefox browser to mitigate a critical security vulnerability. If left unpatched, the zero day threat could allow an attacker to gain full control of a PC. Indeed, Mozilla is aware of malicious actors leveraging the flaw in the wild, so if you use Firefox, it is in your best interest to update right away. "Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw," Mozilla stated in a security document. A type confusion attack consists of accessing data in memory that is supposed to be out of bounds. This could lead to a crash, or... Read more...
Ring has faced challenges of late with hackers taking over accounts, among other things. Ring responded earlier this week to questions that five senators had sent to the company in the form of a letter about measures that it is taking to secure its line of video recording devices. The measures the company planned to take weren't good enough for at least one senator. Ring has had several high profile incidents with security, including one where the login credentials of 3,600 Ring Camera owners were leaked. In another incident in December, a hacker took control of a Ring security camera and used it to yell obscenities at an 8-year-old girl in her home. Ring CEO Jamie Siminoff says video of that... Read more...
Through its Project Zero division, Google has tasked itself with motivating technology companies to push out timely patches for zero day vulnerabilities. It does this by giving companies 90 days to patch a security flaw before going public with the details. There are differing opinions on whether this is the right approach, and as we embark on a brand new year, Project Zero is updating its disclosure policy for zero day threats. The big change for 2020 is that Project Zero will wait the full 90 days before disclosing details of a zero day threat, regardless of whether a company has already issued a patch or not. Up to this point, Project Zero's policy was to disclose the threat as soon as... Read more...
It's been a rough couple of months for makers of IP security cameras, as no one seems to be able to keep user data secure. The latest issue that has sprung up involves Xiaomi cameras that are linked to a Google account. An owner has posted to Reddit that his Xiaomi Mijia camera and Nest Hub setup is receiving still images from the homes of random people. Images that the user claims to have found, and has offered photographic evidence of (seen here), include a sleeping man in a room and an infant sleeping in their bed. The Reddit user goes by /r/Dio-V and says that the camera in use is a Xiaomi Mijia 1080p Smart IP Security Camera that is linked to a Google account to use with Google/Nest through... Read more...