Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed. The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US […]

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that’s not how they put it. They say they just want “lawful access” to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new “Draft Council Resolution […]

Hotels.com, Booking.com Expedia provider exposed data from 2013 for millions of guests on open AWS bucket

Website Planet reports that Prestige Software, the company behind hotel reservation platforms for Hotels.com, Booking.com and Expedia, left data exposed for “millions” of guests on an Amazon Web Services S3 bucket. The 10 million-plus log files dated as far back as 2013 and included names, credit card details, ID numbers and reservation details. It’s not […]

UK Company House Demands Company Stop Using Name Which Includes an HTML Closing Tag

A British software engineer came up with “a fun playful name” for his consulting business. He’d named it: “”> Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly […]

Android v 7.1.1 and lower Won’t Support Many Secure Certificates in 2021

One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday. The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, […]

Physical Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of […]

In a first, researchers extract secret key used to encrypt Intel CPU code

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured. The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of […]

NSA: foreign spies used one of our crypto backdoors – we learnt some lessons but we lost them

It’s said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report. On Wednesday, Reuters reporter Joseph Menn published an account […]

‘Classified knots’: Researchers create optical framed knots to encode information

In a world first, researchers from the University of Ottawa in collaboration with Israeli scientists have been able to create optical framed knots in the laboratory that could potentially be applied in modern technologies. Their work opens the door to new methods of distributing secret cryptographic keys—used to encrypt and decrypt data, ensure secure communication […]

Facebook Login Issues Are Locking Oculus Quest 2 Owners Out of Their Devices, turning them into paperweights

Owners of the brand-new Oculus Quest 2—the first VR headset which requires a Facebook account to use—are finding themselves screwed out of their new purchases by Facebook’s account verification system. As first reported by UploadVR this week, some Oculus 2 owners are finding that Facebook’s reportedly AI-powered account verification system is demanding some users upload […]

Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a […]

Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon

Apple’s T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in conjunction with […]

Listening in on your XR11 remote from 20m away

Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room. Prior to its remediation by Comcast, the attack, dubbed WarezTheRemote, was a very real security threat: with more than 18 million units deployed […]

Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are

Smart Bluetooth male chastity lock, designed for user to give remote control to a trusted 3rd party using mobile app/API. Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves. Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas. Precise user […]

Grindr security flaw let anyone take over any accounts easily

Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address. Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. […]

Google App Engine feature abused to create unlimited phishing pages

A newly discovered technique by a researcher shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google’s servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing […]

Twitter warns of possible API keys leak through browser caching

Twitter is notifying developers today about a possible security incident that may have impacted their accounts. The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers. The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their […]

Some managed Netgear switches suddenly need a cloud account to use its full UI. Also may not update security. Time to change vendor.

Netgear has decided that users of some of its managed network switches don’t need access to the equipment’s full user interface – unless they register their details with Netgear first. For instance, owners of its 64W Power-over-Ethernet eight-port managed gigabit switch GC108P, and its 126W variant GC108PP, need to hand over information about themselves to […]

Microsoft Sysmon now logs data copied to the Windows Clipboard

Microsoft has released Sysmon 12, and it comes with a useful feature that logs and captures any data added to the Windows Clipboard. This feature can help system administrators and incident responders track the activities of malicious actors who compromised a system. Those not familiar with Sysmon, otherwise known as System Monitor, it is a […]

Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Last month, Microsoft patched a very interesting vulnerability that would allow an attacker with a foothold on your internal network to essentially become Domain Admin with one click. All that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint. Secura’s security expert Tom Tervoort previously discovered a […]

Private data gone public: Razer leaks 100,000+ gamers’ personal info

In August, security researcher Volodymyr Diachenko discovered a misconfigured Elasticsearch cluster, owned by gaming hardware vendor Razer, exposing customers’ PII (Personal Identifiable Information). The cluster contained records of customer orders and included information such as item purchased, customer email, customer (physical) address, phone number, and so forth—basically, everything you’d expect to see from a credit […]

Shenzhen Zhenhua Data Leak – high profile international contacts database kept by Chinese leaked

The database built by Shenzhen Zhenhua from a variety of sources is technically complex using very advanced language, targeting, and classification tools. Shenzhen Zhenhua claims to work with, and our research supports, Chinese intelligence, military, and security agencies use the open information environment we in open liberal democracies take for granted to target individuals and […]

Three middle-aged Dutch hackers slipped into Donald Trump’s Twitter account days before 2016 US election

Three “grumpy old hackers” in the Netherlands managed to access Donald Trump’s Twitter account in 2016 by extracting his password from the 2012 LinkedIn hack. The pseudonymous, middle-aged chaps, named only as Edwin, Mattijs and Victor, told reporters they had lifted Trump’s particulars from a database that was being passed about hackers, and tried it […]

BlindSide: Watch speculative memory probing bypass kernel defenses, give malware root control

Boffins in America, the Netherlands, and Switzerland have devised a Spectre-style attack on modern processors that can defeat defenses that are supposed to stop malicious software from hijacking a computer’s operating system. The end result is exploit code able to bypass a crucial protection mechanism and take over a device to hand over root access. […]

Hacked Windows 10 Themes Can Swipe Your Microsoft Login

Windows 10 users can customize their desktops with unique themes, and are able to create and share those themes with others. Hackers can also use them to steal your credentials. A flaw in Windows 10’s theme-creation feature lets hackers modify custom themes that, once installed, trick users into passing over their Microsoft account name and […]