Amazon Ring Neighbors App Left User Data Exposed, incl addresses, lat + long

Ring, the Amazon-owned friend to nosy police departments everywhere, has suffered another embarrassing security stumble. The surveillance company’s Neighbors app—which was launched in 2018 as a kind of “neighborhood watch” feature—apparently left users’ exact geographical data and home address information exposed to the internet. Neighbors is Ring’s online forum where users can share public safety […]

Zyxel products have a hardcoded root user you can access from internet

TL;DR: If you have a Zyxel USG, ATP, VPN, ZyWALL or USG FLEX you should update to the latest firmware version today. You can find the full list of affected devices here and the Zyxel advisory here. Zyxel is a popular brand for firewalls that are marketed towards small and medium businesses. Their Unified Security […]

Spotify resets passwords after a security bug exposed users’ private account information – for 6 months

Spotify said it has reset an undisclosed number of user passwords after blaming a software vulnerability in its systems for exposing private account information to its business partners. In a data breach notification filed with the California attorney general’s office, the music streaming giant said the data exposed “may have included email address, your preferred […]

Data of 243 million Brazilians exposed online via govt website source code

The personal information of more than 243 million Brazilians, both living and deceased, has been exposed online after web developers left the password for a crucial government database inside the source code of an official Brazilian Ministry of Health website for at least six months. The security snafu was discovered by reporters from the Brazilian newspaper Estadao, […]
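The failure above is a credential shipped inside source that anyone can read. The check a practitioner wants is a scan of the source tree before it is deployed or committed. The block below is an added example, not code from Estadao, the ministry or the site in question; the sample source text is constructed to imitate a front-end bundle carrying a database URL, and the rule set is a deliberately small starting point.

```python
"""Added example: a minimal credential scanner for web source.
Not the ministry's or Estadao's code. SAMPLE_SOURCE is constructed."""
import re

SAMPLE_SOURCE = """\
const API_BASE = "https://example.invalid/api";
const DB_URL = "postgres://reporter:Sup3rS3cret@db.example.invalid:5432/registry";
var apiKey = 'AKIAIOSFODNN7EXAMPLE';
let senha = process.env.DB_PASSWORD;   // read at runtime: not a finding
// senha = "trocar123"  <- commented out, still a leaked credential
"""

# Rule name -> pattern with a named 'secret' group. 'senha' is Portuguese for
# password; extend the keyword list with whatever your code base uses.
RULES = {
    "url_with_credentials": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^\s:/@'\"]+:(?P<secret>[^\s@'\"]+)@", re.I),
    "password_literal": re.compile(
        r"(?i)\b(?:pass(?:word|wd)?|secret|senha)\b\s*[:=]\s*[\"'](?P<secret>[^\"']{4,})[\"']"),
    "aws_access_key_id": re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
}


def redact(s: str) -> str:
    """Keep enough to locate the secret in the file, never the whole value."""
    return s[:4] + ("…" if len(s) > 4 else "")


def scan_source(text: str) -> list:
    """Return [{'line', 'rule', 'preview'}] for every rule hit, in file order.
    Comments are scanned too: a commented-out password is still a password."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                findings.append({"line": lineno, "rule": rule,
                                 "preview": redact(m.group("secret"))})
    return findings


if __name__ == "__main__":
    for hit in scan_source(SAMPLE_SOURCE):
        print(f"line {hit['line']}: {hit['rule']} ({hit['preview']})")
```

Run it as a pre-commit hook or in CI over every file that ends up in a deployable bundle; the runtime lookup on line 4 of the sample is the pattern that passes, the literal on line 5 is the one that does not, even though it is commented out.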

Bumble Left Daters’ Location Data Up For Grabs For Over Six Months

Bumble, the dating app behemoth that’s allegedly headed to a major IPO as soon as next year, apparently took over half a year to deal with major security flaws that left the sensitive information of its millions of users exposed. That’s according to new research posted over the weekend by cybersecurity firm Independent Security Evaluators (ISE) detailing […]

Microsoft: Russian, North Korean Hackers Attacked Covid-19 Labs

Microsoft researchers have found evidence that Russian and North Korean hackers have systematically attacked covid-19 labs and vaccine makers in an effort to steal data and initiate ransomware attacks. “Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials, clinical research organization involved in trials, and one […]

Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can’t be SIM swapped

In a blog post, Alex Weinert, director of identity security at Microsoft, says people should definitely use MFA. He claims that accounts using any type of MFA get compromised at a rate that’s less than 0.1 per cent of the general population. At the same time, he argues people should avoid relying on SMS messages […]

Swiss spies knew about Crypto AG compromise – and kept it from govt overseers for nearly 30 years

Swiss politicians only found out last year that cipher machine company Crypto AG was (quite literally) owned by the US and Germany during the Cold War, a striking report from its parliament has revealed. The company, which supplied high-grade encryption machines to governments and corporations around the world, was in fact owned by the US […]

EU Takes Another Small Step Towards Trying To Ban Encryption; New Paper Argues Tech Can Backdoor Encryption Safely. It can’t.

In September, we noted that officials in the EU were continuing an effort to try to ban end-to-end encryption. Of course, that’s not how they put it. They say they just want “lawful access” to encrypted content, not recognizing that any such backdoor effectively obliterates the protections of end-to-end encryption. A new “Draft Council Resolution […]

Hotels.com, Booking.com, Expedia provider exposed data from 2013 for millions of guests on open AWS bucket

Website Planet reports that Prestige Software, the company behind hotel reservation platforms for Hotels.com, Booking.com and Expedia, left data exposed for “millions” of guests on an Amazon Web Services S3 bucket. The 10 million-plus log files dated as far back as 2013 and included names, credit card details, ID numbers and reservation details. It’s not […]
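An "open bucket" is a bucket whose policy or ACL grants access to an anonymous principal. The block below is an added example, not Prestige Software's or AWS's code: it evaluates a bucket policy and a bucket ACL offline, using the JSON shapes that `aws s3api get-bucket-policy` and `get-bucket-acl` return, and shows the public-access-block setting that closes both paths. The policy, ACL, account ID and VPC endpoint ID are constructed.

```python
"""Added example (not Prestige Software's or AWS's code): find anonymous
grants in an S3 bucket policy and ACL. Sample documents are constructed."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Any AWS account in the world can be "authenticated", so this is public too.
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _as_list(x):
    """IAM JSON allows a string, an object or a list in the same place."""
    return [x] if isinstance(x, (str, dict)) else list(x or [])


def principal_is_anonymous(principal) -> bool:
    """'*' or {'AWS': '*'} (possibly inside a list) grants to everyone, unauthenticated included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy_json: str) -> list:
    """Allow statements with a wildcard principal. A Condition may scope the
    grant (e.g. to one VPC endpoint) or may not; it is flagged, not excused."""
    policy = json.loads(policy_json)
    out = []
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") == "Allow" and principal_is_anonymous(s.get("Principal")):
            out.append({"Sid": s.get("Sid"), "Action": _as_list(s.get("Action")),
                        "Conditional": "Condition" in s})
    return out


def public_acl_grants(acl_json: str) -> list:
    """Grants to the AllUsers / AuthenticatedUsers groups ('public-read' style ACLs)."""
    acl = json.loads(acl_json)
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


# Setting for `aws s3api put-public-access-block`: blocks both the ACL and the
# policy route to a public bucket, regardless of what is written later.
PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed documents for the checks above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "Owner", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-logs/*"},
    ],
})
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "abc"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "abc"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
})

if __name__ == "__main__":
    print(public_policy_statements(SAMPLE_POLICY))
    print(public_acl_grants(SAMPLE_ACL))
```

Log buckets are a common place for this to go wrong because they are created by tooling, not by hand; a check like this belongs in the pipeline that creates them, with the public-access block applied at account level so that a later policy edit cannot reopen the bucket.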

UK Companies House Demands Company Stop Using Name Which Includes an HTML Closing Tag

A British software engineer came up with “a fun playful name” for his consulting business. He’d named it: “”> Unfortunately, this did not amuse the official registrar of companies in the United Kingdom (known as Companies House). The Guardian reports that the U.K. agency “has forced the company to change its name after it belatedly […]
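A registered name containing a closing quote and tag is a live test of every site that echoes the register into HTML. The block below is an added example, not Companies House's code: it renders a name into an input attribute three ways and uses Python's html.parser to see what a browser would make of each. The hostile name is constructed and stands in for the real company name, which is not reproduced above.

```python
"""Added example (not Companies House's code): output encoding in attribute
context, checked by parsing the result back. HOSTILE_NAME is constructed."""
import html
from html.parser import HTMLParser


def render_unsafe(name: str) -> str:
    """Name interpolated straight into an attribute: a '">' in it closes both."""
    return f'<input type="text" name="company" value="{name}">'


def render_text_escaped(name: str) -> str:
    """Escapes < > & only (quote=False): enough for a text node, not for an attribute."""
    return f'<input type="text" name="company" value="{html.escape(name, quote=False)}">'


def render_safe(name: str) -> str:
    """Attribute context: quotes must be escaped too (html.escape's default)."""
    return f'<input type="text" name="company" value="{html.escape(name, quote=True)}">'


class _Tags(HTMLParser):
    """Collect every start tag with its (entity-decoded) attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def round_trips(name: str, renderer) -> bool:
    """True iff the markup still parses as exactly one <input> whose value is `name`."""
    p = _Tags()
    p.feed(renderer(name))
    p.close()
    return p.tags == [("input", {"type": "text", "name": "company", "value": name})]


HOSTILE_NAME = '"><b>LTD</b>'  # constructed stand-in for a name with a closing tag in it

if __name__ == "__main__":
    for r in (render_unsafe, render_text_escaped, render_safe):
        print(r.__name__, round_trips(HOSTILE_NAME, r), r(HOSTILE_NAME))
```

The middle variant is the instructive failure: with quotes left alone, the leading `"` still terminates the attribute, so an attacker who cannot inject a tag can still inject attributes (an event handler, for instance). Escaping has to match the context the value lands in, which is why a registry name like this one flushes out sloppy consumers.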

Android Versions Older Than 7.1.1 Won’t Support Many Secure Certificates in 2021

One of the world’s top certificate authorities warns that phones running versions of Android prior to 7.1.1 Nougat will be cut off from large portions of the secure web starting in 2021, Android Police reported Saturday. The Mozilla-partnered nonprofit Let’s Encrypt said that its partnership with fellow certificate authority IdenTrust will expire on Sept. 1, […]

Physical Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

In March 2020, KrebsOnSecurity alerted Swedish security giant Gunnebo Group that hackers had broken into its network and sold the access to a criminal group which specializes in deploying ransomware. In August, Gunnebo said it had successfully thwarted a ransomware attack, but this week it emerged that the intruders stole and published online tens of […]

In a first, researchers extract secret key used to encrypt Intel CPU code

Researchers have extracted the secret key that encrypts updates to an assortment of Intel CPUs, a feat that could have wide-ranging consequences for the way the chips are used and, possibly, the way they’re secured. The key makes it possible to decrypt the microcode updates Intel provides to fix security vulnerabilities and other types of […]

NSA: foreign spies used one of our crypto backdoors – we learnt some lessons but we lost them

It’s said the NSA drew up a report on what it learned after a foreign government exploited a weak encryption scheme, championed by the US spying agency, in Juniper firewall software. However, curiously enough, the NSA has been unable to find a copy of that report. On Wednesday, Reuters reporter Joseph Menn published an account […]

‘Classified knots’: Researchers create optical framed knots to encode information

In a world first, researchers from the University of Ottawa in collaboration with Israeli scientists have been able to create optical framed knots in the laboratory that could potentially be applied in modern technologies. Their work opens the door to new methods of distributing secret cryptographic keys—used to encrypt and decrypt data, ensure secure communication […]

Facebook Login Issues Are Locking Oculus Quest 2 Owners Out of Their Devices, turning them into paperweights

Owners of the brand-new Oculus Quest 2—the first VR headset which requires a Facebook account to use—are finding themselves screwed out of their new purchases by Facebook’s account verification system. As first reported by UploadVR this week, some Oculus Quest 2 owners are finding that Facebook’s reportedly AI-powered account verification system is demanding that they upload […]

Backdoorer the Xplora: Kids’ smart-watches can secretly take pics, record audio on command by encrypted texts

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a […]

Apple’s T2 custom secure boot chip is not only insecure, it cannot be fixed without replacing the silicon

Apple’s T2 security chip is insecure and cannot be fixed, a group of security researchers report. Over the past three years, a handful of hackers have delved into the inner workings of the custom silicon, fitted inside recent Macs, and found that they can use an exploit developed for iPhone jailbreaking, checkm8, in conjunction with […]

Listening in on your XR11 remote from 20m away

Guardicore discovered a new attack vector on Comcast’s XR11 voice remote that would have allowed attackers to turn it into a listening device – potentially invading your privacy in your living room. Prior to its remediation by Comcast, the attack, dubbed WarezTheRemote, was a very real security threat: with more than 18 million units deployed […]

Smart male chastity hack could lock all dicks up permanently, require grinder to unlock. Also tells anyone where you are

- Smart Bluetooth male chastity lock, designed for the user to give remote control to a trusted 3rd party using a mobile app/API
- Multiple API flaws meant anyone could remotely lock all devices and prevent users from releasing themselves
- Removal then requires an angle grinder or similar, used in close proximity to delicate and sensitive areas
- Precise user […]

Grindr security flaw let anyone take over any accounts easily

Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address. Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. […]

Google App Engine feature abused to create unlimited phishing pages

A newly discovered technique by a researcher shows how Google’s App Engine domains can be abused to deliver phishing and malware while remaining undetected by leading enterprise security products. Google App Engine is a cloud-based service platform for developing and hosting web apps on Google’s servers. While reports of phishing campaigns leveraging enterprise cloud domains are nothing […]

Twitter warns of possible API keys leak through browser caching

Twitter is notifying developers today about a possible security incident that may have impacted their accounts. The incident was caused by incorrect instructions that the developer.twitter.com website sent to users’ browsers. The developer.twitter.com website is the portal where developers manage their Twitter apps and attached API keys, but also the access token and secret key for their […]
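The "incorrect instructions" in a case like this are caching headers: a page that displays API keys and tokens has to tell the browser not to store the response at all, and the usual half-measures do not achieve that. The block below is an added example, not Twitter's code: it parses a response's Cache-Control header and reports every reason a secret-bearing page could end up in a browser or shared cache (RFC 9111 semantics). The header sets are constructed.

```python
"""Added example (not Twitter's code): can a response that shows secrets be
stored by a browser or intermediary cache? Header sets are constructed."""
from typing import Mapping


def parse_cache_control(value: str) -> dict:
    """'No-Store, max-age=0' -> {'no-store': None, 'max-age': '0'}; names are case-insensitive."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            name, has_arg, arg = token.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') if has_arg else None
    return directives


def audit_secret_response(headers: Mapping[str, str]) -> list:
    """Return the reasons a secret-bearing response could be stored; [] means safe."""
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if "no-store" not in cc:
        findings.append("no 'no-store': the browser may write the body to its disk cache")
        if "no-cache" in cc:
            findings.append("'no-cache' only forces revalidation before reuse; the copy is still stored")
        if "expires" in lower:
            findings.append("Expires set without no-store: a stale copy is still a copy")
    if "public" in cc:
        findings.append("'public' lets shared caches (proxies, CDNs) keep the response")
    for name in ("max-age", "s-maxage"):
        ttl = cc.get(name)
        if ttl and ttl.isdigit() and int(ttl) > 0:
            findings.append(f"{name}={ttl} gives the copy a positive freshness lifetime")
    return findings


# What a developer-portal page that lists API keys should send.
SECRET_PAGE_HEADERS = {"Cache-Control": "no-store"}

# Constructed examples of what such a page must not send.
CACHEABLE = {"Cache-Control": "public, max-age=3600"}
REVALIDATE_ONLY = {"Cache-Control": "no-cache",
                   "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"}

if __name__ == "__main__":
    for label, hdrs in (("good", SECRET_PAGE_HEADERS), ("cacheable", CACHEABLE),
                        ("revalidate-only", REVALIDATE_ONLY)):
        print(label, audit_secret_response(hdrs) or "ok")
```

The `no-cache` case is the one that catches people: it sounds like a prohibition but only requires revalidation before the stored copy is reused, so the key material still sits on disk. Run the audit against every response that renders credentials, not just the portal's landing page.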

Some managed Netgear switches suddenly need a cloud account to use their full UI. Also may not receive security updates. Time to change vendor.

Netgear has decided that users of some of its managed network switches don’t need access to the equipment’s full user interface – unless they register their details with Netgear first. For instance, owners of its 64W Power-over-Ethernet eight-port managed gigabit switch GC108P, and its 126W variant GC108PP, need to hand over information about themselves to […]