A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to Read more about Seven ‘no log’ VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet[…]

Zoom says it has fixed a security issue that would have let hackers manipulate organizations’ custom URLs for the service and send legitimate-seeming meeting invitations. If a victim accepted the invitation and attended the meeting, the phony caller may have been able to inject malware into their device or carry out a phishing attack. Hackers Read more about Zoom fixed a vanity URL issue that could have led to phishing attacks[…]

Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP’s NetWeaver AS JAVA (LM Configuration Wizard) allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization. The bug, CVE-2020-6287, is a lack of proper authentication in NetWeaver. This Read more about So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You’ll want to patch this[…]

In one of the largest law enforcement busts ever, European police and crime agencies hacked an encrypted communications platform used by thousands of criminals and drug traffickers. By infiltrating the platform, Encrochat, police across Europe gained access to a hundred million encrypted messages. In the UK, those messages helped officials arrest 746 suspects, seize £54 Read more about European police hacked encrypted phones used by thousands of criminals[…]

Folks running Bitdefender’s Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug. Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called “seemingly small weaknesses” that could be exploited by a hostile website to take Read more about Three words you do not want to hear regarding a ‘secure browser’ called SafePay… Remote. Code. Execution[…]

Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor. Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the Read more about Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public[…]

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions. Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 Read more about Massive spying on users of Google’s Chrome shows new security weakness[…]

Zoom today said it will make end-to-end (E2E) encryption available to all of its users, regardless of whether they pay for it or not. The videoconferencing overnight-sensation has walked back its initial plan to limit E2E cryptography to schools and paid-for accounts, after facing a storm of criticism for the restriction. It will, from next Read more about Zoom will offer proper end-to-end encryption to free vid-chat accounts – not just paid-up bods – once you verify your phone number…[…]

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download. Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records. Data Read more about 845GB of racy dating app records exposed to entire internet via leaky AWS buckets[…]

UK-based infosec outfit Keepnet Labs left an 867GB database of previously compromised website login details accessible to world+dog earlier this year – then sent lawyers’ letters to bloggers in a bid to erase their reports of its blunder. A contractor left the Keepnet Elasticsearch database unsecured back in March after disabling a firewall, exposing around Read more about Keepnet fires legal threats at bloggers for exposing their 876GB unsecured database with years of leaked credentials, backfires[…]

Japanese car maker Honda has been hit by ransomware that disrupted its production of vehicles and also affected internal communications, according to reports. The ransomware, of an as-yet unidentified strain, appeared to have spread through the multinational firm’s network. A Honda spokesman told the media it appeared to have “hit the company’s internal servers.” Some Read more about Hospital-busting hacker crew may be behind ransomware attack that made Honda halt car factories, say researchers[…]

WhatsApp claims it fixed an issue that was showing users’ phone numbers in Google search results, TechCrunch reports. The change comes after security researcher Athul Jayaram revealed that phone numbers of WhatsApp users who used the Click to Chat feature were being indexed in search. Click to Chat allows users to create a link with Read more about WhatsApp was exposing users’ phone numbers in Google search[…]

IBM’s cloud has gone down hard across the world. We’d love to tell you just how hard the service has hit the dirt, but even the Big Blue status page is intermittently unavailable: IBM Cloud status page … Click to enlarge Your humble hack has an IBM Cloud account, and when attempting to login in Read more about From off-prem to just off: IBM Cloud goes down planet-wide so hard even the status page didn’t work – and outside of US business hours[…]

Used properly, bug bounty platforms connect security researchers with organizations wanting extra scrutiny. In exchange for reporting a security flaw, the researcher receives payment (a bounty) as a thank you for doing the right thing. However, CSO’s investigation shows that the bug bounty platforms have turned bug reporting and disclosure on its head, what multiple Read more about Bug bounty platforms buy researcher silence, violate labor laws, critics say[…]

A report from consumer advocates Which? highlights the shockingly short lifespan of “smart” appliances, with some losing software support after just a few years, despite costing vastly more than “dumb” alternatives. That lifespan varies between manufacturers: Most vendors were vague, with Beko offering “up to 10 years” and LG saying patches would be issued as Read more about Smart fridges are cool, but after a few short years you could be stuck with a big frosty brick in the kitchen[…]

A hapless IT bod found the Have I Been Pwned service (HIBP) answering its own question in a way he really didn’t want – after a breach report including a SQL string KO’d his company’s helpdesk ticket system. A pseudonymous blogger posting under the name Matt published a tortured account of what happened when a Read more about Have I Been Pwned breach report email pwned entire firm’s helldesk ticket system[…]

Adobe technicians scrambled on Wednesday to restore multiple cloud services after a severe outage left customers stranded. Starting around 0600 PDT (1300 UTC) Adobe’s status board began lighting up with red outage notifications. At the time this article was written, 13 major issues were ongoing and five had been resolved. By issues, Adobe means people Read more about Photostopped: Adobe Cloud evaporates in mass outage. Hope none of you are on a deadline, eh? – yay cloud![…]

Samsung will launch a new standalone turnkey security chip to protect mobile devices, the company announced today. The chip, which has the said-once-never-forgotten name “S3FV9RR” – aka the Mobile SE Guardian 4 – is a follow-up to the dedicated security silicon baked into the Galaxy S20 smartphone series launched in February 2020. The new chip Read more about Samsung launches stand alone mobile security chip[…]

Called Spectra, this attack works against “combo chips,” specialized chips that handle multiple types of radio wave-based wireless communications, such as Wi-Fi, Bluetooth, LTE, and others. “Spectra, a new vulnerability class, relies on the fact that transmissions happen in the same spectrum, and wireless chips need to arbitrate the channel access,” the research team said Read more about New Spectra attack breaks the separation between Wi-Fi and Bluetooth[…]

Community platform Nextdoor is courting police across the country, creating concerns among civil rights and privacy advocates who worry about possible conflicts of interest, over-reporting of crime, and the platform’s record of racial profiling, per a Thursday report by CityLab. That effort included an all-expenses-paid meeting in San Francisco with members of Nextdoor’s Public Agencies Read more about Nextdoor Building Relationships With Law Enforcement whilst racially profiling[…]

Dubbed NXNSAttack, the flaw [PDF] can be abused to pull off a classic amplification attack: you send a small amount of specially crafted data to a DNS server, which responds by sending a lot of data to a victim’s server. If you have an army of hacked PCs or devices – a botnet – at Read more about DNS this week stands for Drowning Needed Services: Design flaw in name server system can be exploited to flood machines offline[…]

A technician at ADT remotely accessed hundreds of customers’ CCTV cameras to spy on people in their own homes, the burglar-alarm biz has admitted. At least one of the victims was a teenage girl, and another a young mother, according to court filings. Last month, an ADT customer in Dallas, Texas, spotted and reported an Read more about Rogue ADT tech spied on hundreds of customers in their homes via CCTV – teen girls, young mums repeatedly watched[…]

EasyJet has admitted that a “highly sophisticated cyber-attack” has affected approximately nine million customers. It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit and debit card details “accessed”. The firm has informed the UK’s Information Commissioner’s Office while it investigates the breach. EasyJet first became Read more about EasyJet admits data of nine million hacked[…]