This week, Twitter confirmed a vulnerability in its Android app that could let hackers see your “nonpublic account information” and commandeer your account to send tweets and direct messages. According to a Twitter Privacy Center blog posted Friday, the (recently patched) security issue could allow hackers to gain control of an account and access data Read more about Twitter Warns Millions of Android App Users to Update Immediately[…]

Security researchers say they found evidence that a Chinese government-linked hacking group has been bypassing two-factor authentication (2FA) in a recent wave of attacks. The attacks have been attributed to a group the cyber-security industry is tracking as APT20, believed to operate on the behest of the Beijing government, Dutch cyber-security firm Fox-IT said in Read more about Chinese hacker group caught bypassing 2FA[…]

A database containing more than 267 million Facebook user IDs, phone numbers, and names was left exposed on the web for anyone to access without a password or any other authentication. Comparitech partnered with security researcher Bob Diachenko to uncover the Elasticsearch cluster. Diachenko believes the trove of data is most likely the result of Read more about 267 Million Phone Numbers & Facebook User IDs Exposed Online[…]

The log-in credentials for 3,672 Ring camera owners were compromised this week, exposing log-in emails, passwords, time zones, and the names people give to specific Ring cameras, which are often the same as camera locations, such as “bedroom” or “front door.” Using the log-in email and password, an intruder could access a Ring customer’s home Read more about A Data Leak Exposed The Personal Information Of Over 3,000 Ring Users – Really, just don’t get one of these things![…]

It’s not so much being watched. It’s that I don’t really know if I’m being watched or not. From across the other side of the world, a colleague has just accessed my Ring account, and in turn, a live-feed of a Ring camera in my apartment. He sent a screenshot of me stretching, getting ready Read more about We Tested Ring’s Security. It’s Awful[…]

A preponderance of weak keys is leaving IoT devices at risk of being hacked, and the problem won’t be an easy one to solve. This was the conclusion reached by the team at security house Keyfactor, which analyzed a collection of 75 million RSA certificates gathered from the open internet and determined that number combinations Read more about IoT gear is generating easy-to-crack keys because they repeat the key once every 172 times[…]

Academics from three universities across Europe have disclosed today a new attack that impacts the integrity of data stored inside Intel SGX, a highly-secured area of Intel CPUs. The attack, which researchers have named Plundervolt, exploits the interface through which an operating system can control an Intel processor’s voltage and frequency — the same interface Read more about New Plundervolt attack impacts Intel CPUs SGX[…]

De persoonsgegevens van mogelijk 29.000 klanten van energiebedrijven Budget Energie en NLE liggen op straat. Naast namen en adressen is er kans dat er ook telefoonnummers en bankrekeningnummers zijn gelekt. De data is niet per ongeluk gelekt, het gaat volgens het bedrijf om een moedwillige diefstal. Moederbedrijf Nuts Groep heeft klanten van Budget Energie en NLE Read more about Budget Energy and NLE leak 29000 customer records – names, adresses, possibly phone numbers and bank accounts[…]

A vulnerability in millions of fully patched Android phones is being actively exploited by malware that’s designed to drain the bank accounts of infected users, researchers said on Monday. The vulnerability allows malicious apps to masquerade as legitimate apps that targets have already installed and come to trust, researchers from security firm Promon reported in Read more about Vulnerability in fully patched Android phones under active attack by bank thieves – watch out for permissions being asked from apps you have installed[…]

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a breached database belonging to the American communications company, TrueDialog. TrueDialog provides SMS texting solutions to companies in the USA and the database in question was linked to many aspects of their business. This was a huge discovery, with a massive amount of private Read more about TrueDialog leaks tens of millions of US SMS messages and user data[…]

A standard used by phone carriers around the world can leave users open to all sorts of attacks, like text message and call interception, spoofed phone numbers, and leaking their coarse location, new research reveals. The Rich Communication Services (RCS) standard is essentially the replacement for SMS. The news shows how even as carriers move Read more about SMS Replacement is Exposing Users to Text, Call Interception Thanks to Sloppy Telecos[…]

The ransom note that NextCry victims receive reads ““READ_FOR_DECRYPT”, and demands 0.025 BTC for a victim’s files to be unlocked. One NextCloud user, xact64, shared his experience with the malware on a Bleeping Computer forum in an effort to find a way to decrypt personal files which had been instantaneously locked in a NextCry attack: Read more about NextCry Ransomware Targets NextCloud Linux Servers and Remains Undetected Features[…]

In October, dark web researcher Vinny Troia found one such trove sitting exposed and easily accessible on an unsecured server, comprising 4 terabytes of personal information—about 1.2 billion records in all. While the collection is impressive for its sheer volume, the data doesn’t include sensitive information like passwords, credit card numbers, or Social Security numbers. Read more about 1.2 Billion Records Found Exposed Online in a Single Server, contain social media profiles[…]

Some users noticed the hash of the binaries they downloaded did not match the expected one: https://github.com/monero-project/monero/issues/6151 It appears the box has been indeed compromised and different CLI binaries served for 35 minutes. Downloads are now served from a safe fallback source. Always check the integrity of the binaries you download! If you downloaded binaries Read more about Monero Wallet downloads compromised for 35 minutes[…]

According to an investigation by Checkmarx security researchers, some Android devices may have an unpatched security flaw that an app could use to record you without your knowledge using your device’s camera and mic. No attacks that exploit the bug have been reported so far, thankfully. Still, the Checkmarx researchers were able to successfully create Read more about Android Users: Check Now to See If a Rogue App Can Control Your Phone’s Camera[…]

A notice (PDF) posted by the long-operating department store chain said that, between October 7 and October 15 of this year, a Magecart script was running on the checkout page of its retail website. The script was able to capture payment card details in two different ways: as it was being entered through the checkout Read more about Shopped online at Macy’s last month? Might want to toss, or at least check, that card[…]

Security company Onapsis estimates that roughly half of all companies using the Oracle EBS software have not yet patched CVE-2019-2648 and CVE-2019-2633, despite Big Red having pushed out fixes for both bugs back in April. The two vulnerabilities are found in the Thin Client Framework API and are described as reflected SQL injections. An attacker Read more about Half of Oracle E-Business customers open to months-old bank fraud flaw[…]

Indian officials acknowledged on October 30th that a cyberattack occurred at the country’s Kudankulam nuclear power plant. An Indian private cybersecurity researcher had tweeted about the breach three days earlier, prompting Indian authorities to initially deny that it had occurred before admitting that the intrusion had been discovered in early September and that efforts were Read more about Lessons from the cyberattack on India’s largest nuclear power plant – Bulletin of the Atomic Scientists[…]

Trusted Platform Module (TPM) serves as a root of trust for the operating system. TPM is supposed to protect our security keys from malicious adversaries like malware and rootkits. Most laptop and desktop computers nowadays come with a dedicated TPM chip, or they use the Intel firmware-based TPM (fTPM) which runs on a separate microprocessor Read more about Intels’ Trusted Platform Module can’t be trusted. TPM-FAIL[…]

IT guru Bob Gendler took to Medium last week to share a startling discovery about Apple Mail. If you have the application configured to send and receive encrypted email—messages that should be unreadable for anyone without the right decryption keys—Apple’s digital assistant goes ahead and stores your emails in plain text on your Mac’s drive. Read more about Your Apple Mac Makes Plain-Text Copies of Your Encrypted Emails. Here’s how to stop it.[…]

Ubiquiti Networks is fending off customer complaints after emitting a firmware update that caused its UniFi wireless routers to quietly phone HQ with telemetry. It all kicked off when the US-based manufacturer confirmed that a software update released this month programmed the devices to establish secure connections back to Ubiquiti servers and report information on Read more about Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?[…]

Security researchers have discovered a vulnerability in Ring doorbells that exposed the passwords for the Wi-Fi networks to which they were connected. Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network Read more about Amazon Ring doorbells exposed home Wi-Fi passwords over cleartext[…]

A number of popular “camgirl” sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected. The sites, run by Barcelona-based VTS Media, include amateur.tv, webcampornoxxx.net, and placercams.com. Most of the sites’ users are based in Spain and Europe, but we found evidence of users across Read more about A network of ‘camgirl’ sites exposed millions of users and sex workers data[…]

Light Commands is a vulnerability of MEMS microphones that allows attackers to remotely inject inaudible and invisible commands into voice assistants, such as Google assistant, Amazon Alexa, Facebook Portal, and Apple Siri using light. In our paper we demonstrate this effect, successfully using light to inject malicious commands into several voice controlled devices such as Read more about Use a laser to command voice assistants such as lexa, google assistant, siri[…]

Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even Read more about Android bug lets hackers plant malware via NFC beaming[…]