Facebook, Mozilla, and Cloudflare announce new TLS Delegated Credentials standard

The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegated Credentials extension was specifically developed for large website setups, such as Facebook, or for websites using content delivery networks (CDNs), such as […]

NordVPN users’ passwords exposed in mass credential-stuffing attacks

As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts. In recent weeks, credentials for NordVPN users have circulated on Pastebin and other online forums. They contain the email addresses, […]

xHelper Android Malware Can Survive a Factory Reset

Though this somewhat-new “xHelper” malware has affected a low number of Android users so far (around 45,000, estimates Symantec), the fact that nobody has any clear advice on how to remove it is worrisome. While the odds are good that you won’t get hit with this malware, given its low installation rate so […]

NHS Pagers Are Leaking Sensitive Medical Data – wait, pagers still exist?

Pagers used within the United Kingdom’s National Health Service are leaking sensitive patient information, and an amateur radio enthusiast has been broadcasting some of that medical data on a webcam livestream, a security researcher has found. TechCrunch reports that Florida-based security researcher Daley Borda stumbled upon the strange confluence of archaic tech that flowed together […]

Government officials around the globe targeted for hacking through WhatsApp – FB fingers Israeli NSO group

WASHINGTON (Reuters) – Senior government officials in multiple U.S.-allied countries were targeted earlier this year with hacking software that used Facebook Inc’s (FB.O) WhatsApp to take over users’ phones, according to people familiar with the messaging company’s investigation. Sources familiar with WhatsApp’s internal investigation into the breach said a “significant” portion of the known victims […]

Open database leaked 179GB in customer, US government, and military records

An open database exposing records containing the sensitive data of hotel customers as well as US military personnel and officials has been disclosed by researchers. On Monday, vpnMentor’s cybersecurity team, led by Noam Rotem and Ran Locar, said the database belonged to Autoclerk, a service owned by Best Western Hotels and Resorts group. Autoclerk is […]

Mercedes-Benz app glitch exposed car owners’ information to other users

Mercedes-Benz car owners have said that the app they used to remotely locate, unlock and start their cars was displaying other people’s account and vehicle information. TechCrunch spoke to two customers who said the Mercedes-Benz connected car app was pulling in information from other accounts and not their own, allowing them to see other car […]

Japanese hotel chain sorry that hackers may have watched guests through bedside robots

Japanese hotel chain HIS Group has apologised for ignoring warnings that its in-room robots were hackable to allow pervs to remotely view video footage from the devices. The Henn na Hotel is staffed by robots: guests can be checked in by humanoid or dinosaur reception bots before proceeding to their room. Facial recognition tech will […]

Your Smart Speaker’s Skills Might Be a Huge Privacy Problem

As with browser add-ons, you’re entirely at the mercy of a developer. And should they use their powers for evil, you could be giving up everything you’re saying to your device to some random person. At least, that’s the scenario presented by Germany’s Security Research Labs (SRLabs), who built a number of dummy Skills (Amazon) […]

The Samsung Galaxy S10’s Fingerprint Lock works for everyone if you put a piece of transparent plastic on the sensor

It was recently discovered that the Samsung Galaxy S10 and S10+ have a major security flaw that makes it easy to bypass their fingerprint locks. On a scale of “one” to “not good,” we are definitely towards the right on this one. To be fair, fingerprint sensors and other biometric security features aren’t ironclad; hackers […]

Germany’s cyber-security agency recommends Firefox as most secure browser

Firefox is the only browser that received top marks in a recent audit carried out by Germany’s cyber-security agency — the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. […]

White-hat hacks Muhstik ransomware gang and releases decryption keys

A user got his revenge on the ransomware gang who encrypted his files by hacking their server and releasing the decryption keys for all other victims. This happened earlier today and involved the Muhstik gang. Muhstik is a recent strain of ransomware that has been active since late September, according to reports [1, 2, 3]. […]

Twitter: No, really, we’re very sorry we sold your security info for a boatload of cash

Twitter says it was just an accident that caused the microblogging giant to let advertisers use private information to better target their marketing materials at users. The social networking giant on Tuesday admitted to an “error” that let advertisers have access to the private information customers had given Twitter in order to place additional security […]

FBI warns about attacks that bypass multi-factor authentication (MFA)

Basically SIM swapping, man-in-the-middle attacks and poor URL protections: the FBI warns about SIM swapping and tools like Muraena and NecroBrowser. “The FBI has observed cyber actors circumventing multi-factor authentication through common social engineering and technical attacks,” the FBI wrote in a Private Industry Notification (PIN) sent out on September 17. Past incidents […]

Attackers exploit 0-day vulnerability that gives full control of Android phones

Attackers are exploiting a zero-day vulnerability in Google’s Android mobile operating system that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night. There’s evidence the vulnerability is being actively exploited, either by exploit developer NSO […]

Facebook, WhatsApp Will Have to Share Messages With U.K. Police, breaking encryption. Don’t they realise this gives criminals access too?

Social media platforms based in the U.S. including Facebook and WhatsApp will be forced to share users’ encrypted messages with British police under a new treaty between the two countries, according to a person familiar with the matter. The accord, which is set to be signed by next month, will compel social media firms to […]

Several months after the fact, and after public reporting, CafePress finally acknowledges huge data theft to its customers

T-shirt flogger CafePress has finally informed its customers about a serious data loss dating back to February and first reported last month. Several CafePress punters told us they had received an email this morning warning them the company had lost customer names, emails, physical addresses, phone numbers and unencrypted passwords. Some customers have also had […]

Critical Vulnerability in Harbor (container security!) Enables Privilege Escalation from Zero to Admin (CVE-2019-16097)

Aviv Sasson, a security researcher from the cloud division of Unit 42, has identified a critical vulnerability in a widespread cloud native registry called Harbor. The vulnerability allows attackers to take over Harbor registries by sending them a malicious request. The maintainers of Harbor released a patch that closes this critical security hole. Versions 1.7.6 […]

When were you at Tesco? Let’s have a look: parking app hauled offline after exposing 10s of millions of Automatic Number Plate Recognition images by Ranger Services and NCP

Tesco has shuttered its parking validation web app after The Register uncovered tens of millions of unsecured ANPR images sitting in a Microsoft Azure blob. The images consisted of photos of cars taken as they entered and left 19 Tesco car parks spread across Britain. Visible and highlighted were the cars’ numberplates, though drivers were […]

Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet

Scotiabank leaked online a trove of its internal source code, as well as some of its private login keys to backend systems, The Register can reveal. Over the past 24 hours, the Canadian financial giant has torn down GitHub repositories, inadvertently left open to the public, that contained this sensitive information, after The Register raised […]

Windows 7’s July 2019 Security Patch Includes Telemetry – but you can disable it in task scheduler

To the surprise of Windows watchers, the latest Windows 7 “security-only” update includes telemetry. The telemetry in question is Microsoft’s “Compatibility Appraiser,” which checks PCs for problems that could prevent upgrading to Windows 10. As Woody Leonhard points out on Computerworld, this is pretty odd on Microsoft’s part—the telemetry code was previously available and is […]

Report: Massive Fraud Network Uncovered, Targeting Groupon & Online Ticket Vendors

vpnMentor’s research team, led by Noam Rotem and Ran Locar, recently exposed a massive criminal operation that has been defrauding Groupon and other major online ticket vendors at least since 2016. As part of a larger web mapping research project, we discovered a cache of 17 million emails on an unsecured database. Our initial research […]

Weakness in Intel chips’ DDIO lets researchers steal encrypted SSH keystrokes through side-channel attacks

In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU’s last-level cache, rather than following the standard (and significantly longer) path through the server’s main memory. By avoiding system memory, Intel’s DDIO—short for Data-Direct I/O—increased input/output bandwidth and […]

D-Link, Comba network gear leave passwords open for potentially whole world to see

DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners’ passwords out in the open. Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers. For D-Link gear, two bugs were discovered in the firmware for […]

Cheap GPS kiddie trackers have default password 123456 and send all information unencrypted

GPS trackers are designed to bring you greater peace of mind by helping you to locate your kids, your pets, and even your car. They can help keep the elderly or disabled safe by providing them with a simple SOS button to call for immediate help. Many devices are marketed for these purposes on common […]