Scotiabank leaked online a trove of its internal source code, as well as some of its private login keys to backend systems, The Register can reveal. Over the past 24 hours, the Canadian financial giant has torn down GitHub repositories, inadvertently left open to the public, that contained this sensitive information, after The Register raised Read more about Scotiabank slammed for ‘muppet-grade security’ after internal source code and credentials spill onto open internet[…]

To the surprise of Windows watchers, the latest Windows 7 “security-only” update includes telemetry. The telemetry in question is Microsoft’s “Compatibility Appraiser,” which checks PCs for problems that could prevent upgrading to Windows 10. As Woody Leonhard points out on Computerworld, this is pretty odd on Microsoft’s part—the telemetry code was previously available and is Read more about Windows 7’s July 2019 Security Patch Includes Telemetry – but you can disable it in task scheduler[…]

vpnMentor’s research team, led by Noam Rotem and Ran Locar, recently exposed a massive criminal operation that has been defrauding Groupon and other major online ticket vendors at least since 2016. As part of a larger web mapping research project, we discovered a cache of 17 million emails on an unsecured database. Our initial research Read more about Report: Massive Fraud Network Uncovered, Targeting Groupon & Online Ticket Vendors[…]

In late 2011, Intel introduced a performance enhancement to its line of server processors that allowed network cards and other peripherals to connect directly to a CPU’s last-level cache, rather than following the standard (and significantly longer) path through the server’s main memory. By avoiding system memory, Intel’s DDIO—short for Data-Direct I/O—increased input/output bandwidth and Read more about Weakness in Intel chips DDIO lets researchers steal encrypted SSH keystrokes through side channel attacks[…]

DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners’ passwords out in the open. Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers. For D-Link gear, two bugs were discovered in the firmware for Read more about D-Link, Comba network gear leave passwords open for potentially whole world to see[…]

GPS trackers are designed to bring you greater peace of mind by helping you to locate your kids, your pets, and even your car. They can help keep the elderly or disabled safe by providing them with a simple SOS button to call for immediate help. Many devices are marketed for these purposes on common Read more about Cheap GPS kiddie trackers have default password 123456 and send all information unencrypted[…]

Some Tesla users who rely on the app to gain entry to their Model 3 were temporarily unable to get into their electric cars on Labor Day. The Next Web reported that a number of people tweeted out their frustrations on Monday when they were “locked out” of their car due to phone app issues. Read more about Tesla Malfunction Locks Out Owners Who Depended on App for Entry, Forces Them to Scramble for ‘Keys’[…]

Facebook is staring down yet another security blunder, this time with an incident involving an exposed server containing hundreds of millions of phone numbers that were previously associated with accounts on its platform. The situation appears to be pinned to a feature no longer enabled on the platform but allowed users to search for someone Read more about Hundreds of Millions of Facebook Users Phone Numbers Exposed[…]

Dutch researchers found it easy to download the names and addresses of people in neighbourhoods they weren’t a part of and to discover who was on holidays when. Source: Buurtapp Nextdoor ‘zo lek als een mandje’ – Emerce

Following an Apple notice that a “limited number” of 15-inch MacBook Pros may have faulty batteries that could potentially create a fire safety risk, multiple airlines have barred transporting Apple laptops in their checked luggage—in some cases, regardless of whether they fall under the recall. Bloomberg reported Wednesday that Qantas Airways and Virgin Australia had Read more about Don’t fly with your Explody MacBook![…]

Not only has a vulnerability been found in Lenovo Solution Centre (LSC), but the laptop maker fiddled with end-of-life dates to make it seem less important – and is now telling the world it EOL’d the vulnerable monitoring software before its final version was released. The LSC privilege-escalation vuln (CVE-2019-6177) was found by Pen Test Read more about Lenovo Solution Centre can turn users into Admins – Lenovo changes end of life for LSC until before the last release in response.[…]

London-dwelling Alfie Fresta wanted a National Rail travelcard discount added to his London Oyster card so the discount would work automatically with his pay-as-you-go smartcard. He was startled when London Overground staff at New Cross Gate station handed him a paper form with a box on it asking for his online Oyster account password. “I Read more about London Transport asked people to write down their Oyster passwords – but don’t worry[…]

IT admins could go a long way towards protecting their users from malware and other dodgy stuff on the internet if they ban access to any web domain less than a month old. This advice comes from Unit 42, the security branch of networking house Palo Alto Networks. To be exact, the recommendation is that Read more about Here’s a top tip: Don’t trust the new guy – block web domains less than a month old. They are bound to be dodgy[…]

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s Read more about Moscow’s blockchain voting system cracked a month before election, will be fixed due to responsible disclosure, open source and bug bounties[…]

The way Kravets tells is (Valve did not respond to a request for comment), the whole saga started earlier this month when he went to report a separate elevation of privilege flaw in Steam Client, the software gamers use to purchase and run games from the games service. Valve declined to recognize and pay out Read more about Bug-hunter finds local privilege escalation in Steam. Valve refuses to acknowledge and so he’s dropped it on the internet.[…]

Led by internet privacy researchers Noam Rotem and Ran Locar, vpnMentor’s team recently discovered a huge data breach in security platform BioStar 2.   BioStar 2 is a web-based biometric security smart lock platform. A centralized application, it allows admins to control access to secure areas of facilities, manage user permissions, integrate with 3rd party security Read more about Cut off your fingers: Data Breach in Biometric Security Platform Affecting Millions of Users over thousands of countries – yes unencrypted and yes, editable[…]

Researchers on Wednesday during Black Hat USA 2019 demonstrated an attack that allowed them to bypass a victim’s FaceID and log into their phone simply by putting a pair of modified glasses on their face. By merely placing tape carefully over the lenses of a pair glasses and placing them on the victim’s face the researchers Read more about Researchers Bypass Apple FaceID Using glasses to fool liveness detection[…]

The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you’d expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed. The CNCF engaged two security firms, Trail of Read more about A reminder why Open Source is so important: Someone audited Kubernetes[…]

Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate. Following the discovery, UpGuard researchers reached out to the Read more about Democratic Senate campaign group exposed 6.2 million Americans’ emails[…]

Twee T-shirts ‘n’ merch purveyor CafePress had 23 million user records swiped – reportedly back in February – and this morning triggered a mass password reset, calling it a change in internal policy. Details of the security breach emerged when infosec researcher Troy Hunt’s Have I Been Pwned service – which lists websites known to Read more about We’ve, um, changed our password policy, says CafePress amid reports of 23m pwned accounts[…]

Last week, online sneaker-trading platform StockX asked its users to reset their passwords due to “recently completed system updates on the StockX platform.” In actuality, the company suffered a large data breach back in May, and only finally came clean about it when pressed by reporters who had access to some of the leaked data. Read more about You Can’t Trust Companies to Tell the Truth About Data Breaches[…]

Trendy online-only Brit bank Monzo is telling hundreds of thousands of its customers to pick a new PIN – after it discovered it was storing their codes as plain-text in log files. As a result, 480,000 folks, a fifth of the bank’s customers, now have to go to a cash machine, and reset their PINs. Read more about Monzo online bank stored bank card codes in log files as plain text[…]

It is possible to thoroughly hijack a nearby vulnerable Qualcomm-based Android phone, tablet, or similar gadget, via Wi-Fi, we learned on Monday. This likely affects millions of Android devices. Specifically, the following two security holes, dubbed Qualpwn and found by Tencent’s Blade Team, can be leveraged one after the other to potentially take over a Read more about It’s 2019 – and you can completely pwn a Qualcomm-powered Android over the air[…]

A spreadsheet containing the contact information and personal addresses of over 2,000 games journalists, editors, and other content creators was recently found to have been published and publicly accessible on the website of the E3 Expo. The Entertainment Software Association, the organization that runs E3, has since removed the link to the file, as well Read more about E3 Expo Leaks The Personal Information Of Over 2,000 Journalists[…]