Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability. Designated CVE-2019-0211, the flaw allows a “worker” process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the Read more about A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole[…]

Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to Read more about Hackers Hijacked ASUS Software Updates to Install Backdoors on half a million Computers[…]

The Federal Emergency Management Agency may have put the personally identifying information of millions of disaster survivors at risk of fraud and identity theft, according to a recent report from the Department of Homeland Security’s Office of Inspector General. The March 15 report said that during an audit of FEMA’s Transitional Sheltering Assistance program, it Read more about FEMA Breach Exposes Personal Data and Banking Information of 2.3 Million Disaster Survivors[…]

An undisclosed number of Nokia 7 Plus smartphones have been caught sending their identification numbers to a domain owned by a Chinese telecom firm. The handsets spaffed the data in clear text over the internet to a server behind the domain vnet.cn, which appears to be owned by China Telecom. The HTTP POST requests from Read more about Nokia phones caught spewing device IDs to China, software blunder blamed[…]

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing a Read more about Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years and were searched by FB engineers[…]

Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine. The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found Read more about Smart alarms left 3 million cars vulnerable to hackers who could turn off motors, unlock doors remotely[…]

Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all. Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration Read more about Freelance devs: Oh, you wanted the app to be secure? The job spec didn’t mention that[…]

Eggheads at the University of Michigan in the US, and Zhejiang University in China, have found that hard disk drives (HDDs) can be turned into listening devices, using malicious firmware and signal processing calculations. For a study titled “Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone,” computer scientists Andrew Kwong, Wenyuan Xu, Read more about From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic, if you shout![…]

Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to steal secrets and other data from running applications. This security shortcoming can be potentially exploited by malicious JavaScript within a web browser tab, or malware running on a system, or rogue logged-in Read more about SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability[…]

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. First announced by the W3C and the FIDO Alliance in November 2015, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, Read more about W3C approves WebAuthn as the web standard for password-free logins using FIDO2[…]

Co-authored by three computer science boffins from the University of Colorado, Boulder in the US – Jack Wampler, Ian Martiny, and Eric Wustrow – the paper, “ExSpectre: Hiding Malware in Speculative Execution,” describes a way to compile malicious code into a seemingly innocuous payload binary, so it can be executed through speculative execution without detection. Read more about Ready for another fright? Spectre flaws in today’s computer chips can be exploited to hide, run stealthy malware[…]

Plaintext transmission of audio/video footage to the Ring application allows for arbitrary surveillance and injection of counterfeit traffic, effectively compromising home security (CVE-2019-9483). […] We moved over to sniffing the application. Here we see a more sensible SIP/TLS approach, with pretty much all notifications, updates and information being passed via HTTPS. However, the actual RTP Read more about Amazon Ring Doorbell allows people to eavesdrop with video and even insert footage[…]

In September of 2018, an anonymous independent security researcher (who we’ll call X) noticed that their power company’s website was offering to email—not reset!—lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes Read more about Plain wrong: Millions of utility customers’ passwords stored in plain text by website builder SEDC[…]

A bad security decision by Comcast on the company’s mobile phone service made it easier for attackers to port victims’ cell phone numbers to different carriers. Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took Read more about Comcast set mobile pins to “0000,” helping attackers steal phone numbers[…]

Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing Read more about Experts Find Serious Problems With Switzerland’s Online Voting System[…]

In a Twitter post on Wednesday, those behind the software project said a hand-tuned build of the version 6.0.0 HashCat beta, utilizing eight Nvidia GTX 2080Ti GPUs in an offline attack, exceeded the NTLM cracking speed benchmark of 100GH/s (gigahashes per second). “Current password cracking benchmarks show that the minimum eight character password, no matter Read more about Use an 8-char Windows NTLM password? Don’t. Every single one can be cracked in under 2.5hrs[…]

Network attached storage maker QNAP’s customers have reported being hit by a mystery issue that disables software updates by hijacking entries in host machines’ hosts file. The full effects are, as yet, unknown – but users have reported that the most visible symptom is that some 700 entries are added to the /etc/hosts file that Read more about QNAP NAS user? You’d better check your hosts file for mystery anti-antivirus entries[…]

Your Android could be pwned by simply viewing an innocent-looking image – be it from browsing the internet or an image received via text – according to the Android Security Bulletin issued this month. While this certainly doesn’t apply to all images, Google discovered that a maliciously crafted PNG image could be used to hijack Read more about Android phones can be hacked remotely by viewing malicious PNG image[…]

A Dutch security researcher has stumbled upon the Kremlin’s backdoor account that the government had been using to access the servers of local and foreign businesses operating in Russia. The backdoor account was found inside thousands of MongoDB databases that had been left exposed online without a password. Any hacker who noticed the account could Read more about Unsecured MongoDB databases expose Kremlin’s single username / password backdoor into Russian businesses[…]

The latest weekly report includes German firm Enox’s Safe-KID-One watch, which is marketed to parents as a way of keeping tabs on their little ones – ostensibly to keep them safe – and comes with one-click buttons for speed-dialling family members. However, the commission said the device does not comply with the Radio Equipment Directive Read more about European Commission orders mass recall of creepy, leaky child-tracking Enox smartwatch[…]

Dating-slash-hook-up app Jack’d is exposing to the public internet intimate snaps privately swapped between its users, allowing miscreants to download countless X-rated selfies without permission. The phone application, installed more than 110,000 times on Android devices and also available for iOS, lets primarily gay and bi men chat each other up, exchange private and public Read more about Hi, Jack’d: A little PSA for anyone using this dating-hook-up app… Anyone can slurp your private, public snaps • The Register[…]

The cyber tool allowed the small Gulf country to monitor hundreds of targets beginning in 2016, from the Emir of Qatar and a senior Turkish official to a Nobel Peace laureate human-rights activist in Yemen, according to five former operatives and program documents reviewed by Reuters. The sources interviewed by Reuters were not Emirati citizens. Read more about UAE used cyber super-weapon to spy on iPhones of foes[…]

In mid-January, Qualys, another security firm, released details about three flaws affecting systemd-journald, a systemd component that handles the collection and storage of log data. Patches for the vulnerabilities – CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866 – have been issued by various Linux distributions. Exploitation of these code flaws allows an attacker to alter system memory in Read more about Defanged SystemD exploit code for security holes now out in the wild[…]

Sophisticated hackers have long exploited flaws in SS7, a protocol used by telecom companies to coordinate how they route texts and calls around the world. Those who exploit SS7 can potentially track phones across the other side of the planet, and intercept text messages and phone calls without hacking the phone itself. This activity was Read more about Criminals Are Tapping into the Phone Network Backbone using known insecure SS7 to Empty Bank Accounts[…]

As it turns out, giving every gadget you own access to your personal information and Internet connection can lead to unintended consequences. Who knew, right? But if you need yet another example of why trusting your home appliances with your secrets is potentially a bad idea, [Limited Results] is here to make sure you spend Read more about Don’t Toss That Bulb, It Knows Your Password[…]