A huge MongoDB database exposing 275,265,298 records of Indian citizens containing detailed personally identifiable information (PII) was left unprotected on the Internet for more than two weeks. Security Discovery researcher Bob Diachenko discovered the publicly accessible MongoDB database hosted on Amazon AWS using Shodan, and as historical data provided by the platform showed, the huge cache Read more about Over 275 Million Indian Personal Records Exposed by Unsecured MongoDB Database[…]

The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, Read more about Hacker Finds He Can Remotely Kill Car Engines, take location and personal data After Breaking Into Fleet GPS Tracking Apps, because default account password is 123456[…]

the addresses and demographic details of more than 80 million US households were exposed on an unsecured database stored on the cloud, independent security researchers have found. The details included names, ages and genders as well as income levels and marital status. The researchers, led by Noam Rotem and Ran Locar, were unable to identify Read more about Unsecured MS cloud database removed after exposing details on 80 million US households[…]

Right on cue, Cisco on Wednesday patched a security vulnerability in some of its network switches that can be exploited by miscreants to commandeer the IT equipment and spy on people. This comes immediately after panic this week over a hidden Telnet-based diagnostic interface was found in Huawei gateways. Although that vulnerability was real, irritating, Read more about Sinister secret backdoor found in networking gear perfect for government espionage: The Chinese are – oh no, wait, it’s Cisco again[…]

A vulnerability in the Dell SupportAssist utility exposes Dell laptops and personal computers to a remote attack that can allow hackers to execute code with admin privileges on devices using an older version of this tool and take over users’ systems. Dell has released a patch for this security flaw on April 23; however, many Read more about Dell laptops and computers vulnerable to remote hijacks via Dell admin tool[…]

On Thursday, at just about the same time as the most highly anticipated government document of the decade was released in Washington D.C., Facebook updated a month-old blog post to note that actually a security incident impacted “millions” of Instagram users and not “tens of thousands” as they said at first. Last month, Facebook announced Read more about ‘Millions’ of Instagram Passwords Were Exposed to Facebook Employees In Plaintext[…]

Microsoft says miscreants accessed some of its customers’ webmail inboxes and account data after a support rep’s administrative account was hijacked. The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep’s account was compromised by hackers who would have subsequently gained “limited access” to certain parts Read more about Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned[…]

Finally stopped using Internet Explorer? Good! But, now it’s time to completely delete it from your computer, too. Security researcher John Page has discovered a new security flaw that allows hackers to steal Windows users’ data thanks to Internet Explorer. The craziest part: Windows users don’t ever even have to open the now-obsolete web browser Read more about Internet Explorer exploit is trouble even if you never use the browser[…]

Two out of three hotel websites inadvertently leak guests’ booking details and personal data to third-party sites, including advertisers and analytics companies, according to research released by Symantec Corp on Wednesday. The study, which looked at more than 1,500 hotel websites in 54 countries that ranged from two-star to five-star properties, comes several months after Read more about Two out of three hotels accidentally leak guests’ personal data to third parties[…]

because WPA2 is more than 14 years old, the Wi-Fi Alliance recently announced the new and more secure WPA3 protocol. One of the main advantages of WPA3 is that, thanks to its underlying Dragonfly handshake, it’s near impossible to crack the password of a network. Unfortunately, we found that even with WPA3, an attacker within Read more about Serious flaws found in WPA3’s wifi Handshake[…]

Researchers at the cybersecurity firm UpGuard on Wednesday said they had discovered the existence of two datasets together containing the personal data of hundreds of millions of Facebook users. Both were left publicly accessible. In a blog post, UpGuard connected one of the leaky databases to a Mexico-based media company called Cultura Colectiva. The data Read more about 540 Million Facebook User Records Exposed Online, Plus Passwords, Comments, and More[…]

Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability. Designated CVE-2019-0211, the flaw allows a “worker” process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the Read more about A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole[…]

Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world’s largest computer makers, was used to unwittingly install a malicious backdoor on thousands of its customers’ computers last year after attackers compromised a server for the company’s live software update tool. The malicious file was signed with legitimate ASUS digital certificates to Read more about Hackers Hijacked ASUS Software Updates to Install Backdoors on half a million Computers[…]

The Federal Emergency Management Agency may have put the personally identifying information of millions of disaster survivors at risk of fraud and identity theft, according to a recent report from the Department of Homeland Security’s Office of Inspector General. The March 15 report said that during an audit of FEMA’s Transitional Sheltering Assistance program, it Read more about FEMA Breach Exposes Personal Data and Banking Information of 2.3 Million Disaster Survivors[…]

An undisclosed number of Nokia 7 Plus smartphones have been caught sending their identification numbers to a domain owned by a Chinese telecom firm. The handsets spaffed the data in clear text over the internet to a server behind the domain vnet.cn, which appears to be owned by China Telecom. The HTTP POST requests from Read more about Nokia phones caught spewing device IDs to China, software blunder blamed[…]

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012, KrebsOnSecurity has learned. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data. Facebook is probing a Read more about Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years and were searched by FB engineers[…]

Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine. The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found Read more about Smart alarms left 3 million cars vulnerable to hackers who could turn off motors, unlock doors remotely[…]

Freelance developers hired to implement password-based security systems do so about as effectively as computer science students, which is to say not very well at all. Boffins at the University of Bonn in Germany set out to expand on research in 2017 and 2018 that found computer science students asked to implement a user registration Read more about Freelance devs: Oh, you wanted the app to be secure? The job spec didn’t mention that[…]

Eggheads at the University of Michigan in the US, and Zhejiang University in China, have found that hard disk drives (HDDs) can be turned into listening devices, using malicious firmware and signal processing calculations. For a study titled “Hard Drive of Hearing: Disks that Eavesdrop with a Synthesized Microphone,” computer scientists Andrew Kwong, Wenyuan Xu, Read more about From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic, if you shout![…]

Further demonstrating the computational risks of looking into the future, boffins have found another way to abuse speculative execution in Intel CPUs to steal secrets and other data from running applications. This security shortcoming can be potentially exploited by malicious JavaScript within a web browser tab, or malware running on a system, or rogue logged-in Read more about SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability[…]

The World Wide Web Consortium (W3C) today declared that the Web Authentication API (WebAuthn) is now an official web standard. First announced by the W3C and the FIDO Alliance in November 2015, WebAuthn is now an open standard for password-free logins on the web. It is supported by W3C contributors, including Airbnb, Alibaba, Apple, Google, Read more about W3C approves WebAuthn as the web standard for password-free logins using FIDO2[…]

Co-authored by three computer science boffins from the University of Colorado, Boulder in the US – Jack Wampler, Ian Martiny, and Eric Wustrow – the paper, “ExSpectre: Hiding Malware in Speculative Execution,” describes a way to compile malicious code into a seemingly innocuous payload binary, so it can be executed through speculative execution without detection. Read more about Ready for another fright? Spectre flaws in today’s computer chips can be exploited to hide, run stealthy malware[…]

Plaintext transmission of audio/video footage to the Ring application allows for arbitrary surveillance and injection of counterfeit traffic, effectively compromising home security (CVE-2019-9483). […] We moved over to sniffing the application. Here we see a more sensible SIP/TLS approach, with pretty much all notifications, updates and information being passed via HTTPS. However, the actual RTP Read more about Amazon Ring Doorbell allows people to eavesdrop with video and even insert footage[…]

In September of 2018, an anonymous independent security researcher (who we’ll call X) noticed that their power company’s website was offering to email—not reset!—lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes Read more about Plain wrong: Millions of utility customers’ passwords stored in plain text by website builder SEDC[…]

A bad security decision by Comcast on the company’s mobile phone service made it easier for attackers to port victims’ cell phone numbers to different carriers. Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took Read more about Comcast set mobile pins to “0000,” helping attackers steal phone numbers[…]