A 100,000-router botnet is feeding on a 5-year-old UPnP bug in Broadcom chips (lots of different routers have this chip!)

A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, […]

Windows 10 Pro goes Home as Microsoft fires up downgrade server

Microsoft’s activation servers appear to be on the blink this morning – some Windows 10 users woke up to find their Pro systems have, er, gone Home. Twitter user Matt Wadley was one of the first out of the gate, complaining that following an update to the freshly released Insider build of next year’s Windows, […]

Apple Blocks Linux From Booting and makes Windows hard to boot On New Hardware With T2 Security Chip

Apple’s new-generation Macs come with a new so-called Apple T2 security chip that’s supposed to provide a secure enclave co-processor responsible for powering a series of security features, including Touch ID. At the same time, this security chip enables the secure boot feature on Apple’s computers, and by the looks of things, it’s also responsible […]

Virtualbox 0-day posted because Oracle won’t update, allows you to execute on the underlying server

I like VirtualBox and it has nothing to do with why I publish a 0day vulnerability. The reason is my disagreement with contemporary state of infosec, especially of security research and bug bounty: Wait half a year until a vulnerability is patched is considered fine. In the bug bounty field these are considered fine: Wait […]

Card Fraud on the Rise, Despite on card chip Adoption

As we have passed the three-year anniversary of the US EMV migration deadline, it is evident that the majority of financial institutions were successful in providing their customers with new EMV enabled cards. However, contrary to the prevailing logic, migration to the EMV did not eradicate the card-present fraud. Of more than 60 million payment […]

Dutch cops hope to cuff ‘hundreds’ of suspects after snatching server, snooping on 250,000+ encrypted IronChat texts

Dutch police claim to have snooped on more than a quarter of a million encrypted messages sent between alleged miscreants using BlackBox IronPhones. The extraordinary claim was made in a press conference on Tuesday, in which officers working on a money-laundering investigation reckoned they had been able to see crims chatting “live for some time.” […]

Old School ‘Sniffing’ Attacks Can Still Reveal Your Browsing History to any old website

Most modern browsers—such as Chrome, Firefox, and Edge, and even browsers such as FuzzyFox and DeterFox (different, security-focused versions of Firefox)—have vulnerabilities that allow hosts of malicious websites to extract hundreds to thousands of URLs in a user’s web history, per new research from the University of California San Diego. What’s worse, the vulnerabilities are […]

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it’s really, really dumb)

Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they’ve got their hands on the equipment. A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical […]

The CIA’s communications suffered a catastrophic compromise through Google scraping, killing ~30 agents

From around 2009 to 2013, the U.S. intelligence community experienced crippling intelligence failures related to the secret internet-based communications system, a key means for remote messaging between CIA officers and their sources on the ground worldwide. The previously unreported global problem originated in Iran and spiderwebbed to other countries, and was left unrepaired — despite […]

Unsure why you can’t log into Office 365? So is Microsoft

Microsoft’s Office 365 has been giving some users cold sweats. No matter how hard they try to log in, they simply can’t access the service and haven’t been able to for hours – others say it has wobbled for days. Sporadic reports of unrest began to emerge on Down Detector on Friday (26 October) in […]

3D printers have ‘fingerprints,’ a discovery that could help trace 3D-printed guns

Like fingerprints, no 3D printer is exactly the same. That’s the takeaway from a new study that describes what’s believed to be the first accurate method for tracing a 3D-printed object to the machine it came from. The advancement could help law enforcement and intelligence agencies track the origin of 3D-printed guns, counterfeit products and […]

Zero-day in popular jQuery File Upload plugin actively exploited for at least three years

For at least three years, hackers have abused a zero-day in one of the most popular jQuery plugins to plant web shells and take over vulnerable web servers, ZDNet has learned. The vulnerability impacts the jQuery File Upload plugin authored by prodigious German developer Sebastian Tschan, most commonly known as Blueimp. The plugin is the […]

UK data watchdog fines Facebook 17 minutes of net profit for Cambridge Analytica brouhaha

The UK’s Information Commissioner has formally fined Facebook £500,000 – the maximum available – over the Cambridge Analytica scandal. In a monetary penalty notice issued this morning, the Information Commissioner’s Office (ICO) stated that the social media network had broken two of the UK’s legally binding data protection principles by allowing Cambridge academic Aleksandr Kogan […]

DHCPv6 packet can pwn a vulnerable Linux box with systemd

A security bug in Systemd can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box. The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking: maliciously crafted DHCPv6 packets can try to exploit […]

Wolf Data, Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See

A startup that claims to sell surveillance and hacking technologies to governments around the world left nearly all its data—including information taken from infected targets and victims—exposed online, according to a security firm who found the data. Wolf Intelligence, a Germany-based spyware company that made headlines for sending a bodyguard to Mauritania and prompting an […]

When Trump Phones Friends, the Chinese and the Russians Listen and Learn

When President Trump calls old friends on one of his iPhones to gossip, gripe or solicit their latest take on how he is doing, American intelligence reports indicate that Chinese spies are often listening — and putting to use invaluable insights into how to best work the president and affect administration policy, current and former […]

Yahoo to pay $50M, other costs for massive security breach

Yahoo has agreed to pay $50 million in damages and provide two years of free credit-monitoring services to 200 million people whose email addresses and other personal information were stolen as part of the biggest security breach in history. The restitution hinges on federal court approval of a settlement filed late Monday in a 2-year-old […]

Printer Makers Are Crippling Cheap Ink Cartridges Via Bogus ‘Security Updates’ – endangering networks because people stop updating

Printer maker Epson is under fire this month from activist groups after a software update prevented customers from using cheaper, third party ink cartridges. It’s just the latest salvo in a decades-long effort by printer manufacturers to block consumer choice, often by disguising printer downgrades as essential product improvements. For several decades now printer manufacturers […]

Detect and disconnect WiFi cameras in that AirBnB you’re staying in

There have been a few too many stories lately of AirBnB hosts caught spying on their guests with WiFi cameras, using DropCam cameras in particular. Here’s a quick script that will detect two popular brands of WiFi cameras during your stay and disconnect them in turn. It’s based on glasshole.sh. It should do away with […]

Researcher finds simple way of elevating user privileges on Windows PCs and nobody notices for ten months

A security researcher from Colombia has found a way of assigning admin rights and gaining boot persistence on Windows PCs that’s simple to execute and hard to stop – all the features that hackers and malware authors are looking for from an exploitation technique. What’s more surprising is that the technique was first detailed way back […]

Branch.io bug left ‘685 million’ netizens open to website hacks

Bug-hunters have told how they uncovered a significant security flaw that affected the likes of Tinder, Yelp, Shopify, and Western Union – and potentially hundreds of millions of folks using these sites and apps. The software sniffers said they first came across the exploitable programming blunder while digging into webpage code on dating websites. After […]

Senators to Google: Why didn’t you disclose massive Google+ vulnerability sooner? Oh, and Why can’t you Google the breach itself?

3 GOP senators want Google to give answers over data leak that affected 500,000 users. Source: Senators to Google: Why didn’t you disclose Google+ vulnerability sooner? It’s only three senators and chances are you haven’t heard of the massive, millions affected data breach suffered by Google, that they didn’t report. Interestingly, if you try to […]

Slow your roll: VMware urges admins to apply workarounds to DoS-inducing 3D render vuln

The vuln (CVE-2018-6977) allows an attacker with normal local user privileges to trigger an infinite loop in a 3D-rendering shader. According to VMware, a “specially crafted 3D shader may loop for an infinite amount of time and lock up a VM’s virtual graphics device”. If that happens, VMware warned, the hypervisor may rely on the […]

MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords – AWS strikes again

FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password. The company builds fitness tracking software for gyms and group classes — like CrossFit and SoulCycle — that displays heart rate and other fitness metric […]

Pentagon’s weapons systems are laughably easy to hack

New computerized weapons systems currently under development by the US Department of Defense (DOD) can be easily hacked, according to a new report published today. The report was put together by the US Government Accountability Office (GAO), an agency that provides auditing, evaluation, and investigative services for Congress. Congress ordered the GAO report in preparation […]