Epyc fail? We can defeat AMD’s virtual machine encryption, say boffins

German researchers reckon they have devised a method to thwart the security mechanisms AMD’s Epyc server chips use to automatically encrypt virtual machines in memory. So much so, they said they can exfiltrate plaintext data from an encrypted guest via a hijacked hypervisor and simple HTTP or HTTPS requests. […] a technique dubbed SEVered can, […]

Over 900,000 personal records of South Africans leaked online

Barely a year after South Africa’s largest data leak was revealed in 2017, the country has suffered yet another data leak as 934,000 personal records of South Africans have been leaked publicly online. The data includes, among others, national identity numbers (ID numbers), e-mail addresses, full names, as well as plain text passwords to what […]

Spectre comes back to haunt: Processor Makers Confirm New Security Flaws, So Update Now

Intel is finally confirming that its computer processors are vulnerable to an additional variant of Spectre, the nasty security vulnerability that affects nearly every CPU currently in devices and in the marketplace. German computing magazine C’t first reported the additional flaws, which can be exploited in a browser setting using a runtime (think JavaScript), on […]

Seriously, Cisco? Another hard-coded password? Sheesh

Cisco’s issued 16 patches, the silliest of which is CVE-2018-0222 because it’s a hard-coded password in Switchzilla’s Digital Network Architecture (DNA) Center. “The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software,” Cisco’s admitted. As you’d expect, “An attacker could exploit this vulnerability by […]

Entire Nest ecosystem of smart home devices goes offline

For at least a few hours overnight, owners of Nest products were unable to access their devices via the Nest app or web browsers, according to Nest Support on Twitter. Other devices like Nest Secure and Nest x Yale Locks behaved erratically. The as of yet unexplained issues affected the entire lineup of Nest devices, […]

Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices

On April 19, 2018, an industry partner notified NCCIC and the FBI of malicious cyber activity that aligns with the techniques, tactics, and procedures (TTPs) and network indicators listed in this Alert. Specifically, the industry partner reported the actors redirected DNS queries to their own infrastructure by creating GRE tunnels and obtained sensitive information, which […]

Many Satellites run Windows 95 – and are ripe for hacking

Hundreds of multi-ton liabilities—soaring faster than the speed of sound, miles above the surface of the earth—are operating on Windows-95. They’re satellites, responsible for everything from GPS positioning, to taking weather measurements, to carrying cell signals, to providing television and internet. For the countries that own these satellites, they’re invaluable resources. Even though they’re old, it’s […]

Hackers Steal Data on 14 Million Users From Ride-Hail App Careem

Careem, a ride-hail startup based in Dubai and operating in 14 countries, announced today that hackers stole data belonging to 14 million riders and drivers. The company discovered the breach on January 14 but waited to notify its customers because the investigation was ongoing. “Cybercrime investigations are immensely complicated and take time. We wanted to […]

Yahoo! fined! $35m! for! covering! up! massive! IT! security! screwup!

The Disaster Formerly Known as Yahoo! has been fined $35m by US financial watchdog, the SEC, for failing to tell anyone about one of the world’s largest ever computer security breaches. Now known as Altaba following its long, slow and painful descent into irrelevance, Yahoo! knew that its entire user database – including billions of […]

Cops Around the Country Can Now Unlock iPhones, Records Show

Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. Many of the documents were obtained by Motherboard using public records requests. […]

Data exfiltrators send info over PCs’ power supply cables

If you want your computer to be really secure, disconnect its power cable. So says Mordechai Guri and his team of side-channel sleuths at the Ben-Gurion University of the Negev. The crew have penned a paper titled PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines that explains how attackers could install malware that regulates […]

Under Armour Data Breach: 150 Million MyFitnessPal Accounts Hacked

Under Armour Inc., joining a growing list of corporate victims of hacker attacks, said about 150 million user accounts tied to its MyFitnessPal nutrition-tracking app were breached earlier this year. An unauthorized party stole data from the accounts in late February, Under Armour said on Thursday. It became aware of the breach earlier this week […]

Trustwave Global IT Security Report Summarised

Hackers have moved away from simple point-of-sale (POS) terminal attacks to more refined assaults on corporations’ head offices. An annual report from security firm Trustwave out today highlighted increased sophistication of web app hacking and social engineering tactics on the part of miscreants. Half of the incidents investigated involved corporate and internal networks (up from […]

T-Mobile Austria stores passwords as plain text

A customer was questioning rumors that T-Mobile Austria was storing customer passwords in plain text, leaving the credentials like sitting ducks for hackers. Whoever was manning T-Mobile Austria’s Twitter account confirmed that this was the case, but that there was no need to worry because “our security is amazingly good.” Hello Claudia! The customer […]

NUC, NUC! Who’s there? Intel, warning you to kill a buggy keyboard app

Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers in out-of-the-way places like digital signage. Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel […]

Rise in Ransomware Attacks Actually Led to Fewer Exposed Records, IBM Discovers

It seems as if last year’s data breaches were characterized by increased regularity, yet somehow, according to the latest research from IBM Security, fewer records were actually exposed. The year saw a 25 percent dip in exposed records—2.5 billion down from 4 billion the previous year—according to IBM’s latest X-Force report. The cause: Cybercriminals have […]

1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe’s General Data Protection Regulation comes into force. During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple Storage Service (S3) buckets, rsync, Server Message Block (SMB), […]

Hacker Uses Exploit to Generate Verge Cryptocurrency out of Thin Air

An unknown attacker has exploited a bug in the Verge cryptocurrency network code to mine Verge coins at a very rapid pace and generate funds almost out of thin air. The Verge development team is preparing a hard-fork of the entire cryptocurrency code to fix the issue and revert the blockchain to a previous state […]

Secret Service Warns of Chip Card Scheme: replacing the chip and then draining after activation

The U.S. Secret Service is warning financial institutions about a new scam involving the temporary theft of chip-based debit cards issued to large corporations. In this scheme, the fraudsters intercept new debit cards in the mail and replace the chips on the cards with chips from old cards. When the unsuspecting business receives and activates […]

DronesForLess leaks customer purchasing data

The DronesForLess.co.uk site was left wide open by its operators, who failed to protect critical parts of its web infrastructure from curious people, as spotted by Alan at secret-bases.co.uk, who told The Register. We discovered more than 10,000 online purchase receipts had been saved to its web servers without any encryption or even password protection […]

iOS QR ‘bug’ isn’t a bug: trend in pointing out things working as intended as a security advisory continues

So: Oddly enough, if you make a QR code that tells you to go somewhere, the camera will take you to where the QR code tells you to go, even if you tell someone that the QR code goes someplace else. This trend of ‘reporting’ security problems that are not security problems at all is […]

Cisco NFV elastic services controller accepts empty admin password

Cisco’s Elastic Services Controller’s release 3.0.0 software has a critical vulnerability: it accepts an empty admin password. The Controller (ESC) is Cisco’s automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling. Cisco’s advisory about the flaw explains the bug is in ESC’s Web service portal: “An attacker […]

AI models leak secret data too easily

A paper released on arXiv last week by a team of researchers from the University of California, Berkeley, National University of Singapore, and Google Brain reveals just how vulnerable deep learning is to information leakage. The researchers labelled the problem “unintended memorization” and explained it happens if miscreants can access the model’s code and […]

Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing an MSSQL database backup file. According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information […]

Can AMD Vulnerabilities Be Used to Game the Stock Market?

On Tuesday, a little known security company claimed to have found vulnerabilities and backdoors in some AMD processors. Within some parts of the security community, the story behind the researchers’ discovery quickly became more interesting than the discovery itself. The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing […]