uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software. If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site […]

Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is the legit owner of that account. Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account […]
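
The flow the excerpt describes, as an added example that is not Tinder’s or Account Kit’s code: a minimal server-side one-time-code verifier in Python. It shows the properties such a check needs if the code is to prove ownership of the number: the code is bound to the phone number it was issued for, it expires, it is single-use, and guesses are limited. The five-minute TTL, the five-attempt limit, the six-digit format and the `send_sms` hook are assumptions, not anything the page states about either service.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: five wrong guesses burn the code


@dataclass
class PendingCode:
    code: str
    phone: str
    issued_at: float
    attempts: int = 0


class OtpVerifier:
    """Server side of an SMS one-time-code login (hypothetical, not Account Kit).

    The server, not the client, remembers which phone number a code was issued
    for; the client only gets to say "here is the code you sent me".
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(phone, code); a deployment hands this to an SMS gateway
        self._clock = clock
        self._pending = {}          # request_id -> PendingCode

    def start(self, phone: str) -> str:
        """Issue a fresh six-digit code for `phone`; return an opaque request id."""
        code = f"{secrets.randbelow(10**6):06d}"
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = PendingCode(code, phone, self._clock())
        self._send_sms(phone, code)
        return request_id

    def verify(self, request_id: str, phone: str, code: str) -> bool:
        """True only if `code` is the unexpired, unused code issued to `phone` under `request_id`."""
        pending = self._pending.get(request_id)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[request_id]
            return False
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[request_id]
            return False
        pending.attempts += 1
        # The number the client claims must be the one the code was issued for:
        # a correct code presented with someone else's number must fail.
        ok = hmac.compare_digest(pending.code, code) and hmac.compare_digest(pending.phone, phone)
        if ok:
            del self._pending[request_id]   # single use: a replayed code fails
        return ok


if __name__ == "__main__":
    outbox = {}   # stands in for the SMS gateway; constructed numbers below
    v = OtpVerifier(send_sms=lambda phone, c: outbox.__setitem__(phone, c))
    rid = v.start("+15550100001")
    print("wrong phone:", v.verify(rid, "+15550100002", outbox["+15550100001"]))
    print("right phone:", v.verify(rid, "+15550100001", outbox["+15550100001"]))
    print("replay:     ", v.verify(rid, "+15550100001", outbox["+15550100001"]))
```

The binding check is the one that matters for the scenario above: a code that is valid in the abstract buys nothing unless it is presented together with the number it was sent to, and it is consumed on first success.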

A phishing attack scored credentials for more than 50,000 Snapchat users

In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat […]

Facebook admits SMS notifications sent to two-factor numbers were caused by a bug

The issue, which may have persisted for months or perhaps even longer, was flagged by Bay Area software engineer Gabriel Lewi, who tweeted about it earlier this week. Prominent technology critic and sociologist Zeynep Tufekci then used the situation as a springboard to criticize Facebook’s alleged unethical behavior, thinking the 2FA notifications may have been […]

Consumers prefer security over convenience for the first time ever, IBM Security report finds

“We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts…people actually would go the extra mile and will use extra security,” Kessem said. Whether it’s using two factor authentication, an SMS message on top of their password, or any […]

Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

There’s a new menu item in the Facebook app, first reported by TechCrunch on Monday, labeled “Protect.” Clicking it will send you to the App Store and prompt you to download a Virtual Private Network (VPN) service called Onavo. (“Protect” shows up in the iOS app. Gizmodo looked for it on an Android device and […]

Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix

It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening. […] The failure of the UConnect system isn’t just limited to not having a radio; […]

US state’s pot dealer database pwned after security goes up in smoke

The US state of Washington says a miscreant was able to access the system it uses to track the manufacturing and sale of marijuana. The Evergreen State’s Liquor and Cannabis Board – a job that sounds way cooler than it actually is – yesterday admitted that last weekend someone was able to exploit a vulnerability […]

You can resurrect any deleted GitHub account name. If you depend on that account you may find yourself in trouble

The individual identifying himself as Jim Teeuwen, who maintained the GitHub repository for go-bindata, a tool for embedding data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects. The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained […]

Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 – get patching!

Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants on your network, or able to reach the device’s web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo. That’s pretty bad news for any vulnerable gateways with remote […]
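
The page gives the trigger (`&genie=1`) but not the firmware’s logic. Below, as an added illustration that is not Netgear’s code, a hypothetical Python handler shows the class of bug: a query-string flag meant for a trusted helper client is consulted by the authentication check, so the flag is as good as the password. The hardened version beside it never lets request parameters influence that decision, and a small scanner over constructed access-log lines flags requests that carried `genie=1` and were served with a 200. The endpoint paths, the admin credential and the log lines are all constructed for the example.

```python
import base64
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed admin credential for the mock device; a real device reads this from its config.
ADMIN_USER = "admin"
ADMIN_PASS = "correct-horse-battery-staple"


def basic_auth_header(user, password):
    """Build the Authorization header a legitimate admin client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _basic_auth_ok(auth_header):
    """Validate an HTTP Basic Authorization header against the admin credential."""
    if not auth_header or not auth_header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth_header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, ADMIN_USER) and hmac.compare_digest(password, ADMIN_PASS)


def vulnerable_handler(url, auth_header=None):
    """Hypothetical bug of the kind reported: a 'helper app' flag in the query
    string short-circuits the credential check.  Returns (status, body)."""
    query = parse_qs(urlsplit(url).query)
    if query.get("genie") == ["1"]:            # trusted-client shortcut: no credentials checked
        return 200, "config"
    return (200, "config") if _basic_auth_ok(auth_header) else (401, "auth required")


def hardened_handler(url, auth_header=None):
    """Same endpoint with the shortcut removed: the only path to 200 is a valid
    credential.  Parameters are parsed for routing but never touch the auth decision."""
    _routing = parse_qs(urlsplit(url).query)
    if not _basic_auth_ok(auth_header):
        return 401, "auth required"
    return 200, "config"


# Constructed combined-log-format lines from a hypothetical gateway, for the detector below.
ACCESS_LOG = """\
203.0.113.7 - - [15/Feb/2018:10:01:02 +0000] "GET /setup.cgi?next_file=status.htm HTTP/1.1" 401 0
203.0.113.7 - - [15/Feb/2018:10:01:05 +0000] "GET /setup.cgi?next_file=status.htm&genie=1 HTTP/1.1" 200 5120
192.168.1.10 - - [15/Feb/2018:10:02:11 +0000] "GET /genie_index.htm?genie=1 HTTP/1.1" 200 2048
192.168.1.11 - - [15/Feb/2018:10:03:00 +0000] "GET /setup.cgi?genie=0 HTTP/1.1" 401 0
"""

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def flag_genie_bypass(log_text):
    """Return (client_ip, request_target) for every request that carried genie=1 and got a 200."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        if status == "200" and parse_qs(urlsplit(target).query).get("genie") == ["1"]:
            hits.append((ip, target))
    return hits


if __name__ == "__main__":
    bypass = "http://192.168.1.1/setup.cgi?next_file=status.htm&genie=1"
    print("vulnerable:", vulnerable_handler(bypass))
    print("hardened:  ", hardened_handler(bypass))
    print("hits:      ", flag_genie_bypass(ACCESS_LOG))
```

Run as-is, `vulnerable_handler` returns 200 for the unauthenticated `genie=1` request while `hardened_handler` returns 401, and the scanner reports the two bypass hits in the constructed log; the external address in the first hit is the case the excerpt warns about.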

PinMe: Tracking a Smartphone User around the World with GPS and WiFi off

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off. Source: [1802.01468] PinMe: Tracking a Smartphone User around the World
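
How the air-pressure part of this works, as an added example rather than the authors’ code: barometer readings are converted to altitude with the standard-atmosphere formula, and the resulting altitude profile is matched against candidate routes’ elevation profiles by shape. The shape is what carries the information because the phone does not know the day’s sea-level pressure, so every absolute altitude is offset by tens of metres. The routes, readings and noise are constructed; the ISA constants are standard, and RMS-after-offset-removal as the matching score is an assumption about one reasonable way to do the comparison, not a claim about PinMe’s own matcher.

```python
import math

P0_HPA = 1013.25  # ISA sea-level pressure; assumption: no live weather correction available


def pressure_to_altitude_m(p_hpa, p0_hpa=P0_HPA):
    """International Standard Atmosphere approximation, valid in the troposphere:
    h = 44330 * (1 - (p / p0) ** (1 / 5.255))."""
    return 44330.0 * (1.0 - (p_hpa / p0_hpa) ** (1.0 / 5.255))


def altitude_to_pressure_hpa(h_m, p0_hpa=P0_HPA):
    """Inverse of the above; used here only to construct self-consistent sample readings."""
    return p0_hpa * (1.0 - h_m / 44330.0) ** 5.255


def profile_distance(observed_m, candidate_m):
    """RMS difference between two altitude profiles after removing their mean offset.
    The offset is discarded because a few hPa of weather shifts every inferred
    altitude by tens of metres; the climb/descent shape is what identifies a route."""
    if len(observed_m) != len(candidate_m):
        raise ValueError("profiles must be sampled at the same points")
    n = len(observed_m)
    offset = sum(c - o for o, c in zip(observed_m, candidate_m)) / n
    return math.sqrt(sum((o + offset - c) ** 2 for o, c in zip(observed_m, candidate_m)) / n)


def rank_routes(pressures_hpa, routes, p0_hpa=P0_HPA):
    """Score every candidate route against the barometer trace; best match first."""
    observed = [pressure_to_altitude_m(p, p0_hpa) for p in pressures_hpa]
    return sorted((profile_distance(observed, prof), name) for name, prof in routes.items())


# Constructed elevation profiles (metres, one sample per minute) for three hypothetical
# routes, standing in for what would be read off a public elevation map.
ROUTES = {
    "coastal_flat": [5, 6, 5, 7, 6, 5, 6, 7, 6, 5],
    "hill_climb":   [20, 45, 80, 120, 160, 200, 230, 250, 260, 265],
    "valley_dip":   [300, 260, 220, 180, 150, 150, 180, 220, 260, 300],
}

# Constructed barometer trace: the hill_climb profile under a sea-level pressure 3 hPa
# below ISA (weather) plus +/-0.2 hPa of sensor noise, generated so the numbers agree.
_NOISE_HPA = [0.1, -0.2, 0.0, 0.2, -0.1, 0.1, -0.2, 0.0, 0.1, -0.1]
READINGS = [altitude_to_pressure_hpa(h, P0_HPA - 3.0) + n
            for h, n in zip(ROUTES["hill_climb"], _NOISE_HPA)]

if __name__ == "__main__":
    for score, name in rank_routes(READINGS, ROUTES):
        print(f"{name:13s} rms error {score:6.1f} m")
```

With the 3 hPa weather offset the raw inferred altitudes are about 25 m too high at every point, yet the hill route still wins by a wide margin once the offset is removed; that is the property PinMe relies on when it ranks candidate paths against elevation maps.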

Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

“The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.” That’s easily spotted, so […]

Lenovo Fingerprint Manager Pro for Windows has a hardcoded password

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in. Source: Lenovo Fingerprint Manager Pro […]

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Strava, which markets itself as a “social-networking app for athletes”, publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit. Since Strava has been designed to track users’ routes and locations, IUCA analyst […]

Dutch agencies provide crucial intel about Russia’s interference in US elections, US burns the Dutch source

The Cozy Bear hackers are in a space in a university building near the Red Square. The group’s composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not Read more about Dutch agencies provide crucial intel about Russia’s interference in US-elections, US burns the Dutch source[…]

Researchers find a way to link TOR / Silk Road BTC expenditure to people using two datasets

To do so, the Qatari researchers first collected dozens of bitcoin addresses used for donations and dealmaking by websites protected by the anonymity software Tor, run by everyone from WikiLeaks to the now-defunct Silk Road. Then they scraped thousands of more widely visible bitcoin addresses from the public accounts of users on Twitter and the […]
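
The join the excerpt describes, as an added example and not the researchers’ code: one set of addresses scraped from hidden-service pages, one set of addresses people posted under their own names, and the public ledger between them. The addresses, handles and transactions are constructed. Two standard ledger heuristics are assumed rather than taken from the page: the multi-input heuristic (addresses spent together in one transaction belong to one wallet, so a name known for one of them applies to all) and a bounded walk along payment edges, so that a hidden-service address reached through an intermediate change address still counts. The mixer in the sample data shows the failure mode: with no transaction tying the mixer’s output back to its input, the chain stops.

```python
from collections import defaultdict, deque

# Dataset 1 (constructed): addresses scraped from hidden-service pages (donation / vendor addresses).
HIDDEN_SERVICE_ADDRS = {"hs_donate_A", "hs_market_B"}

# Dataset 2 (constructed): addresses people posted under their own handles on a social network or forum.
PUBLIC_ADDRS = {"alice_pub_1": "@alice", "bob_pub_1": "@bob", "carol_pub": "@carol"}

# Constructed ledger excerpt: (txid, input addresses, [(output address, amount)]).
# Real data would come from a full node or a block-explorer dump.
TXS = [
    ("tx1", ["alice_pub_1"], [("hs_donate_A", 0.50), ("alice_change", 0.10)]),
    ("tx2", ["alice_change"], [("hs_market_B", 0.05)]),          # reached via change address
    ("tx3", ["bob_pub_1", "bob_pub_2"], [("merchant_x", 1.00)]),  # two inputs spent together
    ("tx4", ["bob_pub_2"], [("hs_donate_A", 0.20)]),              # unnamed address, same wallet as bob_pub_1
    ("tx5", ["carol_pub"], [("mixer_in", 2.00)]),                 # chain breaks at the mixer
    ("tx6", ["mixer_out"], [("hs_market_B", 1.90)]),
]


def cluster_by_common_input(txs):
    """Multi-input heuristic: addresses spent in the same transaction share a wallet.
    Returns address -> cluster root for every address that appears as an input."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for _, inputs, _ in txs:
        for addr in inputs:
            find(addr)
        for other in inputs[1:]:
            ra, rb = find(inputs[0]), find(other)
            if ra != rb:
                parent[rb] = ra
    return {a: find(a) for a in list(parent)}


def expand_handles(public, clusters):
    """Propagate a known identity to every address in the same input cluster."""
    root_to_handle = {clusters.get(a, a): h for a, h in public.items()}
    expanded = dict(public)
    for addr, root in clusters.items():
        if root in root_to_handle:
            expanded[addr] = root_to_handle[root]
    return expanded


def payment_graph(txs):
    """Directed edges input-address -> output-address for every transaction."""
    edges = defaultdict(set)
    for _, inputs, outputs in txs:
        for src in inputs:
            for dst, _amount in outputs:
                edges[src].add(dst)
    return edges


def link_users(txs, hidden, public, max_hops=2):
    """Return handle -> {(hidden-service address, hops)} for every identified user
    whose coins reach a hidden-service address within `max_hops` transactions."""
    edges = payment_graph(txs)
    identities = expand_handles(public, cluster_by_common_input(txs))
    links = defaultdict(set)
    for start, handle in identities.items():
        seen, queue = {start}, deque([(start, 0)])
        while queue:
            addr, hops = queue.popleft()
            for nxt in edges.get(addr, ()):
                if nxt in hidden:
                    links[handle].add((nxt, hops + 1))
                elif hops + 1 < max_hops and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, hops + 1))
    return dict(links)


if __name__ == "__main__":
    for handle, targets in sorted(link_users(TXS, HIDDEN_SERVICE_ADDRS, PUBLIC_ADDRS).items()):
        print(handle, sorted(targets))
```

On the constructed data @alice is tied to both hidden-service addresses (one directly, one through her change address), @bob is tied through an address he never published but spent alongside one he did, and @carol is not linked at all because the mixer severs the path.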

Easy to watch over your shoulder at your Tindering

Checkmarx researchers disclosed two flaws (CVE-2018-6017, CVE-2018-6018) and a proof of concept (see video below) for an app that could sit on the wireless network of, say, an airport or hotel and observe actions including profile views, swipes, and likes. The first issue, CVE-2018-6017, results from the Tinder app’s use of insecure HTTP connections to […]

It’s 2018 and your Macs, iPhones can be pwned by playing evil music: lots of patches

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible. […] Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and a memory initialization bug (CVE-2018-4090) […]

Skype, Signal, Slack, other apps inherit Electron vuln

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters. Slack users should update to version 3.0.3 or better, and the latest version of Skype for […]

Intel patches for Spectre cause reboots, Intel tells people to stop installing them and also please help test for them

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated […]

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last […]

Lenovo inherited a switch authentication bypass

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel. The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been present in ENOS (Enterprise Network Operating System) since at […]

OnePlus suspends credit card transactions after fraud

Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. […] As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still […]