All Intel laptops open to unlocking with ctrl-P and “admin”. Another fatal flaw in Intel Management Engine.

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists […]

Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains

Let’s Encrypt – an SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers. TLS-SNI is one of three ways Let’s Encrypt’s […]

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability […]

Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC?

Spare a thought for Jasper Spaans, who hosts the Linux Kernel Mailing List archive from a single PC that lives in his home. And since things always happen this way the home machine died while he was on holiday. The archive was therefore unavailable for much of the weekend, although Linux developers could still use […]

EMC, VMware security bugs throw gasoline on cloud security fire

While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection […]

Okay, Google: why does Chromecast clobber Wi-Fi connections?

Wi-Fi router vendors have started issuing patches to defend their products against Google Chromecast devices. TP-Link and Linksys were first out of the blocks with firmware fixes, and TP-Link has posted this explanation of the issue. The bug is not in the routers, but in Google’s “Cast” feature, used in Chromecast, Google Home, and other devices. […]

WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats

Only admins can add new members to private groups. But the researchers found that anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access […]

Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted

An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system’s password protections. This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug, reported by developer Eric Holtam to the Open Radar bug […]

Yahooooo! says! its! email! is! scrahoooo-ed!

Yahoo! Mail – yes, amazingly it is still a thing – is today taking a break from business as usual norms with the service down for almost the past seven hours. Since circa 9am, the email service has received hundreds of complaints an hour on downdetector.co.uk, with users moaning about persistent “error 15” messages, and others […]

Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!

Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them — your files could be at risk. It isn’t even hard to take advantage of it — the username is “mydlinkBRionyg” and the password is […]

Edward Snowden’s New App Uses Your Smartphone to Physically Guard Your Laptop

My disk is encrypted, but all it takes to bypass this protection is for an attacker — a malicious hotel housekeeper, or “evil maid,” for example — to spend a few minutes physically tampering with it without my knowledge. If I come back and continue to use my compromised computer, the attacker could gain access […]

Windows 10 Facial Recognition Feature Can Be Bypassed with a low res Photo

You can bypass Windows Hello with a low-res printed photo. In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software — the doomsday scenario of using a printed photo of the device’s owner. Researchers say that by […]

Chinese Adups Backdoor Still Active on Many Android Devices

Back in mid-November 2016, US cyber-security firm Kryptowire revealed it discovered that firmware code created by a Chinese company called Adups was collecting vast amounts of user information and sending it to servers located in China. According to Kryptowire, the backdoor code was collecting SMS messages, call history, address books, app lists, phone hardware identifiers, but […]

Tripwire detects hacks companies haven’t told us about by creating accounts with unique emails on thousands of servers. If the email account is accessed, the site has been breached. No-one knows or cares that there has been a breach in the vast majority of cases.

A prototype tool created by researchers from the University of California San Diego (UCSD) aims to bring greater transparency to such breaches. The system, called Tripwire, detects websites that were hacked, as is detailed in this study. Here’s how it works: To detect breaches, the researchers created a bot that automatically registered accounts on […]

Windows 10 Password Manager Keeper allows sites to steal any password.

A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year. “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” said Tavis Ormandy, the Google […]

“Suspicious” event routes traffic for big-name sites through Russia

According to a blog post published Wednesday by Internet monitoring service BGPMon, the hijack lasted a total of six minutes and affected 80 separate address blocks. It started at 4:43 UTC and continued for three minutes. A second hijacking occurred at 7:07 UTC and also lasted three minutes. Meanwhile, a second monitoring service, Qrator Labs, […]

Apparent Google update glitch disconnects student Chromebooks in schools across the U.S. – GeekWire

Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly botched WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving […]

System76 will disable Intel Management engine on its Linux laptops via firmware update

System76 is one of a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware. Intel recently confirmed a major security vulnerability affecting those chips and it’s working with […]

66 Percent of Popular Android Cryptocurrency Apps Don’t Use Encryption

High-Tech Bridge used its free mobile app analysis software, called Mobile X-Ray, to peek under the hood of the top 30 cryptocurrency apps in the Google Play store at three different popularity levels: apps with up to 100,000 downloads, up to 500,000 downloads, and apps with more than 500,000 downloads. So, a total of 90 […]

Former DHS employee had 246000 DHS employee records at home to sell. DHS waits 3 months(!) to notify employees.

The sensitive personal information of 246,000 Department of Homeland Security employees was found on the home computer server of a DHS employee in May, according to documents obtained by USA TODAY. Also discovered on the server was a copy of 159,000 case files from the inspector general’s investigative case management system, which suspects in an […]

As Apple fixes macOS root password hole, here’s what went wrong (note: get patching!)

The patch addresses a flaw in its operating system that allows anyone sitting at a Mac to gain administrator access by entering “root” as the username and leaving the password box blank in authentication prompts. This works when altering system settings, logging into the machine, and accessing it remotely via VNC, RDP, screen sharing, and […]

Using heart size by scanning using doppler radar as a biometric

Forget fingerprint computer identification or retinal scanning. A University at Buffalo-led team has developed a computer security system using the dimensions of your heart as your identifier. The system uses low-level Doppler radar to measure your heart, and then continually monitors your heart to make sure no one else has stepped in to run your […]

Intel: We’ve found severe bugs in secretive unpatchable Management Engine, affecting millions

Thanks to an investigation by third-party researchers into Intel’s hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers. The flaws affect Management Engine (ME), Trusted Execution Engine (TXE), and Server Platform Services (SPS). Intel discovered the […]