How to Prevent X’s Audio and Video Calls Feature From Revealing Your IP Address – wait it reveals your IP address :O – wait… of course, it’s a Musk thing

[…] X began rolling out the audio and video calling feature, which was previously restricted to paid users, to everyone last week. However, hawk-eyed sleuths quickly noticed that the feature was automatically turned on, meaning that users had to manually go to their settings to turn it off. Only your mutuals or someone you’ve exchanged Read more about How to Prevent X’s Audio and Video Calls Feature From Revealing Your IP Address – wait it reveals your IP address :O – wait… of course, it’s a Musk thing[…]

Hackers exploited Windows 0-day for 6 months after Microsoft knew of it

[…] Even after Microsoft patched the vulnerability last month, the company made no mention that the North Korean threat group Lazarus had been using the vulnerability since at least August to install a stealthy rootkit on vulnerable computers. The vulnerability provided an easy and stealthy means for malware that had already gained administrative system rights Read more about Hackers exploited Windows 0-day for 6 months after Microsoft knew of it[…]

VMware sandbox escape bugs are so critical, patches are released for end-of-life products – also, remove all your USB products now

VMware is urging customers to patch critical vulnerabilities that make it possible for hackers to break out of sandbox and hypervisor protections in all versions, including out-of-support ones, of VMware ESXi, Workstation, Fusion, and Cloud Foundation products. A constellation of four vulnerabilities—two carrying severity ratings of 9.3 out of a possible 10—are serious because they Read more about VMware sandbox escape bugs are so critical, patches are released for end-of-life products – also, remove all your USB products now[…]

Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.

The Vietnamese government will begin collecting biometric information from its citizens for identification purposes beginning in July this year. Prime minister Pham Minh Chinh instructed the nation’s Ministry of Public Security to collect the data in the form of iris scans, voice samples and actual DNA, in accordance with amendments to Vietnam’s Law on Citizen Read more about Vietnam to collect biometrics – even DNA – for new ID cards. Centralised databases never leak.[…]

Wyze says camera breach let 13,000 customers briefly see into other people’s homes

Last week, co-founder David Crosby said that “so far” the company had identified 14 people who were able to briefly see into a stranger’s property because they were shown an image from someone else’s Wyze camera. Now we’re being told that number of affected customers has ballooned to 13,000. The revelation came from an email Read more about Wyze says camera breach let 13,000 customers briefly see into other people’s homes[…]

livall smart helmets

Whoops: ‘Smart’ Livall Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers

[,,,] a company named Livall makes “smart” bike helmets for skiers and cyclists that includes features like auto-fall detection, GPS location monitoring, and integrated braking lights. The problem: the company apparently didn’t spend enough time securing the company’s app, allowing pretty much anybody to listen in on and track the precise location data of a Read more about Whoops: ‘Smart’ Livall Helmet Allowed Real Time Surveillance And Location Tracking Of A Million Customers[…]

‘World’s biggest casino’ app Winstar exposed customers’ personal data: developer Dexia didn’t secure the db.

Oklahoma-based WinStar bills itself as the “world’s biggest casino” by square footage. The casino and hotel resort also offers an app, My WinStar, in which guests can access self-service options during their hotel stay, their rewards points and loyalty benefits, and casino winnings. The app is developed by a Nevada software startup called Dexiga. The Read more about ‘World’s biggest casino’ app Winstar exposed customers’ personal data: developer Dexia didn’t secure the db.[…]

Canada Moves to Ban the Flipper Zero Over Car Hacking Fears – instead of requiring good security on Cars

On Thursday, following a summit that focused on “the growing challenge of auto theft in Canada,” the country’s Minister of Innovation, Science and Industry posted a statement on X, saying “Criminals have been using sophisticated tools to steal cars…Today, I announced we are banning the importation, sale and use of consumer hacking devices, like flippers, Read more about Canada Moves to Ban the Flipper Zero Over Car Hacking Fears – instead of requiring good security on Cars[…]

Mercedes-Benz source code exposed by leaving private key online

Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave “unrestricted access” to the company’s source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the Read more about Mercedes-Benz source code exposed by leaving private key online[…]

Dutch COVID-19 testing firm Coronalab exposed 1.3 million patient records

A password-less database containing an estimated 1.3 million sets of Dutch COVID-19 testing records was left exposed to the open internet, and it’s not clear if anyone is taking responsibility. Among the information revealed in the publicly accessible and seemingly insecurely configured database were 118,441 coronavirus test certificates, 506,663 appointment records, 660,173 testing samples and Read more about Dutch COVID-19 testing firm Coronalab exposed 1.3 million patient records[…]

triangulation exploit chain

All Apples Wide open for 4 years, Kaspersky security company and many others in Moscow opened wide – photos, location, mic, etc – just by sending them an imessage. Shows how dangerous closed source is.

[…] after about 12 months of intensive investigation. Besides how the attackers learned of the hardware feature, the researchers still don’t know what, precisely, its purpose is. Also unknown is if the feature is a native part of the iPhone or enabled by a third-party hardware component such as ARM’s CoreSight   Further Reading “Clickless” Read more about All Apples Wide open for 4 years, Kaspersky security company and many others in Moscow opened wide – photos, location, mic, etc – just by sending them an imessage. Shows how dangerous closed source is.[…]

1M non-profit donors PII exposed by unsecured DonorView database

Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database. The database is owned and operated by DonorView – provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and other groups focused on charitable or philanthropic goals. Infosec Read more about 1M non-profit donors PII exposed by unsecured DonorView database[…]

Bad genes: 23andMe leak highlights a possible future of genetic discrimination

23andMe is a terrific concept. In essence, the company takes a sample of your DNA and tells you about your genetic makeup. For some of us, this is the only way to learn about our heritage. Spotty records, diaspora, mistaken family lore and slavery can make tracing one’s roots incredibly difficult by traditional methods. What Read more about Bad genes: 23andMe leak highlights a possible future of genetic discrimination[…]

Your mobile password manager might be exposing your credentials because of Webview

A number of popular mobile password managers are inadvertently spilling user credentials due to a vulnerability in the autofill functionality of Android apps. The vulnerability, dubbed “AutoSpill,” can expose users’ saved credentials from mobile password managers by circumventing Android’s secure autofill mechanism, according to university researchers at the IIIT Hyderabad, who discovered the vulnerability and Read more about Your mobile password manager might be exposing your credentials because of Webview[…]

Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets

A series of attacks against Microsoft Active Directory domains could allow miscreants to spoof DNS records, compromise Active Directory and steal all the secrets it stores, according to Akamai security researchers. We’re told the attacks – which are usable against servers running the default configuration of Microsoft Dynamic Host Configuration Protocol (DHCP) servers – don’t Read more about Attacks abuse Microsoft DHCP to spoof DNS records and steal secrets[…]

Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack

“Researchers have identified a large number of bugs to do with the processing of images at boot time,” writes longtime Slashdot reader jd. “This allows malicious code to be installed undetectably (since the image doesn’t have to pass any validation checks) by appending it to the image. None of the current secure boot mechanisms are Read more about Nearly Every Windows and Linux Device Vulnerable To New LogoFAIL Firmware Attack[…]

3 Vulns expose ownCloud admin passwords, sensitive data

ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score. The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys. Tracked as CVE-2023-49103, the vulnerability carries a maximum severity rating of 10 Read more about 3 Vulns expose ownCloud admin passwords, sensitive data[…]

Windows users report appearance of unwanted HP app – shows you how secure automatic updating is (with no real information about what is in the updates)

Windows users are reporting that Hewlett Packard’s HP Smart application is appearing on their systems, despite them not having any of the manufacturer’s hardware attached. While Microsoft has remained tight-lipped on what is happening, folks on various social media platforms noted the app’s appearance, which seems to afflict both Windows 10 and Windows 11. The Read more about Windows users report appearance of unwanted HP app – shows you how secure automatic updating is (with no real information about what is in the updates)[…]

In a first, cryptographic keys protecting SSH connections stolen in new attack

For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established. Underscoring the importance of their discovery, the researchers used their findings to calculate the private portion Read more about In a first, cryptographic keys protecting SSH connections stolen in new attack[…]

European digital identity: Council and Parliament reach a provisional agreement on eID

[…] Under the new law, member states will offer citizens and businesses digital wallets that will be able to link their national digital identities with proof of other personal attributes (e.g., driving licence, diplomas, bank account). Citizens will be able to prove their identity and share electronic documents from their digital wallets with a click Read more about European digital identity: Council and Parliament reach a provisional agreement on eID[…]

Cisco Can’t Stop Using Hard-Coded Passwords

There’s a new Cisco vulnerability in its Emergency Responder product: This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow Read more about Cisco Can’t Stop Using Hard-Coded Passwords[…]

Troy Hunt scours the dark web for your stolen data – a look at HaveIBeenPwned: a 1 man operation

[…] Have I Been Pwned started life as a hobby project. In fact, Troy wasn’t working in the cybersecurity industry until a chance encounter tweaked his curiosity. […] Hackers had stolen the email addresses and passwords of 152 million of Adobe’s customers in November 2013 — including, as it turned out, Troy’s. Only, he wasn’t Read more about Troy Hunt scours the dark web for your stolen data – a look at HaveIBeenPwned: a 1 man operation[…]

Sourcegraph published admin token, someone creates API endpoint with free access

An unknown hacker gained administrative control of Sourcegraph, an AI-driven service used by developers at Uber, Reddit, Dropbox, and other companies, and used it to provide free access to resources that normally would have required payment. In the process, the hacker(s) may have accessed personal information belonging to Sourcegraph users, Diego Comas, Sourcegraph’s head of Read more about Sourcegraph published admin token, someone creates API endpoint with free access[…]

Windows feature that resets system clocks based on random data is wreaking havoc

A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to maintain a routing table that tracked cell phone numbers in real time as they moved Read more about Windows feature that resets system clocks based on random data is wreaking havoc[…]