Using your favourite BLE sniffing hardware (we used a Bluefruit but an Ubertooth is just as great) you can visualise the BLE packets in Wireshark. In this case we can see the app has caused the Hush to start vibrating when the handle 0x000e has “Vibrate:5” written to it. We can also start to replay Read more about BLE is weak and can be used to map and hack sex toys, hearing aids. The rise of screwdriving[…]

Yes, that’s Gartner’s security consultancy of the year […] On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded Read more about Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’[…]

Armis Labs revealed a new attack vector endangering major mobile, desktop, and IoT operating systems, including Android, iOS, Windows, and Linux, and the devices using them. The new vector is dubbed “BlueBorne”, as it spread through the air (airborne) and attacks devices via Bluetooth. Armis has also disclosed eight related zero-day vulnerabilities, four of which Read more about BlueBorne: Turn off your bluetooth[…]

Microsoft’s email services got hit with not one but two bugs today: in addition to an earlier blip with Exchange Online, Microsoft confirmed it is now probing “issues” with “some” Outlook.com users in Europe. According to downdetector.com, more than a thousand users have reported problems such as trouble receiving messages and logging in to their Read more about Outlook.com looking more like an outage outbreak for Europe[…]

One of the world’s “big four” accountancy firms has been targeted by a sophisticated hack that compromised the confidential emails and plans of some of its blue-chip clients, the Guardian can reveal. […] One of the largest private firms in the US, which reported a record $37bn (£27.3bn) revenue last year, Deloitte provides auditing, tax Read more about Deloitte hit by cyber-attack revealing clients’ secret emails[…]

When news of the hack was published on September 7, over a month after its scale had been discovered, Equifax set up a website for worried customers to check if they had been affected – equifaxsecurity2017.com – rather than setting it up on the equifax.com domain. As a bit of fun security researcher Nick Sweeting Read more about Equifax fooled again! Blundering credit biz directs hack attack victims to parody site[…]

Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as “using a prohibited technique to download dangerous executable code.” Adguard made the Read more about Popular GO Android alternate Keyboard is spying on millions of Android users[…]

Cyber-crime blogger Brian Krebs said that an online employee tool used in the country could be accessed by typing “admin” as both a login and password. He added that this gave access to records that included thousands of customers’ national identity numbers. Last week, the firm revealed a separate attack affecting millions in the US. Read more about Equifax another breach: had ‘admin’ as login and password in Argentina[…]

Have you been to Mexico in the last year as a tourist and applied for a tax refund on the money you spent while shopping there? If you have, chances are your passport, credit card, or other identification might have been leaked online. The Kromtech Security Research Center has discovered a misconfigured database with nearly Read more about Moneyback leaks 500k tourists to Mexico customer records: passports, credit cards, IDs.[…]

September 7, 2017 — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017. The company has found no evidence of unauthorized Read more about Equifax loses 143 million US, UK and Canadian customer records in data breach.[…]

Servers and data stored by dozens of Fortune 100 companies are at risk, including airlines, banks and financial institutions, and social media sites. A critical security vulnerability in open-source server software enables hackers to easily take control of an affected server — putting sensitive corporate data at risk. The vulnerability allows an attacker to remotely Read more about Apache REST / Struts easily exploitable through browser[…]

Researchers with security company Kromtech said freelancers who handled web applications for TWC and other companies had left one of its AWS S3 storage bins containing seven years’ worth of subscriber data wide open on the ‘net. That data included addresses and contact numbers, information about their home gateways, and account settings. Just before the Read more about Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records[…]

The Rabobank has started warning users when the name doesn’t match an IBAN account. A trivial function that used to work before IBAN but apparently was so hard to implement that users have had to wait for years to get. If you put in the wrong number – then sorry, you were screwed! Now for Read more about After years of IBAN, only 1 NL bank has just figured out how to check the name with an account.[…]

Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances have been exposed by an unsecured Amazon server, potentially for most of the year. […] Thousands of files containing the personal information and expertise of Americans with classified and up to Top Secret security clearances Read more about Data Breach Exposes Thousands of Job Seeker CVs Citing Top Secret Government Work[…]

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month. The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Read more about Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak[…]

Security researchers at Moscow-based Positive Technologies have identified an undocumented configuration setting that disables Intel Management Engine 11, a CPU control mechanism that has been described as a security risk. Intel’s ME consists of a microcontroller that works with the Platform Controller Hub chip, in conjunction with integrated peripherals. It handles much of the data Read more about Intel ME controller chip can be disabled after all – for governments[…]

Last week I was contacted by someone alerting me to the presence of a spam list. A big one. That’s a bit of a relative term though because whilst I’ve loaded “big” spam lists into Have I been pwned (HIBP) before, the largest to date has been a mere 393m records and belonged to River Read more about Inside the Massive 711 Million Record Onliner Spambot Dump[…]

The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks. […] The bill Read more about US Congress dreams of IoT and gets it right! Except it won’t protect consumers, only gov.[…]

In a new study that will be presented next week at the 26th USENIX Security Symposium in Vancouver, University of Washington researchers analyzed the security practices of common, open-source DNA processing programs and found that they were, in general, lacking. That means all that super-sensitive information those programs are processing is potentially vulnerable to hackers. Read more about DNA Testing Data Is Disturbingly Vulnerable to Hackers[…]

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors. Police gain access to Dream accounts via password reuse In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and Read more about Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month[…]

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside. In less than 90 minutes, the first cracks Read more about It took DEF CON hackers minutes to pwn these US voting machines[…]

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register. Out of interest, he tried to buy them and was amazed Read more about Bloke takes over every .io domain by snapping up crucial name servers[…]