The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks. […] The bill Read more about US Congress dreams of IoT and gets it right! Except it won’t protect consumers, only gov.[…]

In a new study that will be presented next week at the 26th USENIX Security Symposium in Vancouver, University of Washington researchers analyzed the security practices of common, open-source DNA processing programs and found that they were, in general, lacking. That means all that super-sensitive information those programs are processing is potentially vulnerable to hackers. Read more about DNA Testing Data Is Disturbingly Vulnerable to Hackers[…]

Currently, the infosec community and former Hansa vendors themselves have spotted two ways in which Dutch authorities are going after former Hansa vendors. Police gain access to Dream accounts via password reuse In the first, Dutch investigators have taken the passwords of vendors who have the same usernames on both the old Hansa Market and Read more about Crooks Reused Passwords on Hansa and Dream, so Dutch Police Hijacked Their Accounts after running Hansa for a month[…]

This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside. In less than 90 minutes, the first cracks Read more about It took DEF CON hackers minutes to pwn these US voting machines[…]

Want to control over 270,000 websites? That’ll be $96 and a handover cockup, please Late Friday, Matthew Bryant noticed an unusual response to some test code he was using to map top-level domains: several of the .io authoritative name servers were available to register. Out of interest, he tried to buy them and was amazed Read more about Bloke takes over every .io domain by snapping up crucial name servers[…]

To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file. Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this. The systemd Read more about Create a user called ‘0day’, get bonus root privs – thanks, Systemd![…]

The Royal Navy’s brand new £3.5bn aircraft carrier HMS Queen Elizabeth is currently* running Windows XP in her flying control room, according to reports. Defence correspondents from The Times and The Guardian, when being given a tour of the carrier’s aft island – the rear of the two towers protruding above the ship’s main deck Read more about HMS QE: Britain’s newest Aircraft Carrier runs Windows XP[…]

The White House debated various options to punish Russia, but facing obstacles and potential risks, it ultimately failed to exact a heavy toll on the Kremlin for its election meddling. Source: Obama’s secret struggle to punish Russia for Putin’s election assault

The Password Reset Man in the Middle (PRMITM) attack exploits the similarity of the registration and password reset processes. To launch such an attack, the attacker only needs to control a website. To entice victims to make an account on the malicious website, the attacker can offer free access to a wanted resource (e.g. free Read more about Password Reset man in the middle attack[…]

A huge trove of voter data, including personal information and voter profiling data on what’s thought to be every registered US voter dating back more than a decade, has been found on an exposed and unsecured server, ZDNet has learned. It’s believed to be the largest ever known exposure of voter information to date. The Read more about Personal data on 198 million voters, including analytics data that suggests who a person is likely to vote for and why, was stored on an unsecured Amazon server.[…]

A security lapse that affected more than 1,000 workers forced one moderator into hiding – and he still lives in constant fear for his safety Source: Revealed: Facebook exposed identities of moderators to suspected terrorists Facebook moderators like him first suspected there was a problem when they started receiving friend requests from people affiliated with Read more about Revealed: Facebook exposed identities of moderators to suspected terrorists[…]

A team of researchers from French company P1 Security has detailed a long list of issues with the 4G VoLTE telephony, a protocol that has become quite popular all over the world in recent years and is currently in use in the US, Asia, and most European countries. […] Researchers say that an attacker on Read more about Hackers Can Spoof Phone Numbers, Track Users via 4G VoLTE Mobile Technology[…]

A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner. A video shows the simplicity of the method. [0] Iris recognition may be barely sufficient to protect a phone Read more about CCC | Chaos Computer Clubs breaks iris recognition system of the Samsung Galaxy S8[…]

Millions of people risk having their devices and systems compromised by malicious subtitles, Check Point researchers revealed today. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or will do so soon. […] By conducting attacks Read more about Malicious Subtitles Threaten Kodi, VLC and Popcorn Time Users[…]

Processes launched under a lightdm guest session are not confined by the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are unconfined. The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command: $ cat /proc/self/attr/current Expected Read more about Ubuntu: Guest session processes are not confined in 16.10[…]

At least tens of thousands, if not millions of medical records of New York patients were until recently readily accessible online to just about anyone who knew how to look. Patient demographic information, social security numbers, records of medical diagnoses and treatments, along with a plethora of other highly-sensitive records were left completely undefended by Read more about Huge Trove of Confidential Medical Records Discovered on Unsecured Server Accessible to Anyone[…]

“An ‘accidental hero’ has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations…” writes The Guardian. An anonymous reader quotes their report: A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a “kill switch” in the malicious software that was Read more about ‘Accidental Hero’ Finds Kill Switch To Stop Wana Decrypt0r Ransomware[…]

The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party software or malware that knows where to look. Swiss cyber-security firm modzero discovered the keylogger on Read more about Keylogger Found in Audio Driver of HP Laptops[…]

“Non tech savvy users will have issues reporting or getting the problem fixed,” he explained. “To regain web access you have to disable Web Shield or disable Avast or uninstall Avast. To fix the issue you have to do a clean install of the latest version of software.” It’s unclear how widespread the problem is. Read more about Avast blocks the entire internet – again[…]

Emmanuel Macron’s digital team responded to cyberattacks with a “cyber-blurring” strategy that involved fake email accounts loaded with false documents. […] “We created false accounts, with false content, as traps. We did this massively, to create the obligation for them to verify, to determine whether it was a real account,” Mr. Mahjoubi said. “I don’t Read more about Macron defeats Russian hackers and puts leakers at a disadvantage[…]

TITSUP: Total Inability To Stand Up Products Loads of people reported that, at around 1245 PT, access to the service went out. Microsoft confirmed shortly after it was having problems, and said it was looking into the matter. Subscribers in New York, Denver, Texas, and Portland, in the US, were, for example, unable to access Read more about Well this is awkward. As Microsoft was bragging about Office at Build, Office 365 went down[…]

Malware has infected backend systems used by Brit high street chain Debenhams – and swiped 26,000 people’s personal information in the process. The cyber-break-in targeted the online portal for the retailer’s florist arm, Debenhams Flowers. Miscreants had access to the internal systems at Ecomnova, the biz that runs the Debenhams Flowers business, for more than Read more about Debenhams Flowers shoppers stung by bank card-stealing tech pest[…]

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined, because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password. This is according to technical analyses published Friday… AMT makes it possible to log into a computer and Read more about Intel chip remote auth fail worse than thought – authentication doesn’t work at all![…]

WikiLeaks isn’t done exposing the CIA’s arsenal of hacking tools used to infiltrate computer systems around the globe. Last month, we told you about Weeping Angel, which targeted select Samsung Smart TVs for surveillance purposes. Today, we’re learning about Archimedes, which attacks computers attached to a Local Area Network (LAN). Although we have no way Read more about WikiLeaks Reveals CIA Man-in-the-Middle LAN Hacking Tool Archimedes[…]