Nearly every AMD CPU since 2017 vulnerable to Inception bug

AMD processor users, you have another data-leaking vulnerability to deal with: like Zenbleed, this latest hole can be to steal sensitive data from a running vulnerable machine. The flaw (CVE-2023-20569), dubbed Inception in reference to the Christopher Nolan flick about manipulating a person’s dreams to achieve a desired outcome in the real world, was disclosed Read more about Nearly every AMD CPU since 2017 vulnerable to Inception bug[…]

AI listens to keyboards on video conferences – decodes passwords

[…] a new paper from the UK that shows how researchers trained an AI to decode keystrokes from noise on conference calls. The researchers point out that people don’t expect sound-based exploits. The paper reads, “For example, when typing a password, people will regularly hide their screen but will do little to obfuscate their keyboard’s Read more about AI listens to keyboards on video conferences – decodes passwords[…]

Microsoft Comes Under Blistering Criticism For ‘Grossly Irresponsible’ Azure Security

An anonymous reader quotes a report from Ars Technica: Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.” The comments from Amit Yoran, chairman and Read more about Microsoft Comes Under Blistering Criticism For ‘Grossly Irresponsible’ Azure Security[…]

Cult of Dead Cow hacktivists design distributed encryption system for mobile apps

Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won’t keep hold of users’ personal data. The group, Cult of the Dead Cow, has developed Read more about Cult of Dead Cow hacktivists design distributed encryption system for mobile apps[…]

Android phones can now tell you if there’s an AirTag following you

When Google announced that trackers would be able to tie in to its 3 billion-device Bluetooth tracking network at its Google I/O 2023 conference, it also said that it would make it easier for people to avoid being tracked by trackers they don’t know about, like Apple AirTags. Now Android users will soon get these Read more about Android phones can now tell you if there’s an AirTag following you[…]

Firmware vulnerabilities in millions of servers could give hackers superuser status

[…] The vulnerabilities reside inside firmware that Duluth, Georgia-based AMI makes for BMCs (baseboard management controllers). These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control Read more about Firmware vulnerabilities in millions of servers could give hackers superuser status[…]

Google Urges Gmail Users to Enable ‘Enhanced Safe Browsing’ for Faster, More Proactive Protection – but also takes screenshots of your browsing habits

The Washington Post’s “Tech Friend” newsletter has the latest on Google’s “Enhanced Safe Browsing” for Chrome and Gmail, which “monitors the web addresses of sites that you visit and compares them to constantly updated Google databases of suspected scam sites.” You’ll see a red warning screen if Google believes you’re on a website that is, Read more about Google Urges Gmail Users to Enable ‘Enhanced Safe Browsing’ for Faster, More Proactive Protection – but also takes screenshots of your browsing habits[…]

TETRA Military and Police Radio Code Encryption Has a Flaw: A built in Backdoor

For more than 25 years, a technology used for critical data and voice radio communications around the world has been shrouded in secrecy to prevent anyone from closely scrutinizing its security properties for vulnerabilities […] The backdoor, known for years by vendors that sold the technology but not necessarily by customers, exists in an encryption Read more about TETRA Military and Police Radio Code Encryption Has a Flaw: A built in Backdoor[…]

AMD ‘Zenbleed’ bug allows Meltdown-like data leakage

AMD has started issuing some patches for its processors affected by a serious silicon-level bug dubbed Zenbleed that can be exploited by rogue users and malware to steal passwords, cryptographic keys, and other secrets from software running on a vulnerable system. Zenbleed affects Ryzen and Epyc Zen 2 chips, and can be abused to swipe Read more about AMD ‘Zenbleed’ bug allows Meltdown-like data leakage[…]

VanMoof ebike should be bricked if servers go down – fortunately security is so bad a rival has an app to allow you to unlock it

[…] an app is required to use many of the smart features of its bikes – and that app relies on communication with VanMoof servers. If the company goes under, and the servers go offline, that could leave ebike owners unable to even unlock their bikes […] While unlocking is activated by Bluetooth when your Read more about VanMoof ebike should be bricked if servers go down – fortunately security is so bad a rival has an app to allow you to unlock it[…]

Brave to stop websites from port scanning visitors – wait that hasn’t been done by everyone yet?!

The Brave browser will take action against websites that snoop on visitors by scanning their open Internet ports or accessing other network resources that can expose personal information. Starting in version 1.54, Brave will automatically block website port scanning, a practice that a surprisingly large number of sites were found engaging in a few years Read more about Brave to stop websites from port scanning visitors – wait that hasn’t been done by everyone yet?![…]

JP Morgan “accidentally” deletes 47 million comms records related to Chase bank

JP Morgan has been fined $4 million by America’s securities watchdog, the SEC, for deleting millions of email records dating from 2018 relating to its Chase Bank subsidiary. The financial services giant apparently deleted somewhere in the region of 47 million electronic communications records from about 8,700 electronic mailboxes covering the period January 1 through Read more about JP Morgan “accidentally” deletes 47 million comms records related to Chase bank[…]

Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor for updates

[…] Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they’ve discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, […] the hidden code is meant to be an innocuous tool to keep the motherboard’s firmware updated, researchers found that it’s implemented insecurely, potentially allowing the mechanism to be Read more about Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor for updates[…]

Fake scientific papers are alarmingly common and becoming more so

When neuropsychologist Bernhard Sabel put his new fake-paper detector to work, he was “shocked” by what it found. After screening some 5000 papers, he estimates up to 34% of neuroscience papers published in 2020 were likely made up or plagiarized; in medicine, the figure was 24%. Both numbers, which he and colleagues report in a Read more about Fake scientific papers are alarmingly common and becoming more so[…]

WhatsApp, Signal Threaten to Leave UK Over ‘Online Safety Bill’ – which wants big brother reading all your messages. So online snooping bill, really.

Meta’s WhatsApp is threatening to leave the UK if the government passes the Online Safety Bill, saying it will essentially eliminate its encryption methods. Alongside its rival company Signal and five other apps, the company said that, by passing the bill, users will no longer be protected by end-to-end encryption, which ensures no one but Read more about WhatsApp, Signal Threaten to Leave UK Over ‘Online Safety Bill’ – which wants big brother reading all your messages. So online snooping bill, really.[…]

International Partners Publish Secure-by-Design and -Default Principles and Approaches   Guide – but don’t link to guide in press release

 The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand (CERT NZ, NCSC-NZ ) published today “Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default.” This joint guidance urges Read more about International Partners Publish Secure-by-Design and -Default Principles and Approaches   Guide – but don’t link to guide in press release[…]

Disabling Intel and AMD’s Backdoors On Modern computers

Despite some companies making strides with ARM, for the most part, the desktop and laptop space is still dominated by x86 machines. For all their advantages, they have a glaring flaw for anyone concerned with privacy or security in the form of a hardware backdoor that can access virtually any part of the computer even Read more about Disabling Intel and AMD’s Backdoors On Modern computers[…]

Google debuts deps.dev API to check security status of dependencies

[…] On Tuesday, Google – which has answered the government’s call to secure the software supply chain with initiatives like the Open Source Vulnerabilities (OSV) database and Software Bills of Materials (SBOMs) – announced an open source software vetting service, its deps.dev API. The API, accessible in a more limited form via the web, aims Read more about Google debuts deps.dev API to check security status of dependencies[…]

Google’s free Assured Open Source Software service hits GA

About a year ago, Google announced its Assured Open Source Software (Assured OSS) service, a service that helps developers defend against supply chain security attacks by regularly scanning and analyzing for vulnerabilities some of the world’s most popular software libraries. Today, Google is launching Assured OSS into general availability with support for well over a Read more about Google’s free Assured Open Source Software service hits GA[…]

Google announces GUAC open source project on software supply chains

Google unveiled a new open source security project on Thursday centered around software supply chain management. Given the acronym GUAC – which stands for Graph for Understanding Artifact Composition – the project is focused on creating sets of data about a software’s build, security and dependency. Google worked with Purdue University, Citibank and supply chain Read more about Google announces GUAC open source project on software supply chains[…]

Microsoft’s new Security Copilot will help network admins respond to threats in minutes, not day

[…] with Microsoft’s unveiling of the new Security Copilot AI at its inaugural Microsoft Secure event. The automated enterprise-grade security system is powered by OpenAI’s GPT-4, runs on the Azure infrastructure and promises admins the ability “to move at the speed and scale of AI.” Security Copilot is similar to the large language model (LLM) Read more about Microsoft’s new Security Copilot will help network admins respond to threats in minutes, not day[…]

GitHub.com rotates its exposed private SSH key

GitHub has rotated its private SSH key for GitHub.com after the secret was was accidentally published in a public GitHub repository. The software development and version control service says, the private RSA key was only “briefly” exposed, but that it took action out of “an abundance of caution.” Unclear window of exposure In a succinct blog post published today, GitHub acknowledged discovering this Read more about GitHub.com rotates its exposed private SSH key[…]

Planting Undetectable Backdoors in Machine Learning Models

[…] We show how a malicious learner can plant an undetectable backdoor into a classifier. On the surface, such a backdoored classifier behaves normally, but in reality, the learner maintains a mechanism for changing the classification of any input, with only a slight perturbation. Importantly, without the appropriate “backdoor key,” the mechanism is hidden and Read more about Planting Undetectable Backdoors in Machine Learning Models[…]

Whistleblowers Take Note: Don’t Trust Cropping Tools – you can often uncrop them

[…] It is, in fact, possible to uncrop images and documents across a variety of work-related computer apps. Among the suites that include the ability are Google Workspace, Microsoft Office, and Adobe Acrobat. Being able to uncrop images and documents poses risks for sources who may be under the impression that cropped materials don’t contain Read more about Whistleblowers Take Note: Don’t Trust Cropping Tools – you can often uncrop them[…]

DNA Diagnostics Center DCC Forgot About 2.1m Clients’ Data, Leaked It

A prominent DNA testing firm has settled a pair of lawsuits with the attorney generals of Pennsylvania and Ohio after a 2021 episode that saw cybercriminals steal data on 2.1 million people, including the social security numbers of 45,000 customers from both states. As a result of the lawsuits, the company in question, DNA Diagnostics Center Read more about DNA Diagnostics Center DCC Forgot About 2.1m Clients’ Data, Leaked It[…]