Last November, The Verge discovered that Anker, the maker of popular USB chargers and the Eufy line of “smart” cameras, had a bit of a security issue. Despite the fact the company advertised its Eufy cameras as having “end-to-end” military-grade encryption, security researcher Paul Moore and a hacker named Wasabi found it was pretty easy to intercept Read more about It Took Months For Anker To Finally Admit Its Eufy Cameras Weren’t Really Secure[…]

European police arrested 42 suspects and seized guns, drugs and millions in cash, after cracking another encrypted online messaging service used by criminals, Dutch law enforcement said Friday. Police launched raids on 79 premises in Belgium, Germany and the Netherlands following an investigation that started back in September 2020 and led to the shutting down Read more about European Police Arrest 42 After Cracking another Covert comms App: Exclu[…]

Officials are still trying to figure out exactly what led to the Federal Aviation Administration system outage on Wednesday but have traced it to a corrupt file, which was first reported by CNN. In a statement late Wednesday, the FAA said it was continuing to investigate the outage and “take all needed steps to prevent Read more about Corrupt NOTAM database file and backup led to the FAA ground stoppage.[…]

Citizen, the provocative crime-reporting app formerly known as Vigilante, is in the news again for all the wrong reasons. On Thursday evening, it doxxed singer Billie Eilish, publishing her address to thousands of people after an alleged burglary at her home. Shortly after the break-in, the app notified users of a break-in in Los Angeles’ Read more about Citizen’s volunteer ‘safety’ app accidentally doxxes singer Billie Eilish[…]

Multiple bugs affecting millions of vehicles from almost all major car brands could allow miscreants to perform any manner of mischief — in some cases including full takeovers —  by exploiting vulnerabilities in the vehicles’ telematic systems, automotive APIs and supporting infrastructure, according to security researchers. Specifically, the vulnerabilities affect Mercedes-Benz, BMW, Rolls Royce, Ferrari, Read more about Connected car security is very poor – fortunately they do actually take it seriously, fix bugs quickly[…]

[…] According to the class action complaint filed in a Massachusetts court, names, usernames, billing addresses, email addresses, telephone numbers, and even the IP addresses used to access the service were all made available to wrongdoers. The final straw in the hat could have been the leak of customers’ unencrypted vault data, which includes all Read more about LastPass is being sued following major cyberattack[…]

The FBI is warning the public that cyber criminals are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information. […] Cyber criminals purchase advertisements that appear within internet search results using a domain that is similar to an actual Read more about FBI warns of fake shopping sites – recommends to use an ad blocker[…]

In keeping with our commitment to transparency, I wanted to inform you of a security incident that our team is currently investigating.  We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo. We immediately launched an investigation, engaged Mandiant, a leading security firm, Read more about LastPass breached again[…]

[…] Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. By compromising and replaying a token issued to an identity that has already completed multifactor authentication, the threat actor satisfies the validation of MFA and access is granted to organizational resources accordingly. This poses Read more about Token tactics: How to prevent, detect, and respond to cloud token theft[…]

[…] If an attacker inserts their own SIM into a target’s Android, then enters the wrong SIM PIN three times, they can enter their SIM’s PUK to be able to create a new SIM PIN. Once they do, they bypass the lock screen entirely and access the phone. You can watch the hypothetical attack play Read more about Fix the Android Security Flaw That Lets Anyone Unlock Your Phone[…]

Today we are excited to release Shufflecake, a tool aimed at helping people whose freedom of expression is threatened by repressive authorities or dangerous criminal organizations, in particular: whistleblowers, investigative journalists, and activists for human rights in oppressive regimes. Shufflecake is FLOSS (Free/Libre, Open Source Software). Source code in C is available and released under Read more about Introducing Shufflecake: plausible deniability for multiple hidden filesystems on Linux[…]

More than two dozen Lenovo notebook models are vulnerable to malicious hacks that disable the UEFI secure-boot process and then run unsigned UEFI apps or load bootloaders that permanently backdoor a device, researchers warned on Wednesday. At the same time that researchers from security firm ESET disclosed the vulnerabilities, the notebook maker released security updates Read more about Lenovo driver goof poses security risk for users of 25 notebook models[…]

Western security advisers are warning delegates at the COP27 climate summit not to download the host Egyptian government’s official smartphone app, amid fears it could be used to hack their private emails, texts and even voice conversations. […] The potential vulnerability from the Android app, which has been downloaded thousands of times and provides a Read more about Egypt’s COP27 summit app can read your emails and encrypted messages, scan your device, send your location[…]

Pharmaceutical giant AstraZeneca has blamed “user error” for leaving a list of credentials online for more than a year that exposed access to sensitive patient data. Mossab Hussein, chief security officer at cybersecurity startup SpiderSilk, told TechCrunch that a developer left the credentials for an AstraZeneca internal server on code sharing site GitHub in 2021. Read more about AstraZeneca puts username and password on Github, exposes patient data in test environment for a year[…]

We present Wi-Peep – a new location-revealing privacy attack on non-cooperative Wi-Fi devices. Wi-Peep exploits loopholes in the 802.11 protocol to elicit responses from Wi-Fi devices on a network that we do not have access to. It then uses a novel time-of-flight measurement scheme to locate these devices. Wi-Peep works without any hardware or software Read more about Wi-Peep drone locates all your wifi devices and maps them in your home, can tell if your watch is moving around[…]

The United Kingdom’s National Cyber Security Centre (NCSC), the government agency that leads the country’s cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK’s vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture. “These activities cover any Read more about British govt is scanning all Internet devices hosted in UK[…]

The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. The miscreant then repeatedly tried to log into the contractor’s Uber account, triggering the two-factor login approval request that the contractor initially denied, blocking access. However, eventually the contractor accepted one of Read more about Multi-factor authentication bombing fatigue can blow open security[…]

Amazon didn’t protect one of its internal servers, allowing anyone to view a database named “Sauron” which was full of Prime Video viewing habits. As TechCrunch reports(Opens in a new window), the unprotected Elasticsearch database was discovered by security researcher Anurag Sen(Opens in a new window). Contained within the database, which anyone who knew the Read more about Whoops! Amazon Left Prime Video DB with viewing habits (Named ‘Sauron’) Unprotected – yup Elasticsearch[…]

The Cybernews research team found that Thomson Reuters left at least three of its databases accessible for anyone to look at. One of the open instances, the 3TB public-facing ElasticSearch database, contains a trove of sensitive, up-to-date information from across the company’s platforms. The company recognized the issue and fixed it immediately. Thomson Reuters provides Read more about Thomson Reuters leaked at least 3TB of sensitive data – yes, open elasticsearch instances[…]

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties. Advocate Aurora Health (AAH) reported the potential breach to the US government’s Health and Human Services. As well as millions of patients, Read more about Advocate Aurora Health leaks 3 million patient’s data to big tech through webtracker installation[…]

For almost a decade, the US Central Intelligence Agency communicated with informants abroad using a network of websites with hidden communications capabilities. The idea being: informants could use secret features within innocent-looking sites to quietly pass back information to American agents. So poorly were these 885 front websites designed, though, according to security research group Read more about CIA betrayed informants with shoddy covert comms websites[…]