As much as 38 percent of the Internet’s domain name lookup servers are vulnerable to a new attack that allows hackers to send victims to maliciously spoofed addresses masquerading as legitimate domains, like bankofamerica.com or gmail.com. The exploit, unveiled in research presented today, revives the DNS cache-poisoning attack that researcher Dan Kaminsky disclosed in 2008. Read more about Linux has a serious security problem that once again enables DNS cache poisoning using ICMP / ping information[…]

If there’s one thing we learned it’s that no one learns anything. Here’s the top 9 Source: Top 200 Most Common Password List 2021 | NordPass

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. These cookies.sqlite databases normally reside in the Firefox profiles folder. They’re used to store cookies between browsing sessions. And they’re findable by searching GitHub with specific query parameters, what’s known as a search Read more about Thousands of Firefox users accidentally commit login cookies on GitHub[…]

The EU is at it again. Recently Mozilla put out a position paper highlighting the latest dangerous move by busybody EU regulators who seem to think that they can magically regulate the internet without (1) understanding it, or (2) bothering to talk to people who do understand it. The issue is the Digital Identity Framework, Read more about EU’s Latest Internet Regulatory Madness: Destroying Internet Security With Its Digital Identity Framework[…]

it’s also one of the few apps that offer end-to-end encryption by default. This means that no one other than you the other party can read your conversations. Even WhatsApp can’t read your conversations because it doesn’t have the key to un-encrypt your chats. This was all true, except for one scenario: WhatsApp chats backed Read more about Why You Should Encrypt Your WhatsApp Backups in iCloud[…]

Rowhammer exploits that allow unprivileged attackers to change or corrupt data stored in vulnerable memory chips are now possible on virtually all DDR4 modules due to a new approach that neuters defenses chip manufacturers added to make their wares more resistant to such attacks. Rowhammer attacks work by accessing—or hammering—physical rows inside vulnerable chips millions Read more about DDR4 memory protections are broken wide open by new Rowhammer technique[…]

Intel has disclosed two high-severity vulnerabilities that affect a wide range of Intel processor families, allowing threat actors and malware to gain higher privilege levels on the device. The flaws were discovered by SentinelOne and are tracked as CVE-2021-0157 and CVE-2021-0158, and both have a CVSS v3 score of 8.2 (high). The former concerns the Read more about High severity BIOS flaws affect numerous Intel processors[…]

[…] Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked. The key to protecting your digital life is to make it as Read more about Securing your digital life, part one: The basics[…]

[…] In a paper titled, The Security Risk of Lacking Compiler Protection in WebAssembly, distributed via ArXiv, the technical trio say that when a C program is compiled to WASM, it may lack anti-exploit defenses that the programmer takes for granted on native architectures. The reason for this, they explain, is that security protections available Read more about Code compiled to WASM may lack standard security defenses[…]

Surveillance software developer NSO Group may have a very tough road ahead. The US Commerce Department has added NSO to its Entity List, effectively banning trade with the firm. The move bars American companies from doing business with NSO unless they receive explicit permission. That’s unlikely, too, when the rule doesn’t allow license exceptions for Read more about US bans trade with security firm NSO Group over Pegasus spyware[…]

The wait is over. It’s now possible to encrypt your WhatsApp chat history on both Android and iOS, Facebook CEO Mark Zuckerberg announced on Thursday. The company plans to roll out the feature slowly to ensure it can deliver a consistent and reliable experience to all users. However, once you can access the feature, it Read more about WhatsApp begins rolling out end-to-end encryption for chat backups[…]

If you have an iPhone, and your friends mostly have iPhones, you probably use Apple’s Messages app to communicate with them. That’s the nature of things. And aside from the platform’s convenience and ubiquity, one of the iMessage platform’s selling points is that its end-to-end encryption should theoretically ensure that only you and those you Read more about How Apple Can Read Your Encrypted iMessages[…]

The Telegraph newspaper managed to leak 10TB of subscriber data and server logs after leaving an Elasticsearch cluster unsecured for most of September, according to the researcher who found it online. The blunder was uncovered by well-known security researcher Bob Diachenko, who said that the cluster had been freely accessible “without a password or any Read more about Telegraph newspaper exposes 10TB of server, user data online[…]

After finding several security flaws in Intel’s System Guard Extensions (SGX), security researchers have now revealed a flaw in AMD’s Platform Security Processor (PSP) chipset driver that makes it easy for attackers to steal sensitive data from Ryzen-powered systems. On the upside, there’s already patches available from both Microsoft and AMD to shut the exploit. Read more about Millions of AMD PCs affected by new CPU driver flaw need to be patched ASAP[…]

“The expiration of a key digital encryption service on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users,” reports the Washington Examiner. The expiring certificate was issued by Let’s Encrypt — though ZDNet notes there’s been lots of warnings about its pending expiration: Digital Shadows senior Read more about Millions Experience Browser Problems After Long-Anticipated Expiration of IdentTrust DST Root CA X3 SSL Certificate[…]

[…] Should your AirTag-equipped thing not be where you thought it was, you can enable Lost Mode. When in Lost Mode, an AirTag scanned via NFC provides a unique URL which lets the finder get in contact with the loser – and it’s this page where security researcher Bobby Rauch discovered a concerning vulnerability. “An Read more about Unpatched flaw creates ‘weaponised’ Apple AirTags[…]

A flaw in Microsoft’s Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances. The upshot is that your Exchange-connected email client may give away your username and password to a stranger, if the flaw is successfully exploited. In a report scheduled to be published Read more about Microsoft Exchange protocol can leak credentials cleartext[…]

A second leak of personal data was reportedly committed by the Ministry of Defence, raising further questions about the ministry’s commitment to the safety of people in Afghanistan, some of whom are its own former employees. The BBC reported overnight that the details of a further 55 Afghans  – claimed to be candidates for potential relocation Read more about Ministry of Defence: Another huge Afghanistan email blunder[…]

A database containing personal information on 106 million international travelers to Thailand was exposed to the public internet this year, a Brit biz claimed this week. Bob Diachenko, head of cybersecurity research at product-comparison website Comparitech, said the Elasticsearch data store contained visitors’ full names, passport numbers, arrival dates, visa types, residency status, and more. Read more about Database containing 106m Thailand travelers’ details over the past decade leaked[…]

The UK’s Ministry of Defence has launched an internal investigation after committing the classic CC-instead-of-BCC email error – but with the names and contact details of Afghan interpreters trapped in the Taliban-controlled nation. The horrendous data breach took place yesterday, with Defence Secretary Ben Wallace promising an immediate investigation, according to the BBC. Included in Read more about MoD apologises after Afghan interpreters’ personal data exposed (yes the ones still in Afghanistan)[…]

Researchers from Ben-Gurion University have come up with a way to listen in on a speaker from afar by just monitoring the subtle changes in brightness of its power status LED. The Glowworm Attack, as the discovery is called, follows similar research from the university published in 2020 that found an electro-optical sensor paired with Read more about Glowworm Attack Captures Audio From Power LED Light Flickers[…]

QLED-loving thieves, beware: Samsung revealed on Tuesday that its TVs can be remotely disabled if the company finds out they’ve been stolen, so long as the sets in question are connected to the internet. Known as “Samsung TV Block,” the feature was first announced in a press release earlier this month after the company deployed Read more about Samsung Smart TVs Can Be Remotely Disabled[…]

Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention. Draft regulations applying to “internet-connected radio equipment and wearable radio equipment” are open for public comment until Read more about European Commission airs out new IoT device security draft law – interested parties have a week to weigh in[…]

New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records. Microsoft’s Power Apps, a popular development platform, allows organizations to quickly create web apps, replete with public facing websites and related backend data management. A lot of governments have used Power Apps Read more about A Misused Microsoft Tool Leaked Data from 47 Organizations[…]