After finding several security flaws in Intel’s System Guard Extensions (SGX), security researchers have now revealed a flaw in AMD’s Platform Security Processor (PSP) chipset driver that makes it easy for attackers to steal sensitive data from Ryzen-powered systems. On the upside, there’s already patches available from both Microsoft and AMD to shut the exploit. Read more about Millions of AMD PCs affected by new CPU driver flaw need to be patched ASAP[…]

“The expiration of a key digital encryption service on Thursday sent major tech companies nationwide scrambling to deal with internet outages that affected millions of online users,” reports the Washington Examiner. The expiring certificate was issued by Let’s Encrypt — though ZDNet notes there’s been lots of warnings about its pending expiration: Digital Shadows senior Read more about Millions Experience Browser Problems After Long-Anticipated Expiration of IdentTrust DST Root CA X3 SSL Certificate[…]

[…] Should your AirTag-equipped thing not be where you thought it was, you can enable Lost Mode. When in Lost Mode, an AirTag scanned via NFC provides a unique URL which lets the finder get in contact with the loser – and it’s this page where security researcher Bobby Rauch discovered a concerning vulnerability. “An Read more about Unpatched flaw creates ‘weaponised’ Apple AirTags[…]

A flaw in Microsoft’s Autodiscover protocol, used to configure Exchange clients like Outlook, can cause user credentials to leak to miscreants in certain circumstances. The upshot is that your Exchange-connected email client may give away your username and password to a stranger, if the flaw is successfully exploited. In a report scheduled to be published Read more about Microsoft Exchange protocol can leak credentials cleartext[…]

A second leak of personal data was reportedly committed by the Ministry of Defence, raising further questions about the ministry’s commitment to the safety of people in Afghanistan, some of whom are its own former employees. The BBC reported overnight that the details of a further 55 Afghans  – claimed to be candidates for potential relocation Read more about Ministry of Defence: Another huge Afghanistan email blunder[…]

A database containing personal information on 106 million international travelers to Thailand was exposed to the public internet this year, a Brit biz claimed this week. Bob Diachenko, head of cybersecurity research at product-comparison website Comparitech, said the Elasticsearch data store contained visitors’ full names, passport numbers, arrival dates, visa types, residency status, and more. Read more about Database containing 106m Thailand travelers’ details over the past decade leaked[…]

The UK’s Ministry of Defence has launched an internal investigation after committing the classic CC-instead-of-BCC email error – but with the names and contact details of Afghan interpreters trapped in the Taliban-controlled nation. The horrendous data breach took place yesterday, with Defence Secretary Ben Wallace promising an immediate investigation, according to the BBC. Included in Read more about MoD apologises after Afghan interpreters’ personal data exposed (yes the ones still in Afghanistan)[…]

Researchers from Ben-Gurion University have come up with a way to listen in on a speaker from afar by just monitoring the subtle changes in brightness of its power status LED. The Glowworm Attack, as the discovery is called, follows similar research from the university published in 2020 that found an electro-optical sensor paired with Read more about Glowworm Attack Captures Audio From Power LED Light Flickers[…]

QLED-loving thieves, beware: Samsung revealed on Tuesday that its TVs can be remotely disabled if the company finds out they’ve been stolen, so long as the sets in question are connected to the internet. Known as “Samsung TV Block,” the feature was first announced in a press release earlier this month after the company deployed Read more about Samsung Smart TVs Can Be Remotely Disabled[…]

Infosec pros and other technically minded folk have just under a week left to comment on EU plans to introduce new regulations obligating consumer IoT device makers to address online security issues, data protection, privacy and fraud prevention. Draft regulations applying to “internet-connected radio equipment and wearable radio equipment” are open for public comment until Read more about European Commission airs out new IoT device security draft law – interested parties have a week to weigh in[…]

New research shows that misconfigurations of a widely used web tool have led to the leaking of tens of millions of data records. Microsoft’s Power Apps, a popular development platform, allows organizations to quickly create web apps, replete with public facing websites and related backend data management. A lot of governments have used Power Apps Read more about A Misused Microsoft Tool Leaked Data from 47 Organizations[…]

a vulnerability is lurking in numerous types of smart devices—including security cameras, DVRs, and even baby monitors—that could allow an attacker to access live video and audio streams over the internet and even take full control of the gadgets remotely. What’s worse, it’s not limited to a single manufacturer; it shows up in a software Read more about >83 million Web Cams, Baby Monitor Feeds and other IoT devices using Kalay backend Exposed[…]

An announcement by the Cyberspace Administration of China (CAC) said that cyber attacks are currently frequent in the Middle Kingdom, and the security challenges facing critical information infrastructure are severe. The announcement therefore defines infosec regulations and and responsibilities. The CAC referred to critical infrastructure as “the nerve center of economic and social operations and Read more about China orders annual security reviews for all critical information infrastructure operators[…]

[…] computer scientists at Tel Aviv University in Israel say they have discovered a way to bypass a large percentage of facial recognition systems by basically faking your face. The team calls this method the “master face” (like a “master key,” harhar), which uses artificial intelligence technologies to create a facial template—one that can consistently Read more about Researchers Say They’ve Found a ‘Master Face’ to Bypass Face Rec Tech[…]

Analysis of tracking data from Automatic Identification System broadcasts reveals vessel locations have been simulated for a number of ships, including military vessels. This false information could compromise vessel safety, decrease confidence in a crucial collision avoidance system and potentially spark international conflict. Over the years, data analysts working with Global Fishing Watch and SkyTruth Read more about 100s of (war)ships are having their positions falsely reported in AIS[…]

Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) Read more about 16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines[…]

The security shortcoming can be exploited using the wonderfully named PetitPotam technique. It involves abusing Redmond’s MS-EFSRPC (Encrypting File System Remote Protocol) to take over a corporate Windows network. It seems ideal for penetration testers, and miscreants who have gained a foothold in a Windows network. Specifically, security researcher Gilles Lionel found it was possible Read more about You, too, can be a Windows domain controller and do whatever you like, with this trick which requires no authentication at all[…]

Like most Internet-of-things (IoT) devices these days, Amazon’s Echo Dot gives users a way to perform a factory reset so, as the corporate behemoth says, users can “remove any… personal content from the applicable device(s)” before selling or discarding them. But researchers have recently found that the digital bits that remain on these reset devices Read more about Thinking about selling your Echo Dot—or any IoT device? Turns out passwords and other data remain even after a reset[…]

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. (Image credit: Western Digital) Initially, after the Read more about Another Exploit Hits WD My Book Live Owners – wipes could be rival hacker groups fighting for botnet control[…]

Things are not looking good for LinkedIn right now. Just two months after a jaw-dropping 500 million profiles from the networking site were put up for sale on a popular hacker forum, a new posting with 700 million LinkedIn records has appeared. The seller, “GOD User” TomLiner, stated they were in possession of the 700 Read more about 700 Million LinkedIn Records Leaked June 2021 – again[…]

It was a closed source backdoored system. This goes to show that weakening encryption for political reasons and trusting software that can’t be audited independently is a Bad Idea ™ A weakness in the algorithm used to encrypt cellphone data in the 1990s and 2000s allowed hackers to spy on some internet traffic, according to Read more about Bombshell Report Finds Phone Network Encryption Was Deliberately Weakened[…]

Volkswagen says more than 3.3 million customers had their information exposed after one of its vendors left a cache of customer data unsecured on the internet. The car maker said in a letter that the vendor, used by Volkswagen, its subsidiary Audi and authorized dealers in the U.S. and Canada, left the customer data spanning Read more about Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ details[…]