Items tagged with security

A security researcher has discovered an Apple AirTags vulnerability that can effectively turn an affordable tracker into a cheap phishing lure. This is made possible through the tracker's "Lost Mode," where the intention is that if a user loses their AirTag, they can mark it as missing. Supposing an honest individual comes across the lost tracker, a custom link will send them to a website with the owner's phone number and whatever message they might want to leave. Good intentions can lead to bad deeds, however, and this same feature can be used against people who are trying to do the right thing. In what seems like a glaring oversight on Apple's part, it is entirely possible for an unscrupulous... Read more...
Like many big tech companies including Microsoft and Google, Apple has a bug bounty program that pays big bucks for newly-discovered security vulnerabilities. The fees for confirmed reports of issues range from $25,000 for "limited" unauthorized control of an iCloud account, to a cool million bucks for a zero-click remote chain with full kernel access without requiring user interaction. Of course companies build good will by following through on their promises of payment in these programs. When a researcher feels ignored, however, that can break trust in the program and leave vulnerabilities unpatched and exposed.  In a recent Washington Post article, several security researchers shared... Read more...
Back in June of this year, Hyundai Motor Group acquired a controlling interest in Boston Dynamics, the robotics experts who have put out several entertaining videos highlighting some remarkable robot capabilities (laugh now, cry later when the robot overlords flip the script). One of their more popular creations is Spot, the goodest-of-boys in the robot realm. What is Spot up to these days? Patrolling a Kia plant in South Korea. Hyundai has kicked off a pilot program called "Factory Safety Service Robot," which is based on Spot, the quadruped robot that has seen plenty of action (even in French military exercises). It's basically Spot with a new role and some new tricks, and a special task—patrol... Read more...
Heads up for anyone running an AMD build, there is a new chipset driver update available, and you're going to want to install it. The update patches a vulnerability that could allow a user with low privileges to access uninitialized physical memory pages that potentially contain sensitive information, including passwords. The vulnerability is tracked as CVE-2021-26333. In a security advisory, AMD explained that the flaw resides in the Platform Security Processor (PSP) chipset driver, and recommends either updating through Windows Update (which bumps the PSP driver to 5.17.0.0) or applying a newer chipset driver (version 3.08.17.735 or later). Security researcher Kyriakos Economou discovered the... Read more...
For some, Microsoft's insistence that PCs be equipped with Trusted Platform Module (TPM) 2.0 support is irritating, especially since the company has done a poor job explaining why it is suddenly such a big deal. Installing a virtual machine (VM) won't necessarily escape the requirement, either. As users in the Windows Insider program have discovered, the latest preview build in the beta channel—version 22000.194—enforces the TPM 2.0 requirement. Applying the latest cumulative update in Windows 11 bumps the OS up to the latest preview build. Up to this point, VMs have been able to test Insider builds without issue related to the TPM 2.0 requirement. But hey, today is a new day, and... Read more...
Tired of juggling and trying to remember multiple passwords for different sites and services? Microsoft feels your pain, and more than that, it believes the time has come to leave traditional password input in the past. This is something Microsoft has talked at length about numerous times before, and putting action to words, it announced today that "anyone with a consumer Microsoft account can go completely passwordless!" No, Microsoft is not leaving users exposed to hackers and online miscreants by leaving accounts wide open. Instead, it is nudging account holders to what it says are "more secure and convenient authentication methods," which include Windows Hello, using the Microsoft Authenticator... Read more...
Heads up, Microsoft has issued a patch for what security researchers had dubbed a "highly sophisticated" zero-day vulnerability in Windows that hackers could use to target Office 365 and Office 2019 users. It is available as a standalone release, and also as part of this month's cumulative Patch Tuesday update, which rolled out to PCs yesterday. Tracked as CVE-2021-40444, the zero-day flaw is described as a Microsoft MSHTML remote code execution vulnerability. Prior to releasing the patch, Microsoft said it was aware of targeted attacks against potential victims, by way of specially crafted Microsoft Office documents. "An attacker could craft a malicious ActiveX control to be used by a Microsoft... Read more...
Have you updated your Chrome browser lately? Assuming you use Chrome, now would be a good time to force the issue, as the latest update brings with it patches for nearly a dozen security flaws, including a pair of zero-day vulnerabilities that Google says are actively being exploited in the wild. So, yeah, take two seconds to update your browser. The latest Chrome release for Windows, Mac, and Linux is 93.0.4577.82. Chrome does a good job of updating itself, and in this case, Google says the latest version will roll out to PCs over the coming days and weeks. You don't necessarily have to wait, however; you can have Chrome manually fetch the update right now. To do that, click... Read more...
On the eve of its big iPhone 13 unveil, Apple was forced to issue a new software update for its iPhone, iPad, and Mac product lines. As a result, iOS 14.8 and iPadOS 14.8 are now available for the iPhone and iPad, respectively, while Apple issued macOS 11.6 for Macs. One of the driving factors behind the release of the software updates is a so-called "zero-click" security exploit developed by NSO Group. Citizen Lab has labeled the exploit FORCEDENTRY, and it uses iMessage as an attack vector. Victims were sent files with a .gif extension through iMessage that were actually "maliciously crafted" PDF files that could result in arbitrary code execution. FORCEDENTRY is so dangerous because it's considered... Read more...
Security researchers say they discovered and reported to Microsoft a "highly sophisticated" zero-day attack vector in Windows that targets Office 365 and Office 2019 users. In some cases, simply opening an infected document would be enough to compromise a PC. Furthermore, there does not yet exist a patch, though one is on the way. In a Twitter post, cybersecurity outfit EXPMON said it notified Microsoft of the flaw on Sunday and has been "working tirelessly over the holiday weekend to protect users." EXPMON also said it was able to reproduce the attack method on a typical user environment. Microsoft released a security bulletin (CVE-2021-40444) saying it is investigating the situation, and... Read more...
When it comes to the convergence of convenience and technology, Bluetooth is right up there with the advent of USB, which is why there are billions of devices that support the wireless standard. Frighteningly, they could all be at risk of more than a dozen vulnerabilities discovered by security researchers Matheus E. Garbelini, Sudipta Chattopadhyay, Vaibhav Bedi, Sumei Sun, and Ernest Kurniawan. The researchers outlined 16 Bluetooth vulnerabilities found on 13 system-on-chip boards from nearly a dozen vendors, including Intel and Qualcomm. Those are just the ones they specifically looked at—they believe the vulnerabilities affect more than 1,400 Bluetooth chips, potentially exposing billions... Read more...
Hidden cameras in a private space, such as a bedroom or bathroom in an unfamiliar place like an Airbnb or other rental property, are a nightmare for most people. However, hacker and cybersecurity researcher Marcus Hutchins, better known as MalwareTech, posted a short video to TikTok explaining how to detect hidden cameras within an Airbnb or hotel. Using his simple tricks along with some of our own, it is easy to keep your privacy at home and away. Earlier this week, Hutchins posted a short video explaining “How to find hidden cameras in AirBnBs” as part of his TikTok Q&A series. The first tip Hutchins mentions in this video is that you should keep an eye out for devices... Read more...
Getting fired from a job is something that many people have dealt with at some point and can be devastating emotionally and financially. Some people take being fired in stride and move on to the next venture, while others go off the deep end with violence or other criminal acts. Such is the case of Juliana Barile, an employee for a New York Credit Union working remotely due to COVID-19 restrictions. She had access to credit union systems via her work-issued username and password. Although her dismissal details weren’t provided in court documents [PDF], Barile was fired on May 19th, 2021. At that time, someone should have revoked her access to credit union systems, but this action was not taken... Read more...
Security researchers have discovered a side-channel vulnerability in a similar vein to Meltdown, except this one is present in AMD's processors. AMD confirmed the finding, and has offered guidance to software developers, saying they should take precautions to avoid leaving the security hole open to attackers (suggesting this is not something AMD can simply patch out via firmware). Ever since Spectre and Meltdown made waves a few years ago, additional side-channel exploits have been discovered, with varying degrees of complexity. In all reality, many of these techniques are not cause for panic for the typical user, especially with different mitigations that have been rolled out (both by CPU makers... Read more...
T-Mobile came under fire after a recent data breach exposed the private data of nearly 50 million customers. Shortly after the attack was made public, T-Mobile issued a boilerplate public response confirming many of the incident's details. "We take our customers' protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack," said T-Mobile in a post to its website last week. "While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve." Now, CEO... Read more...
Researchers at a cybersecurity firm headquartered in Israel say they recently alerted Microsoft to a startling vulnerability in its Azure Cosmos DB database service. Multiple flaws could allow an attacker to "gain complete unrestricted access" to accounts and databases of several thousand companies, including Fortune 500 outfits like Coca-Cola, Exxon-Mobil, Citrix, and more. The researchers have dubbed the vulnerability #ChaosDB, noting that it consists of a series of flaws that effectively create a loophole for any user to access a customer's data. This flaw left more than 3,300 companies exposed to potential hacks, whereby a malicious actor (or anyone) could "download, delete, or manipulate"... Read more...
We often cover vulnerabilities in Windows 10 that involve convoluted methods of gaining admin access to systems using privilege escalation. However, the latest exploit involving software for Razer products is facepalm-worthy in its sheer simplicity. In this case, the problem stems from Razer's Synapse software, which configures its peripherals like gaming mice and keyboards. This software can adjust macros, program mouse buttons, and control your RGB lighting. However, security researcher jonhat revealed via Twitter that an unscrupulous person with a Razer mouse or keyboard could gain SYSTEM access to a Windows 10 (or Windows 11) PC simply by plugging the device into the target PC. Need... Read more...
Earlier this week, it was alleged that T-Mobile suffered a devastating data breach that resulted in the leak of personal data from over 100 million customers. Today, T-Mobile confirmed the breach, but the number of affected individuals is less than half of what was previously reported. The confirmed 47 million records is still a significant number, as it represents nearly half of the 104 million customers that T-Mobile claimed during its Q2 2021 earning report. "Yesterday, we were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals," said T-Mobile in a statement posted to its website. "We also began coordination with law enforcement as our forensic investigation... Read more...
T-Mobile is now investigating a massive customer data breach claim that could affect up to 100 million users. The leak, which appeared on a leak and database selling forum on Saturday, claimed to have 30 million unique social security numbers and driver's license information. In the samples provided, it also appears that birthdates, phone numbers, state, and zip codes are included. The asking price for these records began at a whopping 6 Bitcoin (~$277K), but has since dropped to only $200 for everything. After the data was checked, Vice reached out to the alleged data thief, who explained that the data was "T-Mobile USA. Full customer info." It was also mentioned that the remaining 70... Read more...
Following call center company Teleperformance allegedly forcing employees to undergo AI camera surveillance, Amazon wants to monitor its own customer service employees. Soon, Amazon could use a system that captures all workers' keystrokes to run behavioral analysis and prevent malicious hackers or imposters from stealing data. In a confidential document acquired by Motherboard, Amazon reports that there have been several cases of customer data being accessed around the world. India ranks at the top of the list, with 120 security incidents, followed by the Philippines with just under 70, and the U.S. with approximately 40 security incidents. While each of these incidents are not explained,... Read more...
Not everything has to be high-tech to perform dastardly deeds these days, and the same is true of malware. However, malware can slip by conventional security solutions using some email tricks and social engineering and still infect end-users, as Microsoft reports. This Tuesday, the Microsoft Security Intelligence reported on Twitter that several “active email campaigns that use BazarLoader to deliver a wide range of payloads” are being tracked. These campaigns have been found to use some interesting techniques to get around what Microsoft describes as “conventional email security solutions and best practices.” The first reported campaign is called “BazaCall,”... Read more...
Hey, good news, in case you missed it—Microsoft earlier this week announced it has completed its investigation of an annoyingly persistent printer exploit, and issued a series of patches to get rid of the problem. Ready for the bad news? Another similar security vulnerability has reared its ugly head, and Microsoft doesn't have a patch for it just yet. This latest vulnerability is another so-called PrintNightmare bug. These affect the Windows Print Spooler service, and if exploited, an attacker could run malicious code on an affected system with advanced privileges, or wreak other kinds of havoc (like deleting or altering files). That's obviously not a good thing. "A remote code execution... Read more...