Flaw in popular PDF creation library enabled remote code execution

Flaw in popular PDF creation library enabled remote code execution

Danny Bradbury A security researcher has discovered a high-severity bug in a popular PHP library that could enable attackers to run remote code on web servers. The researcher, who calls himself Polict, discovered another way to exploit a bug in the PHP programming language that was originally reported at Black Hat in 2018.

Law enforcement needs to protect citizens and their data

Law enforcement needs to protect citizens and their data

While the bill includes limited restrictions on law enforcement requests, the vague definitions and concentrated authorities give the Australian government sweeping powers that ultimately undermine the security and privacy of the very citizens they aim to protect.

Now-Patched Google Photos Vulnerability Let Hackers Track Your Friends and Location History

Now-Patched Google Photos Vulnerability Let Hackers Track Your Friends and Location History

If the search time took longer than the baseline, I could assume the query returned results and thus infer that the current user visited Iceland. So by adding a date to the search query, I could check if the photo was taken in a specific time range.

New BitLocker attack puts laptops storing sensitive data at risk

New BitLocker attack puts laptops storing sensitive data at risk

Image: Denis Andzakovic A security researcher has come up with a new method of extracting BitLocker encryption keys from a computer's Trusted Platform Module (TPM) that only requires a $27 FPGA board and some open-sourced code.

A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

Data breach in Michigan may have exposed personal, medical information of 600,000 people

Data breach in Michigan may have exposed personal, medical information of 600,000 people

The business that hackers targeted, Wolverine Solutions Group, a health care company that partners with health plans and hospital systems, said that it has begun notifying clients whose information was compromised by the breach.

As Phones Get Harder to Hack, Zero Day Vendors Hunt for Router Exploits

As Phones Get Harder to Hack, Zero Day Vendors Hunt for Router Exploits

Image: Seth Laupus/Motherboard On Thursday, Crowdfense, a company that buys zero day exploits from researchers and then sells them to government agencies, announced it is now offering a total of $15 million to hackers who have particular exploits for sale.

From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic

From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic

"These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive." The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy , explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking.

Smart Ski Helmet Headphone Flaws Leak Personal, GPS Data

Smart Ski Helmet Headphone Flaws Leak Personal, GPS Data

A rash of security flaws in the Outdoor Tech CHIPS smart headphones, which fit in ski helmets, allow bad actors to collect data like emails, passwords, GPS location – and even listen to conversations in real time.

Hijacking WhatsApp without Hacking

Hijacking WhatsApp without Hacking

Not only can curious people like me read these, displaying the full content of messages on your lock screen can lead to your instant messaging accounts being hijacked. Of course, this will only work if the CEO’s phone displays incoming messages on the lock screen.

Ring Doorbell Flaw Opens Door to Spying

Ring Doorbell Flaw Opens Door to Spying

A serious flaw in the popular Ring smart doorbell could allow an attacker on a shared WiFi network to spy on families’ video and audio footage, according to researchers.

Ultrasound Tracking Could Be Used to Deanonymize Tor Users

Ultrasound Tracking Could Be Used to Deanonymize Tor Users

In tests carried out by Mavroudis, the researcher has intercepted some of the traffic these ultrasound beacons trigger on behalf of the phone, traffic which contains details such as the user's real IP address, geo-location coordinates, telephone number, Android ID, IMEI code, and device MAC address.

High-Severity SHAREit App Flaws Open Files for the Taking

High-Severity SHAREit App Flaws Open Files for the Taking

“We wanted to give as many people as we can the time to update and patch their devices before disclosing such critical vulnerability.” The flaws, which could be exploited by an attacker on a shared WiFi network, have a CVSS 3.0 score of 8.2, meaning they are high-severity, researchers told Threatpost.

Flaws in 4G and 5G can lead to spying on location and calls, researchers find

Flaws in 4G and 5G can lead to spying on location and calls, researchers find

Attack works by making several calls In the paper, the researchers outline an attack called Torpedo, which can be used to determine whether a device is in a certain location. The attack exploits an issue in how devices send “paging” information when calls or texts are received.

What are Data Manipulation Attacks, and How to Mitigate Against Them

What are Data Manipulation Attacks, and How to Mitigate Against Them

The ability of attackers to manipulate and shift data around is a real threat – one that could cause widespread financial and even physical harm as a result – if done successfully. Mitigating Against Data Manipulation Attacks To combat these types of attacks, organizations need to ensure they have endpoint visibility on their IT systems.

How Do I Know If My Email Has Been Leaked in a Data Breach?

How Do I Know If My Email Has Been Leaked in a Data Breach?

Since most people still recycle versions of their passwords, once one of them is released in a data leak, it could mean that all of your online accounts are compromised thanks to bad password hygiene .

New flaws in 4G, 5G allow attackers to intercept calls and track phone locations

New flaws in 4G, 5G allow attackers to intercept calls and track phone locations

“Any person with a little knowledge of cellular paging protocols can carry out this attack… such as phone call interception, location tracking, or targeted phishing attacks.” Syed Rafiul Hussain, Purdue University The paper, seen by TechCrunch prior to the talk, details the attacks: the first is Torpedo, which exploits a weakness in the paging protocol that carriers use to notify a phone before a call or text message comes through.

Once hailed as unhackable, blockchains are now getting hacked

Once hailed as unhackable, blockchains are now getting hacked

A blockchain protocol is a set of rules that dictate how the computers in the network, called nodes , should verify new transactions and add them to the database.

Australia’s government and political parties hit by cyber attack from ‘sophisticated state actor’

Australia’s government and political parties hit by cyber attack from ‘sophisticated state actor’

Reportedly, the incident sports “the digital fingerprints of China” but there remains the possibility that the attack was framed to look like it originated from China. The national government was attacked in 2015 by a “foreign government” (later named as China) that reportedly used computers at the Bureau of Meteorology as its entry point.

Tails report for January, 2019

The month started with this questions: But after the release of Tails 3.12, the hottest topics were: Our infrastructure was targeted by a distributed denial-of-service (DDoS) attack that caused a couple of temporary outages.

NIST Round 2 and Post-Quantum Cryptography (part 1)

NIST Round 2 and Post-Quantum Cryptography (part 1)

This means that a breakdown of the asymmetric session at the beginning of the connection, leads to the attacker being able to read the secret key for AES, which breaks the encryption for the rest of the connection.

The 5G Protocol May Still Be Vulnerable to IMSI Catchers

The 5G Protocol May Still Be Vulnerable to IMSI Catchers

A number of fantastic papers explore vulnerabilities in 2G , 3G , and 4G which are potentially the same ones exploited by commercial CSSs. The upcoming 5G protocol for cellular communications promised many improvements over the current 4G standard, including a claim that it would protect mobile users from cell-site simulators.

DHS: Multiple US gov domains hit in serious DNS hijacking wave

DHS: Multiple US gov domains hit in serious DNS hijacking wave

Further Reading A DNS hijacking wave is targeting companies at an almost unprecedented scale The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued the directive on Tuesday, 12 days after security firm FireEye warned of an unprecedented wave of ongoing attacks that altered the domain name system records belonging to telecoms, ISPs, and government agencies.

Massive 'Fortnite' security hole allowed hackers to take over accounts, eavesdrop on chats

Massive 'Fortnite' security hole allowed hackers to take over accounts, eavesdrop on chats

By Variety LOS ANGELES — "Fortnite" players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

Reminder: All those “smart” devices are a growing security threat

Reminder: All those “smart” devices are a growing security threat

But those very same devices, many of which have no real security protections, are also becoming part of what are called “botnets,” vast networks of tiny computers vulnerable to hijacking by hackers.

How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data

How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data

"The people who are doing that are getting a lot of money and are doing that [full time]." Dubbed "AirHopper" by the researchers at Cyber Security Labs at Ben Gurion University , the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone.

German politicians targeted in 'mass hack attack'

German politicians targeted in 'mass hack attack'

These are external links and will open in a new window These are external links and will open in a new window Image copyright Getty Images Image caption Many of those targeted are MPs in Germany's Bundestag Hundreds of German politicians including Chancellor Angela Merkel have had personal details hacked and published online, reports say.

You Should Set Up haveibeenpwned Alerts For Your Entire Organization Right Now

You Should Set Up haveibeenpwned Alerts For Your Entire Organization Right Now

John signs up with his work email address to the recruiting website and uses the same password that he uses for his Active Directory account on your organization’s network.

Cybersecurity and human rights

Cybersecurity and human rights

In addition, should the drafted bill pass, INCD will have access to computers and the authority to collect and process information, all in the name of identifying cybersecurity infiltrators.

Another government system breached; 75,000 people affected

Another government system breached; 75,000 people affected

Apple CEO Tim Cook told BuzzFeed that Bloomberg needs to do the “right thing and retract” the story about Chinese spies managing to implant a malicious backdoor chip in a Super Micro motherboard server used by Apple.

More