Flaw in popular PDF creation library enabled remote code execution

By Danny Bradbury. A security researcher has discovered a high-severity bug in a popular PHP library that could enable attackers to run remote code on web servers. The researcher, who calls himself Polict, discovered another way to exploit a bug in the PHP programming language that was originally reported at Black Hat in 2018.

New BitLocker attack puts laptops storing sensitive data at risk

A security researcher has come up with a new method of extracting BitLocker encryption keys from a computer's Trusted Platform Module (TPM) that only requires a $27 FPGA board and some open-sourced code.

A Deep Dive on the Recent Widespread DNS Hijacking Attacks — Krebs on Security

Talos said the perpetrators of DNSpionage were able to steal email and other login credentials from a number of government and private sector entities in Lebanon and the United Arab Emirates by hijacking the DNS servers for these targets, so that all email and virtual private networking (VPN) traffic was redirected to an Internet address controlled by the attackers.

As Phones Get Harder to Hack, Zero Day Vendors Hunt for Router Exploits

On Thursday, Crowdfense, a company that buys zero day exploits from researchers and then sells them to government agencies, announced it is now offering a total of $15 million to hackers who have particular exploits for sale.

From hard drive to over-heard drive: Boffins convert spinning rust into eavesdropping mic

"These unintentional microphones sense speech with high enough fidelity for the Shazam service to recognize a song recorded through the hard drive." The team's research work, scheduled to be presented in May at the 2019 IEEE Symposium on Security and Privacy, explores how it's possible to alter HDD firmware to measure the offset of a disk drive's read/write head from the center of the track it's seeking.

Smart Ski Helmet Headphone Flaws Leak Personal, GPS Data

A rash of security flaws in the Outdoor Tech CHIPS smart headphones, which fit in ski helmets, allow bad actors to collect data like emails, passwords, GPS location – and even listen to conversations in real time.

Hijacking WhatsApp without Hacking

Not only can curious people like me read these, displaying the full content of messages on your lock screen can lead to your instant messaging accounts being hijacked. Of course, this will only work if the CEO’s phone displays incoming messages on the lock screen.

Ring Doorbell Flaw Opens Door to Spying

A serious flaw in the popular Ring smart doorbell could allow an attacker on a shared WiFi network to spy on families’ video and audio footage, according to researchers.

High-Severity SHAREit App Flaws Open Files for the Taking

“We wanted to give as many people as we can the time to update and patch their devices before disclosing such critical vulnerability.” The flaws, which could be exploited by an attacker on a shared WiFi network, have a CVSS 3.0 score of 8.2, meaning they are high-severity, researchers told Threatpost.

Flaws in 4G and 5G can lead to spying on location and calls, researchers find

Attack works by making several calls

In the paper, the researchers outline an attack called Torpedo, which can be used to determine whether a device is in a certain location. The attack exploits an issue in how devices send “paging” information when calls or texts are received.

What are Data Manipulation Attacks, and How to Mitigate Against Them

The ability of attackers to manipulate and shift data around is a real threat – one that could cause widespread financial and even physical harm as a result – if done successfully.

Mitigating Against Data Manipulation Attacks

To combat these types of attacks, organizations need to ensure they have endpoint visibility on their IT systems.

How Do I Know If My Email Has Been Leaked in a Data Breach?

Since most people still recycle versions of their passwords, once one of them is released in a data leak, it could mean that all of your online accounts are compromised thanks to bad password hygiene.

New flaws in 4G, 5G allow attackers to intercept calls and track phone locations

“Any person with a little knowledge of cellular paging protocols can carry out this attack… such as phone call interception, location tracking, or targeted phishing attacks.” (Syed Rafiul Hussain, Purdue University)

The paper, seen by TechCrunch prior to the talk, details the attacks: the first is Torpedo, which exploits a weakness in the paging protocol that carriers use to notify a phone before a call or text message comes through.

Once hailed as unhackable, blockchains are now getting hacked

A blockchain protocol is a set of rules that dictate how the computers in the network, called nodes, should verify new transactions and add them to the database.

NIST Round 2 and Post-Quantum Cryptography (part 1)

This means that a breakdown of the asymmetric session at the beginning of the connection leads to the attacker being able to read the secret key for AES, which breaks the encryption for the rest of the connection.

The 5G Protocol May Still Be Vulnerable to IMSI Catchers

A number of fantastic papers explore vulnerabilities in 2G, 3G, and 4G which are potentially the same ones exploited by commercial CSSs. The upcoming 5G protocol for cellular communications promised many improvements over the current 4G standard, including a claim that it would protect mobile users from cell-site simulators.

DHS: Multiple US gov domains hit in serious DNS hijacking wave

The DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued the directive on Tuesday, 12 days after security firm FireEye warned of an unprecedented wave of ongoing attacks that altered the domain name system records belonging to telecoms, ISPs, and government agencies.

Massive 'Fortnite' security hole allowed hackers to take over accounts, eavesdrop on chats

By Variety LOS ANGELES — "Fortnite" players were exposed to hackers who could control their accounts, purchase in-game items through their credit cards, and drop into in-game chats posing as the hacked player, cybersecurity firm Check Point Software Technologies discovered in November.

How Attackers Can Use Radio Signals and Mobile Phones to Steal Protected Data

"The people who are doing that are getting a lot of money and are doing that [full time]." Dubbed "AirHopper" by the researchers at Cyber Security Labs at Ben Gurion University, the proof-of-concept technique allows hackers and spies to surreptitiously siphon passwords and other data from an infected computer using radio signals generated and transmitted by the computer and received by a mobile phone.

You Should Set Up haveibeenpwned Alerts For Your Entire Organization Right Now

John signs up with his work email address to the recruiting website and uses the same password that he uses for his Active Directory account on your organization’s network.

Another government system breached; 75,000 people affected

Apple CEO Tim Cook told BuzzFeed that Bloomberg needs to do the “right thing and retract” the story about Chinese spies managing to implant a malicious backdoor chip in a Super Micro motherboard server used by Apple.

SQLite bug impacts thousands of apps, including all Chromium-based browsers

This means that Chromium-based browsers like Google Chrome, Vivaldi, Opera, and Brave, are all affected. "We successfully exploited Google Home with this vulnerability," the Tencent Blade team said in a security advisory this week.

These GPS watches put children’s lives at risk, researcher warns

As one researcher has discovered, kids’ watches based on a specific API are seriously vulnerable to remote attacks, and could help bad actors trick children into a trap.

How to improve security when using IoT or Smart Home devices

With the advent of the Internet of Things (IoT) and Smart Home devices, our environments are becoming more connected; however, this comes with the compromise of security. So what is the best way to secure your network when using IoT or Smart Home devices?

Popular browsers made to cough up browsing history

One of the visited-link attacks – CVE-2018-6137, a bug in Chrome 67 that Google fixed in June – peeled off user browsing history at the rate of 3,000 URLs per second.

The Titan M Chip Powers Up Pixel 3 Security

In order to use it to protect keys, that’s a reasonable thing to do, but you know there’s still going to be the risk of attacks like Spectre, Meltdown, and Rowhammer,” says Will Drewry, principal software engineer at Google, referring to prominent examples of pernicious hardware-based attacks.

Buggy software in popular connected storage drives can let hackers read private data

The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested — NetGear Stora, Seagate Home and Medion LifeCloud — can allow an attacker to remotely read, change and delete data without requiring a password.

Whonix and Tor Limitations

For example, it is poor operational security to use the same Whonix-Workstation to check email via Tor, while simultaneously publishing an anonymous document. If a user selects a new entry and exit relay each time the Tor network is used, the attacker can correlate all traffic sent with a probability of (c/n)^2.

Hackers Pilfered Sensitive Data From Over 30 Million Facebook Accounts, Extensive Private Info On More Than 14 Million

Over 30 million users have been impacted by the hack, with over 14 million people at risk of continued serious privacy invasions, and Facebook has no plans to provide any protections to the users affected by lax security and over-collection of personal data.

Google: Apple, your sneaky iPhone patching is endangering users

A Google Project Zero researcher has published a macOS exploit to demonstrate that Apple is exposing its users to security risks by patching serious flaws in iOS but not revealing the fact until it fixes the same bugs in macOS a week later.
