Quibi, JetBlue, Wish, others accused of leaking millions of email addresses to ad orgs via HTTP referer headers

The Register - Thu, 30/04/2020 - 23:48
From URL to UR-Hell

Short-video biz Quibi, airline JetBlue, shopping site Wish, and several other companies leaked millions of people's email addresses to ad-tracking and analytics firms through HTTP request headers, it is claimed.…
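The mechanism behind that claim is mundane: once an email address lands in a page's URL (for instance in an account-verification or newsletter link), the browser repeats that URL in the Referer header of every third-party request the page makes, unless a Referrer-Policy says otherwise. The following Python is an added illustration, not code from the article or from any of the companies named; the retailer URL, tracker URL and the email address are constructed. It implements the referrer-policy rules a browser applies and checks what a tracker would see under each.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Rough email matcher for the leak check; it runs on decoded query values.
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.I)


def _host(p):
    return (p.hostname or "") + (f":{p.port}" if p.port else "")


def _full(url):
    """Referer value browsers send: scheme, host, path and query; no fragment/userinfo."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"


def _same_origin(a, b):
    return _origin(a) == _origin(b)


def _downgrade(a, b):
    return urlsplit(a).scheme == "https" and urlsplit(b).scheme == "http"


def referer_for(referrer, target, policy="no-referrer-when-downgrade"):
    """Return the Referer header a browser sends for a request from `referrer`
    to `target` under the named Referrer-Policy, or None if nothing is sent.
    The default mirrors the long-standing browser default that leaks the full URL."""
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _full(referrer)
    if policy == "no-referrer-when-downgrade":
        return None if _downgrade(referrer, target) else _full(referrer)
    if policy == "origin":
        return _origin(referrer)
    if policy == "strict-origin":
        return None if _downgrade(referrer, target) else _origin(referrer)
    if policy == "same-origin":
        return _full(referrer) if _same_origin(referrer, target) else None
    if policy == "origin-when-cross-origin":
        return _full(referrer) if _same_origin(referrer, target) else _origin(referrer)
    if policy == "strict-origin-when-cross-origin":
        if _same_origin(referrer, target):
            return _full(referrer)
        return None if _downgrade(referrer, target) else _origin(referrer)
    raise ValueError(f"unknown Referrer-Policy: {policy}")


def leaked_emails(referer_value):
    """Email addresses a third party could read out of a received Referer header."""
    if not referer_value:
        return []
    p = urlsplit(referer_value)
    found = EMAIL_RE.findall(p.path)
    for _, value in parse_qsl(p.query, keep_blank_values=True):
        found += EMAIL_RE.findall(value)
    return found


# Constructed sample: a first-party page that put the user's email in its URL,
# a tracking pixel on another origin, and a same-origin asset for comparison.
PAGE = "https://www.example-retailer.test/account/verify?email=alice%40example.test&token=abc123"
TRACKER = "https://tracker.example-ads.test/pixel.gif"
SAME_ORIGIN_ASSET = "https://www.example-retailer.test/static/logo.png"

if __name__ == "__main__":
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        sent = referer_for(PAGE, TRACKER, policy)
        print(f"{policy:32} -> {sent!r}  leaked={leaked_emails(sent)}")
```

Under the old default policy the tracker receives the whole URL, email included; `strict-origin-when-cross-origin` (today's browser default, and a sensible value to set explicitly via the `Referrer-Policy` header) reduces it to the bare origin for cross-origin requests while same-origin requests still get the full path. The more robust fix is to keep email addresses out of URLs altogether, since the Referer header is only one of the places a URL ends up (logs, analytics, browser history).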

Categories: News

Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now

The Register - Thu, 30/04/2020 - 12:35
'The impact is full remote command execution as root on both master and all minions'

The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. A patch for the issues was released last night, but systems that are not set to auto-update may still be vulnerable.…

Categories: News

In trying times like these, it's reassuring to know you can still get pwned five different ways by Adobe Illustrator files

The Register - Thu, 30/04/2020 - 06:12
Make sure you update your software with these critical fixes

Adobe has emitted fixes for multiple remote code execution holes in Illustrator and its Bridge code.…

Categories: News

Academics demand answers from NHS over potential data timebomb ticking inside new UK contact-tracing app

The Register - Wed, 29/04/2020 - 15:48
Slurp everyone's details and you create a hugely valuable hacker target

A group of nearly 175 UK academics has criticised the NHS's planned COVID-19 contact-tracing app for a design choice they say could endanger users by creating a centralised store of sensitive health and travel data about them.…

Categories: News

ProtonMail-run website boasting 'complete guide' to GDPR left credential-baring .git repo exposed online

The Register - Wed, 29/04/2020 - 10:00
Ooo, double irony!

An EU-sponsored GDPR advice website run by Proton Technologies had a vulnerability that let anyone clone it and extract a MySQL database username and password.…

Categories: News

San Francisco trial of Russian bloke extradited and accused of hacking LinkedIn, Dropbox, Formspring stalls again amid pandemic lockdown

The Register - Tue, 28/04/2020 - 23:22
Case that has rumbled on since 2016 may have to be started again from scratch

The man accused of hacking LinkedIn, Dropbox and the Formspring Q&A forum, and later selling the stolen data of hundreds of millions of users, has seen his trial disrupted a third time by the coronavirus pandemic.…

Categories: News

Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard

The Register - Tue, 28/04/2020 - 11:46
Democratising mass surveillance, one snafu at a time

Exclusive: In a blunder described as "astonishing and worrying," Sheffield City Council's automatic number-plate recognition (ANPR) system exposed to the internet 8.6 million records of road journeys made by thousands of people, The Register can reveal.…

Categories: News

We're going on a vuln hunt. We're going to catch a big one: Researchers find Windows bugs dominate – but fixes are fast

The Register - Tue, 28/04/2020 - 09:18
'The average Windows 10 PC has 14 weaponized bugs'

A study of vulnerabilities - bugs that can be a gateway for malware or allow privilege escalation by an intruder - shows that Windows platforms have the most by far, but that they also tend to be fixed quickly, compared to Linux systems or appliances like routers, printers and scanners.…

Categories: News

UK snubs Apple-Google coronavirus app API, insists on British control of data, promises to protect privacy

The Register - Tue, 28/04/2020 - 07:19
Why do it at all? Easier to audit and adapt, apparently

Analysis: The UK has decided to break with growing international consensus and insist its upcoming coronavirus contact-tracing app is run through centralised British servers – rather than follow the decentralised Apple-Google approach.…

Categories: News

Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks

The Register - Tue, 28/04/2020 - 03:34
Phone model recorded, unique ID infrequently refreshed – but Atlassian's Mike Cannon-Brookes says use it, and two million peeps agree

The design of Australia’s COVIDSafe contact-tracing app creates some unintended surveillance opportunities, according to a group of four security pros who unpacked its .APK file.…

Categories: News

We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit

The Register - Mon, 27/04/2020 - 09:20
Proof-of-concept vuln patched a week ago

A vulnerability existed in Microsoft's Slack for Suits tool, Teams, that could have let a remote attacker take over accounts by simply sending a malicious GIF, infosec researchers claim.…

Categories: News

Apple and Google tweak key bits of contact-tracing privacy plan

The Register - Mon, 27/04/2020 - 08:45
As European nations back decentralised plan that leaves data on the device until users call in sick

Apple and Google have revealed a little more about their plans to support COVID-19 contact-tracing apps and changed up some of their security plans.…

Categories: News

Rabobank security cert expires and gives its Australian Android app a case of internet-blindness

The Register - Mon, 27/04/2020 - 01:56
Needs bank staff to sort things out, but a certain virus means the contact centre is rather busy right now

Rabobank’s Australian outpost has messed up its Android app, leaving an unknown number of users unable to access their bank accounts on mobile devices.…

Categories: News

Australia’s contact-tracing app regulation avoids ‘woolly' principles in comparable cyber-laws, say lawyers

The Register - Mon, 27/04/2020 - 01:01
COVIDSafe application lands for Android, iOS – sans source code

Australia has released its promised COVID-19 contact-tracing app.…

Categories: News

Sophos XG firewalls hacked, hotfix ready. Texts wreck Apple iThings. Yup, business as usual in infosec world

The Register - Sun, 26/04/2020 - 13:04
Plus Office 2016, 2019 patches – and a barn-load of other security bits and bytes

Roundup: It's time to dig in to another Register security roundup.…

Categories: News

NSO Group can't claim immunity, Facebook attorneys insist - time to face the music in top-level spyware case

The Register - Fri, 24/04/2020 - 22:05
States can claim immunity, contractors can't, social biz argues

Attorneys for Facebook and its WhatsApp subsidiary have challenged a plea from spyware maker NSO Group, which argues it has immunity from prosecution, to dismiss the high-level hacking case the two sides are fighting out.…

Categories: News

Canada's .ca overlord rolls out free privacy-protecting DNS-over-HTTPS service for folks in Great White North

The Register - Thu, 23/04/2020 - 23:42
CIRA launches Canadian Shield to protect Canadians' privacy and security online, free of charge

The organization that oversees .CA domains, among other important internet functions, is rolling out a free Canada-wide DNS-over-HTTPS service to protect people's privacy.…

Categories: News

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps

The Register - Thu, 23/04/2020 - 11:06
Static analyzer proves its worth with discovery of null-pointer error

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win – it snared an exploitable flaw in OpenSSL.…

Categories: News

Why should the UK pensions watchdog be able to spy on your internet activities? Same reason as the Environment Agency and many more

The Register - Thu, 23/04/2020 - 08:33
Extraordinary surveillance powers set to be injected into govt orgs

It has been called the “most extreme surveillance in the history of Western democracy.” It has not once but twice been found to be illegal. It sparked the largest ever protest of senior lawyers who called it “not fit for purpose.”…

Categories: News

Get your free work-from-home IT security awareness training kit, courtesy of SANS

The Register - Thu, 23/04/2020 - 08:00
Focus, train and engage your remote teams to stay safe, gratis

Promo: As toilet paper stocks begin to recover, we all figure out the sweet spot for our government-mandated daily walk or trot, and fence off sections of our homes from our significant others for "me time," it's time to begin the next phase of social isolation: adjusting sensibly to our environment with an actual plan.…

Categories: News
