News

Researcher claims extension didn't start out by exfiltrating info... while dev says its actions are 'compliant'

Security boffins at Koi Security have warned of a shift in behavior of a popular Chrome VPN extension, FreeVPN.One, which recently appears to have begun snaffling screenshots of users' page activity and transmitting them to a remote server without their knowledge – and Google has yet to take it down.…

One fetcher bot seen smacking a website with 39,000 requests per minute

Cloud services giant Fastly has released a report claiming AI crawlers are putting a heavy load on the open web, slurping up sites at a rate that accounts for 80 percent of all AI bot traffic, with the remaining 20 percent used by AI fetchers. Bots and fetchers can hit websites hard, demanding data from a single site in thousands of requests per minute.…

Took out all traffic to port 443 at a time Beijing didn't have an obvious need to keep its netizens in the dark

China cut itself off from much of the global internet for just over an hour on Wednesday.…

Redmond doesn't bother informing customers about some security fixes

UPDATED  Microsoft has chosen not to tell customers about a recently patched vulnerability in M365 Copilot.…

Move along, nothing to see here

Amazon has quietly fixed a couple of security issues in its coding agent: Amazon Q Developer VS Code extension. Attackers could use these vulns to leak secrets, including API keys from a developer's machine, and run arbitrary code.…

Snarfing up config files for 'thousands' of devices…just for giggles, we're sure

The FBI and security researchers today warned that Russian government spies exploited a seven-year-old bug in end-of-life Cisco networking devices to snoop around in American critical infrastructure networks and collect information on industrial systems.…

Researchers disclosing their findings said 'it's as bad as it sounds'

Researchers at watchTowr just published working proof-of-concept exploits for two unauthenticated remote code execution bug chains in backup giant Commvault.…

iiNet breach blamed on single stolen login, with emails, phone numbers, and addresses exposed

Aussie telco giant TPG Telecom has opened an investigation after confirming a cyberattack at subsidiary iiNet.…

Burger slinger gets a McRibbing, reacts by firing staffer who helped

A white-hat hacker has discovered a series of critical flaws in McDonald's staff and partner portals that allowed anyone to order free food online, get admin rights to the burger slinger's marketing materials, and could allow an attacker to get a corporate email account with which to conduct a little filet-o-phishing.…

Reconfigure local app settings via a 'simple' POST request

A now-patched flaw in popular AI model runner Ollama allows drive-by attacks in which a miscreant uses a malicious website to remotely target people's personal computers, spy on their local chats, and even control the models the victim's app talks to, in extreme cases by serving poisoned models.…

Intruders hoped no one would notice their presence

Criminals exploiting a critical vulnerability in open source Apache ActiveMQ middleware are fixing the flaw that allowed them access, after establishing persistence on Linux servers.…

Toronto company says weekend cyber raid hit internal IT, not punters' wallets

Canadian casino software slinger Bragg Gaming Group has disclosed a "cybersecurity incident," though it's adamant the intruders never got their hands on customer data.…

Tulsi Gabbard boasts Washington forced Blighty to drop iPhone encryption fight

The UK government has reportedly abandoned its attempt to strong-arm Apple into weakening iPhone encryption after the White House forced Blighty into a quiet climb-down.…

Developer demand for sovereign cloud from tech giant is on the rise, says exec

Interview  Google's President of Customer Experience, Hayete Gallot, offered some words of comfort to developers who are looking nervously at the rise of AI assistants while also laying out her vision for cloud sovereignty.…

CEO says if you buy all your infosec stuff from him, life under assault from bots will be less painful

Brace for a new round of browser wars, according to Palo Alto Networks CEO Nikesh Arora.…

High accuracy scores come from conditions that don't reflect real-world usage

Facial recognition technology has been deployed publicly on the basis of benchmark tests that reflect performance in laboratory settings, but some academics are saying that real-world performance doesn't match up.…

Spy vs spy in the chips

Comment  Chinese state media called the US an aspiring "surveillance empire" over its proposed use of asset tracking tags to crack down on black-market GPU shipments to the Middle Kingdom.…

Supply chain breach has been a major target of legal action

Microsoft-owned talk-to-text outfit Nuance has agreed to cough up $8.5 million to settle a class action lawsuit over the sprawling MOVEit Transfer mega-breach – although it admits no liability.…

HR SaaS giant insists core systems untouched

Workday has admitted that attackers gained access to one of its third-party CRM platforms, but insists its core systems and customer tenants are untouched.…

Sni5Gect research crew targets sweet spot during device / network handshake pause

Security boffins have released an open source tool for poking holes in 5G mobile networks, claiming it can do up- and downlink sniffing and a novel connection downgrade attack - plus "other serious exploits" they're keeping under wraps, for now.…