News

Trio claim database queries can lead to remote code execution

Black Hat Asia  A trio of researchers at Palo Alto Networks has detailed vulnerabilities in the JET database engine, and demonstrated how those flaws can be exploited to ultimately execute malicious code on systems running Microsoft’s SQL Server and Internet Information Services web server.…

Nearly 4 million to be exact, say researchers

Researchers at security biz Qualys discovered 21 vulnerabilities in Exim, a popular mail server, which can be chained to obtain "a full remote unauthenticated code execution and gain root privileges on the Exim Server."…

'Was a Mailchimp sub too hard?!' asks Reg reader

A local authority in East London has committed a classic privacy blunder by emailing what appear to be thousands of residents – while forgetting to use the BCC field and exposing all of the email addresseses to each recipient.…

Used the GitHub Codecov Action? Credentials may have been pilfered

Cloud comms platform Twilio has confirmed its private GitHub repositories were cloned after it became the latest casualty of the compromised credential-stealing Codecov script.…

Majority aren't GDPR compliant and Google Play categorises them badly, leading to lax practices

Hundreds of millions of women turn to fertility apps to conceive or prevent pregnancy, and according to a new study those apps may leak very personal information including miscarriages, abortions, sexual history, potential infertility and pregnancy.…

Five vulnerabilities lay undetected for almost a dozen years in Windows driver code

Dell desktops, laptops, and tablets built since 2009 and running Windows can be exploited to grant rogue users and malware system-administrator-level access to the computers. We're told this amounts of hundreds of millions of machines that can be completely hijacked.…

More goodies for OpenShift, plus Konveyor to Kubernetes in association with IBM

Kubecon Europe  As Kubecon Europe gets under way, Red Hat has pushed out StackRox, the Kubernetes security product it acquired earlier this year, as an open-source project which will be the upstream for its Advanced Cluster Security for OpenShift.…

Plus: Micro-op CPU caches abused to leak data, and more

In Brief  Apple on Monday patched security flaws in its software said to have been exploited in the wild by miscreants to hijack gear.…

Act gives government powers to scrutinise, alter, and block transactions where there is a risk to national security

In a move akin to calling the fire brigade after your house has burned down, the UK government today announced the passage of a bill that would afford it powers to intervene in potentially hostile direct investment.…

AI infosec start-up avoids same opening day peril as Deliveroo

British AI-powered security startup Darktrace has enjoyed a bumper IPO Friday as its shares climbed 40 per cent on its London Stock Exchange debut.…

By eight they should be telling you not to upload geo-tagged photos of them in school uniform

Australia has decided that six-year-old children need education on cyber-security, even as it removes other material from the national curriculum.…

'RotaJakiro' now on infosec world's radar, its impact has yet to be determined

Chinese security outfit Qihoo 360 Netlab on Wednesday said it has identified Linux backdoor malware that has remained undetected for a number of years.…

Integer overflows leave IoT, OT, medical gear vulnerable to heap-seeking missiles

Microsoft has taken a look at memory management code used in a wide range of equipment, from industrial control systems to healthcare gear, and found it can be potentially exploited to hijack devices.…

Plus: Browser sends Google's FLoC straight to the blacklist

The latest release of Chromium-based browser Vivaldi has extended ad blocking to handle cookie warning dialogs and sent a shot across the bows of Google's ad technology, FLoC.…

Biggest data protection case for years teeters on brink

Google has urged the UK's Supreme Court to throw out a £3bn lawsuit brought by an ex-Which director over secretly planted tracking cookies on devices running Safari, on the grounds that local law doesn’t allow for opt-out class action lawsuits.…

No, not the US government's task force ... the other one

The Institute for Security and Technology's Ransomware Task Force (RTF) on Thursday published an 81-page report presenting policy makers with 48 recommendations to disrupt the ransomware business and mitigate the effect of such attacks.…

New starter or mid-career switcher? Here’s where to start

Promo  Cyber attackers are a diverse lot. They can strike from anywhere in the world, and may be motivated by greed, politics, status, or pure malevolence. And their techniques range from the dazzlingly sophisticated to the frankly crude, technically speaking.…

First that IPO and now this

Digital Ocean on Wednesday said someone was able to snoop on some of its cloud subscribers' billing information via a now-patched vulnerability.…

Hasn't stopped the trains, though

Brit railway company Merseyrail is understood to have suffered a ransomware attack – and the crooks responsible reportedly pwned a director's Office 365 account to email employees and journalists about it.…

Transport minister confirms use of the NHS app for just that when citizens travel abroad

With Minister for the Cabinet Office Michael Gove expected to announce app-based "COVID status certificates", the UK's post-lockdown plan looks set to come under fierce attack.…