On April 14, MacKeeper security researcher Chris Vickery discovered another misconfigured MongoDB, but this time the database contained the full names, addresses, birth dates and voter registration numbers for every Mexican voter. The database containing personal information on 93.4 million Mexican voters was hosted on an Amazon cloud server with “no password or any authentication of any sort” to protect it. And it had been publicly accessible since September 2015, according to Salted Hash’s Steve Ragan, although it is unknown how many people besides Vickery accessed the records.
The secret backdoor in Juniper firewalls which automatically decrypted VPN traffic has been compared to “stealing a master key to get into any government building.” The security hole, which existed for at least three years, was publicly announced in December. The whodunit for installing the backdoor is still unknown, but some people believe it was repackaged from a tool originally created by the NSA.
A coalition including the New York Police Department and Manhattan District Attorney Cyrus Vance launched an anti-encryption campaign along with a hashtag of #UnlockJustice because “crime victims are entitled to stronger protections than criminals.” “The debate over encryption is often referred to in terms of privacy and security, with little regard for the impact on crime victims,” the press release stated. The Manhattan DA complained about the 230 inaccessible Apple devices running iOS 8 or higher that it can’t unlock and how unfair encryption and “warrant-proof” devices are to crime victims. Companies, according to Vance, should not be permitted “to provide criminals with unprecedented, evidence-free zones.”
If you think that making up a bogus name or using a fake age on a profile actually makes you harder to link to your profiles on other sites, then think again, as researchers have determined how to use location data to link users across domains. You also should not be comforted when you learn that big data has been stripped of names and personal details; researchers say it is “no guarantee of privacy.” Columbia University computer science researchers Chris Riederer, Yunsung Kim, and Augustin Chaintreau, along with Google researchers Nitish Korula and Silvio Lattanzi, combined their considerable brain power to come up with an algorithm that only needs location data from two apps to identify someone. The researchers recently presented their paper, “Linking Users Across Domains with Location Data: Theory and Validation” (pdf), at the 25th International World Wide Web Conference.
The hacker responsible for bringing pwnage pain to the Hacking Team last July has published an in-depth “DIY guide” for how he pulled it off. It’s a detailed, really great read. The hacker is none other than Phineas Fisher; he runs the @GammaGroupPR Twitter account, now referred to as “Hack Back,” and previously leaked FinFisher spyware documents, including details like which antivirus solutions could detect Gamma International’s surveillance malware.
There’s a storm brewing on the SmartThings forums, as the SmartThings community suffered a big loss when community developer Bruce Ravenel announced his decision to pull Rule Machine. In the SmartThings app you can set up “routines” and add “actions” such as turning all the lights on, opening garage doors, unlocking doors and setting the thermostat. If you wanted those devices to be smarter and interact with other apps, then IFTTT lets people set up If This Then That recipes. But Rule Machine added another level of “smart” to smart devices. As was explained on the HA (Home Automation) Forums, Rule Machine is “like IFTTT but with an extra ‘This.’ If This and This, then do an action.”
For April 2016 Patch Tuesday, Microsoft released 13 security bulletins, with six rated as critical for remote code execution flaws and the patch for Badlock among those rated only as important.

Critical

MS16-037 is the cumulative fix for Internet Explorer. While most of the vulnerabilities being patched have not been publicly disclosed, the DLL loading RCE bug has been.

MS16-038 is the monthly cumulative security update for Microsoft’s Edge browser to stop attackers from achieving RCE when a user visits a specially crafted webpage via Edge. The patch modifies how Edge handles objects in memory, as well as ensuring cross-domain policies are properly enforced.
There’s nothing particularly new about new products being shipped with malware, but if you are in the market for surveillance cameras and are looking for a good deal, then a security researcher warned that even products sold on Amazon can come with embedded malware. Security researcher Mike Olsen found a decent deal on an outdoor surveillance CCTV setup, specifically six Sony HD IP cameras and recording equipment, which are being sold on Amazon by a seller with “great ratings.”
Where is IoT going in the long run? To cash in on the treasure trove of “everything it knows about you,” data collected over the long term, at least according to a post on Medium about the “dirty little secret” of the Internet of Things. A company can only sell so many devices, but still needs to make money, so the article suggests the “sinister” reason why companies “want to internet-connect your entire house” is to collect every little bit of data about you and turn it into profit. Although the post was likely inspired in part by the continued fallout of Nest’s decision to brick Revolv hubs, there could be an IoT company eventually looking for a way to monetize “if you listen to music while having sex.”
Oh man, what a shame: Italy’s Hacking Team had its global export license revoked, and now it can’t sell its spyware outside of Europe without getting special approval. It’s not even been a year since the Hacking Team became the Hacked Team, but after being pwned the company apparently didn’t crawl off and die. The Hacking Team’s newest woes, which were first reported by the Italian newspaper Il Fatto Quotidiano, mean the company can’t easily conduct business as usual by selling its Remote Control Software to just anyone who wants it.
Professors Dominik Schürmann and Lars Wolf of TU Braunschweig’s Institute for Operating Systems and Computer Networks are warning about a “Surreptitious Sharing” vulnerability which is present in many Android communication apps. Their pre-published research paper, Surreptitious Sharing on Android (pdf), is to be presented at the security conference GI Sicherheit 2016.
There are a lot of things coming out of Microsoft’s BUILD conference, but here are three.

Bash coming to Windows 10

There are now 270 million monthly active devices running Windows 10, and some of the people behind those machines surely use Linux as well. After Microsoft rolls out the Windows 10 “Anniversary” update this summer, those folks can have the “real” Bash shell in Windows. First you would need to turn on Developer Mode in Windows settings and download the Bash shell from the Windows Store, but then you open the Start menu and type “bash” to open cmd.exe running Ubuntu’s /bin/bash, explained Dustin Kirkland, part of Canonical’s Ubuntu product and strategy team. Then you have “full access to all of Ubuntu user space.”