Security/privacy news


EraserheadX


https://www.reddit.com/r/announcements/comments/93qnm5/we_had_a_security_incident_heres_what_you_need_to/

 

Quote

A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords.

 

[...] we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.

 

 


The Untold Story of NotPetya, the Most Devastating Cyberattack in History

 

Nice story; stock up on popcorn and a soft drink, because a wall of text follows.

 

https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/


https://help.quora.com/hc/en-us/articles/360020212652

 

Quote

What kind of user data was affected?

Based on what we have learned, some of our users’ information has been exposed, including:

Account information, e.g. name, email address, encrypted password (hashed with a salt that varies for each user), data imported from linked networks when authorized by users
Public content and actions (e.g. questions, answers, comments, upvotes)
Non-public content and actions (e.g. answer requests, downvotes, direct messages)
Questions and answers that were written anonymously are not affected by this breach as we do not store the identities of people who post anonymous content.

 

So far it appears that data from ~100 million accounts has leaked, including the password. From the description, the passwords do not seem to be encrypted with a particularly strong algorithm; otherwise, logically, they would have made a point of highlighting it.

 

The content at the link above has been updated several times and, for a few hours now, also includes instructions for those who want to delete their account on this occasion...


There are worse cases.

 

A hacker had access for months to the e-mail of members of the Democrats' congressional committee, capturing, as they say, "sensitive information", and they discovered it in April 2018. And the absurd part of the whole affair? They have not told their superiors to this day! The FBI had started an investigation but, as they claim, they did not announce it so that they could find the hacker without him suspecting anything.

 

https://www.politico.com/story/2018/12/04/exclusive-emails-of-top-nrcc-officials-stolen-in-major-2018-hack-1043309


https://www.blog.google/technology/safety-security/expediting-changes-google-plus/

 

Quote

Our testing revealed that a Google+ API was not operating as intended. We fixed the bug promptly and began an investigation into the issue.

Our investigation into the impact of the bug is ongoing, but here is what we have learned so far:

  • We have confirmed that the bug impacted approximately 52.5 million users in connection with a Google+ API.
  • With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
  • In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
  • The bug did not give developers access to information such as financial data, national identification numbers, passwords, or similar data typically used for fraud or identity theft.
  • No third party compromised our systems, and we have no evidence that the developers who inadvertently had this access for six days were aware of it or misused it in any way.

[...]

 

We have also decided to accelerate sunsetting consumer Google+, bringing it forward from August 2019 to April 2019.  We want to give users ample opportunity to transition off of consumer Google+, and over the coming months, we will continue to provide users with additional information, including ways they can safely and securely download and migrate their data.

 


https://signal.org/blog/setback-in-the-outback/

 

Quote

Like many others, we have been following the latest developments in Australia related to the “Assistance and Access” bill with a growing sense of frustration. [...] Attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development.

 

Although we can’t include a backdoor in Signal, the Australian government could attempt to block the service or restrict access to the app itself. Historically, this strategy hasn’t worked very well.

 


https://www.theverge.com/2019/4/13/18309192/microsoft-outlook-email-account-hack-breach-security

 

Quote

Microsoft has started notifying some Outlook.com users that a hacker was able to access accounts for months earlier this year. The software giant discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019. Microsoft says the hackers could have viewed account email addresses, folder names, and subject lines of emails, but not the content of emails or attachments.

 


https://nakedsecurity.sophos.com/2019/05/29/researchers-uncover-smart-padlocks-dumb-security/

Quote

Unfortunately, says Pen Test Partners, the Nokelock and its API also come with some major security flaws that prospective owners might like to know about before they stump up their cash.

Such as the ability to:

  • Unlock the Nokelock within a range of 10m without needing to know anything about the registered account.
  • Discover the owner’s information from the Nokelock database, including the email address and password hash.
  • Discover the lock’s location from its GPS coordinates.
  • Assign the lock to another account, locking owners out of their Nokelock.

 


https://www.zdnet.com/article/cloudflare-google-chrome-and-firefox-add-http3-support/

 

Quote

HTTP/3, the next major iteration of the HTTP protocol, is getting a big boost today with support added in Cloudflare, Google Chrome, and Mozilla Firefox...

HTTP v3 -- or HTTP/3 -- is different from everything that came before it. It's a complete rewrite of HTTP that uses the QUIC protocol instead of TCP, and also comes with built-in TLS (encryption) support...

HTTP/3 is QUIC implemented inside HTTP, replacing TCP and SPDY at the transport level. It was formally approved last October...

 


https://nakedsecurity.sophos.com/2019/10/24/robot-hotel-says-sorry-about-the-buggy-bedside-bots/

Quote

One guy kept getting woken up during his one-night stay because the in-room bot interpreted his loud snoring as a command, causing it to ask, repeatedly…

Sorry, I couldn’t catch that. Could you repeat your request?

 


Since we love proprietary protocols, here is a nice vulnerability in the Cisco Discovery Protocol that affects countless devices:

https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/

Here it is being used to run Doom on IP phones.

 

 

On another topic (to touch on a bit of privacy as well), one might wonder why you need to agree to a privacy policy in order to use a Wacom tablet. The gentleman below had the same question, and with a bit of digging found that they send "back to base" every program you run...

https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/


‘The intelligence coup of the century’ - For decades, the CIA read the encrypted communications of allies and adversaries.

 

Quote

For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret.

 

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.

 

Personal Data of All 6.5 Million Israeli Voters Is Exposed

 

Quote

The website for an election app used by Prime Minister Benjamin Netanyahu’s party made it possible to view full names, addresses, identity card numbers and more.

 

A software flaw exposed the personal data of every eligible voter in Israel — including full names, addresses and identity card numbers for 6.5 million people — raising concerns about identity theft and electoral manipulation, three weeks before the country’s national election.

 

