
Tag Archives: vulnerability

Multiple Arcserve® Zero-Day Vulnerabilities Disclosed by Digital…

Digital Defense, Inc., a leading security technology and services provider, today announced that its Vulnerability Research Team (VRT) uncovered four previously undisclosed vulnerabilities within the... (PRWeb October 23, 2018) Read the full story at https://www.prweb.com/releases/multiple_arcserve_zero_day_vulnerabilities_disclosed_by_digital_defense_inc_researcher/prweb15856735.htm


MindBody-owned FitMetrix exposed millions of user records — thanks to servers without passwords

FitMetrix, a fitness technology and performance tracking company owned by gym booking giant Mindbody, has exposed millions of user records because it left several of its servers without a password.

The company builds fitness tracking software for gyms and group classes — like CrossFit and SoulCycle — that displays heart rate and other fitness metric information for interactive workouts. FitMetrix was acquired by gym and wellness scheduling service Mindbody earlier this year for $15.3 million, according to a government filing.

Last week, a security researcher found three unprotected FitMetrix servers leaking customer data. It isn’t known how long the servers had been exposed, but they were indexed by Shodan, a search engine for open ports and databases, in September. The servers included two identical ElasticSearch instances and a storage server — all hosted on Amazon Web Services — yet none were protected by a password, allowing anyone who knew where to look to access the data on millions of users.

Bob Diachenko, Hacken.io’s director of cyber risk research, found the databases containing 113.5 million records — though it’s not known how many users were directly affected. Each record contained a user’s name, gender, email address, phone numbers, profile photos, their primary workout location, emergency contacts and more. Many of the records were not fully complete.

The storage server, hosted in an Amazon S3 bucket, stored user profile pictures, but remained open at the time of writing. For that reason, we’re not linking to it.

Diachenko, who wrote up his findings, contacted the company via email a week ago, but the company only secured the server after TechCrunch reached out.

“We recently became aware that certain data associated with FitMetrix technology stored online may have been publicly exposed,” said Jason Loomis, Mindbody’s chief information security officer.


To fight fraud, banks and retailers use behavioral biometrics to build millions of user profiles by tracking how they type, swipe, tap when using…

Stacy Cowley / New York Times: To fight fraud, banks and retailers use behavioral biometrics to build millions of user profiles by tracking how they type, swipe, tap when using sites and apps — When you're browsing a website and the mouse cursor disappears, it might be a computer glitch — or it might be a deliberate test to find out who you are.


Hackers on new ‘secure’ phone networks can bill your account for their roaming charges

I have good news! The infamous SS7 networks used by mobile operators to interoperate, e.g. when you’re roaming — which were built on trust, essentially devoid of security, and permitted rampant fraud, SMS hijacking, eavesdropping, password theft, etc. — are being replaced. Slowly. But I have bad news, too! Which is: the new systems still have gaping holes.

One such hole was described at the Def Con hacking convention today by Dr. Silke Holtmanns of Nokia Bell Labs. She gave a fascinating-to-geeks-like-me summary of how the IPX network, which connected five Scandinavian phone systems in 1991, using the SS7 protocol suite secured entirely by mutual trust, has grown into a massive global “private internet” connecting more than 2,000 companies and other entities. It is this private network-of-networks that lets you fly to another country and use your phone there, among many other services.

The quote which stood out most starkly from her slides regarding IPX was this: “Security awareness only recently started (2014).” That’s … awfully late to start thinking about security for a massive semi-secret global network with indirect access to essentially every phone, connected car, and other mobile/SIM-card enabled device on the planet. She understated grimly.


In-the-wild router exploit sends unwitting users to fake banking site

Hackers have been exploiting a vulnerability in D-Link modem routers to send people to a fake banking website that attempts to steal their login credentials, a security researcher said Friday. The vulnerability works against D-Link DSL-2740R, DSL-2640B, DSL-2780B, DSL-2730B, and DSL-526B models that haven’t been patched in the past two years. As described in several public disclosures, the flaw allows attackers to remotely change the DNS server that connected computers use to translate domain names into IP addresses.

According to an advisory published Friday morning by security firm Radware, hackers have been exploiting the vulnerability to send people trying to visit two Brazilian bank sites — Banco do Brasil’s www.bb.com.br and Unibanco’s www.itau.com.br — to malicious servers rather than the ones operated by the financial institutions. In the advisory, Radware researcher Pascal Geenens wrote:


Line Corp. acquires a majority stake in Korean game developer NextFloor and sets up Line Games as new publisher of mobile games (Dean…

Dean Takahashi / VentureBeat: Line Corp. acquires a majority stake in Korean game developer NextFloor and sets up Line Games as new publisher of mobile games — Japanese mobile messaging firm Line Corp. has acquired a majority stake in game developer NextFloor and it has set up Line Games as a new publisher of mobile games.


Equidate, a San Francisco-based marketplace that makes privately held shares available to accredited investors wanting to buy them, raises $50M Series…

Connie Loizos / TechCrunch: Equidate, a San Francisco-based marketplace that makes privately held shares available to accredited investors wanting to buy them, raises $50M Series B — Equidate, a 4.5-year-old, San Francisco-based marketplace that makes privately held shares available to accredited investors wanting to buy them …


The quantum meltdown of encryption

Shlomi Dolev, Contributor. Shlomi Dolev is the Chair Professor and founder of the Computer Science department of Ben-Gurion University of the Negev. He is the author of Self-Stabilization. Shlomi also is a cybersecurity entrepreneur and the co-founder and chief scientist of Secret Double Octopus.

The world stands at the cusp of one of the greatest breakthroughs in information technology. Huge leaps forward in all fields of computer science, from data analysis to machine learning, will result from this breakthrough. But like all of man’s technological achievements, from the combustion engine to nuclear power, harnessing quantum computing comes with potential dangers as well.

Quantum computers have created a slew of unforeseen vulnerabilities in the very infrastructure that keeps the digital sphere safe. The underlying assumption behind nearly all encryption ciphers used today is that their complexity precludes any attempt by hackers to break them, as it would take years for even our most advanced conventional computers to do so. But quantum computing will change all of that.

Quantum computers promise to bring computational power leaps and bounds ahead of our most advanced machines. Recently, scientists at Google began testing their cutting-edge 72-qubit quantum computer. The researchers expect to demonstrate with this machine quantum supremacy, or the ability to perform a calculation impossible with traditional computers.

Chink in the Armor

Today’s standard encryption techniques are based on what’s called Public Key Infrastructure, or PKI, a set of protocols brought to the world of information technology in the 1970s.


Tinder bolsters its security to ward off hacks and blackmail

This week, Tinder responded to a letter from Oregon Senator Ron Wyden calling for the company to seal up security loopholes in its app that could lead to blackmail and other privacy incursions. In a letter to Sen. Wyden, Match Group General Counsel Jared Sine describes recent changes to the app, noting that as of June 19, “swipe data has been padded such that all actions are now the same size.” Sine added that images on the mobile app are fully encrypted as of February 6, while images on the web version of Tinder were already encrypted.

The Tinder issues were first called out in a report by a research team at Checkmarx describing the app’s “disturbing vulnerabilities” and their propensity for blackmail:

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other types of malicious content (as demonstrated in the research).

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

In February, Wyden called for Tinder to address the vulnerability by encrypting all data that moves between its servers and the app and by padding data to obscure it from hackers. In a statement to TechCrunch at the time, Tinder indicated that it heard Sen. Wyden’s concerns and had recently implemented encryption for profile photos in the interest of moving toward deepening its privacy practices.

“Like every technology company, we are constantly working to improve our defenses in the battle against malicious hackers and cyber criminals,” Sine said in the letter. “… Our goal is to have protocols and systems that not only meet, but exceed industry best practices.”
