New Browser Attack Allows Tracking Users Online With JavaScript Disabled

Although these methods exploit a covert timing channel in the CPU cache, the new attack devised by Ben-Gurion researchers targets a cache-based side-channel in modern web browsers. This string search is followed by a request for a CSS element that requires DNS resolution from the malicious server.

New browser-tracking hack works even when you flush caches or go incognito

Researchers from the University of Illinois, Chicago said in a new paper that most browsers cache the images in a location that’s separate from the ones used to store site data, browsing history, and cookies.

Computer-stored encryption keys are not safe from side-channel attacks

In the paper Stealing Keys from PCs using a Radio: Cheap Electromagnetic Attacks on Windowed Exponentiation (PDF), the researchers explain how they determine decryption keys for mathematically-secure cryptographic schemes by capturing information about secret values inside the computation taking place in the computer.

ShazLocate! Abusing CVE-2019-8791 & CVE-2019-8792

I found a vulnerability in the popular Shazam application that allowed an attacker to steal the precise location of a user simply by clicking a link!

Ransomware Gang Collects Data from Blood Testing Lab

Apex Laboratory, which provides blood work at home for patients in New York City, Long Island and South Florida, has been hit with a ransomware attack that also resulted in patient data being stolen.

iPhone zero-click Wi-Fi exploit is one of the most breathtaking hacks ever

Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device—over Wi-Fi, with no user interaction required at all.

No Safety without (Cyber-)Security!

It’s a common experience: I talk to people developing safety-critical embedded systems, be it cars or medical devices, and, while clearly serious about product safety, they show little interest in security.

Privacy News Online | Weekly Review: November 20, 2020

In a new blog post on Microsoft's blog, Alex Weinert, Director of Identity Security, has urged users to stop using SMS and call-based multi-factor authentication.

Dating Site Bumble Leaves Swipes Unsecured for 100M Users

Bumble fumble: An API bug exposed personal information of users like political leanings, astrological signs, education, and even height and weight, and their distance away in miles.

Cyber-Criminals Target Naked Zoom Users

The email, titled "Regarding Zoom Conference call," claims that the attacker exploited a zero-day vulnerability to access the victim's private data.

ICO fines Marriott International Inc £18.4million for failing to keep customers’ personal data secure

The ICO’s investigation found that there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation (GDPR).

My friend’s Whatsapp was hacked – and how you can avoid it

An attacker who has phished your friend’s Whatsapp account may trigger an OTP for your number to your phone, and may message you asking for it.

A New Attack Vector Discovered in Comcast's Remote

By extensively reverse-engineering both the remote’s firmware and the corresponding software it communicates with on the set-top box, we were able to find a vulnerability in the way the remote handled incoming RF packets.

Apple's T2 Security Chip Has an Unfixable Flaw

A recently released tool is letting anyone exploit an unusual Mac vulnerability to bypass Apple's trusted T2 security chip and gain deep system access.

Comcast TV Remote Hack Opens Homes to Snooping

“Few people think of their television remote controls as ‘connected devices,’ fewer still would guess that they can be vulnerable to attackers, and almost no one would imagine that they can jeopardize their privacy,” said researchers with Guardicore, in a Wednesday post.

When coffee makers are demanding a ransom, you know IoT is screwed

Once the device connects to a home network, this ad hoc SSID required to configure the coffee maker and initiate any updates is no longer available.

A Bug Could Let Attackers Hijack Firefox for Android via Wi-Fi Network

Discovered originally by Australian security researcher Chris Moberly, the vulnerability resides in the SSDP engine of the browser that can be exploited by an attacker to target Android smartphones connected to the same Wi-Fi network as the attacker, with Firefox app installed.

Cyber Deception Reduces Data Breach Costs by Over 51% and SOC Inefficiencies by 32%

FREMONT, Calif.--(BUSINESS WIRE)--Attivo Networks®, an award-winning leader in cyber deception and attacker lateral movement threat detection, today announced the results of a new research report conducted with Kevin Fiscus of Deceptive Defense, Inc., “Cyber Deception Reduces Breach Costs & Increases SOC Efficiency.” The paper identifies the direct and measurable financial and productivity benefits of deception technology for organizations of all types and sizes.

Experian breach affects over 24 million customers and businesses in South Africa

Consumer credit reporting agency Experian has suffered a data breach at their South African branch.

Alexa hack granted attackers access to an Echo user's smart home network

A number of vulnerabilities have been revealed in Amazon's Alexa, highlighting the need for providers of smart home platforms, such as Apple's HomeKit, to maintain security as part of the service.

How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

The 3 sharp drops in figure 1 (marked with 1, 2, 3) depict the events when some of these malicious Tor exits got detected, reported and removed from the network by the Tor directory authorities.

Now-fixed exploit used Microsoft Office macros to hack macOS

A now-fixed exploit in the macOS version of Microsoft Office may have allowed attackers to hack a Mac user just by getting them to open a document.

Robots, Oracles and Protocols; Breaking Cryptography Through Information Leakage

Once this integer is found, our second message, which we know is also properly padded, will be denoted M₁. As we know that M₁ is also properly padded, we know the interval in which it resides, and can use this to narrow the possible intervals for M₀.
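The interval-narrowing step the excerpt alludes to, written out as an added worked derivation (it is not taken from the original article). It assumes the standard PKCS#1 v1.5 setting: an RSA modulus $n$ of $k$ bytes, $B = 2^{8(k-2)}$, and a "properly padded" plaintext is one with $2B \le M < 3B$. The multiplier $s$ stands for "this integer" found by the search; $r$ and the current bounds $[a, b]$ on $M_0$ are assumed notation.

$$
M_1 \equiv s \cdot M_0 \pmod n, \qquad 2B \le M_1 \le 3B - 1
$$

Because $M_1 = s M_0 - r n$ for some integer $r \ge 0$, the padding condition on $M_1$ translates into a condition on $M_0$:

$$
2B \le s M_0 - r n \le 3B - 1
\;\Longrightarrow\;
\frac{2B + r n}{s} \le M_0 \le \frac{3B - 1 + r n}{s}
$$

If $M_0$ is currently known to lie in $[a, b]$ (initially $a = 2B$, $b = 3B - 1$, since $M_0$ is itself properly padded), only a small range of $r$ is consistent with it:

$$
\frac{a s - 3B + 1}{n} \le r \le \frac{b s - 2B}{n}
$$

and for each such $r$ the interval is tightened to

$$
\left[\; \max\!\left(a, \left\lceil \frac{2B + r n}{s} \right\rceil\right),\;
\min\!\left(b, \left\lfloor \frac{3B - 1 + r n}{s} \right\rfloor\right) \;\right]
$$

Each new $s$ that yields a properly padded $M_1$ shrinks the surviving interval(s); once a single interval of width one remains, it is $M_0$.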

Zoom Security Exploit - Cracking private meeting passwords - Tom Anthony

Over the next couple of days, I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting.

When the home is no data protection haven: addressing privacy threats from intimate relationships

That’s precisely what a new paper from Karen Levy and Bruce Schneier does: "This article provides an overview of intimate threats: a class of privacy threats that can arise within our families, romantic partnerships, close friendships, and caregiving relationships." For example, some intimate privacy threats occur by virtue of copresence between victim, attacker, and device.

EasyJet admits data of nine million hacked

It said email addresses and travel details had been stolen and that 2,208 customers had also had their credit card details "accessed". The firm has informed the UK's Information Commissioner's Office while it investigates the breach.

FBI cracks alleged al-Qaida shooter’s iPhone without Apple’s help

Law enforcement officials have been critical of Apple’s stance on privacy and encryption dating back to 2015 when the FBI got a court order demanding Apple unlock a dead terrorist’s iPhone.

Toll attacker made off with past and present employee data and commercial agreements

"This server contains information relating to some past and present Toll employees, and details of commercial agreements with some of our current and former enterprise customers," the company said on Tuesday.

GoDaddy Confirms Data Breach: What 19 Million Customers Need To Know

The email notification stated that, upon an investigation of the incident, it was determined that an "unauthorized individual" had gained access to login credentials that meant they could "connect to SSH" on the affected hosting accounts.

5 Common Social Engineering Techniques to Avoid During Lockdown

Social engineering is the use of psychological techniques on people with the intention of eliciting sensitive information from them in order to gain access to secure systems. Described below are five of the most common social engineering techniques that attackers like to use.