NSO ‘Pegasus’ Hacking Tool Targets Journalists Again - Security Boulevard

Winged Stallion Sadly Not a Myth

… @Apple also deserves criticism, according to commentators. In today’s #SBBlogwatch at @SecurityBlvd, we deck the halls: https://t.co/yuBd5ybHZr

— @Richi Jennings (@RiCHi) December 22, 2020

Zoom Exec Charged With Tiananmen Square Massacre Censorship - Security Boulevard

Jin Jin Jin in Sin Bin

… Tiananmen Square massacre #六月四日大屠杀。There—I said it again. In today’s #SBBlogwatch at @SecurityBlvd, it’s weird how this page isn’t viewable in China. https://t.co/OqgsA9T2gY

— @Richi Jennings (@RiCHi) December 21, 2020

3 Million Chrome Users Infected via Extensions—Here We Go Again - Security Boulevard

Have a Nice Latte and Stop Worrying

… Oh, what a tangled web we weave. In today’s #SBBlogwatch at @SecurityBlvd, we check our extensions: https://t.co/ARKZIiOoqQ

— @Richi Jennings (@RiCHi) December 17, 2020

FTC digs into social ad-tech data privacy—pay attention - TechBeacon

The Washington winds are a-changin’. Is your app next for scrutiny?

… And if so, what about yours? In this week’s #SecurityBlogwatch at @TechBeaconCom, we look ahead: https://t.co/iqHmYM290U

— @Richi Jennings (@RiCHi) December 17, 2020

Signal App Crypto Cracked, Claims Cellebrite - Security Boulevard

Cellebwrong

… Signal honcho @Moxie Marlinspike (pictured) is not going to be a happy bunny. In today’s #SBBlogwatch at @SecurityBlvd, we get physical: https://t.co/iOdVCFYDvu

— @Richi Jennings (@RiCHi) December 15, 2020

SUNBURST: Russia Fingered in ‘Perfect 10’ Supply Chain Attack - Security Boulevard

FireEye’s Other Shoe Drops

… The motive seems to be #espionage. In today’s #SBBlogwatch at @SecurityBlvd, we gather intelligence: https://t.co/IfQi02zfLO

— @Richi Jennings (@RiCHi) December 14, 2020

EU Vaccine Regulator Hacked for Pfizer/BioNTech Info - Security Boulevard

Just a Little Prick

… Who did it? And why?

In today’s #SBBlogwatch at @SecurityBlvd, we speculate to accumulate: https://t.co/2vj6UpsfMq

— @Richi Jennings (@RiCHi) December 10, 2020

FireEye hacked ‘by Russia.’ Who’s next?

Reds school the red team

… It’s being seen as revenge for outing #Russia as the culprit for other high-profile shenanigans. In this week’s #SecurityBlogwatch at @TechBeaconCom, we pass the vodka: https://t.co/9zhkZLw1Lw

— @Richi Jennings (@RiCHi) December 10, 2020

Kazakhstan Spies on its People via Man-in-the-Middle Attack, Again - Security Boulevard

Please Read: If it not Success, I Will Be Execute

Kazakhstan is a former-Soviet republic. In today’s #SBBlogwatch at @SecurityBlvd, “It locate between Tajikistan, and Kyrgyzstan, and ******** Uzbekistan.” https://t.co/nvyZWGk06p

— @Richi Jennings (@RiCHi) December 7, 2020

Brazil Govt’s Huge Leak: Health Data of 243M - Security Boulevard

Zello FAIL (no, not that one)

But you won’t believe the ridiculous way the data was exposed. In today’s #SBBlogwatch at @SecurityBlvd, we fly away in our dreams: https://t.co/oFhMtIdyIQ

— @Richi Jennings (@RiCHi) December 4, 2020

Wormable RCE/PE flaw in iPhone Wi-Fi code: In a word, ‘incredible’ - TechBeacon

But the vuln is a doozy. And it’s laughable how bad this bit of code was, given the risks. In this week’s #SecurityBlogwatch at @TechBeaconCom, we sanitize our inputs, then sanitize them some more: https://t.co/Jv7HdLDmZ6

— TechBeacon (@TechBeaconCom) December 3, 2020

Second Swiss Firm Said to Be CIA Encryption Puppet - Security Boulevard

Second Swiss Firm Said to Be CIA Encryption Puppet ... by Richi Jennings @RiCHi #cia #cryptoag #encryption #omnisec #sbblogwatch https://t.co/z3vfoq5qIN

— SecurityBoulevard (@securityblvd) November 30, 2020

Google Finally Pulls Chinese Apps Stealing Personal Data - Security Boulevard

Bogus Baidu Boo-Boo

Wait, what? As the researchers who discovered the problem point out, #Baidu has no business sniffing your phone’s #IMSI or #IMEI. In today’s #SBBlogwatch at @SecurityBlvd, we give thanks: https://t.co/sWA34RH756

— @Richi Jennings (@RiCHi) November 25, 2020

Should you pen-test WFH staff? Consumer gear has terrible security. - TechBeacon

The moral of the story? Audit the equipment your users use in their working-from-home networks. You’re going to have to keep up with the security status of that too, and mandate replacement of devices that can’t be secured

You know it makes sense. In this week’s #SecurityBlogwatch at @TechBeaconCom, we give thanks: https://t.co/ZThqgCX7In

— @Richi Jennings (@RiCHi) November 25, 2020

Congress Passes IoT Security Act, but is it Toothless? - Security Boulevard

NIST and OMB to Lead

… But it was just a bill. Yes—only a bill. And they voted for it on #CapitolHill. In today’s #SBBlogwatch at @SecurityBlvd, it’s off to the @WhiteHouse, where it’ll wait in a line, with a lot of other bills, for the @POTUS to sign (or not): https://t.co/OSM9EylIea

3/…

— @Richi Jennings (@RiCHi) November 24, 2020

Japanese Orgs Hacked ‘by China’ in Long, Widespread Campaign - Security Boulevard

Stop Monkeying Around

… Here we go again. In today’s #SBBlogwatch at @SecurityBlvd, we get déjà vu—and 既視感: https://t.co/AdUFlrxbye

3/…

— @Richi Jennings (@RiCHi) November 20, 2020

App SDKs sell location data to US military in ‘war on terror’ - TechBeacon

Your tax dollars at work.

The moral of the story?
Dev: Don’t use third-party SDKs unless you’re sure what data is collected.
IT: Help your users choose the best privacy settings on their devices.

… Are you happy this is being done in your name? In this week’s #SecurityBlogwatch at @TechBeaconCom, we fear fear itself: https://t.co/OePjjY1Ahh

4/…

— @Richi Jennings (@RiCHi) November 19, 2020

Trump Fires DHS Cybersecurity Agency Head, Over Election Remarks - Security Boulevard

The Donald’s Signature Move

… But there’s a lot of love for Krebs—right across the aisle. In today’s #SBBlogwatch at @SecurityBlvd, we savor this rare bipartisan moment: https://t.co/pg3FRJT6DT

3/…

— @Richi Jennings (@RiCHi) November 19, 2020

Vertafore Leak: Private Data of 28M Texans - Security Boulevard

TX PII FAIL

…But all this happened months ago. In today’s #SBBlogwatch at @SecurityBlvd, we wonder why we’re only hearing about it now: https://t.co/fgZtkBfI8X

3/…

— @Richi Jennings (@RiCHi) November 16, 2020

Disconnect Your TCL Smart TV From the Internet—NOW - Security Boulevard

Pull the Plug

… Give me my back old 28-inch Sony Trinitron. In today’s #SBBlogwatch at @SecurityBlvd, we define the standard: https://t.co/p6djKODe03

3/…

— @Richi Jennings (@RiCHi) November 13, 2020

‘Solid’ privacy pods: Can Tim Berners-Lee keep his dream alive? - TechBeacon

The moral of the story?
Definitely one to watch, but beware getting sucked into something that’s going nowhere.

— @Richi Jennings (@RiCHi) November 12, 2020

Great British Prank: Company Name Contains XSS Hack - Security Boulevard

Ob. Bobby Tables

The government agency responsible, @CompaniesHouse, nuked the name—but only after people pointed it out. In today’s #SBBlogwatch at @SecurityBlvd, we point the finger: https://t.co/ka6w9IKmp8

3/…

— @Richi Jennings (@RiCHi) November 9, 2020

23% of Windows in Use is Old, Insecure Win7 or XP - Security Boulevard

Remember, Remember

It’s not 2015 any more, let alone 1605. But it is 11/05.

In today’s #SBBlogwatch at @SecurityBlvd, we’re a vaudevillian veteran, cast vicariously as both victim and villain: https://t.co/i11FtEwS71

3/…

— @Richi Jennings (@RiCHi) November 5, 2020

Who you gonna trust? Not your default CA root store, says Chrome - TechBeacon

In GOOG we trust

… Standard is better than “better,” as the old saying goes.

In this week’s #SecurityBlogwatch at @TechBeaconCom, we read widespread distrust of @Google’s #ChromeRootProgram: https://t.co/MhT7Pya89e

3/…

— @Richi Jennings (@RiCHi) November 5, 2020

Google ‘Irresponsibly’ Discloses Windows Zero-Day - Security Boulevard

Google discovered a “threat actor” exploiting a pair of bugs—one in @GoogleChrome and one in @Windows. Together, the bugs allowed a dodgy web page to #elevate to Administrator. https://t.co/eHdeOHuI77

1/…

— @Richi Jennings (@RiCHi) November 2, 2020

Messenger apps: A security nightmare to haunt SecOps - TechBeacon

Crouching feature; hidden threat

Many #messaging apps do link previews insecurely. That’s the conclusion of a pair of well-known #infosec researchers this week. https://t.co/WZJ7Oq4VFw

1/…

— @Richi Jennings (@RiCHi) October 29, 2020

Therapy Center Hacked, 40,000 Patients Sent Ransom Demands - Security Boulevard

What’s Finnish for HIPAA?

A psychotherapy center was hacked, losing sensitive healthcare data on more than 40,000 patients. The Finnish medical organization received a ransom demand, but so did the patients themselves. https://t.co/hRG4R4Nzg2

1/…

— @Richi Jennings (@RiCHi) October 28, 2020

Fake News? Trump’s Twitter ‘Twice Hacked’ - Security Boulevard

‘Nobody gets hacked.’

President Trump’s Twitter account, @POTUS, was broken into by a Dutch hacker. Or, so the Dutch hacker claims.https://t.co/QbqzsyDVX5

1/…

— @Richi Jennings (@RiCHi) October 24, 2020

Check your dependencies: GitHub's npm finds nasty Trojan packages - TechBeacon

The moral of the story? Code reuse is a wonderful thing. But only if you trust ALL the code you’re reusing.

Our favorite JavaScript package manager, #npm (@npmjs), has ’fessed up to hosting four highly malicious packages for up to 18 months. And it’s not the first time the @GitHub-owned registry has had to kick code from dodgy devs. https://t.co/svpAWjDBAx

1/…

— @Richi Jennings (@RiCHi) October 22, 2020

GRU Agents Indicted for Hacking Multiple Targets - Security Boulevard

Enter Sandworm

😷 @TheJusticeDept has charged six Russians with a huge range of computer crimes. Allegedly working for the #GRU, the six are said to have “used some of the world’s most destructive malware.”https://t.co/snauqFiBpb

1/…

— @Richi Jennings (@RiCHi) October 20, 2020

BleedingTooth: Intel Discloses Early, Angering Linux Lovers - Security Boulevard

Intel Disclosure FAIL

A researcher discovered a high-severity vulnerability in the Linux Bluetooth stack. He reported it privately to the stack’s maintainer, @Intel, dubbing it #BleedingTooth (not to be confused with the fungus of the same name). https://t.co/hqTodLTxiU

— @Richi Jennings (@RiCHi) October 16, 2020

Think of the children: Elites want to ban E2E encryption (yet again) - TechBeacon

Irresistible force meets immovable objec

Here we go again. Seven major governments call for tech companies to weaken #encryption—just like the last time, and the time before that, and the time before that, and … https://t.co/dpMnBICsJG

— @Richi Jennings (@RiCHi) October 15, 2020

Xplora Watches for Kids: Chinese Spyware - Security Boulevard

Hey, Kids! What Time Is It?

Chinese smartwatches for kids: Just one of this decade’s objectively terrible ideas. A “Norwegian” company, @Xplora Technologies, sells a Chinese smartwatch that’s full of Chinese software, implicitly controlled by the #ChineseCommunistParty. https://t.co/wgUM7WTK6x

— @Richi Jennings (@RiCHi) October 13, 2020

U.S. Cyber Command Says it Nuked Trickbot, but Microsoft and Chums Claim Credit - Security Boulevard

In the dog days of last week, a shadowy group of secret sources in @US_CYBERCOM whispered to reporters that they’d disrupted a huge, ransomware-spewing botnet. https://t.co/6O6316dERV

1/…

— @Richi Jennings (@RiCHi) October 12, 2020

Google Gives Cops Your Search Terms – Let the Frog-Boiling Commence - Security Boulevard

Google stands accused of agreeing to overly broad search warrants, which might violate the Fourth Amendment.

Federal law enforcement asked Google to tell them who searched for a particular address within certain dates.https://t.co/h2Z1lHv9N2

1/…

— @Richi Jennings (@RiCHi) October 9, 2020

Chrome 86 is … HEY DevOps: Wake up and pay attention - TechBeacon

Google is proud to announce the birth of a bouncing baby browser. Behold: release 86 of @GoogleChrome, Larry and Sergey’s stupidly-popular web access app–cum #PWA platform. https://t.co/qq8Wi6NHxi

1/…

— @Richi Jennings (@RiCHi) October 8, 2020

MosaicRegressor: ‘Chinese’ UEFI Bootkit Snoops on North Korean Foes - Security Boulevard

#Malware that infects below the level of the OS is the holy grail of persistence. It’s fiendishly hard to spot and harder still to remove. https://t.co/WO154hHGFI

1/…

— @Richi Jennings (@RiCHi) October 6, 2020

Troy Hunt Flags Up ‘Sensational’ Sextortion Bug in Grindr - Security Boulevard

#Grindr, the popular dating app, had a ridiculous bug in its password-recovery flow.

“This is one of the most basic account takeover techniques I’ve seen,” blogged security researcher @TroyHunt. https://t.co/aq7P1zom0W

1/…

— @Richi Jennings (@RiCHi) October 5, 2020

Access control: Pandemic forces rethink of IT’s trust model - TechBeacon

Zero trustification

Worrying results from recent survey: Far too many knowledge workers are being given access to far too much data.

It’s especially worrying given the huge rise in home working—what with … y’know … one thing and another. https://t.co/QLfDGhRjx2

1/…

— @Richi Jennings (@RiCHi) October 1, 2020

Ransomware Cripples UHS Hospitals Across the Nation - Security Boulevard

😷 Universal Health Services @UHS_Inc discovered all its Windows PCs had shut down over the weekend. It looks like a widespread #Ryuk #ransomware infection. https://t.co/3wqpqnijJt

1/…

— @Richi Jennings (@RiCHi) September 29, 2020

TikTok kid schools IT about scam apps - TechBeacon

User education: It works. That’s the “lesson about lessons” from this week’s #TikTok security scare. https://t.co/tzmg8Z79pk

1/…

— @Richi Jennings (@RiCHi) September 24, 2020

Feds Yell PATCH NOW over Windows AD ‘Zerologon’ Vuln - Security Boulevard

Fix It or Can It

😷 @CISA sent an unusual warning late last week. The federal #cybersecurity agency instructed government IT departments to drop everything and patch their #Windows servers. https://t.co/2L6NnPeoHr

1/…

— @Richi Jennings (@RiCHi) September 22, 2020

DuckDuckGo: Crazy Name, Growing Crazy-Fast - Security Boulevard

AnatidaeAnatidae囲碁

The #privacy lovers at @DuckDuckGo Inc. are pleased to say the business is growing fast. Plus, @Apple has graciously allowed #iPhone users to set DDG’s browser as the default on #iOS14. https://t.co/ZsDKmUXELY

1/…

— @Richi Jennings (@RiCHi) September 18, 2020

Zerologon bug is a perfect 10. Patch now or crash hard - TechBeacon

The moral of the story? Run—do not walk—to your AD domain controllers (metaphorically speaking). And start planning for February’s second shoe droppage.

A researcher found a really nasty bug in Windows Server, calling it #Zerologon. The #ActiveDirectory domain controller code screws up an important bit of #AES, earning a perfect 10 on the CVSS scale. https://t.co/DeOnCn2BNg

1/…

— @Richi Jennings (@RiCHi) September 17, 2020

BlindSide: Intel/AMD Speculation Bugs Under Microscope Again - Security Boulevard

Sky Falling—Film at 11

Researchers have published frightening details on what they’re calling #BlindSide. It’s a way of defeating the Address Space Layout Randomization (#ASLR) in kernels such as Linux. https://t.co/QTlecKIYVT

1/…

— @Richi Jennings (@RiCHi) September 15, 2020

Russia, China, Iran Meddle in 2020 Election (Unsurprisingly) - Security Boulevard

Fancy Bear and Chums Dance on Democracy’s Grave

It comes as no surprise to hear that #Russia is up to its old tricks. The patterns of attacks on @JoeBiden’s campaign are consistent with those of four years ago, we’re told. https://t.co/IOUCeSKOus

1/…

— @Richi Jennings (@RiCHi) September 11, 2020

Ransomware pandemic: This is getting ridiculous - TechBeacon

Schools and banks and healthcare—oh my

#Ransomware attacks are ten-a-penny now—all over the world. Are we getting blasé about the problem? https://t.co/CHURCfrYe2

1/…

— @Richi Jennings (@RiCHi) September 10, 2020

China Trolls U.S. With ‘Fox in Henhouse’ Data Security Plan - Security Boulevard

Don’t Feed the CCP

#China says countries shouldn’t attack critical #infrastructure. Nor steal data. https://t.co/XOU0PEax7L

1/…

— @Richi Jennings (@RiCHi) September 9, 2020

Apple U-Turn: It Will ‘Delay’ Killing Facebook’s Business Model - Security Boulevard

Tim Blinks

“Would you like evil advertisers to track you in this app?”

Is anyone going to touch “Yes” on their #iPhone?https://t.co/gkjW3h5EZH

1/…

— @Richi Jennings (@RiCHi) September 5, 2020

Sendgrid blames lack of 2FA for mountains of spam - TechBeacon

Bloody Vikings.

Email service provider @Sendgrid is under mounting criticism for sending #spam, #phishing, and other #email nasties. The company claims that a bunch of its customers’ accounts have been hacked. https://t.co/9mP09BMlfc

1/…

— @Richi Jennings (@RiCHi) September 3, 2020

Apple’s Big Brother Attitude Fails to Keep Users Safe - Security Boulevard

#Apple’s insistence on “notarizing” apps—even ones not downloaded from the @AppStore—has failed to “give users more confidence,” as @Tim_Cook’s crew promised.

Even the most prevalent #macOS #malware can slip through the net. Twice, in fact. https://t.co/XKo3XPyNR3

1/…

— @Richi Jennings (@RiCHi) September 1, 2020

Kiwi Stock Exchange DDoSed Again and Again (and Again) - Security Boulevard

Aotearoa Attack

NZX, the stock exchange in #NewZealand, has been suffering denial-of-service attacks for most of the week. The land of the long white cloud seems to have a powerful enemy. https://t.co/HzZPSPbzwp

1/…

— @Richi Jennings (@RiCHi) August 28, 2020

Preinstalled mobile malware steals money in emerging markets - TechBeacon

Supply chain attack blamed

Smartphone users in emerging markets are being ripped off by suspiciously cheap handsets. Phones branded “@Tecnomobile”—made by Shenzhen Transsion Holdings—appear to be preinstalled with #malware. https://t.co/RI1HQO3lC5

1/…

— @Richi Jennings (@RiCHi) August 27, 2020

Bridgefy FAIL: Insecure for Use in Protests - Security Boulevard

Feds Scoff At Your BT Mesh

Tale as old as time: @Bridgefy, a young naïve startup, builds quick and dirty app for use case A. Then many people use it for use case B, so the startup pivots to follow the market. https://t.co/OZDp090MFx

1/…

— @Richi Jennings (@RiCHi) August 25, 2020

Uber ex-CISO Charged ‘Obstruction and Misprision,’ say DoJ/FBI - Security Boulevard

Sullivan Charged—is Kalanick Next?

Joe Sullivan, the former security honcho at @Uber, stands accused of obstructing justice and covering up a crime. It all stems from a cloud #security breach at Uber Technologies in 2016, which leaked the personal information of 57 million drivers.https://t.co/ie9r6jMVGU

— @Richi Jennings (@RiCHi) August 21, 2020

Secret Service dodges location-data warrants … there’s an app for that - TechBeacon

He’d let us in—knows where we’ve been

Law enforcement continues to buy private data from brokers. And investigative journalists continue to uncover these shocking truths. https://t.co/uoyUn7e5ZY

— @Richi Jennings (@RiCHi) August 20, 2020

Paper Ballots: More Secure Than E-voting or Blockchain - Security Boulevard

Vote Early, Vote Often

A brace of experts opined at the weekend that voting using paper #ballots is best. Letting computers help is bound to lead to trouble, they both say—independently of each other, it seems. https://t.co/70zgoz5OVV

— @Richi Jennings (@RiCHi) August 19, 2020

Drovorub: Russia Pushing Invisible Malware, say NSA and FBI - Security Boulevard

Penguin vs. Bear

#FancyBear is at it again, claim @NSAgov and @FBI. This time, it’s said to be infecting #Linux machines with #Drovorub (#rootkit malware that’s very hard to detect). https://t.co/7DbHrm2r2U

— @Richi Jennings (@RiCHi) August 16, 2020

TikTok hands over data to police as Microsoft eyes buying the app - TechBeacon

Po-po shut us down

It’s emerged that @TikTok_us is handing over user data to US law enforcement. The info is thanks to the #BlueLeaks hack last month. https://t.co/VkZAM2uMUR

— @Richi Jennings (@RiCHi) August 13, 2020

Most Android Phones Can Be Pwned Just by Watching a Video - Security Boulevard

Slava FTW, but PR FAIL

More than 400 bugs in @Qualcomm #Snapdragon chips mean the #Android phone in your pocket and the #IoT toy in your child’s bedroom could be tremendously insecure—with no fix in sight. https://t.co/tQGEfuSCXL

— @Richi Jennings (@RiCHi) August 10, 2020

Intel Leak: 20GB of Secrets Just the Start, Says Perp - Security Boulevard

Swiss Cheese Security

A large cache of confidential documents has been exfiltrated from @Intel and leaked. By now, it’s all over #Bittorrent and your favorite file-sharing sites. https://t.co/2L7kC7JDqw

— @Richi Jennings (@RiCHi) August 7, 2020

Chrome Web Store FAIL: 300+ More Scam Browser Extensions - Security Boulevard

GOOG Asleep at the Switch

A researcher has found more #malware in @Google’s store. This is supposed to be the place where Google publishes vetted browser #extensions.https://t.co/Gb9bt62Jyn

— @Richi Jennings (@RiCHi) August 6, 2020

NSA warning on location tracking: ‘Stop using your phone’ - TechBeacon

Your tax dollars at work. But what can you learn from spies like thus?

😷 @NSAGov published advice this week, aimed at the military and related roles. The guidance basically amounts to, “Phones are insecure.” https://t.co/Vj9BpS1nsI

— @Richi Jennings (@RiCHi) August 6, 2020

Garmin Pays Ransom to Evil Corp – Despite Russian Sanctions - Security Boulevard

Trust Mountain to Climb

Last month’s multi-day @Garmin outage outrage still echoes through the news cycle. This week, it’s emerged that Garmin caved in to pressure and paid several million dollars in #ransom to #WastedLocker-wielding criminals. https://t.co/A3Hi9ALXlY

— @Richi Jennings (@RiCHi) August 5, 2020

‘Russians’ Hack News Websites, Sow Anti-NATO Sentiment - Security Boulevard

Negative, Ghostwriter—the CMS is Pwned

Researchers have discovered pro-#Russian narratives being spread via hacked news websites, and other shady techniques. The #disinformation seems to be aimed at attacking #NATO in former-Soviet states. https://t.co/YFqHFhmWtz

— @Richi Jennings (@RiCHi) July 30, 2020

Twitter insiders are out of control, SecOps alumni allege - TechBeacon

Fix it, or bluebird gets it

After last week’s appalling Twitter hack, questions remain over the permissions given to @Twitter support staff.

Allegedly, thousands of contractors can access DMs and other private data, with no effective oversight. https://t.co/i7zCU1PSVO

— @Richi Jennings (@RiCHi) July 30, 2020

Hack of Payday Lender ‘Dave’: All 7.5M Users Breached - Security Boulevard

I’m Sorry, Dave

Hackers breached @DaveSavesYou a few weeks ago, leaking the personal information of all of its users. And we’re only finding out about it now. https://t.co/0ATIHsWyxd

— @Richi Jennings (@RiCHi) July 27, 2020

Garmin Users Furious as Ransomware Freezes Firm - Security Boulevard

Where Was I?

If you have a @Garmin #IoT thing, it’s probably fairly useless right now. That’s because the company is paralyzed after a #ransomware attack. https://t.co/G3wGtdngXZ

— @Richi Jennings (@RiCHi) July 25, 2020

BIMI email standard: Security fix or privacy fail? - TechBeacon

GOOG: benevolent cloud provider or evil marketer?

Google’s @Gmail is joining in with the Brand Indicators for Message Identification effort (@BIMIgroup). #BIMI lets an email client display a brand’s logo in a message, if it passes authentication checks. https://t.co/epxkrKQyEz

1/…

— @Richi Jennings (@RiCHi) July 23, 2020

CBP Scandal: Buying License Plate Scans - Security Boulevard

Big Brother Watching

😷 U.S. Customs and Border Protection is buying access to a huge private database of automatic license-plate recognition records (#LPR aka #ANPR).

And it’s legal (at least, nobody’s said it’s not). https://t.co/OsYtOlJ7gC

1/…

— @Richi Jennings (@RiCHi) July 22, 2020

Twitter is Dead to Me – What Really Happened This Week - Security Boulevard

Avian Blu’

As you probably know, @Twitter got hacked (again) Wednesday. Many high-profile users appeared to tweet a bitcoin scam.

The hack looked too easy: Maybe I’ve had enough of Twitter now. https://t.co/N6Rz4IMlnw

— @Richi Jennings (@RiCHi) July 19, 2020

Clock ticks for TikTok: RNC and DNC nuke app, US mulls ban - TechBeacon

Stop the clock

😷 @TikTok_us, millennials’ flavor of the month, is coming under yet more scrutiny this week. The app’s alleged spyware tendencies and connections to the #ChineseCommunistParty are causing some high-profile organizations to ban it. https://t.co/PgdUzSxDkR

1/…

— @Richi Jennings (@RiCHi) July 16, 2020

Microsoft Sued for LinkedIn Clipboard Snooping Scare - Security Boulevard

Sneaky Paste

😷 @LinkedIn got caught reading personal data from #iPhone clipboards. And now an (ahem) “enterprising” user is suing the @Microsoft-owned business social network. https://t.co/Mll6QMwKiu

1/…

— @Richi Jennings (@RiCHi) July 15, 2020

Police Buy Hacked Data, to Fish for Evidence—Is That Even Legal? - Security Boulevard

Quis Custodiet Ipsos Custodes?

A firm called @SpyCloudCo is selling your data to law enforcement.

What’s worse is that the sources of that data are hackers. https://t.co/RbXbsNCqa1

1/…

— @Richi Jennings (@RiCHi) July 10, 2020

Feds warn: MSPs being hacked—so stop your complacency - TechBeacon

Mismanaged SP?

The US @SecretService issued a mysterious alert, warning that managed service providers are being targeted by criminals. It doesn’t name names, but we think it’s connected with a #vulnerability in software used by many MSPs. https://t.co/J3iocjeP08

1/…

— @Richi Jennings (@RiCHi) July 9, 2020

F5 BIG-IP Has Huge, Enormous, Bad, Scary Security Holes (Patch NOW) - Security Boulevard

Hair. On. Fire.

Drop everything: A #CVSS score of 10 is as bad as it gets. Trivial to #exploit, this @F5Networks BIG-IP #vulnerability lets criminals pwn your entire network, and redirect your customers elsewhere. https://t.co/QDN0yCp6LX

1/…

— @Richi Jennings (@RiCHi) July 7, 2020

1,000 False Wakewords: A Letter! Buy 200 Toilet Rolls - Security Boulevard

Election! Confirm Purchase.

Researchers have found a thousand ways to say smart-speaker wakewords: @Alexa99, okay @Google, #heySiri, and so on. It highlights the problem of misheard speech causing private audio to be squirreled away on corporations’ servers for later analysis. https://t.co/JdjEwulPEj

1/…

— @Richi Jennings (@RiCHi) July 3, 2020

Google, Apple, Mozilla enforce 1-year max certificate expiration - TechBeacon

Time’s up for lazy DevOps

If you use #TLS certificates with long validity periods, then listen up.

Any cert issued after next month needs to last no longer than a year (plus a month’s grace): https://t.co/UfAqeoUWoG

— @Richi Jennings (@RiCHi) July 2, 2020

TikTok Banned: 59 Chinese Apps Blocked in India - Security Boulevard

Stop the Clock

😷Two huge nuclear powers in a standoff.
😷Several dead after a border skirmish.
😷What’s the next escalation?

Why, firewalling a bunch of smartphone apps, of course—including @TikTok_in. https://t.co/SLc6776Ls0

1/…

— @Richi Jennings (@RiCHi) July 1, 2020

Encryption: Politicians Try to Outlaw Math (Again) - Security Boulevard

Think of the Children!

Three Republican Senators are the latest Canutian lawmakers to float the “lawful access to #encryption” balloon. As we all know by now, it’s impossible to meet the irreconcilable aims of data security and government backdoors. https://t.co/vWrsbcPWt7

1/…

— @Richi Jennings (@RiCHi) June 25, 2020

Try harder: CSP won’t save you from Magecart-style attacks - TechBeacon

New trick in the wild

A new hacker trick to exfiltrate data is revealing old #security weaknesses. Seems some sites rely a little too heavily on Content Security Policy (#CSP). https://t.co/AJdhdCG736

1/…

— @Richi Jennings (@RiCHi) June 25, 2020

BlueLeaks is Huge FAIL for Anonymous and DDoSecrets - Security Boulevard

BlueLeaks: Not Clever

#Anonymous and Distributed Denial of Secrets (@DDoSecrets) have published 269GB of private law enforcement data. They justify #BlueLeaks by claiming it “provides unique insights into law enforcement and a wide array of government activities.” https://t.co/ah4LpQPxlE

1/…

— @Richi Jennings (@RiCHi) June 23, 2020

HUGE Google Chrome Spyware Ring: 111 Add-ons,15K Domains - Security Boulevard

GOOG FAIL

Thought @GoogleChrome was safe? Think again. Researchers have found an enormous mess of browser #extensions that spy on you. https://t.co/wy7ZqBRRvo

1/…

— @Richi Jennings (@RiCHi) June 20, 2020

Anonymous tweets ‘DDoS’; everyone freaks out - TechBeacon

T reconfig FAIL

Monday’s scare of a “major” denial-of-service attack turns out to have been just a #BGP misconfiguration. Or some other fat-fingered change. https://t.co/2JyfeCQYGJ

1/…

— @Richi Jennings (@RiCHi) June 18, 2020

Twitter Nukes 32,000 More State Trolls, Mostly From China - Security Boulevard

五毛 FAIL; Hungry Тролли

I ❤ Policemen.

That’s what the cuddly, peace-loving #ChineseCommunistParty wants you to think. And it’s been taking over Twitter to spread its message of joy and hope. https://t.co/XlIvIlWlfX

1/…

— @Richi Jennings (@RiCHi) June 16, 2020

Is Zoom the Next Huawei? ‘Puppet of Chinese,’ Say Critics - Security Boulevard

$ZM PR FAIL (yet again)

😷 @Zoom_us has been closing accounts of U.S. residents who are critical of the Chinese Communist Party. Specifically, accounts hosting discussions of #China’s 1989 #TiananmenSquare massacre and of China’s 2020 aspirations in #HongKong. https://t.co/65NZiQrMdj

1/…

— @Richi Jennings (@RiCHi) June 11, 2020

‘Dark Basin’: Prolific spear-phishers for hire - TechBeacon

Allegedly Sumit & Co.

A little-known security company is accused this week of mercenary hacking. Researchers say @BellTroX InfoTech Services phished countless individuals, advocacy groups, and for-profit companies: https://t.co/bIXSJ54ZGb

1/…

— @Richi Jennings (@RiCHi) June 11, 2020

IBM Jumps on BLM Bus, Drops Failing Facial Biz - Security Boulevard

But Clearview AI Doesn’t

😷 @IBM, that well-known paragon of #woke from Armonk, has stopped work on facial recognition. The technology risks “promoting discrimination and racial injustice” is why. https://t.co/Ly73OiV5Sw

1/…

— @Richi Jennings (@RiCHi) June 9, 2020

Open Source Sucks, Says Ballsy Infosec Firm - Security Boulevard

Duck and Cover

Security bugs are exploding in #opensource software. A ‘courageous’ vulnerability management service makes this bold claim in a recent research white paper. https://t.co/1CpEg8oLfX

1/…

— @Richi Jennings (@RiCHi) June 8, 2020

Who’s DDoSing Anti-Racism Groups? - Security Boulevard

The Ultimate Whataboutists

In the days after #GeorgeFloyd’s death, the websites of several anti-racism or black-rights groups have seen huge denial-of-service attacks. At least 140 billion requests on Sunday alone. https://t.co/eTXeODQeN9 #blacklivesmatter

1/…

— @Richi Jennings (@RiCHi) June 5, 2020

Your passwordless future: Make it sooner rather than later - TechBeacon

It’s a kind of magic

Recent research reminds us that managing unique passwords is hard. For sure, you’re more than capable of doing it, but for the vast majority of “normal” users, it’s basically impossible. https://t.co/X1gvuOEUQB

1/…

— @Richi Jennings (@RiCHi) June 4, 2020

Zoom’s New Model is Making Heads Hurt - Security Boulevard

E2EE for Reelz This Time

🧐 @Zoom_us will soon be introducing end-to-end #encryption. Yeah, I know they said they already had it, but it turns out that was—uhh—“inaccurate.”https://t.co/3hl8nfl5yv

1/…

— @Richi Jennings (@RiCHi) June 1, 2020

NSA: Russia Hacking U.S. Firms, via Old Exim Flaw - Security Boulevard

GRU GTsST vs. the World

The Russian state is breaking into companies, exploiting a vulnerability in an open source email server, according to @NSAgov. The #Exim MTA doesn’t properly sanitize its inputs, allowing hackers codenamed “Sandworm” to run shell scripts as root.https://t.co/l57r95LSQI

1/

— @Richi Jennings (@RiCHi) May 29, 2020

Remember this: Chrome’s security flaws put Rust in the hotseat - TechBeacon

Beware baby+bathwater bogosity

Remember when hackers didn’t target Web browsers? Remember when Internet-connected client code didn’t need to be hardened against “untrustworthy inputs”?https://t.co/5HTlRV28VZ

1/

— @Richi Jennings (@RiCHi) May 28, 2020

Is eBay Port Scanning Your PC? (Probably) - Security Boulevard

L@@K fleaBay Trix

It’s emerged that using the @eBay website causes your Windows PC’s ports to be scanned. The personal data collected gets silently sent back to the mothership.https://t.co/jjdUYkeOxk

1/

— @Richi Jennings (@RiCHi) May 27, 2020

Mom, You Can’t Post Pictures of My Child—Because GDPR - Security Boulevard

UAVG vs. NANA

A Dutch grandmother was busted for violating #GDPR. Her daughter took Granny to court for posting photos of her child without permission.https://t.co/qSzFXmzEqx

1/

— @Richi Jennings (@RiCHi) May 22, 2020

Whistleblower Says Apple Built Secret Dossier on You, via Siri - Security Boulevard

GDPR Toothless?

An ex-Apple contractor has doubled-down on his warning that @Apple is misusing audio recordings from the #Siri voice assistant. He’s goading European regulators into taking action. #GDPRhttps://t.co/Io2o261GtX

1/

— @Richi Jennings (@RiCHi) May 21, 2020

Mercedes software leaks via Git and Google dork - TechBeacon

OLU OSINT OOPS

😣 @MercedesBenz owner @Daimler left 580 repos open on the Internet—naked and unprotected. A Swiss researcher, @deletescape, discovered the trove with a simple #dork—a crafted Google search term.https://t.co/xbm9AWLYX8

1/

— @Richi Jennings (@RiCHi) May 21, 2020

11-Plus Supercomputers Hacked With Cryptominers - Security Boulevard

High-performance computers across Europe have been shut down, to clear out malware infestations. There’s also evidence of attacks in the U.S.https://t.co/g6AWQ7t4sD

1/

— @Richi Jennings (@RiCHi) May 18, 2020

Was This Huawei’s Failed Attempt at a Linux Backdoor? - Security Boulevard

A @Huawei employee submitted a large, buggy patch to the #Linux kernel. The so-called #HKSP (Huawei Kernel Self Protection) apparently contained a “trivially exploitable” security hole: https://t.co/qe3A4aeoCI

1/

— @Richi Jennings (@RiCHi) May 14, 2020

‘Thunderspy’ enlightening—very, very frightening - TechBeacon

#Thunderspy
Seven flaws in #Thunderbolt ports let an attacker fully access data on recent PCs and some Macs. Is this just fantasy?https://t.co/o13BPw1f0u

1/

— @Richi Jennings (@RiCHi) May 14, 2020

DEF CON is Canceled. Wanna Buy a Bridge? - Security Bloulevard

We were told @DEFCON 28 is canceled. But obviously we’re not stupid enough to fall for that old trick: https://t.co/0as3bqh08O

1/

— @Richi Jennings (@RiCHi) May 11, 2020

Cracked Apple: iOS security researchers intimidated into silence - TechBeacon

🧐@Apple v. @CorelliumHQ is causing trouble in the world of independent security researchers. The lawsuit about tools that emulate iPhones might outlaw them—even for legitimate testing: https://t.co/DOQGpKeMFd

1/

— @Richi Jennings (@RiCHi) May 7, 2020

Xiaomi U-Turn: Admits Sending Private Data it Said it Didn’t - Security Boulevard

This just gets weirder: @Xiaomi was caught out by security researchers, who found its devices phoning home with private data. But the Chinese company promised it did no such thing: https://t.co/nUbblyryRb

1/

— @Richi Jennings (@RiCHi) May 6, 2020

Steal Data Through Sound, Sans Speaker? - Security Boulevard

A university researcher has figured out how to get a PC’s power supply to make noises. Why’s that interesting? Because it could be used to transmit and steal data: https://t.co/Ts39RFMCoK

1/

— @Richi Jennings (@RiCHi) May 6, 2020

Quibi, JetBlue, Others Leaked Millions of Emails - Security Boulevard

Hundreds of millions of people might have had their email addresses given to advertising and analytics companies.

According to a new report, brands such as the @WashingtonPost and @Mailchimp have been quietly leaking the personal data—often for years.https://t.co/dQsdkPD2HO

1/

— @Richi Jennings (@RiCHi) May 5, 2020

8.6M PII leaked from UK city's CCTV DB; Neology denies responsibility - TechBeacon

#Sheffield, an English city, somehow forgot to password-protect a huge #PII trove: https://t.co/1COofW1Ymp

…

— @Richi Jennings (@RiCHi) April 30, 2020

COVID-19 Contact Tracing Apps Fight Privacy Fears - Security Boulevard

Governments around the world are introducing apps to help health officials trace contacts of people newly infected with the novel coronavirus.

They work by recording whom you come close to—then alerting those people if you contract #COVID–19: https://t.co/Upd3DapEAy

…

— @Richi Jennings (@RiCHi) April 28, 2020

China Wants to Control All the Internet With 'New IP' Plan - Security Boulevard

The Chinese Communist Party wants to remake the internet in its own image. It’s supported by such open, democratic and transparent regimes as Russia, Saudi Arabia and Iran. …https://t.co/Qb6RMKFMyN

— @Richi Jennings (@RiCHi) April 26, 2020

Apple Scrambles to Patch Old iOS Mail Bugs - Security Boulevard

A pair of unpatched vulnerabilities in Apple iOS have been quietly exploited for months—possibly years. They let an attacker silently read your email. Scary: https://t.co/9SDTFOl5eb

…

— @Richi Jennings (@RiCHi) April 24, 2020

Over a quarter-billion Facebook profiles served (at 0.0002¢ each) - TechBeacon

Criminals are selling 267 million rows of #Facebook data on the dark web. It’s not thought to be a new leak, but if your name’s in there, you might be surprised how cheap your data is: https://t.co/GTl5l2LrIr

— @Richi Jennings (@RiCHi) April 23, 2020

Bad people are feeding off our fears by using #COVIDー19 novel-#coronavirus themes in their #phishing campaigns.

I suppose we shouldn’t be surprised: https://t.co/59hz4PipA2

— @Richi Jennings (@RiCHi) April 22, 2020

Another day, another @Zoom_us dumpster fire. This time, we get news of a “critical” Remote Code Execution (RCE) exploit being sold, plus a second nasty infosec bug. $ZMhttps://t.co/37CPIqtsLF

— @Richi Jennings (@RiCHi) April 16, 2020

Zoom can’t seem to catch a break. The latest bad press for the videoconference service is about reused username/password pairs.

It seems hackers have discovered half a million compromised, reused credentials matching @zoom_us accounts: https://t.co/q28fqyXAvj

— @Richi Jennings (@RiCHi) April 16, 2020

Check out latest blog from Richi Jennings: @RiCHi Twitter: Your Privacy Is For Sale (You Can’t Opt Out) #dataprivacy #gdpr #sbblogwatch #twitter https://t.co/hGLfm9PdxL

— SecurityBoulevard (@securityblvd) April 13, 2020

Check out latest blog from Richi Jennings: @RiCHi Researchers managed to defeat many fingerprint sensors on portable devices, which is extremely worrying. But... #biometricauthentication #cybersecurity #fingerprintsensors #informationsecurity #sbblogwatch https://t.co/kFAQIg219v

— SecurityBoulevard (@securityblvd) April 10, 2020

🤬Repeat after me: An SMS challenge is not proof of identity.

It’s far too easy for a hacker to take over a number or intercept SMS traffic: https://t.co/4BqgLCK7xA

— @Richi Jennings (@RiCHi) April 9, 2020

Check out latest blog from Richi Jennings: @RiCHi Google, Amazon, Facebook and 200 other cloud and CDN services companies had their internet traffic routed through Russia on April 1. #bgphijacking #manrs #russia #sbblogwatch https://t.co/TgBKvXMiDe

— SecurityBoulevard (@securityblvd) April 7, 2020