VMware 2FA flaw can divulge that vital second credential to malicious actors

The Register - Mon, 20/12/2021 - 07:02
Plus: Deep dive into the NSO Group's zero-click exploit and 'Hack the DHS!'

In Brief  VMware has warned users a flaw in its VMware Verify two-factor authentication product could allow a malicious actor with a first-factor authentication credential to obtain a second factor from its VMware Verify product.…

Categories: News

Bad things come in threes: Apache reveals another Log4J bug

The Register - Sun, 19/12/2021 - 22:57
Third major fix in ten days is an infinite recursion flaw rated 7.5/10

The Apache Software Foundation (ASF) has revealed a third bug in its Java-based open-source logging library Log4j.…

Categories: News

US distrust of Huawei linked in part to malicious software update in 2012

The Register - Sat, 18/12/2021 - 11:01
Report claims Huawei techs working for Chinese intelligence compromised Australian telco

Suspicions about the integrity of Huawei products among US government officials can be attributed in part to a 2012 incident involving a Huawei software update that compromised the network of a major Australian telecom company with malicious code, according to a report published by Bloomberg.…

Categories: News

CISA issues emergency directive to fix Log4j vulnerability

The Register - Fri, 17/12/2021 - 21:29
Federal agencies have a week to get their systems patched

The US government's Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021.…

Categories: News

RAF shoots down 'terrorist drone' over US-owned special ops base in Syria

The Register - Fri, 17/12/2021 - 15:29
£200k Anglo-French heat-seeking missile does its thing

The RAF has scored its first air-to-air "kill" – where an aircraft downs an enemy aircraft – for almost 40 years after shooting down a drone over Syria.…

Categories: News

Over Log4j? VMware has another critical flaw for you to patch

The Register - Fri, 17/12/2021 - 02:28
Workspace ONE Unified Endpoint Management can leak info via server-side request forgery

VMware customers have probably had a busy week because more than 100 of the IT giant's products are impacted by the Log4j bug.…

Categories: News

Facebook locks out 1,500 fake accounts used by cyber-spy firms to snoop on people, alerts 50k potential targets

The Register - Fri, 17/12/2021 - 01:41
Meta averse to internet mercenaries using its social networks to help governments violate human rights

Facebook successor Meta on Thursday said it canceled 1,500 social media accounts used by seven surveillance-for-hire firms to conduct online attacks against government critics and members of civil society.…

Categories: News

Why ransomware attacks happen out of hours or during the holidays

The Register - Thu, 16/12/2021 - 18:00
Security teams have a choice to make – and doing nothing is not an option

Paid Feature  Time waits for no one. But ransomware attackers do. Increasingly, cybercriminals are timing their attacks, detonating them when their victims are out of the office. This gives them the chance to inflict maximum damage, and explains why ransomware attacks surge on public holidays like Thanksgiving and Christmas. How do they do it, and what can under-staffed security teams do about it?…

Categories: News

East Londoners nicked under Computer Misuse Act after NHS vaccine passport app sprouted clump of fake entries

The Register - Thu, 16/12/2021 - 16:04
App runs off a database, and databases are run by humans

British police have made a series of arrests over the past few months after people with apparent access to NHS databases allegedly sold fake vaccination status entries on the NHS vaccine passport app.…

Categories: News

Move fast, break security: Why CISOs must push back against Agile IT

The Register - Thu, 16/12/2021 - 08:30
The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them

Advertorial  The Vectra Masked CISO series gives security leaders a place to expose the biggest issues in security and advise peers on how to overcome them.

Categories: News

National Cyber Strategy will lead to BritChip for mobile devices by 2025, claims

The Register - Thu, 16/12/2021 - 07:29
And potentially an increase in UK state-backed hacks

The British government has launched a £2.6bn National Cyber Strategy, intended to steer the state's thinking on cyber attack, defence and technology for the next three years – and there's some good news if you run a tech company.…

Categories: News

Japan draws a LINE: web giants must reveal where they store user data

The Register - Thu, 16/12/2021 - 06:46
Looks a lot like a response to messaging services passing data through China

Social media and search engine operators in Japan will be required to specify the countries in which users' data is physically stored, under a planned tweak to local laws.…

Categories: News

Facebook expands bug bounty program to include scraping attacks, two years after it was scraped – hard

The Register - Thu, 16/12/2021 - 01:33
But still allows limited harvesting

Meta has expanded its bug bounty program to include payouts for reports of scraping attacks on Facebook – but hold your applause.…

Categories: News

As CISA tells US govt agencies to squash Log4j bug by Dec 24, fingers start pointing at China, Iran, others

The Register - Wed, 15/12/2021 - 23:31
Microsoft says cyber-spies linked to Beijing, Tehran are getting busy with security flaw along with world + dog

Microsoft reckons government cyber-spies in China, Iran, North Korea, and Turkey are actively exploiting the Log4j 2.x remote-code execution hole.…

Categories: News

US lawmakers want to put NSO Group, 3 other spyware makers out of business with fresh severe sanctions

The Register - Wed, 15/12/2021 - 20:50
Export controls aren't enough, Dems say: Bring on the Global Magnitsky Act

Eighteen US Democratic lawmakers have asked the Treasury Department and State Department to punish Israel-based spyware maker NSO Group and three other surveillance software firms for enabling human rights abuses.…

Categories: News

Pen Test Partners: Anyone could view Gumtree users' GPS location by pressing F12

The Register - Wed, 15/12/2021 - 15:31
And online flea market had IDOR in an iOS-focused API

UK online used goods bazaar Gumtree exposed its users' home addresses in the source code of its webpages, and then tried to squirm out of a bug bounty after infosec bods alerted it to the flaw.…

Categories: News

Microsoft closes installer hole abused by Emotet malware, Google splats Chrome bug exploited in the wild

The Register - Wed, 15/12/2021 - 03:29
Round off the year with a large crop of fixes for programming blunders

Patch Tuesday  It's not just Log4j you need to worry about this week. It's the final Patch Tuesday of the year.…

Categories: News

Apache takes off, nukes insecure feature at the heart of Log4j from orbit with v2.16

The Register - Tue, 14/12/2021 - 23:30
Now open-source logging library's JNDI disabled entirely by default, message lookups removed

Last week, version 2.15 of the widely used open-source logging library Log4j was released to tackle a critical security hole, dubbed Log4Shell, which could be trivially abused by miscreants to hijack servers and apps over the internet.…

Categories: News

You may have cracked serverless development, but it’s almost certain you haven’t solved serverless security

The Register - Tue, 14/12/2021 - 18:00
Here’s how to secure that ever-expanding attack surface

Paid Post  Serverless is revolutionizing software development, allowing organizations to produce applications which consume cloud resources only when they need to. Developing applications this way also dramatically reduces the amount of code to write while increasing the velocity of completed applications.…

Categories: News

Popular password manager LastPass to be spun out from LogMeIn

The Register - Tue, 14/12/2021 - 17:11
Private equity owners play pass the parcel

One of the biggest beasts in the password management world, LastPass, is being spun out from parent LogMeIn as a "standalone cloud security" organisation.…

Categories: News
