2014, Authentication, Encryption and Passwords

Retail giant Home Depot agrees to a $17.5 million settlement over 2014 data breach

Security Affairs

NOVEMBER 25, 2020

million settlement in a multi-state investigation of the data breach that the company suffered in 2014. million settlement over the 2014 data breach. In 2014, Home Depot revealed that the data breach impacted 56 million customers across the US and Canada. Retail giant Home Depot has agreed to a $17.5 ” . .

Retail

Retail Data breaches Penetration Testing Password Management

DRAGONBLOOD flaws allow hacking WPA3 protected WiFi passwords

Security Affairs

AUGUST 3, 2019

Dragonblood researchers found two new weaknesses in WPA3 protocol that could be exploited to hack WPA3 protected WiFi passwords. passwords. A group of researchers known as Dragonblood (Mathy Vanhoef and Eyal Ronen ) devised new methods to hack WPA3 protected WiFi passwords by exploiting two new vulnerabilities dubbed Dragonblood flaws.

Passwords

Passwords Hacking Wireless Authentication

TP-Link Archer routers allow remote takeover without passwords

Security Affairs

DECEMBER 17, 2019

TP-Link has addressed a critical vulnerability impacting some TP-Link Archer routers that could allow attackers to login without passwords. ” The flaw could allow unauthorized third-party access to the router with admin privileges without proper authentication. .” ” continues the post. ” the expert concludes.

Passwords

Passwords Advertising Firmware Authentication

Webinars

Reimagining Cybersecurity Training: Driving Real Impact on Security Culture

MORE WEBINARS

Flaws in several self-encrypting SSDs allows attackers to decrypt data they contain

Security Affairs

NOVEMBER 6, 2018

The encryption system implemented by popular solid-state drives (SSDs) is affected by critical vulnerabilities that could be exploited by a local attacker to decrypt data. “We have analyzed the hardware full-disk encryption of several SSDs by reverse engineering their firmware.

Encryption

Encryption Firmware Passwords Advertising

A flaw in India Digilocker could?ve been exploited to bypass authentication

Security Affairs

JUNE 8, 2020

Any Indian DigiLocker Account Could’ve Been Accessed Without Password. The Indian Government fixed a flaw in the secure document wallet service Digilocker that could have potentially allowed anyone’s access without password. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Authentication

Authentication Mobile Accountability Passwords

WPA3 attacks allow hackers to hack Wi-Fi password

Security Affairs

APRIL 10, 2019

Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks. Security researchers discovered weaknesses in WPA3 that could be exploited to recover WiFi passwords by abusing timing or cache-based side-channel leaks.

Passwords

Passwords Hacking Advertising Network Security

OpenSSL Patches New Bug Targeting Encryption [Lessons from Heartbleed]

Security Boulevard

MAY 5, 2022

OpenSSL Patches New Bug Targeting Encryption [Lessons from Heartbleed]. A flaw in the encryption algorithm used to underpin OpenSSL was exploited, triggering an infinite number of requests when certain input value(s) are used. “The Encryption must be encrypted. Then Don’t Ban End-to-End Encryption. Related Posts.

Encryption

Encryption Software Media Authentication

A flaw in Microsoft OAuth authentication could lead Azure account takeover

Security Affairs

DECEMBER 3, 2019

The vulnerability affects the way Microsoft applications use OAuth for authentication, these applications trust certain third-party domains and sub-domains that are not registered by Microsoft. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. You can see more API calls documented here.”

Authentication

Authentication Accountability Social Engineering Advertising

MY TAKE: What NortonLifeLock’s $8 billion buyout of Avast portends for consumer security

The Last Watchdog

AUGUST 18, 2021

Norton got ‘ demergered ’ from Symantec in 2014 and then acquired LifeLock for $2.3 There are simple steps consumers can take today, for free, to lower their overall risk of a cyber attack, including using multi-factor authentication for their accounts and using strong passwords. billion in 2017; Avast acquired AVG for $1.3

Antivirus

Antivirus Marketing Identity Theft Social Engineering

3.4 Million user records from LiveAuctioneers hack available for sale

Security Affairs

JULY 14, 2020

.” According to the company, attackers accessed personal details of the users, including names, email addresses, mailing addresses, phone numbers, and also encrypted passwords. In response to the incident, the bidding portal has forced a password reset for all users’ accounts, both bidder and auctioneer ones.

Hacking

Hacking Data breaches Identity Theft Advertising

FBI issued a flash alert about Netwalker ransomware attacks

Security Affairs

AUGUST 2, 2020

“Once an actor has infiltrated a network with Netwalker, a combination of malicious programs may be executed to harvest administrator credentials, steal valuable data, and encrypt user files. . Use two-factor authentication with strong passwords. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->.

Ransomware

Ransomware VPN Advertising Government

Visa warns of new sophisticated credit card skimmer dubbed Baka

Security Affairs

SEPTEMBER 6, 2020

The skimmer loads dynamically to avoid static malware scanners and uses unique encryption parameters for each victim to obfuscate the malicious code.” The JavaScript URL is hardcoded in the loader script in encrypted format, experts observed that the attackers can change the URL for each victim. Pierluigi Paganini.

eCommerce

eCommerce Malware Encryption Advertising

Cisco Talos warns of hardcoded credentials in Alpine Linux Docker Images

Security Affairs

MAY 9, 2019

Since December 2015, Alpine Linux Docker images have been shipped with hardcoded credentials, a NULL password for the root user. 3) contain a NULL password for the root user. the /etc/shadow file contains a blank field in place of the encrypted password (sp_pwdp in the context of the spwd struct returned by getspent.”

Passwords

Passwords Advertising Authentication Accountability

New Ransom Payment Schemes Target Executives, Telemedicine

Krebs on Security

DECEMBER 8, 2022

First spotted in mid-August 2022 , Venus is known for hacking into victims’ publicly-exposed Remote Desktop services to encrypt Windows devices. Using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication. Encrypting sensitive data wherever possible.

Healthcare

Healthcare Backups Ransomware Insurance

Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware

Security Affairs

MAY 21, 2020

The data for any specific firewall depends upon the specific configuration and may include usernames and hashed passwords for the local device admin(s), portal admins, and user accounts used for remote access.” Passwords associated with external authentication systems such as AD or LDAP are unaffected. Pierluigi Paganini.

Firewall

Firewall Ransomware Passwords VPN

Marriott Breach: More than 500 Million Guest Affected

Adam Levin

NOVEMBER 30, 2018

. “The company recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it,” Marriott disclosed in a statement. The vulnerability that the hackers took advantage of had been in place and used for “unauthorized access,” according to the company statement, since 2014.

Identity Theft

Identity Theft Financial Services Password Management Media

Data of 21 million Mixcloud users available for sale on the dark web

Security Affairs

DECEMBER 1, 2019

The hacker access to users’ data, including usernames , email addresses, SHA-2 hashed passwords, account sign-up dates and country, the last-login date, the internet (IP) address, and links to profile photos. The majority of Mixcloud users signed up via Facebook authentication, in which cases we do not store passwords.”

Data breaches

Data breaches Passwords Advertising Hacking

5 Ways artificial intelligence Is Being Used to Keep Sensitive Information Secure

Security Affairs

FEBRUARY 19, 2020

Encryption. Therefore, businesses need encryption along the way. Encryption is merely changing the data to something that seems meaningless, like a code, which the system then decrypts on the other side. Password Protection & Authentication. Passwords are the baseline of cybersecurity.

Artificial Intelligence

Artificial Intelligence Information Security Passwords Encryption

Zendesk 2016 security breach may impact Uber, Slack, and other organizations

Security Affairs

OCTOBER 2, 2019

Zendesk discloses a data breach that took place in 2016 when a hacker accessed data of 10,000 users, including passwords, emails, names, and phone numbers. In 2016, customer service software company Zendesk suffered a security breach that exposed data of 10,000 users, including passwords, emails, names, and phone numbers.

Data breaches

Data breaches Passwords Authentication Accountability

Hacking the ‘Unhackable’ eyeDisk USB stick

Security Affairs

MAY 12, 2019

The paradox, the USB stick eyeDisk that uses iris recognition to unlock the drive could reveal the device’s password in plain text in a simple way. eyeDisk features AES 256-bit encryption for your iris pattern.” The first tests he made attempted to bypass the biometric authentication using a photo, but it did work.

Hacking

Hacking Passwords Authentication Advertising

API Security and Hackers: What?s the Need?

Security Affairs

MAY 30, 2020

Authentication. To increase the complexity of hacking your device, always get to know who is calling your APIs, by using a simple access authentication (user/password) or an API key (asymmetric key). Encryption. The authorization and/or authentication of your APIs should be delegated. Just be cryptic.

Authentication

Authentication Firewall Encryption Passwords

USBAnywhere BMC flaws expose Supermicro servers to hack

Security Affairs

SEPTEMBER 3, 2019

When accessed remotely, the virtual media service allows plaintext authentication, sends most traffic unencrypted, uses a weak encryption algorithm for the rest, and is susceptible to an authentication bypass. In the simplest case, an attacker could simply try the well-known default username and password for the BMC.

Hacking

Hacking Firmware Media Authentication

Expert found hundred of vulnerable Jenkins Plugins

Security Affairs

MAY 4, 2019

Jenkins plugins allow to implement additional functionalities like Active Directory authentication, or solve reoccurring tasks such as executing a static code analyser or copying a compiled software to a CIFS share. In the majority of cases these solutions did not involve any encryption.” ” he added. Pierluigi Paganini.

Passwords

Passwords Advertising Encryption Hacking

Android Pie introduces important security and privacy enhancements

Security Affairs

DECEMBER 27, 2018

The latest version of Google OS, Android Pie, implements significant enhancements for cybersecurity, including a stronger encryption and authentication. The tech giant updated the File-Based Encryption implementing the support for external storage media, it also included the metadata encryption with hardware support.

Mobile

Mobile Encryption Authentication Advertising

Moxa Industrial Switches plagued with several flaws

Security Affairs

MARCH 11, 2019

“Successful exploitation of these vulnerabilities could allow the reading of sensitive information, remote code execution, arbitrary configuration changes, authentication bypass, sensitive data capture, reboot of the device, device crash, or full compromise of the device.” Pierluigi Paganini.

Advertising

Advertising Encryption Authentication Passwords

Happy 13th Birthday, KrebsOnSecurity!

Krebs on Security

DECEMBER 29, 2022

Among the Twilio customers targeted was encrypted messaging service Signal , which relied on Twilio to provide phone number verification services. DigitalOcean severs ties with Mailchimp after that incident , which briefly prevented the hosting firm from communicating with its customers or processing password reset requests.

Cryptocurrency

Cryptocurrency Cybercrime Computers and Electronics Scams

GDPR Data Security Checklist in the Age of COVID-19 and the Remote Workforce

Security Affairs

MAY 11, 2020

To maximize your network security, always protect your router with a unique password and use an encrypted network. To resolve this issue, organizations must opt for two-factor authentication for their system. Encrypted Tools. Most of the online tools are not secured and do not provide end to end encryption.

Encryption

Encryption Data breaches Advertising Passwords

Top 10 Data Breaches of All Time

SecureWorld News

MARCH 24, 2022

Summary: Yahoo believes that "state-sponsored actors" compromised all of their users accounts between 2013 and 2014. Summary: This data breach was unique in the sense that there was not a breach in the company's servers, but an authentication error, meaning no authentication was required to view documents. Who attacked: unknown.

Data breaches

Data breaches Passwords Accountability Government

For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records

Krebs on Security

SEPTEMBER 4, 2018

The database required no authentication. Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months.

Spyware

Spyware Mobile Advertising Software

Netwalker ransomware hit K-Electric, the major Pakistani electricity provider

Security Affairs

SEPTEMBER 9, 2020

The gang also claimed on the ‘Stolen data’ page of their Tor leak site that they have stolen unencrypted files from K-Electric before encrypting its systems. Use two-factor authentication with strong passwords. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Pierluigi Paganini.

Ransomware

Ransomware Energy and Utilities VPN Advertising

Experts disclose tens of flaws in Zyxel Cloud CNM SecuManager, includes dangerous backdoors

Security Affairs

MARCH 12, 2020

no authentication and clear-text communication Incorrect HTTP requests cause out of range access in Zope XSS on the web interface Private SSH key Backdoor APIs Backdoor management access and RCE Pre-auth RCE with chrooted access. This allows an attacker to MITM and decrypt the encrypted traffic.” Pierluigi Paganini.

Accountability

Accountability Advertising Software Authentication

Thousands credit card numbers of MoviePass customers were exposed online

Security Affairs

AUGUST 21, 2019

The researcher discovered that the records in the database were not encrypted. According to Techcrunch, which analyzed a sample of 1,000 records, data are authentic. Logging data included email addresses and incorrectly typed passwords. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Advertising

Advertising Encryption Authentication Passwords

Netwalker ransomware operators leaked files stolen from K-Electric

Security Affairs

OCTOBER 1, 2020

The gang also claimed on the ‘Stolen data’ page of their Tor leak site that they have stolen unencrypted files from K-Electric before encrypting its systems. Use two-factor authentication with strong passwords. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Source BleepingComputer.

Ransomware

Ransomware Advertising Engineering VPN

Australian social news platform leaks 80,000 user records

Security Affairs

OCTOBER 5, 2020

To increase efforts to secure user data, Snewpit will be reviewing “all server logs and access control settings” to confirm that no unauthorized access took place and to ensure that “user data is secure and encrypted.”. We will be reviewing all access control settings and ensuring our user data is secure and encrypted.

Identity Theft

Identity Theft Passwords Advertising Password Management

IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them

Security Affairs

OCTOBER 13, 2020

Simple or reused passwords are still a problem. While the cybersecurity industry has presented options for every netizen, the recommendation to use original and complex passwords continues to be disregarded. Instead, people come up with passwords that are comfortable. Improper encryption. Poor credentials.

IoT

IoT Cybersecurity Manufacturing Internet

QNAP urges users to update Malware Remover after QSnatch joint alert

Security Affairs

AUGUST 2, 2020

The first campaign likely began in early 2014 and continued until mid-2017, while the second started in late 2018 and was still active in late 2019. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS. Change the admin password and use a strong one. Install and update Security Counselor.

Malware

Malware Advertising Passwords Manufacturing

Security Affairs newsletter Round 253

Security Affairs

MARCH 1, 2020

FBI recommends using passphrases instead of complex passwords. Kr00k Wi-Fi Encryption flaw affects more than a billion devices. New strain of Cerberus Android banking trojan can steal Google Authenticator codes. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Lampion malware v2 February 2020.

Banking

Banking Malware Advertising Ransomware

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

The Last Watchdog

DECEMBER 3, 2018

In 2014, a JP Morgan Chase hack exposed 76 million households. A single neglected server that was not protected by a dual password scheme was the last line of defense standing between the hacker and the exposed data. How could a breach like this continue for four years? Bimal Gandhi, Chief Executive Officer, Uniken : .

Hacking

Hacking eCommerce Social Engineering Authentication

Expert released PoC exploit code for unpatched backdoor in HiSilicon chips

Security Affairs

FEBRUARY 5, 2020

More recent firmware versions had Telnet access and debug port (9527/ tcp ) disabled by default, but they had open port 9530/ tcp that could be exploited by attackers to send a special command to start telnet daemon and enable shell access with a static password ([ 1 ], [ 2 ], [ 3 ]). This is a subject of actual disclosure.”

Firmware

Firmware Encryption Advertising Passwords

Hacking the Twinkly IoT Christmas lights

Security Affairs

DECEMBER 24, 2018

The communications are not encrypted, however the WiFi password is sent encrypted during set up (albeit trivial to decrypt).” “As the communications are not encrypted, it is simple to Man-in-the-Middle the traffic and analyse the API.” ” reads the analysis published by MWR InfoSecurity.

IoT

IoT Hacking DNS Authentication

Cyber CEO: The History Of Cybercrime, From 1834 To Present

Herjavec Group

AUGUST 26, 2021

1962 — Allan Scherr — MIT sets up the first computer passwords, for student privacy and time limits. Student Allan Scherr makes a punch card to trick the computer into printing off all passwords and uses them to log in as other people after his time runs out. She connects him to any phone number he requests for free.

Cybercrime

Cybercrime Computers and Electronics Banking Hacking

FBI warns cyber actors abusing protocols as new DDoS attack vectors

Security Affairs

JULY 27, 2020

Change the default username and passwords for all network devices, especially IoT devices. If the device’s default username or password cannot be changed, ensure the device(s) providing Internet access to that device has a strong password and a second layer of security, such as multi-factor authentication or end-to-end encryption.

DDOS

DDOS IoT Internet Internet

QSnatch malware infected over 62,000 QNAP NAS Devices

Security Affairs

JULY 28, 2020

CGI password logger This installs a fake version of the device admin login page, logging successful authentications and passing them to the legitimate login page. These are encrypted with the actor’s public key and sent to their infrastructure over HTTPS. The QSnatch malware implements multiple functionalities, such as: .

Malware

Malware Firmware Advertising Manufacturing

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

Security Affairs

APRIL 20, 2019

The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap , a new secure messaging app launched by the French government for encrypted communications between officials and politicians. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. or @elysee.fr

Government

Government Encryption Accountability Advertising

Retail giant Home Depot agrees to a $17.5 million settlement over 2014 data breach

DRAGONBLOOD flaws allow hacking WPA3 protected WiFi passwords

Webinars

Trending Sources

TP-Link Archer routers allow remote takeover without passwords

Webinars

Flaws in several self-encrypting SSDs allows attackers to decrypt data they contain

A flaw in India Digilocker could?ve been exploited to bypass authentication

WPA3 attacks allow hackers to hack Wi-Fi password

OpenSSL Patches New Bug Targeting Encryption [Lessons from Heartbleed]

A flaw in Microsoft OAuth authentication could lead Azure account takeover

MY TAKE: What NortonLifeLock’s $8 billion buyout of Avast portends for consumer security

3.4 Million user records from LiveAuctioneers hack available for sale

FBI issued a flash alert about Netwalker ransomware attacks

Visa warns of new sophisticated credit card skimmer dubbed Baka

Cisco Talos warns of hardcoded credentials in Alpine Linux Docker Images

New Ransom Payment Schemes Target Executives, Telemedicine

Sophos blocked attacks exploiting XG Firewall zero-day to deploy Ransomware

Marriott Breach: More than 500 Million Guest Affected

Data of 21 million Mixcloud users available for sale on the dark web

5 Ways artificial intelligence Is Being Used to Keep Sensitive Information Secure

Zendesk 2016 security breach may impact Uber, Slack, and other organizations

Hacking the ‘Unhackable’ eyeDisk USB stick

API Security and Hackers: What?s the Need?

USBAnywhere BMC flaws expose Supermicro servers to hack

Expert found hundred of vulnerable Jenkins Plugins

Android Pie introduces important security and privacy enhancements

Moxa Industrial Switches plagued with several flaws

Happy 13th Birthday, KrebsOnSecurity!

GDPR Data Security Checklist in the Age of COVID-19 and the Remote Workforce

Top 10 Data Breaches of All Time

For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records

Netwalker ransomware hit K-Electric, the major Pakistani electricity provider

Experts disclose tens of flaws in Zyxel Cloud CNM SecuManager, includes dangerous backdoors

Thousands credit card numbers of MoviePass customers were exposed online

Netwalker ransomware operators leaked files stolen from K-Electric

Australian social news platform leaks 80,000 user records

IoT Cybersecurity: 5 Major Vulnerabilities and How to Tackle Them

QNAP urges users to update Malware Remover after QSnatch joint alert

Security Affairs newsletter Round 253

MY TAKE: Massive Marriott breach continues seemingly endless run of successful hacks

Expert released PoC exploit code for unpatched backdoor in HiSilicon chips

Hacking the Twinkly IoT Christmas lights

Cyber CEO: The History Of Cybercrime, From 1834 To Present

FBI warns cyber actors abusing protocols as new DDoS attack vectors

QSnatch malware infected over 62,000 QNAP NAS Devices

Hacker broke into super secure French Government’s Messaging App Tchap hours after release

Stay Connected