Tag: vulnerability (Page 7 of 38)

A cyberattack paralyses Denmark's equivalent of the SNCF


“In Denmark, DSB, the country's main rail operator (the equivalent of the SNCF), was hit by a major cyberattack on 29 October 2022, paralysing the whole of the country's rail network for several hours. The attackers compromised Supeo, a subcontractor's software used by the company's employees, national media explain. Train drivers use it to access live operational information, such as details of track works and speed limits. Blocking this tool is enough to bring the whole machine to a halt. The operation was nothing very innovative either, since the company in charge of the software suffered a ransomware attack, forcing it to shut down all its servers as a precaution. The application suddenly went down for all drivers, forcing them to stop the trains as a safety measure.”

Source: A cyberattack paralyses Denmark's equivalent of the SNCF – Numerama

Planting Tiny Spy Chips in Hardware Can Cost as Little as $200


“Both Elkins and Hudson argue that hardware-based espionage via supply-chain hijacking is a technical reality, and one that may be easier to accomplish than many of the world’s security administrators realize. “What I want people to recognize is that chipping implants are not imaginary. They’re relatively straightforward,” says Elkins. “If I can do this, someone with hundreds of millions in their budget has been doing this for a while.””

Source: Planting Tiny Spy Chips in Hardware Can Cost as Little as $200 | WIRED

Your Microsoft Exchange Server Is a Security Liability


“Williams acknowledges that some users may prefer or even require that their email be hosted locally rather than in the cloud for legal or privacy issues. But many enterprises that rely on the security of controlling the Exchange server themselves need to reckon with the fact they’re likely introducing more risks than they’re avoiding. “I tell customers, ‘I get it, you want to run on-prem for control reasons,’” says Williams. “But you have to start evaluating this as a liability. And that’s because Microsoft is not putting effort and resources into patching.” “The proof is in the pudding,” Williams adds. “This code base is not getting the love that it clearly and desperately needs.” And if Microsoft isn’t giving that love to your Exchange server, perhaps Exchange no longer deserves your love, either.”

Source: Your Microsoft Exchange Server Is a Security Liability | WIRED

Google’s ‘Incognito’ Mode Inspires Staff Jokes — and a Big Lawsuit


“Court filings show that well before the search engine giant was taken to court, rank and file Googlers frankly voiced their own frustrations that Incognito didn’t live up to its name. “We need to stop calling it Incognito and stop using a Spy Guy icon,” one engineer said in a 2018 chat among Google Chrome engineers, after sharing research that showed users misunderstood features of private browsing modes. He was referring to the image of sunglasses under a hat that pops up with a message, “You’ve gone Incognito,” when a user opens a new tab to browse privately. A colleague responded by posting a link to a wiki profile of a character on “The Simpsons” cartoon show called Guy Incognito, who is a doppelganger of protagonist Homer Simpson. “Regardless of the name, the Incognito icon should have always been” Guy Incognito, the employee said. “Which also accurately conveys the level of privacy it provides.””

Source: Google’s ‘Incognito’ Mode Inspires Staff Jokes — and a Big Lawsuit (GOOGL) – Bloomberg

Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users


“Apart from offering the intended functionality, the extensions also track the user’s browsing activity. Every website visited is sent to servers owned by the extension creator. They do this so that they can insert code into eCommerce websites being visited. This action modifies the cookies on the site so that the extension authors receive affiliate payment for any items purchased.”

Source: Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users | McAfee Blog

Sovereign cloud: the strategy of chaos


“The extraterritorial US law FISA (the Foreign Intelligence Surveillance Act), completely ignored in the government's communications and in those of Bleu and S3ns, was nevertheless specifically designed for non-US companies. Moreover, FISA applies to the cloud and allows US intelligence services to place "backdoors" in any US software in order to access data whenever they wish”

Source: Sovereign cloud: the strategy of chaos

Meta announces that one million users have downloaded apps designed to steal their Facebook passwords

“Since the start of the year, the parent company of Facebook and Instagram has identified more than 400 "malicious" applications. "These apps were available on the Google Play Store [Android] and Apple's App Store [iOS] and posed as photo-editing tools, games, VPNs and other services," Meta explained in a statement.
Once downloaded and installed on the phone, these booby-trapped apps asked users to enter their Facebook credentials in order to use certain features. "They are just trying to trick people into handing over their confidential information so that hackers can access their accounts," David Agranovich summarised.”

Source: Meta announces that one million users have downloaded apps designed to steal their Facebook passwords

Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords

“Chrome’s enhanced spellcheck & Edge’s MS Editor are sending data you enter into form fields like username, email, DOB, SSN, basically anything in the fields, to sites you’re logging into from either of those browsers when the features are enabled. Furthermore, if you click on “show password,” the enhanced spellcheck even sends your password, essentially Spell-Jacking your data.”

Source: Chrome & Edge Enhanced Spellcheck Features Expose PII, Even Your Passwords | otto

“Google has yanked dozens of apps from its Google Play store after determining that they include a software element that surreptitiously harvests data. The Panamanian company that wrote the code, Measurement Systems S. de R.L., is linked through corporate records and web registrations to a Virginia defense contractor that does cyberintelligence, network-defense and intelligence-intercept work for U.S. national-security agencies. The code ran on millions of Android devices and has been found inside several Muslim prayer apps that have been downloaded more than 10 million times, as well as a highway-speed-trap detection app, a QR-code reading app and a number of other popular consumer apps, according to two researchers who discovered the behavior of the code in the course of auditing work they do searching for vulnerabilities in Android apps. They shared their findings with Google, a unit of Alphabet Inc., federal privacy regulators and The Wall Street Journal.”

Source: Google Bans Apps With Hidden Data-Harvesting Software – WSJ

“Apple and Meta provided basic subscriber details, such as a customer’s address, phone number and IP address, in mid-2021 in response to the forged “emergency data requests.” Normally, such requests are only provided with a search warrant or subpoena signed by a judge, according to the people. However, the emergency requests don’t require a court order.[…] Apple and Meta both publish data on their compliance with emergency data requests. From July to December 2020, Apple received 1,162 emergency requests from 29 countries. According to its report, Apple provided data in response to 93% of those requests. Meta said it received 21,700 emergency requests from January to June 2021 globally and provided some data in response to 77% of the requests.”

Source: Apple, Meta Gave User Data to Hackers With Forged Legal Requests (AAPL, FB) – Bloomberg
