Group items tagged

"showing how they can create a 40cm x 40cm "patch" that fools a convoluted neural network classifier that is otherwise a good tool for identifying humans into thinking that a person is not a person -- something that could be used to defeat AI-based security camera systems. They theorize that the could just print the patch on a t-shirt and get the same result."

"The malware was delivered through multiple ad networks, and used a number of vulnerabilities, including a recently-patched flaw in Microsoft's former Flash competitor Silverlight, which was discontinued in 2013. When the infected adverts hit users, they redirect the page to servers hosting the malware, which includes the widely-used (amongst cybercriminals) Angler exploit kit. That kit then attempts to find any back door it can into the target's computer, where it will install cryptolocker-style software, which encrypts the user's hard drive and demands payment in bitcoin for the keys to unlock it."

"Microsoft has pulled its latest Windows 10 update offline after some users complained of missing files. It's the latest in a string of incidents with regular patches and Microsoft's larger Windows 10 updates that have been causing issues for some PC users this year. While Microsoft tests Windows 10 with millions of beta testers, there are signs that this public feedback loop isn't always working. Earlier this year Microsoft delayed its April 2018 Windows 10 update due to last minute Blue Screen of Death issues, and then had to fix desktop and Chrome freezing issues after it was shipped to more than 600 million machines. "

The US National Security Agency (NSA) knew of the Heartbleed flaw in the widely used OpenSSL security tool and exploited it for year - instead of blowing the whistle so that the patch could be flawed."

"As more governments turn to contact tracing apps to aid in their efforts to contain the coronavirus outbreak, cybersecurity experts are warning this may spark renewed interest in Bluetooth attacks. They urge developers to ensure such apps are regularly tested for vulnerabilities and release patches swiftly to plug potential holes, while governments should provide assurance that their databases are secure and the data collected will not be used for purposes other than as originally intended. "

"Computer security experts suggested that the crisis could reflect weaknesses in the NHS's cybersecurity. Ross Anderson, of Cambridge University, said the attack appeared to exploit a weakness in Microsoft's software that was fixed by a "critical" software patch earlier this year but which may not have been installed across NHS computers."

"The disclosure points to a problem security researchers have been warning about for years: that despite its reputation for building what is seen by millions of customers as a secure product, some believe Apple's closed culture and fear of negative press have harmed its ability to provide security for those targeted by governments and criminals. "Apple's self-assured hubris is just unparalleled," said Patrick Wardle, a former NSA employee and founder of the Mac security developer Objective-See. "They basically believe that their way is the best way. And to be fair … the iPhone has had incredible success. "But you talk to any external security researcher, they're probably not going to have a lot of great things to say about Apple. Whereas if you talk to security researchers in dealing with, say, Microsoft, they've said: 'We're gonna put our ego aside, and ultimately realise that the security researchers are reporting vulnerabilities that at the end of the day are benefiting our users, because we're able to patch them.' I don't think Apple has that same mindset.""

"Oliver also pointed to a Finnish man who once found "one of the most severe security flaws ever discovered in a voting system" in US machines and alerted their manufacturers, who released a patch to fix the problem in 2006. The state of Georgia, however, never installed it, and the Senate report noted their machines hadn't been updated since at least 2005. "They'd essentially been hitting the 'remind me tomorrow' button on a critical security update for over a decade," Oliver explained, "meaning Georgia's election systems operate on the same level of technical proficiency as Every Dad"."

"Toyota's Lexus rolled out an update for some of its cars, including RX350, which broke the vehicles' navigation and entertainment systems leaving them stuck in a boot loop. Lexus confirmed that the software updates are routinely pushed out via satellite to cars and that a faulty application may be to blame."

"TL;DR: all recent macOS devices are no longer safe to use if left alone, even if you have them powered down. The root of trust on macOS is inherently broken They can bruteforce your FileVault2 volume password They can alter your macOS installation They can load arbitrary kernel extensions"

"The flaw, dubbed "Log4Shell", may be the worst computer vulnerability discovered in years. It was uncovered in an open-source logging tool that is ubiquitous in cloud servers and enterprise software used across the industry and the government. Unless it is fixed, it grants criminals, spies and programming novices alike, easy access to internal networks where they can loot valuable data, plant malware, erase crucial information and much more."