Cyber security news and services

Kr00k Wi-Fi Encryption flaw affects more than a billion devices


A high-severity hardware vulnerability, dubbed Kr00k, in Wi-Fi chips manufactured by Broadcom and Cypress exposes over a billion devices to hacking. Cybersecurity researchers from ESET have discovered a new high-severity hardware vulnerability, dubbed Kr00k, that affects Wi-Fi chips manufactured by Broadcom and Cypress. The vulnerability could have a severe impact on the IT sector: the flawed chips are used in over a billion devices, including routers, smartphones, tablets, laptops, and IoT gadgets.…

After blowing $100m to snoop on Americans’ phone call logs for four years, what did the NSA get? Just one lead


The controversial surveillance program that gave the NSA access to the phone call records of millions of Americans has cost US taxpayers $100m – and resulted in just one useful lead over four years. That’s the upshot of a report [PDF] from the US government’s freshly revived Privacy and Civil Liberties Oversight Board (PCLOB). The panel dug into the super-snoops’ so-called Section 215 program, which is due to be renewed next month.…

Android malware can steal Google Authenticator 2FA codes


A new version of the ‘Cerberus’ Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts. Security researchers say that an Android malware strain can now extract and steal one-time passcodes (OTP) generated through Google Authenticator, a mobile app that’s used as a two-factor authentication (2FA) layer for many online accounts. Source: zdnet.com…

Amazon engineer calls for Ring to be ‘shut down immediately’ over privacy concerns


‘The privacy issues are not fixable with regulation and there is no balance that can be struck,’ the Amazon employee said of Ring. The post was published Sunday by the advocacy group Amazon Employees for Climate Justice and it was meant to protest the company’s external communications policy. Source: businessinsider.nl…

Wells Fargo to pay $3 billion over fake account scandal


Wells Fargo, the nation’s fourth-largest bank, agreed Friday to pay a $3 billion fine to settle a civil lawsuit and resolve a criminal prosecution filed by the Justice Department over its fake account scandal. Under pressure to meet sales quotas, bank employees opened millions of savings and checking accounts in the names of actual customers, without their knowledge or consent. Since the fraud became public in 2016, the bank has faced a torrent of lawsuits.…

These Guys Figured Out a Way to Get Endless Free McDonald’s


Last November, software developers Lenny Bakkalian and David Albert discovered two loopholes in the German McDonald’s system which allowed them to order an endless supply of free food. Recently, I met the two Hamburglars and their colleague Mats Tesch at an East Berlin McDonald’s so they could show me how they did it. McDonald’s receipts in Germany end with a link to a survey page. Once you take the survey, you receive a coupon code for a free small beverage, redeemable within a month.…

Leaked Document Shows How Big Companies Buy Credit Card Data on Millions of Americans


Yodlee, the largest financial data broker in the U.S., sells data pulled from the bank and credit card transactions of tens of millions of Americans to investment and research firms, detailing where and when people shopped and how much they spent. The company claims that the data is anonymous, but a confidential Yodlee document obtained by Motherboard indicates individual users could be unmasked. The findings come as multiple Senators have urged the Federal Trade Commission (FTC) to investigate Envestnet, which owns Yodlee, for selling Americans’ transaction information without their knowledge or consent, potentially violating the law.…

Big Telecom Says It Has First Amendment Right to Sell Your Private Data


ISPs say that a law requiring users to opt-in to having their location and financial data sold is a ‘burdensome restriction’ on their ‘protected speech.’ Source: vice.com…

MGM Hotel Hack Leaves 10.6M Guests’ Personal Data Exposed


10.6 million people who had stayed at MGM Resorts have had their personal data published on a hacking forum, it was revealed this week. It is thought that the recent breach stems from an earlier incident which occurred last year, whereby unauthorised actors were able to access MGM’s internal cloud and therefore the personal information of previous guests. The biggest concern in the MGM disclosure is that hackers stole deeper, more sensitive data on 1,300 individuals, including information from driver’s licenses and military ID cards.…

Google to Samsung: Stop messing with Linux kernel code. It’s hurting Android security


Samsung’s attempt to prevent attacks on Galaxy phones by modifying kernel code ended up exposing it to more security bugs, according to Google Project Zero (GPZ). Not only are smartphone makers like Samsung creating more vulnerabilities by adding downstream custom drivers for direct hardware access to Android’s Linux kernel, but vendors would be better off using security features that already exist in the Linux kernel, according to GPZ researcher Jann Horn. It was this type of mistake that Horn found in the Android kernel on the Samsung Galaxy A50.…

We keep falling for phishing emails, and Google just revealed why


You should feel cranky about all the phishing emails you get. Because getting your brain in a grumpy gear will elevate the odds of your not getting fooled by the next phony invitation to log into your account. The roughly 100 million phishing emails Google blocks every day fall into three main categories: highly targeted but low-volume spear phishing aimed at distinct individuals, “boutique phishing” that targets only a few dozen people, and automated bulk phishing directed at thousands or hundreds of thousands of people.…

How an Amazon Engineer Exposed Credentials


UpGuard can now disclose that a repository hosted on GitHub with data from an Amazon Web Services engineer containing personal identity documents and system credentials including passwords, AWS key pairs, and private keys has been secured from public access. The data was committed to a public repository on the morning of 13 January, 2020. It was detected within half an hour by UpGuard analysts, reported to AWS Security, and secured that same day…

Rogue NYPD cops are using facial recognition app Clearview


Rogue NYPD officers are using a sketchy facial-recognition software that its own facial recognition unit doesn’t want to touch because of concerns about security and potential for abuse, The Post has learned. Clearview AI, which has scraped millions of photos from social media and other public sources for its facial recognition program — earning a cease-and-desist order from Twitter — has been pitching itself to law enforcement organizations across the country, including to the NYPD.…

WOOF locker: Unmasking the browser locker behind a stealthy tech support scam operation


We reveal details on the most sophisticated browser locker campaign we’ve seen yet. Learn how this tech support scam fools users by hiding in plain sight. In the early days, practically all tech support scammers would get their own leads by doing some amateur SEO poisoning and keyword stuffing on YouTube and other social media sites. They’d then leverage their boiler room to answer incoming calls from victims. Today, these practices continue, but we are seeing more advanced operations with a clear separation between lead generation and actual call fulfillment.…

Here Is the Technical Report Suggesting Saudi Arabia’s Prince Hacked Jeff Bezos’s Phone


Motherboard has obtained the report made by FTI Consulting into how Crown Prince Mohammad Bin Salman allegedly hacked Amazon CEO Jeff Bezos’s phone. A report investigating the potential hack of Jeff Bezos’ iPhone indicates that forensic investigators found a suspicious file but no evidence of any malware on the phone. It also says that investigators had to reset Bezos’s iTunes backup password because investigators didn’t have it to access the backup of his phone.…

Who Made the Spyware Used to Hack Jeff Bezos’ Phone?


The United Nations is at odds with the world’s most notorious spyware company over an age-old question: Who built the tech that hacked Amazon CEO Jeff Bezos’s cell phone, allegedly by sending him a poisoned WhatsApp message from the Crown Prince of Saudi Arabia? Bezos has a conflicted relationship with the Saudi royal family. As the owner of the Washington Post, he’s called for justice for Khashoggi, who wrote for the paper, and who was assassinated by Saudi agents the CIA believes were acting on bin Salman’s orders, though bin Salman denies involvement.…

A timeline of events surrounding the Bezos phone hack


Bezos hack connected to Khashoggi murder and the Washington Post’s subsequent media coverage. Source: zdnet.com…

The Secretive Company That Might End Privacy as We Know It


Until recently, Hoan Ton-That’s greatest hits included an obscure iPhone game and an app that let people put Donald Trump’s distinctive yellow hair on their own photos. Then Mr. Ton-That — an Australian techie and onetime model — did something momentous: He invented a tool that could end your ability to walk down the street anonymously, and provided it to hundreds of law enforcement agencies, ranging from local cops in Florida to the F.…

Google will now accept your iPhone as an authentication key


Smart Lock for iOS uses the iPhone’s Secure Enclave Processor (SEP), which is built into every iOS device with Touch ID or Face ID. That’s the processor that handles data encryption on the device – a processor that oh, so many law enforcement and hacker types spend so much time complaining about… or, as the case may be, cracking for fun, fame and profit. After you set it up, you’ll just need your iPhone or iPad, and your usual password, to use in 2FA when you sign in to Google on a desktop using Chrome.…

Chinese police arrested the operator of unauthorized VPN service that made $1.6 million from his activity


Chinese authorities continue operations against unauthorized VPN services, which are very popular in the country. China continues to intensify its monitoring of cyberspace and its persecution of VPN services that could be used to bypass its censorship system, known as the Great Firewall. The Great Firewall project has already blocked access to hundreds of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox. Since early 2019, the Chinese authorities have started banning “unauthorized” VPN services; any company offering such a service in the country must obtain an appropriate license from the government.…