IT Security Newsletter - 5/6/2021
Qualcomm vulnerability impacts nearly 40% of all mobile phones
A high-severity security vulnerability found in Qualcomm's Mobile Station Modem (MSM) chips (including the latest 5G-capable versions) could enable attackers to access mobile phone users' text messages and call history, and to listen in on their conversations. Qualcomm MSM is a series of 2G, 3G, 4G, and 5G capable systems on chip (SoCs) used in roughly 40% of mobile phones by multiple vendors, including Samsung, Google, LG, OnePlus, and Xiaomi.
Peloton's Leaky API Spilled Riders' Private Data
Peloton has hit a pothole. Its API was leaking riders' private data, it ignored a vulnerability disclosure from a penetration testing company, and it partially fixed the hole but didn't get around to telling the researcher until he reached out to a cybersecurity journalist for some help. This is bad news for Peloton, coming just before other, far more horrific news hit the headlines: Namely, on Wednesday, the company recalled all of its treadmills, which have been linked to 70 injuries and the death of one child.
DDoS attack knocks Belgian government websites offline
Many government websites and services in Belgium were knocked offline on Tuesday after Belnet, the internet service provider (ISP) for the country's public sector, was hit by a massive distributed denial-of-service (DDoS) attack. According to Belnet, the attack started on Tuesday morning and affected all of the approximately 200 institutions and organizations that use the company's services.
VMware fixes critical RCE bug in vRealize Business for Cloud
VMware has released security updates to address a critical severity vulnerability in vRealize Business for Cloud that enables unauthenticated attackers to remotely execute malicious code on vulnerable servers. vRealize Business for Cloud is an automated cloud business management solution designed to provide IT teams with cloud planning, budgeting, and cost analysis tools.
Severe vulnerabilities in Dell firmware update driver found and fixed
Yesterday, infosec research firm SentinelLabs revealed 12-year-old flaws in Dell's firmware updater, DBUtil 2.3. The vulnerable firmware updater has been installed by default on hundreds of millions of Dell systems since 2009. The five high-severity flaws SentinelLabs discovered and reported to Dell lurk in the dbutil_2_3.sys module, and they have been rounded up under a single CVE tracking number, CVE-2021-21551.
New Crypto-Stealer 'Panda' Spread via Discord
Yet another new information stealer - Panda Stealer - is being spread through a worldwide spam campaign. On Tuesday, Trend Micro researchers said that they first spotted the new stealer in April. The most recent wave of the spam campaign has had the biggest impact in Australia, Germany, Japan and the U.S. The spam emails are masquerading as business-quote requests to lure victims into clicking on booby-trapped Excel files.
CISA used new subpoena power to contact US companies vulnerable to hacking
The Department of Homeland Security's cybersecurity agency used a new subpoena power for the first time last week to contact at least one U.S. internet service provider with customers whose software is vulnerable to hacking. It's an authority that DHS's Cybersecurity and Infrastructure Security Agency has long sought, as agency officials struggled to communicate with some technology firms before flaws in their equipment became public and risked exploitation by state-linked or criminal hackers.
Anti-Spam WordPress Plugin Could Expose Website User Data
An SQL-injection vulnerability discovered in a WordPress plugin called "Spam protection, AntiSpam, FireWall by CleanTalk" could expose user emails, passwords, credit-card data and other sensitive information to an unauthenticated attacker. Spam protection, AntiSpam, FireWall by CleanTalk is installed on more than 100,000 sites, and is mainly used to weed out spam and trash comments on website discussion boards.
JET engine flaws can crash Microsoft's IIS, SQL Server, say Palo Alto researchers
A trio of researchers at Palo Alto Networks has detailed vulnerabilities in the JET database engine, and demonstrated how those flaws can be exploited to ultimately execute malicious code on systems running Microsoft's SQL Server and Internet Information Services web server. The team also said Microsoft dismissed some of their findings as not worthy of a fix.
States Push Back Against Use of Facial Recognition by Police
Law enforcement agencies across the U.S. have used facial recognition technology to solve homicides and bust human traffickers, but concern about its accuracy and the growing pervasiveness of video surveillance is leading some state lawmakers to hit the pause button. At least seven states and nearly two dozen cities have limited government use of the technology amid fears over civil rights violations, racial bias and invasion of privacy.
Cybersecurity Experts Share Thoughts for World Password Day
World Password Day was created by Intel in 2013 to raise awareness of the need for strong passwords, but many experts now use the occasion to urge organizations to replace passwords with other, more secure authentication methods. World Password Day is observed every year on the first Thursday of May, and in 2021 that is today, May 6. Passwords are often compromised in data breaches, putting users at risk. On the other hand, passwords are also often leveraged to carry out an attack and breach an organization's systems.
- ...in 1915, actor/filmmaker Orson Welles ("Citizen Kane", "The Third Man") is born in Kenosha, WI.
- ...in 1915, Babe Ruth hits his first major league home run as a pitcher for the Boston Red Sox.
- ...in 1935, President Franklin D. Roosevelt issues Executive Order 7034, establishing the Works Progress Administration.
- ...in 1941, comedian Bob Hope makes his first of dozens of tours with the USO to entertain American troops overseas.