The Official Internet/Computer Security News Discussion Thread
New Intel Vulnerability
https://cacheoutattack.com/
https://www.pcworld.com/article/3516...ving-soon.html
List of affected products
https://software.intel.com/security-...ction-sampling
https://www.bleepingcomputer.com/new...-the-dark-web/
LOL, never trusted Zoom.
Also my company sent out a companywide email at the beginning of the shelter at home to not use Zoom due to security issues.
Update 4/13/20: Made it clearer that credential stuffing attacks are not unique to Zoom and added AmIBreached service from Cyble.

Any site is susceptible to credential stuffing if they don't have 2FA/MFA enabled and we continue to have an uneducated populace who insists on using the same username/password on every site.
@thoiboi or anyone else? Just asking but do you guys go as far as using different passwords for even internet forums? Just curious what most people do. I do for everything remotely even critical but if someone really wants to post as me so bad on a car site or other internet forums then have at it. I know I could start adding those sites to my password manager but just haven't bothered.
https://www.extremetech.com/computin...erable-in-2019
Security Researcher: ‘solarwinds123’ Password Left Firm Vulnerable in 2019
...
Security researcher Vinoth Kumar told Reuters that he contacted the company in 2019, alerting it that anyone could access its update server by guessing the password “solarwinds123.” Reuters also reports that hackers have been claiming they could sell access to SolarWinds’ computers since 2017. It is not clear from the wording of the story whether the offer was for a method of infiltrating SolarWinds itself, or if the black hat was offering to sell access to computers that used SolarWinds software.
“Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress – noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.”
I want to be clear that this specific password is not thought to be the means by which Cozy Bear accessed SolarWinds’ network management tool, dubbed Orion, but it speaks to a terrible security culture at the company, given the data security needs of its customers. Because Orion is often used to manage routers and switches inside large corporate networks, penetrating the software gave black hats a marvelous window into the external and internal network traffic of nearly 20,000 companies, federal agencies, and other types of organizations.
...
Wait until we find out that Dominion was indeed hacked, but the hackers thought that 10,000,000 extra votes for Don would be way more than enough. It makes sense that Don was pissed at Dominion and Putin didn't congratulate Biden until the Electoral College did its thing.
Last edited by doopstr; Dec 19, 2020 at 02:25 PM.

https://www.businessinsider.in/stock...w/80406500.cms
Intel drops 9% after a reported hack forced the chipmaker to release its 4th-quarter earnings early
Shares in Intel fell as much as 9% on Friday, after the company said its corporate website was hacked, pushing the chipmaker to release its fourth-quarter earnings earlier than planned.
George Davis, Intel's chief financial officer, told the Financial Times a hacker gained unauthorized access to sensitive data tied to its earnings report that was set to be published after the market close on Thursday. But upon finding out about the attack, the chipmaker released its results six minutes before the market close.
"An infographic was hacked off of our PR newsroom site," Davis told the newspaper. "We put our earnings out as soon as we were aware." Without providing further details, he said the breach was caused by an unlawful action that didn't involve any unintentional disclosure by Intel.
An Intel spokesperson told Insider the company is investigating reports that non-authorized access may have been obtained to one graphic from its earnings report.
Intel's fourth-quarter results exceeded investor expectations and beat the company's own forecast on the back of strong PC sales. The chipmaker saw quarterly revenue fall 1% year-on-year to $20 billion, but still beat the $17.49 billion estimate of analysts polled by Refinitiv. Net income for the quarter came in at $1.52 per share, compared to $1.10 expected.
Intel's shares closed up almost 7% at $62.46 on Thursday, but erased gains after the reported hacker's access to information.
Fkn annoying you have to update the entire OS just for a security update with Safari.
Should be pushed independently or maybe via the App Store.
edit: just remembered that this will be a new feature in iOS 16. The Rapid Security Responses. Took them long enough.
Last edited by Mizouse; Aug 19, 2022 at 12:37 PM. Reason: I’m dumb
Well this fucking sucks. LastPass got hacked badly. They got hacked months ago and just finally the Thursday before Christmas announced that hackers had got into their 3rd party backup server and stole ALL the data. Not just customer names and email addresses, fucking everything. Everyone's LastPass vaults are now in the hands of hackers so if your master password wasn't secure you're fucked.
They now have until the end of time to crack the master password and once they do they have access to all of your accounts. You now have to reset the password for every website you had saved in LastPass.
Most security experts are saying to switch to another password manager. I'm switching to 1Password. Bitwarden is supposedly another good option. 1Password is better than LastPass because they encrypt everything; LastPass didn't encrypt the website URLs, so hackers can see what sites they'll gain access to before cracking your master password. 1Pass also uses a master password along with a secret key that they don't know or store anywhere, so if they were to get hacked as bad as LastPass they still wouldn't be able to sign in without the secret key.
It was easy to move your passwords over to 1Password
Follow this guide
https://support.1password.com/import-lastpass/
1Pass is also offering to refund me for the rest of my LastPass subscription, going through that process now.
Pisses me off. Just within the last few years I stopped relying on my browser's password store and started using LastPass. I should have dumped them when they started charging to use it on laptop and mobile. On the bright side I do have a complex master password.
Since I had 6 months left on my LastPass subscription, 1Pass is giving me half off the first year (pricing between both is about the same) to switch.
If you switch go here to get a partial discount
https://1password.com/switch

T-Mobile announces another data breach, impacting 37 million accounts
https://www.theverge.com/2023/1/20/23563825/tmobile-data-breach-api-customer-accounts-hacker-security
The attacker obtained customer names, billing addresses, emails, phone numbers, and birth dates through an internal API.
https://www.forbes.com/sites/daveywi...h=7d65e43d28fc
The final LastPass hack attack bombshell drops
"This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault."
It works in iOS too, sort of, it automatically puts the code into your iOS clipboard but you still have to manually paste it in
Last edited by Mizouse; Mar 23, 2023 at 02:48 PM.

https://arstechnica.com/security/202...ware-backdoor/
Millions of PC motherboards were sold with a firmware backdoor
Hidden code in many Gigabyte motherboards invisibly and insecurely downloads programs.
“I’m confident enough that this is a real problem that I’ve been urging my friends and family who use LastPass to change all of their passwords and migrate any crypto that may have been exposed, despite knowing full well how tedious that is.”
Updating my phone. I have recently gotten a couple text messages with an image related to Bitcoin and some link.
Annoyingly, if I want to click the “report junk” button I have to open the message.
https://arstechnica.com/gadgets/2023...ios-macos/amp/
Apple patches “clickless” 0-day image processing vulnerability in iOS, macOS
https://twitter.com/verge/status/1699736894844661847
1Password has a built-in 2FA capability; if you set it up as the authenticator app then it will autofill the 6-digit code, no need to open a 2nd app. This is huge.

