Motherboard reports that a hacker had bribed a Roblox insider to access the data of over 100 million users.
“I did this only to prove a point to them,” the hacker told Motherboard in an online chat. Motherboard granted the hacker anonymity to speak more candidly about a criminal incident.
Beyond just viewing user data, the hacker was able to reset passwords and change user data too […] The hacker said they changed the password for two accounts and sold their items. One of the screenshots appears to show the successful change of two-factor authentication settings […]
Proving a point my a**. This person tried to claim a bug bounty from Roblox. They denied it because he/she acted “more maliciously than a legitimate security researcher.” He messed with the accounts after the denial, so his point was revenge.
Update: A Roblox spokesperson informed me that only a small number of customers were affected, not 100 million, and that immediate action was taken to address the issue. Additionally, it was a Roblox insider and not an employee.
Andrew Orr and Charlotte Henry join host Kelly Guimont to discuss the latest on Contact Tracing and how Apple and Google teamed up.
Charlotte Henry joins host Kelly Guimont to discuss newly everywhere meeting service Zoom, and how hosts and attendees can stay safe.
Following an investigation by PCMag and Bitdefender, a patch has been issued for the Netatmo Smart Indoor Security Camera.
The Bitdefender IoT Vulnerability Research Team discovered that the device is susceptible to an authenticated file write that leads to command execution (CVE-2019-17101), as well as to a privilege escalation via dirtyc0w—a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem.
Many smart home devices are notoriously insecure, and this is the main reason why I don’t have any of them (besides my robot vacuum, but I’ve explained my reasoning for that).
Bryan Chaffin, John Martellaro, AND Charlotte Henry join host Kelly Guimont to discuss the Apple/Google teamup and how that affects our data.
An iOS exploit called Insomnia was used between January and March 2020 to spy on Uyghurs in China using apps like Signal and ProtonMail.
An iPhone zero day has been found in the wild that takes advantage of two vulnerabilities in the Mail app. It’s currently unpatched in the public release of iOS.
Kelly sits down with Bitwarden’s Gary Orenstein to talk about their password manager and how it can be both open source AND secure software. Learn more about setting up passwords and why it matters on Security Friday!
Recently released for customers, the new Cryptomator 1.5.0 update gives us a redesigned user interface, dark mode, and a new code structure.
Linksys Smart Wi-Fi customers are being asked to change their passwords after hackers hijacked some accounts and changed router settings to direct users to malware sites.
The company decided to lock accounts and prompt a password reset because it couldn’t tell which accounts had been hacked and which had not, so it chose to act on all of them.
“Linksys is doing everything we can to make it tougher for the bad guys. But there are no guarantees,” Linksys said.
Russian telecom company Rostelecom is implicated in a BGP hijacking incident which rerouted network traffic from Akamai, Amazon, Facebook, Google, and others.
BGP stands for the Border Gateway Protocol and is the de-facto system used to route internet traffic between internet networks across the globe…
BGPMon founder Andree Toonk is giving the Russian telco the benefit of the doubt. On Twitter, Toonk said he believes the “hijack” happened after an internal Rostelecom traffic shaping system might have accidentally exposed the incorrect BGP routes on the public internet, rather than Rostelecom’s internal network…
But, as many internet experts have also pointed out in the past, it is possible to make an intentional BGP hijack appear as an accident, and nobody could tell the difference.
MacBooks with a T2 Security Chip have their microphones disabled when the lid is closed. Now the iPad Pro 2020 models have the same feature.
I briefly mentioned WireGuard when I wrote about Cloudflare’s WARP beta. I think it’s something to add to your technology watch list. It’s not just any old VPN app; it’s a VPN protocol that could very well replace current protocols like IPsec and OpenVPN, or at least be offered as an alternative. You can read the technical whitepaper here [PDF], along with this write-up from Ars Technica.
WireGuard will now operate as either a Loadable Kernel Module (LKM) or built statically into the kernel itself. But whether static or loadable, it will be “in-tree”—which means it’s provided ready to go with the vanilla kernel itself, with no need for repackaging by the various distros. This puts it on the same footing as other supported drivers.
After multiple privacy and security violations have been found with Zoom, Andrew wanted to share three Zoom alternatives he found.
Security researcher Patrick Wardle disclosed two Zoom bugs today. They can be used to steal Windows passwords and access your webcam and microphone. They do, however, require physical access to the machine.
In this blog post, we’ll start by briefly looking at recent security and privacy flaws that affected Zoom. Following this, we’ll transition into discussing several new security issues that affect the latest version of Zoom’s macOS client.
At this point, Zoom should just rewrite its software completely.
Continuing its tradition of April product announcements, today Cloudflare announced that its WARP VPN is entering beta for macOS and Windows.
For three years, router firmware OpenWRT has been vulnerable to remote code execution attacks.
The researcher also found that it was trivial for attackers with moderate experience to bypass the digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
This is especially concerning because OpenWRT is commonly recommended by privacy advocates as an alternative to built-in proprietary router firmware.
Hotel chain Marriott International has suffered a second data breach, exposing the personal data of up to 5.2 million guests.
The breach, which began in mid-January 2020 and was discovered at the end of February 2020, saw contact details, including names, addresses, birth dates, gender, email addresses and telephone numbers exposed. Employer name, gender, room stay preferences and loyalty account numbers were also exposed.
Marriott has also said that at present it does not believe passports, payment details or passwords were exposed in the data breach.
It sounds like login credentials of two employees were stolen, likely through a social engineering attack.
Andrew found seven Apple alternatives to use if you don’t want your data shared with the FBI, including Bitwarden, Cryptomator, and more.
Dave Hamilton and Andrew Orr join host Kelly Guimont to discuss Security Friday news, and the new kernel extension alert popping up in the latest macOS 10.15 update.