A hacker breached the systems behind Tile device trackers by accessing a law enforcement request tool and stole customer data such as names, addresses, emails, and phone numbers. Tile's parent company Life360 confirmed the breach, stating that the hacker attempted extortion.
A researcher claims UK gym chain Total Fitness left a database containing over 474,000 member and staff images, including identity documents and payment info, publicly accessible without a password. Total Fitness stated the images were used for legitimate purposes and that only a small subset contained identifiable information. The issue highlights the potential risks of data exposure.
Asus has released updates patching multiple critical vulnerabilities in its routers. The first is an authentication bypass that allows remote attackers to log into the router with no authentication. The second vulnerability is a buffer overflow that could allow attackers with administrative access to execute arbitrary commands. The third vulnerability allows attackers to execute remote commands with no user interaction. Asus hasn't seen any exploitation of these vulnerabilities.
This blog post dives into a new malware campaign that targets exposed Docker API endpoints to deliver cryptocurrency miners and other payloads. The campaign uses a remote access tool to execute more malware and a utility to spread via SSH.
This blog post discusses architectural decisions that platforms offering custom domains can make to proactively prevent subdomain takeovers. The most common mitigation is requiring domain verification, usually implemented as a TXT record containing a verification string. Other suggested mechanisms are adding entropy to the underlying record to make it difficult to generate an identical record, preventing the re-registration of custom domains, and charging for custom domains.
AWS CISO Chris Betz details some of the ideas driving AWS's security prioritization, with a focus on generative AI. Betz highlights some conventional wisdom, such as focusing on the basics, security being everyone's job, and security both requiring innovation and being necessary to it. He also touches on the importance of customers having control over their data and the potential value of generative AI in the AWS security strategy.
Google Cloud's Privileged Access Manager (PAM) enhances security by granting on-demand access with just-in-time approvals. PAM helps organizations shift from always-on privileges to time-bound, approved access for improved security and operational efficiency. IAM admins can create entitlements for users to request specific access, promoting least privilege principles.
Google's Project Zero team discusses a vulnerability in an Android driver related to JPEG decoding. The vulnerability allows for a race condition that can lead to memory corruption and potential exploitation. Attackers can achieve arbitrary read and write capabilities in the system by exploiting this vulnerability.
A researcher found an unpatched bug allowing anyone to impersonate Microsoft corporate email accounts for credible phishing attempts. He reported the email spoofing bug to Microsoft, but the company dismissed it after failing to reproduce the issue, so he then publicized the vulnerability on X.
The CEO of Signal warned that the EU's proposed law to scan private messages for child exploitation material threatens web security. She argued it fundamentally undermines encryption by creating vulnerabilities that would have global implications beyond Europe.