Zaid Shoorbajee – Page 2 – WindowsTechs.com

Schneider Electric’s car charging stations get crucial patches

Posted on January 14, 2019 by Zaid Shoorbajee

Schneider Electric recently patched three security flaws in a popular type of electric-car charger that it manufactures, vulnerability assessment company Positive Technologies said Monday. The most serious of the vulnerabilities in the EVlink charging stations involved hard-coded credentials, meaning the units were shipped with default passwords or security keys embedded in their firmware. If hackers discover such credentials in any type of device, they can use them to gain wide access to them. Schneider and Positive Technologies labeled that flaw as “critical,” saying an intruder could halt the charging process and switch it into “reservation mode,” making a station unusable to anyone until the mode is turned off. Hackers could even control the socket locking hatch, letting them unlock and “walk away with the cable,” Positive Technologies said. A second vulnerability, rated as “high-risk,” allows for an attacker to execute arbitrary commands on the station and gain maximum privileges. And another vulnerability labeled as “medium” risk would let an attacker bypass authorization and access a […]

The post Schneider Electric’s car charging stations get crucial patches appeared first on CyberScoop.

Continue reading Schneider Electric’s car charging stations get crucial patches→

Broad DNS hijacking campaign could originate in Middle East: FireEye

Posted on January 10, 2019 by Zaid Shoorbajee

An unknown actor with “a nexus to Iran” is hijacking aspects of the internet’s infrastructure to target the traffic of government and telecommunications organizations around the world, according to research published by FireEye on Wednesday. Researchers say the perpetrator is using sophisticated methods to manipulate domain name server (DNS) records, diverting the targets’ traffic through malicious servers. DNS is a behind-the-scenes system that links domain names to the actual IP addresses where the user’s intended web destination lies. The identity of the attacker remains unclear. Researchers said they’ve observed the campaign in “multiple clusters” between January 2017 and January 2019. Researchers observed at least three different techniques to hijack targets’ traffic. The methods involve using compromised credentials for the target’s DNS administration panels or domain registrar accounts in order to change DNS records, forcing the victim’s system to pass through malicious IP addresses. FireEye says the attackers also use legitimate-looking certificates on their […]

The post Broad DNS hijacking campaign could originate in Middle East: FireEye appeared first on CyberScoop.

Continue reading Broad DNS hijacking campaign could originate in Middle East: FireEye→

Hyatt launches public bug bounty program

Posted on January 9, 2019 by Zaid Shoorbajee

Global hospitality chain Hyatt Hotels announced Wednesday that it’s launching a public bug bounty program through HackerOne, offering monetary prizes for security researchers to probe its websites and apps for leaky features and vulnerabilities that could be exploited by hackers. The company is now looking to crowdsource vulnerability testing from of a field of ethical hackers through HackerOne’s platform. Covered in the bug bounty program are the websites Hyatt.com, m.hyatt.com, world.hyatt.com and Hyatt’s Android and iOS apps. “At Hyatt, protecting guest and customer information is our top priority and launching this program represents an important step that furthers our goal of keeping our guests safe every day,” Benjamin Vaughn, Hyatt’s chief information security officer, in a press release. Hyatt’s bounties range from $300 to $4,000, based on the severity of bugs security researchers discover. The participants, of course, have to agree to ethical hacking terms like not collecting personally identifiable […]

The post Hyatt launches public bug bounty program appeared first on CyberScoop.

Continue reading Hyatt launches public bug bounty program→

Comcast launches subscription Wi-Fi security service

Posted on January 8, 2019 by Zaid Shoorbajee

With the Consumer Electronics Show underway in Las Vegas, consumers are set to endure a flood of product announcements for connected devices they didn’t know they wanted, creating more potential gateways for home networks to be exploited by hackers. After all, some 20.4 billion devices will be connected to the internet by 2020, up from 8.4 billion in 2017, according to projections from the market research firm Gartner. Many of those devices are not manufactured with security in mind, as evidenced by recent cyberattacks. Now, Comcast is looking to tap into the internet-of-things security market with a new subscription service announced Tuesday. The company’s xFi Advanced Security is a $5.99-per-month service available to existing Comcast Wi-Fi customers that is meant to monitor all of a network’s devices for suspicious activity, block anything necessary, and alert the customer. To subscribe, customers must already be renting the company’s Xfinity xFi Advanced Gateway modem, which by default gives […]

The post Comcast launches subscription Wi-Fi security service appeared first on CyberScoop.

Continue reading Comcast launches subscription Wi-Fi security service→

Yubico unveils new NFC key, developing a Lightning-enabled key

Posted on January 8, 2019 by Zaid Shoorbajee

Yubico, the physical authentication key company, announced two new products Tuesday, as it continues to make its key fob-like authenticators available on more platforms. The YubiKey for Lightning is geared specifically for Mac and iOS users, but is in a private preview phase while Yubico and third-party developers work on making the keys more compatible with Apple devices. The other announced product, the Security Key NFC, is a USB-A key that has near field communication capability. It combines some functionalities of the company’s standard security key and the YubiKey 5 NFC, both of which were updated in Yubico’s Series 5 line released in September. The new key supports FIDO2, a standard for hardware-based, passwordless authentication, as well as the older FIDO U2F two-factor authentication. However, some authentication protocols included in other keys aren’t supported in the new key. Yubico says the Security Key NFC “works out-of-the-box” with many popular services and […]

The post Yubico unveils new NFC key, developing a Lightning-enabled key appeared first on CyberScoop.

Continue reading Yubico unveils new NFC key, developing a Lightning-enabled key→

Here are the big election security measures in the House Democrats’ massive new bill

Posted on January 4, 2019 by Zaid Shoorbajee

A giant bill House Democrats proposed on Friday includes a number of measures aimed at improving election security and voter confidence. The measures in H.R. 1 draw on provisions from several bills that were proposed but failed since the 2016 election, which experts and officials concluded was targeted by a Russian-led influence operation. Key features include a requirement that federal elections be conducted with paper ballots that can be counted by hand or optical scanners, new grants that states and municipalities can use to improve and upgrade equipment, an incident reporting requirement for election system vendors and a number of other measures meant to keep election systems’ security up-to-date. Election security experts have criticized paperless voting machines because of their vulnerability to tampering with little recourse, since they produce no auditable paper trail of each vote. Such machines were used to some extent in more than a dozen states in […]

The post Here are the big election security measures in the House Democrats’ massive new bill appeared first on CyberScoop.

Continue reading Here are the big election security measures in the House Democrats’ massive new bill→

Warner, Rubio introduce bill to protect U.S. from supply chain security issues

Posted on January 4, 2019 by Zaid Shoorbajee

Two senators are trying to create a central government entity to deal with supply chain security and strategize over how to keep U.S. technologies safe from foreign theft in a bill introduced on Friday. The bill, from Sens. Marco Rubio, R-Fla. and Mark Warner, D-Va., seeks to create a White House Office of Critical Technologies and Security. The new entity would take the lead in strategizing and coordinating across agencies to “protect against state-sponsored technology theft and risks to critical supply chains.” The proposed bill comes as the government increases pressure on China for allegedly using its corporate presence and workers in the U.S. to steal intellectual property. The Justice Department in December unsealed indictments against two Chinese citizens for allegedly spying on dozens of U.S. companies and agencies by hacking managed service providers. The White House is also weighing a ban on American companies’ use of technology bought from […]

The post Warner, Rubio introduce bill to protect U.S. from supply chain security issues appeared first on CyberScoop.

Continue reading Warner, Rubio introduce bill to protect U.S. from supply chain security issues→

Hackers steal data on 1,000 North Korean defectors, jeopardizing their safety

Posted on December 28, 2018 by Zaid Shoorbajee

Hackers have stolen personal information about roughly 1,000 North Korean defectors living in South Korea, according to South Korean media outlets, putting those individuals and their families still in the North at risk. The South Korean Ministry of Unification said Friday that the names, addresses and dates of birth of 997 people had been stolen through an infected computer at a resettlement agency called the Hana Foundation, according to Yonhap News and other outlets. The ministry did not identify the hackers, however North Korea is known for launching almost constant cyberattacks on the South. A nonprofit extension of the Ministry of Unification, the Hana Foundation runs about two dozen centers that assist people who manage to flee North Korea to integrate into South Korean society. The organization says that some 31,000 defectors, which the country regards as refugees, are living in the South. Pyonyang is known to target defectors, with state media agencies once referring to people who flee North […]

The post Hackers steal data on 1,000 North Korean defectors, jeopardizing their safety appeared first on CyberScoop.

Continue reading Hackers steal data on 1,000 North Korean defectors, jeopardizing their safety→

BevMo payment breach affects thousands, with researchers pointing to Magecart

Posted on December 27, 2018 by Zaid Shoorbajee

BevMo, a California-based retailer of alcoholic beverages, is notifying some customers that a data breach affected the online store exposed credit card information used between August 2 and Sept. 26. In a notice submitted to the California attorney general’s office, BevMo says that hackers were able to install malicious code onto the company’s checkout page, skimming customer information including names, payment card numbers, expiration dates and security codes, addresses, as well as phone numbers. BevMo says the malicious code has been removed by NCR Corporation, which operates BevMo’s website. NCR, which sells point-of-sale systems and provides IT services, notified BevMo of the breach and sponsored a third-party investigation into it, according to BevMo’s notice. NCR did not respond to a request for comment. A local NBC station in the San Francisco Bay Area reported that the breach impacted 14,579 customers. BevMo has stores in California, Arizona and Washington, but ships online orders […]

The post BevMo payment breach affects thousands, with researchers pointing to Magecart appeared first on CyberScoop.

Continue reading BevMo payment breach affects thousands, with researchers pointing to Magecart→

Caribou Coffee reports data breach including payment information at 265 stores

Posted on December 20, 2018 by Zaid Shoorbajee

American coffee seller Caribou Coffee recently suffered a breach exposing customer payment data at 265 U.S. stores for roughly three months, according to a notice posted to the company’s website. The retailer says an outsider had unauthorized access to point-of-sale systems at affected locations between Aug. 28 and and Dec. 3, someone had unauthorized access to its point of sale systems at affected stores. Hackers may have accessed customer names, payment card numbers, expiration dates and security codes. The company says payments made through its rewards program were not affected. Caribou says that it detected “unusual activity” on its network on Nov. 28, which prompted it to hire Mandiant, a cybersecurity incident response company owned by FireEye. Mandiant identified the issue within two days, the notice says, although customers may have been affected through Dec. 3. Caribou says it’s working to beef up its network security and its payment system in order to better protect customer information. […]

The post Caribou Coffee reports data breach including payment information at 265 stores appeared first on CyberScoop.

Continue reading Caribou Coffee reports data breach including payment information at 265 stores→