News

Researcher Says Google Paid $100k Bug Bounty for Smart Speaker Vulnerabilities

Security researcher Matt Kunze says Google paid him a $107,500 bug bounty reward for responsibly reporting vulnerabilities in the Google Home Mini smart speaker. The issues, the researcher says, could have been exploited by an attacker within wireless proximity to create a rogue account on the device and then perform various actions. According to Kunze, the attacker could use the account to send remote commands to the device, over the internet, to access the microphone,…

Read More

CISA Says Two Old JasperReports Vulnerabilities Exploited in Attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two JasperReports flaws to its Known Exploited Vulnerabilities Catalog. Tibco’s JasperReports Library is advertised as the world’s most popular open source reporting engine. The JasperReports Server software is designed to enable non-technical users to create reports, dashboards, and visualizations. CISA has learned that two JasperReports vulnerabilities discovered in 2018 have been exploited in attacks. One of them is CVE-2018-18809, a critical directory traversal issue in…

Read More

The Five Stories That Shaped Cybersecurity in 2022

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem As we looked back at the security incidents, events and stories that demanded attention over the past year, it became crystal clear that high-profile data breaches and zero-day attacks would continue to dominate the headlines. It seemed that hardly a week went by without some sort of cybersecurity incident making headlines, stretching spending budgets to the limits as CISOs and…

Read More

Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers

Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities. The US Cybersecurity and Infrastructure Security Agency (CISA) last week published three advisories to describe a total of four high-severity vulnerabilities. Rockwell Automation has published individual advisories for each security hole. One flaw is CVE-2022-3156, which impacts the Studio 5000 Logix Emulate controller emulation software. The vulnerability is caused by a misconfiguration that results in users being granted elevated…

Read More

Data Breach at Louisiana Healthcare Provider Impacts 270,000 Patients

Southwest Louisiana healthcare provider Lake Charles Memorial Health System (LCMHS) is informing roughly 270,000 patients that their personal and medical information was compromised in a data breach. A regional community healthcare system consisting of several facilities, LCMHS identified the cyberattack on October 25 and started informing the impacted patients of the incident on December 23. In a notification on its website, LCMHS says that ‘an unauthorized third party’ gained access to its network between October…

Read More

Netwrix Acquires Remediant for PAM Technology

Data security software vendor Netwrix has acquired Remediant, an early-stage startup working on technology in the PAM (privileged access management) category. Financial terms of the acquisition were not disclosed.  Remediant, based in San Francisco and backed by Dell Technologies Capital and ForgePoint Capital, raised $15 million in Series A venture capital funding in August 2019. Remediant, founded in 2015 by security practitioners Paul Lanzi  and Tim Keeler, built a PAM software product that offered continuous…

Read More

EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. The attack method, named EarSpy, is described in a paper published just before Christmas by researchers from Texas A&M University, Temple University, New Jersey Institute of Technology, Rutgers University, and the University…

Read More

Data of 400 Million Twitter Users for Sale as Irish Privacy Watchdog Announces Probe

An individual is offering to sell the data of more than 400 million Twitter users, just as Ireland’s data protection watchdog has announced an investigation into the recent data leaks impacting the social media giant. On December 23, someone posted a message on a popular hacking forum announcing the sale of a database containing the names, usernames, email addresses, phone numbers and follower counts of over 400 million Twitter accounts. A sample of roughly 1,000…

Read More

Microsoft Patches Azure Cross-Tenant Data Access Flaw

Microsoft has silently fixed an important-severity security flaw in its Azure Container Service (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks. The vulnerability, documented by researchers at Mnemonic, effectively removed the entire network and identity perimeter around  internet-isolated Azure Cognitive Search instances and allowed cross-tenant access to the data plane of ACS instances from any location, including instances without any explicit network exposure. According to Mnemonic researcher Emilien…

Read More

Facebook Agrees to Pay $725 Million to Settle Privacy Suit

Facebook parent Meta has agreed to pay $725 million to settle a long-running lawsuit that accused the social network of allowing third parties, including Cambridge Analytica, to access users’ private data. The amount was disclosed in a court filing late on Thursday. “The proposed settlement of $725,000,000 is the largest recovery ever achieved in a data privacy class action and the most Facebook has ever paid to resolve a private class action,” lawyers for the…

Read More