Graham Cluley has reported (from an original Wall Street Journal source report) on a Google, Inc. (Nasdaq: GOOG) security SNAFU... This time, the failure of the so-called non-evil company to report a significant data custody failure within its so-called 'Google Plus' product, where, in fact, you are the product. The company's better-late-than-never blog post covers the issue, in somewhat less than effective detail...
Yes, you read it right. If you lease a Comcast modem with WiFi, Comcast has been providing the password to your WiFi network in the clear, with only minimal identity management (snippets of your address, for example), thereby granting access to the world; all courtesy of a nasty little overlooked bug in their code. A nearly perfect example of the apparent lack of application security oversight at the company, which alludes to systemic and blatant security incompetence.
The company is claiming to have fixed the access issue as of this writing. The question is, what other flaws exist in the company's deployments? One bright spot in this debacle: currently, customers that supplied their own hardware routers were not among the multitude of customers affected.
Via the eponymous Graham Cluley, writing at the BitDefender Security Blog, who discusses the incontrovertible evidence of information security incompetence exhibited by Bellevue, Washington based LocalBlox (further via Zack Whittaker of ZDNet). The evidence of said incompetence (in the form of an unencrypted, unencumbered-by-any-access-controls 1.2 TB+ file containing the personal details of 48 million scraped user identities the company uses to flog its wares) was exposed by security researcher Chris Vickery. Today's MustRead!
'LocalBlox makes no secret of how it collects and consolidates data about individuals. Its own website explains how it “automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks… LocalBlox helps companies acquire and utilize a vast amount of information from sources held captive on the web with exceptional speed and scale.”' - via Graham Cluley, writing at the BitDefender Security Blog
As is typical of Intel Corporation (Nasdaq: INTC), the firm is attempting to shirk responsibility for this attack and transfer the blame onto the company's vendors, not to mention the glad-handing exhibited by the company's CEO at CES.
It's time to rein in Intel Corporation's significantly flawed software development practice (as evidenced by the output), as the ramifications for the company's vulnerability touch many - if not all - systems worldwide. Further, what else is flawed in the company's other products (for example, automotive chips, medical device systems where the firm's hardware and software reside)?
'But the latest vulnerability—discovered in July of 2017 by F-Secure security consultant Harry Sintonen and revealed by the company today in a blog post—is more of a feature than a bug. Notebook and desktop PCs with Intel AMT can be compromised in moments by someone with physical access to the computer—even bypassing BIOS passwords, Trusted Platform Module personal identification numbers, and Bitlocker disk encryption passwords—by rebooting the computer, entering its BIOS boot menu, and selecting configuration for Intel’s Management Engine BIOS Extension (MEBx).' - via Sean Gallagher - writing at Ars Technica
Martin Brinkmann, writing at GHacks, targets the proliferation of spam extensions flooding the Mozilla Foundation's Firefox AMO Web Extension Store. Further proof of deep administrative incompetence at Mozilla Foundation, or something else? You be the judge.
"The site is abused by spammers currently who flood it with extension listings designed to get users to click on links in the description. The method that these spammers use is simple: they have copied the Chrome extension Hide My IP and use it as the extension that they upload." - via Martin Brinkmann, writing at GHacks
465,000. The number of Abbott-manufactured pacemakers that require software updates due to life-threatening vulnerabilities resident within installed software packages. Coupled with easy accessibility via the interwebs, is this another example of incompetent software engineering in the manufacturing process? No, just a jarring welcome to the Internet of Shite. The United States Food and Drug Administration's announcement ordering a recall and detailing the flaws came as no real surprise:
via the FDA Announcement: Abbott's (formerly St. Jude Medical's) implantable cardiac pacemakers, including cardiac resynchronization therapy pacemaker (CRT-P) devices, provide pacing for slow or irregular heart rhythms. These devices are implanted under the skin in the upper chest area and have connecting insulated wires called "leads" that go into the heart. A patient may need an implantable cardiac pacemaker if their heartbeat is too slow (bradycardia) or needs resynchronization to treat heart failure. The devices addressed in this communication are the following St. Jude Medical pacemaker and CRT-P devices:
- Accent MRI
- Accent ST