New Bluetooth Hack Affects Millions of Devices from Major Vendors

Yet another Bluetooth hacking technique has been uncovered.

A highly critical cryptographic vulnerability has been found affecting some Bluetooth implementations that could allow an unauthenticated, remote attacker in physical proximity of targeted devices to intercept, monitor or manipulate the traffic they exchange.

The Bluetooth hacking vulnerability, tracked as CVE-2018-5383, affects firmware or operating system software drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm, while the implication of the bug for Google, Android and Linux is still unknown.

images from Hacker News

Apache Tomcat Patches Important Security Vulnerabilities

The Apache Software Foundation (ASF) has released security updates to address several vulnerabilities in its Tomcat application server, one of which could allow a remote attacker to obtain sensitive information.

Apache Tomcat is an open-source web server and servlet system, which uses several Java EE specifications like Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a “pure Java” HTTP web server environment for Java code to run in.

Unlike the Apache Struts2 vulnerabilities exploited to breach the systems of American credit reporting agency Equifax late last year, the new Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Apache Tomcat — Information Disclosure Vulnerability

The most critical of the flaws in Apache Tomcat (CVE-2018-8037) is an information disclosure vulnerability caused by a bug in the tracking of connection closures, which can lead to reuse of user sessions in a new connection.

From today, Google Chrome starts marking all non-HTTPS sites ‘Not Secure’

Starting today with the release of Chrome 68, Google Chrome prominently marks all non-HTTPS websites as ‘Not Secure’ in its years-long effort to make the web a more secure place for Internet users.

So if you are still running an insecure HTTP (Hypertext Transfer Protocol) website, many of your visitors might already be greeted with a ‘Not Secure’ message on their Google Chrome browser warning them that they can’t trust your website to be secure.

By displaying ‘Not Secure,’ Google Chrome means that your connection is not secure because there is no SSL Certificate to encrypt your connection between your computer and the website’s server.

So, anything sent over a non-HTTPS connection is in plain text, like your password or payment card information, allowing attackers to snoop or tamper with your data.

iPhone Hacking Campaign Using MDM Software Is Broader Than Previously Known

An India-linked, highly targeted mobile malware campaign, first unveiled two weeks ago, has been found to be part of a broader campaign targeting multiple platforms, including Windows devices and possibly Android as well.

As reported in our previous article, earlier this month researchers at the Talos threat intelligence unit discovered a group of Indian hackers abusing a mobile device management (MDM) service to hijack and spy on a few targeted iPhone users in India.

Operating since August 2015, the attackers have been found abusing the MDM service to remotely install malicious versions of legitimate apps, including Telegram, WhatsApp, and PrayTime, onto targeted iPhones.

Titan Security Keys – Google Launches its Own USB-Based FIDO U2F Keys

At the Google Cloud Next ’18 convention in San Francisco, the company introduced Titan Security Keys, a tiny USB device, similar to Yubico’s YubiKey, that offers hardware-based two-factor authentication for your online accounts with the highest level of protection against phishing attacks.

These hardware-based security keys are thought to be more efficient at preventing phishing, man-in-the-middle (MITM) and other types of account-takeover attacks than 2FA via SMS, as even if your credentials are compromised, account login is impossible without that physical key.
