Security News > 2021

We explain how two French researchers hacked the Google Titan security key product, and dig into the Mimecast certificate compromise story to see what we can all learn from it. WHERE TO FIND THE PODCAST ONLINE. You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

The ongoing controversies surrounding TikTok hit a new gear on Thursday with a bombshell report accusing the Chinese company of spying on millions of Android users using a technique banned by Google. The Wall Street Journal said TikTok was exploiting a loophole to collect MAC addresses for at least 15 months.

Facebook has taken legal action against the makers of malicious Chrome extensions used for scraping user-profiles and other information from Facebook's website and from users' systems without authorization. After being installed on the users' computers, these Chrome extensions also installed malicious code in the background which allowed the defendants to scrape user data from Facebook's site.

In light of successful cyberattacks targeting organizations' cloud services, the U.S. Cybersecurity and Infrastructure Security Agency has published a series of recommendations on how businesses can improve their cloud security. The attacks observed by CISA exploit poor cyber hygiene practices within cloud services configurations, and the agency says the activity is not tied to a specific threat actor or the recent SolarWinds attack.

The Ministry of Defence's multibillion budget overrun has been caused in part because of its spending splurge on flashy new "Cyber" capabilities, according to the National Audit Office. The MoD faces a budget black hole measured in billions thanks to its profligacy - and even the announcement of a cash top-up of £4bn per year between now and 2024, on top of its £41.2bn annual budget, won't be enough to plug it, according to the auditors.

After a much anticipated response to critics, Ring this week rolled out end-to-end encryption for many of its home security camera products. Last October, Ring raised privacy hackles again when it unveiled the new Always Home Cam, a smart home security camera drone that flies around homes taking security footage of people inside their own homes.

Video game giant Capcom this week revealed that thousands more people than initially believed had their personal information stolen in a ransomware attack in November 2020. On November 4, the game maker announced that it detected unauthorized access to its network, and two weeks later confirmed that the attackers accessed the personal information of employees, as well as financial information, sales reports, and other business data.

The US National Security Agency says that companies should avoid using third party DNS resolvers to block threat actors' DNS traffic eavesdropping and manipulation attempts and to block access to internal network information. NSA's recommendation was made in a new advisory on the benefits of using DNS over HTTPS in enterprise environments, an encrypted domain name system protocol that blocks unauthorized access to the DNS traffic between clients and DNS resolvers.

Several vulnerabilities have been identified in Pepperl+Fuchs Comtrol IO-Link Master industrial gateways, including flaws that researchers claim can be exploited to gain root access to a device and create backdoors. A researcher at Austria-based cybersecurity consultancy SEC Consult discovered five types of vulnerabilities in Pepperl+Fuchs Comtrol industrial products, including cross-site request forgery, reflected cross-site scripting, blind command injection, and denial-of-service issues.

Using readily available software and a rooted Android device, he's able to spoof the location his device reports to Telegram servers. By using just three different locations and measuring the corresponding distance reported by People Nearby, he is able to pinpoint a user's precise location.