Security News

Netgear's routerlogin.com HTTPS cert snafu now has a live proof of concept
2020-02-12 12:52

An infosec researcher has published a JavaScript-based proof of concept for the Netgear routerlogin.com vulnerability revealed at the end of January. Through service workers, scripts that browsers run as background processes, Saleem Rashid reckons he can exploit Netgear routers to successfully compromise admin panel credentials.

Leaving your admin interface's TLS cert and private key in your router firmware in 2020? Just Netgear things
2020-01-20 21:23

Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment's web-based admin interfaces. Specifically, valid, signed TLS certificates with private keys were embedded in the software, which was available to download for free by anyone, and also shipped with Netgear devices.

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit
2020-01-16 23:13

Easy-to-use exploits have emerged online for two high-profile security vulnerabilities, namely the Windows certificate spoofing bug and the Citrix VPN gateway hole. Within hours of the NSA going public with details about its prized bug find, exploit writers posted working code demonstrating how the flaw can be abused to trick unpatched Windows computers into accepting fake digital certificates - which are used to verify the legitimacy of software, and encrypt web connections.

US-CERT warns of critical flaws in Medtronic equipment
2019-11-13 12:06

Medtronic's latest problem is in their Valleylab electrosurgical generators used by surgeons things like cauterisation during operations.

Are you as handy with privacy certs as you are with a screwdriver? Ikea has the perfect vacancy
2019-11-01 15:12

Disposable furniture flogger seeks data wranglers Scandi furniture emporium Ikea is seeking privacy specialists to join its office in Malmö, Sweden.…

HMRC's HTTPS howler: Childcare payments site cert expired at 1am on Sunday, down for hours
2019-09-23 13:03

Gov.uk portal finally lurched back to life after lunch Furious parents have lashed out at Her Majesty's Revenue and Customs after the UK tax authority let a key HTTPS certificate expire on its...

Imperva Breach Exposes WAF Customers' Data, Including SSL Certs, API Keys
2019-08-27 18:48

Imperva, one of the leading cybersecurity startups that helps businesses protect critical data and applications from cyberattacks, has suffered a data breach that has exposed sensitive information...

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt
2019-08-13 01:43

Expensive renewals once a year... or free certificates any time? Tough choice CA/Browser Forum – an industry body of web browser makers, software developers, and security certificate issuers – is...

Mozilla boots alleged snoop troupe from its root cert coop: UAE-based DarkMatter thrown onto CA blocklist
2019-07-10 01:33

Maker of Firefox fires fox from hen house guard duty Mozilla on Tuesday added digital certificates belonging to security biz DarkMatter and its subsidiaries to Firefox's OneCRL blocklist, based on...

US-Cert alert! Thanks to a massive bug, VPN now stands for "Vigorously Pwned Nodes"
2019-04-12 21:00

Multiple providers leaving storage cookies up for grabs The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services.…