Security News

Zoom Bug Allowed Snoopers Crack Private Meeting Passwords in Minutes
2020-07-30 03:40

Popular video conferencing app Zoom recently fixed a new security flaw that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants. Zoom meetings are by default protected by a six-digit numeric password, but according to Tom Anthony, VP Product at SearchPilot who identified the issue, the lack of rate limiting enabled "an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people's private Zoom meetings."

E.U. Authorities Crack Encryption of Massive Criminal and Murder Network
2020-07-03 15:10

Two months ago investigators in France and the Netherlands cracked the network's encryption, allowing law enforcement to listen in to criminal communications about selling and trafficking drugs, laundering money and murdering rivals, authorities said. The service's owners apparently became aware of the criminal investigation last month, informing an estimated 60,000 users with a message warning them to get rid of their EncroChat devices because their servers, operating out of France, had been "seized illegally by government entities," according to the NCA. The service relied on EncroChat devices, which came with pre-loaded apps for instant messaging as well as the ability to make secure internet calls, with no other "conventional smartphone" functionality, U.K. officials said.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
2020-06-30 03:57

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. "Connections to TLS servers violating these new requirements will fail," Apple warned in its official note.

Got $50k spare? Then you can crack SHA-1 – so OpenSSH is deprecating flawed hashing algo in a 'near-future release'
2020-05-28 21:03

"It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K. For this reason, we will be disabling the 'ssh-rsa' public key signature algorithm by default in a near-future release," said OpenSSH maintainer Damien Miller in the release notes for OpenSSH 8.3, echoing similar comments from the 8.2 release notes back in February. The OpenSSH team suggest users and administrators use alternative, more secure hashing algorithms including SHA-2 or the even older ssh-ed25519 or ECDSA as proposed in 2009.

Attorney General: We didn't need Apple to crack terrorist's iPhones – tho we still want iGiant to do it in future
2020-05-18 22:09

The US Department of Justice is once again taking Apple to task for not cooperating with device decryption requests, even after it announced that it had retrieved information from a pair of iPhones without Cupertino's help. "Thanks to the great work of the FBI - and no thanks to Apple - we were able to unlock Alshamrani's phones," said Attorney General Barr.

ICANN asks registrars to crack down on scam coronavirus websites
2020-04-14 09:04

When is ICANN going to do something about the explosion of scammy domains spawned by the COVID-19 pandemic? We can't, the overseers of the internet said last Tuesday, throwing their hands in the air and telling domain registrars that they can, and should.

Microsoft Cracks Infrastructure of Infamous Necurs Botnet
2020-03-10 20:08

Microsoft says it managed to disrupt the Necurs botnet by taking control of the U.S.-based infrastructure that it has been using to conduct its malicious activities. Necurs is a peer-to-peer hybrid botnet that uses a Domain Generation Algorithm to ensure bots can always connect to a command and control server.

LoRaWAN Encryption Keys Easy to Crack, Jeopardizing Security of IoT Networks
2020-01-28 12:02

Researchers are warning that while LoRaWAN itself is perfectly secure, poor device security and user mistakes in configuration and implementation can still lead to hacks and widespread operational disruption. The application-layer security is responsible for confidentiality, with end-to-end encryption between the device and the application server, preventing third parties from accessing the application data being transmitted.