Security News

F5 Networks this week released patches to address an authentication bypass vulnerability affecting BIG-IP Access Policy Manager, but fixes are not available for all impacted versions. Tracked as CVE-2021-23008, the high-severity vulnerability allows for the bypass of BIG-IP APM AD authentication if the attacker can hijack a Kerberos KDC connection using a spoofed AS-REP. Authentication bypass is also possible from an AD server that the attacker has already compromised, F5 explains.

For businesses, sending text messages to hundreds, thousands, or perhaps millions of customers can be a laborious task. A wide ecosystem of these companies exist, each advertising their own ability to run text messaging for other businesses.

Today, researchers have exposed common weaknesses lurking in the latest smart sex toys that can be exploited by attackers. In examples provided by the researchers, technologies like Bluetooth and inadequately secured remote APIs make these IoT personal devices vulnerable to attacks that go beyond just compromising user privacy.

Apple on Monday released security patches for macOS, iOS, iPadOS, watchOS, and Safari to fix up a vulnerability that can be exploited by malicious web pages to run malware on victims' computers and gadgets. Apple thanks Clément Lecigne of Google's Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research for reporting the arbitrary code execution security flaw, CVE-2021-1844, which is present in WebKit, the browser engine used by various bits of Cupertino code.

The exploitation of bitsquatted domains tends to be automatic when a DNS request is being made from a computer impacted by a hardware error, solar flare, or cosmic rays, thereby flipping one of the bits of the legitimate domain names. Researacher sees real windows.com traffic coming to his domains!

Improperly generated ISNs in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout. TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets.

Police have arrested 10 people in the U.K., Belgium and Malta for allegedly hijacking mobile phones belonging to U.S. celebrities including internet influencers, sports stars and musicians to steal personal information and millions in cryptocurrency, authorities said. The European Union police agency Europol said Wednesday that the gang is believed to have stolen more than $100 million in cryptocurrencies by using so-called SIM swap attacks.

The sheriff of a small city in Florida warned on Monday that hackers had tried to poison its water. Pinellas County Sheriff Bob Gualtieri said Oldsmar's water treatment system, which serves roughly 15,000 people, was broken into by someone, via the internet, who had hoped to flood the supply with levels of sodium hydroxide more than 100 times the normal amount.

New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads. Collectively called "CacheFlow" by Avast, the 28 extensions in question - including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock - made use of a sneaky trick to mask its true purpose: Leverage Cache-Control HTTP header as a covert channel to retrieve commands from an attacker-controlled server.

Seven vulnerabilities have been found in a popular DNS caching proxy and DHCP server known as dnsmasq, raising the possibility of widespread online attacks on networking devices. Dnsmasq 2.83, maintained by open source software developer Simon Kelley, has been released to address the issues, which recall the DNS cache poisoning vulnerability identified in 2008 by security researcher Dan Kaminsky.