Security News
An unsecured database has exposed sensitive data for users of Microsoft's Bing search engine mobile application - including their location coordinates, search terms in clear text and more. While no personal information, like names, was exposed, researchers with Wizcase argued that enough data was available that it would be possible to link these search queries and locations to user identities - giving bad actors information ripe for blackmail attacks, phishing scams and more.
Users of 70 different adult dating and e-commerce websites have had their personal information exposed, thanks to a misconfigured, publicly accessible Elasticsearch cloud server. The data kept on the server was connected to a notification tool used by Mailfire's clients to market to their website users and, in the case of dating sites, notify website users of new messages from potential matches.
Security consultant Bob Diachenko ran across a misconfigured Elasticsearch cloud cluster that exposed a segment of Razer's infrastructure to the public internet, for anyone to see. "As more organizations adopt cloud-based tools to obtain a competitive advantage, the rate of cloud application usage increases in tandem. However, most organizations are not equipped to handle the security demands of the cloud. In fact, 86 percent of companies deploy cloud applications, yet just 34 percent have single sign-on solutions in place, demonstrating a massive gap in cloud adoption and necessary cloud-security solutions."
Jenkins, a popular open-source automation server software, published an advisory on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed. "Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat," read the advisory.
The Maze hacker gang claims it has infected computer memory maker SK hynix with ransomware and leaked some of the files it stole. For what it's worth, the Maze crew doesn't tend to need to fib about these sorts of things.
A just-released volume [PDF] from the panel's dossier on Russia's efforts to meddle in that year's White House race pretty much accuses the Assange-run WikiLeaks of actively helping Moscow in its dirty work - by obtaining the internal memos from Russian hackers and spreading them online to derail Hillary Clinton's campaign and help nudge Donald Trump to victory. 'A key role in the Russian influence campaign'.
Abstract: Four hack-and-leak operations in U.S. politics between 2016 and 2019, publicly attributed to the United Arab Emirates, Qatar, and Saudi Arabia, should be seen as the "simulation of scandal" - deliberate attempts to direct moral judgement against their target. Although "hacking" tools enable easy access to secret information, they are a double-edged sword, as their discovery means the scandal becomes about the hack itself, not about the hacked information.
Intel is investigating reports that a claimed hacker has leaked 20GB of data coming from the chip giant, which appear to be related to source code and developer documents and tools. "The information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access," an Intel spokesperson told SecurityWeek.
The NSA released the advisory this week informing people of the various ways mobile phones, by design, give up location information, which go beyond the well-known Location Services feature that people use on a regular basis. Most people are aware that location services on devices can pinpoint where they are so people can have access to services in the area, as well as share their location with friends via mobile apps such as WhatsApp, among other useful activities.