Security News

Newly Declassified Study Demonstrates Uselessness of NSA's Phone Metadata Program
2020-02-26 12:08

A National Security Agency system that analyzed logs of Americans' domestic phone calls and text messages cost $100 million from 2015 to 2019, but yielded only a single significant investigation, according to a newly declassified study. Only twice during that four-year period did the program generate unique information that the F.B.I. did not already possess, said the study, which was produced by the Privacy and Civil Liberties Oversight Board and briefed to Congress on Tuesday.

By exploiting an LTE vulnerability, attackers can impersonate mobile phone users
2020-02-24 06:30

Exploiting a vulnerability in the mobile communication standard LTE, researchers at Ruhr-Universität Bochum can impersonate mobile phone users. David Rupprecht and Dr. Katharina Kohls from the Chair of System Security developed attacks to exploit security gaps in the mobile phone standard LTE. "An attacker can book services, for example stream shows, but the owner of the attacked phone would have to pay for them," illustrates Professor Thorsten Holz from Horst Görtz Institute for IT Security, who discovered the vulnerability together with David Rupprecht, Dr. Katharina Kohls and Professor Christina Pöpper.

Samsung will be Putin dreaded Kremlin-approved shovelware on its phones, claims Russia
2020-02-20 10:03

The Russian government, via mouthpiece RIA Novosti, has claimed Korean tech giant Samsung will comply with a controversial Russian law passed in November that forces smartphones and computers to come pre-installed with domestic-made shovelware. "Samsung Electronics will be ready to meet the requirements of the Russian legislation provided by the regulator and adapt the company's activities in accordance with the adopted regulations," the state-owned wire service quoted a "Representative" as telling it.

Sketchy behavior? Wacom tablet drivers phone home with names, times of every app opened on your computer
2020-02-05 21:48

FYI: Wacom's official tablet drivers leak to the manufacturer the names of every application opened, and when, on the computers they are connected to. If you want to disable this snooping, open your Wacom Desktop Center, find the slightly hidden More link, click on it, go to the privacy settings, and opt out of "Wacom's Experience Program." Note that you may have to opt out again after updating your driver installation: this data collection is enabled by default.

5 High Impact Flaws Affect Cisco Routers, Switches, IP Phones and Cameras
2020-02-05 20:46

Four of the five high-severity bugs are remote code execution issues affecting Cisco routers, switches, and IP cameras, whereas the fifth vulnerability is a denial-of-service issue affecting Cisco IP phones. Collectively dubbed 'CDPwn,' the reported vulnerabilities reside in the various implementations of the Cisco Discovery Protocol, which comes enabled by default on virtually all Cisco devices and cannot be turned off. Cisco Discovery Protocol is an administrative protocol that works at Layer 2 of the Internet Protocol stack.

Twitter admits to raid on users’ phone numbers
2020-02-05 11:20

December's story of the researcher who tricked Twitter's Android app into matching random phone numbers to 17 million user accounts just took a turn for the worse. The flaw related to Twitter's contact upload feature, by which users upload their contact book to enable them to connect to other Twitter users whose email or phone number matches the data.

Twitter says a certain someone tried to discover the phone numbers used by potentially millions of twits
2020-02-04 07:01

Twitter has admitted a flaw in its backend systems was exploited to discover the cellphone numbers of potentially millions of twits en masse, which could lead to their de-anonymization. That is the same day that security researcher Ibrahim Balic revealed he had managed to match 17 million phone numbers to Twitter accounts by uploading a list of two billion automatically generated phone numbers to Twitter's contact upload feature, and match them to usernames.

Scientists test forensic methods to acquire data from damaged mobile phones
2020-02-04 05:30

Criminals sometimes damage their mobile phones in an attempt to destroy data. Manufacturers use those taps to test their circuit boards, but by soldering wires onto them, forensic investigators can extract data from the chips.

Hackers Exploited Twitter Bug to Find Linked Phone Numbers of Users
2020-02-04 02:43

Twitter today issued a warning revealing that attackers abused a legitimate functionality on its platform to determine, without authorization, the phone numbers associated with millions of its users' accounts. According to Twitter, the vulnerability resided in one of the APIs designed to make it easier for users to find people they may already know on Twitter by matching phone numbers saved in their contacts with Twitter accounts.