Security News

Multiple security vulnerabilities have been disclosed in Bosch BCC100 thermostats and Rexroth NXA015S-36V-B smart nutrunners that, if successfully exploited, could allow attackers to execute...

About Bruce Schneier I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

Threat actors have been observed serving malicious code by utilizing Binance's Smart Chain (BSC) contracts in what has been described as the "next level of bulletproof hosting." The campaign,...

Cybercriminals are employing a novel code distribution technique dubbed 'EtherHiding,' which abuses Binance's Smart Chain contracts to hide malicious scripts in the blockchain. The threat actors responsible for this campaign previously used compromised WordPress sites that redirected to Cloudflare Worker hosts for injecting malicious JavaScript into hacked websites, but later pivoted to abusing blockchain systems that provide a far more resilient and evasive distribution channel.

Hackers are once again abusing LinkedIn Smart Links in phishing attacks to bypass protection measures and evade detection in attempts to steal Microsoft account credentials. Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it.

TechRepublic Premium Portable Storage Policy Portable storage media allow employees to access or back up business data both inside and outside the office. The ease of use presented by portable storage devices can also place companies at significant risk of lost or stolen data.

TechRepublic Premium Portable Storage Policy Portable storage media allow employees to access or back up business data both inside and outside the office. Malware can infect portable storage media, which can then be inadvertently or purposely introduced .... TechRepublic Premium MSP Best Practices: Network Switch and Router Deployment Checklist No managed services provider should lock itself out of the very network switches or routers it deploys, yet such accidents occur.

Infosec in brief Bot defense software vendor Human Security last week detailed an attack that "Sold off-brand mobile and Connected TV devices on popular online retailers and resale sites preloaded with a known malware called Triada." Human named the campaign to infect and distribute the Android devices BADBOX. The infected devices were sold for under $50. Human's researchers found over 200 models with pre-installed malware, and when it went shopping for seven particular devices found that 80 percent of units were infected with BADBOX. Analysis of infected devices yielded intel on an ad fraud module Human's researchers named PEACHPIT. At its peak, PEACHPIT ran on a botnet spanning 121,000 devices a day on Android.

While smart speakers are only supposed to listen after being invoked with a "Wake" phrase, their data collection and who they share that with may surprise. A profound difference was also found in the amount of data requested from smart device owners depending on whether the associated app was installed on an Android or iOS phone.

A trio of researchers split between Italy and the UK have recently published a paper about cryptographic insecurities they found in a widely-known smart light bulb. The researchers seem to have chosen their target device, the TP-Link Tapo L530E, on the basis that it is "Currently [the] best seller on Amazon Italy," so we don't know how other smart bulbs stack up, but their report has plenty to teach us anyway.