Categories
Engadget

UK closes loophole that allowed using your phone while driving

The UK is about to make it clear that you shouldn’t grab your phone while you’re driving — regardless of what you intend to do. The government is closing a legal loophole (via BBC) that allowed people to pick up their phones while driving as long as they weren’t calling or messaging. When enacted, you’ll have to use hands-free features for just about everything. The lone exception is for contactless payment while you’re stationary, such as paying for a meal at a drive-thru. The law previously only banned “interactive communication.” Effectively, this let people escape punishment by claiming they were browsing the web, taking a selfie or otherwise doing something that didn’t involve chatting with others.

Categories
Engadget

Grindr flaw allowed hijacking accounts with just an email address

While Grindr quickly fixed the issue after hearing from Hunt, the incident underscored the platform’s shortcomings when it comes to security. And that’s a huge problem when the dating app caters to individuals whose sexual orientations and identities could make them a target for harassment and violence. This isn’t the first security issue Grindr has had to deal with. Back in 2018, it had a couple of flaws that risked exposing a user’s location. Earlier this year, the Norwegian Consumer Council published a report accusing Grindr and other dating services of spreading sensitive information, such as GPS locations. Grindr chief operating officer Rick Marini told TechCrunch that in response to the discovery of this particular flaw, it’s taking additional steps to tighten its security measures. It’s making it easier for researchers to report security issues, and it vows to announce a new bug bounty program “soon.” “We are grateful for the researcher who identified a vulnerability. The reported issue has been fixed. Thankfully, we believe we addressed the issue before it was exploited by any malicious parties. As part of our commitment to improving the safety and security of our service, we are partnering with a leading security firm to simplify and improve the ability for security researchers to report issues such as these. In addition, we will soon announce a new bug bounty program to provide additional incentives for researchers to assist us in keeping our service secure going forward.”

Categories
Tech Radar

Tor will finally fix a bug that allowed for DDoS attacks against dark web sites

Launching DDoS attacks against dark web sites could soon be a little more difficult to pull off now that the Tor Project is preparing to fix a bug that has been abused by attackers for years. As reported by ZDNet, the bug itself is a denial of service (DoS) issue that an attacker can exploit to initiate thousands of connections to a targeted dark web site. For each of these connections, the remote Onion service needs to negotiate a complex circuit through the Tor network to secure the connection between a user and the site’s server. As this process is very CPU intensive, initiating thousands of these connections can quickly overload a site’s server to the point where it can’t accept any new connections. While Tor developers have known about this bug for years, they haven’t released a fix for it yet because doing so would be quite difficult: the bug exploits the same process used to establish user connections to other sites on the Tor network.

Dark web DDoS attacks

In a blog post, the Tor Project provided further insight on the DoS attacks that some Onion services have been experiencing over the past few years, saying: “The attacks exploit the inherent asymmetric nature of the onion service rendezvous protocol, and that makes it a hard problem to defend against. During the rendezvous protocol, an evil client can send a small message to the service while the service has to do lots of expensive work to react to it.…

Categories
Mashable

Zoom bug allowed anyone to use a company’s custom meeting URL

Cybersecurity professionals are still finding some big problems with Zoom. On Thursday, researchers at online security firm Check Point announced their latest discovery: an exploit in Zoom which would have allowed any bad actor to use a company’s vanity URL for their own video meeting. Here’s what this means. Basically, companies and organizations paying Zoom for video conferencing services can set up a unique vanity subdomain to brand their meetings right in the Zoom domain name. For example, a company can set up its video meetings to live on the URL https://YourCompany.zoom.us/meetingID. This bug allowed anyone to set up their own Zoom meeting and add any subdomain registered with Zoom. Let’s say McDonald’s used a mcdonalds.zoom.us custom subdomain for its meetings. Anyone could have started their own meeting, added the “mcdonalds” subdomain to their own personal Zoom meeting link and the link would have worked. That URL would have led users who clicked it to the bad actor’s personal Zoom meeting. Those attending the Zoom meeting could be tricked into believing they were on a conference call with the company mentioned in the subdomain. Attackers could have used this ability to pose as a company representative and social engineer real employees or customers into divulging sensitive information. Furthermore, there was a secondary way in which this exploit could have been abused too. Some companies with custom Zoom URLs set up branded web conference interfaces for their meeting logins. Continuing to use the example above, McDonald’s could have set up its own branded…

Categories
The Next Web

US companies will soon be allowed to work with Huawei again (kind of)

The consequences resulting from the Huawei ban last year are manifold. While the most prominent effect for consumers has been the fact that Huawei phones are no longer allowed to run Google apps and services or be sold in the US, American companies have also been prevented from working with Huawei on technology like 5G connectivity. This has had the ironic effect of weakening the influence US companies can have over setting global standards, as Huawei has a major role in these discussions. Reuters is now reporting that particular block will be lifted very soon. U.S. Commerce Secretary Wilbur Ross confirmed to Reuters that US companies will be allowed to collaborate with Huawei on developing standards for 5G networks. The US government is expected to make a public announcement later today. Ross also said “The United States will not cede leadership in global innovation,” and “the department is committed to protecting U.S. national security and foreign policy interests by encouraging U.S. industry to fully engage and advocate for U.S. technologies to become international standards.” While Huawei fans missing out on Google services and new devices might see this as a bit of a light at the end of the tunnel, I wouldn’t expect to be able to pick up a P40 Pro at your local Best Buy any time soon. An earlier Reuters report, which anticipated today’s report, suggested that the Huawei ban had placed some US companies at a disadvantage in developing wireless standards. Huawei is the world’s largest manufacturer of telecommunications equipment…