Several Logitech keyboards, mice and wireless presenters suffer from security vulnerabilities, Not only can attackers eavesdrop on keystrokes, they can even infect the host system. c’t has established which products are affected and what you should do now.
A large range of Logitech wireless input devices is vulnerable to wireless attacks and can pose a security risk. That is the conclusion of security expert Marcus Mengs, with whom c’t has been in touch for quite some time. Mengs investigation of the wireless connections of several Logitech devices has uncovered numerous weaknesses. They affect keyboards and mice as well as remote controls known as wireless presenters.
The vulnerabilities allow an attacker to eavesdrop on keystrokes from wireless keyboards. Everything an affected user types, from e-mails to passwords, is readily available to the adversary. But it gets worse: An attacker can send any command to the victim’s computer if a vulnerable Logitech-device is installed. And that makes it easy to infect the computer with malicious code without the rightful owner taking notice.
Mengs demonstrates how to infect a system with a backdoor (remote shell) through which he can control the system remotely by radio. In a way, it’s an elegant hack, because he simply piggybacks on the wireless Logitech connection to infect the system and to communicate with the backdoor. That means even computers who are not online are ripe for the hack.
YouTube is currently under investigation by the Federal Trade Commission following complaints that the platform improperly collected data from young users. It’s unclear how much data this might be, but there’s reason to believe it could be a lot. For many kids, YouTube has replaced television; depending on how parents use online platforms, children could begin to amass data even before birth.
After the UK’s leading industry group of internet service providers named Mozilla an “Internet Villain” because of its intentions to support a new DNS security protocol named DNS-over-HTTPS (DoH) inside Firefox, the browser maker told ZDNet that such plans don’t currently exist.
“We have no current plans to enable DoH by default in the UK,” a spokesperson ZDNet last night.
It has been reported that China’s border guards are installing surveillance apps on the phones of some visitors as part of the government’s ever-increasing mass surveillance regime in the Xinjiang province.
According to an investigation by the Guardian, The New York Times, and Germany’s Süddeutsche Zeitung, the “secret” app allows for personal information to be downloaded. The app was discovered to be installed on the phones of visitors entering the country from Kyrgyzstan.
The report says people using the remote Irkeshtam border crossing into the country have routinely had their phones screened by guards. The Irkeshtam crossing is China’s most westerly border and is used by traders and tourists, some following the historic Silk Road.
The publication said specifically that the app extracts emails, text messages, contact information, as well as handset information. Visitors have not been informed this is happening.
Ransomware has no shortage of cautionary tales and wakeup calls from the past decade. But for local governments, this past year has been a particularly brutal reminder of the threat. Following a 2018 attack that paralyzed the City of Atlanta for weeks, more than half a dozen cities and public services across the country have fallen to ransomware so far in 2019, on a near-monthly basis; the Administrative Office of the Georgia Courts became the latest victim on Saturday, when an attack knocked its systems offline.
Germany’s cyber-security agency is working on a set of minimum rules
that modern web browsers must comply with in order to be considered
The new guidelines are currently being drafted by the German Federal Office for Information Security (or the Bundesamt für Sicherheit in der Informationstechnik — BSI), and they’ll be used to advise government agencies and companies from the private sector on what browsers are safe to use.
A first version of this guideline was published in 2017, but a new standard is being put together to account for improved security measures added to modern browsers, such as HSTS, SRI, CSP 2.0, telemetry handling, and improved certificate handling mechanisms — all mentioned in a new draft released for public debate last week.