Tag: Flaw

NHS Covid app in England now able to log all test results after flaw fixed

Photograph: Carl Recine/Reuters

People tested for Covid-19 in NHS hospitals and Public Health England labs were unable to share their results with the NHS’s contact-tracing app in England, it has emerged.

The Department of Health and Social Care said on Saturday evening that the issue, which was revealed on Friday by the app’s official Twitter account as it responded to a complaint from someone unable to log their result, has now been fixed.

The app, which launched two days ago, requires a code that the user said was not provided in the text and email he received with his result.

“If your test took place in a Public Health England lab or NHS hospital, or as part of national surveillance testing by the Office for National Statistics, test results cannot currently be linked with the app whether they’re positive or negative. Thanks,” the NHS

Read More

Feds issue emergency order for agencies to patch critical Windows flaw


The US Department of Homeland Security is giving federal agencies until midnight on Tuesday to patch a critical Windows vulnerability that can make it easy for attackers to become all-powerful administrators with free rein to create accounts, infect an entire network with malware, and carry out similarly disastrous actions.

Zerologon, as researchers have dubbed the vulnerability, allows malicious hackers to instantly gain unauthorized control of the Active Directory. An Active Directory stores data relating to users and computers that are authorized to use email, file sharing, and other sensitive services inside large organizations. Zerologon is tracked as CVE-2020-1472. Microsoft published a patch last Tuesday.

An unacceptable risk

The flaw, which is present in all supported Windows Server versions, carries a critical severity rating from Microsoft as well as the maximum score of 10 under the Common Vulnerability Scoring System. Further raising the stakes was the release by multiple researchers of proof-of-concept

Read More

A Bluetooth Flaw Leaves Billions of Devices Vulnerable

The October issue of WIRED took a close, in-depth look at the state of election security. While lots of it isn’t pretty, we did find some pockets of hope. Data scientist Sara-Jayne Terp is on a mission to stamp out misinformation. The former Facebook employees at the nonprofit Acronym are hoping to use Trump’s 2016 strategies against him. And we dug into the story of STAR-Vote, an audacious plan to secure voting machine tech for good.

There’s more! We talked to Stacey Abrams about how to overcome voter suppression. We looked at how some countries have successfully stymied Russian interference efforts. And we explained how you’ll know for sure that the presidential election results are valid, no matter how loudly Trump yells that they’re going to be rigged.

Plenty of non-election news happened this week as well. Customs and Border Protection seized 2,000 OnePlus Buds, claiming they were counterfeit

Read More

Software flaw hid signs of $576 million state unemployment fraud, officials say

The state’s Employment Security Department took nearly a year to fix a software flaw that wound up playing a small but significant role in this spring’s massive unemployment fraud.

The disclosure comes as the agency shakes up its anti-fraud operations and personnel in the wake of the spring’s $576 million unemployment scam.

The software flaw, which ESD said resided in its three-year-old claims-processing system, meant the agency was sending out benefits payments before claims had been run through a so-called discovery process to check for fraud risk. 

“Claims were made, claims were paid and then discovery was run,” ESD Commissioner Suzi LeVine said during a Thursday interview. Even if unemployment claims were eventually flagged as having a high fraud risk, the sequencing flaw meant “they were already paid,” LeVine added.

As unemployment claims in Washington soared to historic levels during the coronavirus-triggered economic shutdown, criminals used bogus claims to siphon

Read More

New Bluetooth flaw leaves devices vulnerable to man-in-the-middle attacks

A new Bluetooth vulnerability could allow an attacker to downgrade or bypass Bluetooth encryption keys, opening the door to man-in-the-middle attacks or other types of malicious exploits.

The flaw, dubbed “BLURtooth,” resides in a component of the Cross-Transport Key Derivation (CTKD) standard and leaves devices vulnerable to man-in-the-middle attacks or other exploits. It affects all “dual-mode” devices running Bluetooth 4.0 or 5.0, which includes everything from the iPad Pro to the iPhone 11.

According to a security notice by the Bluetooth Special Interest Group (SIG), researchers at Purdue University and the Ecole Polytechnique Federale de Lausanne discovered that CTKD may permit escalation of access between two devices.

The CTKD component is used to negotiate authentication keys when pairing two Bluetooth devices, and works by deriving two different sets of keys, one for the Bluetooth Low Energy standard and one for the Basic Rate/Enhanced Data Rate standard.

However, the researchers discovered that an attack could leverage CTKD to

Read More

A Critical Flaw Is Affecting Thousands of WordPress Sites

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.

Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts

Read More