It was starting to feel like Intel was overdue for serious Management Engine ( ME ) vulnerabilities . But this week , researchers at Positive Technologies revealed Vulnerability-related.DiscoverVulnerability a new security flaw in the subsystem that could let attackers compromise its MFS file system . Intel has released Vulnerability-related.PatchVulnerability updates to address Vulnerability-related.PatchVulnerability the problem , though , so Intel CPU owners should make sure their firmware is up-to-date . ME has become a repeated source of problems for Intel and its customers . The utility is a chip-on-a-chip that allows IT managers to remotely access company PCs with tools like Intel 's Active Management Technology ( AMT ) . ME has its own network interface , memory , operating system and file system ( MFS ) that are kept separate from the main system in a bid to prevent it from allowing hackers to access ostensibly secure information . The problem is that researchers have discovered Vulnerability-related.DiscoverVulnerability numerous vulnerabilities in ME over the last few years ; Positive Technologies revealed Vulnerability-related.DiscoverVulnerability one in 2017 that allowed full takeover of ME via USB ( it 's since been fixed Vulnerability-related.PatchVulnerability ) . Now , it 's revealed Vulnerability-related.DiscoverVulnerability another one that allows someone with physical access to a system to compromise ME and `` manipulate the state of MFS and extract important secrets '' with the ability to `` add files , delete files and change their protection attributes . '' Positive Technologies said the attack can be used to learn four keys MFS uses to secure data -- the Intel Integrity Key , Non-Intel Integrity Key , Intel Confidentiality Key and Non-Intel Confidentiality Key -- that were supposed to be protected via a firmware update Intel released Vulnerability-related.PatchVulnerability in 2017 . Positive Technologies explained how someone with physical access to the system could bypass that patch to compromise those keys in its blog post : `` Positive Technologies expert Dmitry Sklyarov discovered Vulnerability-related.DiscoverVulnerability vulnerability CVE-2018-3655 , described in advisory Intel-SA-00125 . He found that Non-Intel Keys are derived from two values : the SVN and the immutable non-Intel root secret , which is unique to each platform . By using an earlier vulnerability to enable the JTAG debugger , it was possible to obtain the latter value . Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version . ... Attackers could calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value and therefore compromise the MFS security mechanisms that rely on these keys . '' Intel released Vulnerability-related.PatchVulnerability the Intel-SA-00125 firmware update to defend against this vulnerability on September 11 . But this is another point in favor of companies questioning -- or outright banning -- the use of ME in their systems . Purism avoids ME and the services it enables in its privacy-focused Librem notebooks , Google is working to remove ME from the Intel processors it uses and previous security flaws have raised concerns among consumers .

De Ceukelaire has discovered Vulnerability-related.DiscoverVulnerability that he can exploit Facebook to obtain cell phone numbers of users ; which they want to remain hidden . According to De Ceukelaire , he can easily identify the cell phone numbers of well-known personalities including top politicians and “ Flemish ” celebs simply through checking out their Facebook profile . This is done by analyzing the numbers that are associated with their profiles . It must be noted that these numbers are supposed to be confidential information and aren ’ t viewable by the public . Must Read : Hacking Facebook Account by Knowing Account Phone Number Reportedly , De Ceukelaire proved his claim Vulnerability-related.DiscoverVulnerability by obtaining the cell number of Jan Jambon , the Interior Minister for Belgium , through his Facebook profile . He further stated that : “ For clarity , I could find out his number on his account , not vice versa ; roughly , I think you get the number 20 percent of the Flemish people can find that way . Of all the people who have their mobile number linked to their profile goes to the 80 percent ” . De Ceukelaire already warned Vulnerability-related.DiscoverVulnerability the Facebook security team twice about this issue and stated that he might expose it to the public if the social network does not fix Vulnerability-related.PatchVulnerability the issue and make necessary changes . However , according to Facebook ’ s representatives , this isn ’ t a vulnerability that has been exploited Vulnerability-related.DiscoverVulnerability but a feature . He also notified law enforcement authorities about the exploitable aspect of this feature . “ If the users enter their private phone numbers and don ’ t lock them down in the privacy settings section , chances of a privacy leak are quite bright ” . Facebook informed De Ceukelaire about how to control the searching criteria , that is , who can search for you through your phone number or email address but De Ceukelaire asserts that this is a privacy leak because phone numbers are visible to the public while these are supposed to remain confidential . This problem was identified way back in 2012 because the cell number ’ s setting could not be set to visible by “ Only Me ” . Facebook did make Vulnerability-related.PatchVulnerability some modifications in its privacy settings feature , due to which only a limited number of reverse lookups would come from a particular IP address . This happened after a security researcher managed to access thousands of random phone numbers . But , it is apparent that the problem hasn ’ t been fixed Vulnerability-related.PatchVulnerability even today . It is worth noting that De Ceukelaire didn ’ t release details about how he managed to exploit Facebook to conduct this privacy leak and whether he used any different method than previous security researchers or not . But , yet again Facebook is paying no heed to his pleas of getting this feature fixed and he has been given the same ‘ Feature not Flaw ’ reply this time as well

Insecure backend databases and mobile apps are making for a dangerous combination , exposing Attack.Databreach an estimated 280 million records that include a treasure-trove of private user data . According to a report by Appthority , more than 1,000 apps it looked at on mobile devices leaked Attack.Databreach personally identifiable information that included passwords , location , VPN PINs , emails and phone numbers . Appthority Mobile Threat Team called Vulnerability-related.DiscoverVulnerability the vulnerability HospitalGown and said Vulnerability-related.DiscoverVulnerability the culprit behind the threat are misconfigured backend storage platforms including Elasticsearch , Redis , MongoDB and MySQL . “ HospitalGown is a vulnerability to data exposure caused , not by any code in the app , but by the app developers ’ failure to properly secure the backend servers with which the app communicates , ” wrote the authors of the report released Vulnerability-related.DiscoverVulnerability Wednesday . According to Seth Hardy , director of security research , the problem is a byproduct of insecure database instillations that made headlines Vulnerability-related.DiscoverVulnerability in February . That ’ s when misconfigured and insecure MongoDB , Hadoop and CouchDB installations became popular extortion Attack.Ransom targets for hackers who were scanning for vulnerable servers to attack . The weak link in the chain when it comes to HospitalGown are the insecure servers that apps connect to , Hardy said . During the course of Appthority ’ s investigation , it found Vulnerability-related.DiscoverVulnerability 21,000 open Elasticsearch servers , revealing more than 43 terabytes of exposed data . In one scenario , the attacker looks for vulnerabilities in the space between the vendor ’ s mobile application and the app ’ s server side components , according to researchers . “ The servers for most mobile applications are cloud based and accessible via the Internet , this allows a bad actor to skip the long and potentially many-layered ‘ compromise ’ stage of an attack , accessing Attack.Databreach company data directly from a database that is impossible for the enterprise to see or secure , ” they wrote . Researchers said Vulnerability-related.DiscoverVulnerability vulnerable mobile apps it found Vulnerability-related.DiscoverVulnerability ran the gamut , from office productivity , enterprise access management , games , dating to travel , flight and hotel applications . Any personal identifiable data a user shared with the app was vulnerable Vulnerability-related.DiscoverVulnerability to possible exfiltration Attack.Databreach by a hacker . “ These servers were accessible from the Internet , lacked any means of authentication to prevent unwanted access Attack.Databreach to the data they contained , and failed to secure transport of data , including PII , using HTTPS : conventions , ” according to the report . While this is a strictly a data security issue , Appthority said Vulnerability-related.DiscoverVulnerability , attacks can quickly escalate and personal information could easily be leveraged in a spear phishing attack Attack.Phishing or brute force attack . In its report , AppThority showed how a mobile VPN app called Pulse Workspace , used by enterprises , government agencies and service providers , leaked Attack.Databreach data . While Pulse Workspace created an API to secure front-end Elasticsearch access , the backend , and all of the app ’ s data records , were exposed and leaked Attack.Databreach Pulse customer data . AppThority notified Vulnerability-related.DiscoverVulnerability Pulse Workspace and its customers of the vulnerability , which have since been fixed Vulnerability-related.PatchVulnerability . Appthority is careful to point out that of the platforms it examined – Elasticsearch , Redis , MongoDB , and MySQL – each had plugins to allow for proper public exposure on the internet . “ Best practices on secure data stores is just not being adopted in too many cases , ” Hardy said . Elasticsearch , for example , has a bevy of security and data protection capabilities , such as being able to encrypt all the data that ’ s on the platform . Increasing the risk of HospitalGown type-attacks is that fact that many apps Appthority looked at seemed benign in terms of shared user data . But , increasingly apps have advertising components that collect Attack.Databreach personal identifiable data that can be mined by hackers for phishing Attack.Phishing or ransomware attacks Attack.Ransom . App developers and system administrators need to know where their data is stored and make sure it is secured , Hardy told Threatpost .