Australian Health Minister Greg Hunt has denied state health officials are unable to access COVIDSafe app data to perform coronavirus contact tracing. During a press conference on Wednesday, Hunt was asked if reports, originally from The Guardian, that New South Wales Health officials have been unable to access the data for contact tracing were true. […] More

Scum. Scummy. Scummy-scum. That’s what I kept thinking as I started to put together this article. There are some people out there who are scum, scummy, scummy-scum. They use unfortunate events or unspeakable horrors as the foundation for scamming scared and vulnerable people out of their money. Now they’ve decided that COVID-19 is the new […] More

The developers of Libgcrypt have issued an urgent update to tackle a critical vulnerability reported in a recent version of the software. 

Libgcrypt is an open source cryptographic library and GNU Privacy Guard (GnuPG) module. While the code can be used independently, Libgcrypt relies on the library GnuPG ‘libgpg-error’.
Version 1.9.0 of the software was released on January 19. On Thursday, Google Project Zero researcher Tavis Ormandy publicly disclosed the existence of a “heap buffer overflow in libgcrypt due to an incorrect assumption in the block buffer management code.”
“Just decrypting some data can overflow a heap buffer with attacker-controlled data, no verification or signature is validated before the vulnerability occurs,” Ormandy said. “I believe this is easily exploitable.”
The researcher passed on his findings to libgcrypt developers. As soon as the report was received, the team published an immediate notice for users, “[Announce] [urgent] Stop using Libgcrypt 1.9.0!”.
In the advisory, principal GnuPG developer Werner Koch asked users to stop using version 1.9.0, which as a new release had begun to be adopted by projects including Fedora 34 and Gentoo. 
A new version of libgcrypt, version 1.9.1, was released in a matter of hours that addressed the severe vulnerability, of which a CVE number is yet to be assigned. 

In an analysis of the vulnerability, cryptographer Filippo Valsorda suggested that the bug was caused by memory safety issues in C and may be related to efforts to defend against timing side-channel attacks. 
Users that upgraded to libgcrypt 1.9.0 are urged to download the patched version as quickly as possible. 
“Exploiting this bug is simple and thus immediate action for 1.9.0 users is required,” the developers say. 
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

It has taken security researchers nearly ten months to discover a reliable method of cleaning smartphones infected with xHelper, a type of Android malware that, until recently, has been impossible to remove. The removal technique is described at the end of this article, but first some context for readers who want to learn more about […] More

Legislation surrounding the federal government’s coronavirus trace tracking mobile app, COVIDSafe, has been introduced to Parliament. The purpose of the Privacy Amendment (Public Health Contact Information) Bill 2020 is to assist in “preventing and controlling the entry, emergence, establishment, or spread of COVID-19 into Australia”, by amending the Privacy Act 1988 to provide stronger privacy protections for users […] More