Yawn, Wikileaks, we already knew about FinFisher. But these software binaries...

WikiLeaks is making the controversial FinFisher commercial spyware tool available for download as part of the latest in a series of leaks that have put the operations of the controversial business under the microscope. FinFisher, which was part of UK-based Gamma Group International until late 2013 before relocating to Germany, …
John Leyden, 15 Sep 2014

Freenode IRC users told to change passwords after securo-breach

A security breach at popular, free and open source software-focused IRC network Freenode means users need to change their passwords. Freenode's IRC server was compromised and passwords were likely sniffed by unidentified hackers, prompting a warning to users that they should reset their passwords as a precaution. The security …
John Leyden, 15 Sep 2014

Hey, scammers. Google's FINE with your dodgy look-a-like apps

Attackers can easily craft third party scripts to imitate Google to trick users into granting authorisation to their email accounts, says infosec chap Andrew Cantino. The Mavenlink engineer said Mountain View did not make it sufficiently clear when users were approving third party access to their data, thus making social …
Darren Pauli, 15 Sep 2014

Infosec geniuses hack a Canon PRINTER and install DOOM

Security researchers have demonstrated a hack that allowed them to get into the web interface of a Canon Pixma printer before modifying its firmware to run the classic 90s computer game Doom. The proof-of-concept demo by security researchers at Context Information Security, which involved remotely accessing the web interface on …
John Leyden, 15 Sep 2014

Snowden, Dotcom, throw bombs into NZ election campaign

Edward Snowden and Kim Dotcom have joined hands and waded into New Zealand politics ahead of the nation's forthcoming election, by alleging prime minister John Key has told fibs about his government's involvement with the NSA's nasties. Snowden has released a new missive in which he claims that the many tools with which he …

Hackers pop Brazil newspaper to root home routers

A popular Brazilian newspaper has been hacked by attackers who used code that attacked readers' home routers, says researcher Fioravante Souza of web security outfit Sucuri. Attackers implanted iFrames into the website of Politica Estadao, which, when loaded, began brute force password guessing attacks against users. Souza says …
Darren Pauli, 15 Sep 2014

New Snowden leak: US and Brit spooks 'tap into German telco networks to map end devices'

An NSA and GCHQ surveillance programme - dubbed Treasure Map - grants US and British spooks access to the networks of German telcos such as Deutsche Telekom, according to a new stash of leaked documents from Edward Snowden. Der Spiegel published the latest revelations today. However, Deutsche Telekom reportedly said it had found …
Kelly Fiveash, 14 Sep 2014

Apple Pay is a tidy payday for Apple with 0.15% cut, sources say

Banks and credit card providers are paying a hefty price to be part of Apple's new Pay system, unveiled by boss Tim Cook earlier this week. According to the Financial Times, which cited two people familiar with the terms inked between Cupertino and interested parties, 15 cents of a $100 purchase will be pocketed by Apple. As …
Kelly Fiveash, 13 Sep 2014

Not pro Bono: Apple's audio junk mail made spammers' lives easier

Comment Apple's decision to push a new album by Irish boy band U2 into the iCloud libraries of millions isn't just egregious. It arguably plays into the hands of scammers. Without warning, the iPhone maker emitted Songs of Innocence with all the haste of a critical security update after the group's appearance at its Apple Watch and …
John Leyden, 13 Sep 2014

Beware geeks bearing gifts: Steam-draining nasty spreads via Twitch

Infosec bods are warning of new malware spreading through game-streaming web hit Twitch: the software nasty subverts Steam accounts to drain players' wallets, and could take away all their precious weaponry. The malware spreads by bombarding users of Twitch's chat feature …
Iain Thomson, 12 Sep 2014

iPhone NFC: 'Apple, photos and security ... WHAT could go WRONG?'

QuoTW This was the week when Apple released their newest iteration of the iPhone and revealed the long heralded iWatch, sorry, justWatch: and told fanbois and gurrls that they could start paying for stuff with their mobes. But you knew that already. What does it all mean? Gartner veep Van Baker reckons that Apple has finally caught …

CryptoLocker-style ransomware booms 700 PER CENT this year

CryptoLocker-style ransomware is eight times more common now than in January, going a long way towards overtaking fake police warning ransomware scams, according to Symantec. The disruption of the GameOver Zeus banking trojan botnet back in late May took away one of the main distribution methods for CryptoLocker itself. …
John Leyden, 12 Sep 2014

UK.gov's flagship infosec program ISN'T DELIVERING - but all's still well, say auditors

The UK's National Cyber Security Programme is not yet delivering on its much-vaunted economic benefits but is still a worthwhile exercise, according to a report by government auditors. An update by the National Audit Office for Parliament's Public Accounts Committee on the government’s National Cyber Security Programme said that …
John Leyden, 12 Sep 2014

What kind of mugs do you take us for? Malicious sites in spam scams target UK

Spam destined for recipients in the UK is almost three times more likely to contain a malicious URL than unsolicited email sent to the United States. Unsolicited email in Germany and France is significantly less likely than mail sent to the US to contain malicious URLs. This means that, on average, an unsolicited email sitting …
John Leyden, 12 Sep 2014

spɹɐʍʞɔɐB writing is spammers' new mail filter avoidance trick

Spammers are writing emails backwards in an attempt to sneak past spam filters, security researcher Brian Bebeau has found. The pests were using left-to-right override code intended to facilitate the use of bi-directional text, such as a document that included English and Hebrew. The Trustwave researcher said the tactic had a …
Darren Pauli, 12 Sep 2014

Hacker publishes tech support phone scammer slammer

Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers. Weeks' day job is director at Root9b, but he's taken time to detail a zero-day flaw in Ammyy …
Darren Pauli, 12 Sep 2014

NORKS ban Wi-Fi and satellite internet at embassies

North Korea has sent a stern request to foreign embassies, asking them to stop using WiFi and satellite internet services within their walls. NKNews.org reports that the hermit kingdom's State Radio Regulatory Department has written to diplomatic missions to remind them that licences are required to operate radio equipment. …
Simon Sharwood, 12 Sep 2014

US! govt! ordered! Yahoo! to! hand! over! user! data! or! pay! $250k! fine! PER! DAY!

Yahoo! has tried to explain why it buckled under pressure from Uncle Sam to hand over its users' data to the US government - by promising to publish the court documents which ordered the snooping. Said filings will, we're told, show Uncle Sam threatened to make Yahoo! pay a $250,000 fine for every day it refused to hand over …
Iain Thomson, 12 Sep 2014

5 Nigerian gangs dominate Craigslist buyer scams

Just five Nigerian criminal gangs are behind a widespread type of fraud targeting sellers on Craigslist. The Lads from Lagos are going to considerable lengths of investing time and money in order to make their scams more plausible, according to a study by George Mason University researchers Damon McCoy and Jackie Jones. The …
John Leyden, 11 Sep 2014

Intellifridge terror: Internet of Stuff kit must fend off hackers of the FU-TURE-TURE-TURE

Internet of Stuff gadgets need to have security with a 10-year lifespan if they are to offer any kind of decent protection to people and national infrastructures, according to a new report. Beancounters at Beecham Research have been the latest to warn that the much-vaunted Internet of Things is going to run into security issues …

This flashlight app requires: Your contacts list, identity, access to your camera...

A global survey of more than 1,200 mobile apps has discovered that the vast majority (85 per cent) fail to provide basic privacy information. The global survey faulted apps for accessing large amounts of personal information without adequately explaining how they were collecting, using and disclosing personal information. Almost …
John Leyden, 11 Sep 2014

Leak of '5 MEELLLION Gmail passwords' creates security flap

Plain-text passwords and account names linked to five million Gmail accounts have been leaked onto several Russian forums. Security experts had already confirmed the data seemed legit, albeit approximately three years old, before Google put up its blog post on the subject. The leak, to a variety of forums, not all of which are …
John Leyden, 11 Sep 2014

Satellite weather forecast: Cloudy with a chance of p0wnage

Weather predictions could be thrown into chaos if miscreants exploited a litany of dangerous and years-old holes reported in ground control for the Joint Polar Satellite System (JPSS). The flaws, of which 12,703 are considered high risk, have been detailed in a US Government audit report that examined the state of security of …
Darren Pauli, 11 Sep 2014

Microsoft to patch ASP.NET mess even if you don't

Microsoft has taken the final step in sunsetting a dangerous server setting, announcing that all future versions of ASP.NET will enforce the deprecation of EnableViewStateMac=“false”. Since December 2013, when this security advisory landed, Redmond has warned sysadmins that the setting had a privilege escalation vulnerability. …

PayPal goes crypto-currency with Bitcoin

eBay's PayPal business will start accepting the crypto-currency Bitcoin for payments “over the coming months”. The move confirms rumours that emerged in August that the online store was in talks with Bitcoin processor Coinbase. Those talks involved Braintree, which the company acquired early this year, and according to …

TorrentLocker unpicked: Crypto coding shocker defeats extortionists

Crooks have borked the encryption behind the TorrentLocker ransomware, meaning victims can avoid paying the extortionists and unlock their data for free. TorrentLocker was regarded as the demonic spawn of CryptoLocker and CryptoWall which made killings last year by encrypting valuable data owned by individuals and organisations …
Darren Pauli, 11 Sep 2014

Webmin hole allows attackers to wipe servers clean

Holes in the Webmin Unix management tool - thankfully since patched - could allow attackers to delete data on servers, says security researcher John Gordon of the University of Texas. The remote root access server tool contained vulnerabilities in newly-created cron module environment variables that could erase data through …
Darren Pauli, 11 Sep 2014

2016: Robo-butlers, flying cars, and Google's internet Terminators hunting SHA-1 SSL certs

Google Chrome will flag up websites with SHA-1 SSL certificates as insecure – and that's a huge policy change which ought to kick businesses into action, says an expert in digital certificates. Only 15 per cent of sites use SHA-256 certificates, the replacement for SHA-1, according to stats from SSL Pulse. This means plenty of …
John Leyden, 10 Sep 2014

Payment security bods: Nice pay-by-bonk (hint: NO ONE uses it) on iPhone 6, Apple

Apple's confirmation that the iPhone 6 will enable contactless payments via NFC has received a broadly positive reaction from security firms and payment-processing vendors. Apple said it wouldn't access any payment data, so the transaction would take place between a user, bank and retailer. This privacy, along with ease of use …
John Leyden, 10 Sep 2014

Troll or thief? User claims Bitcoin founder Satoshi Nakamoto dox sabotage

An internet user has claimed to have hacked the email account of the entity thought to be behind Bitcoin - Satoshi Nakamoto - and has offered to release personal details for $12,000. Nothing is known about the identity of the claimed hacker and there is little evidence that they had details of Nakamoto to hand. Evidence for …
Darren Pauli, 10 Sep 2014

YouTube, Amazon and Yahoo! caught in malvertising mess

Cisco has spotted some big names serving up malicious advertising: YouTube, Amazon and Yahoo! among them. A Borg blogger, Armin Pelkmann, with fellow-authors Shaun Hurley and David McDaniel, writes that what the company calls the “Kyle and Stan” malware campaign began in May, and uses redirects to try and trick users into …

OpenSSL promises devs advance notice of future bugs, slaps if they blab

In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes. The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the …

Comcast using JavaScript to inject advertising from Wi-Fi hotspots

Comcast has begun injecting adverts onto the computers of users who sign up for its public Wi-Fi network, although the company prefers to use the term "watermark" to describe its efforts. The ISP operates over 3.5 million Wi-Fi hotspots around the USA and people who sign up for home or work internet can choose to add them into …
Iain Thomson, 10 Sep 2014

Microsoft tells judge: Hold us in contempt of court, we're NOT giving user emails to US govt

At Microsoft's own request, a judge has held the software giant in contempt of court for failing to comply with an order to give US authorities access to customer emails housed in a data center in Dublin, Ireland. Redmond's request was made jointly with government prosecutors, with the aim of expediting its appeal of the July 31 …
Neil McAllister, 10 Sep 2014

Microsoft unloads monster-sized can of bug spray on Internet Explorer, again

True to form, Microsoft has released its latest batch of monthly security fixes, although as expected, September's Patch Tuesday update is a relatively light one. As Redmond warned us, the only critical patches this time around are included in a big roll-up of fixes for Internet Explorer, which addresses one publicly disclosed …

Phishing miscreants THWART securo-sleuths with AES-256 crypto

Phishing fraudsters have begun using industry-standard AES-256 encryption to disguise the content of fraudulent sites. Obfuscated phishing sites are nothing new. Various techniques such as JavaScript encryption tools are commonly used but Symantec recently caught what it reckons is the first use of AES-256 encryption in dodgy …
John Leyden, 9 Sep 2014

Use home networking kit? DDoS bot is BACK... and it has EVOLVED

A router-to-router bot first detected two years ago has evolved - and now has the capability to reconfigure the firewalls of its victims. The Lightaidra malware captured by security researcher TimelessP (@TimelessP) is an IRC-based mass router scanner/exploiter that's rare because it spreads through consumer network devices …
John Leyden, 9 Sep 2014

Greater dev access to iOS 8 will put us AT RISK from HACKERS

Increased developer access to iOS 8 could result in decreased security, a mobile security expert warns. Apple's expected iPhone 6 / iOS 8 announcement later on Tuesday is expected to include adding a number of new features to iOS 8 for developers. This will involve opening up more of the underlying architecture – increasing the …
John Leyden, 9 Sep 2014

Ultimate hardware hack: Home Depot nailed by vice merchants

Do-it-yourself kingpin Home Depot has confirmed a report that it was breached, indicating the compromise occurred in April this year. The US retail chain was working with law enforcement over the compromise of payment terminals across stores in the country. Chief executive of the hacked firm Frank Blake admitted the breach in a terse …
Darren Pauli, 9 Sep 2014

Enigmail PGP plugin forgets to encrypt mail sent as blind copies

Enigmail has patched a hole in the world's most popular PGP email platform that caused mail to be sent unencrypted when all security check boxes were ticked. The dangerous hole in the Mozilla Thunderbird extension affected email that was sent only to blind carbon copy recipients on all versions below 1.7.2 released last month. …
Darren Pauli, 9 Sep 2014

Everyone taking part in Patch Tuesday step forward. NOT SO FAST, Adobe!

Adobe has pushed back the release date for a planned security fix in Acrobat and Reader. The company said that the patch for both Windows and OS X versions of Reader and Acrobat due for tomorrow will instead arrive next week. The delay will give the company time to iron out problems spotted during testing, the company said in …
Shaun Nichols, 9 Sep 2014

China is now 99.8% sure you're you, thanks to world's-best facial recognition wares

Chinese researchers have developed a facial recognition system that can pick faces from a crowd with 99.8 percent accuracy from 91 angles. The platform can distinguish between identical twins, unravel layers of makeup and still identify an individual if they've packed on or shed kilos. Researcher Zhou Xi of the Chinese Academy …
Darren Pauli, 9 Sep 2014