DVLA denies driving licence processing site is a security 'car crash'

A UK government agency has disputed complaints from security pros that its website involved in the processing of driving licence applications is insecure and otherwise unfit for purpose. Reader Andy, who asked to remain anonymous, alerted us to what he described as a "disgraceful web server configuration" at https://motoring. …
John Leyden, 09 Mar 2018

Carnegie Mellon makes network security guru Jahanian president

Carnegie Mellon University has named computer science professor and Arbor Networks founder Farnam Jahanian as its new president. The researcher-turned-entrepreneur-turned-administrator takes over the permanent position after an eight-month temporary turn as president. Previously, he had led the university's academic department …
Shaun Nichols, 08 Mar 2018

Hansa down, this is cool: How Dutch cops snatched the wheel of dark web charabanc

The takedown of the Hansa dark web marketplace, done live on national TV by Dutch police, was possible because officers had been running the site themselves – and on Thursday they detailed how they did it. In 2016, security shop Bitdefender tipped off the Dutch plod that Hansa, one of the most popular dark web markets, was …
Iain Thomson, 08 Mar 2018

Will the defendant please rise? Utah State Bar hunts for sender of topless email

The Utah State Bar in America is investigating how a picture of a topless woman appeared in an email sent to all its members earlier this week. There was little to alert lawyers about what they were about to see when the email, titled "2018 Spring Convention Walk-Ins Welcome! Learn How!", popped up in inboxes. Those who did …
Kieren McCarthy, 08 Mar 2018

Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky

A close analysis of the code that took down part of the 2018 Winter Olympics computer network reveals a cunning plan to seemingly falsely pin the blame on North Korea. On the first day of the games in Pyeongchang, South Korea, the main website crashed, Wi-Fi networks around the events became unusable, and data was wiped from …
Iain Thomson, 08 Mar 2018

UK data watchdog raids companies suspected of 11 million nuisance texts

The Information Commissioner's Office has raided two companies thought to be behind 11 million nuisance texts sent to the public. Computer equipment and documents were seized for analysis at two Greater Manchester-based premises of the unnamed entities, the ICO said. The perpetrators are understood to have sent the text …
Kat Hall, 08 Mar 2018

Your entire ID is worth £820 to crooks on dark web black market

Fraudsters operating on the dark web could buy a person's entire identity ("fullz" in the cybercrook lingo) for just £820. Bank account details, Airbnb profiles and even logins are worth money to bidders that reside on the murkier side of the internet, a study by virtual private network comparison site …
John Leyden, 08 Mar 2018

Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU

Cisco's security developers have served up a parcel of patches. First up, there's a gem in Switchzilla's Secure Access Control System. The ACS (which ceased sale in August 2017) is a hardware-based login gatekeeper, and it's got a remotely-pwnable Java deserialisation bug. Cisco's notice for CVE-2018-0147 says an attacker …

IBM's homomorphic encryption accelerated to run 75 times faster

IBM has rewritten its C++ homomorphic encryption library and claims it now goes up to 75 times faster. Homomorphic encryption is a technique used to operate on encrypted data without decrypting it. This would make sensitive operations much more secure: for example, companies could encrypt their cloud-hosted databases, and work …

Audit finds Department of Homeland Security's security is insecure

The United States' Department of Homeland Security could do more to keep its IT systems secure, a government report has found. In an agency-wide audit titled "Evaluation of DHS' Information Security Program for Fiscal Year 2017" (PDF), the DHS's watchdog, the Office of Inspector General (OIG), concluded that DHS "could protect …
Thomas Claburn, 08 Mar 2018

Facebook Onavo Protect doesn't protect against Facebook

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off. In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, …
Thomas Claburn, 07 Mar 2018

Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Researchers have uncovered a critical buffer overflow vulnerability in all versions of the Exim mail transfer agent. The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers at risk of remote code execution attacks. Fortunately a patched version (Exim version 4.90.1) is already available. The bug …
John Leyden, 07 Mar 2018

cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today. The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large- …
Kat Hall, 07 Mar 2018

Women of Infosec call bullsh*t on RSA's claim it could only find one female speaker

Day one of the annual RSA conference in San Francisco on April 17 will have some competition after a group of female infosec professionals decided to hold their own shindig - titled Our Security Advocates or OURSA - to showcase the work of women in the field. Last week RSA was hammered on social media when its keynote speaker …
Iain Thomson, 07 Mar 2018

CryptoLurker hacker crew skulk about like cyberspies, earn $$$

A sophisticated mystery hacker group is using tactics more familiar to the world of cyber espionage to earn millions through mining malware. Kaspersky Lab researchers report that cybercrooks have begun using infection methods and techniques borrowed from targeted attacks in order to install mining software. The most …
John Leyden, 06 Mar 2018

Co-op Bank's shonky IT in spotlight as delayed probe given go-ahead

An inquiry into The Co-operative Bank's financial collapse is to open four years after it was first announced by former UK chancellor George Osborne. The Treasury today directed financial regulator Prudential Regulation Authority (PRA) to conduct a review into how the bank was regulated between 2008 and 2013, before a £1.5bn …
Kat Hall, 06 Mar 2018

Miner vs miner: Attack script seeks out and destroys competing currency crafters

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers. The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noted that it kills any other CPU-greedy processes it spots on target …

World's biggest DDoS attack record broken after just five days

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right. Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the …
Iain Thomson, 05 Mar 2018

Pennsylvania AG sues Uber over 2016 data fail

Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records. Pennsylvania state Attorney General Josh Shapiro says the dial-a-ride broker violated state data breach law when it failed to promptly file a report and notify both drivers and passengers of the loss of data. …
Shaun Nichols, 05 Mar 2018

Emirates dinged for slipshod online data privacy practices

Updated International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox. Modi, in an online post on Friday, said that after a customer books a flight through …
Thomas Claburn, 05 Mar 2018

Brit semiconductor tech ended up in Chinese naval railgun – report

A Chinese firm's buyout of a British semiconductor company may have directly led to China developing railgun weaponry and electromagnetic aircraft carrier catapults for its navy, according to reports. An anonymous source, identified as a former Dynex exec, told The Sunday Times that the acquisition of Dynex Semiconductor by …
Gareth Corfield, 05 Mar 2018

Spring break! Critical vuln in Pivotal framework's Data parts plugged

Pivotal's Spring Data REST project has a serious security hole that needs patching. Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These …
John Leyden, 05 Mar 2018

Cryptocurrency miners go nuclear, RSA blunder, Winner back in court, and plenty more

Roundup Here's a quick summary of infosec news from this week, beyond what we've already covered. Cloud security shop Cyren surveyed 500,000 websites over the past four months, and said it saw a 725 per cent increase in the use of surreptitious crypto-coin mining code. The bulk of that code has shown up in the past two months, and it' …
Iain Thomson, 04 Mar 2018

RedDrop nasty infects Androids via adult links, records sound, and fires off premium-rate texts

A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device. The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the …
John Leyden, 02 Mar 2018

US Navy gives Lockheed Martin $150m big frickin' laser cannon contract

Lockheed Martin, makers of the F-35 and various other bits of defence hardware, has been handed a $150m contract by the US Navy to build two bloody great laser cannons. The laser weapons will be delivered along with a long-range intelligence, surveillance and reconnaissance "capability" and are specified to be capable of …
Gareth Corfield, 02 Mar 2018

Train to become an expert cyber crime fighter

Promo As cyber threats seem to multiply and mutate at ever-increasing speed, it becomes difficult to be sure you are able to defend your organisation against an attack that could come from any direction. Security training leader SANS is running a series of courses at the Grand Connaught Rooms in London from 16 to 21 April that promise …
David Gordon, 02 Mar 2018

Microsoft lobs Skylake Spectre microcode fixes out through its Windows

Microsoft is pushing out another round of security updates to mitigate data-leaking Spectre side-channel vulnerabilities in modern Intel x64 chips. Redmond said those who run Windows 10 Fall Creators Update and Windows Server Core with Skylake (aka 6th-generation Core) CPUs can go through the Microsoft Update Catalogue to get …
Shaun Nichols, 01 Mar 2018

HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw was revealed on Twitter. The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A …
Iain Thomson, 01 Mar 2018

Equifax peeks under couch, finds 2.4 million more folk hit by breach

Embattled credit-reporting company Equifax has done some data crunching and discovered another 2.4 million people that had their information slurped by hackers. The biz, which was subject to one of the biggest data breaches in US history last May, has already had to revise up the number of affected individuals. The total …
Rebecca Hill, 01 Mar 2018

Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel's SGX secure environments, researchers claim. SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can …

German government confirms hackers blitzkrieged its servers to steal data

The German Interior ministry has confirmed that it has identified a serious attack against its servers, amidst reports that the culprits were the Russian APT28 – aka Fancy Bear – hacking group. On Wednesday local news site DPA International reported that the German government discovered a serious intrusion into its servers in …
Iain Thomson, 01 Mar 2018

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 01 Mar 2018

Brit spooks slammed over 'gentlemen's agreement' with telcos to get mass comms data

Privacy International has slammed the UK's spy agencies for failing to keep a proper paper trail over what data telcos were asked to provide under snooping laws, following its first ever cross-examination of a GCHQ witness. The campaign group was granted the right to grill GCHQ's star witness after he made a series of errors …
Rebecca Hill, 28 Feb 2018

Irish eyes are sighing: Data protection office notes olagoanin'* up 79%

The Irish Data Protection Commissioner received 79 per cent more complaints last year than in 2016, while data breach notifications rose 26 per cent. The figures, released in the commissioner's annual report for 2017 (PDF), show that the DPC's office received a record 2,642 complaints in 2017. That's a 79 per cent increase on …
Rebecca Hill, 28 Feb 2018

Got that itchy GandCrab feeling? Ransomware decryptor offers relief

White hats have released a free decryption tool for GandCrab ransomware, preventing the nasty spreaders of the DIY malware from asking their victims for money. GandCrab has been spreading since January 2018 via malicious advertisements that lead to the RIG exploit kit landing pages or via crafted email messages impersonating …
John Leyden, 28 Feb 2018

XM-Hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming. Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially …
John Leyden, 28 Feb 2018

Biting the hand that feeds IT © 1998–2018