Call of Duty 'fragged using OpenSSL's Heartbleed exploit'

Call of Duty: Black Ops II appears to have been compromised using the now infamous Heartbleed exploit, according to security researchers. The Heartbleed security bug is a simple example of memory leakage through an overflow vulnerability in the Heartbeat component of OpenSSL. Bits of memory in 64 kilobyte chunks may be extracted …
John Leyden, 10 Apr 2014
Snowden lawyer PGP email 'crack' flap: What REALLY happened?

The leak of a PGP-encrypted email between Ed Snowden's pet journalist Glenn Greenwald and a lawyer has created a bit of a fuss in crypto circles. Jesselyn Radack, a national security and human rights brief, said an encrypted email sent by her to Greenwald was this week leaked by persons unknown to Cryptome, the long-running …
John Leyden, 10 Apr 2014

Not just websites hit by OpenSSL's Heartbleed – PCs, phones and more under threat

While most of the buzz surrounding OpenSSL's Heartbleed vulnerability has focussed on websites and other servers, the SANS Institute reminds us that software running on PCs, tablets and more is just as potentially vulnerable. Institute analyst Jake Williams said the data-leaking bug “is much scarier” than the gotofail in Apple's …

Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug

Analysis The password-leaking OpenSSL bug dubbed Heartbleed is so bad, switching off the internet for a while sounds like a good plan. A tiny flaw in the widely used encryption library allows anyone to trivially and secretly dip into vulnerable systems, from your bank's HTTPS server to your private VPN, to steal passwords, login cookies …

Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed

The startling password-spaffing vulnerability in OpenSSL affects far more than web servers, with everything from routers to smartphones also at risk. The so-called “Heartbleed” vulnerability (CVE-2014-0160) can be exploited to extract information from servers running vulnerable versions of OpenSSL, and this includes email …
John Leyden, 9 Apr 2014
Cyber hostage-takers SCAMMED six times as many people last year

Malware-powered frauds that lock up victims' computers - or worse yet, encrypt files and force them to pay a fee to unlock their information - increased by 500 per cent during 2013, according to a study by Symantec. Symantec's latest global Internet Security Threat Report also revealed that targeted attack campaigns for the …
John Leyden, 9 Apr 2014
Chrome makes new password grab in version 34

Google has announced that Chrome 34 is now stable enough to be promoted to the Stable Channel. In a few days it will therefore become the default version for millions of users. Most of the updates to the browser are anodyne: there are 30-odd security fixes, a new look on Windows 8 and what Google labels “Lots of under the hood …
Mt Gox's 'transaction malleability' claim rubbished by researchers

By now, we all know the Magic the Gathering Online Exchange says it came undone because of a gap in the Bitcoin protocol called “transaction malleability”. Now, two ETH Zurich researchers have rubbished that claim. In this paper at Arxiv, Christian Decker and Roger Wattenhofer analyse a year's worth of Bitcoin activity to reach …

Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed

All over the world, systems administrators are scrambling to fix the OpenSSL “Heartbleed” bug. At the same time, certificate sellers are preparing to rub currency all over their bodies as Web admins virtually swipe the corporate Amex to revoke and renew their certs. OpenSSL's history reaches back to Eric Young's SSLeay. While it …
Office, IE, Flash fixes accompany Windows XP's final Patch Tuesday

Microsoft has released patches for critical security vulnerabilities in Word and Internet Explorer on what is to be the final Patch Tuesday update for Windows XP systems. The April edition of the monthly security update contains four bulletins that address a total of 11 vulnerabilities in various Microsoft products. Two of the …
Shaun Nichols, 8 Apr 2014

Not your father's spam: Trojan slingers attach badness to attachment WITHIN attachment

Cybercrooks are upping the ante by loading malware as an attachment inside another attachment in a bid to slip past security defences. A new variant of the Upatre Trojan comes bundled in spammed messages that imitate emails from known banks such as Lloyds Bank and Wells Fargo. The .MSG file of the malicious emails contains …
John Leyden, 8 Apr 2014

'Yahoo! Breaks! Every! Mailing! List! In! The! World!' says email guru

Email luminary John Levine has accused Yahoo! of sabotaging email lists for everyone, everywhere. In a post titled “Yahoo! Breaks! Every! Mailing! List! In! The! World! Including! The! IETF's!”, Levine explains “an emerging e-mail security scheme” called DMARC that “lets a domain owner make assertions about the From: address, in …

You can play Flappy Bird on a POINT OF SALE TERMINAL

Mobile Point of Sale (MPOS) devices can be easily hacked and leave banks and retailers wide open to fraud, warn infosec researchers. Security researchers from MWR InfoSecurity, the same security firm that researched serious vulnerabilities in chip-and-PIN devices back in 2012, demonstrated at last week's SyScan security …
John Leyden, 8 Apr 2014
Google kills fake anti-virus app that hit No. 1 on Play charts

"Virus Shield", an app that briefly shot to the top of the charts on Google Play, has turned out to be a complete fake and has therefore been pulled by Google. The scam, turned up by Android Police, is as simple as a con-man could wish for: the app includes almost no functionality whatever, yet it was briefly a chart-topper on …

Running OpenSSL? Patch now to fix CRITICAL bug

Sysadmins using the OpenSSL cryptographic library have an urgent job: patching a memory leak vulnerability that could reveal user IDs and passwords. Dubbed “Heartbleed”, the vulnerability was discovered by Google Security's Neel Mehta and announced by CloudFlare. As the terse OpenSSL advisory states: “A missing bounds check in …
The Great Hash Bakeoff: Infosec bods cook up next-gen crypto

Cryptographers are limbering up for a competition aimed at developing a next-generation password hash to create a better means for websites to store users' login credentials. In total 24 submissions have been made to the Password Hashing Competition. Cryptographers will now test the effectiveness of the two dozen entrants by …
John Leyden, 7 Apr 2014

Vint Cerf wanted to make internet secure from the start, but secrecy prevented it

The NSA acted as a barrier to the rollout of encryption as standard from the very inception of the internet back in the mid 1970s. Engineers had wanted to add a network encryption layer as part of the original specifications for TCP/IP. Whitfield Diffie and Martin Hellman had published a paper on public key …
John Leyden, 7 Apr 2014
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'

Several US states have launched an investigation into a subsidiary of credit reference bureau Experian after a fraudster allegedly bought millions of consumers' personal data from it. Vietnamese national Hieu Minh Ngo allegedly used information obtained through Experian subsidiary Court Ventures to run two identity fraud- …
John Leyden, 7 Apr 2014
Left swipe! That hot Tinder babe is a malware-flinging ROBOT

Hackers are abusing the popular Tinder dating app to spread malware and survey scams using bots and clever social-engineering trickery. Bots are luring users with tempting profiles and pictures using pictures from an Arizona-based photography studio, according to net security firm BitDefender. Some of these images have also been …
John Leyden, 7 Apr 2014
Microsoft spells out new rules for exiling .EXEs

Microsoft has updated the methodology it uses to define adware, a move designed to make it clearer just what the company considers worthy for removal by its malware tools. Redmond's new rules are simple: an application is adware if any of the following criteria are met: It breaks the “unwanted behaviour” rules (in more detail …
Drone 'hacked' to take out triathlete

A competitor in an Australian triathlon apparently failed to complete an event over the weekend after being felled by an unmanned aerial vehicle. Everything Geraldton reports that Raija Ogden was approaching the finish line of the Endure Batavia Triathlon when a “ … remote-controlled copter struck her head and she fell to the …
Tesla in 'Ethernet port carries data' SCANDAL

A Tesla enthusiast has sparked a thousand variations on headlines saying “Tesla hacked” by working out that in-car network traffic is visible on a port designed for service access to the network. The thread on the Tesla Motors Club forum begins in March, and reveals various traffic types that are visible on the network segment …

ACLU launches user-friendly database of every Snowden doc

The American Civil Liberties Union (ACLU) has launched a searchable online database that contains all of the documents obtained by Edward Snowden and made public since last June. "These documents stand as primary source evidence of our government's interpretation of its authority to engage in sweeping surveillance activities at …
Rik Myslewski, 5 Apr 2014

Bank-raid ZeuS malware waltzes around web with 'valid app signature'

A variant of the bank-account-raiding ZeuS Trojan is masquerading as a legit Windows app using a valid digital signature – and packs a rootkit to burrow deep into victims' PCs. It appears miscreants have somehow gained access to the private signing key belonging to a Microsoft-registered third-party developer in Switzerland, and …
John Leyden, 5 Apr 2014

Five-year-old discovers Xbox password bug, hacks dad's Live account

A five-year-old boy has found and exploited a password flaw in his Xbox to hack into his father's Xbox Live account. The parents of Kristoffer Von Hassel, from Ocean Beach in San Diego, California, noticed …
Iain Thomson, 4 Apr 2014
Win XP usage down but not out as support cutoff deadline looms

Windows XP usage on the web is decreasing as the venerable operating system edges ever closer towards its "end of life" from Microsoft support next week. Data from cloud security firm Qualys's QualysGuard service shows that the percentage of machines running XP decreased from 35 per cent as of January 2013 to 14 per cent in February 2014. …
John Leyden, 4 Apr 2014
China's Bitcoin exchanges begin pulling down the shutters

The Chinese central bank's Bitcoin crackdown, first signalled in December 2013, is coming to fruition as the middle kingdom's Bitcoin exchanges begin halting withdrawals. The FXBTC exchange has posted a notice saying that it received the instruction by telephone as part of the central bank's “Bitcoin risk prevention work”, …
Google's Nest halts sales of its fire alarm – because waving your hand switches it off

Google's Internet-of-Things wunderkind Nest is disabling a software feature called Nest Wave, citing safety concerns. In this letter to customers, Nest Labs CEO Tony Fadell writes: “During recent laboratory testing of the Nest Protect smoke alarm, we observed a unique combination of circumstances that caused us to question …
How much is a security bug report worth to Facebook? About $2,100

Facebook wasn't the first to offer security researchers bounties for reporting vulnerabilities – but the social network reports it paid out $1.5m in 2013 for bug reports, and says it is increasing the amount of cash on offer in the coming year. According to the advertising giant, it received 14,763 reports of suspected flaws …
Iain Thomson, 3 Apr 2014
Your files held hostage by CryptoDefense? Don't pay up! The decryption key is on your hard drive

A basic rookie programming error has crippled an otherwise advanced piece of ransomware dubbed CryptoDefense – but the crap coders are still pulling in more than $30,000 a month from unwary punters. Symantec reports that the malware, once it infects a Windows PC, encrypts the victim's files using a 2,048-bit RSA public key, …
Iain Thomson, 3 Apr 2014
'Bank couriers' who stole money from OAP cancer sufferer jailed

Two men have been jailed following their conviction for running a series of courier fraud scams in south London, Surrey and Sussex. Shaun Moore, 22, of no fixed abode and Jevon Grant, 20, of Croydon were sentenced to 18 months imprisonment and two years in a young offenders' institution, respectively. Both pleaded guilty to …
John Leyden, 3 Apr 2014

'Good job, NSA! You turned Yahoo! into an encryption beast'

Yahoo! has announced major encryption improvements designed to thwart dragnet surveillance efforts by the likes of the NSA. Alex Stamos, Yahoo!'s recently appointed CISO (chief information security officer), said the internet giant has finished encrypting traffic between its data centres. Stamos also outlined a roadmap for …
John Leyden, 3 Apr 2014
What took you so long Apple? 26 remote exec bugs die in OS X Safari

Apple has fixed 27 vulnerabilities in its Safari web browser for OS X computers, 18 of which were uncovered by Google's Chrome Security Team. All but one of the flaws allow miscreants to execute arbitrary code on victims' computers. The iPhone giant said its Safari 7.0.3 and 6.1.3 update will close the holes, which were found in …
Shaun Nichols, 2 Apr 2014

'Dads from the Midwest' pull down their email-spaffing LinkedIn plugin

A controversial browser plug-in that offered to reveal LinkedIn users’ private email addresses has been withdrawn by its developers, at least for now. Sell Hack added a “Hack In” button to LinkedIn profiles, which sometimes (but not always) displayed email addresses that supposedly allowed users to contact LinkedIn users …
John Leyden, 2 Apr 2014
Dimwit hackers use security camera DVRs as SUPER-SLOW Bitcoin-mining rig

Miscreants are using hacked digital video recorders in a somewhat misguided attempt to mine the cryptocurrency Bitcoin. Hackers have created custom code to infect devices normally used for recording footage from security cameras. After getting in, likely by taking advantage of weak default passwords, a common security mistake with …
John Leyden, 2 Apr 2014

Extended Random: The PHANTOM NSA-RSA backdoor that never was

Over the last day or so the security press has been touting stories of a second NSA-induced backdoor in RSA's encryption software BSafe. But it appears to be more sound and fury than substance. The brouhaha was kicked off by a Reuters report into an as-yet-unpublished academic study examining the cryptographically crap Dual …
Iain Thomson, 2 Apr 2014
SmartTV, dumb vuln: Philips hard-codes Miracast passwords

Video Demonstrating once again that consumer electronics companies don't understand security, ReVuln has turned up a hard-coded password in Philips “smart” televisions. Shown off in the video below, the vulnerability is simplicity itself: the WiFi Miracast feature is switched on by default, has a fixed password (“Miracast”, for heaven …

Password bug let me see shoppers' credit cards in eBay ProStores, claims infosec bod

A serious vulnerability that potentially allowed shoplifters to empty eBay ProStores shops and swipe customer credit cards has been fixed – according to the security researcher who says he found the hole. Mark Litchfield, an infosec pro at Securatary, told us he discovered a flaw in eBay-owned ProStores that not only opened the …
John Leyden, 1 Apr 2014
Angry Birds developers downplay fresh data leak claims

The developers of Angry Birds have hit back at renewed allegations that the ultra-popular game leaks users' personal information. Security vendor FireEye put out a detailed critique of Angry Birds last week claiming that the smartphone game leaked data like a sieve. An early March update of Angry Birds, available through Google …
John Leyden, 1 Apr 2014
Researcher lights fire under Tesla security

A security researcher is calling on Tesla to introduce two-factor authentication for access to the combination of services that make its Tesla S model one of the most “Internet of Things” vehicles in the world today. As noted by Threatpost, researcher Nitesh Dhanjani has found that the combination of a mere six-character …

Snowden files latest: NSA and GCHQ targeted German satcomms

The NSA and GCHQ hacked into the systems of three German satellite communication providers, according to the latest leaks from the files of Edward Snowden, fugitive ex-NSA sysadmin. Der Spiegel reports that GCHQ and the NSA tried to infiltrate internal networks run by satellite comms firms Stellar, Cetel and IABG. Stellar …
John Leyden, 31 Mar 2014
Crack CERT warriors arrive to save UK from grid-crippling hack attacks

The UK is finally getting a national Computer Emergency Response Team (CERT), with the delayed launch of the organisation taking place today. CERT-UK, a key component of the government's £650m National Cyber Security Strategy, will co-ordinate responses to hacking and malware-based cyber attacks on a national level. The …
John Leyden, 31 Mar 2014