

UK data watchdog: Massive fines won't keep data safe

The UK’s data protection watchdog has said issuing fines "left, right and centre" is not the way to ensure privacy. However, Information Commissioner Christopher Graham added that this doesn’t mean his office shouldn’t have those exact powers at its disposal. “The obligation laid on data protection authorities always to fine …
Jennifer Baker, 22 May 2015

mSpy: We haven't been breached. Customers: Oh yes you have

Controversial commercial spyware firm mSpy has denied it's been hacked, following an apparent breach of its systems several days ago. However, its contention that the incident is just the latest in a series of extortion attempts is seemingly undermined by confirmation that some of the private information leaked is genuine. mSpy …
John Leyden, 22 May 2015

Factory reset memory wipe FAILS in 500 MEELLION Android mobes

Half a billion Android phones could have data recovered and Google accounts compromised thanks to flaws in the default wiping feature, University of Cambridge scientists Laurent Simon and Ross Anderson have claimed. The gaffe apparently allows tokens for Google and Facebook, among others, to be recovered in 80 per cent of cases …
Darren Pauli, 22 May 2015

Big sales growth nothing to do with NSA fears - Huawei top brass

Chinese kit-maker Huawei isn't attributing swelling sales outside the Middle Kingdom to NSA snooping fears; rather, double-digit growth in Europe is related to brand recognition a decade after it set up shop there. According to 2014 numbers, the global Carrier operation climbed 16.4 to ¥192bn (£19.7bn), the Consumer division was …
Kat Hall, 22 May 2015

Hacker uses Starbucks INFINITE MONEY for free CHICKEN SANDWICH

Sakurity hacker Egor Homakov has found a way to dupe Starbucks into loading free cash onto the "coffee" chain's payment cards. Homakov says a race condition within Starbuck's card purchase system means money can be transferred between cards without it being deducted. The bug hunter exploited the bug and tested it by purchasing …
Darren Pauli, 22 May 2015

PCI council gives up, dumbs down PCI DSS for small business

The Payment Card Industry Security Standards Council has created a taskforce charged with improving security among small businesses. The prodigious task will be tackled by encouraging small businesses to adopt security best practice and a simplified Payment Card Industry Data Security Standard (PCI DSS). Barclaycard payment …
Darren Pauli, 22 May 2015

Snowden latest: NSA planned sneak attacks on Android app stores

The latest package of documents from whistleblower Edward Snowden details how the intelligence services planned to host man-in-the-middle attacks to install tracking and control software onto Android smartphones. According to a presentation released from the Snowden archive to The Intercept, the so-called "5 Eyes" nations' …
Iain Thomson, 22 May 2015

City of birth? Why password questions are a terrible idea

Using secret questions to give people access to their passwords is a terrible idea, according to a new paper from Google. A white paper [PDF] called "Secrets, Lies, and Account Recovery: Lessons from the Use of Personal Knowledge Questions at Google" dug into the data of millions of users' interactions with a range of password- …
Kieren McCarthy, 21 May 2015

WHOOPSIE! Vast US health insurer CareFirst plundered of 1.1 MEELLION records

More than 1.1 million user records have been compromised following a hack against US health insurer CareFirst BlueCross BlueShield. Data including members’ names, birth dates, email addresses and subscriber identification numbers may have been stolen by hackers as a result of a security breach last July. The hack was only …
John Leyden, 21 May 2015

Hacker launches ransomware rescue kit

Security bod Jada Cyrus has compiled a ransomware rescue kit to help victims decrypt locked files and avoid paying off crooks. The kit sports removal tools for common ransomware variants along with guides for how to perform the necessary tasks. Cyrus recommends users not pay ransoms as doing so sustains the criminal business …
Darren Pauli, 21 May 2015

Rand Paul stages Senate filibuster against Patriot Act

Update Senator Rand Paul (R-KY) is currently four hours into a filibuster on the Senate floor over plans to renew sections of the Patriot Act that allow mass surveillance of American citizens. Exclusive video that answers the question: why a filibuster? https://t.co/4HxwQn0IEw — Dr. Rand Paul (@RandPaul) May 20, 2015 "There comes a …
Iain Thomson, 21 May 2015

US plans to apply export controls to 0-days put out for comment

US proposals for export controls for zero-day vulnerabilities and malware have finally been pushed forward, re-opening the fault lines of a long-running argument among security experts in the process. The proposals (pdf) from the US Department of Commerce would introduce the Wassenaar Arrangement (WA) – an international …
John Leyden, 20 May 2015

Average enterprise 'using 71 services vulnerable to LogJam'

As many as 575 cloud-based services have been left at risk from the newly discovered LogJam crypto vulnerability, according to cloud security specialists Skyhigh Networks. LogJam gives attackers a means to weaken encrypted connections between a user and a web or email server. The vulnerability was discovered as part of …
John Leyden, 20 May 2015

Spy-tech firms Gamma and Trovicor target Shell Oil in Oman

Exclusive The Sultan of Oman's intelligence services are spying on the local operations of British oil company Shell with the aid of controversial European tech companies, the Register has learned. Documents seen by el Reg reveal that the internal phone systems at Petroleum Development Oman (PDO) - a joint venture between the Omani …
Alastair Sloan, 20 May 2015

Safari URL-spoofing vuln reveals how fanbois can be led astray

A recently published exploit for the Safari browser demonstrates a URL spoofing mechanism which might convince users they are visiting a legitimate website, when they are actually visiting another site which may be phishing their details. Deusen researchers have disclosed a vulnerability which may be exploited by hackers to …

Hi! You've reached TeslaCrypt ransomware customer support. How may we fleece you?

The TeslaCrypt ransomware gang raked in $76,500 in around 10 weeks, according to new research into the scam. TeslaCrypt, which was distributed through the widely-used Angler browser exploit kit, was first spotted in February 2015 by security researchers at Dell SecureWorks. After encrypting popular file types on compromised …
John Leyden, 20 May 2015

'Millions' of routers open to absurdly outdated NetUSB hijack

SEC Consult Vulnerability Lab's Stefan Viehböck says potentially millions of routers and Internet of Things devices using KCodes NetUSB could be exposed to remote hijacking or denial of service attacks. The packet fondler says the vulnerability (CVE-2015-3036) hits the Linux kernel module in scores of popular routers which serves …
Darren Pauli, 20 May 2015

Apple patches FREAK-ed out Watch

Apple has patched a dozen security flaws in Watch, including FREAK and two allowing arbitrary code execution. The updates cover Oracle hacker Marc Schoenefeld's arbitrary code execution which triggers (CVE-2015-1093) when the Apple Watch processes a maliciously crafted font file. It also squashes hacker Loki@ART's bug that …
Darren Pauli, 20 May 2015

Hackers pop submarine cable operator Pacnet, probe internal networks

Submarine cable and data centre operator Pacnet was breached last month by hackers rummaging through its corporate network and accessing emails and administration systems. Pacnet was recently acquired by Australia's Telstra, which today disclosed the breach of a "critical server" and is now informing customers and regulators about …
Darren Pauli, 20 May 2015

Manchester car park lock hack leads to horn-blare hoo-ha

Vehicles across an entire car park in Manchester had their locks jammed on Sunday as the apparent result of a botched criminally-motivated hack. No one at the Manchester Fort Shopping Park, in north Manchester, was able to lock their car's doors on Sunday evening as a result of the attack by persons as-yet unknown. Manual …
John Leyden, 20 May 2015

'Logjam' crypto bug could be how the NSA cracked VPNs

Updated A team led by Johns Hopkins crypto researcher Matthew Green* thinks they might have an explanation for how the NSA attacked VPN services: flaws in how TLS implements Diffie-Hellman cryptography. In what's bound to be the next big branded bug, Green says servers that support 512-bit "export-grade" Diffie-Hellman (DH) can be forced …

Airbus warns of software bug in A400M transport planes

A software bug may have caused the May 9 crash that grounded Airbus' troubled A400M military transport aircraft. Airbus has sent an alert to customers instructing them to conduct "specific checks of the Electronic Control Units (ECU) on each of the aircraft's engines". Spiegel reports that the bug caused three of the transport's …

Hacker data dumps scrape to make huge grey marketing database

Former password collector Steve Thomas plans to tear up the contact broker market by offering a database of 30 million names for free, all built on data sourced by scraping the web. The former PwnedList founder, and now SalesMaple CEO, says the database will soon balloon to almost 100 million records. Thomas said it will …
Darren Pauli, 20 May 2015

We caught Chinese technology spies RED-HANDED, claims US government

Six Chinese nationals acting as university professors and graduate students have been arrested on charges of stealing wireless technology from US firms and exporting it to the Middle Kingdom. The US Department of Justice (DOJ) has charged the group with attempting to lift intellectual property from two Silicon Valley companies: …
Shaun Nichols, 19 May 2015

Russia will fork Sailfish OS to shut out pesky Western spooks

Russia's Minister of Communications and Mass Media, Nikolai Nikiforov, has taken part in talks to form a consortium that will aid Russia in developing a custom mobile OS, reportedly a forked version of Jolla's Sailfish OS, to lessen its dependence on Western technology. Nikiforov held a working meeting last week with the …

Please no non-consensual BACKDOOR SNIFFING, Mr Obama

Google, Apple and 140 other technology companies will write to US President Obama today (19 May) to argue against plans which could see the security of electronic communications deliberately and compulsorily compromised for the sake of government surveillance access. The letter is intended to display the depth of support for …

South Korea mandates spyware installation on teenagers' smartphones

A law requiring the mass installation of spyware on teenagers' smartphones suggests that the frightening level of population control exercised by its neighbours in "Best Korea" has rubbed off on the Republic's administrators in Seoul. The Republic of South Korea's Communications Commission, a media regulator modeled after the …

Robots.txt tells hackers the places you don't want them to look

Melbourne penetration tester Thiebaud Weksteen is warning system administrators that robots.txt files can give attackers valuable information on potential targets by giving them clues about directories their owners are trying to protect. Robots.txt files tell search engines which directories on a web server they can and cannot …
Darren Pauli, 19 May 2015

IEEE's prescription for med-tech crowd: preventing hacks is better than a cure

Medical devices shouldn't be hackable, so the IEEE has published the first steps towards laying down decent security practice for the sector. From the late Barnaby Jack's work on insulin pumps through to this month's "hackable infusion pump", this decade has seen growing interest in medical device vulns. Working with the IEEE's …

Oracle releases antidote for VENOM vulnerability

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts. The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem. …
Darren Pauli, 19 May 2015

Redmond promises even MORE cloudy crypto

Get ready for the spooks to howl: Microsoft Research has developed another layer of security to lock up customer data in the cloud. What the Redmond boffins dub "VC3" – Verifiable Confidential Cloud Computing – takes advantage of Intel's SGX instruction set to create a "lockbox" for customers running MapReduce computations in the …

Airplane HACK PANIC! Hold on, it's surely a STORM in a TEACUP

Claims by a security researcher that he hacked an aircraft in flight have been questioned widely across the hacking community and the airline industry. According to an FBI affidavit, security researcher Chris Roberts claimed to have taken control of an airplane using an ordinary laptop connected to the aircraft's In Flight …
Iain Thomson, 19 May 2015

Screech! Grand Theft Auto V malware mods warning

Cybercrooks are cooking up malware disguised as mods for the Grand Theft Auto V video game. GTA V allows players to modify their gaming environment with "mods" (modifications). It's all been good fun, but recently two of the mods – "Angry Planes" and "No Clip" – have generated warnings on forums frequented by fans of the game. …
John Leyden, 18 May 2015

Welsh police force fined £160,000 after losing sensitive video interview

South Wales Police has been hit with a £160,000 fine for losing a video recording which formed part of the evidence in a sex abuse case. The lost DVDs contained film of an interview with a victim, who had been sexually abused as a child. Despite the DVDs containing a graphic and disturbing account of events, the discs were …
John Leyden, 18 May 2015

Ex 'Tech City' chief Shields appointed junior Fun minister for internet safety

Tory Baroness Joanna Shields OBE, ex-Tech City supremo, ex-head of Bebo*, ex-head of Facebook Europe and ex-MD of Google EMEA, has been appointed minister for internet safety and security. Shields was awarded the OBE in the 2014 New Year’s Honours list and elevated to the peerage the following August. The Telegraph reports that …
Simon Rockman, 18 May 2015

High-level, state-sponsored Naikon hackers exposed

The activities of yet another long-running apparently state-sponsored hacking crew have finally been exposed. The Naikon cyber-espionage group has been targeting government, military and civil organisations around the South China Sea for at least five years, according to researchers at Kaspersky Lab. The Naikon attackers appear …
John Leyden, 18 May 2015

Crude scammer targets Brit oil brokers

Panda Labs researchers have identified a scammer who is fleecing British oil buyers using a malware-free spin on the classic Nigerian scam. They say the scammers steal credentials from oil brokers to swindle buyers across Germany, Spain, and across Asia out of cash. The sting works using a PDF file in the first stage of the …
Darren Pauli, 18 May 2015

PANIC! RSA keys are compromised!

Just as quickly as a panic emerged about vulnerable 4096-bit RSA keys, it's been defused. The discussion started with this brief post at Loper-OS, with the headline claim that: “I am pleased to announce that we have now broken a 4096-bit RSA key, as well as its factor-sharing counterpart (yet to be determined, but won’t wait for …

Google App Engine Java sandbox is leaking, say researchers

Security Explorations hacker Adam Gowdiak says three partial Java sandbox security holes still exist in Google App Engine. Gowdiak says the problems stem from buggy implementations and lax security checks that mean evildoers could gain access to the Google cloud's Java environment. He dropped exploitation code after the ad …
Darren Pauli, 18 May 2015

Feds: Bloke 'HACKED PLANE controls' - from his PASSENGER seat

The FBI has accused an infosec security researcher of hacking into the controls of a United Airlines plane in midair via the inflight entertainment system, causing the aircraft to temporarily fly "sideways". Infosec chap Chris Roberts allegedly made that audacious claim to special agent Mark Hurley of the FBI, who subsequently …
Kelly Fiveash, 17 May 2015

Penn State University network sacked by China malware blitz

Penn State University has had to take networks in its school of engineering offline after falling victim to a malware attack traced partially to China. Acting on an FBI tip, the school found that PCs on the network of its College of Engineering were infected with malware that appeared to be trying to harvest research data and …
Shaun Nichols, 15 May 2015

Mobile spyware firm mSpy hacked, clients doxxed on dark web

Mobile spyware firm mSpy's database has appeared on the dark web, following an apparent hack on its systems last week. Emails, text messages, payment details, Apple IDs, passwords, photos and location data for mSpy users have all been exposed, according to investigative reporter Brian Krebs, who broke the story about the …
John Leyden, 15 May 2015