'We should have done better' – the feeble words of a CEO caught using real hospital IT in infosec product demos

The CEO of computer security biz Tanium has admitted his staff logged into hospital networks and accessed live IT systems during product demos with potential customers. Since 2014 Tanium sales executives have used healthcare systems at the El Camino Hospital in Mountain View, California, to demonstrate their endpoint …
Iain Thomson, 20 Apr 2017

Trump's self-imposed cybersecurity deadline is up: What we got?

Analysis On January 6, president-elect Donald Trump had a meeting with the heads of the intelligence services and came out with one action point: cybersecurity. "Whether it is our government, organizations, associations or businesses we need to aggressively combat and stop cyberattacks," an official statement read. "I will appoint a …
Kieren McCarthy, 20 Apr 2017

Online ad scam launders legions of pirates and pervs into 'legit' surfing

An elaborate online ad scam that disguised junk traffic as views on reputable sites has been costing advertisers as much as $7m per month. Fraudsters behind the "Traffic Alchemist" scam dressed junk traffic as quality views originating from Google and Twitter. They began by buying traffic, typically on porn or torrent sites, …
John Leyden, 20 Apr 2017

Mastercard launches card that replaces PIN with fingerprint sensor

Mastercard has unveiled its new biometric card which adds a fingerprint sensor to the chip as a replacement security measure to the four-digit PIN. When the biometric card is placed into a retailer's EMV terminal, the owner will be able to place their finger on the embedded sensor. Their fingerprint will then be verified …

Flaws found in Linksys routers that could be used to create a botnet

Multiple models of Linksys Smart Wi-Fi Routers have vulnerabilities that might be exploited to create a botnet, security researchers at IOActive warn. The flaws could be abused to overload a router and force a reboot, deny user access, leak sensitive information about the router and connected devices, or change restricted …
John Leyden, 20 Apr 2017

Microsoft shrugs off report that Edge can expose user identities from JS Fetch requests

Updated An independent researcher claims to have uncovered a security flaw in Microsoft Edge. The issue enables any website to identify someone by their username from another website, according to Ariel Zelivansky. More specifically the bod alleges that Edge exposes the URL of any JavaScript Fetch response, in contradiction to the …
John Leyden, 20 Apr 2017

Ambient light sensors can steal data, says security researcher

Security researcher Lukasz Olejnik says it is possible to slurp sensitive data with the ambient light sensors installed in many smartphones and laptops. The sensors are there so that devices can automatically change the brightness of screens, a handy trick that saves scrambles to change settings. But Olejnik says such sensors …
Simon Sharwood, 20 Apr 2017

We're spying on you for your own protection, says NSA, FBI

A new factsheet by the NSA and FBI has laid bare ludicrous contradictions in how US intelligence agencies choose to interpret a law designed to prevent spying on American citizens, but which they use to achieve exactly that end. While noting that the law specifically bans the gathering of information on US citizens, it then …
Kieren McCarthy, 19 Apr 2017

If you've stayed at a Holiday Inn you may have lost more than a good night's sleep (like maybe your bank card)

In February, Intercontinental Hotels Group alerted customers that some of its US locations had been infected with credit-card-stealing malware. Now it has admitted the cyber-outbreak is much worse than first thought. IHG, which owns brands like Holiday Inn and Crowne Plaza, has warned that around 1,200 of its hotels across the …
Iain Thomson, 19 Apr 2017

30,000 London gun owners hit by Met Police 'data breach'

London gun owners are asking questions of the Metropolitan Police after the force seemingly handed the addresses of 30,000 firearm and shotgun owners to a direct mail marketing agency for a commercial firm's advertising campaign. The first any of the affected people knew about the blunder was when the leaflet (pictured below) …
Gareth Corfield, 19 Apr 2017

UK.gov survey shines light on cybersecurity threats to businesses

Phishing and ransomware remain the most pressing security threats for UK business, according to a government-backed survey out Wednesday. The survey, commissioned by the Department for Culture, Media and Sport, found that the most common types of breaches are related to staff receiving fraudulent emails (in 72 per cent of …
John Leyden, 19 Apr 2017

Speaking in Tech: Hacking Microsoft Windows? That's cute

Podcast Ed, Melissa and Amy are joined by Chris Wysopal, noted hacker and CTO/co-founder of Veracode on this week's tech podcast. The crew talks about how hacking has evolved and the importance of secure software. The details... (0:00) Out and about (2:40) Over Slacking (4:30 …
Team Register, 19 Apr 2017

Fixing your oven can cook your computer

Updated If your Hotpoint cooker or washer's on the blink, don't arrange a repair by visiting the manufacturer's website: the appliance vendor has been inadvertently foisting nastyware onto visitors. As spotted by Netcraft, fake Java update dialogs started appearing on Hotpoint's UK and Republic of Ireland sites this week. If you click …
Simon Sharwood, 19 Apr 2017

Revealed: Scammers plaster Google Maps with pins to lure punters from honest traders

Computer scientists at the University of California, San Diego, and Google, are clamping down on fake businesses trying to scam victims through Google Maps. Most Google search results are influenced by your physical whereabouts. Googling restaurants, movie theaters, or hairdressers runs up a list of businesses Google Maps …
Katyanna Quach, 19 Apr 2017

Oracle patches Solaris 10 hole exploited by NSA spyware tool – and 298 other security bugs

Oracle today emitted a huge batch of 299 security fixes for its software – including a patch for a vulnerability exploited by a leaked NSA tool that can hijack Solaris systems. Details of the massive April dump can be found here: Oracle describes the updates as "critical," and urges admins to install them "without delay." …
Iain Thomson, 19 Apr 2017

Stop asking people for their passwords, rights warriors yell at US Homeland Security

Civil and digital rights groups are leading a campaign to stop the US Department of Homeland Security's demanding access to foreigners' social media accounts when entering America. In an open letter to DHS secretary John Kelly, the group argues that by forcing travelers from some countries to give border patrol agents free …
Shaun Nichols, 18 Apr 2017

Profit with just one infection! Crook sells ransomware for $175

Cybercrooks have begun retailing a new easy-to-use ransomware strain that promises profit with only one successful infection. Karmen is being sold on Dark Web forums from Russian-speaking cyber-criminal DevBitox for $175. The new ransomware-as-a-service variant offers a graphical dashboard, allowing purchasers to keep a …
John Leyden, 18 Apr 2017

Large UK businesses are getting pwned way more than smaller ones

Larger businesses in the UK are far more likely to be victims of attacks than smaller ones, according to a survey by the British Chambers of Commerce. Nearly half (42 per cent) of companies with more than 100 staff have been hit by information spillages, hackers or malware attacks. This figure compares to 18 per cent of …
Team Register, 18 Apr 2017

That apple.com link you clicked on? Yeah, it's actually Russian

Click this link (don't fret, nothing malicious). Chances are your browser displays "apple.com" in the address bar. What about this one? Goes to "epic.com," right? Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words …
Kieren McCarthy, 18 Apr 2017

Leaked NSA point-and-pwn hack tools menace Win2k to Windows 8

Updated The Shadow Brokers have leaked more hacking tools stolen from the NSA's Equation Group – this time four-year-old exploits that attempt to hijack venerable Windows systems, from Windows 2000 up to Server 2012 and Windows 7 and 8. The toolkit puts into anyone's hands – from moronic script kiddies to hardened crims – highly …
Iain Thomson, 14 Apr 2017

All ready for that Easter holiday? Here's a mild MySQL security bug

A programming blunder has been uncovered in Oracle's MySQL that can potentially leak usernames and passwords to man-in-the-middle eavesdroppers. Known as "The Riddle," the flaw potentially allows a miscreant to intercept and obtain login credentials sent from MySQL clients 5.5 and 5.6 to servers. Apparently, a fix introduced …
Shaun Nichols, 14 Apr 2017

Sysadmin 'trashed old bosses' Oracle database with ticking logic bomb'

A systems administrator is being sued by his ex-employer, which has accused the IT bod of planting a ticking time-bomb on the company's servers to wipe crucial data. Nimesh Patel, of Shrewsbury, Massachusetts, is alleged to have broken the Computer Fraud and Abuse Act, trespassed, and committed conversion – that's legal jargon for …
Iain Thomson, 14 Apr 2017

Linux remote root bug menace: Make sure your servers, PCs, gizmos, Android kit are patched

A Linux kernel flaw that potentially allows miscreants to remotely control vulnerable servers, desktops, IoT gear, Android handhelds, and more, has been quietly patched. The programming blunder – CVE-2016-10229 – exposes machines and gizmos to attacks via UDP network traffic: any software receiving data using the system call …
Iain Thomson, 14 Apr 2017

Cerber surpasses Locky to become dominant ransomware menace

Cerber eclipsed Locky as the most common ransomware pathogen doing the rounds in the first three months of 2017. Cerber's control of the cybercrime market rose from 70 per cent market share in January to 87 per cent in March, according to the latest cybercrime tactics report by Malwarebytes Lab. The success of Cerber is down …
John Leyden, 13 Apr 2017

Callisto Group snoopers wreak havoc with leaked HackingTeam spyware

Leaked HackingTeam spyware was used by a cyber-spy group to collect intelligence. The Callisto Group cyber-spies collected intel on foreign and security policy in eastern Europe and the south Caucasus using spyware developed for law enforcement agencies, according to F-Secure Labs. The group – which remains active – has …
John Leyden, 13 Apr 2017

Free health apps laugh in the face of privacy, sell your wheezing data

Free health tracker apps pose a severe privacy risk, security researchers warn. Developers frequently neglect data protection and, worse, intentionally lure in users with free health gimmicks in order to monetise their data. Other sharp practices uncovered by the researchers include unsecured data transmission and ad tracking …
John Leyden, 13 Apr 2017

Irish! data! police! are! preparing! to! whack! Yahoo! over! that! hack!

Yahoo! is set to get a spanking under European Union data protection laws for the biggest of the many megabreaches it copped to last year. The Irish data protection commissioner has stated that a probe by the office into Yahoo!'s megabreach of 2014 – the one in which more than a billion user accounts were affected – has almost …

DTMF replay phreaked out the Dallas tornado alarm, say researchers

Strap yourself into the DeLorean: researchers from Duo reckon the Dallas tornado alarm incident was a case of old-style DTMF phreaking. On Friday night, someone figured out how to activate all 156 of the city's sirens in a stunt hack. It turns out the sirens, from Federal Signal, use one of the oldest signalling techniques …

SAP's TREX exposed HANA, NetWeaver

SAP has rushed out a patch for its TREX search engine, after security researchers found bugs in a 2015 patch. TREX is a search engine used in several SAP products, including its HANA database and its venerable NetWeaver application and integration platform. According to ERPScan, SAP thought it had patched the code injection …

Monster patch day for Juniper customers

Clear the diaries, Juniper sysadmins, a van-load of patches landed today. I suggest you join me in getting a coffee and settling in while we go through the list. The security fixes cover six fixes to Junos, one for the company’s EX Series switches, BIND fixes for SRX, vSRX and J-Series units, and multiple fixes for the …

SWIFT on security: Fresh anti-bank-fraud defenses now live

Inter-bank data comms biz SWIFT says it has introduced mechanisms to better protect money transfers from tampering. We're told the fresh defenses will make it easier for banks to track movements of money. The payment controls are part of SWIFT's Customer Security Programme, a set of mandatory IT and physical security …
Shaun Nichols, 13 Apr 2017

Half-baked security: Hackers can hijack your smart Aga oven 'with a text message'

Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned. All the hijackers need is the phone numbers of the appliances. The vulnerable iTotal Control models of the upmarket cookers contain a SIM card and radio tech that connects to mobile phone networks. This …
John Leyden, 13 Apr 2017

India to world+dog: Go ahead, please hack our elections ... if you can

Following demands for an investigation into the security of India's electronic voting machines, the country's election watchdog has invited all comers to hack its e-ballot boxes. A kerfuffle over the machines kicked off after a round of recent elections: some in the Indian parliament claimed tallies were maliciously altered by …
Iain Thomson, 12 Apr 2017

MPs worried Brexit vote website wobble caused by foreign hackers

A committee of MPs has expressed concerns that foreign hackers might have had a hand in crashing the UK's voter registration website last year shortly before the Brexit referendum. The Public Administration Committee concluded that a foreign cyber attack remains a potential reason that the "register to vote" site crashed on 7 …
John Leyden, 12 Apr 2017

Gordon Ramsay's in-laws admit plot to hack sweary celeb chef's biz

Gordon Ramsay's father-in-law has admitted conspiring to hack into the computer systems of businesses run by the celebrity chef. Christopher Hutcheson, 68, and his sons Adam, 46, and Christopher, 37, all admitted conspiracy to unlawfully access Gordon Ramsay Holdings Limited's computer systems at a hearing in London's Central …
John Leyden, 12 Apr 2017

Prisoners built two PCs from parts, hid them in ceiling, connected to the state's network and did cybershenanigans

We are impressed by five prisoners in the US who built two personal computers from parts, hid them behind a plywood board in the ceiling of a closet, and then connected those computers to the Ohio Department of Rehabilitation and Correction's (ODRC) network to engage in cybershenanigans. Compliments are less forthcoming from …

UK boffins steal smartmobe PINs with motion sensors

Updated with Apple fix The World Wide Web Consortium might want to take another look at its habit of exposing too much stuff to application interfaces: a UK researcher has demonstrated a JavaScript app can spy on smartphone sensors to guess the codes users employ to unlock the devices. The attack, published in the International Journal of …

TCP/IP headers leak info about what you're watching on Netflix

An infosec educator from the United States Military Academy at West Point has taken a look at Netflix's HTTPS implementation, and reckons all he needs to know what programs you like is a bit of passive traffic capture. The problem, writes Michael Kranch (with collaborator Andrew Reed), is information in TCP/IP headers are …

DARPA seeks SSITH lords to keep hardware from the Dark Side

America's Defense Advanced Research Projects Agency reckons too many vulnerabilities arise from hardware design errors, so it wants experts and boffins to propose better hardware-level security mechanisms. Baked-in security is a vexed question, for good reason: recipe slips can also hard-wire vulnerabilities into a chip. For …

Systems-on-a-chip are a huge, unaudited attack surface, says Project Zero's Wi‑Fi attack man

The internal inter-chip communications of devices like smartphones are a “huge, mostly unaudited attack surface,” according to Gal Beniamini of Google’s Project Zero, in his promised follow-up to last week’s demonstration of how to attack Wi‑Fi chips over the air. His April 4 “part one” prompted emergency patches from Apple …

Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes

Microsoft today buried among minor bug fixes patches for critical security flaws that can be exploited by attackers to hijack vulnerable computers. In a massive shakeup of its monthly Patch Tuesday updates, the Windows giant has done away with its easy-to-understand lists of security fixes published on TechNet – and instead …
Shaun Nichols, 11 Apr 2017

Homes raided in North West over data thefts from car body repair shops

Two properties in the North West of England were raided this morning as part of an ongoing investigation into nuisance calls related to data thefts from car body repair shops. The pair of search warrants — which had been obtained in court by the Information Commissioner's Office — were executed this morning at homes in …
