Security > More stories

Brit govt told to do its homework ahead of talks over post-Brexit spy laws and data flows

There is no doubt that the UK's surveillance regimes will come under scrutiny in negotiations on continued data flows with Europe after Brexit, and the government needs to start preparing for that now, MPs have been told. The British government has been repeatedly warned that gaining an adequacy decision from the EU will not …
Rebecca Hill, 10 May 2018

IBM bans all removable storage, for all staff, everywhere

IBM has banned its staff from using removable storage devices. In an advisory to employees, IBM global chief information security officer Shamla Naidoo said the company “is expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive).” The advisory stated some …
Simon Sharwood, 10 May 2018

Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed

Updated Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers. At worst, miscreants can, potentially, "gain access to sensitive memory information or control low-level operating system functions," which is a fancy way of saying …

Second wave of Spectre-like CPU security flaws won't be fixed for a while

The new bunch of Spectre-like flaws revealed last week won't be patched for at least 12 days. German outlet Heise, which broke news of the eight Spectre-like vulnerabilities last week, has now reported that Intel wants disclosure of the flaws delayed until at least May 21. “Intel is now planning a coordinated release on May 21 …

Mirai botnet cost you $13.50 per infected thing, say boffins

Berkeley boffins reckon the Dyn-based Internet of Things attack that took down Brian Krebs' Website in 2016 cost device owners over $US320,000. Since the 2016 hit on KrebsOnSecurity involved devices in their tens of thousands, the costs to individuals (in power consumption and bandwidth charges) only end up a handful of …

It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V

Patch Tuesday Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on. Redmond emitted 68 patches alone, 21 rated critical and at least two being actively exploited in the wild. There are browser and …
Chris Williams, 09 May 2018

Red Hat smitten by secure enclaves 'cos some sysadmins are evil

Red Hat Summit Red Hat has revealed a plan to work with CPU-makers so that its wares can take advantage of in-silicon security features such as secure enclaves. The company today told attendees at its 2018 Summit in San Francisco that it will work with major silicon shops, including Arm, Intel, and AMD, to move operations such as handling …
Shaun Nichols, 08 May 2018

Equifax reveals full horror of that monstrous cyber-heist of its servers

Equifax has published yet more details on the personal records and sensitive information stolen by miscreants after they hacked its databases in 2017. The good news: the number of individuals affected by the network intrusion hasn't increased from the 146.6 million Equifax previously announced, but extra types of records …

Android P to improve users' network privacy

The forthcoming Android P release will protect the operating system's network processes against snoops and nasties. Android's problems lie in a folder and file inherited from Linux, the source of Android's kernel and its key structures: /proc/net. In a commit at Android Open Source, Google's Jeffrey Vander Stoep launched the …

Hacking charge dropped against Nova Scotia teen who slurped public records from the web

Cops in Halifax, Nova Scotia, Canada, will not pursue charges against a 19-year-old fella who had dared to download a cache of public documents. In a brief statement issued Monday, police said that, following nearly a month of investigation, there were "no grounds to lay charges" in a case that had drawn harsh criticism from …
Shaun Nichols, 07 May 2018

That Drupal bug you were told to patch weeks ago? Cryptominers hope you haven't bothered

A set of high-severity vulnerabilities in Drupal that were disclosed last month are now the target of widespread attacks by a malware campaign. Researcher Troy Mursch of Bad Packets Report has spotted hundreds of compromised Drupal sites being used to host "cryptojacking" malware that uses the CPUs of visitors to mine …
Shaun Nichols, 07 May 2018

NSA sought data on 534 MILLION phone calls in 2017

The United States’ Office of the Director of National Intelligence (ODNI) released its annual Intelligence Community Transparency Report last Friday, revealing the extent of America’s domestic intelligence-gathering efforts. Those efforts are certainly quite extensive. The report says America’s national security agencies …
Simon Sharwood, 07 May 2018

Password re-use is dangerous, right? So what about stopping it with password-sharing?

Two comp-sci boffins have proposed that websites cooperate to block password re-use, even though they predict the idea will generate "contempt" among many end users. Their expectation is founded on experience: Troy Hunt's HaveIBeenPwned is useful because so many people reuse passwords, and it currently claims to record more …

Cookie code compromise caper caught and crumbled

NPM, the biz responsible for the Node Package Manager for JavaScript and Node.js, has caught a miscreant trying to tamper with web cookie modules on Wednesday and managed to exile the individual and associated code before significant harm was done. It's a good sign for the code registry which over the past few years has had to …
Thomas Claburn, 04 May 2018

Penetrate the mind of the cyber criminal at SANS London July 2018

Promo As the security landscape constantly changes, keeping your data and systems safe from a growing variety of attacks becomes more challenging than ever. Reports of prominent organisations being hacked and suffering irreparable damage are increasingly common, and that means security-savvy employees who can detect and prevent …
David Gordon, 04 May 2018

Fresh fright of data-spilling Spectre CPU design flaws haunt Intel

Researchers have unearthed a fresh new set of ways attackers could potentially exploit data-leaking Spectre CPU vulnerabilities in Intel chips. German publication Heise reported that eggheads are preparing to disclose at least eight new CVE-listed vulnerability reports describing side-channel attack flaws in Chipzilla's …
Shaun Nichols, 03 May 2018

It's World (Terrible) Password (Advice) Day!

It's World Password Day! And you know what that means: all the effort you've put into trying to persuade people to rethink how they do passwords turns to mush because some company sees a PR opportunity and floods social media with terrible advice. This year's award for Terrible Password Advice goes to the wireless industry's …
Kieren McCarthy, 03 May 2018

European Space Agency wants in on quantum comms satellites

The European Space Agency is looking to build a communications satellite to send data securely using quantum key distribution. On Thursday, it signed a contract with SES Techcom S.A, a satellite communications company based in Luxembourg, to develop QUARTZ (Quantum Cryptography Telecommunication System). Quantum entanglement …
Katyanna Quach, 03 May 2018

Twitter: No big deal, but everyone needs to change their password

Twitter is ringing in World Password Day by notifying its users, all 330 million of them, that their login credentials were left unencrypted in an internal log file and should be changed. Chief technology officer Parag Agrawal broke the news on Wednesday that its internal team had found that, while passwords are usually stored …
Shaun Nichols, 03 May 2018

Hurry up patching those Oracle bugs: Attackers aren't waiting

Security experts are advising administrators to hurry up installing Oracle patches after finding that attackers are quick to target their vulnerabilities. The SANS Institute issued a warning after one of its honeypot systems was targeted by exploits of the CVE-2018-2628 remote code execution flaw in WebLogic just hours after …
Shaun Nichols, 03 May 2018

Using Docker and Windows Server Containers? There's a patch for that

Microsoft has emitted a patch to fix a critical vulnerability in a wrapper used to launch Windows Server Containers from Go. The issue (CVE-2018-8115) is a nasty one, allowing remote code execution when importing a container image due to a failure of the library to validate what was on the way in. Exploiting the issue could …
Richard Speed, 03 May 2018

Quit WebEx now if you want to live! (Bad bugs, not killer slideware)

It's time for Cisco's Midweek Misery, netadmins, with four critical vulns to patch and a slew of others to look over if you have time. WebEx has two nasties, CVE-2018-0112 and CVE-2018-0264. CVE-2018-0112 is a remote code execution (RCE) vulnerability in two clients (the WebEx Business Suite client and WebEx Meetings), and …

Oracle Access Manager is a terrible doorman: Get patching this bug

A security vulnerability in Oracle Access Manager leaves the network authentication tool leaning more toward "access" than "manager." The flaw, classified as CVE-2018-2879, can be exploited by a remote attacker to bypass an Oracle Access Manager (OAM) authentication screen and, in the process, take over the account of any user …
Shaun Nichols, 03 May 2018

Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin

LoJack for Laptops, a software tool designed to rat on computer thieves, appears to be serving a double purpose – by seemingly working with a Russian state-sponsored hacking team. The application allows administrators to remotely lock and locate, and remove files from, stolen personal computers. It's primarily aimed at …
Thomas Claburn, 02 May 2018

Vlad that's over: Remote code flaws in Schneider Electric apps whacked

Infosec researchers at Tenable Security have unearthed a remote code execution flaw in critical infrastructure software made by energy management multinational Schneider Electric. The vulnerability could have allowed miscreants to control underlying critical infrastructure systems, researchers said. The apps affected – used …
Kat Hall, 02 May 2018

Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores

Arm has released a new processor core design for Cortex-M-powered system-on-chips that will try to stop physical tampering and side-channel attacks by hackers. The microcontroller-grade Cortex M35-P CPU cores are aimed at embedded IoT devices that operate in public or areas where there is a risk someone will either crack open …
Shaun Nichols, 02 May 2018

North Korea's antivirus software whitelisted mystery malware

North Korea’s very own antivirus software has been revealed as based on a 10-year-old application made by Trend Micro, but with added nasties. So says Check Point, which was sent a copy of the “SiliVaccine” application and after analysis declared it contained “large chunks of 10+-year-old antivirus engine code belonging to …
Simon Sharwood, 02 May 2018

AWS sends noise to Signal: You can't use our servers to beat censors

Amazon has followed Google's example by lowering the boom on a practice called “domain fronting” that organisations like Signal use to get around government censorship. As defined by Amazon Web Services, "Domain Fronting is when a non-standard client makes a TLS/SSL connection to a certain name, but then makes a HTTPS request …

Scammers use Google Maps to skirt link-shortener crackdown

Scam sites have been abusing a little-known feature on Google Maps to redirect users to dodgy websites. This according to security company Sophos, who says a number of shady pages are being peddled to users via obfuscated Maps links. According to security shop Sophos, scammers are using the Maps API as a de facto link- …
Shaun Nichols, 01 May 2018

Bitcoin hijackers found at least one sucker for scam Chrome extension

Security researchers have caught a Bitcoin-hijacking Chrome extension that only managed to grab one Bitcoin transaction before being exposed. Trend Micro researchers said the malicious extensions used an attack technique that first emerged last year, dubbed FacexWorm, and added that they noticed re-emerging activity earlier …

Failbreak: Bloke gets seven years in the clink for trying to hack his friend out of jail

A Michigan fella will spend up to seven years and three months behind bars – for trying to hack government IT systems in the US state to get a friend out of jail. Konrads Voits, 27, of Ypsilanti, Michigan, received the 87-month sentence after he pleaded guilty to one federal charge of damaging a protected computer. He will …
Shaun Nichols, 30 Apr 2018

Brit healthcare system inks Windows 10 install pact with Microsoft

The UK government's Department of Health and Social Care has inked a deal with Microsoft to upgrade all NHS machines to Windows 10 – in a supposed attempt to boost resilience following the WannaCry incident last year. The …
Kat Hall, 30 Apr 2018

Thailand seizes server linked to North Korean attack gang

A server hidden in a Thai university and allegedly used as part of a North Korean hacking operation has been seized by ThaiCERT. Thailand's infosec organisation announced last Wednesday that the box was operated by the Norks-linked Hidden Cobra APT group, and was part of the command-and-control rig for a campaign called …

Umm, Oracle – about that patch? It might not be very sticky ...

Earlier this month, Oracle patched a critical vulnerability in its WebLogic server – but someone identifying himself as an Alibaba security researcher reckons Big Red botched the patch. The bug in question was fixed in Oracle's 254-strong quarterly patch-fest that was headlined by Java and Spectre fixes. Tucked way down on …

Windows USB-stick-of-death, router bugs resurrected, and more

Roundup Here's your summary of infosec news – from router holes to Windows crashes – beyond what we've already covered this week. TPLink? More like TPwnedLink, amiright? Anyone? Tim Carrington at Fidus Infosec went public on Thursday with not-so-new remote-code execution flaws in TPLink router firmware. We're told the security holes ( …
Shaun Nichols, 28 Apr 2018

Ozzie Ozzie Ozzie, oi oi oi! Tech zillionaire Ray's backdoor crypto for the Feds is Clipper chip v2

Analysis Those who cannot remember the past are condemned to repeat it, particularly if forgetfulness promises profit. Ray Ozzie, former CTO of Microsoft and the designer of Lotus Notes, is old enough to recall the battle over the Clipper chip, an ill-fated NSA-backed effort from 1993 through 1996 to require a US-government-accessible …
Thomas Claburn, 27 Apr 2018

Biting the hand that feeds IT © 1998–2018