Security > More stories

fail

Missed patch caused Equifax data breach

Equifax has revealed that the cause of its massive data breach was a flaw it should have patched weeks before it was attacked. The company has updated its www.equifaxsecurity2017.com/ site with a new “A Progress Update for Consumers” that opens as follows: Equifax has been intensely investigating the scope of the intrusion …
Simon Sharwood, 14 Sep 2017
you_fail_extended_648

Credit reference agencies faulted for poor patching

Updated Experian and Annual Credit Report.com – an organization set up by Equifax, Experian and Transunion to meet US consumer finance regulations – left themselves exposed to a serious vulnerability in Apache Struts earlier this year. The security shortcoming raises important questions following the disclosure of a mega-breach at …
John Leyden, 13 Sep 2017
stop

Homeland Security drops the hammer on Kaspersky Lab with preemptive ban

Despite pending legislation to ban US federal government offices from using Kaspersky Lab security software, Homeland Security has issued a Binding Operational Directive demanding that the products be removed within 90 days. The directive gives government IT managers 30 days to identify which – if any – of their systems have …
Iain Thomson, 13 Sep 2017
Sharks with frikkin lasers.

Giant frikkin' British laser turret to start zapping stuff next year

The Dragonfire laser cannon consortium has unveiled a fullsize mockup of its shipborne blaster at the Defence and Security Exhibition International arms fair in London. The £30m Dragonfire laser turret mockup at DSEI 2017 The £30m turret-mounted laser cannon is being developed for the Royal Navy by a consortium formed of …
Gareth Corfield, 13 Sep 2017

Apple’s facial recognition: Well, it is more secure for the, er, sleeping user

Security watchers have given Apple’s introduction of facial recognition technology a cautious welcome. The newly unveiled iPhone X smartphone débuts an advanced facial recognition technology, called Face ID, which relies on Apple’s TrueDepth camera system. The technology features seven sensors and machine learning algorithms …
John Leyden, 13 Sep 2017
Kaspersky

Kaspersky shrugs off government sales ban proposal

Kaspersky Lab has laughed off attempts to have its wares banned from US government computers by saying it hardly sold to the Feds anyway. “Given that U.S. government sales have not been a significant part of the company’s activity in North America, Kaspersky Lab is exploring opportunities to better optimize the Washington D.C …
Simon Sharwood, 13 Sep 2017
Bitcoin

North Korea attacks Bitcoin bods to swell its war chest says FireEye

North Korea appears to have commenced online attacks aimed at acquiring Bitcoin so it can evade sanctions. South Korea's Cyber Warfare Research Center alleged a few weeks ago that at least one Bitcoin exchange had been targeted by a Nork hack, and now FireEye threat researcher Luke McNamara writes that “since May 2017, we have …
Simon Sharwood, 13 Sep 2017
frustration

SAP E-Recruiting bug could let you stop rivals poaching your people

SAP admins, there's an e-mail system bug that could give your HR department headaches, by blocking peoples from registering their e-mail with its E-Recruiting system. The problem is that a registration URL provided to job-seekers is predictable, meaning an attacker could put other peoples' e-mails into the system and guess the …
Man in suit performs double facepalm, presumably after witnessing incident of great stupidity. Photo by shutterstock

It's September 2017, and .NET lets PDFs hijack your Windows PC

While much of the tech world is still fixating on Apple's $1,000 face-reading iPhone, administrators are going to be busy testing and deploying this month's Patch Tuesday load. Microsoft, Adobe, and Google have all released patches to mark the second Tuesday of the month. The updates include fixes for Flash, Edge, Internet …
Shaun Nichols, 12 Sep 2017

Bish, bosh, Bashware: Microsoft downplays research on WSL Win 10 'hack' threat

Microsoft has downplayed the risks of running a Linux Bash shell command line on Windows 10 via its Windows Subsystem for Linux (WSL) feature after security researchers said the technology could help hackers smuggle malware past security scanners and onto Windows 10 machines. Researchers at Check Point say that a potential …
John Leyden, 12 Sep 2017
A close up at atomic level of limpits' teeth. Image via Portsmouth University

Bluetooth bugs bedevil billions of devices

Security experts have long complained that complexity is the enemy of security, but the designers of the Bluetooth specification have evidently failed to pay attention. Bluetooth is a wireless communication protocol for connecting devices over short ranges. It's used in mobile phones, wireless speakers, smartwatches, printers …
Thomas Claburn, 12 Sep 2017

D-Link router riddled with 0-day flaws

Updated A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first. Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without …
John Leyden, 12 Sep 2017

Another reason to hate Excel: its Macros can help pivot attacks

A white-hat has taken a good look at whether you can pivot an attack from one machine to others using Microsoft Excel, and you probably won't like what he found. The researcher, Matt Nelson of SpecterOps (@enigma0x3) writes that he's found loose default launch and access permissions, meaning a macro-based attack doesn't need …
Sorry Shutterstock image

Equifax backtracks arbitrate-don't-litigate plan for punters

Equifax has decided it will no longer try and impose arbitration on any of the millions of Americans who try to find out if they've been stung in its massive data leak. Following its 143-million-record megaleak, the company posted a Website meant to let worried people sign up for a credit file monitoring product – if they …
Certified and rejected stamps

Google to kill Symantec certs in Chrome 66, due in early 2018

Google has detailed its plan to deprecate Symantec-issued certificates in Chrome. The decision to end-of-life its trust for Symantec certificates was the outcome of a long tussle over dodgy certificates, which came to a head when certs for example.com and various permutations of test.com escaped into the wild. The absolute …
Justin Liverman

Crackas With Attitude troll gets five years in prison for harassment

A member of the short-lived Crackas With Attitude hacking troupe has received five years in prison, despite the fact that he hadn't actually hacked any accounts himself and had accepted a plea deal. Justin Liverman was sentenced to 60 months inside by Judge Gerald Bruce Lee in the Federal Court of the Eastern District of …
Iain Thomson, 11 Sep 2017
Woman and gun photo via Shutterstock

FireEye pulls Equifax boasts as it tries to handle hack fallout

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency. Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the …
John Leyden, 11 Sep 2017
Man sits on sand with laptop

44m UK consumers on Equifax's books. How many pwned? Blighty eagerly awaits spex on the breach

The impact of the Equifax data leak in the UK remains unclear days after the breach was first made public, amid reports estimating that the personal details of up to 44 million Brit could have been exposed. The credit reference agency and its UK subsidiaries provide services for UK companies including BT, Capital One and …
John Leyden, 11 Sep 2017

42: The answer to life, the universe and how many Cisco products have Struts bugs

More than 42 Cisco products might inherit the Apache Struts bug that emerged last week. Last Tuesday, Semmle researchers revealed the bug, which lets an attacker send a crafted request to Struts' REST API to inject malicious code. Like many vendors, Cisco long ago adopted the open-source Apache for its Web interfaces, and …
Downloading a patch

Everybody without Android Oreo vulnerable to overlay attack

Any unpatched Android phone running a version older than Oreo is going to need patching fairly soon, with researchers turning up a class of vulnerability that lets malware draw fake dialogs so users “okay” their own pwnage. The risk, according to Palo Alto Networks' researchers, comes from what's known as an overlay attack. …

Apache Foundation rebuffs allegation it allowed Equifax attack

The Apache Software Foundation has defended its development practices in the face of a report alleging its code was responsible for the Equifax data leak. QZ.com, an outlet run by Atlantic Media, alleged that the hack was the result of an attack on Apache Struts, which as we reported last week was found to have a flaw allowing …
Simon Sharwood, 11 Sep 2017
Raised hands vote

Virginia scraps poke-to-vote machines hackers destroyed at DefCon

Virginia's State Board of Elections has decided its current generation of electronic voting machines is potentially vulnerable, and wants them replaced in time for the gubernatorial election due on November 7th, 2017. The decision was announced in the minutes of the Board's September 8th meeting: “The Department of Elections …
best buy

Red panic: Best Buy yanks Kaspersky antivirus from shelves

Updated US big box retailer Best Buy has pulled from its shelves Kaspersky Lab's PC security software amid fears of Kremlin spies using the antivirus tool to snoop on Americans. Despite there being no concrete evidence to indicate that the security software is a threat, the retail chain is ending its long relationship with Kaspersky, …
Iain Thomson, 08 Sep 2017
Soup Nazi

Scotiabank internet whizzkids screw up their HTTPS security certs

The team behind Scotiabank's Digital Banking Unit isn't impressing some customers, after forgetting to renew the security certificates for their own website. The DBU was set up last year to sell "world class digital solutions" to electronic banking customers around the world. But Jason Coulls, CTO of food safety testing …
Iain Thomson, 08 Sep 2017
window

Microsoft says it won't fix kernel flaw: It's not a security issue. Suuuure

A design flaw within the Windows kernel that could stop antivirus software from recognizing malware isn't going to be fixed, Microsoft has said. The issue, spotted this week by enSilo security researcher Omri Misgav, lies within the system call PsSetLoadImageNotifyRoutine, which has been part of Microsoft's operating system …
Iain Thomson, 08 Sep 2017
Take a number machine

Surprising nobody, lawyers line up to sue the crap out of Equifax

Less than 24 hours after credit monitors Equifax revealed it had lost the personal data of more than 130 million Americans, two class action suits have been filed. The suits, separately filed in the Portland, Oregon and North Georgia US District Courts, accuse the credit reporting company of negligence and violations of the US …
Shaun Nichols, 08 Sep 2017
open_door_648

Mexican tax refund site left 400GB of sensitive customer info wide open

Mexican VAT refund site MoneyBack exposed sensitive customer information online as a result of a misconfigured database. A CouchDB database featuring half a million customers' passport details, credit card numbers, travel tickets and more was left publicly accessible, security firm Kromtech reports. More than 400GB of …
John Leyden, 08 Sep 2017
Terrified wet man with wrench rings plumber

Equifax mega-leak: Security wonks smack firm over breach notification plan

Credit reference agency Equifax has been criticised for its breach response in the wake of the disclosure on Thursday of a megahack that affected the data of up to 143 million people in the US alone. The credit reference agency admitted that criminals may have been able to access data including names, social security numbers, …
John Leyden, 08 Sep 2017
Woman stares at laptop screen, shocked. Pic by shutterstock

HSBC biz banking crypto: The case of the vanishing green padlock and... what domain are we on again?

HSBC has been faulted for redirecting business customers to a website that is not obviously secure. Rob Jonson, director of Hobbyist Software, who alerted us to the issue, was concerned that he'd fallen victim to a phishing scam. I logged into my HSBC business account, and the site failed to give me any info. Then I looked …
John Leyden, 08 Sep 2017
Rage

Stand up who HASN'T been hit in the Equifax mega-hack – whoa, whoa, sit down everyone

Vid Global credit reporting agency Equifax admitted today it suffered a massive breach of security that could affect almost half of the US population. In a statement, the biz confessed that hackers managed to get access to some of its internal data in mid-May by exploiting a vulnerable website application. They remained on the …
Iain Thomson, 07 Sep 2017

Wonder why Congress doesn't clamp down on its gung-ho spies? Well, wonder no more

Analysis When Edward Snowden revealed the extent of illegal operations carried out by American spy agencies, many wondered whether the US Congress was either unaware or had simply turned a blind eye toward them. Nevertheless, Congress did act, restricting some programs and declaring others illegal. Even the notoriously secretive FISA …
Kieren McCarthy, 07 Sep 2017
Dunce

Top tip, hacker newbs: Don't use the same Skype ID for IoT bot herding and job ads

Updated An alleged teenage tearaway with a passion for building botnets was caught using the same Skype ID he used for hacking activities when applying for jobs. Researchers at NewSky Security claim they spotted the 13-year-old's Skype name on job ad message boards and a website called Daddyhackingteam, which hosts numerous code …
Iain Thomson, 07 Sep 2017
Security guard, picture via Shutterstock

Microsoft slings bulked-up Windows Defender preview at world+dog

Microsoft says its upcoming Windows 10 Creators Update will include new capabilities in the Windows Defender Advanced Threat Protection security suite. Redmond says the updated Defender ATP tools are now open for public preview and will hit general availability this fall with the Creators Update. "This focused security …
Shaun Nichols, 07 Sep 2017

Achtung! German election tabulation software 'insecure'

Software used in Germany for vote counting is insecure, according to research by the Chaos Computer Club (CCC). The white-hat hackers found multiple vulnerabilities and security holes in German national voting software. The findings were released by the group on Thursday, just weeks before the upcoming vote on September 24 to …
John Leyden, 07 Sep 2017

.UK domains left at risk of theft in Enom blunder

Updated Thousands of UK companies were at risk of having their .uk domain names stolen for more than four months by a critical security failure at domain registrar Enom. The security lapse allowed .uk domains to be transferred between Enom accounts with no verification, authorisation or logs. Any domains hijacked would have been “ …
John Leyden, 07 Sep 2017

Keep your data safe from lockup malware flinging thieves

Promo Ransomware has become one of the most damaging threats on the internet. In recent years viruses have proliferated, spreading through spam emails and off-the-shelf malware kits that even criminals with minimal IT expertise can use to hijack and encrypt data, then demand a ransom to unlock it. The sums of money have grown – and …
Nicole Segre, 07 Sep 2017

Biting the hand that feeds IT © 1998–2017