
Cryptocurrency miners go nuclear, RSA blunder, Winner back in court, and plenty more

Roundup Here's a quick summary of infosec news from this week, beyond what we've already covered. Cloud security shop Cyren surveyed 500,000 websites over the past four months, and said it saw a 725 per cent increase in the use of surreptitious crypto-coin mining code. The bulk of that code has shown up in the past two months, and it' …
Iain Thomson, 04 Mar 2018

RedDrop nasty infects Androids via adult links, records sound, and fires off premium-rate texts

A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device. The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the …
John Leyden, 02 Mar 2018

US Navy gives Lockheed Martin $150m big frickin' laser cannon contract

Lockheed Martin, makers of the F-35 and various other bits of defence hardware, has been handed a $150m contract by the US Navy to build two bloody great laser cannons. The laser weapons will be delivered along with a long-range intelligence, surveillance and reconnaissance "capability" and are specified to be capable of …
Gareth Corfield, 02 Mar 2018

Train to become an expert cyber crime fighter

Promo As cyber threats seem to multiply and mutate at ever-increasing speed, it becomes difficult to be sure you are able to defend your organisation against an attack that could come from any direction. Security training leader SANS is running a series of courses at the Grand Connaught Rooms in London from 16 to 21 April that promise …
David Gordon, 02 Mar 2018

Microsoft lobs Skylake Spectre microcode fixes out through its Windows

Microsoft is pushing out another round of security updates to mitigate data-leaking Spectre side-channel vulnerabilities in modern Intel x64 chips. Redmond said those who run Windows 10 Fall Creators Update and Windows Server Core with Skylake (aka 6th-generation Core) CPUs can go through the Microsoft Update Catalogue to get …
Shaun Nichols, 01 Mar 2018

HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw was revealed on Twitter. The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A …
Iain Thomson, 01 Mar 2018

Equifax peeks under couch, finds 2.4 million more folk hit by breach

Embattled credit-reporting company Equifax has done some data crunching and discovered another 2.4 million people that had their information slurped by hackers. The biz, which was subject to one of the biggest data breaches in US history last May, has already had to revise up the number of affected individuals. The total …
Rebecca Hill, 01 Mar 2018

Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel's SGX secure environments, researchers claim. SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that not even the operating system nor a hypervisor can …

German government confirms hackers blitzkrieged its servers to steal data

The German Interior ministry has confirmed that it has identified a serious attack against its servers, amidst reports that the culprits were the Russian APT28 – aka Fancy Bear – hacking group. On Wednesday local news site DPA International reported that the German government discovered a serious intrusion into its servers in …
Iain Thomson, 01 Mar 2018

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 01 Mar 2018

Brit spooks slammed over 'gentlemen's agreement' with telcos to get mass comms data

Privacy International has slammed the UK's spy agencies for failing to keep a proper paper trail over what data telcos were asked to provide under snooping laws, following its first ever cross-examination of a GCHQ witness. The campaign group was granted the right to grill GCHQ's star witness after he made a series of errors …
Rebecca Hill, 28 Feb 2018

Irish eyes are sighing: Data protection office notes olagoanin'* up 79%

The Irish Data Protection Commissioner received 79 per cent more complaints last year than in 2016, while data breach notifications rose 26 per cent. The figures, released in the commissioner's annual report for 2017 (PDF), show that the DPC's office received a record 2,642 complaints in 2017. That's a 79 per cent increase on …
Rebecca Hill, 28 Feb 2018

Got that itchy GandCrab feeling? Ransomware decryptor offers relief

White hats have released a free decryption tool for GandCrab ransomware, preventing the nasty spreaders of the DIY malware from asking their victims for money. GandCrab has been spreading since January 2018 via malicious advertisements that lead to the RIG exploit kit landing pages or via crafted email messages impersonating …
John Leyden, 28 Feb 2018

XM-Hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming. Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially …
John Leyden, 28 Feb 2018

Dutch name authority: DNSSEC validation errors can be eliminated

DNSSEC, which secures the ancient domain name system, is important to Internet security and privacy, but as APNIC luminary Geoff Huston wrote last week, there's evidence that its use could be declining. “From the validation perspective, the use of DNSSEC appeared to have peaked in early 2016 and has been declining since then”, …

Popular cache utility exploited for massive reflected DoS attacks

Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe. Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DOS attack on his blog and …

Intel gives Broadwells and Haswells their Meltdown medicine

Intel slipped out a new Microcode Update Guidance on Monday, revealing that lots of Haswell and Broadwell Xeons can now receive inoculations against the Meltdown and Spectre CPU design flaws. The new document (PDF) says Broadwell processors with CPUIDs 50662, 50663, 50664, 40671, 406F1, 306D4 and 40671 are ready for their …
Simon Sharwood, 28 Feb 2018

NSA boss: Trump won't pull trigger for Russia election hack retaliation

NSA boss Mike Rogers told a US congressional panel today that Russia’s online mischief-making in America's elections is not going to stop – because Uncle Sam isn’t hitting back. "I believe that President Putin has clearly come to the conclusion there’s little price to pay here, and that therefore I can continue this activity …
Iain Thomson, 27 Feb 2018

Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …
John Leyden, 27 Feb 2018

Fender's 'smart' guitar amp has no Bluetooth pairing controls

Updated Guitar amp manufacturer Fender's recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered. The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore "stream arbitrary audio to it and hijack your …
John Leyden, 27 Feb 2018

Opt-in cryptomining script Coinhive 'barely used' say researchers

Few sites are bothering to use the opt-in version of Coinhive, the controversial ride-along JavaScript crypto-mining package that requires end-users' consent to run. So said security firm Malwarebytes in an analysis emitted on Monday, but Coinhive developers disputed those findings and argued that a third of cryptomining-using …
John Leyden, 27 Feb 2018

RAT king thrown in the slammer for peddling NanoCore PC nasty

A bloke has been jailed for nearly three years for developing and selling malware that allowed miscreants to snoop on and remote-control victims' Windows PCs. Taylor Huddleston, of Arkansas, USA, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and peddling his $25 software nasty …
Shaun Nichols, 27 Feb 2018

You get a criminal record! And you get a criminal record! Peach state goes bananas with expanded anti-hack law

A proposed anti-hacking law in the US state of Georgia is raising all kinds of alarms – because it could chill security research, and criminalize anyone who breaks a website or ISP's T&Cs. The bill, SB 315, would expand the state's computer crime laws to include penalties for accessing a machine without permission even if no …
Shaun Nichols, 26 Feb 2018

Private browsing isn't: Boffins say smut-mode can't hide your tracks

A group of boffins working at MIT's Computer Science and Artificial Intelligence Laboratory believe that “private” browsing modes aren't private, so have given developers a framework to fix it. The problem, wrote Frank Wang with his thesis advisors (Nickolai Zeldovich and luminary James Mickens), is that even if you're using “ …

Cisco NFV controller is a bit too elastic: It has an empty password bug

Cisco's Elastic Services Controller's release 3.0.0 software has a critical vulnerability: it accepts an empty admin password. The Controller (ESC) is Cisco's automation environment for network function virtualisation (NFV), providing VM and service monitors, automated recovery and dynamic scaling. Cisco's advisory about the …

Stunning infosec tips from Uncle Sam, furries exposed, Chase bank web leak, and more

Roundup Happy weekend, everyone. Here's a roundup of computer security news beyond everything we've already reported this week. Last week a consortium of biz giants got together to set the bar on computer security because governments weren't getting their act together. Sadly, based on Uncle Sam's actions this week, it's clear such …
Iain Thomson, 24 Feb 2018

Tor pedo's torpedo torpedoed: FBI spyware crossed the line but was in good faith, say judges

Analysis US judges have shut down an appeal from a convicted pedophile who claimed the FBI hacking of his computer was an illegal and unreasonable search. Gabriel Werdene, 53, of Bucks County, Philadelphia, is serving two years in a federal prison for rummaging through the Playpen dark-web filth souk for images and footage of child …
Iain Thomson, 24 Feb 2018

Intel didn't tell CERTS, govs, about Meltdown and Spectre because they couldn't help fix it

Letters sent to the United States Congress by Intel and the other six companies in the Meltdown/Spectre disclosure cabal have revealed how and why they didn't inform the wider world about the dangerous chip design flaws. Republican members of the House Energy and Commerce Committee sent letters to the seven in January, to seek …
Simon Sharwood, 23 Feb 2018

OpenBSD releases Meltdown patch

OpenBSD's Meltdown patch has landed, in the form of a Version 11 code update that separates user memory pages from the kernel's – pretty much the same approach as was taken in the Linux kernel. A few days after the Meltdown/Spectre bugs emerged in January, OpenBSD's Philip Guenther responded to user concerns with a post …

That microchipped e-passport you've got? US border cops still can't verify the data in it

Two Democratic US senators have formally asked Uncle Sam's Customs and Border Protection (CBP) agency to get its act together on electronic passports. In 2005, America began issuing passports with implanted machine-readable RFID chips that contain the traveler's personal information. This data is cryptographically signed so …
Iain Thomson, 22 Feb 2018

uTorrent file-swappers urged to upgrade after PC hijack flaws fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software. If you're running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious …
Iain Thomson, 22 Feb 2018

Hey, you. App dev. You like secure software? Let's learn from Tinder, Facebook's blunders

App developers should take a long, hard look at how they use Facebook's Account Kit for identifying users – after a flaw in the system, and Tinder's use of the toolkit, left shag-seekers open to account hijacking. When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies …
Iain Thomson, 22 Feb 2018

Guys, you're killing us! LA Times homicide site hacked to mine crypto-coins on netizens' PCs

A Los Angeles Times' website has been silently mining crypto-coins using visitors' web browsers and PCs for several days – after hackers snuck mining code onto its webpages. The newspaper's IT staffers left at least one of the publication's Amazon Web Services S3 cloud storage buckets wide open to anyone on the internet to …
Shaun Nichols, 22 Feb 2018

Guess who else Spectre is haunting? Yes, it's AMD. Four class-action CPU flaw lawsuits filed

It's not just Intel facing a legal firestorm over its handling of the Spectre and Meltdown CPU design flaws – AMD is also staring at a growing stack of class-action complaints related to the chip vulnerabilities. At least four separate lawsuits have now been filed against the California-based processor slinger, alleging …
Shaun Nichols, 21 Feb 2018

If at first you don't succeed, you're likely Intel: Second Spectre microcode fix emitted

Updated For the second time of asking, Intel has issued microcode updates to computer makers that it says will mitigate the Spectre variant two design flaw impacting generations of x86 CPUs spewed out over previous decades. Yep, old Chipzilla has turned up at the scene of the metaphorical IT industry earthquake with a dustpan …
Paul Kunert, 21 Feb 2018

World's cyber attacks hit us much harder in past year – major infosec chief survey

Cyber security breaches were twice as severe in the past year, with total financial losses reaching $500,000 (£356,00) per business, according to an extensive survey of CISOs across the globe. Some 32 per cent of breaches affected more than half of an organisation's systems in 2017, up from 15 per cent the previous year, …
Kat Hall, 21 Feb 2018
