
Snowden files show NSA's AURORAGOLD pwned 70% of world's mobe networks

The NSA, and its British counterpart GCHQ, snooped on innocent telco employees and standards bodies to tap into mobile phone networks worldwide, according to the latest leak from the Edward Snowden archive. The mobile tapping system, dubbed AURORAGOLD, successfully cracked 701 of an estimated 985 cellular networks worldwide, …
Iain Thomson, 4 Dec 2014

Sony Pictures MEGAHACK: Securobods pull out probes, analyse badness

Security experts have been able to obtain and analyse samples of the malware linked to the Sony Pictures breach. An FBI advisory issued on Monday, leaked to Reuters, warned US businesses to be vigilant about a new strain of “destructive” malware. The link between the Sony breach and the malware described by the FBI is yet to be …
John Leyden, 4 Dec 2014

DeathRing: Cheapo Androids pre-pwned with mobile malware

A new mobile Trojan is being pre-loaded onto smartphones somewhere in the supply chain. DeathRing masquerades as a ringtone app and is impossible to remove because it’s pre-installed in the system directory, according to mobile security firm Lookout. Samples of the malware are restricted to entry-level phones purchased in Asian …
John Leyden, 4 Dec 2014

Big Blue patches big blooper in Endpoint Manager for mobes

Big Blue has patched a serious hole in its Endpoint Manager for Mobile Devices that allows attackers to gain remote access and compromise connected mobes. Endpoint Manager appears to have been written with Ruby, and the (flaw) means "attackers can create valid session cookies containing marshalled objects of their choosing," …
Darren Pauli, 4 Dec 2014

Deloitte's files on bean counters swept up in Sony hack stash – report

Bean-counting giant Deloitte has been pulled into Sony Pictures' ongoing nightmare – the one in which the movie giant was comprehensively hacked and gigabytes of sensitive files leaked online. Unreleased films, draft scripts, criminal record checks on staff, doctors' notes, passwords, encryption certificates, social security …
Shaun Nichols, 4 Dec 2014

Squashed bug opened EVERY PayPal account to hijacking

PayPal has plugged a huge hole that exposed every account to hijacking. The cross-site request forgery (CSRF) flaw reported by Egyptian researcher Yassar H Ali allowed attackers access to any PayPal account of their choosing if they were capable of convincing a target to click a link. A PayPal spokesperson confirmed the flaw to …
Darren Pauli, 4 Dec 2014

Facebook cosies up to ESET for malware detection

Facebook, which earlier this year started partnering with F-Secure and Trend Micro for malware detection, has added Slovak vendor ESET to its suite of security products. The previous tie-ups, detailed here, are worth noting to put the new partnership in context. F-Secure and Trend both pointed Facebook users at their free online …

Google kills CAPTCHAs: Are we human or are we spammer?

Google has developed a new CAPTCHA-like system to allow people, and not automated software, into websites with only a single click. The "No CAPTCHA reCAPTCHA" offers a tick box for humans to check rather than distorted text to decipher. It's designed so that automated spam software is still fooled by it and gets stuck on the …
John Leyden, 3 Dec 2014

Not sure what RFID is? Can't hack? You can STILL be a card fraudster with this Android app

Cybercrooks have developed an Android app that makes it possible to hack RFID payment cards, researchers discovered after a Chilean transport system was defrauded. The app at the centre of the scam hacked into the user’s radio frequency ID (RFID) bus transit card in order to recharge credits. The fraud-enabling Android tool, …
John Leyden, 3 Dec 2014

Hawking: RISE of the MACHINES could DESTROY HUMANITY

Professor Stephen Hawking has given his new voice box a workout by once again predicting that artificial intelligence will spell humanity's doom. In a chat with the BBC, Hawking said “the primitive forms of artificial intelligence we already have have proved very useful, but I think the development of true artificial …

Sony Pictures struggles as staff details, salaries and films leaked

It's getting worse for Sony: the latest data dump from the raid that's brought the company to an IT standstill includes the personal details of staff. Documents leaked through BitTorrent show the names, home addresses, salaries (and bonuses), and social security numbers of thousands of staff, including executives. Sony Pictures …
Darren Pauli, 3 Dec 2014

Alca-Lu security stuff goes virtual

Yet more of Alcatel-Lucent's portfolio has escaped its hardware prison to be virtualised: this time, it's the vendor's security solutions. Alca-Lu's Motive Security Guardian (MSG) – based on technology that came with Kindsight Security Labs, which it acquired in April 2013 – is to be turned into a virtualised service, the …

GCHQ boffins quantum-busted its OWN crypto primitive

While the application of quantum computers to cracking cryptography is still, for now, a futuristic scenario, crypto researchers are already taking that future seriously. It came as a surprise to Vulture South to find that in October of this year, researchers at GCHQ's information security arm the CESG abandoned work on a …

Google will see other clouds and raise them a PCI certification

Google has announced that it's obtained Payment Card Industry (PCI) certification for its cloud platform, chasing Microsoft and Amazon into the cloudy payment space. The Chocolate Factory outlined the certification in this blog post, also announcing WePay as the first developer using the system. WePay supplied the usual …

Fort Lauderdale websites DDoSed after Anonymous threats over feeding ban

Municipal websites in Fort Lauderdale, Florida suffered a distributed denial of service attack on Monday after Anonymous promised to disrupt the city's activities following the passing of local laws outlawing the feeding of homeless people. The attack occurred on Monday afternoon and led to massive congestion of the websites of …
Iain Thomson, 3 Dec 2014

Iranian CLEAVER hacks through airport security, Cisco boxen

An alleged Iranian hacking group whose existence is denied by the state is turning up the heat on its two-year global campaign to pop critical infrastructure systems, Cylance researchers say. The group was tied to Iran by the local infrastructure it was alleged to use in the attacks and appeared to have formed as a response to …
Darren Pauli, 3 Dec 2014

An alleged 27GB Sony Pictures data dump. 65 PlayStation web servers. One baffling mystery

Sony PlayStation website servers were used to distribute a 27.78GB archive potentially containing sensitive data swiped from Sony Pictures computers, it's claimed. Until early on Tuesday afternoon, San Francisco time, more than 60 systems seeding the archive on the BitTorrent network appeared to be virtual servers in the Amazon …
Iain Thomson, 3 Dec 2014

US parking operator: YEP, hackers got your names, credit card numbers, secret codes...

Point-of-Sale systems have been hacked at major US parking garage operator SP+. The breach has resulted in the exposure of customer financial information, SP+ explained in an advisory on Friday. SP+ said it had learned of the breach from the firm that handles its payment card processing. The firm operates about 4,200 parking …
John Leyden, 2 Dec 2014

FBI warns of disk NUKE malware after Sony Pictures megahack

The FBI has alerted US businesses to data-wiping malware after hackers, possibly in North Korea, ransacked computers at Sony Pictures. The malicious software described in the Feds' warning is pretty close to the malware believed to have infiltrated Sony's network. Miscreants have leaked gigabytes of passwords, personal records, …
John Leyden, 2 Dec 2014

Brits conned out of nearly £24m in phone scams IN ONE YEAR

Brits have lost three times as much money in phone scams in the last year as they did the year before, according to Financial Fraud Action UK. The organisation, which works with consumers, retailers and the police as well as the financial services industry, said that 58 per cent of people said they’d received suspect calls, up …

Device fingerprinting tech: It's not a cookie, but 'cookie' rules apply

Website operators that turn to new "device fingerprinting" technologies to track internet users' behaviour in place of "cookies" have to obtain users' consent in accordance with the same EU legal standards that apply to the use of cookies, an EU privacy watchdog has said. In a new opinion it has issued, the Article 29 Working …
OUT-LAW.COM, 2 Dec 2014

Silver-tongued phish bait lures execs, hooks M&A deals

A hacking group has been stealing identity information and reading emails to get the inside edge on stock markets to buy and sell to make quick profits. Vendor FireEye reckons the group sent articulate phishing emails with malicious attachments demonstrating "deep" knowledge of financial markets and corporate communications. In …
Darren Pauli, 2 Dec 2014

Australian Government funds effort to secure wearable data pulses

Wearable health devices could feed Australians' health data into official databases to improve diagnosis under security research funded by the Federal Government. The researchers want to find ways to secure wearable consumer devices and validate the identity of users in order to enable health practitioners to trust data feeds. …
Darren Pauli, 2 Dec 2014

OpenVPN plugs DoS hole

OpenVPN has patched a denial-of-service vulnerability which authenticated users could trigger by sending malicious packets. The flaw (CVE-2014-8104) is most hurtful to VPN service providers and was reported by researcher Dragana Damjanovic to OpenVPN last month. Maintainers said in an advisory issued this morning that the flaw …
Darren Pauli, 2 Dec 2014

Feds dig up law from 1789 to demand Apple, Google decrypt smartphones, slabs

The FBI has made it no secret that it hates Apple and Google's efforts to encrypt files in your smartphones and tablets. Now court documents have emerged showing just how far the Feds are willing to go to decrypt citizens' data. The paperwork has shown two cases where federal prosecutors have cited the All Writs Act – which was …
Iain Thomson, 1 Dec 2014

E-cigarettes fingered as source of NASTY VIRUS

E-cigarettes have been fingered as the source of a new computer virus. "IT guy" Jrockilla told the Talesfromtechsupport forum that he suspects the malware was "hard coded" into the USB charger of his boss's electronic toker. In his post, he says: The executive’s system was patched up to date, had anti-virus and up-to-date anti- …
Simon Rockman, 1 Dec 2014

Ex-GCHQ boss: Hey, UK.gov, have you heard how crap iPhone biometrics are?

Comment: If you're an ex-GCHQ spook, it seems the BBC will leap to attention when you've words of wisdom to impart about mobile security. Dear old Auntie Beeb has reported that former GCHQ boss Sir John Adye doesn’t trust the biometric security in the iPhone 6. As a story it’s got everything: top spy chief with a knighthood, mistrust of …
Simon Rockman, 1 Dec 2014

Pay with your credit card at station kiosk? 'Dare Devil' is targeting YOU

A financial malware strain has been found targeting payment systems behind transit systems and kiosks sucking up all manner of junk data, researchers say. The malware dubbed d4re|dev1l (dare devil) has been found in kiosks at Italy's regional transport company Azienda Regionale Sarda Trasporti, as well as at undisclosed …
Darren Pauli, 1 Dec 2014

EVIL researchers dupe EVERY 32 bit GPG print

Researchers have found collision attacks for 32-bit GPG keys, leaving the superseded technology well and truly dead. Eric Swanson and Richard Klafter used graphics processing units to clone fingerprints for each 32-bit key ID in the Web of Trust strong set. The feat took four seconds per key, increasing the chance that human error …
Darren Pauli, 1 Dec 2014

Weather Channel forecast: Bleak, with prolonged XSS

The Weather Channel has dammed a downpour of cross-site-scripting vulnerabilities that soaked three quarters of links on the popular site, security bod Wang Jin says. The website received a tsunami of traffic with more than a billion unique visitors checking in each month according to Drupal which noted it was the "highest …
Darren Pauli, 1 Dec 2014

IETF takes rifle off wall, grabs RC4 cipher's collar, goes behind shed

The IETF is getting ready to finally kill off the venerable-but-vulnerable RC4 cipher. The group has issued a last call for comments before humming over a proposal that Internet-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS). It's a simple enough change, but in the wide world of the …

Author fined $500k in first US spyware conviction

A US man has been handed a US$500,000 fine for selling the StealthGenie malware in the first prosecution of a mobile spyware slinger. Police collared Hammad Akbar, 31, in September after he allegedly sold the malware to an undercover agent in 2012. Akbar, a Danish citizen, sold the StealthGenie malware capable of intercepting …
Darren Pauli, 30 Nov 2014

Did North Korean hackers nobble Sony Pictures?

Sony Pictures has reportedly begun investigating possible hacking links to North Korea, following a savage attack on its network earlier this week. According to Re/code, which cited insiders, the company was yet to determine whether Nork hackers, possibly operating from within China, were behind the attack. As The Register …
Kelly Fiveash, 30 Nov 2014

Sony employees face 'weeks of pen and paper' after crippling network hack

Sony Pictures still hasn't recovered from a comprehensive attack on its computer networks – and staff have been reduced to doing their work by hand – according to insiders. "This notice stuck on lifts at Sony Pictures in London.. pic.twitter.com/RMZcQhjfYI" — James Dean (@JamesDeanTimes), November 28, 2014. The infiltration by …
Iain Thomson, 28 Nov 2014

That sub-$100 Android slab you got on Black Friday? RIDDLED with holes, say infosec bods

Those fighting through hordes of fellow crazed bargain junkies this Black Friday should avoid some of the cheapo Android tablets on offer. Security researchers at Bluebox Labs bought a dozen Android fondleslabs, each costing less than $100, and tested them for poor patching, dodgy OS installation, and sloppy security practices …
Iain Thomson, 28 Nov 2014

World's best threat detection pwned by HOBBIT

Some of the world's best threat detection platforms have been bypassed by custom malware in a demonstration of the fallibility of single-defence security. Five un-named top advanced threat detection products were tested against four custom malware samples written by researchers at Crysys Lab, Hungary and MRG-Effitas, UK. The …
Darren Pauli, 28 Nov 2014

Edward Snowden: best ... security ... educator ... EVER!

A good deal of folk aware of NSA leaker Edward Snowden have improved the security of their online activity after learning of his exploits, a large survey has found. Researchers from think tank The Centre for International Governance Innovation collected responses from 23,376 users between October and November and found 60 …
Darren Pauli, 28 Nov 2014

Cryptocurrency cruncher cranks prime number constellation

Bitcoin mining, our own Simon Rockman wrote last January, “is essentially a brute-force attack on the generating algorithm”. “Bitcoin, and all the other alt-coins, is training a skillset for building password-cracking hardware that is both powerful and portable,” he wrote. It looks like cryptocurrencies are also helping to spot …
Simon Sharwood, 28 Nov 2014

Leaked Syrian log files reveal attempts to starve rebels of information

Syria's Bashar al Assad-led regime blocked scores of legitimate services and entire network regions in its bid to scrub out access to sites such as Reddit, Google and Skype, the first analysis of the nation's web filtering reveals. Research by three Sydney researchers from National ICT Australia (NICTA), together with three …
Darren Pauli, 28 Nov 2014

Syrian Electronic Army in news site 'hack' POP-UP MAYHEM

The Syrian Electronic Army has compromised a number of news websites – apparently through DNS redirects via Gigya, a customer identity management platform used by all the sites. The Pro-Assad javascript popup appeared across several websites, including The Telegraph, The Independent, Forbes, Time Out, PC World and The Evening …
Jasper Hamill, 27 Nov 2014

Home Depot hacker hosing cost a wallet-draining $43m (so far)

Hacked hardware mart Home Depot has forked out $43m to quash spot fires emanating from the data breach inferno this year, SEC filing documents show. The payout covered damages from the theft of 56 million payment cards and 53 million email addresses. It covered the cost of investigating this year's five-month-long breach, …
Darren Pauli, 27 Nov 2014

Home Office: Fancy flogging us some SECRET SPY GEAR?

The Home Office is seeking suppliers for a £20m contract for a "bespoke tracking and surveillance system" for all law enforcement agencies. The tender for surveillance, security systems and devices also includes software "to meet the specific and unique operational requirements of a covert surveillance systems." Suppliers will …
Kat Hall, 27 Nov 2014