

Hey, you. App dev. You like secure software? Let's learn from Tinder, Facebook's blunders

App developers should take a long, hard look at how they use Facebook's Account Kit for identifying users – after a flaw in the system, and Tinder's use of the toolkit, left shag-seekers open to account hijacking. When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies …
Iain Thomson, 22 Feb 2018

Guys, you're killing us! LA Times homicide site hacked to mine crypto-coins on netizens' PCs

A Los Angeles Times' website has been silently mining crypto-coins using visitors' web browsers and PCs for several days – after hackers snuck mining code onto its webpages. The newspaper's IT staffers left at least one of the publication's Amazon Web Services S3 cloud storage buckets wide open to anyone on the internet to …
Shaun Nichols, 22 Feb 2018

Guess who else Spectre is haunting? Yes, it's AMD. Four class-action CPU flaw lawsuits filed

It's not just Intel facing a legal firestorm over its handling of the Spectre and Meltdown CPU design flaws – AMD is also staring at a growing stack of class-action complaints related to the chip vulnerabilities. At least four separate lawsuits have now been filed against the California-based processor slinger, alleging …
Shaun Nichols, 21 Feb 2018

If at first you don't succeed, you're likely Intel: Second Spectre microcode fix emitted

Updated For the second time of asking, Intel has issued microcode updates to computer makers that it prays will mitigate the Spectre variant two design flaw impacting generations of x86 CPUs spewed out over previous decades. Yep, old Chipzilla has turned up at the scene of the metaphorical IT industry earthquake with a dustpan …
Paul Kunert, 21 Feb 2018

World's cyber attacks hit us much harder in past year – major infosec chief survey

Cyber security breaches were twice as severe in the past year, with total financial losses reaching $500,000 (£356,00) per business, according to an extensive survey of CISOs across the globe. Some 32 per cent of breaches affected more than half of an organisation's systems in 2017, up from 15 per cent the previous year, …
Kat Hall, 21 Feb 2018

Bad news: 43% of login attempts 'malicious' Good news: Er, umm...

An extraordinary 43 per cent of all attempted online account logins are malicious, Akamai claims in its latest internet security report. "Credential abuse" is an increasingly popular line of attack, thanks in large part to the ready availability of huge user/password databases that have been stolen and are sold online. …
Kieren McCarthy, 21 Feb 2018

UK local gov: 37 cyber attacks a minute but little mandatory training

Britain's local governments were hit by almost 100 million cyber attacks in the last five years, while one in four councils' systems were successfully breached, according to research. Privacy campaign group Big Brother Watch sent Freedom of Information requests to all the UK's local authorities, asking for details of cyber attacks and …
Rebecca Hill, 20 Feb 2018

Year-old vuln turns Jenkins servers into Monero mining slaves

Here's a salutary reminder why it pays to patch promptly: a Jenkins bug patched last year became the vector for a multi-million-dollar cryptocurrency mining hijack. A campaign security researchers dubbed “JenkinsMiner” exploited CVE-2017-1000353, a deserialisation bug first disclosed with fixes by the Jenkins team in April …

Google reveals Edge bug that Microsoft has had trouble fixing

Google has again decided to disclose a flaw in Microsoft software before the latter company could deliver a fix. Indeed, Microsoft has struggled to fix this problem. Detailed here on Google's Project Zero bug-tracker, the flaw impacts the just-in-time compiler that Microsoft's Edge browser uses to execute JavaScript and makes …
Simon Sharwood, 20 Feb 2018

Crims pull another SWIFT-ie, Indian bank stung for nearly US$2m

A year after the SWIFT international bank transfer system enhanced its security, another breach has emerged: an Indian bank has confirmed that criminals gained access to its systems and made transfers totalling US$1.8 million. The Kumbakonam-based City Union Bank issued a statement [PDF] on Sunday February 18, in response to …

Australia's new insta-pay scheme has insta-lookup of any user's phone number

Updated The brand-new app implementing Australia’s New Payment Platform (NPP) system has a user enumeration flaw, but the organisation responsible for it considers it to be a feature. The NPP is an instant-money-transfer scheme implemented by Australia’s banks to give customers an app that can transfer money between account-holders, …

Global security crackdown, a host of code nasties, Brit cops mocked, and more

Roundup Here's a summary of this week's security news beyond what we've already reported. At the Munich Security Conference in Germany, major companies, including Siemens, Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom, signed a Charter of Trust for cybersecurity. The signatories were joined by Elżbieta Bieńkowska …
Iain Thomson, 17 Feb 2018

Hands up who HASN'T sued Intel over Spectre, Meltdown chip flaws

Intel says it is facing 32 separate class-action lawsuits following the revelations it shipped millions of processors with security design flaws dubbed Meltdown and Spectre. The figure was slipped into its annual 10-K financial filing, submitted earlier this week to the US Securities and Exchange Commission (SEC). Speaking to …
Shaun Nichols, 17 Feb 2018

Mueller bombshell: 13 Russian 'troll factory' staffers charged with allegedly meddling in US presidential election

Robert Mueller, the special prosecutor investigating foreign agents tampering with the 2016 US presidential election, has criminally charged 13 Russian nationals with conspiring against the United States. A 37-page grand jury indictment, revealed today, named staff at the Internet Research Agency troll factory as conspirators …
Shaun Nichols, 16 Feb 2018

PM urged to protect data flows post-Brexit ahead of Munich speech

Security experts have warned that Brexit could lead to data flows between the UK and European Union being "substantially curtailed". The community is amping up the pressure on government to ensure there is a legal basis for data transfer ahead of British Prime Minister Theresa May's speech at the Munich security conference …
Rebecca Hill, 16 Feb 2018
Psst. Belgium. Buy these Typhoon fighter jets from us, will you?

Great Britain, which is buying the US-made F-35 fighter jet, is urging European neighbour Belgium not to buy the US-made F-35 fighter jet. Instead the British government is lobbying Belgium to buy 34 British-built Eurofighter Typhoons. Belgium is in the middle of a major revamp of its air force and is planning to replace the …
Gareth Corfield, 16 Feb 2018

Russians behind bars in US after nicking $300m+ in credit-card hacks

Two Russian criminals have been sent down in America after pleading guilty to helping run the largest credit-card hacking scam in US history. Muscovites Vladimir Drinkman, 37, and Dmitriy Smilianets, 34, ran a massive criminal ring that spent months hacking companies to get hold of credit and debit card information. They then …
Iain Thomson, 16 Feb 2018

Techno-senator tells Tinder to hook up its app with better security

Cyber-senator Ron Wyden (D-OR) is asking execs from the parent company of Tinder to please use protection when spreading the love around. Wyden, a ranking member on the US Senate committee on finance (and a member of four other committees), said in a letter addressed to Match Group CEO Greg Blatt that he wants Tinder to use …
Shaun Nichols, 16 Feb 2018

Former ICE top lawyer raided US govt database to steal aliens' identities

Yet again an insider has been caught misusing a workplace computer system to conduct identity theft and fraud. Unusually, the perp was, at the time, serving as the head lawyer for the US government's Immigration and Customs Enforcement's (ICE) Office of Principal Legal Advisor (OPLA). And rather than turning to the …
Thomas Claburn, 15 Feb 2018

That terrifying 'unfixable' Microsoft Skype security flaw: THE TRUTH

Microsoft has poured a bucket of cold water on people freaking out over a supposedly unfixable security flaw in Skype. The infosec world was atwitter this week over fears and headlines of a nasty bug in Redmond's video chat app that apparently cannot be addressed without a massive code rewrite. That the programming blunder was …
Shaun Nichols, 15 Feb 2018

Dell EMC squashes pair of VMAX virtual appliance bugs

Dell EMC has patched two serious flaws in the management interface for its VMAX enterprise storage systems, one of which could potentially allow a remote attacker to gain unauthorised access to systems. The vendor announced that the VMAX vApp Manager had "Multiple Vulnerabilities" in a security advisory earlier this week. The …
Chris Mellor, 15 Feb 2018

Essex black hat behind Cryptex and reFUD gets two years behind bars

A 24-year-old Essex man behind the antivirus evasion site, who made an estimated half a million pounds from Bitcoin, has been jailed for two years. Goncalo Esteves, of Cape Close, Colchester, England, admitted two computer misuse offences and one charge of money laundering in January. He was sentenced today at …
Gareth Corfield, 15 Feb 2018

UK names Russia as source of NotPetya, USA follows suit

Updated The United Kingdom's Foreign and Commonwealth Office has formally "attributed the NotPetya cyber-attack to the Russian Government", specifically the nation's military. "The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," said a February- …
Simon Sharwood, 15 Feb 2018

PCI Council and X9 Committee to combine PIN security standards

The PCI Security Standards Council (PCI SSC) and financial services standards outfit the Accredited Standards Committee X9 have decided to combine forces on personal identification number (PIN) handling rules. Today, both have their own standards, which is a pain for organisations like banks that follow rules set by both …
Simon Sharwood, 15 Feb 2018

Hate to ruin your day, but... Boffins cook up fresh Meltdown, Spectre CPU design flaw exploits

When details of the Meltdown and Spectre CPU security vulnerabilities emerged last month, the researchers involved hinted that further exploits may be developed beyond the early proof-of-concept examples. It didn't take long. In a research paper – "MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting …
Thomas Claburn, 14 Feb 2018

US govt staffers use personal gear on work networks, handle biz docs on the reg – study

Employees of US government agencies are largely ignoring basic security measures. This is according to a study published this month by security biz Lookout, which suggests Uncle Sam's staffers may be putting confidential information at risk. According to a survey of 200 IT and security admins at US federal agencies, 67.5 per …
Shaun Nichols, 14 Feb 2018

Hua-no-wei! NSA, FBI, CIA bosses put Chinese mobe makers on blast

Don't trust the Chinese – that seemed to be the theme at Tuesday's open US Senate Intelligence Committee hearings on Capitol Hill. The directors of the NSA, CIA, FBI, National Intelligence, Defense Intelligence Agency and National Geospatial-Intelligence Agency were asked if they would personally use a smartphone from Huawei …
Iain Thomson, 14 Feb 2018

Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?

Four cryptography experts have backed a US Senator's campaign to force the FBI to explain how exactly a Feds-only backdoor can be added to strong and secure encryption. The four are: Stanford professor Martin Hellman, of Diffie-Hellman fame and who helped invent the foundations of today's crypto systems; Columbia professor and …
Kieren McCarthy, 14 Feb 2018

Three in hospital after NSA cops open fire on campus ram-raid SUV

Three people are in hospital after a car rammed a barrier at the NSA headquarters in Fort Meade, Maryland, today at around 0655 ET (0355 PT, 1155 UTC). A trio of blokes tried to drive onto the US intelligence agency's campus in a rented SUV, and were intercepted by spy cops, according to the FBI. The vehicle's driver was hurt …
Iain Thomson, 14 Feb 2018

Roses are red, Kaspersky is blue: 'That ban's unconstitutional!' Boo hoo hoo

Kaspersky Lab, the antivirus house, now claims that the US government's ban on its products amounts to punishment without trial. In court filings made late last year Kaspersky said it was intending to use the US Administrative Procedure Act to get the ban declared unconstitutional. Now, according to local reports, the Russian …
Gareth Corfield, 14 Feb 2018

From tomorrow, Google Chrome will block crud ads. Here's how it'll work

Starting tomorrow, Google, which makes most of its money from online advertising, will begin blocking egregious ads in its Chrome browser under limited circumstances – though it would really rather not. The reason, explained Chrome veep Rahul Roy-Chowdhury in a blog post on Tuesday, is that some ads suck. "It’s clear that …
Thomas Claburn, 14 Feb 2018

South China waters are red, Brit warships are blue, HMS Sutherland's sailing there

A British warship has set sail for the South China Sea, paving the way for aircraft carrier HMS Queen Elizabeth to do the same thing in three years’ time. HMS Sutherland, a Type 23 frigate, will sail through the disputed region on her way home from Australia, as much to fly the flag in foreign climes as to carry out a dry run …
Gareth Corfield, 14 Feb 2018

Microsoft working to scale Blockchain for grand distributed ID scheme

Microsoft's wanted a really good federated identity scheme ever since the early 2000s, when it gave the world Project Hailstorm, aka ".Net My Services", to let a web of online services know a little about you and the information you are happy to share with others. Hailstorm passed, swept back years later as Geneva Server and …
Simon Sharwood, 14 Feb 2018

OpenSSL alpha adds TLS 1.3 support

Developers working with OpenSSL can finally start to work with TLS 1.3, thanks to the alpha version of OpenSSL 1.1.1 that landed yesterday. Getting TLS 1.3 into users' hands and working with infrastructure has been a long, slow process: the first version of its Internet-Draft dates back to April 2014, it reached version 23 in …

Meltdown-and-Spectre-detector comes to Windows Analytics

Microsoft's added a Meltdown-and-Spectre detector to Windows Analytics, the company's telemetry analysis tool for sysadmins. The new version of the tool arrived on Tuesday, when Redmond revealed new features to check antivirus status, operating system update level, and firmware status. Sysadmins weary from gazing at users' …

Roses are red, Windows error screens are blue. It's 2018, and an email can still pwn you

Patch Tuesday Serious security flaws in Outlook and Edge are headlining a busy Microsoft Patch Tuesday. The Redmond giant has issued the February edition of its monthly security update, addressing a total of 50 CVE-listed vulnerabilities in its products. Adobe has also posted an update for flaws in Reader and Experience Manager. Microsoft, …
Shaun Nichols, 14 Feb 2018
