
L0phtCrack's back! Crack hack app whacks Windows 10 trash hashes

Ancient famed Windows cracker L0phtCrack has been updated after seven years, with the release of the "fully revamped" version seven. The password cracker was first released 19 years ago, gaining much popularity in hacker circles and leading Microsoft to change the way it handled password security at the time. No new versions …
Darren Pauli, 1 Sep 2016

MedSec's 'hackable pacemaker' report autopsy: Bombshell crash claim in doubt

Researchers at the University of Michigan (U-M) have poured doubt on one claim by MedSec that St Jude Medical's implanted pacemakers and defibrillators are remotely breakable. Last week MedSec went public with a report saying that life-giving devices sold by St Jude Medical could be wirelessly compromised by hackers – who …
Iain Thomson, 1 Sep 2016

FBI Director wants 'adult conversation' about backdooring encryption

FBI Director James Comey is gathering evidence so that in 2017 America can have an "adult" conversation about breaking encryption to make crimefighters' lives easier. Speaking at Tuesday's 2016 Symantec Government Symposium in Washington, Comey banged on about his obsession with strong cryptography causing criminals to "go …
Iain Thomson, 31 Aug 2016

Angler's obituary: Super exploit kit was the work of Russia's Lurk group

Ruslan Stoyanov was right: what could be history's most advanced financially-driven malware was the progeny of some 50 jailed hackers known as the Lurk group. It is a finding that solves the mysterious demise of the world's most capable exploit kit and one of the biggest threats to end users on the internet. Kaspersky's head …
Darren Pauli, 31 Aug 2016

HPE yawns, stretches, and patches January OpenSSH bug in virtual access products

HPE customers have just been issued patches related to the lighttpd daemon and OpenSSH for remote access devices. The vulns are in the company's HPE Remote Device Access: Virtual Customer Access System (vCAS). vCAS is designed for IT shops to provide remote support access to customer networks. The company has disclosed three …

More banks plundered through SWIFT attacks

Criminals have hacked an unspecified number of new banks, using the SWIFT messaging system already implicated in one of the most lucrative breaches in history. Reuters reports SWIFT has sent notices to banks around the world warning of breaches and asking the financial institutions to lift their security game. Hackers of …
Darren Pauli, 31 Aug 2016

Dropbox: Leaked DB of 68 million account passwords is real

A leaked database purported to contain login information for 68 million Dropbox accounts is the real deal. The cloud biz confirmed the authenticity of the records to The Register, with independent verification from IT security guru Troy Hunt. The archive, which is being shared online, contains Dropbox user IDs and hashed …

USBee stings air-gapped PCs: Wirelessly leak secrets with a file write

Video Mordechai Guri, the Israeli researcher who has something of a knack for extracting information from air-gapped PCs, has done it again – this time using radio frequency transmissions from USB 2 connections. Dubbed USBee, the technique turns a computer's USB ports into mini RF transmitters by modulating the data fed at high …
Iain Thomson, 31 Aug 2016

OneLogin breached, hacker finds cleartext credential notepads

Password attic OneLogin has been breached, and it's bad, because the service that suffered the breach is one often used by people to store credentials like admin passwords and software keys. The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between …
Darren Pauli, 31 Aug 2016

71,000 Minecraft World Map accounts leaked online after 'hack'

Some 71,000 user accounts and IP addresses have been leaked from Minecraft fan website Minecraft World Map. The dumps, reported by Australian security researcher Troy Hunt, include email addresses, IP address data, usernames, and passwords for popular site Minecraft World Map. Login passwords were salted and hashed, and …
Team Register, 30 Aug 2016

Ripper! Boffins find malware thought behind $347k Thai ATM raids

Researchers at security firm FireEye may have found the malware responsible for plundering ATMs across Thailand and other parts of South East Asia. The security boffins reckon the Ripper malware is "strongly" linked to the plundering last week of ATMs in Thailand in which 12 million Thai baht (US$346,992, £265,308, A$458,432) …
Darren Pauli, 30 Aug 2016

Victoria Gov tips $6.5M into uni security seeder, city-country farm tech

The government of the southern Australian state of Victoria has tipped A$450,000 (£260,083, US$340,872) to spin up an information security incubator in Deakin University. The university and Dimension Data want the incubator to accelerate the development of technology and industry skills. It will be coupled with a security …
Darren Pauli, 30 Aug 2016

FBI: Look out – hackers are breaking into US election board systems

IT admins have received a flash warning from the FBI to harden up their systems following attacks against servers run by two US state election boards. The security advisory states that the security breaches in June and August emanated from IP addresses around the world and involved Acunetix, SQLMap, and DirBuster tools. It …
Iain Thomson, 29 Aug 2016

Chinese CA hands guy base certificates for GitHub, Florida uni

A Chinese certificate authority handed out a base certificate for GitHub and the University of Central Florida to a mere user in a significant security blunder. British Mozilla programmer Gervase Markham reported the incident on the browser baron's mailing list, saying it occurred more than a year ago in July 2015 but went …
Darren Pauli, 29 Aug 2016

Big data busts crypto: 'Sweet32' captures collisions in old ciphers

Researchers with France's INRIA are warning that 64-bit ciphers – which endure in TLS configurations and OpenVPN – need to go for the walk behind the shed. The research institute's Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a …

Russia MP's son found guilty after stealing 2.9 million US credit cards

The son of a Russian member of parliament has been found guilty of stealing and selling millions of US credit card numbers using point of sales malware. Roman Seleznev, 32, is the son of ultra-nationalist Liberal Democratic Party MP Valery Seleznev. He was arrested in 2014 while attempting to board a plane in the Maldives, …
Darren Pauli, 29 Aug 2016

NewSat network breach 'most corrupted' Oz spooks had seen: report

Defunct Australian satellite company Newsat distinguished itself in a way never known to the public before the company went under: it was so badly hacked it had 'the most corrupted' network the nation's spy agency had encountered. The company's assets were sold off last year after it went into administration. Unnamed sources …
Darren Pauli, 29 Aug 2016

Our pacemakers are totally secure, says short-sold St Jude

The manufacturer of pacemakers and defibrillators has slammed a report by security researchers, arguing it puts patients' lives at risk. On Thursday security startup MedSec claimed that St Jude Medical pacemakers and defibrillators were easily hackable and that hackers could either run down the batteries in patients' implanted …
Iain Thomson, 29 Aug 2016

Muddying the waters of infosec: Cyber upstart, investors short medical biz – then reveal bugs

Analysis A team of security researchers tipped off an investment firm about alleged software vulnerabilities in life-preserving medical equipment in order to profit from the fallout. Researchers at MedSec Holdings, a cybersecurity startup in Miami, Florida, believed they found numerous holes in pacemakers and defibrillators …
Iain Thomson, 26 Aug 2016

IoT manufacturer caught fixing security holes

In a shocking development, smart lock manufacturer August has been caught promptly patching security holes discovered in its product. At this year's DEF CON, security researcher Anthony Rose gave a presentation where he outlined how a whole range of "smart locks" were hackable. "Smart locks appear to be made by dumb people," …
Kieren McCarthy, 25 Aug 2016

Update your iPhones, iPads right now – govt spy tools exploit vulns

Apple has pushed out an emergency security update for iPhones, iPads and iPods after super sophisticated spyware was found exploiting three iOS vulnerabilities. The iOS 9.3.5 upgrade plugs three holes that, according to researchers, are being used right now by the Pegasus surveillance kit – a powerful commercial malware …
Shaun Nichols, 25 Aug 2016

Doing business with Asia? Then worry more about security

Organisations across the Asia Pacific are terrible at information security, a Mandiant report contends. While businesses in the United States will detect a hacker in their networks within four months, in line with the global average, it takes 17 months for those in the Asia Pacific region to notice their intruder. The region …
Darren Pauli, 25 Aug 2016

French, German ministers demand new encryption backdoor law

A meeting this week between the interior ministers of France and Germany has focused on the issue of encryption and its potential impact on security. In the lead-up to the meeting and in subsequent public comments from the ministers, they both made repeated mention of the issue of data encryption, even calling out the app …
Kieren McCarthy, 24 Aug 2016

French submarine builder DCNS springs leak: India investigates

India is investigating a security breach affecting its French-built Scorpene-class submarines after more than 22,000 pages covering its secret capabilities were leaked. First reported in The Australian, the documents offer details on the designs of the submarines, which were put together by French company DCNS. Based on the …

Major update drops for popular Pwntools penetration showbag

The third version of the Pwntools exploit showbag has been released, sporting new Android p0wnage functions and a host of additional modules. The Python development library is the brainchild of the Gallopsled CTF team, which wrote the toolset to help fellow security types build faster exploits for penetration testing and …
Darren Pauli, 24 Aug 2016

Intel douses Wildfire ransomware as-a-service Euro menace

An alliance of cops and anti-malware experts have doused the Wildfire ransomware that plagued users in Belgium and the Netherlands. Wildfire is carried in spam messages and demands up to 1.5 Bitcoins of ransom for files to be decrypted. Security researchers have uploaded 1,600 decryption keys with more to come to the No More …
Darren Pauli, 24 Aug 2016

Equation Group exploit hits newer Cisco ASA, Juniper Netscreen

Hungary-based security consultancy SilentSignal has ported a public exploit to newer models of Cisco's Adaptive Security Appliance (ASA). The firm expanded the attack range of the ExtraBacon Cisco hack hole revealed as part of the Shadow Brokers cache of National Security Agency-linked exploits and tools. The exploit was …
Darren Pauli, 24 Aug 2016

Boffins design security chip to spot hidden hardware trojans in processors

Scientists at the NYU Tandon School of Engineering have designed a new form of application-specific integrated circuit (ASIC) designed to spot hidden vulnerabilities deep within a processor's design. Very few people run their own chip fabrication plants these days. Most processors are designed by one firm, which then …
Iain Thomson, 24 Aug 2016

Hacked hookup site Ashley Madison's security was laughable

Ruby Corp, the rebranded parent company of illicit-affair-arranging outfit Ashley Madison, has had to enter into court-enforceable orders with privacy authorities in Canada and Australia, following the findings of a joint investigation in the two countries. After the company was hacked by Impact Team, it was pretty clear that …

Blizzard blighted by another DDoS storm

Blizzard, the game developer behind World of Warcraft and Overwatch, was hit by another DDoS attack on Tuesday. The assault coincides with the final day of its Overwatch Summer Games event. In an update to an official Twitter account, Blizzard admitted the assault was affecting its ability to deliver services. "We continue to …
John Leyden, 23 Aug 2016

EU ministers look to tighten up privacy – JUST KIDDING – surveillance laws

European ministers are debating a clampdown on encryption and a further increase in surveillance in response to mounting terrorist threats. Bernard Cazeneuve, France's interior minister, is due to meet his German counterpart, Thomas de Maiziere, to discuss possible regulations to limit the use of encrypted communications across …
John Leyden, 23 Aug 2016

'NSA' hack okshun woz writ by Inglish speeker trieing to hyde

The perpetrator behind the dumping of tools penned by the probably-the-NSA hacking squad called "Equation Group" appears to be a native English speaker, according to linguistic data researcher Shlomo Argamon. Earlier this month some 300 files were circulated online purporting to be stolen from the Equation Group, which is …
Darren Pauli, 23 Aug 2016

Crims share vulns but vendors don't. This needs fixing

Interview Attackers like to re-use code, but vendors don't find out because they don't share, according to Centrify's David McNeely. In Sydney for Gartner's Security and Risk Management Summit, McNeely – the company's veep of product strategy – said that realisation was driven home to him during the recent Black Hat conference in Las …

Epic Games forums breached, salted passwords nabbed

Information on some 808,000 Unreal Engine and Unreal Tournament forum accounts, including email addresses, birth dates, and private messages, has been stolen from Epic Games. The games company says passwords were not compromised on the Unreal forums so account resets are not necessary. Salted passwords were breached for …
Darren Pauli, 23 Aug 2016

Software-defined networking is dangerously sniffable

Software-defined networking (SDN) controllers respond to network conditions by pushing new flow rules to switches. And that, say Italian researchers, creates an unexpected security problem. The researchers were able to persuade their SDN environment to leak information that sysadmins probably don't want out in public, …

Californian gets 50 months in prison for Chinese 'technology spy' work

A sting operation by the US Department of Homeland Security has netted one California woman a 50-month sojourn in prison after she was found guilty of trying to break the US Arms Export Control Act. The court heard that between March 2011 and June 2013, Wenxia Man, 45, of San Diego, worked with a Chinese national – who she …
Iain Thomson, 23 Aug 2016

Australia Post says use blockchain for voting. Expert: you're kidding

A prominent privacy consultant has criticised Australia Post's intervention in the Australian State of Victoria's inquiry into electronic voting. The state has been gathering submissions into the idea, and held its first public hearings yesterday. Among the submissions was Australia Post's, in which the organisation pitches …

Software exploits overrated - it's the humans you need to be watching

Video Weak passwords and phishing offer far easier mechanisms for breaking into most organizations than exploiting software vulnerabilities. A study by US cybersecurity firm Praetorian based on 100 penetration tests and 450 real-world attacks discovered that stolen credentials offer the best way into enterprise networks. Software …
John Leyden, 22 Aug 2016

Four in five Android devices inherit Linux snooping flaw

A previously identified Linux flaw, which allows anyone to hijack internet traffic, also affects 80 per cent of Android devices. The original vulnerability, which was reported this spring, involves a critical exploit in TCP that lets hackers obtain unencrypted traffic and degrade encrypted traffic to spy on victims. The …
John Leyden, 22 Aug 2016

Is security keeping pace with continuous delivery?

Broadcast On September 27, 2016 at 11am we're running a live broadcast that will explore the changing game of application security. The thinking is that the world has moved on in terms of how applications are created and deployed: two-year development cycles are being replaced by fast-moving, integrated processes delivered by …
Phil Mitchell, 22 Aug 2016

German minister seeks facial recognition at airports, train stations

Germany's interior minister Thomas de Maiziere wants facial recognition systems in the country's airports and train stations to identify terror suspects. Europe has experienced a wave of attacks, many terror-related, over recent months, which has in turn triggered a heightened state of security. De Maiziere told the German …
Darren Pauli, 22 Aug 2016

Beauty site lets anyone read customers' personal information

Popular online cosmetics site Strawberrynet has asked customers if a function that allows anyone to retrieve its customers' names, billing addresses, and phone numbers with nothing more than an email address is a bug or a feature. The bug was first disclosed almost exactly a decade ago and resurfaced after security man Troy …
Darren Pauli, 22 Aug 2016