
Ryanair stung after $5m Shanghai'd from online fuel account

Budget airline Ryanair has fallen victim to a $5m hacking scam. Crooks siphoned off money from an account earmarked for the payment of fuel bills via an electronic transfer to a bank in China last week. The transfer was subsequently blocked, but the funds – earmarked to pay for aviation fuel for Ryanair's 400-plus Boeing 737-800 …
John Leyden, 30 Apr 2015

UK rail comms are safer than mobes – for now – say infosec bods

Analysis Last week's warning that Britain's railway systems could be susceptible to hacking has triggered a debate among security experts. Prof David Stupples of City University London made headlines last week with a warning that plans to replace the existing (aging) signalling system with the new European Rail Traffic Management System …
John Leyden, 30 Apr 2015

SHA-1 crypto hash retirement fraught with problems

The road towards phasing out the ageing SHA-1 crypto hash function is likely to be littered with potholes, security experts warn. SHA-1 is a one-way hashing function that converts information into a shortened "message digest", from which it is computationally infeasible to recover the original information. This hashing technique is used in …
John Leyden, 30 Apr 2015

eBay year-long patch stall a little XSSive, researcher says

Clarified Security researcher Jaanus Kääp has disclosed a year-old cross-site scripting (XSS) bug in eBay's messaging service that lets attackers target victims through messages. The researcher says he reported the XSS three times over more than a year and says he is surprised to find that the bug he describes as dangerous has as of …
Darren Pauli, 30 Apr 2015

Geneva boffins make light work of random numbers

“How good is your random number generator?” is a pretty ticklish question in cryptography that a bunch of Swiss quantum bods have set out to answer. The history of crypto is littered with examples of buggy random number generators, so the group at the University of Geneva have set out to create a self-testing quantum RNG that …

Ransomware scum find the sweet spot to coin it without copping it

RSA 2015 RSA chief information security officer David Martin says ransomware scum may have reached the sweet spot between extorting users and avoiding law enforcement heat. Martin says ransomware extortionists' demands top out at about US$10,000, a sum sufficiently low to get reluctant companies to pay and to prevent time-poor police …
Darren Pauli, 30 Apr 2015

Macroviruses are BACK and are the future of malware, says Microsoft

Macro malware is making a comeback, with one nineties nasty infecting half a million computers, Microsoft says. Macro viruses took a battering after Redmond spent a decade boosting security in its Office suites to reduce the likelihood that users would execute malicious macros. Word processors throw warnings …
Darren Pauli, 30 Apr 2015

Google polishes Chrome security with Password Alert

Google's seen way too much phishing, it seems, so the Chocolate Factory has pushed out a Chrome extension to catch attacks against accounts on Google domains. Mountain View reckons two per cent of Gmail messages are phishing attempts, and a well-constructed attack can have a 47 per cent success rate. Outlined here, the Password …

JP Morgan bank bod accused of flogging customer account info

The FBI has charged a former JP Morgan employee with selling customer information to thieves who wanted to empty accounts without triggering any alarms. Unsealed court records [PDF] recount that Peter Persaud, who worked at JP Morgan's Brooklyn branch, contacted an undercover FBI informant, and allegedly offered to sell him the …
Iain Thomson, 29 Apr 2015

Gambling with your data: Betfair fixes HUGE account reset email vuln

Betfair has left consumers wide-eyed with worry after gaping holes in its account recovery system were discovered by users. The alarm was raised with Betfair after people found that the account reset procedure for users with less than £100 in their account was simply to provide data such as the account name and holder's date …

New EU security strategy: Sod cyber terrorism, BAN ENCRYPTION

“It is unacceptable that a Kalashnikov can be bought easily on the internet,”* thundered European Commission number two Frans Timmermans yesterday, as he presented the Commission’s plans to combat terrorism. So what’s he going to do about it? That’s right, hold a consultation. The much-trumpeted new EU Security Strategy is …
Jennifer Baker, 29 Apr 2015

Chinese report loopy Facebook redirections

China appears to have neutered swathes of otherwise uncensored websites and redirected Facebook login attempts to external websites, according to local reports. The gaffe, the cause of which some say is likely accidental, affects local users who do not access Facebook through virtual private networks. Users report being bounced …
Darren Pauli, 29 Apr 2015

Stop the war between privacy and security – EU data watchdog

Security and privacy are not mutually exclusive says Europe’s privacy watchdog – and people should stop saying they are. The European Data Protection Supervisor (EDPS), Giovanni Buttarelli, told a Brussels conference he was concerned that “the objective of cyber-security may be misused to justify measures which weaken protection …
Jennifer Baker, 29 Apr 2015

Fiesta exploit kit wakes from siesta

Brad Duncan says attackers are again slinging the Fiesta, this time using a complicated series of loops that researchers will find difficult to trace. The Rackspace malware boffin says the kit, once one of the more popular on underground markets, is hitting victims through gates that push traffic from hacked sites to the …
Darren Pauli, 29 Apr 2015

Barclays, Halifax and Tesco still being gnawed by POODLE

Major banks are still open to POODLE attacks months after being called out as vulnerable. The POODLE (Padding Oracle On Downgraded Legacy Encryption) security flaw surfaced in October 2014 and affects the Secure Sockets Layer (SSL) 3.0 protocol, with a variant that also hits certain TLS (Transport Layer Security) implementations. Ivan Ristic's SSL Labs site revealed at the …
Darren Pauli, 29 Apr 2015

SOHOpeless Realtek driver vuln hits Wi-Fi routers

Twenty months of optimism has come to nought, so the Zero Day Initiative has gone public with a vulnerability in the Realtek SDK that's inherited by at least two broadband router vendors. The vulnerability that the HP-owned TippingPoint initiative discovered is in the SDK's SOAP implementation. The minigd SOAP service …

DDoSsers use reflection amplification to crank up the volume to 100Gbps+

DDoS attacks have grown in volume yet again with 25 attacks larger than 100Gbps globally in Q1 2015, according to the latest stats from DDoS mitigation firm Arbor Networks. The majority of recent super-sized attacks leverage a reflection amplification technique using Network Time Protocol (NTP), Simple Service Discovery Protocol …
John Leyden, 28 Apr 2015
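The reflection amplification technique the story describes works because a UDP service answers a small, source-spoofed request with a much larger reply sent to the victim, so a modest amount of attacker bandwidth becomes 100Gbps+ at the target. The detector below is an added example, not code from the article or from Arbor Networks: it groups NetFlow-style UDP records by destination, flags a victim that is receiving high-rate traffic from many reflectors on known amplifier service ports (NTP and SSDP among them), and estimates the attacker bandwidth behind an observed flood from published bandwidth amplification factors (the per-service factors are those in US-CERT alert TA14-017A; the DNS figure is the lower bound of the range given there). The flow records, IP addresses and window length are constructed for the example.

```python
"""Spot reflection/amplification floods in NetFlow-style UDP records and
estimate the attacker bandwidth behind them (added example, not Arbor code)."""

from collections import defaultdict

# UDP services commonly abused as reflectors, with bandwidth amplification
# factors (response bytes per request byte) as published in US-CERT TA14-017A.
AMPLIFIER_PORTS = {
    123:  ("NTP monlist", 556.9),
    1900: ("SSDP", 30.8),
    53:   ("DNS", 28.0),          # lower bound of the 28-54 range in TA14-017A
    161:  ("SNMPv2", 6.3),
    19:   ("chargen", 358.8),
}


def classify_flows(flows, window_s, min_reflectors=3, min_mbps=100.0):
    """Group reflector->victim UDP flows by victim and return alerts.

    A reflected response leaves the reflector from its service port and lands
    on the (spoofed) ephemeral port of the victim, so a flow only counts when
    src_port is a known amplifier port and dst_port is above 1023.
    """
    per_victim = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                      "reflectors": set(), "services": set()})
    for f in flows:
        if f["proto"] != "UDP":
            continue
        svc = AMPLIFIER_PORTS.get(f["src_port"])
        if svc is None or f["dst_port"] <= 1023:
            continue
        v = per_victim[f["dst_ip"]]
        v["bytes"] += f["bytes"]
        v["packets"] += f["packets"]
        v["reflectors"].add(f["src_ip"])
        v["services"].add(svc[0])

    alerts = []
    for victim, v in per_victim.items():
        mbps = v["bytes"] * 8 / window_s / 1e6
        # A single large answer is normal; many reflectors at a high rate is not.
        if len(v["reflectors"]) >= min_reflectors and mbps >= min_mbps:
            alerts.append({
                "victim": victim,
                "mbps": round(mbps, 1),
                "reflectors": len(v["reflectors"]),
                "services": sorted(v["services"]),
                "avg_pkt_bytes": v["bytes"] // v["packets"],
            })
    return sorted(alerts, key=lambda a: -a["mbps"])


def attacker_bandwidth_mbps(observed_mbps, service_name):
    """Estimate the spoofed request traffic needed to produce observed_mbps of
    reflected traffic through one service: observed / amplification factor."""
    for name, baf in AMPLIFIER_PORTS.values():
        if name == service_name:
            return observed_mbps / baf
    raise KeyError(service_name)


def _flow(src_ip, src_port, dst_ip, dst_port, nbytes, npackets, proto="UDP"):
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "bytes": nbytes, "packets": npackets,
            "proto": proto}


# Constructed one-second sample: five NTP and three SSDP reflectors hammering
# one victim, plus one ordinary DNS answer and one TCP flow that must be ignored.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS = (
    [_flow(f"198.51.100.{i}", 123, VICTIM, 40000 + i, 5_000_000, 10_000)
     for i in range(1, 6)]
    + [_flow(f"192.0.2.{i}", 1900, VICTIM, 40000 + i, 1_000_000, 2_000)
       for i in range(1, 4)]
    + [_flow("198.51.100.53", 53, "203.0.113.20", 54321, 300, 1),
       _flow("203.0.113.20", 443, "198.51.100.9", 55555, 40_000, 30, "TCP")]
)

if __name__ == "__main__":
    for alert in classify_flows(SAMPLE_FLOWS, window_s=1.0):
        print(alert)
    # How much request traffic does a 100Gbps NTP monlist flood cost the attacker?
    print(round(attacker_bandwidth_mbps(100_000, "NTP monlist"), 1), "Mbps")
```

The second function is the point of the exercise: dividing 100Gbps of observed NTP traffic by the monlist amplification factor gives well under 200Mbps of spoofed requests, which is why the Q1 2015 attacks reached the sizes Arbor reports without a large botnet. In production the same grouping runs over a sliding window of exported flows, and the `min_reflectors` threshold should be set from a baseline of how many distinct NTP or SSDP sources a host normally talks to.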

WHY can't Silicon Valley create breakable non-breakable encryption, cry US politicians

Analysis At last week's RSA security conference, the halls were full of government speakers telling the tech community that it must do the impossible: invent a form of encryption that's strong, but also easy for law enforcement to crack. Ever since Apple and Google enabled full-device encryption by default on their mobile operating …
Iain Thomson, 28 Apr 2015

SendGrid infosec chief eats humble pie, admits email service hacked

Marketing email distribution service SendGrid is asking customers to switch passwords after admitting it got hacked. The move follows the realisation that a previously reported hack is a bigger deal than first imagined. The initial alert was triggered after the SendGrid account of Bitcoin exchange Coinbase was compromised …
John Leyden, 28 Apr 2015

Romanian rozzers round up alleged $15 MILLION ATM cybercrim gang

Romanian police have arrested 25 people who are suspected of being part of a cyber-crime gang that organised $15m in fraudulent bank withdrawals. The Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) searched 42 houses across the country on Sunday in connection with more than 34,000 fraudulent cash …

EXTREME COUPONING zeros checkout carts in eBay's Magento

Hacker Netanel Rubin has found a critical remote vulnerability in eBay's web commerce platform Magento that affects 88,000 shops and allows buyers to purchase anything for free, and to compromise credit cards and personal data. The Check Point vulnerability hunter says many tat bazaar stores are still exposed to the bug that allows …
Darren Pauli, 28 Apr 2015

Man-in-the-Middle diddle hits 25,000 iOS apps

Some 25,000 iOS apps are exposed to man-in-the-middle attacks thanks to vulnerabilities in the popular AFNetworking library. The now-fixed Secure Sockets Layer (SSL) bug is the latest found in the library which has been patched three times since March. US firm SourceDNA says the flaw existed in code that was near a previous bug …
Darren Pauli, 28 Apr 2015

Surgery-bot can be hacked to HACK YOU TO PIECES

Surgical robot makers are just as good at security as the rest of the world - ie, hopeless - according to University of Washington infosec boffins. The researchers targeted a product of their own university's research, a telesurgery unit called the Raven II, and among other things found an exploitable safety mechanism in the …

Comments considered harmful: WordPress web hijack bug revealed

A frustrated Finnish security researcher has gone public with a vulnerability in WordPress that lets attackers hijack website admin accounts. The flaw was found by Jouko Pynnönen, and is a cross-site scripting (XSS) bug similar to one patched last week. It is buried within the widely used web publishing software's comments …
Iain Thomson, 27 Apr 2015

'Use 1 capital' password prompts make them too predictable – study

A new study has found that predictable password structure is a key weakness in making passwords hard to guess. Security firm Praetorian analyzed 34 million stolen passwords from the LinkedIn, eHarmony and Rockyou breaches and found that 50 per cent of all passwords followed 13 basic structures. This lack of entropy makes it possible to use …
John Leyden, 27 Apr 2015
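The "structure" Praetorian counted is the sequence of character classes in a password (one capital, then lowercase, then digits), which is exactly the mask a cracking tool such as hashcat attacks with. The script below is an added example, not Praetorian's analysis code: it derives the structure of each password, reports how much of a corpus the most common structures cover, converts a structure to a hashcat mask, and shows how many times smaller the structure-constrained keyspace is than brute force over all printable ASCII of the same length. The password list is a small constructed sample, not breach data.

```python
"""Measure how predictable a password set is from its character-class
structure, the mask hashcat and PACK's statsgen work with (added example)."""

from collections import Counter
from math import prod


def structure(password):
    """Map each character to its class: U upper, l lower, d digit, s other."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("U")
        elif ch.islower():
            classes.append("l")
        elif ch.isdigit():
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)


# Printable ASCII characters in each class (33 punctuation/space characters).
CLASS_SIZE = {"U": 26, "l": 26, "d": 10, "s": 33}
HASHCAT_CHARSET = {"U": "?u", "l": "?l", "d": "?d", "s": "?s"}


def keyspace(struct):
    """Number of candidates a mask attack on this structure must try."""
    return prod(CLASS_SIZE[c] for c in struct)


def to_hashcat_mask(struct):
    return "".join(HASHCAT_CHARSET[c] for c in struct)


def structure_coverage(passwords, top_n):
    """Fraction of the corpus covered by its top_n most common structures,
    plus those structures with their counts."""
    counts = Counter(structure(p) for p in passwords)
    top = counts.most_common(top_n)
    covered = sum(n for _, n in top)
    return covered / len(passwords), top


def brute_force_savings(struct):
    """How many times smaller the structure's keyspace is than brute-forcing
    every printable ASCII string of the same length (95 characters)."""
    return 95 ** len(struct) // keyspace(struct)


# Constructed sample corpus (not breach data) in the style the study describes.
SAMPLE_PASSWORDS = [
    "Password1", "Welcome1", "Summer15", "Monkey12", "Letmein1",
    "Qwerty99", "Dragon01", "Football7", "Jessica1", "Charlie2",
    "iloveyou", "sunshine", "princess", "123456", "12345678",
    "P@ssw0rd", "Tr0ub4dor&3", "abc123", "Admin2015", "hunter2",
]

if __name__ == "__main__":
    frac, top = structure_coverage(SAMPLE_PASSWORDS, top_n=4)
    print(f"top 4 structures cover {frac:.0%} of the sample")
    for struct, n in top:
        print(f"  {struct:12s} x{n:<3d} mask={to_hashcat_mask(struct)} "
              f"keyspace={keyspace(struct):,} "
              f"({brute_force_savings(struct):,}x cheaper than brute force)")
```

The instructive number is the last column: an eight-character "Ullllldd" password (the "one capital, then digits" shape composition rules push users towards) has a mask keyspace of about 3.1e10, roughly 215,000 times smaller than the 95^8 space a naive brute-force estimate assumes, and a cracker who has run `structure_coverage` over a leaked corpus knows which handful of masks to try first.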

MASSIVE FAIL: Indian gov DOXXES net neutrality campaigners

The Telecom Regulatory Authority of India has dumped more than a million Indian netizens' traceable personal details online, after it decided to publish, in full, the emails it received as part of its consultation paper about net neutrality. Obviously deeply convinced by last week's arguments for transparency in internet …

Tesla Twitter account and website hijacked, Elon Musk pwned

The website and Twitter account of carmaker Tesla were hacked over the weekend, as part of what looks like a prank between rival hackers. Elon Musk’s personal Twitter account was also hijacked on Saturday night (US time) by miscreants who at one point claimed to be from the infamous Lizard Squad hacking crew. The name …
John Leyden, 27 Apr 2015

US hospitals to treat medical device malware with AC power probes

Two large US hospitals will in the next few months begin using a system that can detect malware infections on medical equipment by monitoring AC power consumption. The unnamed hospitals will be the first in a list to test the add-on monitoring platform dubbed WattsUpDoc to check for potentially life-threatening malware running …
Darren Pauli, 27 Apr 2015

NINETY PER CENT of Java black hats migrate to footling Flash

RSA 2015 Almost every Java-hacking black hat is now popping Adobe Flash, after Microsoft's hard-line patch policy made it harder to target software such as Java. The stricken scum now face a choice: work harder to find Java zero-days or abandon ship and start exploiting old Flash bugs. Redmond's security brains trust – Tim Rains, Matt …
Darren Pauli, 27 Apr 2015

App makers, you're STILL doing security wrong

Security expert Troy Hunt has taken a look at what mobile apps collect to send home to their owners, and isn't impressed: even PayPal is still addicted to invasive habits, he says. Looking at PayPal and two Australian apps – a small sample, admittedly, but we'll get to this shortly – the prominent Microsoft security researcher …

Fandroids, take your phone's antivirus and burn it – Android bod

RSA 2015 Google takes a lot of stick from Apple and others over malware on the Android platform, but the company thinks the OS is now so secure that users don't need antivirus software. Speaking at the RSA Conference in San Francisco this week, Adrian Ludwig, lead engineer for Android security, explained that Google is now scanning for …
Iain Thomson, 24 Apr 2015

Here's why the Pentagon is publishing its cyber-warfare rulebook – if China hasn't already hacked in and read it

The Pentagon has published an outline of its cyber-warfare strategy for the first time, revealing the conditions under which it will hack enemy nations. And Defense Secretary Ashton Carter, speaking at Stanford University, has named China, Russia, Iran, and North Korea as the US's greatest adversaries in computer security. …
John Leyden, 24 Apr 2015

Looking for laxatives, miss? Shoppers stalked via smartphone Wi-Fi

The FTC has now settled with a New York startup that stealthily tracks the movements of Americans around stores using their smartphones' Wi-Fi signals. The regulator alleged [PDF] in late 2013 that Nomi Technologies broke the FTC Act by not being totally upfront with shoppers. Nomi's Listen service is used by retail chains to …
Shaun Nichols, 24 Apr 2015

Win 95 code gaffe nearly made Stuxnet Suxnet, say infosec blokes

RSA 2015 [Please see the bootnote on this story, which we've added post-publication. The code shown at the conference does not appear to marry up with the claims made by the speakers. – ed.] Super-worm Stuxnet could have blown its cover and failed its sabotage mission due to a bug that allowed it to spread to ancient Windows boxes, …
Darren Pauli, 24 Apr 2015

US judge lobs antivirus patents back to Hell

A US district court has torn the heart out of two patents wielded by Intellectual Ventures against two antivirus makers. In a judgment [PDF] this week, Chief Judge Leonard Stark ruled that Intellectual Ventures' US patents 6,460,050 and 6,073,142 were "ineligible," meaning they are too vague and the technologies they described …
Shaun Nichols, 24 Apr 2015

The big boys made us do it: US used German spooks to snoop on EU defence industry

Germany's BND spy agency spied on European politicians and enterprises at the behest of the NSA for over a decade. Der Spiegel reports (in German) that for years the NSA sent its counterparts at the BND (Bundesnachrichtendienst – Germany's Federal Intelligence Service) thousands of so-called selectors – IP addresses, emails, and …
John Leyden, 24 Apr 2015

UK rail signals could be hacked to cause crashes, claims prof

The rollout of a next generation train signalling system across the UK could leave the network at greater risk of hack attacks, a university professor has claimed. Prof David Stupples warns that plans to replace the existing (aging) signalling system with the new European Rail Traffic Management System (ERTMS) could open up the …
John Leyden, 24 Apr 2015

Licence to chill: Ex-CIA spyboss Petraeus gets probation for leaking US secrets to his mistress

General David Petraeus – the former head of US forces in Iraq and Afghanistan and briefly the head of the CIA – has been sentenced to two years' probation and fined $100,000 after admitting leaking America's secrets to his lover. Married Petraeus, 62, handed over military logs containing classified material to his official …
Iain Thomson, 24 Apr 2015

Ransomware crims drop Bitcoin faster than Google axes services

RSA 2015 The falling price of Bitcoin is forcing ransomware masterminds to convert the crypto-currency as soon as they can. Rather than holding on to their ill-gotten BTC, the crims are simply laundering the ransom money as soon as possible. "I've seen this discussion in underground forums among Russian criminals," Etay Maor, senior …
Iain Thomson, 24 Apr 2015

America's cyber-security proto-laws branded 'surveillance in disguise'

The US House of Representatives has passed not one but two computer security bills that allow companies and Uncle Sam to share information about citizens, cyber-attacks and software vulnerabilities – and remove any legal liabilities for firms doing so. The Protecting Cyber Networks Act [PDF] (PCNA), which passed by 307 votes to …
Iain Thomson, 23 Apr 2015

Got a Samsung Galaxy S5? Crooks can steal your fingerprint – claim

RSA 2015 Malware can snaffle fingerprints used to unlock Samsung Galaxy S5 smartphones thanks to a security blunder, researchers claim. The vulnerabilities, due to be discussed at the RSA security conference in San Francisco this week, may be present in non-Samsung Android mobiles, too. Today's smartphones recognize their owners' …
John Leyden, 23 Apr 2015

Infosec bods can now sniff out the NSA's Quantum Insert hacks

Security researchers have developed a method for detecting NSA Quantum Insert-style hacks. Fox-IT has published free open-source tools to detect duplicate sequence numbers of HTTP packets, with different data sizes, that are the hallmarks of Quantum Insert. The utilities developed by Fox-IT are capable of exposing fiddling with …
John Leyden, 23 Apr 2015
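The hallmark the story mentions is a race: the injector, sitting off-path, fires a forged HTTP reply that carries the sequence number the real server's reply will use, so a capture of the connection contains two data packets with the same sequence number but different content. The detector below is an added example written for this page, not Fox-IT's tooling: it walks packets on a connection, remembers the first payload seen at each sequence number, and reports a later packet at the same sequence number whose payload differs, while ignoring ordinary retransmissions (same sequence number, identical payload). It flags any payload mismatch, not only differing sizes, so it is slightly broader than the description above, and it also reports the IP TTL difference between the two packets as a secondary indicator (an injected packet that took a different path usually arrives with a different TTL). The packets, addresses and TTL values are constructed for the example.

```python
"""Detect Quantum Insert-style TCP injection: two data packets on one
connection with the same sequence number but different payloads
(added example, not Fox-IT's detector)."""

from collections import namedtuple

# One captured TCP segment: IP/port 4-tuple, TCP sequence number, IP TTL, data.
Packet = namedtuple("Packet", "src sport dst dport seq ttl payload")


def _first_line(payload):
    return payload.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def detect_quantum_insert(packets):
    """Return one alert per (connection, seq) where a later data packet's
    payload differs from the first payload seen at that sequence number."""
    first_seen = {}
    alerts = []
    for p in packets:
        if not p.payload:            # pure ACKs carry no data to compare
            continue
        key = ((p.src, p.sport, p.dst, p.dport), p.seq)
        if key not in first_seen:
            first_seen[key] = p      # whoever wins the race is recorded first
            continue
        orig = first_seen[key]
        if orig.payload == p.payload:
            continue                 # benign TCP retransmission
        alerts.append({
            "stream": key[0],
            "seq": p.seq,
            "first_len": len(orig.payload),
            "second_len": len(p.payload),
            "first_line": _first_line(orig.payload),
            "second_line": _first_line(p.payload),
            "ttl_delta": abs(orig.ttl - p.ttl),   # secondary indicator only
        })
    return alerts


# Constructed capture: the forged redirect arrives first with the sequence
# number the genuine 200 reply then reuses; a retransmission and an empty ACK
# are included to show what must not be reported.
SERVER = ("198.51.100.80", 80)
CLIENT = ("10.0.0.5", 51000)
SAMPLE_PACKETS = [
    Packet(*SERVER, *CLIENT, 1000, 43,
           b"HTTP/1.1 302 Found\r\nLocation: http://203.0.113.7/\r\n\r\n"),
    Packet(*SERVER, *CLIENT, 1000, 56,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hi</html>"),
    Packet(*SERVER, *CLIENT, 1500, 56, b"<p>more</p>"),
    Packet(*SERVER, *CLIENT, 1500, 56, b"<p>more</p>"),
    Packet(*CLIENT, *SERVER, 7000, 64, b""),
]

if __name__ == "__main__":
    for alert in detect_quantum_insert(SAMPLE_PACKETS):
        print(alert)
```

Run on a real capture, the packet list would come from a pcap reader with the same five fields; the logic stays the same. Note the limitation a practitioner should keep in mind: the detector sees the duplicate only if the capture point is between the victim and the genuine server, and a forged packet that the injector crafts to be byte-identical to the real reply would not be caught by this check at all.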