That big scary 1.4bn leak was 100s of millions of email, postal addresses

Updated The “1.4 billion identity leak” that was hyped up before the weekend involved, no, not a database ransacking at Facebook, YouTube, or anything like that. No, instead, a US-based spam-slinging operation accidentally spilled its treasure chest of email and postal addresses used to deluge people with special offers, marketing …
John Leyden, 7 Mar 2017

Shamoon malware spawns even nastier 'StoneDrill'

Researchers following up on last November's re-emergent Shamoon malware attacks have found something even nastier. A quartet of Kaspersky researchers say the “StoneDrill” malware sits in a victim's browser, and wipes any physical or logical path accessible with the target user's privileges. Although StoneDrill mostly seeks …

Put down the coffee, stop slacking your app chaps or whatever – and patch Wordpress

Internet scribblers who use WordPress must update their installation of the publishing tool following the disclosure and patching of six security holes. Version 4.7.3 of the content management system includes fixes for the half dozen flaws that could allow for, among other things, cross-site scripting and request forgery …
Shaun Nichols, 7 Mar 2017

Wow, did you see what happened to Veracode? Oh no, no, it's not dead. It's been bought by CA

Investors in the cloudy app security biz Veracode are going to be celebrating after CA Technologies agreed to buy it up for $614m in cash. CA announced the buy on Monday and said that it wanted to add Veracode's application security testing to its security lineup and devops business, as well as keeping its cloud apps more …
Iain Thomson, 7 Mar 2017

Don't worry, slowpoke Microsoft, we patched Windows bug for you, brags security biz

Video A computer security outfit claims to have plugged an information leak in Windows that was publicly revealed by Google before Microsoft had a patch ready. Could this third-party patching become a trend? Last month, Google's Project Zero team disclosed details of a trivial vulnerability in the Windows user-mode GDI library: the …
Iain Thomson, 7 Mar 2017

Western Australia's Web votes have security worries, say 'white hat' mathematicians

The Western Australian government is pushing back against concerns about the security of its implementation of the iVote electoral system. iVote is an electronic system already used in another Australian State, New South Wales, primarily as an accessibility tool because it lets the vision-impaired and others with disabilities …

US Marines seek a few supposedly good men ... who leaked naked pics of a few good women

The US Marine Corps is investigating how compromising photos of some of its female members came to be shared on Facebook and Google Drive by fellow marines. In January, a closed Facebook group called Marines United was plastered with photos of partially clothed or naked female members of the Corps, along with their names, …
Iain Thomson, 6 Mar 2017

Ex penetrated us almost 700 times through secret backdoor, biz alleges

A sportswear company in Oregon has alleged that a senior IT manager left a backdoor in its systems before departing to a business partner and illegally used that access almost 700 times for his new employer's benefit. In its complaint to a federal court in Oregon [PDF], Columbia Sportswear demanded a jury trial for Michael …

Google, Microsoft bump bug bounties

Google and Microsoft have both increased the cash on offer under their bug bounty programs. Google's increases are permanent, in recognition of what security program manager Josh Armour says is an environment in which “high severity vulnerabilities have become harder to identify over the years.” Google's therefore going to pay …

1.37bn records from somewhere to leak on Monday

Updated “Data breach hunter” Chris Vickery has claimed that he will shortly reveal a “1.4 billion identity leak”. 1.4 billion identity leak story incoming Monday morning. Thanks go to @SteveD3 (and someone else) for cooperating on investigation. — Chris Vickery (@VickerySec) March 3, 2017 He later offered a teaser of the leak, …

Pence v Clinton: Both used private email for work, one hacked, one accused of hypocrisy

US Vice President Mike Pence has been accused of hypocrisy after it was revealed he used his personal AOL account for state government business. That Pence had a personal AOL account was public knowledge – rather embarrassingly, it was hacked last year and the intruder sent out emails to his contacts saying he had been mugged …
Iain Thomson, 3 Mar 2017

Cybersecurity rules toughened up for NY financial firms

Major financial firms operating in New York need to comply with tougher cybersecurity rules that came into effect this week. The regulation [PDF] by the New York State Department of Financial Services (DFS) covers issues ranging from the maintenance of written policies, testing, governance and auditing, to detection, defence …
John Leyden, 3 Mar 2017

Slack quick to whack account hijack crack

Slack quickly squashed a potential account hijack bug hours after it was reported. Frans Rosén, a security researcher at Detectify, discovered a vulnerability in Slack that created a means for a malicious website to steal a user's Slack token, potentially seizing control of their account in the process. Slack fixed the bug in …
John Leyden, 3 Mar 2017

RAF pilot awaits sentence for digicam-induced airliner dive

A Royal Air Force pilot has been cleared of perjury – but will be sentenced at court martial today after admitting he allowed his digital camera to jam his military airliner’s controls, sending it into a 4,000ft plummet. Flight Lieutenant Andrew Townshend was taking photos while flying an Airbus A330 Voyager from RAF Brize …

UK's first Investigatory Powers Commissioner: Lord Justice Fulford

The Prime Minister has today appointed Lord Justice Fulford as the first Investigatory Powers Commissioner, who will be the chief overseer of the UK's new surveillance laws. The role of the commissioner was established by Section 227 of the Investigatory Powers Act 2016, which allows the Prime Minister to appoint the …

Awkward. Investigatory Powers Act could prove hurdle to UK-EU Privacy Shield following Brexit

UK surveillance laws could be an obstacle to the creation of a US-Europe Privacy Shield-style arrangement post-Brexit. The issue came up during testimony by Sir Julian King, EU Commissioner for the Security Union, at a Home Affairs select committee hearing on Tuesday. Once Brexit happens, the UK will have to set up something …
John Leyden, 3 Mar 2017

SHA-1 crack just got real: System Center uses it to talk to Linux

When Google revealed last week that it had destroyed the SHA-1 algorithm, it hammered another nail into the venerable algo's coffin. But as we noted in our report on the feat, many applications still use SHA-1. And if you're one of the many Windows shops running Microsoft's System Center Operations Manager Management Server, …

We found a hidden backdoor in Chinese Internet of Things devices – researchers

IoT devices from a Chinese vendor contain a weird backdoor that the vendor is refusing to fix, we're told. The vulnerability was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposely built in as a debugging aid, according to researchers at TrustWave. The infosec biz says that …
John Leyden, 2 Mar 2017

Dark net webmail provider Sigaint still in the, er, dark

Sigaint, one of the largest dark web email providers, is approaching its third week of unavailability with still no clear signs about what's happening to the service. The site has been down since at least February 11, with no news about what's happening as yet. In the absence of a clear explanation, speculation is, …
John Leyden, 2 Mar 2017

Yahoo! dysfunction! meant! security! warnings! were! ignored!

Yahoo!'s board has decided CEO Marissa Mayer should not be paid her bonus, after investigating the 2014 hack that has so besmirched the company's reputation and finding the company knew about the gravity of the situation but failed to act properly to address the situation. Mayer has also decided to forego an award of equity due …

Online shops plundered by bank card-stealing malware after bungling backend Aptos hacked

Shoppers of 40 online stores have had their bank card numbers and addresses slurped by a malware infection at backend provider Aptos. The security breach occurred late last year when a crook was able to inject spyware into machines Aptos used to host its retail services for online shops. This software nasty was able to access …
Shaun Nichols, 1 Mar 2017

US-Europe Privacy Shield not worth the paper it's printed on – civil liberties groups

The critical transatlantic data agreement, named Privacy Shield, is worthless, gives intelligence agencies complete free rein, and should be discarded, according to Human Rights Watch and the American Civil Liberties Union. In a letter to European Union leaders responsible for overseeing the agreement, the two organizations …

WordPress photo plugin opens 'a million sites' to SQLi database feasting

A critical flaw has been found in the third-party WordPress NextGEN Gallery plugin that is, according to wordpress.org, actively used by more than a million websites. If you're using this plugin, patch now to version 2.1.79 or greater. If you're a cyber-scamp, well, here's a surefire way to compromise a lot of tardy sites. The …
Iain Thomson, 1 Mar 2017

Infosec white-coats: Robots are riddled with software security bugs

Common security flaws in mainstream robotic technologies leave them wide open to attack, infosec researchers have warned. IOActive made the admonition after evaluating the security of multiple home, business, and industrial robots. The array of vulnerabilities identified in the systems evaluated included many graded as high or …
John Leyden, 1 Mar 2017

Vice News YouTube video commenter set for retrial over 'menacing' posts

A man under police surveillance who was cleared of criminal offences after leaving unpleasant comments on YouTube will be tried again after the Director of Public Prosecutions got his acquittal overturned. Kingsley Anthony Smith, a 19-year-old of Woodbridge Close, Luton, was cleared of four charges of breaking Section 127 of …

Speaking in Tech: A chat with Web 2.0 MySpace worm dude Samy Kamkar

Podcast Ed Saipetch and Peter Smallbone steer the podcast this week with very special guest Samy Kamkar of Samy worm fame, a world renowned privacy and security researcher, computer hacker, whistleblower and entrepreneur. The details… 2:15 Samy’s Myspace worm 8:27 Curiosity 9: …
Team Register, 1 Mar 2017

Palo Alto Networks buys LightCyber for $105m

Palo Alto Networks has acquired smaller cyber security firm LightCyber for $105m in cash. LightCyber has developed technology that uses machine learning to identify hacker and malware-based attacks based on identifying behavioural anomalies inside deployed networks. Palo Alto Networks plans to integrate LightCyber's …
John Leyden, 1 Mar 2017

Prisoners' 'innovative' anti-IMSI catcher defence was ... er, tinfoil

Exclusive Prisoners at a Scottish jail evaded an IMSI catcher deployed to collar them making illegal phone calls – by putting up tinfoil after bungling guards left the spy gear visible to inmates. “As you are also aware the invisible grabber at HMP Shott [sic] was visible,” Maurice Dickie of the Scottish Prison Service wrote in an …

Tricksy bugs in Zscaler admin portal let you ruin a coworker's day

Cloud management software peddler Zscaler has plugged cross-site scripting holes in the admin portal it provides to customers. People logged into the website could have exploited the bugs to inject malicious HTML and JavaScript into the browsers of other users of the site, allowing them to take over their accounts and perform …
John Leyden, 1 Mar 2017

CloudPets' woes worsen: Webpages can turn kids' stuffed toys into creepy audio bugs

As the world learns of its embarrassingly leaky customer database, internet-connected cuddly toy maker CloudPets is under further scrutiny. This time for not securing its gizmos against remote exploitation via the Bluetooth Web API. Basically, it is possible for a webpage to connect to CloudPets plushie, via Bluetooth in the …

Security slip-ups in 1Password and other password managers 'extremely worrying'

Password management applications, recommended by many security experts as the only viable way to deal with large sets of passwords that are unique and sufficiently complex, introduce their own set of problems – namely the general fallibility of software. A group of security researchers called TeamSIK from the Fraunhofer …
Thomas Claburn, 28 Feb 2017

Health firm gets £200k slap after IVF patients' records leak online

Updated A private health firm in the UK has been fined £200,000 after fertility patients’ confidential conversations leaked online. The £200,000 monetary penalty was levied following an investigation by Blighty's Information Commissioner’s Office (ICO) into the way the Lister Hospital in London was transferring, transcribing and …
John Leyden, 28 Feb 2017

Germany, France lobby hard for terror-busting encryption backdoors – Europe seems to agree

The tech industry has hit back at France and Germany's demands for EU laws requiring secret backdoors in file and communications encryption. Last week, Thomas de Maizière and Bruno Le Roux, respectively the German and French ministers of the interior, sent a letter to the European Commission calling for measures to stem what …
Iain Thomson, 28 Feb 2017

Two million recordings of families imperiled by cloud-connected toys' crappy MongoDB

Updated Two million voice recordings of kids and their families were exposed online and repeatedly held to ransom – because an IoT stuffed-toy maker used an insecure MongoDB installation. Essentially, the $40 cuddly CloudPets feature built-in microphones and speakers, and connect to the internet via an iOS or Android app on a nearby …

ESET antivirus cracks open Apple Macs to remote root execution via man-in-middle diddle

Bored hacker looking for fun? We couldn't possibly suggest you attack the latest vulnerability in ESET's antivirus software, because it's too basic to offer any challenge at all. As outlined in this advisory today, all you need to get root-level remote code execution on a Mac is to intercept the ESET antivirus package's …

Microsoft slaps Apple Gatekeeper-like controls on Windows 10: Install only apps from store

A feature in the Windows Insider Preview Build 15042 allows administrators to block the installation of any Win32 application that is not fetched from Microsoft's software marketplace. This configurable barrier is a new option presented in the beta Windows build. Users – with admin account permissions – will be able to allow …
Shaun Nichols, 28 Feb 2017

Apple's macOS is the safer choice – but not for the reason you think

MWC Apple's Mac operating system may be the safer choice – but only because cybercriminals can't get their hands on people who know how to exploit it. That's according to security showman Eugene Kaspersky, who gave a keynote at the Mobile World Congress in Barcelona on Monday. In recent months, Kaspersky has made a habit of giving …
Kieren McCarthy, 27 Feb 2017

Google Chrome 56's crypto tweak 'borked thousands of computers' using Blue Coat security

Updated The availability of Transport Layer Security protocol version 1.3 was supposed to make network encryption faster and more secure. TLS 1.3 dispenses with a number of older cryptographic functions that no longer offer adequate protection, and reduces the amount of time required to negotiate "handshakes" between devices. Google …
Thomas Claburn, 27 Feb 2017

NHS patient letters meant for GPs went undelivered for years

The NHS has been accused of covering up a large data loss involving the loss or mislaying of more than half a million pieces of confidential information. Confidential medical correspondence – including test results, diagnoses and treatment plans – between GPs and hospitals went undelivered during the five years from 2011 to …
John Leyden, 27 Feb 2017

New prison law will let UK mobile networks deploy IMSI catchers

The Prisons and Courts Bill, introduced to Parliament last week, will force UK mobile networks to deploy fake mobile phone masts around the outside of prisons to snoop on mobile phone users. Provisions in the new bill will allow the Justice Secretary to order networks to deploy so-called “IMSI catchers” to prevent, detect or …
Gareth Corfield, 27 Feb 2017

D-Link resolves enterprise switch hacker risk

D-Link has resolved an authentication bypass flaw in one of its enterprise switches. Flaws in the vendor's DGS-1510 enterprise switch kit, discovered by security researchers Varang Amin and Aditya Sood, were resolved with a firmware update (pdf advisory here). Left unresolved, the security bug can create an unauthenticated …
John Leyden, 27 Feb 2017

Google's Project Zero reveals another Microsoft flaw

Google's Project Zero has revealed a bug in Microsoft's Internet Explorer and Edge browsers. First turned up on November 25, the bug offers evildoers a technique that would let a malicious web site crash a visitor's browser as the main course, with code execution as the dessert. Detailed here, the bug works by attacking a …

Biting the hand that feeds IT © 1998–2017