Security > More stories

Netflix US Twitter account hacked

Netflix's US Twitter account was briefly hijacked on Wednesday. The feed was taken over by a hacking group, OurMine, who used the hijack to promote its website and invite Netflix to get in touch. The social media team running the Netflix US Twitter account, which has 2.5 million followers, got off easily. Previous account …
John Leyden, 21 Dec 2016
High voltage power grid, in the sunset. Photo by SHutterstock

Energy firm points to hackers after Kiev power outage

A cyber attack is suspected in connection with an outage of the Ukrainian power grid that affected homes around Kiev last weekend. A substation in Pivnichna was cut off from the main power grid for about 75 minutes late on Saturday 17 December, lasting into the early hours of Sunday. As a result, houses and flats of the right …
John Leyden, 21 Dec 2016
Man thumbs down, image via Shutterstock

Facebook has stopped SHA-ring, a year later than it promised

Facebook's quietly taken its SHA-1 certificates out behind the data centre with an electrified degaussing machine. The SHA-1 hashing algorithm was declared unreliable back in 2005. By 2010, hackers cracked a password hashed with SHA-1 using just US$2 of resources rented from Amazon Web Services. In 2015 researchers blew the …
Simon Sharwood, 21 Dec 2016

Strong non-backdoored encryption is vital – but the Feds should totally be able to crack it, say House committees

A bipartisan House working group on encryption has today come to the conclusion that encryption is vital to US national interests, even as it seeks to mitigate the problem the technology can pose for law enforcement. Citing the Federal Bureau of Investigation's effort earlier this year to force Apple to help the agency decrypt …
Thomas Claburn, 21 Dec 2016
negotiation

Wassenaar weapons pact talks collapse leaving software exploit exports in limbo

Security researchers face continued uncertainty after talks broke down between US negotiators and 40 other countries over the state of exploit exports. The negotiations concern the Wassenaar Arrangement, an arms-control pact in which members agree to limit the export of certain types of weaponry and "dual-use products." …
Iain Thomson, 21 Dec 2016
Seaglider

China gives America its underwater drone back – with a warning

The Chinese government has handed back to America the US Navy underwater drone it stole last week. The Seaglider submersible was scooped out of the ocean by a Chinese military vessel shadowing the USNS Bowditch in the South China Sea. The drone, one of hundreds of autonomous vehicles the US Navy uses to track currents and …
Iain Thomson, 20 Dec 2016

Testing times: Can your crypto-code survive the Google gauntlet?

Google has unleashed Project Wycheproof, a set of security tests to check cryptographic libraries for susceptibility to known weaknesses. The toolkit, maintained by Google’s security engineers, is named after Mount Wycheproof, the smallest mountain in the world, and has set out with commendably modest goals. The aim is to look …
John Leyden, 20 Dec 2016

Kingpin in $1m global bank malware ring gets five years in chokey

A villain at the heart of an organized crime network that stole £840k ($1m) from victims' online bank accounts has been jailed. Tomasz Skowron, 29, of Meredith Road, Worthing, England, was sent down for five years and three months on Monday at Croydon Crown Court, after pleading guilty to conspiracy to defraud, fraud, and …

Bad news, fandroids: Mobile banking malware now encrypts files

Cybercrooks have outfitted ransomware functionality onto an already dangerous mobile banking Trojan. The modified Faketoken can steal credentials from more than 2,000 Android financial applications, security researchers at Kaspersky Lab warn. Based on telemetry, Kaspersky Lab estimates that Faketoken has claimed over 16,000 …
John Leyden, 20 Dec 2016
Plane. Image via shutterstock

This is your captain speaking ... or is it?

Updated Vulnerabilities in Panasonic in-flight entertainment systems create a possible mechanism for attackers to control in-flight displays, PA systems and lighting, say researchers. Ruben Santamarta, principal security consultant at IOActive, said it had found vulnerabilities in Panasonic Avionic In-Flight Entertainment (IFE) …
John Leyden, 20 Dec 2016

Evolved DNSChanger malware slings evil ads at PCs, hijacks routers

Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for small business and home internet users, which it targets. This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some …
Iain Thomson, 20 Dec 2016

Sports blog jocks to crypto-cash nerds – here's who got pwned

Two more websites say they have had user accounts sniffed by hackers. Sports blog network Bleacher Report says that someone may have accessed a database containing user email addresses and passwords, while blockchain development site Ethereum says that a hacker managed to get hold of a database backup that contained the …
Shaun Nichols, 20 Dec 2016

Cops, Feds spaff $100m on Stingray cellphone snooping gear – and there's sod all oversight

American crimefighters spend huge amounts of cash on Stingray-like devices that impersonate cellphone towers to snoop on people – and with little or no oversight. That's the findings of an 18-month US congressional study, which revealed the Department of Justice (DoJ) has spent $71m on 310 cellphone-tracking units between 2010 …
Iain Thomson, 20 Dec 2016
Skyline of Los Angeles

Los Angeles to extradite bloke from Nigeria after scores of city workers fall for phish scam

Los Angeles wants to extradite a Nigerian man accused of swiping the passwords of more than 100 workers in 15 city and county departments via a phishing attack. The metropolis' prosecutors have obtained arrest warrants seeking the extradition of Austin Kelvin Onaghinor from Nigeria to face charges of identity theft and …
Shaun Nichols, 19 Dec 2016
Frustrated accountant puts head in hands. Photo by Shutterstock

Cyber insurance brokers: If it makes you feel any better, 2016 was not our year either

Insurers are handling "hundreds" of breach claims, according to figures from CFC Underwriting. CFC Underwriting said it handled more than 400 claims against cyber-breach policies it issued this year alone. The rise in data breaches and money transfer scams are driving the increase. Claims on CFC policies almost doubled year …
John Leyden, 19 Dec 2016

Akamai buys bot-sniffing startup Cyberfend

Akamai Technologies has beefed up its existing bot management and mitigation services with the acquisition of US startup Cyberfend. Financial terms of the deal, announced Monday, were undisclosed. Credential theft and abuse is a significant problem for online businesses and their customers. Cyberfend’s tech is designed to …
John Leyden, 19 Dec 2016

PayAsUGym breach exposes passwords

Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords. In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later …
John Leyden, 19 Dec 2016
Auctioneer with hammer

Bayrob: Romanian auction fraud suspects extradited to the US

Three suspected cybercriminals have been arrested and extradited from Romania to the US over a multi-million dollar malware-facilitated scams. The suspects are believed to be members of a gang, nicknamed Bayrob by Symantec researchers, which allegedly earned a living from online fraud for nearly a decade. The indictment claims …
John Leyden, 19 Dec 2016
Very colourful For Sale sign (limited offer etc). Photo by Shutterstock

FYI! – Your! hacked! Yahoo! account! is! worth! $0.0003!

The hacked database containing the account details of more than one billion Yahoo! users is reportedly being sold for a meager $300,000. This according to a report by the New York Times, which spoke with researchers at US computer security biz InforArmor. Those eggheads claim to have knowledge of at least three groups – two …
Shaun Nichols, 19 Dec 2016

LinkedIn's training arm resets 55,000 members' passwords, warns 9.5m

Lynda.com, the training arm of LinkedIn, on Saturday issued email notices to about 55,000 members whose data it says has been perused by an “unauthorized third party.” The letter sent to members, two of whom thoughtfully forwarded it to El Reg, reads as follows: We recently became aware that an unauthorized third party …
Simon Sharwood, 18 Dec 2016
testing

Hack attack fear scares Canadian exam board away from online tests

Every year Ontario’s Education Quality and Accountability Office (EQAO) tests secondary school students in their literacy skills. This year it rolled out online tests and the results weren't good. In October the online pilot test of the Ontario Secondary School Literacy Test (OSSLT) was deployed and quickly fell over with its …
Iain Thomson, 17 Dec 2016
Photo by MediaGroupBestForYou / Shutterstock

'I told him to cut it out' – Obama is convinced Putin's hackers swung the election for Trump

Analysis Outgoing US President Barack Obama has promised to take action against Russia over its alleged interference in the presidential election campaign. American intelligence agencies have concluded that hackers linked to the Kremlin infiltrated the computer network of the Democratic National Committee as well as the email account …
John Leyden, 17 Dec 2016
A person holding a radio

Houston, we have a problem: 'App dev stole our radio station'

A Texas radio station claims the software developer hired to build its mobile app has "gone rogue" – and is attempting to take control of the station. KCOH, a talk radio station in Houston, has filed a lawsuit [PDF] in the Harris County Court seeking a restraining order against Johnny Taylor and his company, Mobile Encryption …
Shaun Nichols, 16 Dec 2016
USNS Bowditch

Don't panic, friends, but the Chinese navy just nicked one of America's underwater drones

A diplomatic incident is brewing after US defense officials accused a Chinese warship of filching one of America's robotic submersibles. We're told the Seaglider underwater drone was being picked up by the USNS Bowditch in the South China Sea after it surfaced for collection. As the US naval oceanographic vessel went to …
Iain Thomson, 16 Dec 2016
Vodafone adds payment cards to mobile wallet

Banks 'not doing enough' to protect against bank-transfer scams

UK banks have been told they needed to go further protecting consumers against money transfer scams - a growing form of fraud. The Payment Systems Regulator said institutions must improve the way they respond to bank transfer scams and do more to identify fraudulent payments without advocating changes in liability for …
John Leyden, 16 Dec 2016
DDoS

DDoS in 2017: Strap yourself in for a bumpy ride

DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. Whole industries have developed around launching and preventing DDoS campaigns as black hats and white hats battle for dominance, and 2017 …
Robin Birtstone, 16 Dec 2016

National Lottery whacked with £3m fine for suspect ticket win

The National Lottery has been whacked with a £3m fine by the Gambling Commission over its failure to have proper controls in place to prevent a fraudulent ticket winning. It followed a probe by the regulator into allegations that a £2.5m fraudulent National Lottery prize had been paid in 2009, but which only came to light last …
Kat Hall, 16 Dec 2016
AVSWinvote box

US voting machine certification agency probes potential hack

The US agency charged with ensuring that voting machines meet security standards may have been compromised, according to evidence uncovered by cyber security firm Recorded Future. In a statement, the EAC confirmed it was investigating a potential breach. EAC has become aware of a potential intrusion into an EAC web-facing …
John Leyden, 16 Dec 2016

German infosec agency urges security review after Yahoo! flensing

Germany's Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security or BSI) has warned users to reconsider the security chops of their email providers and plugged local services in response to news a billion credentials were stolen from Yahoo! The oft-raided web concern revealed yesterday …
Darren Pauli, 16 Dec 2016
Newly passed out 2Lts from 6 RIFLES on Salisbury Plain Training Area. Crown copyright, 2013

Ransomware scum face unified white hat army

More security players have joined the No More Ransom initiative, which should make life hard for the cretins who create ransomware. More than 30 security research firms and law enforcement agencies have joined the initiative to unify their efforts to free victims from ransomware extortion. More than 6,000 users have used the …
Darren Pauli, 16 Dec 2016

Macbook seized or stolen? But you've set a FileVault password, right? Ha, it's useless

Until earlier this week, Apple's FileVault 2 disk encryption could be defeated in the time it takes to reboot a Mac, given a few hundred dollars in hardware and physical access to the computer. Apple on its website claims that FileVault 2 uses "XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to …
Thomas Claburn, 16 Dec 2016
Tavis Ormandy's Symantec exploit

Dear hackers, Ubuntu's app crash reporter will happily execute your evil code on a victim's box

Users and administrators of Ubuntu Linux desktops are being advised to patch their systems following the disclosure of serious security flaws. Researcher Donncha O'Cearbhaill, who discovered and privately reported the vulnerabilities to the Ubuntu team, said that a successful exploit of the bugs could allow an attacker to …
Shaun Nichols, 15 Dec 2016

Security! experts! slam! Yahoo! management! for! using! old! crypto!

Analysis Fallen web giant Yahoo! has been branded negligent for failing to tackle the prodigious challenge of upgrading its MD5 password hashing before some one billion accounts were stolen. The security-battered organisation revealed today that attackers had stolen more than a billion accounts in August 2013 in history's biggest …
Darren Pauli, 15 Dec 2016

Bluetooth-enabled safe lock popped after attackers win PINs

Attackers can locate and pop safes protected with high security commercial locks thanks to poor Bluetooth implementations, say researchers at Somerset Recon say. The SecuRam ProLogic B01 locks are badged as the industry's only Bluetooth-packing lock for safes that can be paired with smartphones. The researchers (@ …
Darren Pauli, 15 Dec 2016

BlackEnergy power plant hackers target Ukrainian banks

The same hackers who turned out the lights at Ukrainian utilities last December have been running attacks against the same country’s banks over recent months. Security firm ESET reports that the gang slinging the TeleBots malware against Ukrainian banks shares a number of similarities with the BlackEnergy group, which …
John Leyden, 15 Dec 2016
Yahoo

Yahoo! says! hackers! stole! ONE! BEELLION! user! accounts!

Yahoo! says hackers have probably stolen details from more than a billion user accounts, including names, addresses, phone numbers, and weakly-hashed passwords in attacks dating back to 2013. Chief information security officer Bob Lord said in a statement that this event is likely a separate haul unrelated to past breaches. " …
Darren Pauli, 14 Dec 2016
Triggertrap

Give us encrypted camera storage, please – filmmakers, journos

Over 150 prominent filmmakers and photojournalists have asked leading camera makers to add support for data encryption to their devices. An open letter published on Wednesday by the Freedom of the Press Foundation – a group that includes Academy Award winners Laura Poitras and Alex Gibney – states that encryption is absent …
Thomas Claburn, 14 Dec 2016

Infosec bods: This is a backdoor in Skype for Macs. Microsoft: No.

A security hole in Skype for OS X allowed installed apps to silently delve into the user's chat logs, record their calls, and leaf through their contacts. The authentication bypass vulnerability was discovered by security researchers at Trustwave SpiderLabs, which described the flaw as a backdoor that allowed access to all …
John Leyden, 14 Dec 2016

Persistent ad and dialler trojans found on 28 Android phones

More than two dozen cheap Androids have been found to host pre-installed malicious apps capable of downloading persistent adware and making phone calls. The phones, which include Lenovo's A6000 and A319, were discovered bearing the pre-installed malicious apps by security researchers with antivirus firm Dr Web. Dr Web reckons …
Darren Pauli, 14 Dec 2016
Image composite Andreas Berheide https://www.shutterstock.com/gallery-584422p1.html

A single typo may have tipped US election Trump's way

A single typo from a Clinton campaign aide gave Russian hackers access to a decade's worth of emails, some 60,000 in total, owned by Clinton campaign chairman John Podesta. Clinton campaign aide Charles Delavan wrote in an email to one of Podesta's aides. later published by Wikileaks, that Podesta must "immediately" change his …
Darren Pauli, 14 Dec 2016
Photo by JStone / Shutterstock

Uber-creepy: Dial-a-ride devs accused of stalking pop diva Beyonce

A former Uber staffer claims the amateur taxi app maker routinely pried into customer records to spy on people, including celebrity riders and ex-partners of employees. The allegations against the ride-sharing giant were made by Ward Spangenberg, a former forensic investigator at Uber who is now suing the Silicon Valley biz …
Shaun Nichols, 14 Dec 2016

Reschedule the holiday party, Patch Tuesday is here and it's a big one

Security patches for Windows, macOS, iOS and other Apple firmware, and a host of Adobe products, were emitted this week. The final scheduled patch dump of the year sees Microsoft deliver fixes for multiple products, while Apple has security updates for iOS, macOS, Safari, and iTunes, and Adobe patches nine products including …
Shaun Nichols, 14 Dec 2016