Hackers plunder Hilton 'HHonors' rewards points, go on shopping spree

Millions of Hilton HHonors rewards points are being stolen and sold online, traded in by scammers for gift cards and goods. Points appear to be stolen through brute force attacks. One user on a forum has released simple capture code alleged to have been used to breach accounts protected only with a four-digit PIN on the Hilton …
Darren Pauli, 5 Nov 2014

Raj Samani: The Director’s Cut

Regcast after dark: After our recent Regcast in which Raj Samani of McAfee's Intel Security scared us to death about security threats businesses are facing (before showing us how automating our security systems means we’re not doomed if we do the right thing), we got the sense he had more to say. We were right. So we sat Raj down for …
Tim Phillips, 4 Nov 2014

Apple OSX Yosemite infested by nasty 'Rootpipe' vuln

A Swedish security researcher has turned up a serious vulnerability in OS X “Yosemite”, but details are to be withheld until January, giving Apple time to prepare a patch. The vuln was first described in mid-October, when Truesec posted a YouTube video (below) that sketchily described the existence of the bug. Truesec …

Pay-by-bonk 'glitch' means cards can go kaching-for-crims

Researchers from the UK's Newcastle University have outlined how pay-by-bonk cards can be p0wned by a “rogue POS terminal” running on a mobile phone. To be detailed on Wednesday at the 21st ACM Conference on Computer and Communications Security, the attack is said to rely on a “rogue POS terminal” being set up with a pre-set …
News team, 4 Nov 2014

Forging administrator cookies and crocking crypto ... for dummies

Security pro Laurens Van Houtven has created a free introductory cryptography course to help programmers lift their infosec game. The Crypto 101 book contained everything needed to understand complete systems including block and stream ciphers; hash functions; message authentication codes; public key encryption; key agreement …
Darren Pauli, 4 Nov 2014

Pro-democracy Hong Kong sites DDoS'd with Chinese cyber-toolkit

Hacking attacks against organisations promoting democracy in Hong Kong were run using the same infrastructure previously linked to Chinese cyber-espionage attacks, according to new research from security firm FireEye. Sites promoting the Occupy Central Pro Democracy movement, including Next Media’s Apple Daily publication and …
John Leyden, 3 Nov 2014

VMware: Yep, ESXi bug plays 'finders keepers' with data backups

Running VMware’s ESXi and diligently backing up your data in the belief it’s safe as houses? Think again. VMware has quietly ‘fessed up to the existence of a bug affecting all versions of its bare-metal hypervisor. It copped the problem in its knowledge base as users began cottoning on to the fact something was amiss in their …
Gavin Clarke, 3 Nov 2014

Pro-ISIS script kiddies deface West Yorkshire egg-chasers' site

Pro-ISIS script kiddies defaced the website of Rugby League team the Keighley Cougars over the weekend in the latest of a series of attacks against somewhat obscure targets. The West Yorkshire club's home page was replaced by a black screen and the message: "I love you Isis" with the tag "Hacked By Team System DZ" at the top of …
John Leyden, 3 Nov 2014

Auditors find encrypted chat client TextSecure is secure

Popular text and instant messaging client TextSecure would offer excellent security ... if it patched an attack vector found by a German research team conducting the first audit of the software. The app was downloaded half a million times from the Android play store and was built into the popular Cyanogenmod Android operating …
Darren Pauli, 3 Nov 2014

Remote code execution flaws fixed in tnftp and wget

The maintainer of the tnftp FTP client has patched a remote code execution vulnerability which affected operating systems including NetBSD, FreeBSD and Mac OS X. The flaw (CVE-2014-8517), which did not affect OpenBSD due to modifications, was patched over the weekend. Maintainer Luke Mewburn notified NetBSD (which ships tnftp) …
Darren Pauli, 3 Nov 2014

LastPass releases Open Source command line client

LastPass has published an open source command line application to provide terminal-loving devs with alternative access to their passwords and login data. The outfit says the app improves user security, with a growing list of commands that lets users edit their LastPass data. It also supports functions such as regular automated …
Darren Pauli, 2 Nov 2014

Pirate Bay co-founder JAILED for three years after massive CSC HACK ATTACK

The Pirate Bay co-founder Gottfrid Svartholm Warg was banged up for three and a half years on Friday. The jail term comes after the 30-year-old was found guilty of hacking charges by a court in Denmark on Thursday. Warg and an unnamed, 21-year-old accomplice hacked into the mainframe of American tech outfit CSC, which was …
Kelly Fiveash, 1 Nov 2014

Facebook lifts Tor ban, touts encrypted onion access point

Facebook has changed its stance on Tor traffic and will now provide users with a way to connect to its free content ad network using the anonymizing service. The company said that it will now offer a special URL – https://facebookcorewwwi.onion – that will allow users running Tor-enabled browsers to access the service. Facebook …
Shaun Nichols, 31 Oct 2014

Popular Science site shrugs off malicious code infection

Surfers visiting Popular Science would be well advised to check their systems following an attack that has left the site compromised and harbouring malicious code. Security firm Websense warns that visiting the site exposed surfers to the RIG exploit kit. The malicious code was removed on Wednesday, but a number of surfers may …
John Leyden, 31 Oct 2014

Microsoft patches GroupMe 'full account' hijack hole

Microsoft has patched a simple 'full-account takeover' flaw in its popular iOS and Android messaging client GroupMe. The app once described as "utterly indispensable" had as of 2012 processed a whopping 550 million messages a month, and was downloaded 76,000 times from Google's Play Store. New York hacker Dylan Saccomanni said in …
Darren Pauli, 31 Oct 2014

Free government-penned crypto can swipe identities

The PLAID (Protocol for Lightweight Authentication of Identity) cryptography kit appears to be insecure. PLAID is a homebrew cryptography system designed by Centrelink - the Australian government agency that shovels out tens of billions a year in welfare payments. The system has been considered for use by US government agencies …
Darren Pauli, 31 Oct 2014

Google heads out the back with rifle, puts down POODLE

Google will destroy vicious POODLE in a pending update to its flagship Chrome browser. Update 40 will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Mountain View followed Redmond in its browser POODLE put-down after a single click FixIt SSLv3 disabler was …
Darren Pauli, 31 Oct 2014

Danish court finds Pirate Bay cofounder guilty of hacking CSC servers

Gottfrid Svartholm Warg, cofounder of the Pirate Bay, has been found guilty of hacking charges by a court in Denmark, which ruled that he and a 21-year-old accomplice had hacked US technology company CSC to gain access to Danish government servers. "We welcome the decision of the court, and the trial clearly demonstrated the …
Iain Thomson, 30 Oct 2014

BIGGEST THREAT to Europe’s cybersecurity? Hint: not hackers

Forget cyber-espionage, cyber-warfare and cyber-terrorism. The biggest threats to Europe’s infrastructure cybersecurity are power outages and poor communication. On Thursday, ENISA (European Network and Information Security Agency) held its biggest ever cybersecurity exercise involving more than 200 organisations and 400 cyber- …

The ULTIMATE CRUELTY: Sandworm uses PowerPoint against Swiss bank customers

The Sandworm vulnerability is being actively abused to attack Swiss banking customers, Danish security consultancy CSIS has warned. CSIS reports that the attacks are pushing the latest version of the Dyre banking trojan. Attacks arrive as spam emails under the guise of information about unpaid invoices. In reality the …
John Leyden, 30 Oct 2014

UK smart meters arrive in 2020. Hackers have ALREADY found a flaw

British consumers could easily hack into controversial new smart meters, allowing them to illegally slash their energy bills, cyber-security experts have warned. The caution came as top Whitehall apparatchiks met with energy industry leaders today to discuss plans that will see the devices installed in every British home by …
Jasper Hamill, 30 Oct 2014

UK consumers particularly prone to piss-poor patching

UK consumer patching practices have worsened still further over the last three months, increasing the threat of malware problems, according to a new study by IT security provider Secunia. Secunia estimates 12.6 per cent of UK users are running unpatched operating systems, up from 9.7 per cent the previous quarter. In addition, …
John Leyden, 30 Oct 2014

Carders offer malware with the human touch to defeat fraud detection

A new cybercrime tool promises to use credit card numbers in a more human way that is less likely to attract the attention of fraud-detection systems, and therefore be more lucrative for those who seek to profit from events like the Target breach. The "Voxis Platform" is billed as "advanced cash out software" that promises to …
Darren Pauli, 30 Oct 2014

Mozilla releases geolocating WiFi sniffer for Android

Mozilla has released a new app, Stumbler, that “collects GPS data for our location service” by detecting WiFi access points and mobile phone cell towers, then “uses these wireless network locations to provide geolocation services for Firefox OS devices and other open source projects.” That sort of data collection has, of course …
Simon Sharwood, 30 Oct 2014

DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned

Drupal websites that had not patched seven hours after the disclosure of a "highly critical" SQL injection (SQLi) hole on 15 October are essentially hosed, the content management tool's developers say. Attacks against the vulnerability (CVE-2014-3704) in version seven of the content management system began "hours" …
Darren Pauli, 30 Oct 2014

Big Retail: We don't hate Apple, we hate the credit card companies

The Merchant Customer Exchange (MCX) went on a PR offensive on Wednesday to explain what happened in the hacking attack that saw its testers' emails exposed, why its member retailers banned Apple Pay and Google Wallet, and what makes its CurrentC mobile payment system so great. Dekkers Davidson, CEO of MCX, which represents 50 …
Iain Thomson, 30 Oct 2014

The NO-NAME vuln: wget mess patched without a fancy brand

Sysadmins: another venerable and nearly-ubiquitous *nix tool, wget, needs patching because of a bug first reported by HD Moore. As the Red Hat Bugzilla report describes, the bug was a beauty: a recursive directory fetch over FTP would let an attacker “create arbitrary files, directories or symbolic links” due to a symlink flaw …

Australian E-Health records breached twice in the last year

Australia's Office of the Information Commissioner (OAIC) has released its Annual report of the Information Commissioner’s activities in relation to eHealth 2013–14, complete with a report on two data breaches in the systems used to store personally controlled electronic health records (PCEHRs). The first was notified in …
Simon Sharwood, 29 Oct 2014

Naked and afraid: that's how Telstra's Wi-Fi security makes you feel

Sit down, open up the laptop, join the advertised SSID, and go online. Free Wi-Fi makes working at the cafe a breeze. Free Wi-Fi transformed Sydney’s libraries into some of the most sought-after spots in town. Cities blanket themselves in free Wi-Fi to encourage tourists and business and residents to spend more time - and money …
Mark Pesce, 29 Oct 2014

Bad dog: Redmond's new IE tool KILLS POODLE with one shot

Microsoft has issued new guidance on the POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability, including a one-click utility that can automatically disable SSL 3.0 in Internet Explorer. The Fix It utility, which was released on Wednesday, is a reversible workaround for all versions of Redmond's browser from …
Neil McAllister, 29 Oct 2014

Big Retail's Apple Pay killer CurrentC HACKED, tester info nicked

CurrentC, the mobile payments system being pushed by some of the biggest retailers in the US, has been hacked – before the system is even fully up and running. "Within the last 36 hours, we learned that unauthorized third parties obtained the e-mail addresses of some of our CurrentC pilot program participants and individuals who …
Iain Thomson, 29 Oct 2014

WHITE HOUSE network DOWN: Nation-sponsored attack likely

Hackers have disrupted computer operations at the White House after breaking into its unclassified internal network. The attack, blamed by US government sources on Russian hackers, has resulted in the disruption of some services while incident response teams work to contain the intrusion. The White House network is under …
John Leyden, 29 Oct 2014

BlackEnergy crimeware coursing through US control systems

Industrial control systems in the United States have been compromised by the BlackEnergy malware toolkit for at least three years in a campaign the US Computer Emergency Response Team has dubbed "ongoing" and sophisticated. Attackers had compromised unnamed industrial control system operators and implanted BlackEnergy on …
Darren Pauli, 29 Oct 2014

Cisco: We made UCS secure but need your help to finish the job

Cisco has released a hardening guide for its unified computing system (UCS) that reveals the company's servers do most things right - all manner of potentially-insecure services are off by default - but also offers plenty of suggestions to make sure risks don't increase during production. The document centres on hardening the …
Darren Pauli, 29 Oct 2014

Find My Phone does just one thing but Samsung's messed it up

Researcher Mohamed Baset has reported a zero day flaw that allows hackers to lock a host of Samsung phones with the lost device feature. Baset (@SymbianSyMoh) uploaded a proof of concept video to YouTube showing how to lock a Samsung phone using a cross site request forgery vulnerability in the Find My Mobile feature. Phones …
Darren Pauli, 29 Oct 2014

'GCHQ's surveillance data gulp is BULKY and WARRANTLESS', human rights groups moan

Britain's spooks routinely rummage through reams of intelligence data from the NSA and other foreign spy agencies without first having to request a warrant, it has been claimed. According to the human rights groups that brought the UK's snooping agency GCHQ to court in July this year, secret internal policies unveiled during a …
Kelly Fiveash, 29 Oct 2014

Security Avengers team up to take down Chinese hacking group

Security firms are claiming credit for putting the skids under a Chinese cyber-espionage crew thought to have been operating for at least six years. The so-called Axiom Threat Actor Group allegedly victimised pro-democracy non-governmental organisations (NGOs) and other groups and individuals that would be perceived as a …
John Leyden, 28 Oct 2014

FBI impersonated newspaper to finger school bomb threat suspect

A US newspaper has reacted angrily after it emerged that the FBI impersonated its website in order to locate a target using snoopware. The Feds set up a fake Seattle Times news story on a counterfeit website in order to entice a bomb-threat suspect to disclose his location back in 2007. Links to the doctored story were sent to …
John Leyden, 28 Oct 2014

Feds seek potential 'second Snowden' gov doc leaker – report

A worker at a US government contractor is suspected of being the second leaker who turned over sensitive documents on the US government's terrorist watch list to journalist Glenn Greenwald, according to recent reports. The FBI reportedly searched the suspect's home and opened a criminal case, according to unnamed law enforcement …
John Leyden, 28 Oct 2014

EvilToss and Sourface hacker crew 'likely' backed by Kremlin – FireEye

Russia is "likely" sponsoring a hacking outfit that targets foreign governments and security organisations, the US intelligence firm FireEye claims. "APT28", a group operating for possibly more than a decade, has attacked governments in Georgia, Eastern Europe, as well as NATO and the Organisation for Security and Co-operation …
Darren Pauli, 28 Oct 2014

Intel bods to detail RSA birko crypto man-in-the-middle diddle

A pair of Intel security researchers will tomorrow delve into a class of dangerous vulnerabilities they found last month that allowed forged RSA certificates to be created by abusing the Mozilla Network Security Services (NSS) cryptographic library. Attendees at a Buenos Aires event will be walked through the fine points of how …
Darren Pauli, 28 Oct 2014

Knock Knock tool makes a joke of Mac AV

Security research and development bod Patrick Wardle has released a tool to reveal executables that automatically boot in Mac OS X. The Knock Knock tool was open source and built on an extensible framework to encourage the community to evolve the platform. Wardle, of consultancy Synack, said he designed the tool because he was …
Darren Pauli, 28 Oct 2014