John Leyden


Thousands of misconfigured 3D printers on interwebz run risk of sabotage

Internet-connected 3D printers are at risk of being tampered with or even sabotaged because users fail to apply security controls, a researcher has warned. Xavier Mertens, a senior handler for the SANS Internet Storm Center (ISC) and freelance cybersecurity consultant, found more than 3,700 3D printers directly connected to …
John Leyden, 4 Sep 2018

Excuse me, but your website's source code appears to be showing

An internet-wide scan of 230 million domains found 390,000 exposed source code directories. The results, obtained by security researcher Vladimír Smitka, are a problem because an exposed .git folder of a version control repository reveals a lot of information about the website's structure, or worse. "Sometimes you can …
John Leyden, 4 Sep 2018

Google cracks down on dodgy tech support ads

Google has placed restrictions on tech support ads after admitting it's increasingly hard to tell promos for legit services from deceptions. Tech support scams come via either cold calls to unsuspecting users or bogus web pages showing made-up, fake alert messages usually about dummy virus infections. Cold-callers posing as …
John Leyden, 3 Sep 2018

C'mon, if you say your device is 'unhackable', you're just asking for it: Bitfi retracts edgy claim

Bitfi finally and reluctantly retracted its unhackable claim last night in the face of a new cold boot attack. The John McAfee-backed hardware crypto-wallet firm got under the skins of security researchers by marketing its device as "unhackable" when it launched in July. The $120 Wi-Fi-enabled Bitfi wallet is a hardware …
John Leyden, 31 Aug 2018

Fourth 'Fappening' celeb nude snap thief treated to 8 months in the clink

The last of the four hackers collared for stealing and leaking people's private nude photos from their online accounts back in 2014 has been sentenced to eight months' imprisonment. George Garofano, 26, of North Branford, Connecticut, was also sentenced to three years' supervision post-release as punishment for his role in " …
John Leyden, 31 Aug 2018

Cobalt cybercrooks phry up phishing campaign to phling at phinance orgs

A notorious hacking group suspected in attacks across dozens of countries has launched a campaign against banks in eastern Europe and Russia. The so-called Cobalt Group is slinging spear-phishing emails in an attempt to get into the systems of targeted financial organisations. The emails are set up to look like they were sent …
John Leyden, 31 Aug 2018

Hackers latch onto new Apache Struts megavuln to mine cryptocurrency

A recently uncovered critical vulnerability in Apache Struts is already being exploited in the wild. Threat intel firm Volexity has warned that hackers are abusing the CVE-2018-11776 vuln to attack systems running Apache Struts 2, a popular open-source framework for developing applications in Java. Specifically, some nasty …
John Leyden, 30 Aug 2018

Hackers faked Cosmos backend to hoodwink bank out of $13.5m

Security researchers have taken a deep dive into the cyber attack on the SWIFT/ATM infrastructure of Cosmos Bank, the recent victim of a $13.5m cyber-heist. Experts at Securonix have outlined the most likely progression of the attack against the bank, the latest financial institution to face hacks blamed on state-backed North …
John Leyden, 29 Aug 2018

ABBYY woes: Doc-reading software firm leaves thousands of scans blowing in wind

Document-reading software flinger ABBYY exposed more than 203,000 customer documents as the result of a MongoDB server misconfiguration. The AWS-hosted MongoDB server was accidentally left publicly accessible and contained 142GB of scanned documents including over 200,000 scanned contracts, memos, letters and other sensitive …
John Leyden, 29 Aug 2018

We're all sick of Fortnite, but the flaw found in its downloader is the latest way to attack Android

A newfound way to hack Android using a technique dubbed "Man-in-the-Disk" is central to the recent security flap about Fortnite on the mobile platform. Man-in-the-Disk can circumvent sandboxes and infect a smartphone or tablet using shared external storage through a seemingly harmless Android application. Sandboxing isolates …
John Leyden, 29 Aug 2018

Footie fans calling for a red card over West Ham United CC email blunder

Fat-fingered staff at London football team West Ham United have upset some fans following a ticket confirmation email bungle. West Ham's email to away season ticket-holders confirming their ticket for tonight's (Tuesday) Football League Cup fixture at Wimbledon was CC'd to every intended recipient. The message should have been …
John Leyden, 28 Aug 2018

Give yourselves a pat on the back, top million websites, half of you now use HTTPS

More than half (51.8 per cent) of the Alexa Top 1 Million sites are actively redirecting to HTTPS for the first time. The milestone was crossed during another strong six months moving towards a fully encrypted web, according to the latest stats from security researcher Scott Helme, published on Friday. Back in February, at …
John Leyden, 28 Aug 2018

Back to school soon – for script kiddies as well as normal kids. Hackers peddle cybercrime e-classes via Telegram

Crooks are now taking to encrypted messenger Telegram to tout their online how-to courses on cybercrime, according to risk management biz Digital Shadows. Russian criminals have for some time now taught classes over the internet on how to rip off folks and credit card companies. Digital Shadows, which chronicled this trade …
John Leyden, 24 Aug 2018

Facebook pulls 'snoopy' Onavo VPN from Apple's App Store after falling foul of rules

Facebook has pulled its data-snaffling Onavo VPN from Apple's App Store after the iGiant said the tech violated recently tightened rules. Onavo is a free VPN app that pipes user traffic through Facebook systems under the pretext of protecting surfers from malware-tainted websites and other threats. The app, which the social …
John Leyden, 23 Aug 2018

US Democrats call in Feds: There's something phishy going on with our voter database

Updated The Democratic National Committee (DNC) has called in the FBI after uncovering an apparent attack against its internal voter database system. CNN reported that the DNC learned of the attempted phishing attack from cloud service provider DigitalOcean via Lookout, a mobile security firm that detected the malfeasance. Miscreants …
John Leyden, 23 Aug 2018

If it doesn't need to be connected, don't: Nurse prescribes meds for sickly hospital infosec

BSides Manchester A children's nurse prescribed hospitals ways to improve their computer security at the BSides conference in Manchester, England, earlier this month. Jelena Milosevic developed an interest in cybersecurity over the past four years while working as an on-call nurse in several hospitals across the Netherlands, where she said …
John Leyden, 23 Aug 2018

Connected car data handover headache: There's no quick fix... and it's NOT just Land Rovers

The perils of previous owners retaining unfettered access to the data and controls of connected cars after resale is a wider problem across the industry, The Register has discovered. We have confirmed that BMW, Mercedes-Benz and Nissan may all have much the same issue as Jaguar Land Rover, the focus of our recent article on …
John Leyden, 21 Aug 2018

SuperProf gets schooled after assigning weak passwords to tutors

Updated Private tutor networking website SuperProf has irritated teacher clients of a firm it recently acquired – by handing out hopelessly insecure passwords. SuperProf, headquartered in Paris, recently bought UK-based Tutor Pages. Tutor Pages teachers have been migrated to the SuperProf platform but details of their fees, subjects, …
John Leyden, 20 Aug 2018

So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

BSides Manchester A newly discovered WordPress flaw has left installs of the ubiquitous content management system potentially vulnerable to hacking. A security shortcoming within WordPress's PHP framework can be leveraged by logged-in non-admin users to run arbitrary malicious code and commands on the host servers, infosec consultancy Secarma …
John Leyden, 20 Aug 2018

Web cache poisoning just got real: How to fling evil code at victims

BSides Manchester Websites can be hijacked to turn their caches into exploit delivery systems. James Kettle of PortSwigger, the biz behind Burp Suite, has developed techniques that go beyond previous cache poisoning. Caching speeds up webpage loads by reducing latency while also reducing the load on the application server. Some organizations host …
John Leyden, 17 Aug 2018

What happens to your online accounts when you die?

BSides Manchester What happens to the numerous user logins you've accumulated after you die or become too infirm to manipulate a keyboard? Some people have a plan, the digital equivalent of a living will, or have chosen the "family" option in a password management package such as LastPass, or have entrusted a book of passwords to a family member. But …
John Leyden, 17 Aug 2018

Support for ageing key exchange crypto leaves VPNs open to attack

Security gaps have been identified in widely used implementations of the IPsec protocol, which is used to set up Virtual Private Networks (VPNs). The Internet Key Exchange protocol "IKEv1", which is part of the IPsec protocol family, has vulnerabilities that enable potential attackers to interfere with the communication …
John Leyden, 15 Aug 2018

Baddies of the internet: It's all about dodgy mobile apps, they're so hot right now

Rogue mobile apps have become the most common fraud attack vector, according to the latest quarterly edition of RSA Security's global fraud report. Fraud from mobile browsers and mobile applications made up 71 per cent of total fraudulent transactions recorded (of approximately 402,000) in Q2 2018, compared to 61 per cent in …
John Leyden, 15 Aug 2018

Criminals a bit less interested in nicking Brits' identities this year

New figures reveal UK identity fraud dropped during the first six months of 2018 to reach a four-year low. Cifas members recorded 84,463 cases of identity fraud in the first six months of the year, a 5 per cent drop compared to the same period in 2017 (89,199). Despite the reduction, identity fraud still represents over half …
John Leyden, 15 Aug 2018

Medical device vuln allows hackers to falsify patients' vitals

Hackers may be able to falsify patient vitals by messing with the traffic on hospital networks. Research from McAfee shows it’s possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and a central monitoring station. Most patient monitoring systems comprise a minimum …
John Leyden, 14 Aug 2018

Biting the hand that feeds IT © 1998–2018