Articles about security

Patch Drupal now: Yet another critical website bug found – a sequel to 'Drupalgeddon2'

After scrambling to patch a critical vulnerability late last month, Drupal is at it again. The open source content management project has issued an unscheduled security update to augment its previous patch for Drupalgeddon2. There was also a cross-site scripting bug advisory in mid-April. Rage Running Drupal? You need to …
Thomas Claburn, 25 Apr 2018

ISO blocks NSA's latest IoT encryption systems amid murky tales of backdoors and bullying

Two new encryption algorithms developed by the NSA have been rejected by an international standards body amid accusations of threatening behavior. The "Simon" and "Speck" cryptography techniques were designed for the next generation of internet-of-things sensors, and were intended to become a global standard. But there were …
Kieren McCarthy, 25 Apr 2018

Hotel, motel, Holiday Inn? Doesn't matter – they may need to update their room key software

Infosec outfit F-Secure has uncovered security vulnerabilities in a hotel keycard system that can be exploited by miscreants to break into rooms across the globe. Exploitable flaws were discovered in the lock system software, Vision by VingCard, which F-Secure said is used to secure millions of hotel rooms worldwide. Their …
Kat Hall, 25 Apr 2018

I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son

Updated: Security researcher Kate Temkin has released proof-of-concept code dubbed Fusée Gelée that exploits a bug in Nvidia's Tegra chipsets to run custom code on locked-down devices. Temkin, who participates in the Nintendo Switch hacking project ReSwitched, has developed a cold-boot hack for the games console that takes advantage of …
Thomas Claburn, 23 Apr 2018

Cloud-surfing orgs under attack, Microsoft antivirus for Chrome, Windows 10 S bypass, non-RSA gigs, and more

Roundup: Here's a roundup of this week's security news, beyond what we've already covered. Besides RSA: BSides and OURSA. Sunday saw the start of the two-day BSides SF conference, which caters more for hackers – white, gray, and black hat – rather than this week's RSA Conference, which is aimed more at sales and marketing execs, and IT …
Iain Thomson, 21 Apr 2018

Facebook privacy audit by auditors finds everything is awesome!

The US Federal Trade Commission has released an audit of Facebook's privacy practices and it turns out there's nothing to worry about, at least as far as accounting firm PricewaterhouseCoopers (PwC) is concerned. Clearly, there's nothing to worry about. Go back to your homes, people. PwC, retained to check on how Facebook has …
Thomas Claburn, 21 Apr 2018

No way, RSA! Security conference's mobile app embarrassingly insecure

RSA has copped to a security vulnerability in the backend systems powering the smartphone app for its annual security conference, held this week in San Francisco, USA. Infosec expert "svbl" discovered and reported a privacy cockup in an API, which could be accessed by anyone with an RSA Conference account, to fetch the names …
Shaun Nichols, 20 Apr 2018

Apple's magical quality engineering strikes again: You may want to hold off that macOS High Sierra update...

An increasing number of Mac loyalists are complaining that the latest desktop operating system update from Apple is killing their computers. The 10.13.4 update for macOS High Sierra is recommended for all users, and was emitted at the end of March promising to "improve stability, performance, and security of your Mac." macos …
Kieren McCarthy, 20 Apr 2018

Patch or ditch Adobe Flash: Exploit on sale, booby-trapped Office docs spotted in the wild

In case you needed another reason not to open Adobe Flash or Microsoft Office files from untrusted sources: ThreadKit, an app for building documents that infect vulnerable PCs with malware when opened, now targets a recently patched Flash security bug. This means less-than-expert hackers can use ThreadKit to craft booby- …

Facebook exec extracts foot from mouth: We didn't really mean growth matters more than human life

Facebook held a press conference on Thursday to provide details about its efforts to prevent electoral manipulation, only to have its damage control eclipsed by the publication of an executive's internal memo from 2016 suggesting growth mattered more than human life. Acknowledging that Facebook had been used "to divide …
Thomas Claburn, 30 Mar 2018

Nine Iranians accused of cyber-swiping 30TB+ of blueprints from unis, biz on Tehran's orders

The US Department of Justice and Department of the Treasury on Friday charged nine Iranians with carrying out a series of internet attacks on more than 300 universities and 47 companies in the US and abroad, as well as federal and state agencies and the United Nations. The defendants were involved in various capacities with …
Thomas Claburn, 23 Mar 2018

City of Atlanta's IT gear thoroughly pwned by ransomware nasty

Updated: IT systems used by the City of Atlanta, in the US state of Georgia, have succumbed to a ransomware attack, cutting off some online city services and potentially putting the personal information of employees and citizens at risk. At a press conference held on Thursday afternoon, Atlanta Mayor Keisha Lance Bottoms said the …
Thomas Claburn, 22 Mar 2018

CTS who? AMD brushes off chipset security bugs with firmware patches

AMD has finally weighed in with its opinion of the security flaws in its Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile chips, identified in a rather over-the-top fashion by CTS-Labs a week ago. The vulnerabilities affect the firmware managing the AMD Secure Processor and the chips used in some socket AM4 and socket TR4 desktop …
Thomas Claburn, 21 Mar 2018

Cluster-f*ck! Etcd DBs spaff passwords, cloud keys to world by default

Software called etcd, used for storing data across clusters of containers, has a problem – it does not implement authentication by default and so poses a security risk if deployed without further fiddling. It's also rather widely used because it comes with Kubernetes, the popular container orchestration software. Giovanni …
Thomas Claburn, 20 Mar 2018

FYI: AI tools can unmask anonymous coders from their binary executables

Talk about the ultimate Git Blame. Programmers can be potentially identified from the low-level machine-code instructions in their software executables by AI-powered tools. That's according to boffins from Princeton University, Shiftleft, Drexel University, Sophos, and Braunschweig University of Technology, who have described …
Thomas Claburn, 16 Mar 2018

We're Putin our foot down! DHS, FBI blame Russia for ongoing infrastructure hacks

The US Department of Homeland Security and the Federal Bureau of Investigation on Thursday issued an alert warning of ongoing cyber-attacks against the West's energy utilities and other critical infrastructure by individuals acting on behalf of the Russian government. The security warning coincides with the US Treasury …
Thomas Claburn, 15 Mar 2018

OK, deep breath, relax... Let's have a sober look at these 'ere annoying AMD chip security flaws

Analysis: CTS-Labs, a security startup founded last year in Israel, sent everyone scrambling and headlines flying today – by claiming it has identified "multiple critical security vulnerabilities and manufacturer backdoors in AMD's latest Epyc, Ryzen, Ryzen Pro, and Ryzen Mobile processors." Tuesday's glitzy advisory disclosed no …
Thomas Claburn, 13 Mar 2018

Citizen Lab says Sandvine network gear aids government spyware

Internet users in Turkey, Egypt and Syria who attempted to download legitimate Windows applications have been redirected to nation-state spyware through deep-packet inspection boxes placed on telecom networks in Turkey and Egypt, according to a report issued Friday by security research group Citizen Lab. Citizen Lab, a Canada- …

Biting the hand that feeds IT © 1998–2018