
Carbon Black denies its IT security guard system oozes customer secrets

Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post alleging endpoint security vendor Carbon Black's Cb Response protection software would, once installed …
Iain Thomson, 10 Aug 2017

US court system bug opened hole for hackers to scoop up legal docs for free on victims' dime

A cross-site forgery vulnerability in the American court system's document archive PACER has been fixed. The bug could have been exploited to hijack accounts and retrieve civil and criminal lawsuit files on victims' dime. PACER, run by the Administrative Office of the US Courts, is a massive searchable trove of records, …
Shaun Nichols, 09 Aug 2017

US border cops must get warrants to search phones, devices – EFF

The controversial topic of electronic device searches at the US border, and whether customs agents should be required to get warrants before sucking data off them, is heading to the Fifth Circuit Court of Appeals. For several years the legal issues surrounding what border agents are entitled to do with your electronic devices …
Kieren McCarthy, 09 Aug 2017

It's August 2017 and your Android gear can be pwned by, oh look, just patch the things

Android users should be expecting a security update to land for the mobile operating system in short order, as Google has issued fixes for 99 CVE-listed programming cockups. This month's update has been released for the Pixel and Nexus lines and kicked out to other manufacturers and carriers, which will post their own updates …
Shaun Nichols, 09 Aug 2017

SAP cleans up more than a dozen troubling CRM security blunders

Critical issues in SAP’s CRM application – patched on Tuesday – open the door to corporate espionage, security researchers warn. SAP resolved a total of 19 software flaws yesterday. Among the most critical bugs is an SQL injection in SAP CRM WebClient User Interface (SAP Security Note 2450979). The issue, identified by …
John Leyden, 09 Aug 2017

FBI's spyware-laden video claims another scalp: Alleged sextortionist charged

The FBI’s preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims. As we learned from previous investigations, the Feds have a network investigative technique (NIT) up their sleeve …
Iain Thomson, 09 Aug 2017

It's 2017 and Hyper-V can be pwned by a guest app, Windows by a search query, Office by...

Patch Tuesday Microsoft has released the August edition of its Patch Tuesday update to address security holes in multiple products. Folks are urged to install the fixes as soon as possible before they are exploited. Among the flaws are remote code execution holes in Windows, Internet Explorer/Edge and Flash Player, plus a guest escape in …
Shaun Nichols, 08 Aug 2017

Marcus Hutchins free for now as infosec world rallies around suspected banking malware dev

British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. He is now on his way to Milwaukee to face charges of selling malware online. Hutchins, 23, who shot to fame after finding a way to kill off the WannaCry ransomware outbreak that crippled parts of Britain's National Health …
Iain Thomson, 08 Aug 2017

NotBeingPetya: UK critical infrastructure firms face huge fines for lax security

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place. The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under …
John Leyden, 08 Aug 2017

Engineer gets 18 months in the clink for looting ex-bosses' FTP server

An engineer has been jailed for 18 months after admitting to stealing blueprints from his former employer's FTP server. Jason Needham, 45, of Arlington, Tennessee, USA, worked at engineering firm Allen & Hoshall until 2013, when he left to set up his own consultancy, HNA. But in the two years following his departure he hacked …
Iain Thomson, 08 Aug 2017

US Homeland Security CIO hits ctrl-alt-delete after just three months

The chief information officer of America's Department of Homeland Security has become the latest Trump administration appointee to resign. Richard Staropoli, the former US secret service agent who at one time vowed to run the department "like a hedge fund," will be leaving at the end of the month. Staropoli had been appointed …
Shaun Nichols, 08 Aug 2017

Hackers could exploit solar power equipment flaws to cripple green grids, claims researcher

A Dutch researcher says he found a way to cause mischief on power grids by exploiting software bugs in solar power systems. Specifically, Willem Westerhof, a cybersecurity researcher at ITsec, said he uncovered worrying flaws within power inverters – the electrical gear that turns direct current from solar panels into alternating …
Iain Thomson, 07 Aug 2017

Hotspot Shield VPN throws your privacy in the fire, injects ads, JS into browsers – claim

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices. AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed …
Thomas Claburn, 07 Aug 2017

HMS Queen Liz will arrive in Portsmouth soon, says MoD

New aircraft carrier HMS Queen Elizabeth could arrive at her home port, Portsmouth, within the next fortnight, according to the Ministry of Defence. The 65,000-tonne warship, the first true aircraft carrier in Royal Navy service for almost a decade, is currently undergoing sea trials off the coast of Scotland. While the ship …
Gareth Corfield, 07 Aug 2017

Send mixed messages: Mozilla wants you to try its encrypted file sharing

Mozilla has just rolled out an experimental service called Send that allows users to make an encrypted copy of a local file, store it on a remote server, and share it with a single recipient. And once shared, the encrypted data gets deleted from the server. Send solves what used to be a common problem, sending a large file …
Thomas Claburn, 05 Aug 2017

Parents claim Disney gobbled up kids' info through mobile games

Disney has been sued in America for allegedly collecting children's personal information without getting parents' approvals. A class-action lawsuit [PDF] filed Thursday in northern California accuses the unstoppable children's entertainment brand and three of its developer partners of violating privacy laws by tracking the …
Shaun Nichols, 05 Aug 2017

WannaCry-killer Marcus Hutchins denies Feds' malware claims

Marcus Hutchins, the WannaCry ransomware killer and now suspected malware developer, was told by a Las Vegas court on Friday he can be released on bail. He also denied any wrongdoing. The British citizen was sensationally arrested and taken into custody on Wednesday by the FBI. The agents swooped as he was about to board a …
Iain Thomson, 04 Aug 2017

Forget sexy zero-days. Siemens medical scanners can be pwned by two-year-old-days

Hackers can exploit trivial flaws in network-connected Siemens' medical scanners to run arbitrary malicious code on the equipment. These remotely accessible vulnerabilities lurk in all of Siemens' positron emission tomography and computed tomography (PET-CT) scanners running Microsoft Windows 7. These are the molecular imaging …
Iain Thomson, 04 Aug 2017

DJI drones: 'Cyber vulnerabilities' prompt blanket US Army ban

The US Army has issued a global order banning its units from using drones made by Chinese firm DJI, citing “cyber vulnerabilities”. The memorandum, issued by the US Army’s Lieutenant General Joseph Anderson, orders all US Army units with DJI products to immediately stop using them. “Due to increased awareness of cyber …
Gareth Corfield, 04 Aug 2017

To truly stay anonymous online, make sure your writing is as dull as the dullest conference call you can imagine

To publish online and remain anonymous, boffins from Bulgaria and Qatar advise being mediocre. And if you can't manage that on your own, they have a technique to make your prose less scintillating. Distinctive writing tends to point to a specific author. That's what stylometry, the study of linguistic patterns, aims to reveal …
Thomas Claburn, 04 Aug 2017

Russian admits being Ebury botnet herder, now jailed for 46 months

A Russian man has been imprisoned for 46 months after admitting to using the Ebury malware to create a massive botnet for fun and profit. Maxim Senakh, 41, of Veliky Novgorod in Russia, was sentenced in Minnesota after pleading guilty to conspiracy to commit wire fraud and violating the Computer Fraud and Abuse Act. He was …
Iain Thomson, 03 Aug 2017

Hacked Chrome web dev plugin maker: How those phishers tricked me

The chap behind Chrome Web Developer, a popular third-party extension that was briefly hijacked to inject ads into browsers, today confirmed he was the victim of a phishing attack. Chris Pederick, a Brit living abroad in San Francisco, California, said he received an email on Tuesday claiming to be from Google warning that his …
Shaun Nichols, 03 Aug 2017

WannaCry-slayer Marcus Hutchins 'built Kronos banking trojan' – FBI

Marcus Hutchins, the British malware researcher who killed off the WannaCry ransomware outbreak, was arrested in Las Vegas on Wednesday on suspicion of being a malware writer himself. Hutchins, aka MalwareTechBlog on Twitter, was collared after attending the DEF CON hacking conference in Nevada, US, last week. FBI agents …
Iain Thomson, 03 Aug 2017

WannaCry kill-switch hero Marcus Hutchins collared by FBI on way home from DEF CON

Updated Marcus Hutchins, the unassuming Brit who found and activated the kill switch in the WannaCry ransomware, has been arrested by the FBI in America. Hutchins had been invited over to the States for the DEF CON hacking conference, held last week in Las Vegas, Nevada, and stayed on a few extra days to do the usual touristy things …
Iain Thomson, 03 Aug 2017

WannaCrypt victims paid out over $140k in Bitcoin to get files unscrambled

More than $140,000 (£105,000) in Bitcoin has been paid out by victims of the global WannaCrypt ransomware outbreak from May. The money was removed from the online wallets at 4am UTC on Thursday. The Bitcoin activity was noticed by a Twitter bot set up by Quartz journalist Keith Collins. It tweeted: Status of WannaCrypt …
Kat Hall, 03 Aug 2017

Wait. What? The IBM cloud's APIs use insecure TLS1 crypto?

An email has gone out from IBM about its Bluemix cloud: after next Tuesday, the SoftLayer APIs will no longer accept connections encrypted with the ancient TLS 1.0. It's not quite a surprise that the 1990s-era protocol was still accepted: a great many services are still midway through their deprecation plans. To give just one …

This typosquatting attack on npm went undetected for 2 weeks

A two-week-old campaign to steal developers' credentials using malicious code distributed through npm, the Node.js package management registry, has been halted with the removal of 39 malicious npm packages. Developers regularly add these bundles of JavaScript code to Node.js applications to implement common functions, so they …
Thomas Claburn, 02 Aug 2017

Thought your divorce was ugly? Bloke sues wife for wiretapping – 'cos she read his email

A fella in the US is suing his ex‑wife, alleging she broke federal wiretapping and privacy laws by snooping on his email during their divorce. The case, just kicked off in an Illinois district court after six years of wrangling, pits Barry Epstein against his former spouse of 46 years, Paula Epstein, who filed for divorce in …
Shaun Nichols, 02 Aug 2017

Chrome web dev plugin with 1m+ users hijacked, crams ads into browsers

A popular Chrome extension was hijacked earlier today to inject ads into browsers, and potentially run malicious JavaScript, after the plugin's creator was hacked. Chris Pederick, maker of the Web Developer for Chrome extension, is urging anyone who uses his programming tool to update to version 0.5 or later. That's because …
Shaun Nichols, 02 Aug 2017

Cardiff did Nazi that coming: Hackers slap Trump, swastikas, Sharia law on e-sign

Shoppers in Cardiff got an eyeful this week when mystery hackers took control of an electronic billboard overlooking the main shopping street and broadcasted a string of images, including Nazi swastikas. The billboard, on Queen Street in the Welsh capital, began displaying pictures of the Nazi symbol, and a sign declaring: " …
Iain Thomson, 02 Aug 2017

FCC: We could tell you our cybersecurity plan… but we'd have to kill you

America's broadband watchdog, the FCC, has continued digging an ever-deeper hole over its claims it was subject to a distributed denial-of-service attack. The latest shovel of BS came in a letter [PDF] to US Congress in which the FCC's chief information officer David Bray said he could not tell Congressmen what the "additional …
Kieren McCarthy, 02 Aug 2017

Brit voucher biz's signup page blabbed families' details via URL tweak

A UK web biz has been slammed for blocking people on Twitter just for reporting a security vulnerability that potentially leaked people's contact details. Kids Pass – a Cheshire-based outfit that offers more than 500,000 folks discount vouchers for family activities – was alerted over the weekend, via Twitter, that its code …
Rebecca Hill, 02 Aug 2017

Sorry, psycho bosses, it's not OK to keylog your employees

Installing keylogging software on your employees' computers and using what you find to fire them is not OK, a German court has decided. In a decision (in German) last week, the Federal Labor Court looked at the case of a web developer at a media agency who was fired for developing a computer game for a different company while …
Kieren McCarthy, 02 Aug 2017

'Invisible Man' malware runs keylogger on your Android banking apps

A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, we're told. The Svpeng software nasty has been around for four years, and its creator was caught and thrown in the clink in 2015. However, the malware keeps on evolving, thanks to other crooks trying their hand …
Iain Thomson, 02 Aug 2017

'Real' people want govts to spy on them, argues UK Home Secretary

Analysis UK Home Secretary Amber Rudd kicked off a firestorm in the tech community Tuesday when she argued that "real people" don't need or use end-to-end encryption. In an article in the Daily Telegraph timed to coincide with Rudd's appearance at a closed event in San Francisco, Rudd argued: "Real people often prefer ease of use and a …
Kieren McCarthy, 01 Aug 2017

It’s 2017 and Hayes AT modem commands can hack luxury cars

Updated A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit. The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and there's a chance Nissan Leafs manufactured between …

'App DDoS bombs' that slam into expensive APIs worry Netflix

Netflix has identified a denial of service threat to microservices architectures that it has labelled “application DDoS”. Traditional DDoS attacks flood networks with bogus traffic so that infrastructure runs out of resources to serve legitimate users. Netflix characterises an application DDoS attack as one in which attackers “ …
Simon Sharwood, 01 Aug 2017

McAfee online scan used plain old HTTP to fetch screen elements

McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text. The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI …

Game of Pwns: Hackers invade HBO, 'leak Game of Thrones script'

HBO is the latest entertainment giant to have its precious content stolen and leaked by hackers, including program episodes and possibly Game of Thrones scripts. The security breach reportedly includes the script or a script treatment for next week's Game of Thrones episode, meaning fans will be disappointed to realize it's …

Look out Silicon Valley, here comes Brit bruiser Amber Rudd to lay down the (cyber) law

Executives at Facebook, Google and other terrorist-enabling online services are said to be quaking in their boots as UK Home Secretary Amber Rudd swoops into Silicon Valley this week to read them the riot act. Rudd has been a frequent critic of social media giants, particularly after the murders in London and Manchester, and …
Kieren McCarthy, 31 Jul 2017

PasteBin data dump: Hackers claim files are from Mandiant FireEye 'breach'

Hackers have leaked what they claim is information stolen from FireEye/Mandiant after apparently breaking into the incident response biz's network. Mandiant has denied this. The miscreants, who branded their attack campaign "Op #LeakTheAnalyst," claimed in a preface to their PasteBin dump that they had "breached [Mandiant's] …
John Leyden, 31 Jul 2017

Destination PWND: Safes, ATMs, phones all fall to Vegas hax0rs

Analysis BSides, Black Hat, DEF CON... For the last six days, Las Vegas has been home to the top brains in the computer security industry and the business menagerie that follows them – causing some panic among locals. We've seen the pathetic state of the US electronic voting system exposed, claims of advanced eavesdropping at the …
Iain Thomson, 31 Jul 2017

Biting the hand that feeds IT © 1998–2017