British Airways faces a £500m lawsuit over its recent mega-breach that exposed payment card details of 380,000 customers. The airliner last week apologised and offered to compensate customers for any direct financial loss for the attack that took place between 21 August and 5 September via its website and app. However, an …

Security experts are debating the cause of the British Airways mega-breach, with external scripts on its payment systems emerging as a prime suspect in the hack. Why infosec folk think it was the payment system Although BA hasn't disclosed the root of the breach, the unusual precision it ascribed to the hack's duration …

In late August, Microsoft announced a free service that arguably reveals more about the future of the email business and its struggles with security than several years' worth of earnest press releases. Called AccountGuard, it's Microsoft's answer to the phenomenon of Russian phishing meddling with the US elections and the …

A security researcher has disclosed a bug that could be abused to spoof website addresses in either Edge or Safari. Rafay Baloch told The Register that while Microsoft has since patched the flaw (CVE-2018-8383) in its browser, Apple has been dragging its feet on a fix for Safari for weeks, and the browser remains vulnerable …

Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers. Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, …

Bug broker Zerodium has released word of a flaw in the Tor browser that would potentially allow an attack site to bypass security protections and execute malicious code in the supposedly secure internet system. The flaw was disclosed in a Zerodium Tweet Monday morning that provides some detail on the nature of the flaw. …

If you've been looking at SiFive's RISC-V-based chip technology and thinking, y'know what, it's missing an Arm TrustZone-style element to run sensitive code, well, here's some good news. And if you're just into processor design and checking out alternatives to Arm CPU cores, then this may be some interesting news. SiFive …

Updated A bunch of Trend Micro anti-malware tools have vanished from Apple's Mac App Store – after they were spotted harvesting and siphoning off users' browser histories. Dr Cleaner, Dr Antivirus, and App Uninstall – utilities owned by the Japan-headquartered security house and distributed on the Mac App Store – are no longer …

Persistence pays off for crooks when it comes to sextortion-based phishing scams, research into its effectiveness suggests. One variant bombards prospective marks with threats to release non-existent footage of them watching smut unless they give in to demands. Cleverly, these threats are lent an air of authenticity by using …

Roundup This week brought with it a Supermicro shoring up firmware security, a North Korean hacking charge, and a spying anti-adware macOS tool getting yanked by Apple from its App Store. Elsewhere, we had… BrokenType broken out with source code release A software vulnerability probing tool called BrokenType had appeared in public on …

The upcoming 2020 US presidential election should be conducted on paper, since there is no way currently to make electronic and internet voting secure. That's according to a dossier from the National Academies of Sciences, Engineering, and Medicine, which probed the fallout of alleged Russian meddling with America's 2016 …

Apple has removed an app called Adware Doctor:Anti Malware &Ad from the macOS App Store following claims it sent users' browser histories to a remote server in China. The app's misbehavior was first noted by a security researcher who goes by name Privacyis1st on Twitter and claims to have alerted Apple to the weirdness in …

Bouxtie had everything you can dream of in a Silicon Valley startup. A stupid name (it's pronounced "bow-tie"), a vastly over-confident CEO with a story, millions in VC money, and a nonsensical business model built around an app. And yet this week its chief exec Renato Libric pleaded guilty, in a US federal district court, to …

Exclusive Just weeks before being hacked in late August, British Airways' parent IAG was planning to outsource its cybersecurity to IBM, admitting it needed a "group-wide strategic and proactive approach" to counter threats. The memo in full Subject: Group IT Cyber Security Update From: John Hamilton Sent: 01 August 2018 13:56 All …

The number of UK companies on the receiving end of business scams involving email has risen by nearly two-thirds – 58 per cent – in the last year, new data from Lloyds Bank has revealed. Stats from the bank showed the average loss from so-called "business email compromise" (BEC) frauds has reached £27,000. IT workers are …

Two crooks scammed Vodafone customers in the Czech Republic out of $26,000 thanks to weak telco-issued PIN codes. Vodafone preset the online passwords for their customers with a numerical password of 4-6 digits. A pair of chancers with no technical skills were able to launch a brute-force attack that reportedly involved trying …

Cisco has taken delivery of a bulk order for 29 Common Vulnerabilities and Exposures (CVEs) IDs. If you're running the end-of-life RV110 Wireless-N VPN firewall or RV215W Wireless-N VPN router, bad news: some of their security vulnerabilities won't be patched and there's no workaround – so it is probably time to replace them …

The privacy issues thrown up by connected cars don't seem to be going anywhere soon. Drivers of cars from BMW, Jaguar Land Rover and Mercedes-Benz have reported that previous owners retain unfettered access to the data and controls of connected cars after resale. The problem is international and extends to hire cars due to …

Comment Businesses find themselves in a world where the threat to their networks often comes not simply from a compromise of their computers, servers, or infrastructure, but from legitimate, sanctioned users. There is nothing new about the notion of cyber-attackers seeing human beings as their biggest target. For years, real-world …

Researchers claim to have discovered an exploitable flaw in the baseboard management controller (BMC) hardware used by Supermicro servers. Security biz Eclypsium today said a weakness in the mechanism for updating a BMC's firmware could be abused by an attacker to install and run malicious code that would be extremely …

Tesla will allow vetted security researchers to hunt for vulnerabilities in its vehicle firmware risk free – as long as it is done under its now-tweaked bug bounty program. The luxury electric automaker said this week it will reflash the firmware on cars that have been bricked by infosec bods probing for exploitable bugs in …

Analysis Despite repeated denials, some under oath, US Supreme Court nominee Brett Kavanaugh appears to have known – and may even have pushed for – the warrantless spying program that was approved by President George W Bush in the aftermath of the September 11, 2001 attacks. That is the upshot of a series of emails that were provided …

The US government has formally accused the North Korean government of being behind the Sony Pictures hack, the WannaCry ransomware that crippled the UK's National Health Service and other organizations, and a series of online bank heists including $81m stolen from Bangladesh's national bank. The state-sponsored attacks were …

British Airways on Thursday said it is investigating the theft of customer data from its website and mobile app servers. The biz, which bills itself as the world's favorite airline, said its systems had been compromised for more than two weeks. "From 22:58 BST August 21 2018 until 21:45 BST September 5 2018 inclusive, the …

The UK's TV Licensing agency has taken its website offline "as a precaution" after being blasted for running transactional pages that were not sent over HTTPS. The publicly funded outfit had been criticised for inviting folk to submit sensitive data over unencrypted links. Just a few hours after proclaiming "we will soon …

Updated Researchers in Germany have discovered how to obtain HTTPS security certificates for web domains they don't own – even if the certs are protected by PKI-based domain validation. Essentially, some certificate authorities can be tricked into incorrectly issuing the cryptographic certs, meaning a miscreant can get a SSL/TLS …

Analysis Not since the days of the US Clipper chip in the early 1990s, have backdoors put there by government decree to bypass encryption been this fashionable with governments. Clipper – an encryption chipset with a US-government-accessible backdoor backed by the US National Security Agency (NSA) – foundered on the stubborn resistance …

A former NASA contractor was arrested and charged on Wednesday for allegedly sextorting women. Richard Gregory Bauer, 28, was detained at his Los Angeles home by special agents from the space agency's internal watchdog. Bauer is accused of stalking, unauthorized access to protected computers, and aggravated identity theft, …

The Windows ALPC security hole that emerged early last week remains unpatched, even though it is being actively exploited by hackers to gain total control over PCs. As we reported at the end of August, a person behind the now-deleted Twitter account SandboxEscaper publicly revealed the system-level privilege escalation zero- …

Vid Beware using your web browser's autofill feature to log into your broadband router via Wi-Fi and unprotected HTTP. A nearby attacker can attempt to retrieve the username and password. The problem – found by SureCloud's Elliott Thompson and detailed here – is the result of a mismatch in browser behavior and router configuration …

Health-insurance biz Premera Blue Cross has been accused of deliberately knackering one of its computers to cover up details of a cyber-break-in. The organization denies any wrongdoing. The allegation was leveled last week against Premera, and is the latest twist in a long-running class-action lawsuit filed by the insurer's …

A scurrilous marketing agency that fired 1.42 million emails at prospective customers was today saddled with a £60,000 fine by the UK’s data watchdog. The Information Commissioner’s Office said Stevenage-based Everything DM Ltd (EDML) pestered people for a year from May 2016 via its direct marketing system, Touchpoint. EDML, …

A pair of cybercrooks who may have started out as legit infosec pros have expanded their operations outside Russia and begun attacking banks across the world. "Silence is an example of a mobile, small, and young group that has been progressing rapidly," Group-IB said, adding that the cybercrime group has shown signs of …

A British teenager has pleaded guilty in court to making hoax bomb threats to schools and airports while posing online as part of a hacker crew, a police agency has alleged. George Duke-Cohan, a 19-year-old from Garston near Watford in Hertfordshire, England, pleaded guilty at Luton Magistrates’ Court yesterday to three counts …

Cybercrims are ramping up their efforts to target employees through fraudulent email and social media scams, according to a new study by email security firm Proofpoint. Retailers and government agencies saw huge quarter-on-quarter increases in email fraud attempts in calendar Q2, with attacks per company and agency soaring 91 …

The US Securities and Exchange Commission (SEC) has put out a call for proposals on a new system that would be able to identify possible stock scams posted on Twitter, Facebook, and other social networks. The SEC posted the call last week with a September 11 deadline for proposals from developers on an application that would …