Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post alleging endpoint security vendor Carbon Black's Cb Response protection software would, once installed …

A cross-site forgery vulnerability in the American court system's document archive PACER has been fixed. The bug could have been exploited to hijack accounts and retrieve civil and criminal lawsuit files on victims' dime. PACER, run by the Administrative Office of the US Courts, is a massive searchable trove of records, …

The controversial topic of electronic device searches at the US border, and whether customs agents should be required to get warrants before sucking data off them, is heading to the Fifth Circuit Court of Appeals. For several years the legal issues surrounding what border agents are entitled to do with your electronic devices …

Android users should be expecting a security update to land for the mobile operating system in short order, as Google has issued fixes for 99 CVE-listed programming cockups. This month's update has been released for the Pixel and Nexus lines and kicked out to other manufacturers and carriers, which will post their own updates …

Critical issues in SAP’s CRM application – patched on Tuesday – open the door to corporate espionage, security researchers warn. SAP resolved a total of 19 software flaws yesterday. Among the most critical bugs is an SQL injection in SAP CRM WebClient User Interface (SAP Security Note 2450979). The issue, identified by …

The FBI’s preferred tool for unmasking Tor users has brought about another arrest: a suspected sextortionist who allegedly tricked young girls into sharing nude pics of themselves and then blackmailed his victims. As we learned from previous investigations, the Feds have a network investigative technique (NIT) up their sleeve …

Patch Tuesday Microsoft has released the August edition of its Patch Tuesday update to address security holes in multiple products. Folks are urged to install the fixes as soon as possible before they are exploited. Among the flaws are remote code execution holes in Windows, Internet Explorer/Edge and Flash Player, plus a guest escape in …

British security researcher Marcus Hutchins was released on Monday from a Nevada jail after posting bail. He is now on his way to Milwaukee to face charges of selling malware online. Hutchins, 23, who shot to fame after finding a way to kill off the WannaCry ransomware outbreak that crippled parts of Britain's National Health …

The UK government has announced that businesses providing essential services like energy and transport could be fined as much as £17m or 4 per cent of global turnover for failing to have effective cyber security measures in place. The proposals from the Department for Digital, Culture, Media & Sport satisfy requirements under …

An engineer has been jailed for 18 months after admitting to stealing blueprints from his former employer's FTP server. Jason Needham, 45, of Arlington, Tennessee, USA, worked at engineering firm Allen & Hoshall until 2013, when he left to set up his own consultancy, HNA. But in the two years following his departure he hacked …

The chief information officer of America's Department of Homeland Security has become the latest Trump administration appointee to resign. Richard Staropoli, the former US secret service agent who at one time vowed to run the department "like a hedge fund," will be leaving at the end of the month. Staropoli had been appointed …

A Dutch researcher says he found a way to cause mischief on power grids by exploiting software bugs in solar power systems. Specifically, Willem Westerhof, a cybersecurity researcher at ITsec, said he uncovered worrying flaws within power inverters – the electrical gear turns direct current from solar panels into alternating …

The Center for Democracy & Technology (CDT), a digital rights advocacy group, on Monday urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive and unfair trade practices. AnchorFree claims its Hotspot Shield VPN app protects netizens from online tracking, but, according to a complaint filed …

New aircraft carrier HMS Queen Elizabeth could arrive at her home port, Portsmouth, within the next fortnight, according to the Ministry of Defence. The 65,000-tonne warship, the first true aircraft carrier in Royal Navy service for almost a decade, is currently undergoing sea trials off the coast of Scotland. While the ship …

Mozilla has just rolled out an experimental service called Send that allows users to make an encrypted copy of a local file, store it on a remote server, and share it with a single recipient. And once shared, the encrypted data gets deleted from the server. Send solves what used to be a common problem, sending a large file …

Disney has been sued in America for allegedly collecting children's personal information without getting parents' approvals. A class-action lawsuit [PDF] filed Thursday in northern California accuses the unstoppable children's entertainment brand and three of its developer partners of violating privacy laws by tracking the …

Marcus Hutchins, the WannaCry ransomware killer and now suspected malware developer, was told by a Las Vegas court on Friday he can be released on bail. He also denied any wrongdoing. The British citizen was sensationally arrested and taken into custody on Wednesday by the FBI. The agents swooped as he was about to board a …

Hackers can exploit trivial flaws in network-connected Siemens' medical scanners to run arbitrary malicious code on the equipment. These remotely accessible vulnerabilities lurk in all of Siemens' positron emission tomography and computed tomography (PET-CT) scanners running Microsoft Windows 7. These are the molecular imaging …

The US Army has issued a global order banning its units from using drones made by Chinese firm DJI, citing “cyber vulnerabilities”. The memorandum, issued by the US Army’s Lieutenant General Joseph Anderson, orders all US Army units with DJI products to immediately stop using them. “Due to increased awareness of cyber …

To publish online and remain anonymous, boffins from Bulgaria and Qatar advise being mediocre. And if you can't manage that on your own, they have a technique to make your prose less scintillating. Distinctive writing tends to point to a specific author. That's what stylometry, the study of linguistic patterns, aims to reveal …

A Russian man has been imprisoned for 46 months after admitting to using the Ebury malware to create a massive botnet for fun and profit. Maxim Senakh, 41, of Veliky Novgorod in Russia, was sentenced in Minnesota after pleading guilty to conspiracy to commit wire fraud and violating the Computer Fraud and Abuse Act. He was …

The chap behind Chrome Web Developer, a popular third-party extension that was briefly hijacked to inject ads into browsers, today confirmed he was the victim of a phishing attack. Chris Pederick, a Brit living abroad in San Francisco, California, said he received an email on Tuesday claiming to be from Google warning that his …

Marcus Hutchins, the British malware researcher who killed off the WannaCry ransomware outbreak, was arrested in Las Vegas on Wednesday on suspicion of being a malware writer himself. Hutchins, aka MalwareTechBlog on Twitter, was collared after attending the DEF CON hacking conference in Nevada, US, last week. FBI agents …

Updated Marcus Hutchins, the unassuming Brit who found and activated the kill switch in the WannaCry ransomware, has been arrested by the FBI in America. Hutchins had been invited over to the States for the DEF CON hacking conference, held last week in Las Vegas, Nevada, and stayed on a few extra days to do the usual touristy things …

More than $140,000 (£105,000) in Bitcoin has been paid out by victims of the global WannaCrypt ransomware outbreak from May. The money was removed from the online wallets at 4am UTC on Thursday. The Bitcoin activity was noticed by a Twitter bot set up by Quartz journalist Keith Collins. It tweeted: Status of WannaCrypt …

An email has gone out from IBM about its Bluemix cloud: after next Tuesday, the SoftLayer APIs will no longer accept connections encrypted with the ancient TLS 1.0. It's not quite a surprise that the 1990s-era protocol was still accepted: a great many services are still midway through their deprecation plans. To give just one …

A two-week-old campaign to steal developers' credentials using malicious code distributed through npm, the Node.js package management registry, has been halted with the removal of 39 malicious npm packages. Developers regularly add these bundles of JavaScript code to Node.js applications to implement common functions, so they …

A fella in the US is suing his ex‑wife, alleging she broke federal wiretapping and privacy laws by snooping on his email during their divorce. The case, just kicked off in an Illinois district court after six years of wrangling, pits Barry Epstein against his former spouse of 46 years, Paula Epstein, who filed for divorce in …

A popular Chrome extension was hijacked earlier today to inject ads into browsers, and potentially run malicious JavaScript, after the plugin's creator was hacked. Chris Pederick, maker of the Web Developer for Chrome extension, is urging anyone who uses his programming tool to update to version 0.5 or later. That's because …

Shoppers in Cardiff got an eyeful this week when mystery hackers took control of an electronic billboard overlooking the main shopping street and broadcasted a string of images, including Nazi swastikas. The billboard, on Queen Street in the Welsh capital, began displaying pictures of the Nazi symbol, and a sign declaring: " …

America's broadband watchdog, the FCC, has continued digging an ever-deeper hole over its claims it was subject to a distributed denial-of-service attack. The latest shovel of BS came in a letter [PDF] to US Congress in which the FCC's chief information officer David Bray said he could not tell Congressmen what the "additional …

A UK web biz has been slammed for blocking people on Twitter just for reporting a security vulnerability that potentially leaked people's contact details. Kids Pass – a Cheshire-based outfit that offers more than 500,000 folks discount vouchers for family activities – was alerted over the weekend, via Twitter, that its code …

Installing keylogging software on your employees' computers and using what you find to fire them is not OK, a German court has decided. In a decision (in German) last week, the Federal Labor Court looked at the case of a web developer at a media agency who was fired for developing a computer game for a different company while …

A new breed of Android malware is picking off mobile banking customers, particularly those in the UK and Germany, we're told. The Svpeng software nasty has been around for four years, and its creator was caught and thrown in the clink in 2015. However, the malware keeps on evolving, thanks to other crooks trying their hand …

Analysis UK Home Secretary Amber Rudd kicked off a firestorm in the tech community Tuesday when she argued that "real people" don't need or use end-to-end encryption. In an article in the Daily Telegraph timed to coincide with Rudd's appearance at a closed event in San Francisco, Rudd argued: "Real people often prefer ease of use and a …

Updated A bunch of mid-age Ford, Infiniti, Nissan and BMW vehicles are carrying around a vulnerable chipset from Infineon that America's ICS-CERT reckons is easy to exploit. The BMWs went on sale between 2009 and 2010, the affected Infiniti models were built between 2013 and 2015 and there's a chance Nissan Leafs manufactured between …

Netflix has identified denial of service threat to microservices architectures that it's labelled “application DDoS”. Traditional DDoS attacks flood networks with bogus traffic so that infrastructure runs out of resources to serve legitimate users. Netflix characterises an application DDoS attack as one in which attackers “ …

McAfee has moved to patch a bug that falls under the “didn’t you get the memo?” category: among other things, its free Security Scan Plus online tool retrieved information over HTTP – that is, in plain text. The potential man-in-the-middle vector exists not in the operation of the free online scan, but in the house ads and UI …

HBO is the latest entertainment giant to have its precious content stolen and leaked by hackers, including program episodes and possibly Game of Thrones scripts. The security breach reportedly includes the script or a script treatment for next week's Game of Thrones episode, meaning fans will be disappointed to realize it's …

Executives at Facebook, Google and other terrorist-enabling online services are said to be quaking in their boots as UK Home Secretary Amber Rudd swoops into Silicon Valley this week to read them the riot act. Rudd has been a frequent critic of social media giants, particularly after the murders in London and Manchester, and …

Hackers have leaked what they claim is information stolen from FireEye/Mandiant after apparently breaking into the incident response biz's network. Mandiant has denied this. The miscreants, who branded their attack campaign "Op #LeakTheAnalyst," claimed in a preface to their PasteBin dump that they had "breached [Mandiant's] …

Analysis BSides, Black Hat, DEF CON... For the last six days, Las Vegas has been home to the top brains in the computer security industry and the business menagerie that follows them – causing some panic among locals. We've seen the pathetic state of the US electronic voting system exposed, claims of advanced eavesdropping at the …