

Audit finds Department of Homeland Security's security is insecure

The United States' Department of Homeland Security could do more to keep its IT systems secure, a government report has found. In an agency-wide audit titled "Evaluation of DHS' Information Security Program for Fiscal Year 2017" (PDF), the DHS's watchdog, the Office of Inspector General (OIG), concluded that DHS "could protect …
Thomas Claburn, 08 Mar 2018

Facebook Onavo Protect doesn't protect against Facebook

Facebook's mobile VPN app, Onavo Protect, has been pushed as a way to protect personal information over public networks. But the app, which the social media giant acquired in 2013, sends users' data back to Facebook, even when the app is turned off. In a blog post on Monday, Will Strafach, CEO of the Sudo Security Group, …
Thomas Claburn, 07 Mar 2018

Buffer overflow in Unix mailer Exim imperils 400,000 email servers

Researchers have uncovered a critical buffer overflow vulnerability in every version of the Exim mail transfer agent prior to the fix. The flaw (CVE-2018-6789) leaves an estimated 400,000 email servers at risk of remote code execution. Fortunately a patched version (Exim 4.90.1) is already available. The bug …
John Leyden, 07 Mar 2018
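A first triage step a mail admin would want here is a sweep of SMTP greeting banners for Exim versions older than 4.90.1. The following is an added example, not code from the Exim project or from the researchers; the banners are constructed, and the version-string format (Exim writes patch releases as 4.90_1) is the only assumption beyond the release number quoted above.

```python
"""Added example, not code from the Exim project or the researchers: read an
SMTP greeting banner and decide whether the advertised Exim version predates
4.90.1, the release that fixes CVE-2018-6789.  The banners are constructed."""
import re

FIXED_VERSION = (4, 90, 1)

# Constructed banners, not captured from real hosts.  Exim prints patch
# releases with an underscore (4.90_1); the dotted form is accepted too.
SAMPLE_BANNERS = [
    "220 mail.example.test ESMTP Exim 4.89 Wed, 07 Mar 2018 10:00:00 +0000",
    "220 mx.example.test ESMTP Exim 4.90_1 Wed, 07 Mar 2018 10:00:00 +0000",
    "220 smtp.example.test ESMTP Postfix",
]

_EXIM_RE = re.compile(r"\bExim (\d+)\.(\d+)(?:[._](\d+))?")


def parse_exim_version(banner):
    """Return (major, minor, patch) when the banner names Exim, else None."""
    match = _EXIM_RE.search(banner)
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version):
    """True when the advertised version is older than the fixed release."""
    return tuple(version) < FIXED_VERSION


def triage(banners):
    """Map each banner to 'patch', 'ok' or 'not-exim' for a quick sweep."""
    verdicts = []
    for banner in banners:
        version = parse_exim_version(banner)
        if version is None:
            verdicts.append("not-exim")
        elif is_vulnerable(version):
            verdicts.append("patch")
        else:
            verdicts.append("ok")
    return verdicts


if __name__ == "__main__":
    for banner, verdict in zip(SAMPLE_BANNERS, triage(SAMPLE_BANNERS)):
        print(verdict, "<-", banner)
```

A banner is a lead, not proof: operators can rewrite or suppress it, and distribution packages often backport the fix without bumping the upstream number. Confirm a "patch" verdict on the host itself (for example with `exim -bV` and the package manager) before raising an incident.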
UK government cooks up code of conduct to enforce a smidge of security on Internet of S**t kit

The makers of connected devices will be expected to build in security measures to prevent cyber threats, under a draft "code of conduct" issued by the UK government today. The Security by Design review intends to bake security into devices to protect "individuals' online security, privacy, safety" as well as preventing large- …
Kat Hall, 07 Mar 2018

Women of Infosec call bullsh*t on RSA's claim it could only find one female speaker

Day one of the annual RSA conference in San Francisco on April 17 will have some competition after a group of female infosec professionals decided to hold their own shindig - titled Our Security Advocates or OURSA - to showcase the work of women in the field. Last week RSA was hammered on social media when its keynote speaker …
Iain Thomson, 07 Mar 2018

CryptoLurker hacker crew skulk about like cyberspies, earn $$$

A sophisticated mystery hacker group is using tactics more familiar to the world of cyber espionage to earn millions through mining malware. Kaspersky Lab researchers report that cybercrooks have begun using infection methods and techniques borrowed from targeted attacks in order to install mining software. The most …
John Leyden, 06 Mar 2018

Co-op Bank's shonky IT in spotlight as delayed probe given go-ahead

An inquiry into The Co-operative Bank's financial collapse is to open four years after it was first announced by former UK chancellor George Osborne. The Treasury today directed financial regulator Prudential Regulation Authority (PRA) to conduct a review into how the bank was regulated between 2008 and 2013, before a £1.5bn …
Kat Hall, 06 Mar 2018

Miner vs miner: Attack script seeks out and destroys competing currency crafters

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers. The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target …

World's biggest DDoS attack record broken after just five days

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right. Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the …
Iain Thomson, 05 Mar 2018

Pennsylvania AG sues Uber over 2016 data fail

Uber has been hit with a lawsuit over its failure to disclose the 2016 theft of its customer and driver records. Pennsylvania state Attorney General Josh Shapiro says the dial-a-ride broker violated state data breach law when it failed to promptly file a report and notify both drivers and passengers of the loss of data. …
Shaun Nichols, 05 Mar 2018

Emirates dinged for slipshod online data privacy practices

Updated International airline Emirates leaks customers' sensitive personal information to third-party marketing partners and network adversaries, according to Konark Modi, a data security engineer for Cliqz, a privacy-focused browser based on Firefox. Modi, in an online post on Friday, said that after a customer books a flight through …
Thomas Claburn, 05 Mar 2018

Brit semiconductor tech ended up in Chinese naval railgun – report

A Chinese firm's buyout of a British semiconductor company may have directly led to China developing railgun weaponry and electromagnetic aircraft carrier catapults for its navy, according to reports. An anonymous source, identified as a former Dynex exec, told The Sunday Times that the acquisition of Dynex Semiconductor by …
Gareth Corfield, 05 Mar 2018

Spring break! Critical vuln in Pivotal framework's Data parts plugged

Pivotal's Spring Data REST project has a serious security hole that needs patching. Pivotal's Spring Framework is a popular platform for building web apps. Spring Data REST is a collection of additional components for devs to build Java applications that offer RESTful APIs to underlying Spring Data repositories. These …
John Leyden, 05 Mar 2018

Cryptocurrency miners go nuclear, RSA blunder, Winner back in court, and plenty more

Roundup Here's a quick summary of infosec news from this week, beyond what we've already covered. Cloud security shop Cyren surveyed 500,000 websites over the past four months, and said it saw a 725 per cent increase in the use of surreptitious crypto-coin mining code. The bulk of that code has shown up in the past two months, and it' …
Iain Thomson, 04 Mar 2018

RedDrop nasty infects Androids via adult links, records sound, and fires off premium-rate texts

A newly discovered strain of Android malware makes live recordings of ambient audio around an infected device. The RedDrop nasty also harvests and uploads files, photos, contacts, application data, config files and Wi-Fi information from infected kit. Both Dropbox and Google Drive are being used as temporary storage by the …
John Leyden, 02 Mar 2018

US Navy gives Lockheed Martin $150m big frickin' laser cannon contract

Lockheed Martin, makers of the F-35 and various other bits of defence hardware, has been handed a $150m contract by the US Navy to build two bloody great laser cannons. The laser weapons will be delivered along with a long-range intelligence, surveillance and reconnaissance "capability" and are specified to be capable of …
Gareth Corfield, 02 Mar 2018

Train to become an expert cyber crime fighter

Promo As cyber threats seem to multiply and mutate at ever-increasing speed, it becomes difficult to be sure you are able to defend your organisation against an attack that could come from any direction. Security training leader SANS is running a series of courses at the Grand Connaught Rooms in London from 16 to 21 April that promise …
David Gordon, 02 Mar 2018

Microsoft lobs Skylake Spectre microcode fixes out through its Windows

Microsoft is pushing out another round of security updates to mitigate data-leaking Spectre side-channel vulnerabilities in modern Intel x64 chips. Redmond said those who run Windows 10 Fall Creators Update and Windows Server Core with Skylake (aka 6th-generation Core) CPUs can go through the Microsoft Update Catalogue to get …
Shaun Nichols, 01 Mar 2018

HTTPS cert flingers Trustico, SSL Direct go TITSUP after website security blunder blabbed

The websites for HTTPS certificate reseller Trustico, and one of its partners, SSL Direct, took a dive on Thursday – after a critical and trivial-to-exploit security flaw was revealed on Twitter. The vulnerability could be leveraged by miscreants to execute arbitrary commands on the website's host server. A …
Iain Thomson, 01 Mar 2018

Equifax peeks under couch, finds 2.4 million more folk hit by breach

Embattled credit-reporting company Equifax has done some data crunching and discovered another 2.4 million people that had their information slurped by hackers. The biz, which was subject to one of the biggest data breaches in US history last May, has already had to revise up the number of affected individuals. The total …
Rebecca Hill, 01 Mar 2018

Spectre haunts Intel's SGX defense: CPU flaws can be exploited to snoop on enclaves

Vid The Spectre design flaws in modern CPUs can be exploited to punch holes through the walls of Intel's SGX secure environments, researchers claim. SGX – short for Software Guard eXtensions – is a mechanism that normal applications can use to ring-fence sections of memory that neither the operating system nor a hypervisor can …

German government confirms hackers blitzkrieged its servers to steal data

The German Interior ministry has confirmed that it has identified a serious attack against its servers, amidst reports that the culprits were the Russian APT28 – aka Fancy Bear – hacking group. On Wednesday local news site DPA International reported that the German government discovered a serious intrusion into its servers in …
Iain Thomson, 01 Mar 2018

23,000 HTTPS certs will be axed in next 24 hours after private keys leak

Customers of HTTPS certificate reseller Trustico are reeling after being told their website security certs – as many as 23,000 – will be rendered useless within the next 24 hours. This is allegedly due to a security blunder in which the private keys for said certificates ended up in an email sent by Trustico. Those keys are …
John Leyden, 01 Mar 2018

Brit spooks slammed over 'gentlemen's agreement' with telcos to get mass comms data

Privacy International has slammed the UK's spy agencies for failing to keep a proper paper trail over what data telcos were asked to provide under snooping laws, following its first ever cross-examination of a GCHQ witness. The campaign group was granted the right to grill GCHQ's star witness after he made a series of errors …
Rebecca Hill, 28 Feb 2018

Irish eyes are sighing: Data protection office notes olagoanin'* up 79%

The Irish Data Protection Commissioner received 79 per cent more complaints last year than in 2016, while data breach notifications rose 26 per cent. The figures, released in the commissioner's annual report for 2017 (PDF), show that the DPC's office received a record 2,642 complaints in 2017. That's a 79 per cent increase on …
Rebecca Hill, 28 Feb 2018

Got that itchy GandCrab feeling? Ransomware decryptor offers relief

White hats have released a free decryption tool for GandCrab ransomware, preventing the nasty spreaders of the DIY malware from asking their victims for money. GandCrab has been spreading since January 2018 via malicious advertisements that lead to the RIG exploit kit landing pages or via crafted email messages impersonating …
John Leyden, 28 Feb 2018

XM-Hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming. Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially …
John Leyden, 28 Feb 2018
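One concrete shape of the "bungled programming" a relying party can check for: the identity string inside a SAML NameID depends on how the text is extracted when something other than plain text sits inside the element. The code below is an added example, not code from the affected products or from any SAML library; it assumes the XML-comment case (a `<!---->` splitting the NameID), leaves signature verification out, and uses a constructed assertion fragment. The reason the trick survives signature checking is that the canonicalisation used for XML signatures omits comments, so the signed bytes are the comment-free name.

```python
"""Added example, not code from the affected SSO products or any SAML library:
show how an XML comment inside NameID changes the identity a service provider
extracts, depending on how the text is read.  The fragments are constructed
and signature verification is left out."""
from xml.dom import minidom

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_assertion(name_id_markup):
    """Wrap constructed NameID markup in a minimal Assertion/Subject."""
    return (
        '<saml:Assertion xmlns:saml="{ns}"><saml:Subject>'
        "<saml:NameID>{nid}</saml:NameID>"
        "</saml:Subject></saml:Assertion>"
    ).format(ns=SAML_NS, nid=name_id_markup)


# Constructed inputs: a clean assertion and one whose NameID is split by an
# empty comment.  The signed, canonical form of the second one reads
# user@example.com.evil.com; a first-text-node read sees user@example.com.
CLEAN_ASSERTION = build_assertion("user@example.com")
SPOOFED_ASSERTION = build_assertion("user@example.com<!---->.evil.com")


def _name_id(xml_text):
    doc = minidom.parseString(xml_text)
    nodes = doc.getElementsByTagNameNS(SAML_NS, "NameID")
    if len(nodes) != 1:
        raise ValueError("expected exactly one NameID, found %d" % len(nodes))
    return nodes[0]


def name_id_first_text(xml_text):
    """Read only the first text node: the shortcut that yields a spoofed name."""
    return _name_id(xml_text).firstChild.data


def name_id_all_text(xml_text):
    """Join every text node, matching the comment-free canonical form."""
    node = _name_id(xml_text)
    return "".join(c.data for c in node.childNodes
                   if c.nodeType in (c.TEXT_NODE, c.CDATA_SECTION_NODE))


def name_id_is_clean(xml_text):
    """True only when NameID holds plain text and nothing else."""
    node = _name_id(xml_text)
    return all(c.nodeType == c.TEXT_NODE for c in node.childNodes)


def name_id_strict(xml_text):
    """Reject any NameID that is not plain text, then return the full text."""
    if not name_id_is_clean(xml_text):
        raise ValueError("NameID contains non-text nodes")
    return name_id_all_text(xml_text)


if __name__ == "__main__":
    print("naive :", name_id_first_text(SPOOFED_ASSERTION))
    print("joined:", name_id_all_text(SPOOFED_ASSERTION))
    print("clean :", name_id_is_clean(SPOOFED_ASSERTION))
```

The practical rule is the strict variant: extract the NameID only after the signature has been verified, take the whole text content rather than one node, and refuse the assertion outright if comments, CDATA or child elements appear where an identifier should be.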

Dutch name authority: DNSSEC validation errors can be eliminated

DNSSEC, which secures the ancient domain name system, is important to Internet security and privacy, but as APNIC luminary Geoff Huston wrote last week, there's evidence that its use could be declining. “From the validation perspective, the use of DNSSEC appeared to have peaked in early 2016 and has been declining since then”, …

Popular cache utility exploited for massive reflected DoS attacks

Attackers have discovered a new amplified denial-of-service attack vector, and have launched attacks reaching hundreds of gigabits per second in Asia, North America and Europe. Former Internet Systems Consortium CEO and now Akamai principal architect Barry Raveendran Greene has detailed the reflected DoS attack on his blog and …
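What distinguishes a reflected, amplified attack in flow data is the ratio of bytes a UDP service sends to the bytes it receives from a single (spoofed) client. The following is an added example, not from Akamai's or Barry Greene's analysis, that flags such pairs from constructed flow records; the port numbers, field layout and threshold are assumptions.

```python
"""Added example, not from Akamai's or Barry Greene's analysis: pick out UDP
flows whose byte amplification marks a service as being abused as a
reflector.  Flow records, port numbers and thresholds are constructed."""
from collections import defaultdict

# Constructed flow records, one per tuple:
# (proto, service_ip, service_port, client_ip, client_port,
#  bytes_to_service, bytes_from_service).
# In a reflected attack the client IP is the spoofed victim, not the attacker.
FLOWS = [
    ("udp", "198.51.100.7", 11211, "203.0.113.5", 12345, 15, 750000),
    ("udp", "198.51.100.7", 11211, "203.0.113.5", 12346, 15, 750000),
    ("udp", "198.51.100.8", 53, "203.0.113.5", 40000, 60, 3000),
    ("udp", "198.51.100.9", 123, "192.0.2.10", 123, 48, 48),
    ("tcp", "198.51.100.9", 443, "203.0.113.77", 51000, 4000, 8000),
]


def amplification_factor(bytes_in, bytes_out):
    """Bytes the service emitted per byte it received."""
    return bytes_out / bytes_in if bytes_in else float("inf")


def find_reflectors(flows, min_factor=10.0):
    """Aggregate UDP flows per (service, client) and report pairs whose
    combined amplification reaches min_factor, largest first.  TCP is
    skipped because its handshake defeats source-address spoofing."""
    totals = defaultdict(lambda: [0, 0])
    for proto, svc_ip, svc_port, cli_ip, _cli_port, b_in, b_out in flows:
        if proto != "udp":
            continue
        key = (svc_ip, svc_port, cli_ip)
        totals[key][0] += b_in
        totals[key][1] += b_out
    hits = []
    for (svc_ip, svc_port, cli_ip), (b_in, b_out) in totals.items():
        factor = amplification_factor(b_in, b_out)
        if factor >= min_factor:
            hits.append({"reflector": (svc_ip, svc_port), "victim": cli_ip,
                         "factor": factor, "bytes_out": b_out})
    hits.sort(key=lambda h: h["factor"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_reflectors(FLOWS):
        print("%s:%d -> %s  x%.0f  %d bytes" % (
            hit["reflector"][0], hit["reflector"][1], hit["victim"],
            hit["factor"], hit["bytes_out"]))
```

Run against real flow exports, the same grouping tells an operator two things at once: which of their own hosts are being used as reflectors (firewall the UDP service port from the internet, or bind it to localhost) and which destination is being flooded. Source-address validation on the network edge (BCP 38) is what stops the spoofed requests from being reflected in the first place.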

Intel gives Broadwells and Haswells their Meltdown medicine

Intel slipped out a new Microcode Update Guidance on Monday, revealing that lots of Haswell and Broadwell Xeons can now receive inoculations against the Meltdown and Spectre CPU design flaws. The new document (PDF) says Broadwell processors with CPUIDs 50662, 50663, 50664, 40671, 406F1 and 306D4 are ready for their …
Simon Sharwood, 28 Feb 2018
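Intel's guidance identifies processors by the CPUID leaf-1 signature (406F1 is family 6, model 0x4F, stepping 1), which is not what /proc/cpuinfo prints directly. The following is an added example, not Intel's tooling, that derives the signature from the family, model and stepping fields and checks it against the Broadwell entries quoted above; the cpuinfo text is constructed, and the Haswell list is elided on this page so it is not included.

```python
"""Added example, not Intel's guidance or tooling: turn the family, model
and stepping fields of /proc/cpuinfo into the CPUID signature the guidance
lists, and check it against the Broadwell entries quoted above.  The cpuinfo
text is constructed."""
import re

# Broadwell signatures quoted in the teaser above.  The Haswell list is
# elided on this page, so a Haswell host simply reports "not listed".
BROADWELL_READY = {0x50662, 0x50663, 0x50664, 0x40671, 0x406F1, 0x306D4}

# Constructed /proc/cpuinfo excerpts; microcode revisions are placeholders.
SAMPLE_BROADWELL = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 79
model name\t: Intel(R) Xeon(R) CPU (constructed sample)
stepping\t: 1
microcode\t: 0x1
"""

SAMPLE_HASWELL = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 60
model name\t: Intel(R) Core(TM) CPU (constructed sample)
stepping\t: 3
microcode\t: 0x1
"""

_FIELD_RE = re.compile(r"^(cpu family|model|stepping)\s*:\s*(\d+)", re.M)


def cpuid_signature(family, model, stepping):
    """Encode displayed family/model/stepping as CPUID leaf 1 EAX does.
    Extended model bits only apply to families 6 and 0xF; the extended
    family field is only used once the displayed family exceeds 0xF."""
    if family > 0xF:
        ext_family, base_family = family - 0xF, 0xF
    else:
        ext_family, base_family = 0, family
    if base_family in (0x6, 0xF):
        ext_model, base_model = model >> 4, model & 0xF
    else:
        ext_model, base_model = 0, model
    return ((ext_family << 20) | (ext_model << 16) | (base_family << 8)
            | (base_model << 4) | stepping)


def parse_cpuinfo(text):
    """Return one (family, model, stepping) tuple per processor block."""
    results = []
    for block in text.strip().split("\n\n"):
        fields = dict(_FIELD_RE.findall(block))
        results.append((int(fields["cpu family"]), int(fields["model"]),
                        int(fields["stepping"])))
    return results


def microcode_status(text):
    """For each processor, (signature as hex text, listed as ready)."""
    status = []
    for family, model, stepping in parse_cpuinfo(text):
        sig = cpuid_signature(family, model, stepping)
        status.append((format(sig, "X"), sig in BROADWELL_READY))
    return status


if __name__ == "__main__":
    for name, text in (("broadwell", SAMPLE_BROADWELL), ("haswell", SAMPLE_HASWELL)):
        print(name, microcode_status(text))
```

Being on the list only means Intel has released microcode for that stepping; the host still has to receive it through a BIOS update or the OS microcode package. Compare the `microcode` field against the revision in Intel's table (not quoted here) to confirm it has actually been loaded.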

NSA boss: Trump won't pull trigger for Russia election hack retaliation

NSA boss Mike Rogers told a US congressional panel today that Russia’s online mischief-making in America's elections is not going to stop – because Uncle Sam isn’t hitting back. "I believe that President Putin has clearly come to the conclusion there’s little price to pay here, and that therefore I can continue this activity …
Iain Thomson, 27 Feb 2018

Use of HTTPS among top sites is growing, but weirdly so is deprecated HTTP public key pinning

The adoption of HTTPS among the top million sites continues to grow, with 38.4 per cent offering secure web connections. A study by web security expert Scott Helme, published on Tuesday, found that HTTPS adoption by the web's most-visited sites had grown more than 7 percentage points from 30.8 per cent over the last six months since …
John Leyden, 27 Feb 2018

Fender's 'smart' guitar amp has no Bluetooth pairing controls

Updated Guitar amp manufacturer Fender's recently-introduced Mustang GT 100 guitar amplifier can be made to play whatever audio an attacker fancies, security researchers have discovered. The amp allows Bluetooth connections, but without pairing security. Anyone within range could therefore "stream arbitrary audio to it and hijack your …
John Leyden, 27 Feb 2018

Opt-in cryptomining script Coinhive 'barely used' say researchers

Few sites are bothering to use the opt-in version of Coinhive, the controversial ride-along JavaScript crypto-mining package that requires end-users' consent to run. So said security firm Malwarebytes in an analysis emitted on Monday, but Coinhive developers disputed those findings and argued that a third of cryptomining-using …
John Leyden, 27 Feb 2018

RAT king thrown in the slammer for peddling NanoCore PC nasty

A bloke has been jailed for nearly three years for developing and selling malware that allowed miscreants to snoop on and remote-control victims' Windows PCs. Taylor Huddleston, of Arkansas, USA, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and peddling his $25 software nasty …
Shaun Nichols, 27 Feb 2018

You get a criminal record! And you get a criminal record! Peach state goes bananas with expanded anti-hack law

A proposed anti-hacking law in the US state of Georgia is raising all kinds of alarms – because it could chill security research, and criminalize anyone who breaks a website or ISP's T&Cs. The bill, SB 315, would expand the state's computer crime laws to include penalties for accessing a machine without permission even if no …
Shaun Nichols, 26 Feb 2018

Biting the hand that feeds IT © 1998–2018